Skip to main content

BIP-361: Bitcoin's Most Controversial Proposal Since SegWit

· 12 min read
Dora Noda
Dora Noda
Software Engineer

A small group of Bitcoin developers just proposed something that would have been unthinkable five years ago: deliberately freezing roughly 6.5 million BTC, including the entire Satoshi-era stash, before a future quantum computer can sweep them onto the open market.

Welcome to BIP-361 — the proposal that forces Bitcoin to choose between two of its most sacred values: immutability and survival.

A $74 Billion Defensive Crouch

On February 11, 2026, the Bitcoin Improvement Proposal repository quietly assigned a number to a draft authored by Casa CTO Jameson Lopp and five other researchers. By April, that draft — BIP-361 — had become the most divisive technical document in Bitcoin since the SegWit civil war of 2017.

The proposal addresses a strategic risk that has been hiding in plain sight for a decade. Approximately 6.5 million Bitcoin sit in addresses that a sufficiently powerful quantum computer could compromise — early Pay-to-Public-Key (P2PK) outputs, reused-address Pay-to-Public-Key-Hash (P2PKH) wallets, and any UTXO whose public key has already been broadcast to the chain. At today's prices, that is roughly $74 billion of exposure on the low end, and some analyses push the at-risk surface closer to $400–500 billion when extrapolated across all dormant supply.

Among those vulnerable coins: an estimated 1.1 million BTC attributed to Satoshi Nakamoto across more than 22,000 wallets, identified through the distinctive "Patoshi pattern" mining signature. Those coins have not moved for over a decade. They cannot move themselves. And in a world where a cryptographically relevant quantum computer (CRQC) becomes operational, they can only move one way — out of Satoshi's wallet and into someone else's.

How the Freeze Actually Works

BIP-361 is not a single switch. It is a five-year choreographed migration with three sequential phases, designed to give every active Bitcoin holder time to opt in voluntarily before the consensus layer makes the choice for them.

Phase A kicks in roughly three years after activation. The network would refuse to accept new transactions sending BTC to legacy quantum-vulnerable address types. Existing holders could still spend their coins out of those addresses — the door swings outward only. The point is to push wallets, exchanges, and custody providers to default to quantum-resistant formats before the deadline.

Phase B arrives two years later. At this point, legacy signatures become invalid at the consensus level. Any UTXO that has not been migrated to a quantum-safe output is, by definition, unspendable. The coins still exist on-chain, but no signature recognized by the network can move them. They are frozen, permanently and by design.

Phase C is the moral release valve, still under active research. It would let owners of frozen UTXOs reclaim their funds via zero-knowledge proofs tied to BIP-39 seed phrases — without ever exposing the underlying private key to a watching quantum adversary. If implemented, Phase C means a long-lost holder could resurrect their stake without surrendering the secret that protects it. If it is not implemented, frozen really means frozen.

The proposal does not arrive in isolation. It explicitly builds on BIP-360, which entered testnet via BTQ Technologies in early 2026 and introduces a new output type called Pay-to-Merkle-Root (P2MR). P2MR works similarly to Pay-to-Taproot but removes the key-path spend, eliminating the long-exposure attack surface that quantum computers would exploit. Notably, BIP-360 does not yet replace ECDSA or Schnorr with lattice-based schemes like ML-DSA — that fight is still ahead. BIP-360 simply hides the public key behind a hash until spend time. BIP-361 then says: and after five years, anyone still standing in the open gets locked out.

The Adam Back Counter-Position

The proposal hit a wall the moment it became public. At Paris Blockchain Week, Blockstream CEO Adam Back — a cryptographer who has tracked the quantum field for 25 years — argued that BIP-361 is solving the wrong problem with the wrong tool.

Back's position rests on three claims. First, current quantum computers remain "essentially lab experiments" and progress has been "incremental." Second, Bitcoin's culture has repeatedly proven it can mobilize quickly when a real threat emerges — bugs are identified and patched within hours when the stakes are clear. Third, building optional quantum-resistant upgrades that holders can opt into preserves Bitcoin's promise of sovereign control, while a forced freeze sets a governance precedent that no soft fork has ever crossed.

The Lopp camp is betting the opposite way. Their wager is that coordination under pressure, with a price chart in free-fall and a quantum adversary actively draining the chain, is precisely when consensus fractures. Better to schedule the migration now, on calm seas, than to attempt it during a crisis that will already be eroding faith in the network's durability.

This is the actual disagreement, stripped of rhetoric: Can Bitcoin coordinate under emergency conditions, or must it pre-coordinate during peacetime? Every other argument — about Satoshi's neutrality, about whether 6.5 million BTC are "really" abandoned, about whether freezing equals confiscation — flows downstream from that question.

Why the Threat Stopped Being Hypothetical

The reason this debate has gone from a fringe topic to a numbered BIP in 2026 is straightforward: the timeline shrank.

In March 2026, Google's Quantum AI team published research indicating that a quantum computer with fewer than 500,000 physical qubits — corresponding to roughly 1,200 logical qubits — could break elliptic curve cryptography. Earlier estimates had pegged the requirement at 10 million physical qubits. Google's own internal target for post-quantum readiness across its products is 2029. McKinsey and academic roadmaps cited inside BIP-361 place a CRQC arrival window of 2027 to 2030.

