🤝 DAIC partners withPawtato

Inside BIP-361: Bitcoin’s Hardest Post-Quantum Decision

Published:
Bitcoin’s post-quantum debate changed once the problem had a deadline. BIP-360 proposal gives users a safer output format to migrate into, while BIP-361 pushes the harder question: what happens to the coins that stay behind? This article walks through the proposal, the scale of exposed BTC, the migration timeline, and the governance fight that makes the draft so disputable.

Key Takeaways

  • Bitcoin's quantum problem is no longer theoretical once migration deadlines enter the discussion.
  • BIP-360 and BIP-361 solve different parts of the same problem, which is why they need to be read together.
  • The exposed supply is large enough to matter for holders, custodians, and developers.
  • The proposal combines technical migration logic with governance choices that raise ownership and precedent concerns.
  • The investment relevance comes from timing, not just from the threat itself, because delay now has measurable cost.

How BIP-361 Extends Bitcoin's Post-Quantum Concept

In our previous article, we covered BIP-360, the first serious attempt to protect Bitcoin outputs from quantum exposure by giving the network a safer address format to migrate into. What it does not do is fix the coins that were created long before anyone was thinking seriously about quantum machines.

That is the gap BIP-361 tries to address. Published in April 2026, the draft was co-written by Jameson Lopp of Casa and Pierre-Luc Dallaire-Demers of Pauli Group, along with four other contributors. It gives Bitcoin a framework for legacy migration, but not yet a plan the network has agreed to deploy.

For anyone holding BTC or responsible for assets, the difference between the two proposals is practical. BIP-360 helps avoid the problem on new outputs. BIP-361 is about what happens to everything that does not move in time.

Why 6.9 Million BTC Are Already Exposed to Quantum Risk

The chart from our BIP-360 analysis makes one thing hard to miss: Bitcoin's quantum exposure is already split into two very different problems. One is structural, where the public key is visible on-chain by design. The other is operational, where the coin becomes vulnerable because of how it is used, stored, or reused.

Structural exposure is the harder problem because the holder cannot undo it with better habits. It now stands at 1.92 million BTC, or 9.6% of issued supply, and those coins are already sitting in formats that reveal the key to anyone reading the chain. Operational exposure is larger at 4.12 million BTC, or 20.6% of supply, with 1.63 million BTC sitting at exchanges. Together, those two buckets put roughly 6.9 million BTC in the exposed category, or about one-third of the total supply. That is the scale BIP-361 is reacting to.

Exposure categoryEstimated amountApprox. value at June 1, 2026 (1 BTC about $73.6k)Why it matters
Structural exposureAbout 1.92 million BTCAbout $141 billionPublic keys are already visible on-chain by design
P2PK outputsAbout 1.7 million BTCAbout $125 billionThe oldest and most visible part of the structural bucket
Operational exposureAbout 4.12 million BTCAbout $303 billionVulnerability comes from reuse and custody practice
Total exposed supplyAbout 6.9 million BTCAbout $508 billionThe full exposure set Bitcoin has to plan for

BIP-360 can help users move into safer outputs going forward, but it does not solve the part of the supply that is already exposed and cannot be made safe by waiting.

BIP-361 exists because the second problem is not going away on its own. The question is what happens to a several-hundred-billion-dollar exposure set if migration has not happened in time.

How BIP-361 Uses a Soft Fork to Force Migration

The force in BIP-361 comes from the way it turns migration into a timetable and then puts that timetable inside a soft fork. The draft defines two formal phases, and both are aimed at pushing exposed coins out of legacy formats before the old path stops working.

Phase A begins 160,000 blocks after activation, or roughly three years later. From that point on, legacy wallets can send funds out to new PQ addresses, but they can no longer receive new funds in. That starts shrinking the exposed set without freezing anyone on day one.

Phase B follows two years later, at a predetermined block height. At that point, nodes tighten verification of ECDSA and Schnorr spends, so any coin that has not migrated must satisfy the new rules or lose spendability. For a holder, that is the point where migration stops being a recommendation and becomes an obligation.

The mechanism is familiar, but the direction is not. Bitcoin has used soft forks before to add new capabilities without taking practical rights away from holders who did nothing. BIP-361 uses the same structure to narrow the old path instead, which is why it feels much more disruptive than its implementation style first suggests.

The draft does discuss rescue logic, but it does so carefully. It points to BIP-32 hardened derivation and ZK-STARK-style proof ideas as possible ways for authentic holders to prove wallet-level knowledge that a quantum attacker would not have, yet none of that appears as a formal third phase in the specification table. The enforceable part of the BIP is two-step, not three-step, and that distinction matters because the migration schedule is already concrete while the recovery side remains conditional.

One more limitation belongs here because it affects the whole mechanism. BIP-361 cannot activate on its own in its current form, since it depends on a separate post-quantum signature proposal to define the replacement path for the legacy signatures it aims to phase out. So the draft is not a complete migration package by itself. It is the part that tells Bitcoin how to stop waiting.

