Chapter 06. When refusal is not enough: Bitcoin’s quantum migration dilemma

Chapter 06. When refusal is not enough: Bitcoin’s quantum migration dilemma
Photo by Boitumelo / Unsplash

This is the July 2026 draft of chapter 06 in my new book, When Policy Falls Behind: Bitcoin, AI, and the Governance of Fast Systems. Copyright © 2026 by Murray A Rudd. A pdf version of this chapter is available at: https://dx.doi.org/10.2139/ssrn.6693259

Introduction

A cryptographically relevant quantum computer (CRQC) running Shor’s (1997) algorithm could derive private keys from exposed public keys (Proos and Zalka, 2003), breaking the elliptic curve digital signature algorithm that secures Bitcoin transactions (Aggarwal et al., 2018; Stewart et al., 2018). More than a third of Bitcoin’s circulating supply has revealed a public key on-chain and is exposed to long-exposure quantum attacks should such a CRQC become available (Lopp et al., 2026). The cryptographic response is comparatively well developed. NIST has ratified post-quantum (PQ) signature schemes (NIST, 2024c, 2024a); the Bitcoin community has drafted technical proposals for migration (Beast et al., 2024; Lopp et al., 2026); and the engineering work needed to deploy quantum-resistant infrastructure is tractable (Mosca, 2018). The challenge is not the availability of cryptographic tools. It is, instead, the institutional question those tools force: what does Bitcoin’s governance require when inaction becomes a choice with system-level consequences?

Bitcoin’s governance architecture rests on permissionlessness and it manifests as a specific configuration of IAD boundary and position (Chapter 2), with exit as the sole formally binding mechanism for high-level political and epistemic disputes. That architecture handles routine operational activity, additive opt-in change, and resistance to hostile capture well, but handles coordinated change toward an external deadline poorly. The same properties that make Bitcoin resistant to censorship, arbitrary intervention, and exogenous redefinition make it difficult to organize binding action when the external pressure is not hostile governance but technological change. It is thus prone to institutional latency via Chapter 2’s second failure mode.

Quantum migration creates that problem because a purely opt-in path leaves a large residual exposure. The population of UTXOs whose owners cannot or will not migrate voluntarily includes approximately 1.7 million BTC held in early Pay-to-Public-Key (P2PK) addresses.[1] Leaving those outputs exposed could open an expansive attack surface for a supply shock (Rudd and Porter, 2025) that institutional holders, exchanges, developers, and users cannot defensibly ignore. Bitcoin’s architecture is therefore being asked to do something its design did not anticipate: produce a coordinated response to an external threat on a timescale dictated outside the protocol.

Two BIPs show why the problem is institutional rather than only technical. BIP 360 (Beast et al., 2024), an opt-in PQ output type, has progressed through technical review and testnet implementation with limited controversy. BIP 361 (Lopp et al., 2026), a phased deprecation of ECDSA and Schnorr signatures that ultimately freezes unmigrated coins, has generated broad public criticism alongside acknowledgment from its own authors that the proposal is not currently in a position to be adopted. The different responses are not incidental. BIP 360 adds a capability that users may choose. BIP 361 asks the community to decide whether preserving Bitcoin as a functioning monetary network can justify constraining legacy claims that still satisfy earlier rules.

Existing work can describe the quantum threat, compare PQ schemes, and specify migration paths, but it treats the problem as cryptographic and stops where the institutional problem begins: none of it explains when a technically available response acquires the legitimate authority to be imposed on holders who have not consented. That gap matters because the obstacle is not a defect Bitcoin can patch but a direct expression of how Bitcoin is governed – a permissionless configuration with no venue in which coordinated, deadline-bound constraint can be authorized. Should the community fail to produce that authority before a CRQC arrives, the exposed coin population becomes a standing threat to Bitcoin’s viability as a monetary network through the ordinary operation of the architecture.

In the terms of Chapter 2 – the four-level IAD framework (Ostrom and Ostrom, 2004; Ostrom, 2005) and Williamson’s (Williamson, 1985, 1999, 2002) alignment of transactions to governance forms – the gap is a governance form mismatch: coordinated migration against an external deadline is a transaction that calls for a governance form Bitcoin’s architecture, by design, cannot supply. A directional reading of institutional latency explains the pattern – low latency when the task is resisting unwanted external change, high latency when it is coordinating a defensive response to one. I argue that the binding constraint sits at the epistemic level, in an unsettled question about what Bitcoin’s commitments are for once quantum exposure turns inaction into a choice. This is a volitional question – in Bromley’s (2006) sense of what there is most reason to want – rather than a computational one that cryptography can close. If technical readiness or procedural process could by itself produce legitimate migration authority, that claim would fail. Whether a system built to deny unwanted authority can also generate legitimate authority for coordinated constraint, without ceasing to be the thing worth defending, is the condition on which Bitcoin’s survival of an externally timed threat depends.

Directional institutional latency in the quantum case

Chapter defines institutional latency as the lag between a recognized institutional claim and a legitimate binding response. The quantum case adds a directional refinement. Bitcoin has low latency when the governance task is resistance to unwanted external authority, tolerable latency when the task is voluntary endogenous improvement, and high latency when the task is coordinated response to an externally imposed deadline. Quantum migration falls in the third category: the threat is increasingly well-specified, cryptographic response paths are visible, and monitoring infrastructure exists, but the authority question remains unsettled.

Bitcoin developers have the technical capacity to deploy PQ signature schemes but governance lacks a mechanism for converting recognized exposure into binding response on a timescale matched to quantum’s seemingly accelerating offensive curve. The failure mode is directional: the same architecture that can reject unwanted external authority struggles to generate legitimate authority for coordinated defensive constraint.

