MIT Digital Currency Initiative director Neha Narula today laid out a pragmatic, staged roadmap to make Bitcoin resilient against a future cryptographically relevant quantum computer (CRQC), arguing the network should act now on low-risk protections instead of holding out for perfect consensus on tougher questions like how to treat unmoved or lost coins.
In an April 20 post, Narula said Bitcoin “does not need 100% of the answers immediately” and urged a practical sequence of steps: introduce a post‑quantum‑safe output type and a new post‑quantum signature opcode via a soft fork, build wallet and app support around that option, and drive user migration well before any actual quantum emergency.
Her core prescription is straightforward: “We should make the low‑harm, low‑risk, high‑benefit, safety‑critical mitigations NOW, and save the high‑harm, high‑risk mitigations for LATER, when we know with more certainty a CRQC is close.” In this context CRQC = cryptographically relevant quantum computer.
What she proposes in concrete terms
- Deploy P2MR (BIP 360) as a post‑quantum‑safe output type combined with a new post‑quantum signature opcode and cryptographic agility (the ability to swap crypto primitives as needed).
- Coordinate wallets and services to support that new output and nudge users to migrate coins into it.
- Rely on address hygiene (avoid address reuse and exposing non‑PQ public keys) so migrated funds remain safe against a quantum attacker.
The benefit: users who move coins into the new output type would have immediate, practical protection against a CRQC—without waiting for answers to thornier governance problems or for a second, more controversial soft fork.
Limits and the unresolved “X” problem
Narula is explicit this is not a full solution. Moving early adopters protects those funds, but the network’s systemic safety depends on how many coins remain vulnerable—what she labels X. If X is tiny, Bitcoin could probably absorb the risk; if X is large, a sudden CRQC could be destabilizing. She frames it numerically: “If only 0.0001% of coins are insecure, I think Bitcoin will be fine. If 20% of coins are insecure, I think things would probably get pretty chaotic if a CRQC would appear.”
Her point: uncertainty about X shouldn’t block the first step. A migration path would produce on‑chain adoption data and give the community time to shrink the vulnerable share before being forced into harder choices—such as whether old or lost coins should be frozen or otherwise treated.
Rejecting heavyweight or impractical alternatives
Narula pushes back on research proof‑of‑concepts and complex escape hatches—manual post‑quantum verification in script or expensive emergency mechanisms—that may be technically possible but are operationally impractical for broad deployment. Instead she favors a low‑friction, deployable mitigation that provides real protection today.
Trade‑offs acknowledged
She flags real downsides to P2MR: it removes one of Taproot’s more efficient privacy/efficiency properties by eliminating the key‑spend path and it relies on wallets correctly handling address reuse. Narula argues these trade‑offs are manageable relative to the advantage of giving users an immediate, low‑risk way to secure funds.
Governance questions intentionally deferred
Narula’s roadmap deliberately leaves the hardest governance decisions unresolved. That’s the point: do not let the need for perfect consensus prevent obvious, safety‑critical preparation.
Market snapshot
At press time, Bitcoin traded at $75,802.
Read more AI-generated news on: undefined/news
