# Bitcoin & Quantum Computing

> A three-part research series by NVK (@nvk, CEO of Coinkite / Coldcard) examining quantum computing's actual threat to Bitcoin. Grounded in primary sources: IACR preprints, 15+ Delving Bitcoin threads, 20+ Bitcoin Optech newsletter issues, BIP specifications, academic papers, mailing list arguments, testnet reports, and Liquid sidechain data. ~15,000 words total.

Compiled via llm-wiki (https://llm-wiki.net), a personal LLM-compiled knowledge base, using parallel agentic research across academic, technical, applied, contrarian, and historical angles.

No hype. No FUD. Just engineering. The series debunks the manufactured quantum panic around Bitcoin while taking the actual defense-in-depth argument seriously. It is the most comprehensive publicly-available inventory of post-quantum Bitcoin proposals as of April 2026.

## What's New (2026-04-11)

**Part 3 updated** — added **proposal #14: PQC Precommitment for Post-Quantum Migration** by Daniel Buchner ([`csuwildcat/pqc-precommitment-migration`](https://github.com/csuwildcat/pqc-precommitment-migration), draft BIP published 2026-04-10, Informational, BSD-3-Clause).

The construction uses BIP 342's "unknown tapscript public key type" rule as a forward-compatibility hook. Tags `0x10`–`0x12` are defined for `SLH-DSA-SHA2-128s/192s/256s` and `0x20`–`0x22` for `SHRINCS-L1/L3/L5`, so the tagged PQC public keys are encoded as unknown key types under current BIP 342 rules. A canonical tapscript leaf looks like a real Schnorr `OP_CHECKSIGVERIFY` plus N `OP_CHECKSIGADD` slots carrying the tagged PQC pubkeys, tallied with `OP_NUMEQUAL`. Each slot is satisfied today with a non-empty dummy witness sized so that each slot self-funds the 50-unit sigops decrement (`len(dummy) >= 47 - len(slot-key)`). A future soft fork can bind real verification semantics to those tags, transporting full PQ signature material via the annex or another new witness location — **without rewriting the output or script**.

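The dummy-sizing rule above can be checked with a per-slot byte count. This is an added example, not code from the draft BIP or from the series. It assumes a slot key is one tag byte followed by the raw public key, uses the FIPS 205 SLH-DSA public-key sizes, and counts witness bytes according to our reading of BIP 342's budget rule (budget grows with serialized witness size).

```python
SIGOP_COST = 50  # BIP 342: a signature opcode with a non-empty signature costs 50

# Tags are from the page; raw sizes are FIPS 205 SLH-DSA public-key lengths.
# Assumption: slot key = 1 tag byte + raw public key.
SLH_DSA_SLOTS = {
    "SLH-DSA-SHA2-128s": (0x10, 32),
    "SLH-DSA-SHA2-192s": (0x11, 48),
    "SLH-DSA-SHA2-256s": (0x12, 64),
}

def slot_key_len(name):
    _tag, raw_len = SLH_DSA_SLOTS[name]
    return 1 + raw_len

def is_unknown_key_type(key_len):
    # BIP 342: a public key whose size is neither 0 nor 32 bytes is an unknown type.
    return key_len not in (0, 32)

def min_dummy_len(key_len):
    # The page's bound, floored at 1 because the dummy witness must be non-empty.
    return max(1, 47 - key_len)

def slot_witness_bytes(key_len, dummy_len):
    # Assumes one-byte length prefixes: a direct script push (key <= 75 bytes)
    # and a one-byte CompactSize for the witness item (dummy < 253 bytes).
    assert 0 < key_len <= 75 and 0 < dummy_len < 253
    script_bytes = 1 + key_len + 1   # push opcode + tagged key + OP_CHECKSIGADD
    stack_bytes = 1 + dummy_len      # CompactSize prefix + dummy witness item
    return script_bytes + stack_bytes

def slot_self_funds(key_len, dummy_len):
    # True when the bytes this slot adds to the witness cover its own sigop cost.
    return slot_witness_bytes(key_len, dummy_len) >= SIGOP_COST

def report():
    rows = []
    for name in SLH_DSA_SLOTS:
        k = slot_key_len(name)
        d = min_dummy_len(k)
        rows.append((name, k, d, slot_witness_bytes(k, d), slot_self_funds(k, d)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Under these assumptions the three overhead bytes (push opcode, `OP_CHECKSIGADD`, CompactSize prefix) are where the constant 47 comes from: `len(dummy) + len(slot-key) + 3 >= 50`.
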
Non-standard under current Bitcoin Core default relay policy (policy, not consensus). Does not, by itself, address Taproot key-path exposure — assumes P2MR (BIP 360) or equivalent handles that separately.

Why this matters: it is the first proposal that is simultaneously (a) consensus-valid today with zero protocol changes and (b) explicitly designed to receive real PQ verification via a future soft fork with **no UTXO rewrite**. A worried holder can park coins into these outputs *today* and automatically gain real PQ verification whenever Bitcoin eventually soft-forks — whichever path it picks. If Q-day never comes, nothing breaks. If it does, migration is a no-op.

The other 13 proposals and the broader analysis (quantum threat timelines, developer positions, Taproot escape hatch, governance bottleneck, QSB no-fork path) are unchanged since 2026-04-09.

## Articles

- [Part 1: I Spent 200 Hours Reading Quantum Computing Papers So You Don't Have To. Bitcoin Is Fine.](https://bitcoinquantum.space/part1/): Why the quantum threat to Bitcoin is overhyped. What Shor's and Grover's algorithms actually break. What the media gets wrong. The 8 claims you'll hear and why 7.5 of them are wrong. Published 2026-04-05. Thread: https://x.com/nvk/status/2041162989760590171
- [Part 2: I Went Deeper Down the Quantum Rabbit Hole. The Industry Is Full of Shit.](https://bitcoinquantum.space/part2/): The base rate problem with expert predictions. What experts actually say when you read between the lines. Follow the money: VCs, defense contractors, and quantum startups have billions riding on hype. The real reason to upgrade Bitcoin's cryptography isn't quantum — it's classical cryptanalysis. Published 2026-04-07. Thread: https://x.com/nvk/status/2041644230620139787
- [Part 3: I Read Every Bitcoin Quantum Proposal. Here's Where We Actually Are.](https://bitcoinquantum.space/part3/): 17 researchers, 14 proposals, three overlapping positions plus a fourth that skips politics entirely and a fifth that pre-commits today and lets a future soft fork catch up later. Comprehensive inventory of BIP-360, SHRINCS, SHRIMPS, QRAMP, Ruffing's Taproot proof, the zk-STARK BIP-32 escape, Quantum Safe Bitcoin (QSB), Buchner's PQC precommitment slots, and more. Published 2026-04-09 (updated 2026-04-11). Thread: https://x.com/nvk/status/2042256970644611072

## Core Findings

### The threat is overhyped

- The largest number factored by a quantum computer is **15** (not 21 — the 2012 "factoring 21" result baked the answer into the circuit)
- Breaking secp256k1 requires roughly **1,200-2,300 logical qubits** running for minutes with fault tolerance
- Current state (2026): **48-94 logical qubits**, millisecond coherence
- Factoring records are a fundamentally bad benchmark due to the fault-tolerance step function (per Gidney, Westerbaan, Aaronson)
- Expert timelines range from 2029 to "never"; defense-in-depth is the right framing, not panic

### The work is real

- **17 named researchers** actively building post-quantum Bitcoin defenses
- Key people: Ethan Heilman (BIP-360), Jonas Nick (SHRINCS/SHRIMPS), Pieter Wuille, Tim Ruffing (Taproot PQ proof), Matt Corallo, conduition, jesseposner, Olaoluwa Osuntokun (zk-STARK escape), Tadge Dryja, Greg Maxwell, Robin Linus (Binohash), Avihu Levy (QSB)
- **15+ active Delving Bitcoin threads**, 20+ Bitcoin Optech newsletter issues (#307-#399)
- **Real SHRINCS transactions exist on Liquid** — Bitcoin's sidechain
- BIP-360 has a running testnet: BTQ Technologies v0.3.0, 50+ miners, 100,000+ blocks, 5 Dilithium post-quantum opcodes active

### Taproot has a partial escape hatch

- Tim Ruffing's [IACR ePrint 2025/1307](https://eprint.iacr.org/2025/1307) formally proves Taproot's script-path spending is post-quantum secure with a **2^81 security bound**
- But 70-90% of P2TR outputs are BIP 86 key-path-only with an unspendable script path — they can't use the escape hatch directly
- **New finding (April 2026)**: Olaoluwa Osuntokun's zk-STARK BIP-32 proof-of-concept lets wallet owners prove seed ownership without revealing the seed, shrinking the confiscation surface from "most Taproot users" to "non-HD wallets and lost seeds". Proof size: ~200KB with risc0 recursive composition. Generation: ~50s on M4 Max.

### SHRINCS is real engineering

- Jonas Nick's SHRINCS produces **324-byte post-quantum signatures** — only 5x larger than Schnorr
- Compare to NIST SLH-DSA: 7,856 bytes (24x larger than SHRINCS)
- Real transactions on Liquid sidechain
- Extensions: SHRIMPS (multi-device, ~2.5KB), Greg Maxwell's cross-signature aggregation
- Unsolved: state management (fault injection, wallet duplication, parallel signing race conditions)

### The critical gap: Lightning

- **No post-quantum adaptor signature construction exists** — not even in theory
- Lightning Network depends on adaptor signatures
- This is Bitcoin's most important scaling layer, and it has no known post-quantum path

### Quantum Safe Bitcoin (QSB) — the no-fork breakthrough (April 2026)

- Published April 9, 2026 by Avihu Levy (StarkWare, co-author of ColliderScript)
- Achieves quantum-resistant Bitcoin transactions using **only existing consensus rules — no soft fork required**
- Uses a hash-to-signature puzzle: RIPEMD-160 hash of a transaction-bound public key interpreted as DER-encoded ECDSA signature (~2^-46 probability)
- Security rests on hash pre-image resistance, not elliptic curve hardness — Shor's algorithm provides zero advantage
- Cost: **$75-$150 per transaction** in GPU compute
- Lineage: ColliderScript (2024, $50M/tx) → Binohash (Feb 2026, $50/tx) → QSB (April 2026, $75-$150/tx for quantum safety)
- Limits: legacy script only, non-standard transactions requiring miner-direct submission (Slipstream), not yet broadcast on-chain

### Governance is the real bottleneck

- Bitcoin's last soft fork activated in **November 2021** — 4.5+ years ago
- Ethan Heilman estimates 7 years for full post-quantum migration (2.5y BIP review, 0.5y activation, 4y ecosystem migration)
- Comparative state: Google's internal PQC deadline is 2029, Cloudflare is already 65% post-quantum, Ethereum has a formal roadmap
- Bitcoin: 0% mainnet PQ transactions via protocol changes (though QSB provides a no-fork path)

## The 14 Proposals Inventoried

1. **BIP-360 / P2MR** — new address format, Taproot minus key-path (published BIP, testnet running)
2. **SHRINCS** — 324-byte hash-based signatures (real Liquid transactions)
3. **SHRIMPS** — 2.5 KB multi-device PQ signatures (prototype)
4. **QRAMP** — hard fork, burn unprotected coins after deadline (politically radioactive)
5. **Ruffing Taproot Proof** — script-path is already PQ-safe (peer-reviewed)
6. **zk-STARK BIP-32 Escape** — prove seed ownership via STARK, migrate without key-path (April 2026 PoC)
7. **Lifted Signatures** (Sattath & Wyborski) — use existing HD wallet keys for PQ spending
8. **OP_CTV Path** — quantum resistance with no new crypto (conceptual)
9. **STARK Compression** — aggregate PQ sigs per block to 76 bytes/tx
10. **Yellowpages** — off-chain PQ address registry ($6M funded)
11. **Hourglass V2** — gradually restrict vulnerable address spending
12. **Binohash** (Robin Linus, Feb 2026) — collision-resistant hash in Bitcoin Script; mainnet PoC mined
13. **Quantum Safe Bitcoin (QSB)** (Avihu Levy, Apr 2026) — PQ transactions with no soft fork
14. **PQC Precommitment** (Daniel Buchner, Apr 10 2026) — tapscript forward-compatibility slots using BIP 342 unknown key types; consensus-valid today with ordinary Schnorr spends and dummy slot witnesses; gains real SLH-DSA or SHRINCS verification via a future soft fork without rewriting the output. Draft BIP at https://github.com/csuwildcat/pqc-precommitment-migration

## Author

**NVK** (@nvk) — CEO of [Coinkite](https://coinkite.com), the company behind the [Coldcard](https://coldcard.com) Bitcoin hardware wallet. Long-time Bitcoin builder focused on operational security, self-custody, and durable cold storage. This series is independent research, not affiliated with any quantum computing vendor.

## Practical Guidance

**For Bitcoin holders**: Stop reusing addresses. Keep long-term holdings in addresses you have never spent from (your public key is still hidden behind a hash). Protect your xpub. Use a Coldcard. Unplug the computer. Go outside. You win.

**For developers**: Review jesseposner's PQ HD-wallet work. Fix the OP_STARK_VERIFY transaction-binding bug. Solve the state-management problem for stateful signatures — it's a career-making problem. Complete Avihu Levy's QSB pipeline and get the first quantum-safe Bitcoin transaction on-chain. If you work on Lightning, the adaptor signature gap is your problem and nobody else is solving it.

**For institutions**: Plan a 2-3 year key rotation window. Track the ECDLP challenge suite for empirical threat progression. The Trezor Safe 7 is the only hardware wallet shipping any PQC at all (firmware only, not signing).

## Optional

- [About page](https://bitcoinquantum.space/about/): Who NVK is, methodology, source disclosure
- [Full content for LLMs](https://bitcoinquantum.space/llms-full.txt): Complete concatenated article content