April 15, 2026 — Bitcoin Core developer Jameson Lopp, together with five collaborators, officially released Bitcoin Improvement Proposal BIP-361 as a draft on the official GitHub repository. The full title of the proposal is "Post-Quantum Migration and Legacy Signature Deprecation." It advocates for a three-to-five-year phased timeline that would require all Bitcoin holders to migrate their assets from quantum-vulnerable addresses to quantum-resistant addresses. If holders fail to migrate by the deadline, their assets would be permanently frozen at the protocol level, making any further on-chain transfers impossible.
BIP-361 builds on the technical foundation of BIP-360, which was formally registered in February of the same year. BIP-360 introduced the quantum-resistant output type known as Pay-to-Merkle-Root, designed to protect all newly issued Bitcoin from quantum attacks going forward. However, BIP-360 only covers future assets and is powerless to safeguard the vast pool of legacy assets whose public keys have already been exposed—a gap BIP-361 seeks to address. Upon its announcement, BIP-361 sparked immediate and fierce backlash within the Bitcoin community. Critics labeled the proposal "authoritarian" and "predatory," arguing that it violates Bitcoin’s core philosophy as a censorship-resistant, decentralized monetary system.
One day later, on April 16, 2026, Blockstream CEO Adam Back delivered a public address at Paris Blockchain Week, explicitly opposing BIP-361’s forced freezing mechanism and instead advocating for an optional quantum-resistance upgrade path. Back emphasized, "It’s far safer to prepare in advance than to scramble during a crisis," while also noting the Bitcoin community’s ability to coordinate rapid responses to critical vulnerabilities.
At this point, the issue of quantum security for Bitcoin shifted from a long-running technical debate to a public dispute over network governance, asset sovereignty, and the boundaries of security. The divide between BIP-361’s supporters and opponents is not simply a matter of technical merit; it reflects two fundamentally different visions for Bitcoin’s future.
Countdown Accelerates: Quantum Threat Moves from Sci-Fi to Reality
The Accelerating Quantum Threat Timeline
Bitcoin’s security model is built on the computational infeasibility of breaking the Elliptic Curve Digital Signature Algorithm (ECDSA). Under classical computing, brute-forcing a private key would take longer than the age of the universe, a premise that has never been seriously challenged for decades. However, the existence of Shor’s algorithm fundamentally upends this assumption: it can reduce the complexity of solving discrete logarithm problems from exponential to polynomial time. Once quantum computers reach sufficient scale, breaking ECDSA will shift from theoretical possibility to engineering reality.
Over the past year, the quantum threat timeline has compressed rapidly and significantly. At the end of 2024, Google unveiled the Willow quantum chip, featuring 105 physical qubits. While this is still far from threatening Bitcoin’s cryptography—estimates suggest around 13 million qubits would be needed to break Bitcoin’s encryption within 24 hours—Willow’s exponential reduction in error rates for quantum error correction has set the stage for rapid future advances.
The real inflection point came at the end of March 2026. Google’s Quantum AI team published a white paper showing that a sufficiently powerful quantum computer could, in theory, break Bitcoin’s core cryptography with just one-twentieth of the resources previously estimated by academia. The entire process could be completed in as little as nine minutes. The paper further reduced the estimated number of physical qubits required to under 500,000—again, just one-twentieth of prior estimates. Based on this, Google moved its recommended deadline for quantum-safe migration up to 2029.
At the same time, a research team at Caltech achieved parallel breakthroughs using neutral atom quantum computing architectures. Their research demonstrated that Shor’s algorithm could run at cryptographically relevant levels with as few as 10,000 to 22,000 qubits, a dramatic reduction from the millions previously thought necessary. Oratomic’s research further confirmed the compounding effect of quantum threats across platforms.
Technical Readiness and Community Response
Against the backdrop of an accelerating quantum threat timeline, the Bitcoin ecosystem has been advancing its technical preparations in parallel:
- February 2026: BIP-360 is officially registered, introducing the quantum-resistant Pay-to-Merkle-Root output type and laying the groundwork for a post-quantum Bitcoin network.
- March 2026: BTQ Technologies successfully deploys the first working implementation of BIP-360 on the Bitcoin Quantum Testnet, which now runs over 50 miner nodes and has processed more than 100,000 blocks.
