Bitcoin and the Quantum Threat — Lugano Plan B 2025

Ionut Gaucan · October 27, 2025

At Lugano Plan B 2025, amid the polished optimism of Bitcoin evangelism, one panel cut through the noise with a dose of existential realism. Moderated by Preston Pysh, “Bitcoin and the Quantum Threat” gathered Jameson Lopp, Brad Mills, Mohamed Allam, and Hunter Beast to confront a question few want to dwell on: What happens when quantum computing becomes real enough to break Bitcoin?

How Soon Is Quantum “Soon”?

Timelines dominated the conversation, and consensus was elusive. Hunter Beast warned that Bitcoin might have two to three years to act before hardware progress and Shor’s algorithm optimisations make today’s Elliptic Curve Cryptography (ECC) vulnerable to attack. Mohamed Allam’s lens was economic — he predicted that venture capital would pivot from the AI boom to quantum startups within the same time frame, accelerating development once the current hype cycle bursts.

Jameson Lopp offered a more tempered view: a decade or more before cryptographically relevant machines exist. Yet his caution carried a sting — if the timeline proves shorter than five years, Bitcoin’s governance machinery likely won’t react in time. Brad Mills, speaking as the market’s conscience, drew a parallel to the block-size wars: the debate may seem academic, but delay invites chaos. “The time to start is now” became the unspoken refrain.

The Math Behind the Fear

For most of Bitcoin’s history, “quantum risk” lived in the same drawer as “asteroid impact.” But the panel unpacked it in concrete terms. The real measure isn’t the number of physical qubits, but logical qubits — error-corrected units that can actually execute Shor’s algorithm to derive private keys from public ones. Optimisations are shrinking those requirements faster than most assume, though some of the most hyped technologies, such as “topological qubits”, remain mostly speculative.

The immediate danger lies not in future blocks, but in old coins. A Bitcoin UTXO normally reveals its public key only when it is spent. Outputs that use pay-to-public-key (P2PK), and addresses that have been reused, are already exposed; pay-to-public-key-hash (P2PKH) addresses are safe until their first spend. Around six million BTC already have their public keys revealed, much of it held by exchanges. Roughly 1.7 million BTC appear abandoned — tens of thousands of addresses holding about 50 BTC each, inert but visible targets for the first quantum adversary. Some joked about a “Satoshi bounty,” where lost coins might serve as a sacrificial buffer for the rest.
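The exposure rule described above, as an added Python example (not from the panel or any wallet's code): it classifies a scriptPubKey and reports whether the public key is already visible on-chain. It goes beyond the two script types named here by also covering P2WPKH (hashed, like P2PKH) and P2TR (key in the output script); all sample scripts and values are constructed.

```python
# Added example: which outputs show their public key on-chain before being spent?
# All scripts below are constructed samples, not real UTXOs.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
OP_0, OP_1 = 0x00, 0x51

def classify_script(spk: bytes) -> str:
    """Match a scriptPubKey against the standard single-key templates."""
    n = len(spk)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        if spk[1] in ((2, 3) if n == 35 else (4,)):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    # P2TR: OP_1 <push 32> <x-only output key>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"
    return "unknown"

def exposure(spk_hex: str, address_spent_before: bool = False) -> str:
    """Return 'exposed', 'hidden' or 'unknown' for an unspent output."""
    kind = classify_script(bytes.fromhex(spk_hex))
    if kind in ("p2pk", "p2tr"):
        return "exposed"              # the key itself sits in the output script
    if kind in ("p2pkh", "p2wpkh"):
        # Only a hash is on-chain, unless an earlier spend from the same
        # address already published the key in its input.
        return "exposed" if address_spent_before else "hidden"
    return "unknown"

def exposed_sats(utxos) -> int:
    """Sum the value of outputs whose public key is already visible."""
    return sum(v for spk, v, reused in utxos if exposure(spk, reused) == "exposed")

SAMPLE_UTXOS = [  # (scriptPubKey hex, value in satoshis, address spent from before?)
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),  # P2PK, compressed key
    ("41" + "04" + "22" * 64 + "ac", 5_000_000_000, False),  # P2PK, uncompressed key
    ("76a914" + "33" * 20 + "88ac", 120_000, False),         # P2PKH, never spent
    ("76a914" + "33" * 20 + "88ac", 80_000, True),           # P2PKH, reused address
    ("0014" + "44" * 20, 250_000, False),                    # P2WPKH, never spent
    ("5120" + "55" * 32, 40_000, False),                     # P2TR, key in script
]

if __name__ == "__main__":
    for spk, value, reused in SAMPLE_UTXOS:
        print(classify_script(bytes.fromhex(spk)), value, exposure(spk, reused))
    print("exposed satoshis:", exposed_sats(SAMPLE_UTXOS))
```

A wallet or custodian audit would feed this from its own UTXO set and spend history; outputs reported as "unknown" (multisig or other script hashes) need separate review.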

Choosing a Quantum-Resistant Future

Even if Bitcoin agreed on a fix tomorrow, migrating would be a logistical feat. Larger post-quantum (PQ) signatures bloat transactions, straining Bitcoin’s already tight block space. A full-scale key rotation could take months or years, depending on network throughput and user participation. And as several panelists noted, most users are reactive — they won’t move until after an exploit hits the headlines.

The cryptographic menu isn’t simple. Hash-based schemes like SPHINCS+ are battle-tested but produce signatures measured in kilobytes and lack convenient key derivation. Lattice-based alternatives such as Dilithium are smaller and faster but add verification overhead and untested complexity. Either way, every extra byte of data matters on Bitcoin’s fee market.

Hunter Beast outlined BIP-360, a proposal to embed PQ signature options within Taproot’s script paths, allowing users to choose a quantum-resistant spend route. But code is only half the battle — hardware wallets, libraries, and custodians all need to upgrade in sync. Lopp complemented this with a focus on policy and incentives, arguing that without coordinated economics, even the best BIP could languish unused.

Money, Incentives, and Apathy

Among the most controversial suggestions was a cut-off date — a point after which quantum-vulnerable coins could no longer be spent. Lopp argued that such a rule might be the only way to force migration before catastrophe. Yet it would clash with Bitcoin’s cardinal ethos: “Don’t touch other people’s coins”. The moral calculus is brutal — either break that taboo or risk mass theft once a quantum adversary arrives.

The asymmetry is glaring. Billions flow into quantum hardware research; Bitcoin’s quantum defence efforts are almost unfunded. Institutional custodians and ETFs may eventually act to protect balance sheets — perhaps even supporting the invalidation of vulnerable UTXOs — but that approach may alienate Bitcoin’s cypherpunk roots. Meanwhile, markets won’t wait for clarity: even rumours of a working quantum attack could trigger panic selling long before any mitigation is live.

The panel closed on a sober truth: Bitcoin’s strength — its resistance to change — is also its greatest vulnerability. Every meaningful upgrade takes years of consensus-building, wallet updates, and communication. Success demands not just a BIP, but a campaign: standardisation, testing, user education, and perhaps uncomfortable compromise.

No one on stage believed the sky was falling tomorrow. But the message was unmistakable: the time to prepare is before the sirens sound. Bitcoin’s next great test may not be ideological or regulatory — it may be quantum. And when that day comes, the network will need more than math. It will need coordination, courage, and time — three things the panel agreed are in dangerously short supply.
