Institutions want a post-quantum roadmap for Bitcoin by 2029. Sitting around a table at Pubkey, Ryan Gentry, Thomas Pacchia, and Christian Langalis sort the real engineering, BIP-360 and the BIP-361 freeze debate, from the FUD, and land on a familiar answer: the cryptographers will figure it out.
↓ Jump to the video and timestamps
We recorded this one live at Pubkey in New York, which means it is less a structured interview than four people pulling a thread until it snaps and then grabbing the next one. Ryan Gentry, Thomas Pacchia, and Christian Langalis were at the table, and somewhere between college football, the FTX hangover, and the longhouse theory of political organization, we actually got to the thing we sat down to talk about: whether quantum computers are coming for Bitcoin, and what the people who would have to fix it are actually doing about it.
The reason the topic was in the air that afternoon is that earlier in the day there had been a livestream panel, the kind of thing that did not exist three years ago, where serious people from serious financial institutions sat on a stage and talked about Bitcoin's quantum exposure as a line item they have to manage. Ryan had been in the room for it. His read on what he heard is the spine of this post, and it is more useful than another round of "is Bitcoin quantum safe," because the question has quietly moved on from whether Bitcoin can be made quantum-resistant to how it gets migrated and who decides.
This is a conversation post, not a protocol spec. For the heavier engineering, I will point you to the cryptographers we have had on who actually write this code. But the framing from this table is worth getting down, because it captures the exact moment the quantum question turned from a meme into a governance problem.
The thing that set the conversation off was not a new paper. It was a vibe shift Ryan picked up at a livestreamed panel earlier that day, where representatives from large financial institutions, the kind of names you would recognize, talked openly about quantum as something they have to plan around.
His charitable read on their position is the most useful part of the whole segment, so I want to lay it out the way he did. The institutional case for Bitcoin, the one that got these firms to allocate, is asymmetric upside with very limited downside. Ryan reached for a Ross Stevens formulation to make the point: if you have an exponential return profile and you can eliminate the probability that the thing goes to zero, your expected return does not just improve, it explodes, because the zero in the distribution was doing enormous damage to the average. Take the zero out and the math gets very good very fast.
Quantum, to an allocator, is a thing that puts a non-zero number back into the "goes to zero" bucket. So when these institutions ask Bitcoin for a quantum roadmap, they are not being unreasonable. They are protecting the exact property that made the asset investable for them in the first place. As Ryan put it, they need something to tell the investor who has suddenly gotten nervous and is asking what the plan is.
Where he is less charitable, and I think correctly, is on whether those institutions understand the thing they are asking about. Open-source protocol development does not have a CEO who can publish a roadmap on demand. There is no one to call. The work happens in proposals and mailing lists and on the timelines of the people doing it, and from the outside that can look like silence even when it is the opposite of silence. The risk Ryan flagged is that a panicky investor who cannot parse the proposals defaults to the laziest available story, which is that Bitcoin is doomed and will never coordinate a fix. That is the same fatalism Bitcoin has been fighting since the beginning, dressed up in new physics.
It is worth separating two things that get jammed together, because the panel did.
The first is the underlying technical reality, which is real and has been getting more concrete. Bitcoin's signatures rest on elliptic-curve cryptography, and a sufficiently large, fault-tolerant quantum computer running Shor's algorithm could in principle derive a private key from a public key that has been exposed on-chain. For a long time the resource estimates for that machine were comfortably enormous. They have been shrinking. A Google Quantum AI researcher, Craig Gidney, published work in May 2025 reducing the estimate for factoring RSA-2048 to under a million noisy qubits, roughly a twentyfold cut from his own 2019 figure, achieved through better algorithms rather than better hardware. CoinDesk's write-up of that result is the readable version. A follow-on analysis pushed the same logic onto the ECDSA curve Bitcoin actually uses. None of this means the machine exists. It means the goalposts are moving toward us, not away.
The second thing is the institutional reaction, which is rational at the portfolio level and overwrought at the engineering level. BlackRock quietly added quantum computing to the risk factors in its iShares Bitcoin Trust prospectus, warning in an SEC filing that advances in the field could undermine the cryptography securing the network and that Bitcoin might need a broad consensus upgrade to stay secure. That is the largest asset manager in the world putting the quantum question in writing. When you hold that much of an asset, you disclose the tail risks, and you start asking the asset's community for a plan.
The table's posture toward all of this was calm without being dismissive. Ryan's summary of his own position was direct:
I do not think quantum computers are going to take bitcoin to zero.
The point is not that the risk is fake. It is that "doomed" and "being actively engineered against on a multi-year horizon" are very different claims, and the FUD collapses them into one.
Here is the part the nervous-investor story misses entirely: there is a lot happening, and it is written down.
