BIP-361 Turns Bitcoin’s Quantum Debate Into a Property-Rights Fight
Bitcoin developers have put a radical idea on the table: if the network ever gets a post-quantum output type, coins that stay on legacy cryptography long enough could eventually become unspendable. That is the core political effect of BIP-361, even if its authors describe it as a defensive migration plan rather than confiscation. The proposal is still only a draft, but it has already shifted the conversation from abstract quantum risk to a much harder question: should Bitcoin proactively freeze vulnerable coins before a quantum attacker can steal them?What BIP-361 actually proposes
BIP-361 is titled “Post Quantum Migration and Legacy Signature Sunset.” In plain terms, it lays out a pre-announced retirement path for Bitcoin’s legacy ECDSA and Schnorr spending methods once a post-quantum output type exists on the network.That wording matters because the proposal is not presented as an emergency patch for one corner case. It is a system-wide migration plan. The authors argue that waiting until a quantum computer is visibly capable of stealing coins would be too late, because the ecosystem would then be trying to coordinate wallets, exchanges, miners, and custodians under panic rather than under a timetable.
The takeaway is that BIP-361 is less about a single technical trick and more about forcing Bitcoin to choose a migration deadline before a crisis arrives.
Why the “34% of Bitcoin” number is driving urgency
The proposal’s most arresting statistic is its claim that, as of March 1, 2026, more than 34% of all bitcoin have already revealed a public key on-chain. Those outputs, according to the draft, could be stolen by an attacker with a sufficiently powerful quantum computer.At current mined supply, that roughly implies around 6.7 million BTC in the risk zone, not because all old wallets are identical, but because many coins have exposed keys through early output types, address reuse, or previously revealed spending paths. This is why the proposal keeps returning to early P2PK outputs as the sharpest example. Once the public key is already visible, the theoretical quantum attack path is much cleaner.
The takeaway is that BIP-361 is not reacting to a hypothetical edge case. It is reacting to the scale of already-exposed keys that cannot be hidden again.
How the three-phase migration would work
Phase A begins about 160,000 blocks, or roughly three years, after activation. At that point, users could still spend from quantum-vulnerable scripts, but new sends to those legacy destinations would no longer be allowed. In effect, the network would start starving old address types of new inflows while still giving holders time to move out.Phase B starts two years after that, five years after activation overall. This is the real hard line. Nodes would reject transactions that rely on ECDSA or Schnorr signatures for vulnerable outputs, which means coins that have not migrated by then become frozen at the consensus layer.
Phase C is still only a concept. The draft says a future proposal may allow recovery of some frozen funds through a zero-knowledge proof tied to a BIP-39 seed phrase. That idea is important politically because it softens the optics, but technically it remains unfinished and explicitly separate from the current proposal.
The takeaway is that the migration path is gradual at first, then absolute. That is why critics are treating it as a governance fight now rather than a technical detail for later.
Why the rescue story is weaker than the headline suggests
Phase C sounds reassuring at first glance, but the draft itself makes the limitation clear. The recovery mechanism is still pending research, demand, and consensus. More importantly, the authors note that for P2PK outputs created before BIP-32 existed, it may be impossible to prove HD wallet ownership through the proposed BIP-39 route. That is why they point to an additional “Hourglass” style idea for P2PK coins.This is the awkward part of the proposal. The coins most frequently discussed in public - early miner outputs and wallets often associated with the Satoshi era - are exactly the coins least likely to fit neatly into a modern HD-wallet recovery framework. So while BIP-361 is often summarized as “freeze now, recover later,” the “recover later” side is much less mature than the “freeze” side.
The takeaway is that the proposal offers a strong migration stick today and only a partial rescue story tomorrow.
Why critics call it confiscation
The backlash has been harsh because BIP-361 rewrites a principle many Bitcoiners treat as foundational: if you control valid keys, the network should not decide that your coins are morally or technically off-limits before an actual theft occurs. That is why critics have described the plan as confiscatory even though no coins would be reassigned to new owners.The authors reject that framing. Their argument is that allowing quantum attackers to loot exposed outputs would be a redistribution event anyway, except the winners would be whoever reaches quantum capability first. In that logic, freezing vulnerable coins is not seizure but damage control. The draft even leans on a well-known Satoshi line about lost coins increasing everyone else’s value, then draws the corollary that quantum-stolen coins would reduce everyone else’s value.