- April 14, 2026: Google’s Quantum AI white paper garners widespread media coverage, thrusting the "quantum doomsday" scenario from science fiction into the realm of strategic planning.
- April 15, 2026: Jameson Lopp and five collaborators formally submit the BIP-361 draft, aiming to address the legacy asset security gap left by BIP-360.
- April 16, 2026: Adam Back publicly opposes BIP-361 at Paris Blockchain Week, advocating for an optional upgrade path. On the same day, BitMEX Research releases the "Canary Fund" proposal, suggesting that freezing mechanisms should only be triggered if a quantum attack is actually demonstrated.
Scale of Assets at Stake
According to multiple research estimates, about 34% of all Bitcoin in circulation has public keys already exposed on-chain, making these assets directly vulnerable to quantum attacks. Specifically:
- Early P2PK addresses hold around 1.7 million BTC, including the widely believed Satoshi Nakamoto stash of 1 to 1.1 million Bitcoin. The public keys for these assets are permanently visible on the blockchain, making them the most exposed category.
- Jameson Lopp further notes that approximately 5.6 million BTC have not moved in over a decade and may be permanently lost. If future quantum breakthroughs allow private keys for old addresses to be cracked, these assets could be moved again, potentially triggering severe market volatility or even a systemic crisis of confidence.
Dissecting the Risk: How Much Bitcoin Is Exposed to Quantum Threats?
Address Types and Quantifying Exposure
To understand the scale and structure of assets affected by BIP-361, it’s important to clarify the technical differences among Bitcoin address formats and their respective quantum risk exposures. Different address types vary fundamentally in how they expose public keys and in their protective mechanisms, which directly determines their level of quantum vulnerability.
| Address Type | Main Features | Public Key Exposure | Quantum Risk Level | Estimated BTC Involved |
|---|---|---|---|---|
| P2PK | Early format (2009–2010) | Public key permanently on-chain | Highest—vulnerable to "collect now, decrypt later" attacks | ~1.7 million |
| P2PKH | Starts with "1", hash-protected | Exposed briefly when spent | Medium—must be cracked within 10 minutes | Several million |
| P2SH/P2WPKH | Starts with "3" or "bc1", modern format | Exposed briefly when spent | Lower—similar to P2PKH | Large amount |
| P2TR/P2MR | Taproot and quantum-resistant formats | Limited or quantum-resistant exposure | Lowest—designed for post-quantum era | Very few |
BIP-361’s Three-Phase Migration Mechanism
BIP-361 proposes a clear, phased migration roadmap, turning the quantum security upgrade into a matter of "private incentive" for every holder: those who do not proactively upgrade will face increasing friction and restrictions on asset use, eventually being fully locked out by the network. The migration process is divided into three escalating phases:
- Phase A: Three years after launch, the network will prohibit anyone from sending new Bitcoin to legacy quantum-vulnerable addresses. Holders can still spend from these addresses but cannot receive new funds. This phase aims to block "incremental risk" by preventing new inflows into weak address types.
- Phase B: Five years after launch, legacy signatures—namely ECDSA and Schnorr—will be fully deprecated at the consensus level. The network will reject any attempt to spend Bitcoin from quantum-vulnerable wallets. At this point, unmigrated assets are effectively frozen and can no longer be transferred on-chain.
- Phase C: This phase involves a rescue mechanism still under research. Holders of frozen wallets may be able to use zero-knowledge proofs to demonstrate control of their private keys. If successful, frozen assets could be restored. This mechanism aims to give holders who missed the migration window a final chance for recovery.
Key Data from Google and Caltech Research
The Google Quantum AI white paper, published March 30, 2026, delivered a disruptive conclusion: breaking Bitcoin’s 256-bit elliptic curve discrete logarithm problem requires only about 1,200 logical qubits and fewer than 500,000 physical qubits. The entire process could be completed in minutes.
Previously, mainstream industry estimates held that breaking Bitcoin’s encryption would require millions or even tens of millions of physical qubits and over a decade of effort. Google’s white paper lowers this threshold by roughly twentyfold and explicitly points out: when a Bitcoin transaction is broadcast, it waits in the mempool for block confirmation, with an average wait time of about ten minutes. Within this window, if an attacker has a suitable quantum computer, they could use the public transaction key to reverse-engineer the private key in about nine minutes, with a roughly 41% chance of successfully intercepting the funds.
