BIP324 has encrypted connections between Bitcoin nodes since 2023 using ECDH.
P2P traffic collected today could be decrypted in the future, which makes it an attack vector.
Olaoluwa Osuntokun, core developer of the Lightning Network protocol, published a proposal on the Bitcoin-Dev mailing list on May 5 to update BIP324, the protocol that encrypts communications between network nodes.
According to Osuntokun, this protocol is vulnerable to quantum computers, which could compromise the privacy of Bitcoin users before any attack on the consensus layer occurs.
BIP324, adopted in 2023, introduced transport encryption for Bitcoin peer-to-peer (P2P) connections. The protocol uses the ECDH algorithm, a variant within the family of elliptic curve signatures, so that two nodes derive a shared secret with which they encrypt all their traffic. According to Osuntokun, a sufficiently advanced quantum computer could derive the private keys of that exchange and decrypt the communications. The developer warns that attackers could already be collecting that traffic today with the intention of decrypting it in the future, a strategy known in cryptography as harvest now, decrypt later.
This warning comes amid a technical escalation of the quantum threat to Bitcoin. A Google Quantum AI study estimated in March 2026 that a quantum computer could crack a Bitcoin public key in less than 9 minutes, with fewer than 500,000 physical qubits. Subsequently, French researcher André Schrottenloher reconstructed the quantum attack circuits that Google had kept as a commercial secret and surpassed their efficiency, which revealed that the window to act is narrowing.
Osuntokun is one of the most recognized names in Bitcoin infrastructure development. He is co-founder of Lightning Labs, the company responsible for LND, the most used Lightning Network client. His position within the ecosystem gives him technical weight and visibility on the Bitcoin developer mailing list.
Why BIP324 and not the consensus layer
Osuntokun's proposal states that upgrading BIP324 does not require the broad market agreement that a consensus change, such as a soft fork, demands. Unlike modifying digital signatures or Bitcoin addresses, which would involve coordinating miners, exchanges, and wallets globally, transport encryption can be updated incrementally and without interrupting the protocol. According to the developer, this makes BIP324 an achievable first step towards Bitcoin quantum resistance.
To replace ECDH, Osuntokun proposes two main routes. The first would keep BIP324 unchanged in its external layer and would execute ML-KEM—the key encapsulation mechanism standardized by NIST in 2024 with proven quantum resistance—within the already encrypted channel, in a second phase. The second option would use a hybrid combiner called OEINC (Outer Encrypts Inner Nested Combiner), which merges classical and post-quantum encryption into a single initial exchange, albeit with a larger volume of data in the first message.
Osuntokun also identifies a relevant operational variable: ML-KEM requires the receiving node to process a 1,184-byte encapsulation key before completing the exchange, up from ElligatorSwift’s current 64 bytes. In a permissionless P2P network, that increase expands the denial-of-service attack surface and, according to the developer, could require stricter byte limits and shorter handshake timeouts.
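As an added illustration (not code from Osuntokun's proposal or from any Bitcoin node implementation), the Python below shows how a receiving node could bound what an unauthenticated peer makes it buffer during the first message, using the 64-byte and 1,184-byte sizes cited above. The timeout, the minimum byte rate, the slot count and the assumption that a hybrid first message carries both keys are hypothetical values chosen for the example.

```python
from dataclasses import dataclass, field

ELLSWIFT_LEN = 64     # ElligatorSwift-encoded key size cited in the article
MLKEM_EK_LEN = 1184   # ML-KEM encapsulation key size cited in the article
HYBRID_LEN = ELLSWIFT_LEN + MLKEM_EK_LEN  # assumption: both keys in message one


@dataclass
class PendingHandshake:
    """Buffers an unauthenticated peer's first message under hard limits."""
    expected: int      # bytes required before any key operation is run
    timeout_s: float   # assumed overall handshake deadline
    min_rate: float    # assumed minimum bytes/second after a 1 s grace period
    started: float = 0.0
    buf: bytearray = field(default_factory=bytearray)

    def feed(self, chunk: bytes, now: float) -> str:
        elapsed = now - self.started
        if elapsed > self.timeout_s:
            return "drop:timeout"
        # Byte limit: buffer only what the handshake needs, never more.
        self.buf += chunk[: self.expected - len(self.buf)]
        if len(self.buf) >= self.expected:
            return "complete"
        # A peer that trickles bytes keeps the buffer pinned; require progress.
        if elapsed >= 1.0 and len(self.buf) / elapsed < self.min_rate:
            return "drop:too_slow"
        return "need_more"


def run(expected, arrivals, timeout_s=5.0, min_rate=256.0):
    """arrivals: constructed list of (time_s, n_bytes); returns (verdict, buffered)."""
    hs = PendingHandshake(expected, timeout_s, min_rate)
    verdict = "need_more"
    for t, n in arrivals:
        verdict = hs.feed(b"\x00" * n, t)
        if verdict != "need_more":
            break
    return verdict, len(hs.buf)


def worst_case_pinned(pending_slots: int, expected: int) -> int:
    """Bytes held if every pending slot is opened and stalled just short of done."""
    return pending_slots * (expected - 1)


if __name__ == "__main__":
    print(run(HYBRID_LEN, [(0.1, 700), (0.2, 700)]))  # well-behaved peer
    print(run(HYBRID_LEN, [(0.5, 10), (1.5, 10)]))    # trickling peer
    print(worst_case_pinned(100, ELLSWIFT_LEN), worst_case_pinned(100, HYBRID_LEN))
```

With the same number of pending slots, the stalled-handshake memory grows roughly twentyfold in the hybrid case, which is why the deadline and rate check matter more once the first message is larger.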
The proposal does not include a formal BIP or implementation code. Osuntokun presents it as a call to first define the design parameters (KEM type and randomness requirement of the initial exchange) before writing a concrete specification. Unlike changes to the digital signature layer, which require community-wide coordination ahead of Q-Day, Osuntokun maintains that BIP324 is an update with lower political friction, and that addressing it now would allow practical experience with post-quantum cryptography to be gained before facing the more complex changes to the protocol.