What makes Phase B completely unprecedented is not the technical mechanism - it is what the mechanism does to the social contract. Every prior soft fork either added a new rule or tightened an existing one in ways that left compliant holders unaffected. BIP-361 is the first proposal that would make previously valid coins unspendable for holders who did nothing wrong by the rules that existed when they acquired them. That is the line Phase B crosses, and it is the line that turns a technical upgrade into a governance crisis.

Whether that outcome is best described as a defensive burn, a forced migration penalty, or a confiscation depends entirely on which side of the debate you are standing on, and that is where the argument begins.

Confiscation Debate and the Bitcoin Security Argument

The discussion around BIP-361 is not a routine governance disagreement. It is a collision between two coherent views of what Bitcoin is supposed to protect.

Critics see the proposal as a protocol-level freeze that crosses into confiscation. Reporting on the backlash describes the plan as authoritarian, confiscatory, and incompatible with Bitcoin's ownership guarantees, which is why the debate has landed so hard in Bitcoin's social layer rather than just its technical layer.

Jameson Lopp's own writing helps explain why the draft exists at all. In Against Allowing Quantum Recovery of Bitcoin, he argues that letting quantum-capable attackers recover vulnerable coins is itself a form of theft and that freezing or burning those outputs is a harm-prevention response rather than a seizure of legitimate property.

His later article, Quantum Attack Game Theory, pushes that logic further by showing that the threat is not just a one-time sweep-and-sell event; a quantum adversary could trigger market dumps, slow-bleed selling, shorting cascades, blockspace griefing, and even 51% attack incentives.

That is why the counterargument is so clean. A quantum-capable machine that can derive private keys from public blockchain data would also destroy the meaning of ownership, only in a way that benefits an attacker and gives the network no reliable timeline to react. In that framing, the choice is not freeze or freedom. It is who reacts first.

This is where the Satoshi coin question becomes heavy rather than theoretical. A hard deadline would almost certainly lock up some of the balance set most associated with Bitcoin's origin story, and no version of the proposal has solved the symbolic or political cost of that outcome. Even supporters of migration logic have to reckon with the fact that freezing early coins looks, to many readers, like rewriting Bitcoin's history rather than protecting its future.

The key point for this section is that BIP-361 is not just a technical proposal; it is the policy expression of Lopp's security argument. These two articles give the reader the missing context for why the draft exists, and they show why the debate around BIP-361 is about more than code.

BIP-361 Adoption Odds, Amendments, and Hourglass BIP

BIP-361 in its current form does not look like an easy clean pass. The technical assessment attached to this project argues that adoption as written is less likely than a softened or amended path, mainly because the proposal asks holders to act by fixed deadlines or lose spendability.

Migration pathMain featureCore tradeoff
Hard migration deadlineFreezes or encumbers non-migrated outputs under deadline-driven consensus rules.Strongest protection, highest coercion.
Voluntary migrationRelies on incentives, defaults, and wallet/user behavior rather than invalidation.Lowest pressure, weakest control.
Hourglass BIPRate-limited spending from P2PK outputs instead of a full freeze.Middle path, still controversial.

The most credible changes under discussion aim to reduce that pressure. The assessment points toward narrower scope, longer or adaptive timelines, stronger rescue logic, and a period of non-coercive incentives before any final cutoff becomes enforceable. A softer middle route is the proposed Hourglass-style approach for P2PK outputs, which would rate-limit spending rather than hard-freeze it, preserving some path to spend while reducing the shock a quantum attacker could create.

What BIP-361 Means for Bitcoin Holders, Custodians, and Developers

Whatever happens to BIP-361 itself, the publication of the draft changed the risk picture. Legacy Bitcoin formats are now a documented, foreseeable issue, which means custodians, exchanges, ETF issuers, treasury teams, and wallet developers cannot treat post-quantum migration as a remote talking point anymore.

The timing question is not merely theoretical. Current analysis frames the quantum problem as one that requires years of coordination, not a last-minute response, and the BIP itself warns about the consequences that may occur if we do not react to this. Bitcoin has handled long and bitter upgrade fights before. SegWit and Taproot both took years of debate and still passed without splitting the chain. Those earlier fights were about what Bitcoin could do better. BIP-361 is about what Bitcoin may be willing to do to its own historical coins to keep functioning under a new threat model.

That is why this draft matters even before activation logic exists. It turned post-quantum migration from a background concern into a design choice with deadlines, tradeoffs, and visible losses. The harder question is not whether quantum risk is real. It is how Bitcoin should respond to it.

The information provided by DAIC, including but not limited to research, analysis, data, or other content, is offered solely for informational purposes and does not constitute investment advice, financial advice, trading advice, or any other type of advice. DAIC does not recommend the purchase, sale, or holding of any cryptocurrency or other investment.