Bitcoin’s directional configuration

BIP 360 can proceed as an endogenous, opt-in capability but BIP 361 asks the community to coordinate around an externally imposed deadline and to constrain legacy claims that still satisfy earlier rules. Exit imposes costs on actors proposing change but does not impose equivalent costs on actors blocking change. A minority can resist needed defensive change by threatening exit, while a majority cannot compel the minority to coordinate without producing the very split the majority is trying to avoid.

In Williamsonian terms, BIP 361 is a high-specificity, high-uncertainty, low-frequency governance transaction (Williamson, 1979, 1985). That configuration would normally call for a hierarchical or strongly coordinated governance form. Bitcoin’s architecture is valuable for the job it was designed to do precisely because it does not supply that type of coordination. Quantum migration therefore converts the governance form mismatch developed in earlier chapters into an externally-timed survival problem.

The quantum threat requires collective action

The threat profile

A CRQC running Shor’s algorithm could – if and when CRQCs become technically feasible – derive private keys from exposed public keys (Proos and Zalka, 2003), breaking the ECDSA and Schnorr signatures that secure Bitcoin transactions. The threat is bounded by what Shor’s algorithm cannot do – it does not break SHA-256 hash functions, which Grover’s (Grover, 1996) algorithm can attack only with quadratic speedup that practical key lengths comfortably outpace (Bernstein, 2009; Aggarwal et al., 2018). Bitcoin mining and the integrity of the chain itself are not the immediate concern. The immediate focus is the signature scheme that secures spending authorization for individual UTXOs.

The threat is time-bounded by quantum’s offensive curve. NIST has ratified production-grade PQ signature schemes in 2024 (NIST, 2024a, 2024c), with FIPS 206 (FN-DSA) released as an initial public draft in late-2025 and not yet finalized. In March 2026, a Google Quantum AI team estimated that solving 256-bit ECDLP on secp256k1 – the discrete logarithm problem underlying Bitcoin’s signatures – would require fewer than 500,000 physical qubits, roughly an order-of-magnitude reduction in required resources over prior estimates (Babbush et al., 2026). McKinsey places CRQC capability emergence as early as 2027-2030;[2] other more conservative estimates extend the range to the mid-2030s (Mosca and Piani, 2025). The dispersion across credible estimates is wide but the lower bound has been moving earlier rather than later, and the timeline exhibits deep uncertainty [27, 28] on multiple fronts.

A useful distinction divides the attack surface. Long-exposure attacks operate against keys exposed on-chain for arbitrary durations, giving the attacker as much time as needed to perform quantum key recovery. Short-exposure attacks operate against keys revealed only briefly during transaction confirmation, and require CRQC capability sufficient to complete the recovery within a single block’s 10-minute confirmation interval (Beast et al., 2024). Blockstream’s quantum framing[3] puts more weight on short-exposure risk than many others do, arguing that fast-clock quantum architectures could make briefly revealed public keys relevant rather than leaving only long-exposed keys in the first-order threat class.

As of March 2026, more than 34% of Bitcoin’s circulating supply had revealed a public key on-chain (Lopp et al., 2026). The exposure includes early P2PK addresses holding approximately 1.7 million BTC, of which approximately 1.1 million is attributed to Satoshi, along with reused addresses across output types and, distinctly, Pay-to-Taproot (P2TR) outputs, which commit the tweaked public key in the scriptPubKey and so expose it at UTXO creation independent of reuse (Beast et al., 2024). Every P2TR output is therefore exposed to a long-exposure attack via the key path, whatever the eventual spend path; the internal key is additionally revealed only on script-path spends. Approximately 5.6 million BTC, roughly 28% of circulating supply, have not moved in over a decade (Lopp et al., 2026); this dormant population is sometimes treated as lost, though recent movements of long-dormant UTXOs during 2025-2026 indicate that dormancy and loss are not equivalent, and that the share of genuinely inaccessible coins is likely smaller than the dormancy figure suggests (Rudd and Porter, 2025).

The technical proposals as institutional artifacts

BIP 360 (Beast et al., 2024), a “Pay-to-Merkle-Root” (P2MR) proposal, introduces a new opt-in output type that operates with nearly the same functionality as P2TR but removes the quantum-vulnerable key-path spend. P2MR commits to the Merkle root of a script tree without committing to an internal public key, which protects against long-exposure attacks. The proposal does not address short-exposure attacks, introduce PQ signature schemes, require any user to migrate, or constrain any user’s ability to continue using existing output types. The proposal is enabling infrastructure: it adds a capability to the protocol without engaging anyone’s epistemic commitments. BIP 360 entered testnet implementation in early 2026 and merged into the BIPs repository in February 2026 (for recent updates on GitHub, see Beast et al., 2024).

BIP 361 (Lopp et al., 2026), a “Post Quantum Migration and Legacy Signature Sunset” proposal, addresses the population of UTXOs that BIP 360 leaves vulnerable. The proposal presupposes that some PQ output type exists (BIP 360 or successor) and adds a phased deprecation of legacy ECDSA and Schnorr signatures. Phase A, activating approximately three years after BIP 361 itself, prevents new sends to quantum-vulnerable addresses. Phase B, activating two years after Phase A, invalidates legacy signatures at the consensus layer, rendering coins in unmigrated addresses permanently unspendable. A possible Phase C would allow recovery of frozen funds through zero-knowledge proofs of seed phrase ownership. The proposal is enforcement infrastructure: it does not add a capability but removes one, on a published timeline, from anyone who fails to migrate.

