Edition 4 · Monday, 27 April 2026

Frozen or stolen

A draft proposal would freeze 6.7 million Bitcoin to protect them from future quantum attacks. It's the most consequential governance debate Bitcoin has had in a decade - and it puts last week's argument to the sharpest possible test.
Last week we wrote about why uncensorable money is a necessary good - even when people we don't like use it. The argument was clean because the censoring authority was outside Bitcoin: governments, banks, OFAC, the people who built the surveillance system in 1970 and never stopped expanding it.
This week the question gets harder. Because the censoring authority being proposed is Bitcoin itself.
On 14 April, six developers - including Casa CTO Jameson Lopp - published Bitcoin Improvement Proposal 361, titled "Post Quantum Migration and Legacy Signature Sunset." It is a draft. It is not activated. But it is the most consequential governance proposal Bitcoin has produced in a decade, and it forces the network to choose between two outcomes neither side wants: freezing roughly a third of all Bitcoin in existence, or watching it potentially get stolen by a quantum computer.
What's at stake
Bitcoin's signatures rely on elliptic curve cryptography - specifically the curve secp256k1, used by both ECDSA and the Schnorr scheme that arrived with Taproot. Every key pair has a private key (which only you should know) and a public key (which the network uses to verify your signatures). Security rests on one asymmetry: deriving the public key from the private key is trivial, but reversing it means solving the elliptic-curve discrete logarithm problem, which no classical computer can do in any useful amount of time. A sufficiently large, error-corrected quantum computer running Shor's algorithm can.
There's a critical detail here. For the most common address types (P2PKH, P2WPKH, and the script-hash formats), what gets posted to the blockchain is a hash of the public key or script; the key itself is only revealed when you spend. Two things undo that protection. First, an enormous amount of Bitcoin sits at addresses that have already spent at least once - and so have already broadcast their public key - or that use the original Pay-to-Public-Key format, where the key was always on chain. Second, and less widely understood, Taproot (P2TR) outputs put the tweaked public key directly in the output, so coins at the newest address type are exposed from the moment they are funded. Those coins are sitting in plain sight, cryptographically speaking. Even a never-spent hashed address reveals its key in the mempool for the minutes between broadcast and confirmation, which is why the speed of an attack matters as much as whether one is possible.
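As an added worked example (not code from the newsletter, BIP 360 or BIP 361), the following Python classifies raw scriptPubKeys by when their secp256k1 public key becomes visible on chain and tallies a constructed UTXO set the way a "BTC in quantum-vulnerable addresses" figure is built. The sample scripts are well-formed templates with dummy key and hash bytes, the amounts are arbitrary, and the address-reuse flag stands in for the chain history a real scan would have to consult.

```python
"""Classify Bitcoin outputs by when their secp256k1 public key is exposed on chain.

Added example for this newsletter; not code from BIP 360/361 or any wallet.
The UTXO set below is constructed: scripts are standard templates filled with
dummy key/hash bytes, and the amounts are arbitrary.
"""
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_EQUAL = 0x76, 0xA9, 0x88, 0x87
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60


@dataclass(frozen=True)
class OutputClass:
    kind: str       # script template name
    exposure: str   # "at funding", "at spend", or "unknown"


def classify_script_pubkey(spk: bytes) -> OutputClass:
    """Match the standard output templates. 'at funding' means the public key is
    literally in the output; 'at spend' means only a hash is on chain until the
    owner spends (at which point the key hits the mempool and then a block)."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG  (the Satoshi-era coinbase format)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return OutputClass("P2PK", "at funding")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return OutputClass("P2PKH", "at spend")
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return OutputClass("P2SH", "at spend")
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return OutputClass("P2WPKH", "at spend")
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return OutputClass("P2WSH", "at spend")
    # P2TR: OP_1 <32-byte x-only tweaked key>; the key itself is the output
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return OutputClass("P2TR", "at funding")
    # bare multisig: OP_m <keys...> OP_n OP_CHECKMULTISIG; keys in the clear
    if n >= 37 and spk[-1] == OP_CHECKMULTISIG \
            and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16:
        return OutputClass("bare multisig", "at funding")
    return OutputClass("non-standard", "unknown")


def is_quantum_exposed(spk: bytes, address_spent_before: bool) -> bool:
    """Could an attacker with a large quantum computer already read the public
    key guarding this output from chain data?"""
    c = classify_script_pubkey(spk)
    if c.exposure == "at funding":
        return True
    if c.exposure == "at spend":
        # A hashed address that has spent once has already broadcast its key;
        # anything sent back to it afterwards is as exposed as P2PK.
        return address_spent_before
    return False


# Constructed UTXO set: (scriptPubKey, amount in BTC, address has spent before)
DUMMY_PUBKEY = b"\x04" + b"\x11" * 64          # uncompressed-key shape, not a real point
SAMPLE_UTXOS = [
    (bytes([65]) + DUMMY_PUBKEY + bytes([OP_CHECKSIG]), 50.0, False),  # 2009-style P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1.5, True),               # reused P2PKH
    (bytes([OP_DUP, OP_HASH160, 20]) + b"\x33" * 20
     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 0.25, False),             # fresh P2PKH
    (bytes([OP_1, 32]) + b"\x44" * 32, 2.0, False),                    # Taproot, never spent
    (bytes([OP_0, 20]) + b"\x55" * 20, 1.0, False),                    # fresh P2WPKH
]


def summarize(utxos) -> dict:
    """Total the exposed share, mirroring how an 'x BTC in vulnerable
    addresses' figure is assembled from a UTXO-set scan."""
    exposed = total = 0.0
    by_kind: dict = {}
    for spk, amount, reused in utxos:
        kind = classify_script_pubkey(spk).kind
        total += amount
        if is_quantum_exposed(spk, reused):
            exposed += amount
            by_kind[kind] = by_kind.get(kind, 0.0) + amount
    return {"exposed_btc": exposed, "total_btc": total,
            "exposed_share": exposed / total if total else 0.0,
            "exposed_by_kind": by_kind}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_UTXOS).items():
        print(f"{key}: {value}")
```

On the constructed set, the P2PK coinbase, the reused P2PKH address and the never-spent Taproot output are all counted as exposed, while the fresh P2PKH and P2WPKH outputs are not: the freshly funded Taproot output is the case that surprises people, and it is the reason "move to the newest address type" is not automatically the safe advice.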
Here's how that exposure breaks down across the supply.
6.7M BTC in quantum-vulnerable addresses
~34% of total Bitcoin supply
~1M BTC attributed to Satoshi

That last number is part of why this debate is so charged. Satoshi's coins have not moved in over fifteen years. Most of them sit in early Pay-to-Public-Key addresses where the public key is fully exposed on chain. Under BIP 361, those coins would either be migrated to quantum-resistant addresses by their owner - which would be one of the most consequential events in Bitcoin's history - or they would be frozen forever.
Why this proposal, why now
On 31 March, Google Quantum AI published a 57-page paper titled "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities." Co-authored with researchers from Stanford and the Ethereum Foundation, it tightened previous estimates of how much quantum hardware would be needed to break secp256k1.
The headline figure: under 500,000 physical qubits could derive a Bitcoin private key from a public key in roughly 9 minutes. That's a 20-fold reduction from the previous best estimate of about 9 million qubits. The improvement comes from algorithmic optimisation, not better hardware.
For context: IBM's Heron r2 processor has 156 qubits (its 2023 Condor chip has 1,121, but with worse error rates), and Google's Willow has 105. We are orders of magnitude away from 500,000 error-corrected physical qubits, and even Google has set its own internal post-quantum migration deadline at 2029. But Ethereum researcher Justin Drake - one of the paper's co-authors - now puts the probability of a quantum computer recovering an ECDSA private key by 2032 at "at least 10%."
A 10% probability of catastrophe by 2032 is not nothing. And the proposal's authors estimate a full Bitcoin migration to quantum-resistant signatures would take seven years from the day consensus forms. The two timelines have started to overlap.

Chart 1: The race - quantum capability vs. Bitcoin migration timelines

2026   Google paper: 500K qubits could break secp256k1 in 9 minutes. BIP 360 on testnet. BIP 361 published.
2029   Google's internal post-quantum migration deadline. IBM Starling target: 200 logical qubits.
2030   NIST deprecates quantum-vulnerable algorithms. EU 18-nation target for high-risk PQC migration.
2032   Drake estimate: 10%+ chance of secp256k1 private key recovery by this point.
2035   NIST disallows quantum-vulnerable algorithms. UK and US transition deadline.
7 yrs  Co-author estimate of how long a full Bitcoin migration would take from the day consensus forms.

Sources: Google Quantum AI (March 2026); IBM roadmap; NIST IR 8547; Drake comments; BIP 361 co-author estimates.

What BIP 361 actually does
BIP 361 builds on a companion proposal, BIP 360, which introduces a new output type called Pay-to-Merkle-Root (P2MR). It is essentially Taproot without the key-path spend: the output commits only to a Merkle root of spending scripts, so no elliptic-curve public key ever appears on chain, and the leaf scripts are free to require a post-quantum signature once a suitable opcode exists. BIP 360 is already running on a quantum testnet, deployed by BTQ Technologies in early 2026.
BIP 361 is the activation plan - and it has three phases.
The Three Phases
Phase A · Year 3
New transactions can no longer send Bitcoin to legacy (quantum-vulnerable) addresses. Existing balances can still be moved out.
Phase B · Year 5
All legacy ECDSA and Schnorr signatures are invalidated at the consensus layer. Coins not migrated by this point are frozen. They cannot be spent. Ever.
Phase C · Under research
An optional recovery mechanism using zero-knowledge proofs tied to BIP-39 seed phrases. Holders could prove ownership of frozen funds without exposing private keys. Not yet specified, not yet guaranteed.
The whole sequence requires a soft fork. Activation timing has not been set. The proposal is still a draft.
The split
The Bitcoin community has split sharply, and the split runs through people who would normally be on the same side.
Lopp's argument is essentially defensive. If quantum computers arrive and 6.7 million Bitcoin get drained from old addresses, the resulting flood of supply hitting the market would crater the price, destroy miner incentives, and potentially break the network. A pre-scheduled migration with a hard deadline forces wallets, exchanges, and individuals to act before the threat is real, rather than scrambling in a panic when it's too late. Coins that get frozen in the process would, in many cases, have been lost anyway - the proposal's authors point out that 5.6 million BTC haven't moved in over a decade.
The opposition is more philosophical. Adam Back, Blockstream CEO, has argued that optional quantum-resistant upgrades should be made available now, but that pre-scheduled freezes are an overreach. Bitcoin, he points out, has historically been able to coordinate emergency soft forks within hours when something genuinely urgent happens. The network's track record is that crisis focuses attention. We don't need to legislate a freeze five years in advance to handle a threat that may or may not materialise.
Others have been blunter.

"Bitcoin's repricing would be instant, not gradual, and would be the worst single day in Bitcoin's history - not because of a hack, but because the network will have proven its core value proposition is negotiable."
— Bitcoin maximalist quoted in CoinDesk, 26 April 2026

That's the heart of it. Bitcoin's pitch to the world has always been that property rights on this network are inviolable. Not "inviolable except when there's a good reason." Just inviolable. If BIP 361 activates, that pitch acquires an asterisk: your coins are yours forever, unless six developers and a rough consensus of nodes decide that the threat to the network outweighs your individual claim.
A reasonable person can read that and conclude two opposite things. Either: this is exactly what Bitcoin is supposed to resist, and the precedent of freezing coins for any reason is corrosive. Or: a network that doesn't defend itself when it can foresee the threat isn't being principled, it's being suicidal, and the philosophical purity costs you everything.
The technical cost nobody is talking about
Even if BIP 361 sailed through, post-quantum Bitcoin doesn't look the same as the Bitcoin we have today. Quantum-resistant signature schemes are dramatically larger than ECDSA. ML-DSA-87, the largest parameter set of NIST's standardised lattice scheme (FIPS 204), produces signatures of 4,627 bytes, and its 2,592-byte public key also has to appear on chain when you spend. A raw ECDSA or Schnorr signature is 64 bytes (ECDSA signatures are DER-encoded on chain, usually 71 or 72 bytes including the sighash flag).
That's roughly 72 times bigger. Block space is a finite resource on Bitcoin, and bigger signatures mean fewer transactions per block, higher fees, and pressure on layer-two solutions like Lightning to absorb more activity. The witness discount softens the blow - witness bytes count for a quarter of the weight of other transaction data - so the fall in transactions per block is closer to fifteen or twenty times than seventy, but it is still more than an order of magnitude. The migration is not just a cryptographic upgrade - it's an economic one too.
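To see what the signature sizes mean for throughput, here is an added worked example (not code from BIP 360 or any Bitcoin client) that applies the consensus weight rules to a minimal one-input, one-output transaction. It assumes the post-quantum signature and public key both sit in the witness, as a P2MR-style leaf spend would, and ignores the script and Merkle path that spend would also carry, so the post-quantum figures are a lower bound. The "hypothetical P2MR leaf" scenarios are my assumptions, not the BIP 360 encoding; the ML-DSA sizes are from FIPS 204.

```python
"""Block-space cost of post-quantum signatures under Bitcoin's weight rules.

Added worked example for this newsletter, not code from BIP 360 or any client.
Assumes a minimal 1-in, 1-out transaction whose signature and public key both
sit in the witness (as a P2MR-style leaf spend would). The "hypothetical P2MR
leaf" scenarios are assumptions, not the BIP 360 encoding.
"""
import math

BLOCK_WEIGHT_LIMIT = 4_000_000   # consensus limit since SegWit
NON_WITNESS_FACTOR = 4           # non-witness bytes cost 4 WU each, witness bytes 1 WU


def compact_size_len(n: int) -> int:
    """Length in bytes of the CompactSize prefix Bitcoin uses for counts and pushes."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def tx_weight(n_in: int, n_out: int, spk_len: int, witness_items: list) -> int:
    """Weight of a transaction spending native-segwit inputs (empty scriptSig),
    with every output carrying an spk_len-byte scriptPubKey and every input
    carrying the same witness stack (element sizes in witness_items)."""
    base = (4                                    # version
            + compact_size_len(n_in)
            + n_in * (32 + 4 + 1 + 4)            # outpoint, empty scriptSig, sequence
            + compact_size_len(n_out)
            + n_out * (8 + compact_size_len(spk_len) + spk_len)
            + 4)                                 # locktime
    witness = 2                                  # segwit marker + flag
    for _ in range(n_in):
        witness += compact_size_len(len(witness_items))
        witness += sum(compact_size_len(item) + item for item in witness_items)
    return base * NON_WITNESS_FACTOR + witness


def vsize(weight: int) -> int:
    """Virtual size in vbytes, the unit fee rates are quoted in."""
    return math.ceil(weight / 4)


def txs_per_block(weight: int) -> int:
    return BLOCK_WEIGHT_LIMIT // weight


SCENARIOS = {
    # 72-byte DER signature incl. sighash flag, 33-byte compressed key, 22-byte P2WPKH output
    "ECDSA P2WPKH": dict(spk_len=22, witness_items=[72, 33]),
    # 64-byte Schnorr signature; the key is the 34-byte P2TR output, no separate push
    "Schnorr P2TR key-path": dict(spk_len=34, witness_items=[64]),
    # FIPS 204: ML-DSA-44 signature 2,420 B, public key 1,312 B (assumed both in witness)
    "ML-DSA-44 (hypothetical P2MR leaf)": dict(spk_len=34, witness_items=[2420, 1312]),
    # FIPS 204: ML-DSA-87 signature 4,627 B, public key 2,592 B (assumed both in witness)
    "ML-DSA-87 (hypothetical P2MR leaf)": dict(spk_len=34, witness_items=[4627, 2592]),
}


def capacity_table() -> dict:
    """Weight, vsize and how many such transactions fit in one full block."""
    rows = {}
    for name, p in SCENARIOS.items():
        w = tx_weight(1, 1, p["spk_len"], p["witness_items"])
        rows[name] = {"weight": w, "vbytes": vsize(w), "txs_per_block": txs_per_block(w)}
    return rows


if __name__ == "__main__":
    table = capacity_table()
    baseline = table["ECDSA P2WPKH"]["txs_per_block"]
    for name, r in table.items():
        print(f"{name:36s} {r['weight']:6d} WU {r['vbytes']:5d} vB "
              f"{r['txs_per_block']:5d} tx/block "
              f"({baseline / r['txs_per_block']:.1f}x fewer than ECDSA)")
```

Run stand-alone it reports 438 WU and 9,132 transactions per block for the ECDSA baseline against 7,604 WU and 526 per block for ML-DSA-87: about 17 times fewer, not 72, because the witness discount charges those bytes at a quarter of the rate, while the public key that must now travel with the signature adds more than half as much again.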

Chart 2: Signature size, now vs. quantum-resistant (bytes per signature)

ECDSA (today)         64   (raw r,s; 71-72 bytes DER-encoded on chain)
Schnorr (Taproot)     64
ML-DSA-44          2,420
ML-DSA-87          4,627

Source: NIST FIPS 204, BIP 360 specification. ML-DSA-87 is roughly 72× the size of an ECDSA signature.

Where this lands
BIP 361 is unlikely to activate in its current form. Soft forks require overwhelming consensus, and the philosophical opposition is currently too strong. But the discussion it has triggered will shape the next several years of Bitcoin development. Some version of quantum-resistant addresses is coming, almost certainly via BIP 360. Whether the migration is voluntary, mandatory with a freeze, or mandatory with zero-knowledge recovery is the open question.
The deeper question - the one last week's piece set up - is what kind of network Bitcoin actually wants to be. The argument for uncensorable money is that the system works the same for everyone, including people you don't like, including coins long forgotten. The argument for BIP 361 is that defending the network sometimes requires acting on its behalf, even when individual coins suffer.
Both can be true. They're just hard to reconcile.
For now: if you're holding Bitcoin, the practical action is the same one good security has always demanded. Don't reuse addresses. Don't leave funds sitting on an address that has already spent, because its public key is already public. Until a quantum-resistant output type ships, prefer hash-based addresses (P2PKH, P2WPKH) over Taproot for long-term storage, since a Taproot output publishes its public key the moment it is funded. The quantum threat isn't here yet. The good habits that protect against it are free.
Stack accordingly,
Simon
Bitcoin. Built in New Zealand. Self-custody by default.
You're receiving this because you subscribed at stackedbitcoin.com. Not financial advice. Nothing in this newsletter should be taken as a recommendation to buy or sell anything.