Bitcoin has spent 16 years operating on one foundational promise: if you hold the private key, you control the coins. No government, no bank, no developer can override that. A proposal published this week by core developer Jameson Lopp and five co-authors is now challenging that promise for the first time in Bitcoin’s history, and the community is split sharply over whether the medicine is worse than the disease.
The proposal, Bitcoin Improvement Proposal 361, carries the title “Post Quantum Migration and Legacy Signature Sunset.” BIP-361 lays out a three-phase timeline: blocking inflows to vulnerable addresses roughly three years after activation, freezing all legacy coins two years later, and leaving open a future recovery path through zero-knowledge proofs for holders who miss the deadline. Over 34% of all Bitcoin has exposed a public key on-chain, according to the proposal, leaving those funds vulnerable to theft by a sufficiently powerful quantum computer.
What the Threat Actually Is
Bitcoin’s security relies on elliptic curve cryptography. To spend funds, a user signs a transaction with a private key. When that signature is broadcast, the corresponding public key becomes visible on-chain. Classical computers cannot reverse-engineer a private key from a public key in any practical timeframe. A sufficiently powerful quantum computer running Shor’s algorithm could, in theory, do exactly that.
Roughly 28% of all Bitcoin, or about 5.6 million tokens, has not moved in over a decade, with Lopp and other analysts considering it likely lost. If ever recovered through advances in quantum computing, that amount could introduce significant volatility and undermine confidence in the network.
Approximately 1.7 million BTC sits locked in old-style addresses known as P2PK, the kind used in Bitcoin’s earliest days. Those addresses expose public keys directly, making them vulnerable once quantum computing reaches sufficient power. Satoshi Nakamoto’s stash alone is valued at roughly $74 billion at current prices.
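An added example, not part of the original article or of BIP-361: a small Python classifier that sorts output scripts by whether the public key is already readable on-chain, which is the distinction the two paragraphs above draw between P2PK and keys revealed only when a spend is signed. It goes beyond the P2PK case in the text to cover the other standard output types. The function names, exposure labels and sample scripts are assumptions made for illustration.

```python
# Added example. Script bytes below are constructed placeholders, not real outputs.
OP_0, OP_1, OP_DUP, OP_EQUAL = 0x00, 0x51, 0x76, 0x87
OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x88, 0xA9, 0xAC

AT_REST = "key-in-output"           # public key readable from the unspent output
ON_SPEND = "key-revealed-on-spend"  # only a hash is on-chain until a spend


def classify(script_hex):
    """Return (script type, exposure class) for a hex-encoded scriptPubKey."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == OP_CHECKSIG:
        if (n == 35 and s[1] in (2, 3)) or (n == 67 and s[1] == 4):
            return "P2PK", AT_REST
    if (n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", ON_SPEND
    if n == 23 and s[:2] == bytes([OP_HASH160, 20]) and s[22] == OP_EQUAL:
        return "P2SH", ON_SPEND
    if n == 22 and s[:2] == bytes([OP_0, 20]):
        return "P2WPKH", ON_SPEND
    if n == 34 and s[:2] == bytes([OP_0, 32]):
        return "P2WSH", ON_SPEND
    # P2TR: the 32-byte witness program is itself an x-only public key.
    if n == 34 and s[:2] == bytes([OP_1, 32]):
        return "P2TR", AT_REST
    return "unknown", "unknown"


def key_visible(script_hex, spent_from_before=False):
    """True if the key is already on-chain, False if not, None if unrecognised.

    spent_from_before marks address reuse: an earlier spend from the same
    script already published the key in its input.
    """
    kind, exposure = classify(script_hex)
    if exposure == AT_REST:
        return True
    if exposure == ON_SPEND:
        return spent_from_before
    return None


SAMPLES = {  # constructed scripts with filler bytes in place of keys/hashes
    "p2pk": "41" + "04" + "11" * 64 + "ac",
    "p2pkh": "76a914" + "33" * 20 + "88ac",
    "p2wpkh": "0014" + "44" * 20,
    "p2tr": "5120" + "55" * 32,
}
```

Running key_visible over a wallet's unspent outputs, with spent_from_before set for any reused address, gives the list of coins a holder would want to move first.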
Lopp was direct about the stakes. “It doesn’t even require a massive market dump,” he said. “If there is any credible evidence that anyone has the capability to recover lost or vulnerable coins with a quantum computer, you should expect a massive market panic immediately.”
What BIP-361 Proposes
BIP-361 lays out a three-phase soft fork plan. Phase A would begin approximately three years after a companion quantum-resistant address proposal, BIP-360, is activated. During Phase A, wallets would be blocked from sending funds to legacy address types, pushing users toward newer quantum-safe formats. Phase B would kick in two years after that, rendering all legacy signatures invalid at the consensus layer. Coins that did not migrate would become frozen and unable to move. A third phase, still under research, would allow holders of frozen coins to prove ownership through a zero-knowledge proof tied to a BIP-39 seed phrase and recover their funds.
Lopp was candid about his own discomfort with the proposal. In a post on X, he conceded: “I know folks don’t like BIP-361. I don’t like it myself. I wrote it because I like the alternative even less.”
The pushback was swift. Developer and researcher Mark Erhardt described it as “authoritarian and confiscatory.” Phil Geiger, head of business development at Metaplanet, said: “We have to steal people’s money to prevent their money from being stolen.”
Adam Back’s Counter-Argument
At Paris Blockchain Week today, Blockstream CEO Adam Back offered a different framing. Back told attendees that Bitcoin developers should start building optional quantum-resistant upgrades now, even though current quantum computers remain “essentially lab experiments” with progress that has been “incremental.”
Back addressed the underlying question of whether Bitcoin’s developer community can respond quickly to a sudden quantum breakthrough. “Bugs have been identified and fixed within hours. When something becomes urgent, it focuses attention and drives consensus,” he said, suggesting Bitcoin’s rough-consensus governance could handle an emergency without pre-scheduled freezes years in advance.
Back called for continued research, further testing of alternative signature schemes in sidechains and layer-2 networks, and technical work to enable optional, non-disruptive upgrade paths that users can adopt voluntarily if needed. His position is that controlled preparation beats crisis reaction but that forcing a freeze on existing coins crosses a philosophical line Bitcoin should not cross.
The Canary Fund Alternative
BitMEX Research floated a third path that attempts to thread this needle. Bitcoin developers are weighing a proposal for a “canary” system that would only restrict vulnerable older wallets if a quantum-capable attacker proves the threat on-chain. The canary address would hold a bounty that only a quantum attacker could unlock, with any spend both triggering a retroactive freeze on vulnerable coins and publicly signalling that Bitcoin’s signature scheme has been broken. Supporters say the approach avoids an “authoritarian” pre-scheduled freeze like BIP-361, while critics warn it gambles that the first quantum attacker will claim the bounty rather than quietly steal funds on a massive scale.
The canary approach is elegant in principle. It delays any action until proof of threat exists, preserving Bitcoin’s ownership guarantees in the meantime. The fatal objection is that a sophisticated quantum attacker may have no interest in claiming a public bounty. They would rather quietly drain vulnerable wallets at scale before anyone knows what is happening.
What Happens Next
BIP-361 is a draft. It has no activation timeline. Lopp told Cointelegraph that BIP-361 is not currently positioned for adoption and described it as a rough sketch of one possible approach, with various aspects expected to evolve as research continues. BIP-360, which must be activated first to provide the quantum-resistant address types that BIP-361 depends on, is still working through testnet implementation.
The deeper question BIP-361 raises has no clean answer. Bitcoin’s decentralised governance is extraordinarily resistant to changes that touch existing coins. No upgrade in Bitcoin’s history has ever rendered valid coins unspendable. Bitcoin’s decentralized governance is “a strength in normal times and a weakness when you’re racing a clock,” with voluntary migration without a hard deadline “only working if you assume the threat arrives on a schedule.”
That tension between Bitcoin’s immutability principle and the practical need to defend against a credible future threat is now a live debate with named proposals, merged GitHub commits, and the most prominent voices in Bitcoin’s developer community on opposite sides of it.