7-Part Series
What would it actually take to make Bitcoin resistant to quantum computers? Not in theory — in working code, with real tradeoffs, on a live network.
The quantum threat to Bitcoin is well-documented: Shor’s algorithm will eventually break the elliptic curve cryptography that secures every transaction. The question is not whether to migrate, but how — and what breaks along the way.
This series examines the engineering challenges through the lens of projects that have attempted the migration in practice, including the BTQ project (a Bitcoin fork using NIST-standardized CRYSTALS-Dilithium signatures), BIP-360 (Hunter Beast’s Pay-to-Quantum-Resistant-Hash proposal for Bitcoin itself), and the broader post-quantum cryptography research community.
The goal is technical education, not advocacy. Every design choice involves tradeoffs. We present the problems, the options, and the consequences — and let readers draw their own conclusions.
What Changing Bitcoin's Signatures Actually Requires
Why Shor's algorithm breaks elliptic curve cryptography, what NIST's CRYSTALS-Dilithium standard offers as a replacement, and the concrete engineering required to swap signature schemes in a running blockchain.
Why Quantum-Resistant Transactions Need Bigger Blocks
Dilithium signatures are 34 times larger than ECDSA. A typical transaction ends up about 15 times larger. This single fact cascades through block sizes, emission schedules, witness discounts, and chain growth rates — with no easy answers.
From BIP-360 to Pay-to-Merkle-Root
Taproot exposes public keys on-chain, making it vulnerable to quantum key extraction regardless of what scripts you put in the leaves. BIP-360's P2MR proposal removes the key path entirely.
How Hash160 Keeps Them Small
A 1,312-byte public key compressed to a 20-byte address through the same hash function Bitcoin has always used — plus dual address prefixes, bech32m encoding, and why address reuse becomes even more dangerous.
What Changes and What Doesn't
SHA-256 proof-of-work is unchanged — existing ASICs work. But payout transactions explode in size, and you can't stealth-mine for two years like Satoshi did. How do you bootstrap honestly?
Why Both Signature Types Must Coexist
Hard cutover versus gradual migration in a monetary system carrying hundreds of billions in value. Lost wallets, exposed public keys, hardware updates, and the canary network thesis.
Why One Algorithm Isn't Enough
Dilithium is the right first choice, but cryptographic agility demands a framework for Falcon, SPHINCS+, and algorithms that don't exist yet. How do you future-proof a blockchain's signature system?
This series draws on engineering work from the BTQ project, Hunter Beast’s BIP-360 proposal, and contributions from the open-source community — including the pseudonymous security researcher masato83, whose vulnerability disclosures shaped several critical design decisions.