The takeaway is that BIP-361 is colliding with Bitcoin’s deepest philosophical fault line: whether neutrality means letting vulnerable coins stand untouched, or defending the whole network even at the cost of freezing some of them.
How BIP-361 relates to BIP-360 without depending on it
BIP-361 is often discussed alongside BIP-360 because both sit inside Bitcoin’s new post-quantum conversation. BIP-360 proposed a forward-looking output design intended to avoid Taproot’s quantum-vulnerable key path. BIP-361 addresses the backward-looking side of the same problem: what to do about coins that are already exposed under today’s signature schemes.But there is an important nuance. The BIP-361 draft does not formally say “this activates after BIP-360.” Its metadata currently lists only a required future post-quantum signature BIP. That means the conceptual relationship is obvious, but the specification is not yet locked to one exact post-quantum implementation path.
The takeaway is that BIP-360 is the lifeboat many people point to, while BIP-361 is the deadline mechanism. They are related, but not yet fused into a single activation package.
Why the timing debate has become much louder in 2026
This proposal would likely have sounded fringe a few years ago. It does not sound fringe now because the timeline assumptions have changed. The draft points to McKinsey and academic roadmaps that place a cryptographically relevant quantum computer in the 2027 to 2030 window, and it cites Google’s latest algorithmic progress as evidence that the safety margin is shrinking.That pressure is reinforced by Google’s own posture. In March 2026, Google said it is setting a 2029 timeline for its post-quantum cryptography migration. When one of the world’s largest infrastructure operators starts putting a date on its own migration, Bitcoin developers no longer have the luxury of treating quantum risk as a distant academic problem.
The takeaway is that BIP-361 is not controversial only because it is aggressive. It is controversial because the outside world is also moving faster than Bitcoin usually prefers to move.
What happens next if the draft survives the backlash
For now, BIP-361 remains just that - a draft. No activation date exists, no miner signaling path has been agreed, and publication in the BIPs repository does not imply endorsement. Before anything like this could matter on mainnet, Bitcoin would need far more than a GitHub document. It would need a post-quantum output path, wallet support, exchange support, miner support, and far broader social consensus than exists today.That is why the proposal matters even without activation. It forces the ecosystem to pick a side early. Either Bitcoin accepts some form of coercive migration to defend exposed coins before Q-day, or it accepts the possibility that a future attacker could lawfully, in consensus terms, become the new owner of those funds first.
The takeaway is that BIP-361 may never activate in its current form, but it has already succeeded at one thing: it made Bitcoin’s quantum problem political, not theoretical.
FAQ
Is BIP-361 active on Bitcoin now? No. It is a draft published in the official BIPs repository, which is an archive and publication medium, not an approval mechanism.Does it freeze all old wallets? No. The target is quantum-vulnerable outputs, especially coins whose public keys are already exposed on-chain or remain tied to legacy signature paths.
Would holders get years to migrate? Yes. The current draft gives roughly three years before new sends to vulnerable addresses are blocked, and about five years before legacy spends become invalid.
Does Phase C guarantee recovery later? No. Phase C is still unfinished, and even the draft acknowledges that early P2PK outputs may need a different solution because BIP-39 style proof may not apply to them.
Is this definitely built on BIP-360? Not formally. They are part of the same post-quantum debate, but BIP-361 currently requires a future post-quantum signature BIP rather than naming BIP-360 directly.
Why is the reaction so hostile? Because many Bitcoiners would rather risk future theft than accept a consensus rule that deliberately freezes coins before any actual attacker appears on-chain.
Conclusion
BIP-361 is one of the clearest examples of how quantum risk can turn a technical upgrade path into a constitutional fight. Its supporters see it as a painful but rational defense against a class of attack that could undermine Bitcoin’s monetary credibility all at once. Its opponents see it as a preemptive freeze policy that crosses a line Bitcoin was designed not to cross.That is why the draft matters even in its earliest form. It is not only asking whether Bitcoin can become post-quantum. It is asking what Bitcoin is willing to sacrifice, and what it refuses to sacrifice, in order to get there.
Editorial Team - CoinBotLab
🔵 Bitcoin Mix — Anonymous BTC Mixing Since 2017
🌐 Official Website
🧅 TOR Mirror
✉️ [email protected]
No logs • SegWit/bech32 • Instant payouts • Dynamic fees
TOR access is recommended for maximum anonymity.
🌐 Official Website
🧅 TOR Mirror
✉️ [email protected]
No logs • SegWit/bech32 • Instant payouts • Dynamic fees
TOR access is recommended for maximum anonymity.