The two proposals are not technically substitutable. BIP 360 alone leaves the long-exposure problem unaddressed for the large UTXO population whose owners cannot or will not migrate voluntarily. BIP 361 alone is technically inoperative because it depends on a PQ output type for migration to be possible. The proposals are structurally different in their institutional demands (Table 6.1). BIP 360 operates within the architecture’s normal capacity for additive opt-in change, while BIP 361 forces engagement with the architecture’s most resistant levels. The joint proposal turns on a threshold: the point at which the marginal cost of voluntary-only migration (BIP 360 plus operational and implementation infrastructure) exceeds the marginal cost of coercive migration (BIP 360 plus BIP 361).

Dimension BIP 360 (P2MR) BIP 361 (Sunset)
Proposal type Enabling infrastructure Enforcement infrastructure
Coercion Opt-in Mandatory
Adds or removes capability Adds Removes
IAD levels engaged Operational, implementation Political (constitutional), epistemic (meta-constitutional)
Threat coverage Long-exposure attacks only Full migration of vulnerable UTXOs
Target UTXO scope Future and migrating UTXOs All vulnerable UTXOs by Phase B flag-day
Lead authors Beast et al. (2024) Lopp et al. (2026)
Status (April 2026) Merged in BIP repository; testnet implementation Draft; informational status; pre-adoption
Community response Limited controversy Substantial public criticism
Architecture-fit Within normal capacity Forces engagement at most resistant levels

Table 6.1. BIP 360 and BIP 361 compared across technical and institutional dimensions

The community’s response illustrates the directional asymmetry the framework predicts. BIP 360 has progressed through technical review and testnet implementation with limited controversy. BIP 361 has drawn extensive public criticism.[4] The proposal has been described in community discourse as “authoritarian,” “laughable,” and “confiscatory,” alongside acknowledgment from the proposal’s own authors that BIP 361 “isn’t a spec, nor is it proposed for activation. It’s a rough idea for a contingency plan that needs more R&D.”[5] The two responses diverge because the proposals engage different governance levels.

Recent Blockstream research blurs the binary between voluntary migration and coercive sunset. Its research program treats opt-in PQ readiness as an implementation problem that can be advanced before political settlement over legacy coin deprecation. Simplicity (O’Connor, 2017) provides one route:[6] on the layer-2 Liquid protocol, PQ verification can be deployed as a contract rather than through a Bitcoin mainnet consensus change (Ruffing, 2025), making the sidechain a proving ground for cryptographic infrastructure that may later inform Bitcoin. Blockstream’s SHRINCS (Kudinov and Nick, 2025) and SHRIMPS[7] research also targets the constraint that matters most for Bitcoin: PQ signatures must be small enough, recoverable enough, and operationally safe enough to fit wallet and block-space realities. Liquid does not solve Bitcoin’s mainnet migration problem but it shows that opt-in technical preparedness can move ahead of epistemic agreement over coercive migration, preserving option value while the community deliberates over whether BIP 361-style enforcement could ever be legitimate.

Bitcoin’s situation in cross-domain perspective

Transport Layer Security (TLS) migration to PQ cipher suites is coordinated through Internet Engineering Task Force (IETF) working groups with explicit standards processes and version negotiation mechanisms.[8] Banking infrastructure migration is coordinated through regulatory agencies and SWIFT-level standards bodies (BIS, 2025). Government public key infrastructure migration is coordinated through NIST and the Cybersecurity and Infrastructure Security Agency (CISA), with explicit deadlines: the Commercial National Security Algorithm Suite 2.0 (NSA, 2022) mandates PQ migration by 2030 with full deployment by 2033, and NIST IR 8547 plans to prohibit elliptic curve cryptography after 2035 (NIST, 2024b). Each architecture supplies political level coordination venues that Bitcoin lacks.

Bitcoin’s situation is distinctive because it lacks the coordination mechanisms those other domains take for granted. Its design inherits a cypherpunk preference for individual cryptographic sovereignty and mutual cooperation over hierarchical coordination (Brunton, 2019; Jarvis, 2022), and that orientation still shapes community responses to questions requiring collective change (Swartz, 2018). The current quantum challenge tests whether an architecture designed to resist imposed authority can coordinate when technological change, rather than hostile governance, imposes the deadline. Mainstream PQ signatures are also larger; they consume more block space and raise costs for node operators and fee-paying users.

The cross-domain contrast also concerns standards bodies. TLS, banking, and government PKI migrations treat NIST cryptographic standards as authoritative. Bitcoin’s relationship to NIST is more ambivalent because documented failures such as the Dual_EC_DRBG incident (Checkoway et al., 2016) reinforce a sovereignty-first preference for independent verification. The migration problem is therefore not only which signature scheme works but whose assurance counts.

Institutional configuration across IAD levels

Governance layers

The two principal proposals – BIP 360 (Beast et al., 2024) and BIP 361 (Lopp et al., 2026) – engage different parts of Bitcoin’s four-level IAD architecture (Table 6.2). BIP 360 operates mainly at the operational and implementation levels. BIP 361 reaches the political and epistemic levels because it asks whether Bitcoin’s constitutive commitments permit coercive migration when voluntary migration leaves residual system exposure.

