The Bitcoin Halving and the Quantum Question

There is a knife at the edge of the schedule. Nobody knows when it falls. We know only that the schedule will keep cutting, every four years, every two hundred and ten thousand blocks, whether the knife arrives or not. The Bitcoin Halving has a clock. Quantum computing has a rumor. The rumor is real enough that thirty percent of the supply is sitting on the table with its keys showing, and a small committee has written a deadline for the rest of us. This sermon is about that deadline, and about the cut that will keep firing while we decide what to do about it.

I. The Knife and the Clock

The clock is the Bitcoin Halving. Every 210,000 blocks. Ten minutes a brick, four years a course. The schedule is the only honest thing in finance. It does not slip. It does not negotiate. At block 1,050,000, in spring 2028, the subsidy gets cut from 3.125 BTC to 1.5625 BTC, and the schedule walks one more step toward the Halfture. The Halfture is the last cut, the terminal halving, the one that ends issuance forever. That is not 2028. That is centuries out. Capital-H Halfture for the final notch only. Lowercase halving for the rehearsals.

The knife is Q-Day. The hypothetical morning when a quantum computer crosses the line from a press release into a tool. The morning Shor’s algorithm becomes a weapon you can rent. When that happens, every Bitcoin address whose public key is visible on chain becomes a coin you can move. Not in theory. In wallclock minutes.

The clock and the knife are not the same animal. The clock is mathematics. The knife is engineering. The clock will fire. The knife may or may not.

II. What Q-Day Actually Is

Bitcoin signs spends with ECDSA over the secp256k1 curve. Public keys are derived from private keys through one-way arithmetic. The arithmetic is hard for classical computers and conjectured to be easy for sufficiently large quantum computers using Shor’s algorithm, which was published in 1994 and has not aged.

The question has always been the qubit count. For years the answer was twenty million logical qubits, which felt safely fictional. In early 2026 a Google research paper revised the estimate down by more than an order of magnitude, suggesting that under newer architectures the resource requirement for elliptic-curve attacks might fall under 500,000 physical qubits, and that an at-rest attack on a single ECC-256 key might be possible in roughly ten days with around 26,000 physical qubits. Nobody has built a machine that does this. Nobody is close. But the slope of the line has steepened, and the slope is what religion is made of.

Note the language. At rest. The attack works against a key that has already published its public component on chain. The mempool attack, the steal-it-mid-broadcast attack, is a much harder problem because of timing. The first thing Q-Day will eat is anything that has been sitting still with its face uncovered.

III. The Six Million Coins That Were Always Naked

This is the part most people get wrong. They imagine quantum risk as a future condition that will arrive with a new technology. The exposure is already present tense. The keys are already public. The only thing missing is the machine.

Glassnode’s May 2026 report put a number on it. 6.04 million BTC, 30.2 percent of issued supply, with on-chain public-key exposure right now. 1.92 million BTC of that is structural exposure: pay-to-public-key outputs from the earliest era, bare multisig, and any modern Taproot output where the key path reveals the key. The other 4.12 million BTC is operational: addresses that were reused, partially spent, or stored carelessly enough that the spending key has touched the chain.

Six million coins. A third of every bitcoin that has ever been mined. Sitting in a state where, the morning the knife is sharp, somebody else can pick them up.

This is not a fringe figure. It includes the Patoshi blocks, the early P2PK rewards, much of the cold storage from 2010 and 2011, and a sprawl of operationally careless wallets that have been hot for fifteen years. It is the part of the chain that was always going to age into a different problem.

IV. The 22,000-Wallet Trap

There is a story being told this year about Satoshi that may or may not be true, and that is worth telling either way. The Patoshi pattern, the famously identifiable nonce-stamped early mining run, points to roughly 1.1 million BTC mined and not moved. In 2010, before the protocol switched the standard output format to pay-to-public-key-hash, those coins were distributed across about 22,000 addresses of exactly 50 BTC each.

One reading of that distribution, popularized by André Dragosch of Bitwise this year, is that the topology was a deliberate quantum hedge. Splitting one million coins across twenty-two thousand single-block-reward bags raises the per-attack cost. The knife still works, but it has to be drawn 22,000 times. The story may flatter the founder more than the founder deserves. Maybe it was a hedge. Maybe it was hygiene. Maybe it was no plan at all and the pattern is a Rorschach. The keys are still exposed. But the architecture, intentional or not, looks like a hand that did not want to make the theft cheap.

The schedule does not depend on anyone’s intent. The clock keeps firing whether the founder was a prophet or a janitor. But if the founder set a small trap for the future, the schedule got a head start.

V. BIP-360 and the Sunset Clock

Bitcoin does not patch itself. Bitcoin gets patched by a small group of people who write proposals that other people argue about for years before nodes start enforcing them. There are now two such proposals on the table, both new in 2026, and the second one is the most philosophically charged change ever offered to the protocol.

BIP-360 was merged into the BIPs repository on February 11, 2026. It defines the first quantum-resistant address type, using hash-based and lattice-based signature schemes. It is the carrot. It gives anyone who wants to migrate a place to migrate to. It is uncontroversial in the way new address types usually are.