Three years. That is not a comfortable buffer for a $1.3 trillion network whose migration logistics are non-trivial. One academic analysis estimated that fully replacing every ECDSA-based UTXO with a post-quantum equivalent would require approximately 1,828 hours — over 76 days — of cumulative network throughput dedicated to migration transactions, assuming the entire community agreed to coordinate. That math gets dramatically worse if a quantum attacker is racing the network in parallel.

The asymmetry is what makes the threat strategic rather than merely technical. A nation-state actor that achieves CRQC capability six months before the rest of the world does not need to attack actively used wallets — those coins move regularly and re-anchor behind hashed public keys. The attacker needs only to systematically derive private keys from the millions of long-exposed P2PK and reused-address public keys sitting in plain view on the chain, and quietly drain them. By the time anyone notices, the supply shock has happened.

The Ossification-vs-Self-Defense Fault Line

Bitcoin's culture has historically resolved hard tradeoffs by refusing to choose. Ossification — the principle that the protocol should change as little as possible, as slowly as possible — is treated as a feature, not a bug. SegWit (2017) was bitterly contested before activation and forked away the BCH chain. Taproot (2021) activated smoothly because it was strictly opt-in and added new functionality without removing anything. OP_CTV covenants finally activated in 2025 after years of debate.

BIP-361 is structurally different from all three precedents. It is not opt-in. It does not preserve existing rights. It says, explicitly, that holders of certain UTXO types lose the ability to spend their own coins after a deadline. Even SegWit at its most divisive did not remove existing capability — it added a new one and changed the economic calculus around using the old one.

Critics argue this sets the precedent that miner signaling can freeze UTXOs for any sufficiently popular reason: OFAC compliance, stolen funds recovery, court-ordered seizure, sanctions enforcement. The slippery-slope concern is not paranoia — it is a structural observation that once the network demonstrates it can freeze a category of coins, the only remaining question is what justifies inclusion in that category.

Supporters counter that the alternative is worse: doing nothing means accepting that the supply shock is inevitable, that Satoshi's coins (and millions of others) will be stolen rather than frozen, and that the network's price discovery during that event will be catastrophic enough to delegitimize Bitcoin in the eyes of the institutional capital it spent a decade attracting. A freeze, in this framing, is the lesser violation.

The realistic outcome is probably a fork. A meaningful minority will refuse to accept any consensus rule that makes valid signatures retroactively invalid. They will run the pre-Phase-B client. The chain will split. Whether the split looks like Bitcoin Cash (a small-cap fork that fades) or like a genuine schism (where two roughly equal chains compete for the Bitcoin name) depends on how exchanges, custodians, and the institutional ETF complex handle the activation.

Infrastructure Implications for the Rest of the Stack

Even before activation, BIP-361 changes the operational picture for everyone running Bitcoin infrastructure. Wallet providers must add quantum-safe address generation to their roadmaps now, because the migration window is not the moment to discover that their key derivation library cannot produce P2MR outputs. Exchanges must decide how they will treat deposits to vulnerable address types during Phase A. Custody providers managing cold-storage holdings face a particularly acute version of the problem: any private key that has been air-gapped for years must be brought online to sign migration transactions, exposing it to operational risk that the cold storage was specifically designed to avoid.

For RPC providers and node operators, the multi-phase activation creates a new category of edge cases. During Phase A, mempools must reject transactions sending to legacy types — but only those, while still relaying transactions spending from them. During Phase B, the same nodes must implement consensus logic that distinguishes valid post-quantum signatures from invalid legacy ones, with no margin for off-by-one errors. Any infrastructure provider serving institutional clients during the activation period needs to be on the right side of that consensus boundary on day one.

The Lightning Network adds another layer. Channel state proofs depend on signatures whose validity must be enforceable at settlement time, potentially years after the channel opens. A channel opened today, secured by an ECDSA signature, must still be enforceable in 2031 — or the proposal needs an explicit grandfathering carve-out for in-flight channel commitments. The BIP-361 draft does not yet address this in detail.

The Decision Bitcoin Cannot Defer

What makes BIP-361 different from every prior contentious soft fork is that the timeline is not set by Bitcoin's developers. It is set by the world's quantum computing labs. Bitcoin can delay the decision, but the decision will not delay itself.

The community has roughly the same window the Google researchers gave themselves: about three years to pick a path. Adam Back's optional-upgrades road requires holders to actively migrate, accepting that some non-trivial percentage will not — and that a quantum adversary will eventually claim what they leave behind. Lopp's forced-migration road requires the network to make a choice on behalf of holders who cannot or will not act, accepting that this violates a principle that has held since the genesis block.

Neither path preserves all of what Bitcoin claims to be. The third path — pretending the deadline is not real — preserves none of it.

What BIP-361 actually proves is that Bitcoin's "do nothing" default has expired. The protocol has reached the size, age, and strategic importance where inaction is itself a choice with consequences. Whether the network can metabolize that fact without fracturing is the question that will define Bitcoin for the next half-decade.

The most controversial proposal since SegWit may turn out to be the most clarifying one.

BlockEden.xyz operates production-grade RPC infrastructure across Bitcoin and 25+ other chains, serving developers building wallets, custody systems, and institutional applications. As Bitcoin's quantum migration debate moves from forums to consensus rules, infrastructure providers that support both legacy and post-quantum address types — without breaking — will be the ones still standing on activation day. Explore our API marketplace to build on infrastructure designed for the long arc.

Sources

Share on Twitter