Table 6.2. Quantum migration interventions located at the IAD levels they engage. “Primary” indicates the level at which the intervention’s principal governance demand is concentrated; “Secondary” indicates a level at which the intervention also engages but where the demand is derivative or instrumental; “–” indicates the intervention does not engage the level)

Intervention Epistemic Political Implementation Operational
User education campaigns Primary
Wallet PQ output support Primary
Exchange and custodian PQ migration Primary
Hardware wallet firmware updates Primary
BIP 360 activation (P2MR output type) Primary Secondary
Subsequent PQ signature scheme BIP Primary Secondary
BIP 361 Phase A (block sends to vulnerable addresses) Secondary Primary Secondary
BIP 361 Phase B (invalidate legacy signatures) Primary Primary Secondary Secondary
BIP 361 Phase C (ZK proof recovery) Primary Primary Secondary Secondary
Hourglass-style throttling for P2PK Secondary Secondary Primary Secondary

Epistemic level

At the epistemic level, BIP 361 asks what Bitcoin’s commitments to immutability, individual sovereignty, and credible long-term store of value function are for when quantum exposure turns inaction into a system-level risk. The sunset rationale and the confiscation objection are both epistemic claims, even when framed as political arguments about rule changes: each asserts a different priority among constitutive commitments, and Bitcoin has no formal venue in which that priority can be settled.

Political level

At the political level, epistemic commitments are operationalized through contests over rule-making authority, resource allocation, and norm-shaping narratives. For the quantum case, this means deciding how any settlement over immutability, property rights, and long-term network preservation would be expressed in concrete protocol rules.

The political level handles the contested operationalization of whatever the community works out at the epistemic level about what immutability and property rights commitments require. If the epistemic level question of what the commitments are for were settled in favor of strict immutability, the political contestation would concern how to operationalize that strict reading – which signature schemes can be added, what voluntary migration mechanisms are acceptable, and how to handle the population of UTXOs whose owners cannot migrate. If the epistemic level question were settled in favor of credible long-term store of value supremacy, the political contestation would concern how to operationalize the resulting protections – what migration timelines are reasonable, what enforcement mechanisms are proportionate, and what recovery options are required to prevent inadvertent harm. The political level cannot resolve the epistemic question; it can only operationalize whatever resolution the epistemic level produces.

Bitcoin’s architecture handles the political level with characteristic difficulty when epistemic level commitments are themselves under contestation, as they are in the BIP 361 case. There is no central authority that can issue an authoritative interpretation of the protocol’s constitutive commitments, and the political level contestation over operationalization therefore proceeds without the epistemic ground being stable. Multiple identity narratives generate different answers to the political level questions because they rest on different epistemic level commitments, and the architecture provides no formal mechanism for adjudicating among them. The constitutional record – the original Nakamoto (2008) white paper, the accumulated body of BIPs and their associated discussions,[9] the implemented protocol code, and the diffuse community discourse through which interpretations are formed and contested – supplies no binding answer because the question concerns a situation the original commitments did not anticipate or presumed that voluntary collective action could address.

The community’s response to BIP 361 in the months following its February 2026 assignment illustrates the dynamics. Substantive engagement occurred – the proposal’s authors include experienced BIP contributors, the technical community has reviewed the proposal in detail, and the public response has been vigorous and largely critical. What has not occurred, and cannot occur within the architecture, is binding adjudication. The proposal cannot be approved or rejected by any authority; it can only accumulate or fail to accumulate the diffuse community support needed for implementation level activation. The political contestation does not get resolved by the response; it gets deferred while the epistemic question beneath it remains unsettled and the operational and implementation work on BIP 360 proceeds in parallel.

Implementation level

The implementation level translates political level mandates into concrete protocol upgrades – soft forks, BIP activations, and signature scheme deployments – and handles that work imperfectly, with characteristic delays. The Taproot history establishes the benchmark (Wuille et al., 2020): roughly four years from initial BIP draft to activation, with the bulk of that time spent in technical refinement, community discussion, and activation mechanism debate. The implementation level can produce binding response but the timescale is long and the process does not accelerate well under external pressure.

Two features of the implementation level matter for the quantum case. First, the sequential structure: quantum migration requires not a single soft fork but a sequence: a PQ output type; a PQ signature scheme; possibly hybrid schemes (Bindel et al., 2019); and possibly enforcement mechanisms (Beast et al., 2024; Lopp et al., 2026). Each soft fork is a separate implementation problem with its own activation timeline and the aggregate timeline reflects how the political level contestation cascades into implementation level rule-setting. Second, the parameter selection problem: multiple PQ signature schemes are available, with NIST FIPS 206 still in draft as of early 2026, and the implementation mechanism must select among them under conditions where the optimal choice is not yet settled in the broader cryptographic community.

BIP 360 was merged into the official BIP repository on 11 February 2026, with a working testnet implementation activated on the separate Bitcoin Quantum network on 19 March 2026 (Beast et al., 2024). Both milestones reflect movement at the operational and implementation levels of the architecture; neither requires the political or epistemic engagement that BIP 361 forces.

Operational level

At the operational level, migration proceeds through independent market actors – wallet developers, exchanges and custodians, and hardware manufacturers – each deploying PQ support on its own commercial incentives rather than by collective decision. Operational change therefore runs on market mechanisms rather than governance processes. Because the deployment costs concentrate among a few actor classes rather than falling on every user, partial migration is feasible without complete coordination. Operational pressure is therefore the weakest the architecture faces; the difficulty arises in the political and epistemic levels.

Implicit assumptions in the BIP 361 case

The BIP 361 rationale (Lopp et al., 2026) advances a sequence of analytical claims, framed as self-evident, that warrant explicit examination at the political and epistemic levels. Each claim corresponds to a question on which reasonable analysts can differ and each operates in the proposal as a substantive position that becomes visible only when stated as such rather than left as a background assumption. The six positions below are not exhaustive; they are those whose explicit statement most directly illuminates what the proposal asks of Bitcoin’s architecture.

