Quantum Safe Bitcoin qBTC

1/ Today, alongside @lopp, we published a draft BIP that sketches Bitcoin’s long‑term migration to post‑quantum cryptography. This BIP is designed to protect Bitcoin and its ecosystem from the advent of quantum computing.

It comes as no surprise that Google has announced a 2029 quantum migration deadline. Some of us have been saying this for the past year++

@chamath @saylor We agree with you @chamath that’s why we created qBTC an implementation of the Bitcoin protocol with ML-DSA post quantum security baked in. We presented it last year at Bitcoin 2025 and will be there again this year.

@saylor No. A store of value has to be 100% hacking resistant. It’s an existential feature. For other industries it will be important but less binary/existential.

@saylor @chamath The entire stack can not upgrade together technically. Quantum will affect that entire stack yes. Attacking Bitcoin results in immediate value extraction Attacking HTTPs results in mitm attacks which may result in credential disclosure which may result in value extraction.

@chamath Your AI thesis assumes the digital world is quantum-resistant. If quantum breaks cryptography, it breaks AI, cloud infrastructure, banks, and the internet—not just Bitcoin. The entire stack upgrades together.

Quantum safety cannot be layered on top of classical cryptography. If the base layer isn’t secure in a post-quantum world, neither is the system built on it. We won’t ship a compromise. We’re now evaluating launching as a sovereign L1. Bitcoin, rebuilt for the post-quantum era

@conordeegan We are seeing and hearing further alignment behind ML-DSA which was a design choice from the onset for qBTC. Are you seeing similar from your optical lens Conor ? Hope you are well.

If you're implementing ML-DSA and trying to decide between pure ML-DSA and HashML-DSA in FIPS 204, use pure ML-DSA. Wrote up the full reasoning but here's the short version. ML-DSA does not work like ECDSA (or RSA-PSS). With ECDSA, your application hashes the message, then the signing algorithm signs the digest. Two separate steps. ML-DSA takes the entire message as input. Internally it hashes the message together with the signer's public key fingerprint using SHAKE-256, producing a 64-byte value called mu. Everything after that, the lattice arithmetic, rejection sampling, signature encoding, operates only on mu. The message is never touched again. The public key binding is important. It means mu is unique to a specific signer, giving ML-DSA a property called non-resignability that ECDSA does not have. An attacker who intercepts mu cannot use it to forge a signature under a different key. HashML-DSA was added to the standard because some vendors wanted the old hash-then-sign workflow back. You hash with something like SHA-512, pass the digest to a modified ML-DSA that flips a domain separation byte and encodes the hash function's OID into the signature. The problem is this turns the hash function into a formal parameter of the primitive. Either the hash is fixed by your protocol (making HashML-DSA redundant) or it varies and the verifier depends on an untrusted parameter. The good news, we do not need HashML-DSA. Nothing stops you from hashing at the application layer and passing the digest to pure ML-DSA as the message. ML-DSA hashes it again internally, binds it to the public key, and produces a standard signature. The double hash is negligible, your hash function choice stays in your protocol spec where it belongs, and ML-DSA stays a self-contained primitive with a clean security proof. The ecosystem pretty much aligns with this. RFC 9881 prohibits HashML-DSA in X.509. RFC 9882 excludes it from CMS. TLS 1.3 ML-DSA draft defines only pure mode. NSA's CNSA 2.0 disallows it. Full write-up including the External Mu mechanism for split signing architectures below.

@nic_carter This echoes our experience too: there’s awareness, but also reluctance. Ultimately it doesn’t matter what anyone thinks. If quantum risk stops institutions from investing in Bitcoin, we should collectively do everything possible to upgrade the network and support its growth.

I just finished indexing the statements of literally every single major Bitcoin developer regarding quantum risk and let me tell you, the results are not pretty almost every single senior/influential bitcoin dev / prior upgrade gatekeeper either explicitly denies the risk or thinks we have decades some acknowledge the risk but see no urgency to act the only ones who explicitly see the risk are _not_ the protocol gatekeepers. 100% of maintainers deny or are silent on the risk I have the receipts, it's pointless to try and tell me the most important core devs secretly actually care. they don't. unless they're engaged in some vast conspiracy to outwardly deny the risk while privately being extremely concerned.

bitcoiners need to realize I'm not a critic that can be dismissed through the traditional means - I have been around forever, I know exactly how everything works - no one has leverage over me, so no one can shut me up, and I have the distribution to get my ideas out there - I have done the work. I have the receipts. I am not speaking out of ignorance. I have just as much information as anyone - I'm used to bitcoiners yelling at me online, so that doesn't work either. I don't care what maxis or anyone else thinks - I am a bitcoiner, and I am motivated by a desire to make it better if you think you can get me to stop by dismissing me as an outsider or saying "you don't know how things work" you are horribly mistaken. I do know how things work, and I don't like what I'm seeing. I will continue until the problem is fixed. so you might as well press the "fix everything" button sooner rather than later.

@nic_carter When we proposed our BIP "Post quantum migration and legacy signature sunset" along with @lopp we experienced a similar beaurocratic gate keeping process and whilst we received overall very positive feedback, we still do not have a BIP number or agreement.

