Bitcoin’s debate about quantum computers produced a published draft with real political consequences on Apr. 14.
Bitcoin Improvement Proposal 361 (BIP 361), titled “Post Quantum Migration and Legacy Signature Sunset,” landed in Bitcoin’s official proposal repository with a three-phase plan to phase out ECDSA and Schnorr signature spends entirely once a quantum-resistant output type exists on the network.
The proposal builds directly on BIP 360, published in February, which introduced a new address format that strips Taproot’s quantum-vulnerable key-path spend, called Pay-to-Merkle-Root (P2MR). The proposal also preserved compatibility with Lightning, BitVM, and multi-signature setups.
Together, the two drafts constitute the most explicit governance posture Bitcoin has adopted regarding quantum migration to date.
Halfway through this debate, the real split is no longer just about cryptography but about governance: who has the authority to force a migration, on what timeline, and at what political cost if quantum attacks arrive sooner than expected.
What makes this moment sharp is the external calendar hardening around it, as NIST finalized FIPS 203, 204, and 205 in August 2024 and urged organizations to begin migrating immediately.
The UK’s NCSC has set migration milestones for 2028, 2031, and 2035, while US federal agencies face a 2035 quantum-transition target.
Governments, banks, and national cyber agencies already have migration deadlines on their calendars, making blockchains late arrivals to that debate.
Bitcoin’s coercive logic
What separates BIP 361 from prior Bitcoin post-quantum (PQ) discussions is its deliberate coerciveness.
Phase A, three years past the activation of a quantum-resistant address type, blocks new sends to vulnerable address formats. Phase B, two years later, invalidates ECDSA and Schnorr spends from quantum-vulnerable UTXOs at the consensus layer. Coins that have not migrated get frozen.
A possible Phase C would allow frozen coin holders to prove ownership via zero-knowledge proofs linked to a BIP-39 seed phrase and to recover their funds via a later recovery mechanism.
The proposal’s authors, including Jameson Lopp of Casa, frame this as a defense. As of Mar. 1, over 34% of all Bitcoin sat in addresses whose public keys had already been exposed on-chain, making those coins theoretically readable by a quantum machine running Shor’s algorithm.
Google researchers estimated in recent work that a sufficiently powerful quantum computer could crack a Bitcoin private key in roughly nine minutes, with one analysis citing 2029 as a plausible outer bound for a cryptographically relevant machine.
The counterargument arrived on the mailing list immediately.
Tadge Dryja, a Bitcoin developer and Lightning Network co-author, said that the plan is not viable in its current form because it ties the activation of quantum-resistant outputs to the deactivation of elliptic-curve outputs.
That link, Dryja argued, could destroy coins preemptively and relies on definitions of “quantum-vulnerable UTXO” still contested in practice.
The BIPs repository explicitly states that inclusion certifies only that a proposal met formal editorial criteria, with community endorsement and activation timing being separate determinations.
BIP 360 is already running on Bitcoin’s quantum testnet, deployed by BTQ Technologies in early 2026. BIP 361 co-author Ethan Heilman has estimated that a full Bitcoin migration to quantum resilience would take seven years from the day consensus forms.
Tron’s calculated entry
Justin Sun published his own declaration on post-quantum resistance.
In a post on X, the Tron founder announced that the network is officially launching a post-quantum upgrade initiative to become the first major public blockchain to deploy NIST-standardized post-quantum cryptographic signatures on mainnet.
Sun wrote that “while Bitcoin debates whether to freeze vulnerable coins and Ethereum forms research committees, Tron is building.” He added that a technical roadmap is “coming soon.”
Tron holds roughly $86.7 billion in stablecoins, about 97.78% of which is USDT, alongside approximately $5.1 billion in total value locked in DeFi.
Post-quantum readiness on a chain of that scale becomes a question of custody and settlement infrastructure. The networks, exchanges, and custodians moving dollar liquidity through Tron have operational keys, admin paths, and bridge mechanisms that a quantum attacker targeting high-value addresses would prioritize first.
Tron’s current public posture is narrative compression, consisting of decisive language and competitive positioning of the scheme selection, migration model, wallet compatibility plan, and activation path needed to verify what “first major public blockchain” actually means in practice.
CategoryBitcoinTRONEthereumGovernance styleOpen, adversarial, consensus-drivenExecutive-led, founder-driven messagingOpen, layered, research-ledPublic status todayBIP 361 published as a draft in official repo; BIP 360 already publishedInitiative announced by Justin Sun; roadmap still pendingOfficial PQ portal live; active roadmap and devnetsCore migration modelPhased sunset of legacy signatures after a PQ output existsUndisclosed so far; Sun says NIST-standardized PQ signatures on mainnetGradual migration via account abstraction, precompiles, and later consensus changesMain policy logicForce migration with future restrictions and eventual invalidation of vulnerable spendsClaim speed and decisiveness before full technical detailBuild cryptographic agility and avoid a disruptive flag dayWhat users may faceNew sends blocked to vulnerable formats, later frozen legacy coins if not migratedUnknown until roadmap: optional, hybrid, or mandatory migration not yet specifiedWallet and account upgrades spread over time rather than a single cutoffWhat is already specified publiclyPhase A / Phase B / possible Phase C; definition of vulnerable UTXOs under debateNarrative claim, competitive framing, “roadmap coming soon”Execution-, consensus-, and data-layer approach; weekly interoperability devnetsWhat is still missingConsensus, activation path, final definition of quantum-vulnerable outputsScheme choice, migration model, wallet compatibility plan, activation pathSingle fixed migration date or standalone flagship PQ proposalMain risk/trade-offProtect the network but risk freezing or stranding coinsStrong messaging without yet-published operational detailFlexible migration but less coordination pressure on a fixed timetableKey infrastructure at stakeLegacy UTXOs with exposed public keysStablecoin settlement rail, custody, admin keys, bridgesEOAs, bridges, validator keys, execution-layer migrationBest one-line summaryCertainty requires deadlinesSpeed is the productSafety requires agility
NIST’s relevant standards, such as ML-DSA, FN-DSA, and SLH-DSA, carry different trade-offs in signature size, verification speed, and implementation complexity, and choosing among them is a material technical decision.