The “private incentive to upgrade” framing

The proposal describes Phase B’s freezing mechanism as a “refined private incentive” and treats frozen unmigrated coins as economically equivalent to the Satoshi-described “donation to everyone.”[10] This conflates two cases that institutional economics distinguishes. The first concerns coins frozen because owners are dead, lost their keys, or are unaware – the modal case for up to 5.6 million BTC that have not moved in over a decade. The second case involves coins frozen because owners chose not to migrate despite capability, perhaps a small share of total frozen value but a different normative case. The first is a transfer from heirs and estates to remaining holders; the second is a Pareto-relevant signal of preference. Treating them identically aggregates over distributional consequences institutional economics typically holds open.

The “redistribution dilemma” trichotomy

The proposal presents the alternatives for handling lost coin quantum vulnerability: allowing anyone to steal; allowing throttled theft; or permitting no one to steal. The trichotomy presupposes that prevention of theft is the dominant normative objective. An alternative framing prioritizes minimization of total welfare loss inclusive of users frozen out by mistake, which justifies partial recovery mechanisms – the Phase C zero-knowledge-proof option, the hourglass-style throttling proposal – even at the cost of permitting some quantum theft. The trichotomy is analytically restrictive in a way the proposal does not acknowledge.

The five-year flag-day

Phase B activates two years after Phase A, which itself activates approximately three years after BIP 360, giving a five-year lag from BIP 360 activation to legacy signature invalidation. The proposal asserts this timing as “the best balance” between giving account owners migration time and maintaining ecosystem integrity. This is the parameter on which formal decision analysis would have most to contribute. At what assumed CRQC arrival distribution does five years dominate three years or seven years? How robust is that dominance to specification of the loss function? The proposal’s five-year choice is asserted, not derived.

The fiduciary duty claim

Under BIP 361’s interpretation, institutional holders face fiduciary duties to migrate, with BIP 361 authors framing inaction as a duty violation. Chapter 5 develops the custody and fiduciary problem in detail but the quantum-specific point is narrower. Fiduciary implications depend on probability assessment. An institution that assesses the offensive curve as slow can defensibly monitor the situation; one that assesses it as fast can defensibly migrate early. The proposal treats that assessment as settled when it is precisely one of the disputed inputs.

The unilateral stakeholder framing

The stakeholder incentives table in BIP 361 also lists incentives to upgrade but not the costs of premature upgrade: engineering costs at exchanges and wallet providers; fee and throughput costs from larger PQ signatures; coordination risk if the selected scheme is later deprecated; and option value lost by committing to a migration path before the technical landscape settles. Option value (McDonald and Siegel, 1986) is central because the BIP 360 / BIP 361 timing choice determines whether Bitcoin preserves or destroys the option to wait for NIST, IETF, TLS, and wallet-ecosystem convergence.

The status quo specification

The proposal evaluates BIP 361 against an implicit status quo of inaction. At least three plausible candidates for the appropriate status quo exist: current state with no PQ infrastructure; BIP 360 activated as a floor with no enforcement; and BIP 360 plus voluntary best-practice migration without enforcement. Each generates a different counterfactual against which BIP 361’s marginal contribution is evaluated. A differential evaluation across these candidate baselines is what formal cost-benefit analysis would produce, and the result turns on which counterfactual is taken as the baseline.

These six implicit positions do not invalidate the BIP 361 proposal. They identify where the proposal’s economic claims rest on unstated normative assumptions and empirical commitments. A formal institutional economics treatment would identify each, examine its sensitivity, and characterize the conditions under which the proposal’s policy conclusion follows.

IAD interpretation

As documented in other chapters, Bitcoin’s architecture here handles the operational and implementation levels with characteristic adequacy and the political and epistemic levels with characteristic difficulty. The BIP 360 and BIP 361 proposals split along this divide: BIP 360 operates at the operational and implementation levels and is moving through the architecture at its normal pace, while BIP 361 forces engagement at the political and epistemic levels and encounters the architecture’s strongest resistance. The architecture has not failed; it is doing exactly what its directional institutional latency profile predicts, but that profile may not be adequate for a novel threat arriving on an indeterminate time horizon.

The directional profile at the epistemic level is the most unfavorable in the architecture. Resistance to exogenous change is institutionally expressed as the refusal to allow external conditions to revise constitutive commitments – a position with strong principled support and deep historical grounding in Bitcoin’s governance development process (De Filippi and Loveluck, 2016). Coordination toward endogenous change at the epistemic level is rare and slow because the architecture treats such coordination as suspect by design. Coordination toward exogenous change at the epistemic level is what BIP 361 ultimately requires and what the architecture is least equipped to supply. The IAD framework cannot specify how governance change should be supplied; specifying that would require either a hierarchical authority Bitcoin does not have or non-coercive and timely deliberative mechanisms that have not been developed. It clarifies instead why the question is hard, the necessary first step toward whatever pragmatic process the community ultimately conducts to address it.

BIP 361’s authors and critics are not necessarily differing on technical cryptography, the existence of the threat, or the desirability of network security; all of these are mainly settled. They are differing on what Bitcoin’s purpose is and whether the answer to that question can be revised because of emergent external pressure. The quantum challenge can be conducted productively only if the parties recognize that they are arguing about the epistemic question, because the political and implementation mechanisms cannot supply an answer until the epistemic question is – at least provisionally – settled.