"but youre not meant to do it like this. you need to submit a BIP and get mired in 1000 layers of never ending bitcoin bureaucracy" I don't care actually. I'm opting out of the enormously dumb, fake, gatekept feedback process the beatings will continue

@drakefjustin @tcoratger Hi @drakefjustin At Bitcoin 2025 in Vegas we presented a Bitcoin L2 with post quantum security. We also co authored a BIP with @lopp on Bitcoin post quantum migration. We would be happy to be involved and share our experiences and lessons learned. Let us know.

Today marks an inflection in the Ethereum Foundation's long-term quantum strategy. We've formed a new Post Quantum (PQ) team, led by the brilliant Thomas Coratger (@tcoratger). Joining him is Emile, one of the world-class talents behind leanVM. leanVM is the cryptographic cornerstone of our entire post-quantum strategy. After years of quiet R&D, EF management has officially declared PQ security a top strategic priority. Our journey began in 2019, with the "Eth3.0 Quantum Security" presentation at StarkWare Sessions. Since 2024, PQ has been central to the @leanEthereum vision. The pace of PQ engineering breakthroughs since then has been nothing short of phenomenal. It's now 2026, timelines are accelerating. Time to go full PQ: → PQ ACD: Antonio Sanso (@asanso) kicks off a bi-weekly All Core Devs PQ transactions breakout call next month. These sessions focus on user-facing security, covering dedicated precompiles, account abstraction, and longer-term transaction signature aggregation with leanVM. → PQ foundations: Today we are announcing a $1M Poseidon Prize to harden the Poseidon hash function. We are betting big on hash-based cryptography to enjoy the strongest and leanest cryptographic foundations. Check out our other $1M PQ initiative, the Proximity Prize. → PQ devnets: Multi-client PQ consensus devnets are live! Shoutout to pioneers @zeamETH, @ReamLabs, @PierTwo_com, @geanclient, @ethlambda_lean, as well as established consensus teams Lighthouse, Grandine, and soon Prysm. This incredible teamwork is coordinated by @corcoranwill via weekly PQ interop calls. → PQ workshops: Building on last year's PQ workshop in Cambridge (see photo), the EF is hosting another 3-day PQ event in October. Top experts from around the world will convene. In addition, a PQ day is set for March 29 in Cannes just ahead of EthCC. → PQ FV and AI: Last week Alex Hicks (@alexanderlhicks) ran a specialised maths AI for 8 hours, at a $200 cost. It one-shotted a formal proof one of the hardest lemmas in the foundations of hash-based snarks. Mind-blowing. Applied cryptography will never be the same. → PQ roadmap: A comprehensive breakdown of the EF's proposed PQ strategy will be shared soon™ on pq[.]ethereum[.]org. The roadmap targets a full transition in coming years with zero loss of funds and zero downtime. Stay tuned :) → PQ education: The ZKPodcast (@zeroknowledgefm) is producing a 6-part video series on Ethereum's PQ strategy. EF Enterprise Acceleration is also preparing material for enterprises and nation-states. Finally, Ethereum is now represented on the PQ advisory board that Coinbase announced yesterday. Believe in something. Believe in PQ security.

Quantum threat forces 63-year old investment bank to abandon Bitcoin sg.finance.yahoo.com/news/quantum-t…

We are grateful to @TokenizeCon and @michaelterpin for giving us the opportunity to talk about the quantum threat to Bitcoin

Thank you @saylor for your vote of confidence on the BIP that our chief scientist Christian Papathanasiou @0xfffffffa co authored with Jameson Lopp @lopp

@caprioleio 🙋‍♂️

VanEck CEO talking about the Bitcoin quantum risk and their readiness to dump it if the risk grows. We must quantum proof Bitcoin in 2026!

Today, @IBM and @Cisco announce plans to collaborate on laying the groundwork for a distributed quantum computing network: ibm.co/6011B3DXS Our first milestone: entangling a pair of cryogenically separated quantum processors within the next five years.

"Today, we announce our plans with Cisco to study how we can link quantum processors to lay the groundwork for distributed quantum computing." IBM and Cisco are working on building the first fault-tolerant network of quantum computers by early 2030s

Behind building a quantum computer lies a world of subtle sounds. This ASMR journey invites you into the lab’s quiet rhythms, gentle hums, and intricate patterns of work, offering a glimpse into the focus and precision that drive scientific discovery.

A one-degree change at the start of a voyage determines whether you reach your destination safely or collide with disaster. Bitcoin has the same opportunity today. If we make that one-degree course correction now, we strengthen the system for the next century. If we don’t, the math is unforgiving — and the outcome is inevitable.

$IBM just unveiled Quantum Nighthawk, its most powerful quantum processor yet. IBM says verified quantum advantage will be proven by more people before 2026 ends.

Today, we launched Helios, a technological marvel redefining the possible. Helios is the most accurate quantum computer in the world, with 98 of the highest fidelity physical qubits ever released, and 48 error-corrected logical qubits. Learn more: quantinuum.com/blog/introduci…