MIT Researcher Proposes New Path To Make Bitcoin Quantum-Safe

MIT Digital Currency Initiative director Neha Narula has laid out a proposed roadmap for making Bitcoin resilient to a future cryptographically relevant quantum computer, arguing the network should prioritize a practical, low-risk path that lets users secure their coins now rather than waiting for consensus on harder questions such as how to handle unmoved coins.

In a post published April 20, Narula said Bitcoin does not need “100% of the answers immediately” before taking meaningful action. Instead, she argued for a staged approach: deploy a post-quantum-safe output type and signature scheme through a soft fork, coordinate wallet and application support around it, and push users toward migration well before any true quantum emergency arrives.

Bitcoin Needs Low-Risk Quantum Defenses Now

Her core thesis is straightforward. “We should make the low-harm, low-risk, high-benefit, safety-critical mitigations NOW, and save the high-harm, high-risk mitigations for LATER, when we know with more certainty a CRQC is close,” she wrote, using CRQC to refer to a cryptographically relevant quantum computer.

The proposal Narula favors centers on P2MR, described in BIP 360, combined with a new post-quantum signature opcode and cryptographic agility. In her framing, that combination would allow Bitcoin users to move funds into an output type that remains safe against a quantum attacker, provided they do not reveal a non-post-quantum public key through address reuse or similar behavior.

“If this is done, it gives Bitcoin users the ability to move their coins to a safe output type immediately, having confidence their coins are safe even if a powerful CRQC appears, without worrying about future softforks,” she wrote. “The best candidate for this I have seen so far is P2MR (BIP 360) in conjunction with a new PQ signature opcode and cryptographic agility.”

Narula’s case is not that this solves everything. It does not. She draws a clear distinction between protecting individual users who migrate early and protecting Bitcoin as a system if a large share of coins remains vulnerable. That unresolved portion, which she labels X, is central to the longer-term debate. If only a negligible amount of bitcoin remains exposed, she suggests the network could likely absorb the risk. If the number is large, the situation could become far more destabilizing.

“At the very least I’d say it depends on exact numbers,” she wrote. “If only 0.0001% of coins are insecure, I think Bitcoin will be fine. If 20% of coins are insecure, I think things would probably get pretty chaotic if a CRQC would appear.”

Still, Narula argues that uncertainty over X should not delay the first step. A migration path would generate real on-chain data about adoption and give Bitcoin time to reduce the vulnerable share before the network is forced into more contentious decisions. In her telling, the difficult debate over whether old, inactive or lost coins should eventually be frozen can wait.

“Most importantly, we do not have to decide what to do with people who are unlikely to show up to do anything at all (Satoshi’s coins) right now in order to make progress,” she wrote. “Eventually, if a CRQC seems close, we will have to make a decision one way or the other… But resolving that conversation is not needed to make useful, meaningful progress.”

Narula also pushed back on ideas she sees as distractions or inferior near-term solutions. She dismissed the notion that research proof-of-concept approaches, such as manually constructing post-quantum verification in script or relying on expensive escape-hatch mechanisms, should anchor Bitcoin’s main response. Those ideas may be technically possible, she said, but not operationally suitable for broad deployment.

She also acknowledged the tradeoffs. P2MR would reduce one of Taproot’s efficient privacy properties by eliminating the key spend path, and it depends on wallets handling address reuse correctly. She flagged those as real downsides, but not enough to outweigh the benefit of giving users a way to protect funds without waiting for a second, more politically fraught soft fork.

The roadmap Narula sketched leaves Bitcoin’s hardest governance questions unresolved. That is the point. Her argument is that the network should stop treating perfect alignment as a prerequisite for obvious preparation.

At press time, Bitcoin traded at $75,802.