Research needs and opportunities

Hypotheses on Bitcoin’s response to the quantum challenge

Testable predictions about the Bitcoin community’s response to the quantum challenge over the coming years can be generated as conditional statements with specified mechanisms and empirical indicators rather than as predictions in the strong sense (Table 6.3). Each can be tested within a 2- to 5-year horizon using public discourse, BIP-process records, and survey research.

Hypothesis Mechanism Empirical indicator
H1. BIP 360 will progress through the architecture faster than BIP 361, controlling for technical complexity. Directional institutional latency: BIP 360 operates at operational and implementation levels where the architecture handles change adequately; BIP 361 forces engagement at political and epistemic levels where the architecture is structurally resistant. Time from BIP draft to activation for BIP 360 versus time to non-rejection or activation for BIP 361.
H2. Bitcoin community sentiment on coercive migration mechanisms will shift non-linearly rather than linearly in response to substantive offensivecurve updates. Epistemic engagement: incremental updates to CRQC capability estimates produce small political level adjustments; threshold-crossing demonstrations produce discrete epistemic reassessments. Comparison of community sentiment shifts to incremental CRQC capability updates versus discrete threshold-crossing demonstrations or near-demonstrations.
H3. The institutional holder population (ETFs, treasuries, sovereign holders) will diverge from the self-custody population in BIP 361 sentiment, with institutional holders becoming supportive earlier than the offensive-curve probability alone would predict. Constituency formation: stability-first institutional holders face fiduciary and reputational pressures that compress their decision horizon; sovereignty-first self-custody holders face no equivalent compression. Differential sentiment in institutional research notes, custody-platform statements, and ETF prospectus disclosures versus self-custody community discourse and developer-forum positions.
H4. Any actual demonstration of quantum capability against ECDSA at sub-Bitcoin key lengths will produce community responses qualitatively different from incremental CRQC capability claims of equivalent technical magnitude. Threshold-crossing salience: epistemic questions deferred under conditions of capability uncertainty become difficult to defer under conditions of demonstrated capability, regardless of the gap between demonstrated and threatening capability levels. Comparison of community discourse, BIP-process activity, and institutional research output before and after any verified ECDSA break at any key length.
H5. Within the institutional / self-custody divergence predicted in H3, BIP 361 scheme-commitment timing preferences will further differentiate by trust in NIST cryptographic standardization, with sovereignty-first holders favoring delayed commitment pending independent validation. Differential trust in standards bodies: stability-first holders likely accept NIST standards as operationally necessary; sovereignty-first holders inherit skepticism rooted in documented NIST compromises that Bitcoin’s design choices already encode. Comparison of scheme-commitment timing preferences in custody-platform statements and ETF disclosures versus self-custody community discourse, controlling for the H3 institutional/self-custody split.

Table 6.3. Hypotheses on Bitcoin’s response to the quantum challenge

Modeling implications

The institutional diagnosis implies a focused modeling agenda rather than a broad methods survey. Formal analysis should not ask simply whether BIP 361 has positive expected net benefits under a single CRQC timeline. It should model an adaptive pathway under deep uncertainty, with threat-side milestones, response-side adoption indicators, and legitimacy costs that change as the migration window narrows. Existing tools – CBA (Hahn and Tetlock, 2008; Arrow et al., 2013), real options (Dixit and Pindyck, 1994), marginal abatement cost curves (Enkvist et al., 2007; Kesicki and Ekins, 2012; ICF, 2014), robust decision-making (Lempert et al., 2003), dynamic adaptive policy pathways (Haasnoot et al., 2013), info-gap theory (Ben-Haim, 2006), and hybrid Bayesian pathway methods (Buurman and Babovic, 2016; Jeong et al., 2021; Rodriguez-Sanchez et al., 2026) – provide useful components, but none is sufficient alone.

The three strands are coupled through time. As threat-side evidence accumulates – FIPS finalization, lower-bit key-recovery demonstrations, qubit and gate-cost reductions, and broader cryptographic deployment – the probability mass on an early CRQC shifts, narrowing the window in which the response side (BIP 360 activation, wallet and custodian readiness, and voluntary migration rates) can complete migration without coercion. The cost and legitimacy strand fixes the crossover, as engineering cost, exposed-UTXO risk, coercion cost, option value, and the political threshold for deprecating unmigrated coins move against one another while that window narrows. A model contributes by tracking these quantities jointly, so that the migration decision follows from their interaction rather than from any single assumed timeline.

The evidence gap is therefore practical: identify when voluntary migration remains robust, when delay destroys the option to coordinate, and when coercive sunset mechanisms become less costly than exposed-UTXO risk. Formal modeling cannot decide what Bitcoin should value but it can discipline the timing question by making the tradeoffs explicit enough for deliberation to proceed on less speculative terms.

Conclusion

Bitcoin’s quantum dilemma exposes a directional asymmetry in institutional latency. The same governance properties that make Bitcoin resistant to capture, censorship, and arbitrary intervention also make coordinated defensive change difficult when the deadline comes from outside the protocol. Exit dominance, distributed authority, and path-dependent informal norms protect Bitcoin against unwanted authority. They do not easily generate legitimate authority when an external technological threat makes inaction costly.

BIP 360 and BIP 361 reveal that asymmetry. BIP 360 fits Bitcoin’s ordinary implementation capacity because it adds an opt-in capability without forcing a settlement over legacy claims. BIP 361 encounters principled resistance because it asks whether the community may constrain coins that still satisfy existing rules in order to preserve Bitcoin as a functioning monetary network. The disagreement is therefore not reducible to engineering. It turns on the epistemic question of what Bitcoin’s commitments are for when the conditions under which those commitments must operate have changed.

