
Neha Narula is director of digital currency at the MIT Media Lab and is on the board of directors for Block.

Her first observation is that it is easier to give Bitcoiners an opt-in option to have quantum resistance than it is to make all bitcoin addresses quantum resistant, which is more or less the observation Antoine Poinsot made on the Mailing List earlier this month.

Narula suggests achieving this opt-in option by adopting BIP 360's P2MR scheme (#1432230). It's similar to taproot, but disables the keypath spend.

Narula notes that there are a few downsides to such a proposal, including a potential foot-gun via address reuse and a minor loss in efficiency, but concludes:

These downsides, for the ability to say that you can go away and not come back for a long time and your coins are safe in the presence of a CRQC, seem reasonable to me. The efficient privacy loss part is annoying, but maybe we can get it back later once we are all using PQ signatures.

The second half of her post concerns the far more controversial question of what to do about other people's coins.

This came up most recently when @lopp's quantum proposal was given a BIP number (BIP 361, #1471384).

At its root is this idea expressed in a heading on Narula's post:

"Bitcoin security as a common good"

Narula expresses an argument I've seen on the Bitcoin Development Mailing List (#1451973):

There is an argument that if too many other people’s coins are insecure, your coins are insecure.

I like the distinctions that Narula draws between things we probably should work on first and things that really aren't that important right now.

We do not have to decide what to do with people who are unlikely to show up to do anything at all (Satoshi’s coins) right now in order to make progress.

Narula provides this handy image from Ethan Heilman's talk on Cryptographic Agility at OpNext:

Proposed roadmap for mitigations. The actions in the blue dashed boxes help with the blue triangle; the actions in the purple dashed boxes are only needed for the purple trapezoid. We cannot have PQ-safe outputs until the first activation happens; we do not need to consider whether or not to freeze coins until closer to Q-Day. Even if the second soft fork doesn’t activate, or we can’t reach agreement, the blue triangle Bitcoin is PQ-safe. Inspired by a slide from Ethan Heilman’s Cryptographic Agility talk, which you can see once recordings come online from the 2026 MIT Bitcoin Expo or 2026 OPNEXT.

And she concludes with some interesting counterarguments:

First, you might think that P2MR is going to be too difficult for wallets to implement correctly (namely because they really like reusing addresses), so even if deployed and implemented, it will be implemented incorrectly and a significant number of wallets will not truly be PQ-safe. You mostly agree with the above strategy, you just don’t think P2MR is the specific right way to go about it.

Second, you might think the blue triangle will not be large enough (wallets won’t implement it, people won’t move), so we should spend most of our time and energy on the purple trapezoid instead. In fact, you might think the purple trapezoid is going to be so large that we might as well just wait until closer to Q-Day and cram this into one soft fork.

Third, you might think that deploying a PQ-safe output type now is in some ways “giving up” because X will still be too high, and it will make it harder to motivate people to come up with better solutions. They might not appreciate the common good point raised above.

That's a helpful graph for thinking through the issues, thanks.

1 sat \ 0 replies \ @zeke 1h

Worth putting a number on the "common good" framing. Two separate buckets are already exposed before anyone touches their wallet.

First, P2PK outputs. Those were the only output type until Oct 2010, and they never hashed the pubkey in the first place. Roughly 1.7M BTC sits in P2PK, mostly early-miner coins that never moved. No address reuse required.

Second, spent P2PKH. Every time a P2PKH address gets reused, the pubkey lands on chain in the spend. Deloitte's 2020 pass at the UTXO set put total quantum-exposed supply around 25 percent once you add reused P2PKH on top of P2PK.

So the purple trapezoid is not a choice we make near Q-Day. A quarter of supply is already in it. The real P2MR vs BIP 360 question is whether we can migrate enough of the blue triangle fast enough that the trapezoid does not set spot.

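As an added illustration of the two exposure buckets @zeke describes (example code written for this thread, not from the post, Narula, or BIP 360): classify scriptPubKeys by whether the spending pubkey is already on chain, then total the exposed value over a constructed UTXO sample. Taproot is included because its output key permits a keypath spend; P2MR itself is left out because its output format is not given here, and the key bytes and values in SAMPLE are filler, not chain data.

```python
from dataclasses import dataclass

BTC = 100_000_000  # satoshis per bitcoin

# Exposure classes: what the chain already reveals about the key needed to spend.
PUBKEY_IN_OUTPUT = "pubkey on chain at creation"
HASH_UNTIL_SPEND = "hash only; pubkey revealed when spent"
UNKNOWN = "not classified"

def classify(spk: bytes) -> tuple[str, str]:
    """Map a raw scriptPubKey to (script type, exposure class)."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:  # <33|65-byte pubkey> OP_CHECKSIG
        return "P2PK", PUBKEY_IN_OUTPUT
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":  # DUP HASH160 <20> EQUALVERIFY CHECKSIG
        return "P2PKH", HASH_UNTIL_SPEND
    if n == 22 and spk[:2] == b"\x00\x14":  # OP_0 <20-byte key hash>
        return "P2WPKH", HASH_UNTIL_SPEND
    if n == 34 and spk[:2] == b"\x51\x20":  # OP_1 <32-byte output key>; a keypath spend needs only this key
        return "P2TR", PUBKEY_IN_OUTPUT
    return "other", UNKNOWN

@dataclass
class Utxo:
    spk: bytes
    value_sat: int
    script_spent_before: bool  # True if an earlier spend from this script revealed its pubkey (address reuse)

def exposed_value(utxos) -> dict:
    """Total value whose spending pubkey is already public (the 'purple trapezoid'):
    pubkey-in-output types plus hash-based outputs sitting on a reused script."""
    totals = {"exposed": 0, "safe_until_spend": 0, "unclassified": 0}
    for u in utxos:
        _, cls = classify(u.spk)
        if cls == PUBKEY_IN_OUTPUT or (cls == HASH_UNTIL_SPEND and u.script_spent_before):
            totals["exposed"] += u.value_sat
        elif cls == HASH_UNTIL_SPEND:
            totals["safe_until_spend"] += u.value_sat
        else:
            totals["unclassified"] += u.value_sat
    return totals

# Constructed sample UTXO set (not chain data); key bytes are filler, values are illustrative.
SAMPLE = [
    Utxo(b"\x41\x04" + b"\x11" * 64 + b"\xac", 50 * BTC, False),         # early P2PK coinbase
    Utxo(b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 1 * BTC, True),   # P2PKH on a reused address
    Utxo(b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", 2 * BTC, False),  # fresh P2PKH
    Utxo(b"\x00\x14" + b"\x44" * 20, 3 * BTC, False),                     # fresh P2WPKH
    Utxo(b"\x51\x20" + b"\x55" * 32, 4 * BTC, False),                     # P2TR with keypath enabled
]
```

Running `exposed_value(SAMPLE)` puts 55 BTC in the exposed bucket (P2PK, the reused P2PKH, and the taproot output) and 5 BTC in the safe-until-spend bucket.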