Jameson Lopp intros QR proposal + OPCAT author joins BIP 360
BITCOIN QUANTUM RESISTANCE MONTHLY UPDATE #1
In the last 30 days, there has been significant movement on Bitcoin quantum resistance — including a new proposal from Casa CSO Jameson Lopp and the QBTC sidechain team, as well as the addition of Ethan Heilman as a co-author of BIP 360 and revisions to the proposal that focus on Taproot quantum resistance as a “first step” toward addressing Bitcoin’s quantum vulnerabilities.
BITCOIN QUANTUM HIGHLIGHTS | JULY
Jameson Lopp presents plan to phase out ECDSA/Schnorr + proposes freezing of QVC coins 5+ years after activation of BIP 360
BIP 360 gets Ethan Heilman onboard — re-focusing the BIP on making Taproot quantum resistant
Hourglass v2 in the works: Now limits spending to 1 BTC per legacy input per block (rather than 1 UTXO per block)
New research suggests RSA could be broken with 20x less quantum power than previously believed possible
Trump modifies PQC policy: agencies are no longer required to start implementing Post-Quantum Cryptography
MONTHLY QUANTUM POLL
Earlier this month, Hunter ran a poll on X to gauge how the community wants to handle quantum-vulnerable coins.
Nearly 300 votes came in, and there was a clear winner: 41.6% of voters prefer to just do nothing. In a post-quantum scenario, this could lead to the liquidation of coins held in quantum-vulnerable addresses.
The second most voted alternative (28.4%) was Hourglass v2, a proposal still being developed by the Anduro team, designed to drastically slow down how quickly quantum-vulnerable coins can move.
Jameson Lopp introduces a 3-phase plan to make Bitcoin quantum-resistant
A group of contributors, led by Jameson Lopp and the QBTC Bitcoin sidechain team, published a proposal titled Post-Quantum Migration and Legacy Signature Sunset.
The new approach outlines a phased plan to transition Bitcoin users away from ECDSA/Schnorr signature schemes and towards BIP 360/PQC addresses. This proposal assumes BIP 360 as a prerequisite.
Phase A:
A soft fork that prohibits sending to legacy address types (like P2PKH, P2SH or P2TR). Only quantum-resistant address types (P2QRH) would be permitted for new outputs.
Phase B:
Roughly five years later, a second consensus change would prohibit spending from legacy outputs. Legacy UTXOs would become unspendable unless migrated in time.
Phase C (optional):
Introduces a recovery mechanism using ZK proofs of seed ownership (i.e. xpub/xpriv keys). ZK proofs would allow users to prove ownership of frozen coins without revealing private keys, but would require the introduction of a zk-verification opcode, which may be contentious and requires significant research.
This approach is the first public proposal to define a formal timeline for sunsetting vulnerable legacy ECDSA/Schnorr signatures.
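To make the two consensus phases concrete, here is an added illustration in Python (not code from the proposal or its authors) of what a Phase A and a Phase B rule would reject. It assumes a P2QRH output encoding (a 32-byte SegWit v3 program) and illustrative activation heights; neither value comes from the proposal.

```python
# Added example: a consensus-style check for Phases A and B of the
# "Post-Quantum Migration and Legacy Signature Sunset" proposal as summarised
# above. Not the proposal's own code. The P2QRH encoding (witness v3, 32-byte
# program) is an assumption for illustration; the real encoding is set by BIP 360.
from typing import List, Tuple

OP_0, OP_1, OP_3 = 0x00, 0x51, 0x53
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xa9, 0x87, 0x88, 0xac

TxOut = Tuple[int, bytes]   # (value in sats, scriptPubKey)
TxIn = Tuple[int, bytes]    # (value in sats, scriptPubKey of the UTXO being spent)


def classify_spk(spk: bytes) -> str:
    """Name the output type by its scriptPubKey template."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"                                   # <push pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[22] == OP_EQUAL:
        return "P2SH"
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return "P2WPKH"
    if n == 34 and spk[0] == OP_0 and spk[1] == 0x20:
        return "P2WSH"
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:
        return "P2TR"
    if n == 34 and spk[0] == OP_3 and spk[1] == 0x20:
        return "P2QRH"                                  # assumed encoding (see above)
    return "UNKNOWN"


QUANTUM_SAFE = {"P2QRH"}


def sunset_violations(vin: List[TxIn], vout: List[TxOut], height: int,
                      phase_a_height: int, phase_b_height: int) -> List[str]:
    """Return the rule violations for one transaction at a given block height.

    Phase A (from phase_a_height): no new outputs of a legacy type.
    Phase B (from phase_b_height): no spends of legacy-type UTXOs.
    The heights are illustrative parameters, not values from the proposal.
    """
    errs: List[str] = []
    if height >= phase_a_height:
        for i, (_, spk) in enumerate(vout):
            t = classify_spk(spk)
            if t not in QUANTUM_SAFE:
                errs.append(f"vout[{i}]: new output of legacy type {t} (Phase A)")
    if height >= phase_b_height:
        for i, (_, spk) in enumerate(vin):
            t = classify_spk(spk)
            if t not in QUANTUM_SAFE:
                errs.append(f"vin[{i}]: spend of frozen legacy type {t} (Phase B)")
    return errs


# Constructed sample scripts (dummy hashes and keys, not real addresses).
SPK_P2PK = b"\x21\x02" + b"\x44" * 32 + bytes([OP_CHECKSIG])
SPK_P2PKH = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SPK_P2TR = bytes([OP_1, 0x20]) + b"\x22" * 32
SPK_P2QRH = bytes([OP_3, 0x20]) + b"\x33" * 32

if __name__ == "__main__":
    # A migration tx: spends P2PKH, pays to P2QRH. Valid during Phase A,
    # but the same spend is invalid once Phase B freezes legacy inputs.
    vin = [(5_000_000, SPK_P2PKH)]
    vout = [(4_990_000, SPK_P2QRH)]
    print(sunset_violations(vin, vout, height=900_000, phase_a_height=850_000, phase_b_height=1_100_000))
    print(sunset_violations(vin, vout, height=1_200_000, phase_a_height=850_000, phase_b_height=1_100_000))
```

The point the two phases make in code: during Phase A the same legacy coin can still be moved, but only into a quantum-safe output; after Phase B the input itself is the violation, whatever it pays to.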
OPCAT author Ethan Heilman joins BIP 360 effort
OPCAT co-author Ethan Heilman has officially joined BIP 360 as a co-author alongside Hunter Beast.
Heilman is working on narrowing the scope of the BIP to focus on Taproot quantum resistance – which does not require the introduction of new PQC algorithms into Bitcoin right off the bat. This approach offers a more palatable “first step” in making Bitcoin quantum resistant, before introducing new complex signature schemes.
Following his arrival, BIP 360 underwent a major update. Here’s what’s new:
Taproot-based structure:
The new version reuses Bitcoin’s Taproot output format (P2TR), but disables key path spending. That means P2QRH outputs can only be spent via script path, never by revealing a classical public key.
PQC decoupled:
Instead of including post-quantum signature algorithms in BIP 360, the authors now intend to propose post-quantum signatures in a separate BIP. This allows developers to activate Taproot quantum resistance without needing to introduce PQC, which will require substantially more review.
BIP 360 in its updated form may be reviewed here. Additionally, please feel free to review this quick explainer video by Hunter Beast.
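As an added illustration of the "script path only" rule (this is not BIP 360 code), the following Python walks a Taproot witness the way BIP 341 does, tells key-path spends from script-path spends, and refuses the key path for a P2QRH output. How a node recognises a P2QRH output as opposed to a plain P2TR one is left as a caller-supplied flag, since the encoding is not described above.

```python
# Added example: sorting a BIP 341 witness into key-path vs script-path spends,
# plus a P2QRH-style rule that rejects the key path. Not BIP 360 code; how a
# P2QRH output is told apart from P2TR is an assumption here (the caller
# passes is_p2qrh).
from typing import List, Optional, Tuple

ANNEX_TAG = 0x50          # BIP 341: a last witness element starting 0x50 is the annex
LEAF_VERSION_MASK = 0xfe  # low bit of the control byte is the output-key parity
MAX_MERKLE_DEPTH = 128


def classify_taproot_spend(witness: List[bytes]) -> Tuple[str, Optional[dict]]:
    """Return ("key", None) or ("script", info) following the BIP 341 witness rules."""
    stack = list(witness)
    if len(stack) >= 2 and stack[-1][:1] == bytes([ANNEX_TAG]):
        stack.pop()                                   # the annex is not part of the spend
    if not stack:
        raise ValueError("empty witness")
    if len(stack) == 1:
        if len(stack[0]) not in (64, 65):
            raise ValueError("key-path witness must be a 64/65-byte Schnorr signature")
        return "key", None                            # spends by signing with the output key
    control = stack[-1]
    if len(control) < 33 or (len(control) - 33) % 32:
        raise ValueError("control block must be 33 + 32*m bytes")
    depth = (len(control) - 33) // 32
    if depth > MAX_MERKLE_DEPTH:
        raise ValueError("merkle path too deep")
    info = {
        "leaf_version": control[0] & LEAF_VERSION_MASK,
        "internal_key": control[1:33],                # x-only internal key
        "merkle_depth": depth,
        "script": stack[-2],                          # the leaf script being executed
    }
    return "script", info


def p2qrh_spend_allowed(witness: List[bytes], is_p2qrh: bool) -> bool:
    """P2QRH as summarised above: same witness layout as P2TR, key path refused."""
    kind, _ = classify_taproot_spend(witness)
    return not (is_p2qrh and kind == "key")


# Constructed witnesses (dummy bytes, not real signatures or keys).
KEY_PATH_WITNESS = [b"\xaa" * 64]
KEY_PATH_WITH_ANNEX = [b"\xaa" * 64, bytes([ANNEX_TAG]) + b"annex"]
SCRIPT_PATH_WITNESS = [
    b"\xbb" * 64,                                     # signature consumed by the leaf script
    b"\x20" + b"\x01" * 32 + b"\xac",                 # leaf script: <pubkey> OP_CHECKSIG
    bytes([0xc0]) + b"\x02" * 32 + b"\x03" * 32,      # control: leaf v0xc0, internal key, 1-deep path
]

if __name__ == "__main__":
    for name, w in [("key", KEY_PATH_WITNESS), ("annex", KEY_PATH_WITH_ANNEX),
                    ("script", SCRIPT_PATH_WITNESS)]:
        print(name, classify_taproot_spend(w)[0],
              "P2TR ok:", p2qrh_spend_allowed(w, False),
              "P2QRH ok:", p2qrh_spend_allowed(w, True))
```

The same three witnesses are all valid for an ordinary P2TR output; only the one-element key-path witness is turned away when the output is flagged P2QRH, which is the whole of the consensus change the updated BIP describes.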
New Hourglass Iteration Proposes 1 Bitcoin Limit per Legacy Spend
The Anduro team is working on a new version of Hourglass, dubbed v2, which is set to be a consensus-level upgrade to limit the speed at which quantum-vulnerable bitcoin can be moved.
This proposal is still in research phases — however, folks can learn more about their process via Hunter’s recent talk at PubKey in NYC.
The team hopes to make changes that will effectuate the following:
Disable creation of new P2PK outputs (like Hourglass v1), with plans to phase out reused addresses and possibly P2TR key path spends (i.e. BIP 360).
Limit spending from quantum-vulnerable addresses to 1 BTC per block (from 1 input per P2PK output per block in v1), drastically slowing movement from these addresses — and expanding the number of protected addresses to include reused ones.
Hourglass v2 requires change over and above 1 BTC per spend to be sent back to the original spending address at the consensus level.
Set to establish a timeline and bandwidth cap for risky output types, gradually pushing users toward quantum-resistant formats.
Core motivations for these changes include maintaining incentive-compatibility with miners (as in v1), while addressing incentives of holders and economic nodes (new).
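An added illustration of the spending limit as described above (one reading of the summary, not the Anduro team's code): a Python block-level check that caps what may leave each quantum-vulnerable address at 1 BTC per block, requires the remainder to return to the spending script, and refuses fresh P2PK outputs. It assumes the P2PK ban exempts change returning to the script being spent (otherwise the return rule could not be met), and takes the set of reused addresses as an input rather than deriving it.

```python
# Added example: a block-level checker for the Hourglass v2 rules as summarised
# above (no new P2PK outputs; at most 1 BTC per block leaving each quantum-
# vulnerable address; the rest must return to the spending address). This is a
# reading of the summary, not the Anduro team's code. The set of "reused"
# addresses is supplied by the caller.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

OP_CHECKSIG = 0xac
SATS_PER_BTC = 100_000_000
LEGACY_OUTFLOW_CAP = 1 * SATS_PER_BTC   # per vulnerable address, per block

TxIn = Tuple[int, bytes]    # (value in sats, scriptPubKey of the UTXO being spent)
TxOut = Tuple[int, bytes]   # (value in sats, scriptPubKey)
Tx = Tuple[List[TxIn], List[TxOut]]


def is_p2pk(spk: bytes) -> bool:
    """<33- or 65-byte pubkey push> OP_CHECKSIG: the public key is already on-chain."""
    return len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == OP_CHECKSIG


def hourglass_v2_violations(block: List[Tx], reused: Set[bytes]) -> List[str]:
    """Return violations for a whole block; outflow is tracked per address across txs."""
    def vulnerable(spk: bytes) -> bool:
        return is_p2pk(spk) or spk in reused

    outflow: Dict[bytes, int] = defaultdict(int)
    errs: List[str] = []
    for ti, (vin, vout) in enumerate(block):
        spent: Dict[bytes, int] = defaultdict(int)
        for value, spk in vin:
            if vulnerable(spk):
                spent[spk] += value
        returned: Dict[bytes, int] = defaultdict(int)
        for oi, (value, spk) in enumerate(vout):
            if spk in spent:
                returned[spk] += value          # change going back to the spending script
            elif is_p2pk(spk):
                # Assumption: the ban on new P2PK outputs exempts change returned to
                # the script being spent, otherwise the return rule could not be met.
                errs.append(f"tx{ti} vout[{oi}]: new P2PK output not allowed")
        for spk, v_in in spent.items():
            # Everything not paid back to the same script (fee included) counts as moved.
            moved = max(0, v_in - returned[spk])
            outflow[spk] += moved
            if outflow[spk] > LEGACY_OUTFLOW_CAP:
                errs.append(f"tx{ti}: {outflow[spk] / SATS_PER_BTC:.8f} BTC would leave "
                            f"vulnerable script {spk.hex()[:16]}... this block (cap 1 BTC)")
    return errs


# Constructed sample (dummy key bytes). A 5 BTC P2PK coin: 1 BTC may leave per
# block; the remaining 4 BTC (less the fee) must return to the same script.
SPK_P2PK = b"\x21\x02" + b"\x44" * 32 + bytes([OP_CHECKSIG])
SPK_P2TR = b"\x51\x20" + b"\x22" * 32
COMPLIANT_TX: Tx = ([(5 * SATS_PER_BTC, SPK_P2PK)],
                    [(1 * SATS_PER_BTC - 10_000, SPK_P2TR), (4 * SATS_PER_BTC, SPK_P2PK)])
GREEDY_TX: Tx = ([(5 * SATS_PER_BTC, SPK_P2PK)],
                 [(2 * SATS_PER_BTC, SPK_P2TR), (3 * SATS_PER_BTC - 10_000, SPK_P2PK)])

if __name__ == "__main__":
    print(hourglass_v2_violations([COMPLIANT_TX], set()))                 # no violations
    print(hourglass_v2_violations([GREEDY_TX], set()))                    # over the cap
    # Two compliant spends from the same script (different coins) in one block:
    # the second one breaches the per-block cap.
    print(hourglass_v2_violations([COMPLIANT_TX, COMPLIANT_TX], set()))
```

Because the cap is tracked per script across the whole block rather than per transaction, splitting a large move into several 1 BTC transactions does not get around it; that is the property that makes the limit a rate limit rather than a per-spend size limit.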
The proposal is still in the making, and the team is receiving feedback from the community in their Discord channel.
For more information on this, please watch Hunter’s talk at PubKey on the subject here.
Quantum Bitcoin Summit at Presidio Bitcoin
This month several leading Bitcoin developers — including Pieter Wuille, Ava Chow, Tadge Dryja and others — descended on Presidio Bitcoin in San Francisco for an invite-only roundtable on potential quantum mitigations.
Tadge, Hunter, Jameson Lopp and Lightning Labs' Olaoluwa Osuntokun all presented proposals for mitigating the quantum threat. To view the talks at this event, check out the Presidio Bitcoin X page here.
PsiQuantum founder Terry Rudolph was also in attendance, giving an update on the state of quantum computing and its likelihood of breaking ECDSA anytime soon — hint: he took the "over" bet when asked if this might happen in the next 5 years.
For a full breakdown, including insights from Bitcoin Policy Institute’s Matthew Pines, Zach Shapiro, and Zach Cohen on the event’s takeaways and what quantum means for Bitcoin’s future, watch the Bitcoin Policy Hour recap here.
Government Agencies No Longer Required to Implement PQC
A modified Executive Order from President Trump replaced one of Biden’s final actions on Post Quantum Cryptography.
The new EO:
Removes the original deadlines for PQC deployment across federal systems
Eliminates the need for agencies to require post-quantum capable solutions from suppliers
Removes the requirement for international encouragement to use PQC
To learn more about other changes made to the US Post Quantum Cryptography Policy, dive deeper into this story.
Breaking RSA Now Needs 20x Less Quantum Power
Craig Gidney from Google Quantum AI published a paper that shows how a refined version of Shor’s algorithm could break RSA-2048 encryption in just 12 hours and with less than one million noisy (not error corrected) qubits.
The new research revisits a 2019 paper of his own, in which he estimated that breaking RSA would require 20 million qubits and 8 hours.
FUD of the Month: Did China Really Break RSA?
This month, headlines claimed that Chinese researchers broke RSA using a quantum computer.
What really happened?
The paper referred to covered a quantum experiment to factor a 48-digit RSA integer. That number is only 22 bits long in binary, far from cryptographically relevant, as standard RSA encryption used today typically relies on 2048-bit or 3072-bit keys.
Why the confusion?
Headlines and social media posts skipped key details (like the bit length of the target) and implied this experiment was a breakthrough against real world encryption (it wasn’t).
Impact on Bitcoin?
None. Bitcoin uses secp256k1, an elliptic curve cryptography (ECC) scheme that is completely different from RSA. There is still no known quantum computer capable of breaking it (or RSA).