Caltech’s research, using neutral atom architectures, demonstrated that Shor’s algorithm can operate at cryptographically relevant levels with 10,000–22,000 qubits. Two independent technical paths—superconducting and neutral atom qubits—both point to lower thresholds for breaking cryptography, meaning the quantum threat doesn’t depend on a "miraculous" breakthrough in a single technology.
A white paper jointly released by ARK Invest and Unchained proposes a five-stage evolution framework, arguing that quantum computing is still at "stage zero"—quantum computers exist but have no commercial value, and several technical milestones remain before Bitcoin’s ECDSA can be broken. The report estimates that Bitcoin security researchers currently put the probability of quantum computers recovering private keys before 2032 at about 10%.
Three Camps Clash: Freeze, Upgrade, or Wait and See?
The BIP-361 debate quickly crystallized into distinct camps, each engaging in deep arguments over Bitcoin’s governance philosophy, security boundaries, and asset sovereignty.
Better to Freeze Than Let Quantum Hackers Win
Jameson Lopp, the main proponent of the proposal, summed up his position in a widely shared statement: compared to the risk of future quantum attacks, he would rather see around 5.6 million long-dormant BTC frozen than have them fall into attackers’ hands.
Lopp also acknowledged that BIP-361 is still a draft and not a mature, ready-to-implement solution. On social media, he wrote: "I know people don’t like this proposal. I don’t like it myself. I wrote it because I dislike the alternative even more." This reveals the core of the supporters’ stance: BIP-361 isn’t ideal, but it’s a difficult trade-off in the face of a rapidly compressing quantum threat timeline.
Supporters of BIP-361 argue as follows: if quantum computers break through earlier than expected, 1.7 to 5.6 million BTC in early P2PK addresses could be cracked and dumped all at once, causing a massive price crash and severely undermining network trust. Proactively freezing these vulnerable assets would contain systemic risk within a foreseeable range and allow Bitcoin to transition smoothly into the post-quantum era.
Forced Freezing Violates Bitcoin’s Core Principles
Adam Back, the most prominent opponent, presented two main arguments at Paris Blockchain Week. First, the Bitcoin community has the ability to coordinate rapid responses to critical vulnerabilities and doesn’t need to preemptively set a forced freezing timeline before a crisis actually occurs. Second, preparation should focus on developing and deploying quantum-resistant technologies, not on stripping users of control over their assets. Back advocates for an "opt-in upgrade" path—offering quantum-resistant addresses for voluntary migration, with no protocol-level coercion.
Community opposition has been even more pointed. Crypto thought leader Jimmy Song stated on April 16, 2026, that BIP-361 is "completely unacceptable" to him, though he’d like to see supporters try to push the proposal through a soft or hard fork vote—"not to get ‘fork dividends,’ but because we need to see how these things play out."
TFTC founder Marty Bent called the proposal "absurd." Metaplanet’s Phil Geiger argued that, given the years-long migration window, intervention is unnecessary. Some community members labeled BIP-361 "authoritarian" and "predatory," saying it would invalidate some unspent transaction outputs and violate Bitcoin’s core philosophy of being censorship-resistant and immune to arbitrary asset freezes.
Alternative Proposals and Third-Party Perspectives
On April 16, 2026, BitMEX Research released an alternative proposal seeking a middle ground between "blind freezing" and "total inaction." The plan suggests creating a "signal vault"—a special address generated using a "non-surprising number" whose private key is unknown to anyone. If quantum computers become capable of breaking Bitcoin, rational attackers would likely target the bounty in this public address first. Any spend from this address would serve as on-chain proof of a real quantum threat, automatically triggering a network-wide freeze of quantum-vulnerable assets.
BitMEX Research acknowledges that this approach increases technical complexity and execution risk, but given that "any form of freezing is highly controversial," such a conditional trigger might be worth considering.
Strategy founder Michael Saylor previously stated that a credible quantum threat to Bitcoin’s cryptography is likely more than a decade away, and any meaningful breakthrough would be detected early, prompting coordinated global software upgrades.
The Bitcoin Policy Institute recently warned that quantum progress may be compressing the window for network upgrades, with some researchers projecting that quantum computers capable of breaking cryptography could emerge between 2029 and 2035.