The framework developed here does not resolve that question. The pragmatist question (Bromley, 2006; Rudd, 2023) remains open: what is there most reason to want, given conditions that did not exist when the original commitments were made? The analysis does settle where the problem lies: the binding constraint sits at the epistemic and political levels, cryptographic readiness cannot by itself produce legitimate migration authority, and voluntary migration and coercive sunset rules belong to different institutional categories.

That diagnosis also defines a standalone modeling agenda. Bitcoin’s quantum readiness cannot be assessed by asking only whether PQ signatures exist or whether a migration path can be coded. The harder question is how different response pathways perform under uncertainty about CRQC timing, user adoption, legacy exposure, coercion costs, and the legitimacy threshold for deprecating unmigrated coins. Quantum migration therefore becomes a test of whether Bitcoin can preserve its resistance to unwanted authority while developing enough institutional capacity to respond when survival may require coordinated constraint. Failing that test would show that the same design securing Bitcoin against capture can leave it unable to authorize its own survival; passing it would establish that a permissionless network can mount a coordinated defense against an externally timed threat without surrendering the properties that make it worth defending.

References

Aggarwal, D, G Brennen, T Lee, et al. 2018. Quantum attacks on Bitcoin, and how to protect against them. Ledger 3: 127. https://doi.org/10.5195/ledger.2018.127

Arrow, K, M Cropper, C Gollier, et al. 2013. Determining benefits and costs for future generations. Science 341: 349-350. https://doi.org/10.1126/science.1235665

Babbush, R, A Zalcman, C Gidney, et al. 2026. Securing elliptic curve cryptocurrencies against quantum vulnerabilities: resource estimates and mitigations. Google Quantum AI working paper, https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf

Beast, H, E Heilman and I Foxen Duke 2024. Bitcoin Improvement Proposal 360: Pay-to-Merkle-Root (P2MR). https://github.com/bitcoin/bips/blob/master/bip-0360.mediawiki

Ben-Haim, Y 2006. Info-Gap Decision Theory: Decisions Under Severe Uncertainty, Second Edition. Oxford, U.K.: Academic Press.

Bernstein, DJ 2009. Introduction to post-quantum cryptography. In Post-Quantum Cryptography, eds. DJ Bernstein, J Buchmann and E Dahmen, 1-14. Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-540-88702-7_1

Bindel, N, J Brendel, M Fischlin, et al. 2019. Hybrid key encapsulation mechanisms and authenticated key exchange. In Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science 11505, eds. J Ding and R Steinwandt, 206-226. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-030-25510-7_12

BIS 2025. Project Leap Phase 2: Quantum-proofing payment systems. https://www.bis.org/publ/othp107.pdf

Bromley, DW 2006. Sufficient Reason: Volitional Pragmatism and the Meaning of Economic Institutions. Princeton NJ: Princeton University Press.

Brunton, F 2019. Digital Cash: The Unknown History of the Anarchists, Utopians, and Technologists Who Created Cryptocurrency. Princeton, N.J.: Princeton University Press.

Buurman, J and V Babovic 2016. Adaptation pathways and real options analysis: an approach to deep uncertainty in climate change adaptation policies. Policy and Society 35: 137-150. https://doi.org/10.1016/j.polsoc.2016.05.002

Checkoway, S, S Cohney, C Garman, et al. 2016. A systematic analysis of the Juniper dual EC incident. Cryptology {ePrint} Archive, Paper 2016/376, https://eprint.iacr.org/2016/376

De Filippi, P and B Loveluck 2016. The invisible politics of Bitcoin: governance crisis of a decentralised infrastructure. Internet Policy Review 5. https://doi.org/10.14763/2016.3.427

Dixit, AK and RS Pindyck 1994. Investment under Uncertainty: Princeton University Press.

Enkvist, P-A, Tomas Nauclér and J Rosander 2007. A cost curve for greenhouse gas reduction. McKinsey Quarterly, 01 February 2007, https://www.mckinsey.com/business-functions/sustainability/our-insights/a-cost-curve-for-greenhouse-gas-reduction

Grover, LK 1996. A fast quantum mechanical algorithm for database search. Proceedings of the Twenty-Eighth Annual ACM symposium on Theory of Computing, 212–219, https://doi.org/10.1145/237814.237866

Haasnoot, M, JH Kwakkel, WE Walker, et al. 2013. Dynamic adaptive policy pathways: a method for crafting robust decisions for a deeply uncertain world. Global Environmental Change 23: 485–498. http://dx.doi.org/10.1016/j.gloenvcha.2012.12.006

Hahn, RW and PC Tetlock 2008. Has economic analysis improved regulatory decisions? Journal of Economic Perspectives 22: 67-84.

ICF 2014. Economic analysis of methane emission reduction opportunities in the U.S. onshore oil and natural gas industries. Report prepared for the Environmental Defence Fund, https://www.edf.org/sites/default/files/methane_cost_curve_report.pdf

Jarvis, C 2022. Cypherpunk ideology: objectives, profiles, and influences (1992–1998). Internet Histories 6: 315-342. https://doi.org/10.1080/24701475.2021.1935547

Jeong, Y, H Jang and B Yoon 2021. Developing a risk-adaptive technology roadmap using a Bayesian network and topic modeling under deep uncertainty. Scientometrics 126: 3697-3722. https://doi.org/10.1007/s11192-021-03945-8

Kesicki, F and P Ekins 2012. Marginal abatement cost curves: a call for caution. Climate Policy 12: 219-236. https://doi.org/10.1080/14693062.2011.582347

Kudinov, M and J Nick 2025. Hash-based signature schemes for Bitcoin. IACR preprint, https://eprint.iacr.org/2025/2203.pdf

Lempert, RJ, SW Popper and SC Bankes 2003. Shaping the Next One Hundred Years: New Methods for Quantitative, Long-term Policy Analysis. Santa Monica, CA: RAND.

