QUANTUM
PAST MONTH

Quantum Update

What changed for Bitcoin specifically

RESOURCE ESTIMATES FOR BREAKING SECP256K1 KEEP FALLING
Apr 2 — Luo et al. (arXiv 2604.02311): 1,333 logical qubits for 256-bit ECDLP — a low-width record, down from Häner et al.'s 2,124.
Apr 15 — Babbush, Gidney, Drake, Boneh v2 (arXiv 2603.28846): <500K physical qubits at 10⁻³ error rate, ~9 min from a primed state.
REAL HARDWARE TODAY
Best public demos are still sub-100 logical qubits: Quantinuum reports 48 error-corrected / up to 94 error-detected logical qubits on Helios, while LLNL's 2026 roadmap still labels today as 1–50 "minimal" logical qubits plus one "good" logical qubit. The gap to the estimates above remains large.
EXPOSED-COIN COUNT
Coinbase's Quantum Advisory Council (Apr 21) puts vulnerable bitcoin — held in P2PK outputs or in address-reused P2PKH / P2WPKH, where the public key has already appeared on-chain — at ~6.9M BTC, roughly 33% of supply. A CRQC (cryptographically-relevant quantum computer) running Shor's algorithm derives the private key from any exposed public key, so it would recover the keys for every such output from public chain history.
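The exposure rule in the council's count is mechanical enough to run against a UTXO set. The following is an added example, not Coinbase's or the council's code: it classifies constructed sample outputs by the rule stated above (P2PK is always exposed; P2PKH/P2WPKH is exposed once the address has been spent from, because the spend placed the public key on-chain) and orders the exposed coins for migration. The UTXOs, addresses and the spent-from set are made up for the example; other script types are left unclassified because the rule on this slide says nothing about them.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_type: str    # "p2pk", "p2pkh", "p2wpkh", "p2wsh", ...
    address: str        # for P2PK, the public key itself stands in for an address
    amount_btc: float

# Constructed sample data (not real chain state). Addresses in SPENT_FROM have
# spent at least once, so their public key already appears in a scriptSig/witness.
SPENT_FROM = {"addr_reused_1", "addr_reused_2"}
SAMPLE_UTXOS = [
    Utxo("tx_a", 0, "p2pk",   "pk_early_block", 50.0),   # P2PK: the key IS the script
    Utxo("tx_b", 1, "p2pkh",  "addr_reused_1",  1.5),    # reused: key seen on-chain
    Utxo("tx_c", 0, "p2wpkh", "addr_reused_2",  0.25),   # reused: key seen on-chain
    Utxo("tx_d", 0, "p2pkh",  "addr_fresh_1",   2.0),    # never spent from: hash only
    Utxo("tx_e", 0, "p2wpkh", "addr_fresh_2",   0.75),   # never spent from: hash only
    Utxo("tx_f", 0, "p2wsh",  "script_hash_1",  3.0),    # not covered by this rule
]

def pubkey_exposed(utxo: Utxo, spent_from: set[str]) -> bool:
    """The slide's rule: P2PK always exposes the key; single-key hash outputs
    expose it only once the address has been spent from (address reuse)."""
    if utxo.script_type == "p2pk":
        return True
    if utxo.script_type in ("p2pkh", "p2wpkh"):
        return utxo.address in spent_from
    return False  # other script types are not classified by this rule

def exposure_report(utxos: list[Utxo], spent_from: set[str]) -> dict:
    """Totals of exposed coins, overall and per script type."""
    exposed = [u for u in utxos if pubkey_exposed(u, spent_from)]
    total = sum(u.amount_btc for u in utxos)
    exposed_btc = sum(u.amount_btc for u in exposed)
    by_type: dict[str, float] = {}
    for u in exposed:
        by_type[u.script_type] = by_type.get(u.script_type, 0.0) + u.amount_btc
    return {
        "exposed_outputs": len(exposed),
        "exposed_btc": exposed_btc,
        "share_of_sample": exposed_btc / total if total else 0.0,
        "by_type": by_type,
    }

def migration_queue(utxos: list[Utxo], spent_from: set[str]) -> list[Utxo]:
    """Exposed outputs, largest first: the order in which a holder would sweep
    them to fresh, never-spent-from addresses."""
    return sorted((u for u in utxos if pubkey_exposed(u, spent_from)),
                  key=lambda u: -u.amount_btc)

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, SPENT_FROM))
    for u in migration_queue(SAMPLE_UTXOS, SPENT_FROM):
        print(f"{u.txid}:{u.vout}  {u.script_type:7}  {u.amount_btc} BTC")
```

Two caveats a practitioner would attach to such an audit. The sample share here is constructed and says nothing about the ~6.9M BTC figure above. And sweeping to a fresh address only removes long-lived exposure: the moment the new output is spent, its public key is revealed in the transaction while it waits in the mempool, which is exactly where the "~9 min from a primed state" estimate on this slide would bite.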

The Q-Day Prize

Project Eleven, April 24 — and the backlash that followed

THE ANNOUNCEMENT
On April 24, Project Eleven awarded its 1 BTC Q-Day Prize to Giancarlo Lelli for what its press release described as the "largest quantum attack on elliptic curve cryptography to date" — a 15-bit ECC key recovered using IBM quantum hardware. Project Eleven
THE BACKLASH — "THE QUANTUM PART DID NOTHING"
Within hours, independent reviewers reproduced the result without any quantum hardware. Critics argued the IBM circuit's output was statistically indistinguishable from random coin flips, and that classical search alone trivially recovers a 15-bit key — a search space of just 32,767 candidates. Project Eleven's announcement post on X now carries a Community Note fact-check.
"The quantum computer contributed nothing (noise)! The answer was recovered by a classical checker sifting random noise."
— Jonas Schnelli, former Bitcoin Core maintainer · reproduced the result in ~20 lines of Python · news.bitcoin.com
Independently, Yuval Adam swapped Lelli's IBM quantum backend for /dev/urandom (Linux's classical RNG) and recovered the same key with the same pipeline.
— independent verification · news.bitcoin.com
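What the critics reproduced, as an added example that is neither Schnelli's nor Adam's code: a toy curve with the same equation as secp256k1 (y² = x³ + 7) over a 15-bit prime, p = 32717, chosen here; because p ≡ 2 (mod 3) every y has exactly one x, so the group has N = p + 1 = 32,718 points (the prize's own key space of 32,767 differs slightly). Two purely classical recoveries follow: an exhaustive walk over all N candidates, and a checker that accepts candidate scalars from any source, /dev/urandom included. The checker does all of the work, which is the entire objection to the prize result.

```python
import os
import random

# Toy curve y^2 = x^3 + 7 over F_p, p = 32717 (constructed for this example).
# p = 2 (mod 3) makes cubing a bijection in F_p: each y has one x, so the
# curve has exactly p + 1 points, and the group is cyclic.
P = 32717
B = 7
N = P + 1                      # group order, verified by find_generator()
INV3 = pow(3, -1, P - 1)       # exponent that computes cube roots in F_p
INF = None                     # point at infinity

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + B mod P (a = 0)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def point_order(pt):
    """Walk pt, 2pt, 3pt, ... until the point at infinity."""
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n

def find_generator():
    """Return a point of full order N; about a quarter of all points qualify."""
    for y in range(1, P):
        x = pow((y * y - B) % P, INV3, P)     # the unique cube root of y^2 - 7
        pt = (x, y)
        if point_order(pt) == N:
            return pt
    raise RuntimeError("no generator of full order found")

G = find_generator()

def classical_search(pub):
    """Exhaustive search over all N scalars: a fraction of a second at 15 bits."""
    cur = INF
    for k in range(N):
        if cur == pub:
            return k
        cur = add(cur, G)
    return None

def sift_noise(pub, candidates):
    """The critics' pipeline: a classical checker (k*G == pub) applied to candidate
    scalars from ANY source. The checker does all the work; the source of the
    candidates, quantum backend or random bytes, contributes nothing."""
    for k in candidates:
        if mul(k % N, G) == pub:
            return k % N
    return None

def urandom_candidates(limit):
    """Adam's substitution: /dev/urandom in place of the IBM backend."""
    for _ in range(limit):
        yield int.from_bytes(os.urandom(2), "big")

if __name__ == "__main__":
    priv = random.SystemRandom().randrange(1, N)
    pub = mul(priv, G)
    print("exhaustive search recovered key:", classical_search(pub) == priv)
    print("urandom + checker recovered key:", sift_noise(pub, urandom_candidates(20 * N)) == priv)
```

The point of the second function is that replacing the candidate source changes nothing about the outcome, only about how many candidates the checker has to reject; at 15 bits even twenty full passes over the key space run in seconds.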
A separate critique from Craig Gidney (Google quantum researcher, co-author of the secp256k1 estimate paper) argued the submission did not meaningfully demonstrate progress toward a cryptographically relevant attack.
— Craig Gidney, blog post Apr 25 · Yellow
CONFLICT-OF-INTEREST CONCERNS
Project Eleven (Alex Pruden, $20M Series A in Jan at $120M valuation) sells PQ-migration tooling, designed the prize, picked the judges, awarded the bounty, and issued the press release. Pruden later acknowledged the result was "not Q-Day" and framed it as incremental progress in a noisy, classically assisted NISQ setting. Protos

Two Camps

Freeze the old coins, or don't.

CAMP A — FREEZE
Coins held under already-exposed keys (P2PK, reused addresses) face theft once a CRQC can break ECDSA/Schnorr. Freeze first, sort later.

BIP-361 (Lopp et al., Apr 14): calendar deadline. Phase A blocks new sends to legacy types (~3 yrs); Phase B restricts legacy ECDSA/Schnorr spends behind a quantum-safe rescue path (~5 yrs).
Hourglass V2 (Beast/Casey): throttle P2PK to 1 BTC per block, draining ~1.7M BTC over ~32 years.
CAMP B — DON'T
Freezing means consensus rules reject spends whose signatures are otherwise valid. Detect or defend without taking anyone's coins.

BitMEX "Canary": honeypot tripwire; freeze legacy only if its spend proves a working quantum computer.
PACTs (Paradigm): dormant holders prove ownership now (BIP-322 + OpenTimestamps; STARK proof later), redeem later.
QSB (Avihu Levy): hash-based signatures inside existing script. No fork. ~$75–150 GPU compute per spend.
Quip: wallet-side PQ commitment via an L2 (Arch Network). Mainchain unchanged. Available now.
Lopp's own framing: "I know folks don't like BIP-361. I don't like it myself. I wrote it because I like the alternative even less."
— Jameson Lopp · CoinDesk, Apr 15
The objection, in one line: "We have to steal people's money to prevent their money from being stolen."
— Phil Geiger, Metaplanet (Apr 15)
CORALLO · APR 15 · "PQC — WHAT IS OUR GOAL, EVEN?"
Matt Corallo (Spiral) reframes the question: the goal isn't the perfect freeze policy, it's maximising the number of coins secured before a CRQC arrives — so the freeze question matters less when it does. Implication: focus on the weakest links (mainstream wallets that reuse static addresses — Bitcoin.com, Trust, Coinbase Wallet, Blockchain.com), not on perfecting expert setups or designing the ultimate PQ scheme today.

"we should be seeking to minimize the chance that the Bitcoin community feels the need to fork to burn coins by reducing the number of coins which can be stolen"
bitcoindev, Apr 15
SEPARATE FROM THE FREEZE QUESTION
Both camps still need a quantum-safe signature scheme for new outputs. BIP-360 defines a PQ-friendly output format; the actual sig scheme (SHRINCS / SHRIMPS) is on the next slide. Presidio Bitcoin's "Quantum Readiness v1" compares all the proposals end-to-end: github.com/presidiobtc/bitcoin-quantum

SHRINCS / SHRIMPS

Yes: SHRINCS is a post-quantum signature scheme. It proves a wallet can spend without relying on ECDSA/Schnorr.

[Diagram: Spend (transaction digest: the message being authorized) → Signer (SHRINCS / SHRIMPS: secret key + signing state) → Witness (PQ signature: ~324 B or ~2.5 KB path) → Verifier (public key check: nodes validate the spend)]
SHRINCS: one signer, one queue
[Diagram: the signer's queue of one-time leaves: leaf 0 · leaf 1 · leaf 3 · ...]
The counter is the state. Each normal signature consumes one Unbalanced XMSS leaf — a one-time key. Reuse a leaf and the private key leaks, so the wallet must remember which leaves it has spent. Early signatures are about 324 bytes; if state is lost, the wallet falls back to a larger stateless backup path that doesn't require a counter.
SHRIMPS: compact slots for devices
[Diagram: hardware, phone and desktop each take the compact path for their first signature; later signatures take the fallback path with a larger signature]
SHRIMPS is the multi-device version. With n_dev = 2^10, seed restores can each get a compact ~2,564-byte first signature before falling back safely.
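The "counter is the state" hazard from the SHRINCS slide, and the reason SHRIMPS gives each device or restore its own range, can be made concrete with a toy. The following is an added example, not SHRINCS, SHRIMPS or Unbalanced XMSS code: plain Lamport one-time keys under a small SHA-256 Merkle tree, a signer whose only state is a counter, a verifier, and a function that measures how much of a one-time key leaks when a leaf is signed with twice. The per-device slot layout (each slot owns a disjoint leaf range) is a hypothetical illustration of the idea, not the actual SHRIMPS design; the sign_with_leaf_unsafe method exists only so the hazard can be measured and is not something a wallet would expose. The stateless fallback path is not modelled: exhausting a slot simply raises.

```python
import hashlib

DIGEST_BITS = 256   # one Lamport preimage pair per digest bit

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]

def leaf_secret(seed: bytes, leaf: int):
    """Derive one leaf's one-time key from the seed. A seed restore re-derives the
    same keys, which is exactly why a restore must not restart the counter."""
    tag = leaf.to_bytes(4, "big")
    return [(H(seed, tag, i.to_bytes(2, "big"), b"\x00"),
             H(seed, tag, i.to_bytes(2, "big"), b"\x01")) for i in range(DIGEST_BITS)]

def leaf_public(secret) -> bytes:
    return H(*[H(s) for pair in secret for s in pair])

def merkle(leaves):
    """Root plus an authentication path (sibling hashes) for every leaf."""
    level, paths, pos = list(leaves), [[] for _ in leaves], list(range(len(leaves)))
    while len(level) > 1:
        for leaf in range(len(leaves)):
            paths[leaf].append(level[pos[leaf] ^ 1])
            pos[leaf] //= 2
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths

class StatefulSigner:
    """One signer, one queue: the counter is the whole signing state."""
    def __init__(self, seed: bytes, height: int, slot: int = 0, slots: int = 1):
        self.seed = seed
        n = 1 << height
        self.root, self.paths = merkle([leaf_public(leaf_secret(seed, i)) for i in range(n)])
        # Hypothetical slot layout (an illustration, not the SHRIMPS design):
        # each device or seed restore owns a disjoint range of leaves.
        per_slot = n // slots
        self.counter, self.last = slot * per_slot, (slot + 1) * per_slot

    def remaining(self) -> int:
        return self.last - self.counter

    def sign(self, msg: bytes):
        if self.counter >= self.last:
            raise RuntimeError("slot exhausted; a real wallet would take its fallback path")
        leaf, self.counter = self.counter, self.counter + 1   # consume one leaf
        return self.sign_with_leaf_unsafe(leaf, msg)

    def sign_with_leaf_unsafe(self, leaf: int, msg: bytes):
        """Bypasses the counter. Exists only so leaked_pairs() can show the
        cost of reusing a leaf; a wallet must never expose this."""
        secret = leaf_secret(self.seed, leaf)
        bits = digest_bits(msg)
        return {"leaf": leaf,
                "revealed": [secret[i][b] for i, b in enumerate(bits)],
                "other": [H(secret[i][1 - b]) for i, b in enumerate(bits)],
                "path": self.paths[leaf]}

def verify(root: bytes, msg: bytes, sig) -> bool:
    """Rebuild the leaf public key from the signature, then walk up to the root."""
    hashes = []
    for i, b in enumerate(digest_bits(msg)):
        pair = [None, None]
        pair[b], pair[1 - b] = H(sig["revealed"][i]), sig["other"][i]
        hashes += pair
    node, pos = H(*hashes), sig["leaf"]
    for sibling in sig["path"]:
        node = H(node, sibling) if pos % 2 == 0 else H(sibling, node)
        pos //= 2
    return node == root

def leaked_pairs(sig_a, sig_b) -> int:
    """Positions at which two signatures from the SAME leaf together reveal both
    preimages of a pair: the measure of how much of the one-time key is gone."""
    if sig_a["leaf"] != sig_b["leaf"]:
        return 0
    return sum(a != b for a, b in zip(sig_a["revealed"], sig_b["revealed"]))
```

Run with a seed and `height=3`, the signer has eight leaves; with `slots=2` a second `StatefulSigner(seed, 3, slot=1, slots=2)` built from the same seed produces the same root but starts at leaf 4, so a restore on another device never collides with the first device's counter. Signing two different messages with one leaf through the unsafe method leaks roughly half of the 256 preimage pairs, which is the concrete content of "reuse a leaf and the private key leaks".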
MARCH → APRIL → MAY
March proved a SHRINCS verifier on Liquid via Simplicity; April introduced SHRIMPS for hardware-wallet + phone + desktop signing. May framing: candidate Bitcoin signature verifiers, separate from BIP-360's output format.

Voices Across the Ecosystem

Coverage of the quantum debate expanded across the ecosystem; positions diverged

"DECADES AWAY"
Saylor: "overblown… likely decades away."
Adam Back: "real in theory, not yet practical."
Bernstein: "neither existential nor novel."
"ON THE HORIZON"
Coinbase Quantum Advisory Council: "not imminent but now clearly on the horizon."
Haroche (Nobel): Bitcoin "could be an early target."
Coinbase Quantum Advisory Council
APR 21 · 50pp
Panel: Aaronson, Boneh, Drake, Kannan, Lindell, Malkhi
Threat: "not imminent but now clearly on the horizon"
Timeline debate: "largely irrelevant"
Exposure: ~6.9M BTC in keys-exposed UTXOs
Coinbase
Saylor · MARA · Adam Back
APR 7–27
Saylor: quantum risk "overblown… decades away"; Strategy pledged a "Bitcoin Security Program."
MARA Foundation (Apr 27): funding quantum-research as a priority.
Adam Back: pro-optional upgrades, anti-forced-freeze.
CoinDesk · BM · Bloomberg
Bernstein · Grayscale · BTC Policy Institute · Haroche
APR 7–8
Bernstein: "real but manageable", 3–5 yr window.
Grayscale: "governance, not engineering."
BTC Policy Institute: "State of Play" report.
Haroche (Nobel laureate): Bitcoin "could be early target."
btcpolicy.org

Conferences & Threads

QUANTUM ON STAGE
MIT Bitcoin Expo (Apr 11–12) — Heilman on algorithm agility.
OPNEXT NYC (Apr 16) — quantum sessions; Blockspace podcasts.
bitcoin++ Vegas (Apr 23–24) — Oxford Debate "Quantum FUD vs Quantum Compute": Zell, Pruden, Black. btcplusplus.dev
BITCOIN-DEV THREADS (APR 2 – MAY 5)
"Algorithm Agility for Bitcoin" — Heilman, Apr 2.
"PQ BIP-86 Recovery via zk-STARK" — Roasbeef, Apr 8. Reduced xpriv variant cut composite prover time ~49s → ~2s; succinct proof ~64s → ~3s.
"In defense of a PQ output type" — Antoine Poinsot, Apr 9.
"PQC – What is our Goal, Even?" — Matt Corallo, Apr 15. Reframes the migration goal: maximise coins secured before a CRQC arrives, focus on weakest-link mainstream wallets (covered on the Two Camps slide).
"A Post-Quantum Path for BIP 324" — Roasbeef, May 5. Heilman pushed for TLS 1.3 instead; the suggestion was declined.