Chain Reaction: How This Schism Could Reshape the Industry
A Test for Network Consensus Mechanisms
At its core, the BIP-361 debate is a stress test of Bitcoin’s governance mechanisms in the face of unprecedented external threats. As a decentralized network, Bitcoin’s upgrade decisions require complex coordination among developers, miners, node operators, users, and capital holders. Historically, Bitcoin’s upgrade debates have focused on scaling, privacy, and smart contract functionality—issues measured in years or even decades. The quantum threat, however, compresses this decision timeline into a much tighter window: Google’s recommended 2029 deadline is less than three years away.
This compressed timeline poses an unprecedented challenge to Bitcoin’s "slow governance" model. If the community fails to reach consensus on a quantum security upgrade path within the available time, Bitcoin faces two stark risks: over-intervention could undermine its core value of decentralization, while inadequate action could lead to a catastrophic loss of trust if a quantum attack occurs.
Potential Impact on Market and Holder Behavior
The BIP-361 debate is already influencing market participant behavior. Holders of early P2PK addresses—especially the roughly 1.1 million BTC long thought to be Satoshi’s—now face an increasingly urgent choice: proactively migrate to quantum-resistant addresses to avoid future freezing, or wait and accept the uncertainty.
For exchanges and custodians, quantum-safe migration has shifted from a long-term plan to an immediate operational concern. After Google’s white paper, leading exchanges and custodians are accelerating assessments of quantum vulnerability in their hot and cold wallet architectures and planning gradual migration paths to quantum-resistant address formats.
From a broader industry perspective, the BIP-361 debate is catalyzing attention to post-quantum cryptography across the entire crypto sector. Not just Bitcoin, but Ethereum, Solana, and other major blockchains face similar quantum threats. As the largest crypto asset by market cap, Bitcoin’s response will set a precedent for the entire industry.
Accelerating Post-Quantum Cryptography R&D
One positive side effect of the BIP-361 controversy is the significant acceleration of post-quantum cryptography research and testing within the Bitcoin ecosystem. BIP-360 went from theoretical proposal to testnet deployment in just a month—a rare speed for Bitcoin. BTQ Technologies’ BIP-360 implementation on the Bitcoin Quantum Testnet has already provided initial validation for the engineering feasibility of quantum-resistant address formats.
Meanwhile, research into lattice-based cryptography, hash-based signatures, and other post-quantum approaches is ramping up. If the BIP-361 debate pushes the community to reach consensus on quantum security upgrades more quickly, the debate itself will become a testament to the Bitcoin network’s resilience.
Conclusion
The significance of the BIP-361 debate goes far beyond the fate of a single technical proposal. It exposes a challenge Bitcoin has never truly faced in its fifteen-year evolution: when the pace of external threats outstrips the speed of internal governance, how should a decentralized system balance its core values of "security" and "freedom"?
Jameson Lopp represents a "preventive intervention" mindset—acknowledging the slow nature of decentralized governance and advocating for proactive action while the crisis is still manageable. Adam Back embodies a "trust the network’s resilience" philosophy—believing in the community’s ability to coordinate in the face of real crisis, and therefore rejecting any preemptive, protocol-level measures that could harm Bitcoin’s core values.
Their disagreement is not about right or wrong, but about different assessments of where Bitcoin’s future resilience lies. Lopp fears that without early action, quantum hackers could become Bitcoin’s "ultimate predators." Back fears that if early action means forced protocol-level freezes, Bitcoin could lose its most essential distinction from traditional finance.
Regardless of whether BIP-361 ultimately gains community consensus, the debate has already had an irreversible positive impact: it has brought quantum security from academic papers and long-term forecasts into the mainstream Bitcoin agenda, forcing every participant—developers, miners, exchanges, institutional holders, and everyday users—to confront an issue that had previously been selectively ignored. Post-quantum cryptography research is accelerating, quantum-resistant address formats are moving from concept to testnet validation, and exchanges and custodians are re-examining the security assumptions of their asset architectures. Much of this progress can be credited to the "necessary schism" sparked by BIP-361.
For Bitcoin holders, the most important thing right now may not be to pick sides between Lopp and Back, but to grasp the core message this debate reveals: quantum computing is no longer a distant sci-fi threat—it’s advancing toward reality faster than most people expect. If you hold Bitcoin—especially if it’s stored in older address formats—closely following quantum security upgrades and learning how to migrate to quantum-resistant addresses will be an unavoidable responsibility for every prudent holder in the years ahead.