Lopp, J, C Papathanasiou, I Smith, et al. 2026. Bitcoin Improvement Proposal 361: Post Quantum Migration and Legacy Signature Sunset. https://github.com/bitcoin/bips/blob/master/bip-0361.mediawiki

McDonald, R and D Siegel 1986. The value of waiting to invest. The Quarterly Journal of Economics 101: 707-727. https://doi.org/10.2307/1884175

Mosca, M 2018. Cybersecurity in an era with quantum computers: will we be ready? IEEE Security & Privacy 16: 38-41. https://doi.org/10.1109/MSP.2018.3761723

Mosca, M and M Piani 2025. Quantum Threat Timeline Report 2025. https://globalriskinstitute.org/publication/quantum-threat-timeline-report-2025b/

Nakamoto, S 2008. Bitcoin: a peer-to-peer electronic cash system. Unpublished white paper, https://bitcoin.org/bitcoin.pdf

NIST 2024a. FIPS 205: Stateless Hash-Based Digital Signature Standard. https://doi.org/10.6028/NIST.FIPS.205

NIST 2024b. Transition to Post-Quantum Cryptography Standards. NIST IR 8547 (Initial Public Draft). https://csrc.nist.gov/pubs/ir/8547/ipd

NIST 2024c. FIPS 204: Module-Lattice-Based Digital Signature Standard. https://doi.org/10.6028/NIST.FIPS.204

NSA 2022. Commercial National Security Algorithm Suite 2.0. Cybersecurity Advisory CSA-220907-1, https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF

O’Connor, R 2017. Simplicity: a new language for blockchains. Blocksteam technical paper, https://blockstream.com/simplicity.pdf

Ostrom, E and V Ostrom 2004. The quest for meaning in public choice. American Journal of Economics and Sociology 63: 105-147. https://doi.org/10.1111/j.1536-7150.2004.00277.x

Ostrom, E 2005. Understanding Institutional Diversity. Princeton, N.J.: Princeton University Press.

Proos, J and C Zalka 2003. Shor's discrete logarithm quantum algorithm for elliptic curves. Quantum Information & Computation 3: 317–344. https://dl.acm.org/doi/10.5555/2011528.2011531

Rodriguez-Sanchez, AE, E Tello-Leal, BA Macías-Hernández, et al. 2026. Data-driven probabilistic MACCs for smart cities: Monte Carlo simulation and Bayesian Inference of rebound effects. Data 11: 87. https://doi.org/10.3390/data11040087

Rudd, MA 2023. Bitcoin is full of surprises. Challenges 14: 27. https://doi.org/10.3390/challe14020027

Rudd, MA and D Porter 2025. Bitcoin supply, demand, and price dynamics. Journal of Risk and Financial Management 18: 570. https://doi.org/10.3390/jrfm18100570

Ruffing, T 2025. The post-quantum security of Bitcoin’s Taproot as a commitment scheme. IACR preprint, https://eprint.iacr.org/2025/1307.pdf

Shor, PW 1997. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing 26: 1484-1509. https://doi.org/10.1137/S0097539795293172

Stewart, I, D Ilie, A Zamyatin, et al. 2018. Committing to quantum resistance: a slow defence for Bitcoin against a fast quantum computing attack. Royal Society Open Science 5. https://doi.org/10.1098/rsos.180410

Swartz, L 2018. What was Bitcoin, what will it be? The techno-economic imaginaries of a new money technology. Cultural Studies 32: 623-650. https://doi.org/10.1080/09502386.2017.1416420

Williamson, OE 1979. Transaction-cost economics: the governance of contractual relations. The Journal of Law and Economics 22: 233-261. https://doi.org/10.1086/466942

Williamson, OE 1985. The Economic Institutions of Capitalism. New York: The Free Press.

Williamson, OE 1999. Public and private bureaucracies: a transaction cost economics perspective. Journal of Law, Economics and Organization 15: 306-341. https://doi.org/10.1093/jleo/15.1.306

Williamson, OE 2002. The theory of firm as governance structure: from choice to contract. The Journal of Economic Perspectives 16: 171–195. http://www.jstor.org/stable/3216956

Wuille, P, J Nick and A Towns 2020. Bitcoin Improvement Proposal 341. Taproot: SegWit version 1 spending rules. https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki


  1. https://www.unchained.com/blog/bitcoin-address-types-compared ↩︎

  2. https://www.mckinsey.com/capabilities/mckinsey-technology/our-insights/mckinsey-quantum-technology-monitor-2026-a-commercial-tipping-point#/ ↩︎

  3. https://blockstream.com/quantum/ ↩︎

  4. https://cointelegraph.com/news/bitcoin-devs-and-researchers-propose-freezing-quantum-vulnerable-coins-bip-361 ↩︎

  5. https://x.com/lopp/status/2044406134178795748 ↩︎

  6. https://github.com/BlockstreamResearch/simplicity ↩︎

  7. https://blog.blockstream.com/shrimps-2-5-kb-post-quantum-signatures-across-multiple-stateful-devices/ ↩︎

  8. https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-13.html ↩︎

  9. https://github.com/bitcoin/bips ↩︎

  10. https://satoshi.nakamotoinstitute.org/posts/bitcointalk/threads/71/#7 ↩︎