Ethereum’s layered bet
Ethereum takes the structural opposite of Bitcoin’s forced deadlines.
The Ethereum Foundation launched pq.ethereum.org in March 2026 as a hub for its post-quantum research, roadmap, and open-source repositories, with more than 10 client teams running weekly post-quantum interoperability devnets.
The roadmap spans three layers. At the execution layer, native account abstraction, as defined by EIP-7701 and EIP-8141, provides a built-in migration path away from ECDSA, allowing users to rotate to quantum-safe authentication via smart accounts without requiring a protocol-wide cutover.
At the consensus layer, BLS signatures would eventually give way to hash-based alternatives under the leanSig scheme, which combines XMSS-style quantum resistance with STARK-based aggregation to offset the size and performance costs of post-quantum primitives.
The Foundation’s own assessment places core L1 protocol upgrades around 2029, with full execution layer migration extending beyond that date.
Ethereum’s February 2026 protocol priorities post made the intersection explicit, with native account abstraction providing a natural migration path away from ECDSA-based authentication, while developers are working on complementary EIPs to make quantum-resistant signature verification cheaper in the EVM.
Ethereum has an official roadmap and an active engineering track, with Glamsterdam targeted for the first half of 2026, and it is arriving with no standalone quantum proposal introducing a fixed migration date.
Two futures for migration
The bull case runs through cryptographic agility.
If the threat stays far enough out, and NIST’s estimate that full integration can take 10 to 20 years from standardization supports that reading, chains can migrate without emergency powers.
Bitcoin’s sunset logic narrows to the most clearly exposed outputs or evolves into a softer incentive structure.
Tron eventually publishes a roadmap that names its scheme and migration model, and the market rewards systems that make migration boring: smart accounts, precompiles, key rotation, and wallet updates handled gradually enough that no user wakes up locked out.
Ethereum’s own team has said L1 protocol upgrades could be completed around 2029, the cleanest publicly stated timeline among the major chains in this race.
ScenarioBitcoinTRONEthereumBull case: long runway, orderly migrationSunset logic softens or narrows to the clearest exposed outputs; migration happens before emergency politics take overTRON publishes a credible roadmap, names a scheme, and turns executive speed into operational executionAccount abstraction, precompiles, and staged upgrades make migration gradual and boringWhat wins in this scenarioClear incentives plus enough time for wallets and custodians to adaptFast coordination across wallets, exchanges, and stablecoin infrastructureCryptographic agility across layers without a disruptive flag dayBear case: selective attacks arrive earlyPressure lands first on exposed or high-value legacy coins; governance fight over freezes happens before consensus is matureStablecoin rail concentration turns custody keys, admin paths, and bridges into prime targetsEOAs, bridges, and validator keys become the first pressure pointsWhat breaks in this scenarioPolitical legitimacy of freezing coins vs letting them be stolenNarrative advantage collapses if no published runbook existsDiffuse roadmap looks slow if markets suddenly demand a hard timetableBottom lineMost direct defense, but also the most coerciveFastest rhetoric, but proof depends on roadmap detailsMost complete migration architecture, but still without a single forcing date
The bear case begins where Ethereum’s own portal draws the boundary, and early quantum machines may target a small number of high-value keys.
Bitcoin faces its hardest political test under that scenario because BIP 361 already exposes more than 34% of BTC on-chain, and any selective attack on Satoshi-era or P2PK coins would force the governance question before consensus has formed.
Ethereum’s exposure is concentrated in externally owned accounts, bridges, and validator keys, the exact places a well-resourced attacker would try to exploit first.
Tron’s concentration as a USDT rail makes custody and admin-key migration the first thing to scrutinize, and a narrative initiative without a published technical roadmap offers no operational protection under those conditions.
Who decides
Bitcoin says certainty requires deadlines, Ethereum says safety requires agility, and Tron says speed is the product. None of those positions is obviously wrong.
A coercive Bitcoin deadline forces migration but risks leaving coins behind whose owners cannot be reached.
Ethereum’s layered approach spreads migration pain over years but lacks a single focal point to coordinate wallets, custodians, and exchanges on the same timetable.
Tron’s executive speed may prove real, or it may prove to be another well-timed announcement awaiting a second act.
The actual contest over which governance model can move users, infrastructure, and hundreds of billions in assets before a quantum adversary selects the weakest node belongs to whoever has a runbook when the window closes.
