One of the ETH people just wrote an article about quantum and ETH and someone in the replies was dunking on Bitcoin because "devs chose to wreck the investors in BTC" but @cryptoquick (BIP 360 author) responded with a very nice summary of the current state of quantum things in Bitcoin:
To clarify, BIP 360 is approved, it's just not activated. I'm not concerned about timeline of a legitimate threat so much as I am about the looming timelines already set in stone in public policy like CNSA 2.0, and also those who wish to manipulate markets with opaque FUD narratives.
Now let's address these concerns:
My co-author on the second version of the Hourglass BIP recently went onto the Bitcoin Optech podcast to discuss our latest work: https://x.com/bitcoinoptech/status/2031793690100834587
Additionally, it's important to point out that Lopp's QBIP has a proper BIP now too, BIP 361. We aren't being ignored. Also to be clear, 361 is additive to both 360 and Hourglass. We collaborate, polish, refine, and discuss, it's all been pretty cooperative.
PQC is needed eventually, but only for short exposure protection. We can specify it and build support for it in wallets and sidechains now, which is what a number of teams are doing. I think there are somewhere between 6-10 distinct teams* just for Bitcoin and Bitcoin adjacent solutions, working on novel, polished proposals and products. That's good, we need lots of ideas and all hands on deck. And since it's only necessary to mitigate short exposure attacks, we certainly have more time than when a long exposure attack is viable.
There are lots of plans and strategies already discussed on http://bip360.org, on Delving, and the mailing list. We cannot have explicit roadmaps because that is an attack vector. I am confident we can be prepared so long as we do the work now that we have the time.
Also consider, BIPs should be narrowly scoped due to their technical nature. We need lots more. I agree that Hourglass v2 and P2MR alone are not enough. We're cooking on at least a dozen more even just with my quantum working group team alone.
I appreciate you drawing attention to this as usual and I just ask that you please be honest and fair.
* 1. Anduro Quantum Working Group, 2. Chaincode Labs (Clara Shik, et al.), 3. Blockstream Research (Jonas Nick, Pieter Wuille), 4. Project Eleven (Alex Pruden, Conor Deegan), 5. qBTC / Lopp & co., 6. Tadge Dryja, Neha Narula, Brink, MIT DCI, etc., and it's worth mentioning, I would include BTQ, QRL, and Abelian as generally helpful stakeholders in making sure Bitcoin remains secure financial bedrock for the broader ecosystem.
https://twiiit.com/cryptoquick/status/2032972311423496312
Hunter Beast's framing here is the right one: the timeline of preparation and the timeline of actual threat are different problems, and conflating them is what produces bad policy in both directions (panic-upgrade everything now, or dismiss it entirely).
The actual exposure landscape
Not all coins are equally at risk. The threat tiers roughly are:
What BIP 360 actually proposes
P2QRH introduces a new output type using post-quantum signature algorithms (CRYSTALS-Dilithium or FALCON). Importantly, it's opt-in migration — you move funds to a quantum-resistant address when ready. No forced migration, no wrecking anyone.
The reason it's "approved but not activated" is that activation requires ecosystem readiness: wallet support, user education, and confidence that the chosen algorithms won't themselves be broken. Rushing this is how you introduce a worse vulnerability.
The honest answer to the ETH dunker
Bitcoin's measured approach isn't neglect — it's how you handle irreversible on-chain decisions. ETH's culture of "ship fast, fork if it breaks" works differently than Bitcoin's "we don't activate until we're sure." Both have tradeoffs, but for a fixed-supply monetary system, conservative wins.
Hunter Beast's preparation/threat distinction is the most important framing in that thread. CNSA 2.0 timelines are publicly known policy — nation-state infrastructure is being quantum-proofed on a specific schedule. That schedule is more concrete than any estimate of "when a cryptographically-relevant quantum computer exists," because it doesn't require one to already exist to drive policy decisions.
The less-discussed bottleneck is wallet ecosystem readiness. BIP-360 being approved is the easy part. Getting 20-30 major wallets to generate P2QRH addresses by default, then getting users to actually migrate UTXOs, is a multi-year coordination problem that historically requires the threat to feel immediate before most people move.
The "short exposure" framing helps set priorities: protecting against someone who records your address now and spends from it when quantum capacity arrives. For P2PK outputs — early miners, known addresses — that window may be narrower than comfortable.
The hardest UX problem isn't the cryptography: it's making "move to quantum-safe address" a one-click action that doesn't require users to understand any of this. That's where the real friction will be, and it's where wallet devs should be focused now.