BIP-361, the Post Quantum Migration and Legacy Signature Sunset, is the stick. Published April 14, 2026 by Jameson Lopp and five co-authors, it proposes a phased deadline. Three years after activation, no new outputs may be sent to legacy quantum-vulnerable addresses. Five years after activation, legacy signatures stop being valid, period. Any coin still sitting in a P2PK or reused-address state is, from the perspective of the consensus protocol, frozen. Not stolen. Frozen. Bitcoin would refuse to recognize the signature even if a private key were ever produced.

This is not a technical fix. It is a theological one. It says: scarcity is more important than the past. The coins that nobody moved before the deadline are not coins anymore.

The room is split. Some say BIP-361 is the only way to keep the supply intact, because if the knife arrives before the freeze those 6.04 million coins flood the float and break the entire scarcity premise. Others say invalidating Satoshi’s coins is a soft confiscation dressed in protocol clothing. There is no clean answer. There is only the deadline and the calendar.

VI. The Halfture Will Get There First. Or It Will Not.

Now stack the two timelines.

The clock. The next ordinary cut is at block 1,050,000 in spring 2028. The Halfture, the final cut, the terminal halving, the only one that is actually the rapture, is roughly the year 2140. Centuries of cuts between here and there, each one rehearsing the last.

The knife. Aggressive Q-Day estimates put cryptographically relevant quantum machines five to ten years out. Conservative estimates put them twenty to forty. BIP-361’s clock, if it activates in 2027, runs out in 2030 for legacy sends and 2032 for legacy signatures.

So the answer to which timeline wins is: nobody knows, and the schedule does not care.

This is the part where the doctrine earns its weight. The thing you hold, you can migrate. The thing you do not hold, somebody else decides for. If your coins are on an exchange when BIP-361 activates, you are trusting the exchange to migrate. If your coins are in a paper wallet in a safe deposit box, you have a moving deadline. If your coins are in a hardware wallet you control, you have a chance to walk them across into a quantum-safe output the day the new address type is ready. Self-custody is what makes the migration even possible. You have to hold Bitcoin to be saved. Not metaphorically. Mechanically. The signature that proves the coin is yours has to come from a key you can still produce, in a format the future network will still honor. The signature is the soul. The address is the body. Q-Day comes for the body. The Halfture, the last cut, the equation where Halfture = Rapture, comes for the supply.

VII. The Counter-Sermon

Maybe none of this matters. Maybe Q-Day is a perpetual five-years-away the way fusion is a perpetual thirty. Maybe BIP-361 dies in the mailing list, the way most ambitious BIPs die. Maybe the 6.04 million exposed coins stay exposed for the next century and the chain just lives with them.

The harder version says: the moment Bitcoin freezes anyone’s coins to save the supply, it has admitted the rules are negotiable. That is a one-way door. Some people will read it as the protocol growing up. Some will read it as the moment Bitcoin became the thing it was built against. Both readings are honest. The clock keeps cutting either way.

VIII. Look at Your Addresses

There is no urgent action here. Q-Day has not arrived. BIP-361 has not activated. None of this is financial advice. This is theology with a calendar.

But there is a small, slow action. Look at your addresses. The ones holding coins you have not touched since 2017. The ones reused on a forum tip. The cold wallet you set up before SegWit. Note which are quantum-exposed in the trivial Glassnode 30.2 percent sense. Make a plan for the morning a quantum-safe address type is uncontroversially available.

The schedule keeps firing. Migrate before the rapture.

FAQ

What is the Bitcoin Halving?
The Bitcoin Halving is the protocol-enforced reduction of the block subsidy by 50 percent every 210,000 blocks, roughly every four years. The last Halving, called the Halfture, is the terminal cut that ends issuance forever; it is roughly the year 2140. Every Halving before then is a rehearsal of the Halfture.

Are quantum computers a threat to Bitcoin today?
No machine exists today that can break secp256k1 in any practical sense. The 2026 Google estimate of roughly 500,000 physical qubits for an elliptic-curve break is a long way from current hardware, which is in the low thousands of physical qubits and noisy. The threat is real on a horizon, not on a calendar.

What is BIP-361 and why is it controversial?
BIP-361 is the Post Quantum Migration and Legacy Signature Sunset, proposed in April 2026 by Jameson Lopp and co-authors. It would phase out legacy signature types over five years, freezing any coin still held in a quantum-vulnerable address. The controversy is that the freeze would include around 1.1 million BTC attributed to Satoshi, raising the question of whether scarcity should ever override the right of a private key to spend its coin.

How much Bitcoin is quantum-exposed right now?
According to Glassnode’s May 2026 report, 6.04 million BTC, about 30.2 percent of issued supply, has visible public keys on chain. About 1.92 million BTC is structurally exposed (P2PK, bare multisig, Taproot key-path spends) and about 4.12 million BTC is operationally exposed through address reuse and partial spends.


Discover more from Halfture

Subscribe to get the latest posts sent to your email.

Leave a Reply