Key Highlights
- Bitcoin developers led by Jameson Lopp proposed BIP 361, a three-phase plan to migrate to quantum-resistant addresses and eventually freeze ~6.7 million vulnerable BTC via a “flag day” soft fork. Critics call the forced migration “authoritarian” and a breach of immutable property rights.
- Google Quantum AI’s March 2026 research estimates that breaking Bitcoin’s ECDSA could require under 500,000 physical qubits and run in minutes. This shortened expected timelines and raised alarms over “harvest now, decrypt later” attacks on public keys that are already exposed on-chain.
- Lightning Labs CTO Roasbeef released a zk-STARK prototype to rescue frozen wallets by proving seed ownership without exposing keys. Meanwhile, StarkWare’s Quantum Safe Bitcoin (QSB) enables quantum-resistant transactions today via hash-based proofs — no soft fork needed.
Bitcoin developers have ignited fierce debate with a new proposal aimed at shielding the network from future quantum computer attacks that could crack its cryptography.
On Tuesday, cypherpunk Jameson Lopp and five co-authors published BIP 361, titled “Post Quantum Migration and Legacy Signature Sunset.” The draft, posted to the Bitcoin BIPs GitHub repository, outlines a three-phase plan to push users toward quantum-resistant addresses and eventually disable old signature schemes vulnerable to quantum threats.
The proposal arrives amid growing concern over how Bitcoin manages public keys. In the network’s earliest days, many addresses — including a large portion from Bitcoin creator Satoshi Nakamoto’s era — exposed public keys directly on the blockchain.
A powerful enough quantum computer running Shor’s algorithm could, in principle, derive the corresponding private keys from those exposed public keys. Recent analyses peg the total at-risk supply at roughly 6.7 million BTC, worth tens of billions of dollars at current prices. This includes early Pay-to-Public-Key (P2PK) outputs, whose scripts contain the public key itself, and coins sent to reused addresses: an address reveals its public key in the first transaction that spends from it, so any later coins sent to the same address are exposed as well.
BIP 361 builds on the earlier BIP 360, which introduced post-quantum output types. Once activated via soft fork:
- Phase A, roughly three years after activation, would block new sends to legacy addresses, nudging adoption of safer formats.
- Phase B, five years after activation on a fixed “flag day,” would invalidate ECDSA and Schnorr signatures entirely, freezing any unmigrated quantum-vulnerable UTXOs.
- Phase C, still under discussion, could offer a recovery path for some frozen funds using zero-knowledge proofs to verify ownership, such as via BIP-39 seed phrases.
Proponents argue the structured timeline creates clear incentives for migration without waiting for a crisis. Some supporters urged moving faster still, pointing to the slow pace of ecosystem-wide upgrades across wallets, exchanges, and services. The overall reaction on X, however, was swift and overwhelmingly negative.
Critics called the plan “authoritarian” and “confiscatory,” accusing it of violating Bitcoin’s core promise of immutable property rights.
“This quantum proposal is highly authoritarian and confiscatory,” one user commented. “There is no good rationale for forcing the upgrade and rendering old spends invalid. Upgrade should be 100% voluntary.”
Many rejected Phase B outright, insisting upgrades must remain voluntary and that inactive or lost coins—including potential Satoshi holdings—should not face forced freezes. Others labeled it central planning that treats Bitcoin like an HOA rather than decentralized money.
Developers behind the BIP, including Bitcoin Stack Exchange contributor Mark “Murch” Erhardt who announced it, framed the move as a pragmatic defense. Yet the backlash highlights deep tensions over balancing long-term security against the protocol’s resistance to retroactive rule changes.
Because Bitcoin’s consensus-driven process means any soft fork requires broad miner and node support, the proposal is currently testing the community’s tolerance for enforced upgrades.
The looming quantum threat on Bitcoin
The quantum risk to Bitcoin is not new, but it has evolved from distant theory into a concrete planning issue. Satoshi Nakamoto himself touched on cryptographic weakening as early as 2010 in Bitcointalk discussions. He envisioned a gradual migration: if signatures or hashes grew weak, users could re-sign coins into stronger formats, preserving the system’s integrity without panic.
Back then, quantum computing was barely on the horizon. Experts projected that elliptic curve cryptography like Bitcoin’s secp256k1 would remain secure until at least 2030–2040.
That timeline tightened dramatically after the Google Quantum AI research paper dropped in late March. The study suggests a cryptographically relevant quantum computer might break ECDSA with far fewer resources than previously thought, potentially in as little as nine minutes using under 500,000 qubits, which is faster than Bitcoin’s roughly ten-minute average block time.
As of now, Bitcoin’s exposure is uneven, and it depends on the output type rather than on age alone. Outputs locked to a key hash (P2PKH and P2WPKH) publish only a hash until they are spent, so a never-reused, unspent output of those types gives a quantum attacker nothing to work with. Pay-to-taproot (P2TR) outputs, by contrast, place the tweaked public key directly in the output script, as early pay-to-public-key outputs do. The legacy coins, especially dormant ones from 2009 to 2011, are the most exposed: roughly 1–2 million BTC are tied to pure P2PK scripts, with Satoshi’s presumed ~1.1 million BTC among the most prominent targets.
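The exposure triage described in the two passages above (P2PK and reused addresses versus hash-locked outputs) can be made mechanical. The following is an added example written for this article, not code from the BIP authors or any project named here: it matches a scriptPubKey against the standard output templates and reports whether the public key a Shor-capable attacker would need is already on-chain. The key bytes in the samples are placeholders, not real on-chain data, and the `spent_before` flag is this example’s way of modelling address reuse.

```python
"""Quantum-exposure triage of Bitcoin output scripts.

Added example for this article; not code from the BIP authors or any
project named here.  A scriptPubKey is "key exposed" when the public key
is already on-chain: in the output itself (P2PK, P2TR) or in an earlier
spend from the same address (reused P2PKH/P2WPKH).  Key bytes below are
placeholders, not real on-chain data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Exposure:
    script_type: str
    key_exposed: bool
    reason: str


def _hash_locked(script_type: str, spent_before: bool) -> Exposure:
    # Hash-locked templates reveal the key (or redeem script) only in the
    # first spending input, so exposure hinges on address reuse.
    if spent_before:
        return Exposure(script_type, True,
                        "address reused: key revealed by an earlier spend")
    return Exposure(script_type, False,
                    "only a hash is on-chain until the first spend")


def classify_script(spk: bytes, spent_before: bool = False) -> Exposure:
    """Classify a scriptPubKey and say whether its public key is exposed.

    spent_before (assumption of this example) means some earlier output
    with this same script has already been spent.
    """
    n = len(spk)
    # P2PK: <33- or 65-byte key push> OP_CHECKSIG (0xac)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "public key is in the output script")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return _hash_locked("P2PKH", spent_before)
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return _hash_locked("P2WPKH", spent_before)
    # P2SH / P2WSH: only a script hash is on-chain; the redeem script and
    # its keys are revealed on first spend, so treat them like key hashes.
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return _hash_locked("P2SH", spent_before)
    if n == 34 and spk[:2] == b"\x00\x20":
        return _hash_locked("P2WSH", spent_before)
    # P2TR: OP_1 <32-byte x-only tweaked key>; the key *is* the output.
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "tweaked output key is in the output script")
    return Exposure("nonstandard", False, "unrecognised template; inspect manually")


def triage(utxos: List[Tuple[str, float, bytes, bool]]) -> Dict[str, float]:
    """Sum BTC held in exposed vs. not-yet-exposed outputs."""
    totals = {"exposed_btc": 0.0, "unexposed_btc": 0.0}
    for _label, btc, spk, spent_before in utxos:
        exposed = classify_script(spk, spent_before).key_exposed
        totals["exposed_btc" if exposed else "unexposed_btc"] += btc
    return totals


# Constructed sample scripts with placeholder key material.
P2PK_65 = bytes([0x41, 0x04]) + b"\x11" * 64 + b"\xac"
P2PKH = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"
P2WPKH = b"\x00\x14" + b"\x44" * 20
P2TR = b"\x51\x20" + b"\x55" * 32
P2WSH = b"\x00\x20" + b"\x66" * 32

SAMPLE_UTXOS = [  # (label, BTC, scriptPubKey, spent_before) -- constructed
    ("2009-era coinbase", 50.0, P2PK_65, False),
    ("reused legacy address", 1.5, P2PKH, True),
    ("fresh legacy address", 2.0, P2PKH, False),
    ("fresh segwit v0", 0.25, P2WPKH, False),
    ("taproot output", 0.75, P2TR, False),
    ("fresh P2WSH", 3.0, P2WSH, False),
]

if __name__ == "__main__":
    for label, btc, spk, reused in SAMPLE_UTXOS:
        e = classify_script(spk, reused)
        print(f"{label:24} {e.script_type:6} exposed={str(e.key_exposed):5} {e.reason}")
    print(triage(SAMPLE_UTXOS))
```

Run against a real UTXO set, the `spent_before` flag would come from the address’s spend history; the point of the sample is that age is a poor proxy, since a fresh P2PKH output is unexposed while a brand-new taproot output is not.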
Earlier discussions floated ideas like hash-based signatures (Lamport, SPHINCS+), commit-delay-reveal schemes, or quantum-secure Taproot variants.
Alternative proposals gaining traction
As debate swirls around BIP 361’s forced migration timeline, two other approaches have already gained attention for offering potentially less disruptive paths. Olaoluwa “Roasbeef” Osuntokun, CTO at Lightning Labs, recently released a working prototype using zk-STARK proofs to rescue vulnerable wallets.
This tool allows users to prove ownership of funds derived from a seed phrase via BIP-32/BIP-86 key derivation without revealing the seed or private keys, creating an “escape hatch” that could recover coins even if an emergency soft fork disables legacy signatures.
The zk-STARK-based recovery aims to prevent millions of wallets—including long-dormant ones—from being permanently locked, addressing one of the biggest criticisms of hard cutoffs.
Separately, StarkWare introduced Quantum Safe Bitcoin (QSB) on April 9, 2026—a hash-based “hash-to-sig” scheme that enables quantum-resistant transactions today without any soft fork or protocol change. By replacing vulnerable elliptic curve signatures with puzzles relying on the preimage resistance of cryptographic hashes, QSB fits within Bitcoin’s existing Script limits and works immediately for users willing to pay the premium.
Though computationally expensive ($75–$200 per transaction, due to GPU-heavy proof generation and larger transaction sizes), it provides a practical bridge for high-value holdings while longer-term upgrades like BIP 360 mature.
StarkWare’s approach leverages the firm’s expertise in STARK proofs and has been praised for its backward compatibility, though critics note it does not solve the problem of already-exposed legacy coins.
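Lamport signatures, listed earlier in this article among the hash-based candidates, are the simplest way to see what “relying on the preimage resistance of cryptographic hashes” means and why Script can verify such a signature with nothing but hash and equality checks. The block below is an added example written for this article; it is not StarkWare’s QSB construction or code from any project named here, and its parameters (SHA-256, 256 bit positions, 32-byte secrets) are this example’s own choice. It also demonstrates the caveat such schemes carry: a Lamport key is one-time, and signing twice leaks enough preimages that an attacker can forge other messages.

```python
"""Lamport one-time signatures over SHA-256.

Added example for this article, not code from StarkWare's QSB or any
other project named here.  A signature is a list of hash preimages;
verification only hashes them and compares, which is the mechanism a
Script-level "hash puzzle" can check (the equivalent of OP_SHA256 and
OP_EQUAL per preimage).  Parameters are this example's choice.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

N = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


SecretKey = List[Tuple[bytes, bytes]]
PublicKey = List[Tuple[bytes, bytes]]


def keygen() -> Tuple[SecretKey, PublicKey]:
    """Secret key: N pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes) -> List[int]:
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk: SecretKey, msg: bytes) -> List[bytes]:
    """For each digest bit, reveal the preimage that bit selects."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk: PublicKey, msg: bytes, sig: List[bytes]) -> bool:
    """Hash every revealed preimage and compare with the committed hash."""
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _digest_bits(msg))))


def forge_from_reuse(signed: List[Tuple[bytes, List[bytes]]],
                     target: bytes) -> Optional[List[bytes]]:
    """Attacker's view: pool the preimages leaked by signatures under one key.

    Returns a valid signature for `target` if every digest bit of `target`
    selects a preimage that has already been revealed, else None.  Every
    extra signature under the same key roughly halves the unrevealed positions.
    """
    known: Dict[Tuple[int, int], bytes] = {}
    for msg, sig in signed:
        for i, (s, bit) in enumerate(zip(sig, _digest_bits(msg))):
            known[(i, bit)] = s
    forged = []
    for i, bit in enumerate(_digest_bits(target)):
        if (i, bit) not in known:
            return None
        forged.append(known[(i, bit)])
    return forged


def revealed_positions(signed: List[Tuple[bytes, List[bytes]]]) -> int:
    """Count bit positions where both preimages are now public (key fully burnt there)."""
    known = set()
    for msg, _sig in signed:
        known.update((i, bit) for i, bit in enumerate(_digest_bits(msg)))
    return sum(1 for i in range(N) if (i, 0) in known and (i, 1) in known)


if __name__ == "__main__":
    sk, pk = keygen()
    m1 = b"spend output 1 (constructed message)"
    s1 = sign(sk, m1)
    print("verify:", verify(pk, m1, s1), " tampered:", verify(pk, m1 + b"x", s1))
    m2 = b"spend output 2 (constructed message)"  # key reuse
    s2 = sign(sk, m2)
    print("positions fully revealed after two signatures:",
          revealed_positions([(m1, s1), (m2, s2)]))
```

A single signature already costs 256 × 32 bytes of witness data plus a public key of twice that size, which is the “larger sizes” premium the article mentions; and because every spend reveals half the key, each address must be used once, which is why hash-based proposals pair the signature with a fresh commitment for every output.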