The most developed work on the address side is BIP-360, authored by the developer who goes by Hunter Beast and originally framed as "QuBit," a Pay to Quantum Resistant Hash output type. The mechanics have evolved in the open, but the idea is a new address format that removes the quantum-vulnerable key-spend path and commits to post-quantum signature schemes, the NIST-standardized lattice and hash-based families like ML-DSA and SLH-DSA. The project's own write-up is the clearest primer, and there is already testnet implementation work demonstrating quantum-resistant transactions. Hunter Beast's framing for the whole effort, which has become something of a motto, is "prepared, not scared." That is the right register, and it is the one this panel was in.
The harder, more contested piece is migration. New addresses do not help the coins sitting in old, quantum-vulnerable outputs whose owners never move them, including, famously, a very large amount of early Bitcoin. That is where BIP-361 comes in, titled "Post Quantum Migration and Legacy Signature Sunset," with Jameson Lopp among the contributors. The proposal sketches a phased plan: a window after activation where new sends to vulnerable address types are blocked, then a later phase where legacy signatures are invalidated outright, which would freeze coins that never migrated, with a possible zero-knowledge rescue path floated for recovery. The deadline most people anchor to is 2029, which is roughly when Google has said it wants its own systems post-quantum ready.
Ryan name-checked the migration proposal at the table and was honest that he had not made up his mind on it. That is the correct amount of certainty to have right now. Freezing untouched coins to protect the network is one of the genuinely hard tradeoffs in Bitcoin, because "your keys, your coins" and "we will invalidate your old signatures for the good of the network" are in obvious tension, and reasonable people land in different places. He also pointed to active writing from working developers, including the contributor who goes by Roast Beef, as evidence that this is a live design conversation rather than a stalled one. The takeaway he kept landing on was less about any single BIP and more about the shape of the thing: the groundwork is being laid for something to eventually get merged in, if and when it is needed.
Thomas Pacchia, who runs Pubkey and has watched Bitcoin's governance fights from inside the room for years, put the institutional anxiety in the only context that makes it legible: this is a coordination fight, and Bitcoin has had those before.
He is moderating a panel at the upcoming conference built around exactly this, with guests drawn from different eras and camps of Core development, specifically to surface how the culture around protocol changes has shifted over the last five or six years. His expectation, said with a grin, is that he is not going to make a ton of friends with it. That is the tell that it is the right panel. The quantum migration debate is not really a debate about qubits. It is a debate about who gets to decide what Bitcoin does, on what timeline, and how much an institution holding a large share of the supply should get to influence that. The block size wars were about throughput and the same underlying question. Quantum is about cryptography and the same underlying question.
One of the funnier moments captured the gap between the institutions and the people doing the work. Ryan recounted someone on the institutional panel fumbling a BIP number on stage, mangling it the way the running gag in Inglourious Basterds mangles "three." It is a small thing, but it is the whole dynamic in miniature: the firms now hold the asset and have to speak about its roadmap publicly, while the actual roadmap lives in the heads and repos of people they have never met and do not entirely understand. Closing that gap, more than solving any equation, is the work of the next few years.
If you want the honest, deflationary version of where this stands, it is this. Quantum is a real long-term risk to Bitcoin's signature scheme. The resource estimates for the attacking machine are shrinking, which is why institutions started disclosing it and asking for a plan in 2025 and 2026. There is no machine today that can do it. There are multiple serious proposals, BIP-360 for quantum-resistant addresses and BIP-361 for migration, that are being argued over in the open by the best cryptographers in the space. And the hardest part is not the math, it is agreeing on the migration, especially what to do about coins that never move.
The practical posture for a normal holder is the one Hunter Beast named: prepared, not scared. Follow the proposals if you are inclined. Do not panic-move your stack in response to a headline. And recognize that the loud "Bitcoin is doomed" version of this story is, as Ryan put it, the same FUD pattern Bitcoin has beaten over and over, just with newer vocabulary. The version worth your attention is quieter and more boring, which is that this is a known engineering problem with people working on it, and the institutions are catching up to a conversation Bitcoiners have been having for years.
The line the whole segment kept circling back to, and the one I would leave you with, was Ryan's:
Got the best cryptographers in the world working on Bitcoin. They're going to figure it out.
Ryan Gentry spent years leading business development at Lightning Labs, where he helped scale the Lightning Network's payments volume, after an earlier stint as an analyst at Multicoin Capital. He has since moved toward Bitcoin infrastructure on the capital side. On this episode he carried most of the substantive quantum discussion, drawing on having sat in on the institutional panel earlier that day.
Thomas Pacchia is the co-founder of Pubkey, the Bitcoin bar and event space in New York's Greenwich Village that hosted this recording, with a much larger second location and steakhouse opening in Washington, DC. A former derivatives lawyer who later worked at Fidelity, he is also the force behind the "Hot Style Takeover" events that run alongside the major Bitcoin conferences.
Christian Langalis works on Urbit and is involved with the Urbit Systems Technical Journal, the project's technical publication modeled on the old Bell Labs journal. His thread on the show was the Urbit angle on cryptography and identity, including the project's move to anchor its identity layer to Bitcoin.
