Bitcoin quantum security controversy heats up: Disagreements over freezing mechanisms and optional upgrade paths emerge

On April 15, 2026, Bitcoin Improvement Proposal BIP-361—co-drafted in its official form by Bitcoin core developer Jameson Lopp and five collaborators—was formally released in draft form to the official GitHub repository. The proposal’s full name is “Post-Quantum Migration and the Repeal of Legacy Signatures.” It argues for a mandatory, progressive three- to five-year timeline to force all Bitcoin holders on the network to migrate their assets from quantum-vulnerable addresses to quantum-resistant addresses—those who fail to migrate by the deadline will have their assets permanently frozen at the protocol level and will be unable to make any on-chain transfers.

BIP-361’s technical foundation inherits from BIP-360, which was officially registered earlier that same year in February. BIP-360 introduced a quantum-resistant output type called Pay-to-Merkle-Root, intended to protect newly issued Bitcoins from quantum attacks. However, BIP-360 can only cover future assets, and it is powerless against the large amount of legacy assets with exposed public keys—this is the “stock” problem BIP-361 is trying to solve. Once the proposal was published, it immediately triggered intense backlash within the Bitcoin community. Critics described the plan using words such as “authoritarian” and “predatory,” arguing that it violates Bitcoin’s core philosophy as a censorship-resistant, decentralized monetary system.

One day later, on April 16, 2026, Adam Back, CEO of Blockstream, delivered a public speech at Paris Blockchain Week, clearly opposing BIP-361’s mandatory freezing path and instead advocating for an optional quantum-resistant upgrade plan. Back emphasized, “Preparing in advance is far safer than scrambling to respond during a crisis,” and also pointed out that the Bitcoin community has the ability to quickly coordinate and respond to critical vulnerabilities.

By this point, the quantum security issue for Bitcoin has officially evolved from a long-term technical discussion into a public showdown over network governance philosophy, asset sovereignty, and security boundaries. The split between supporters and opponents of BIP-361 is not simply a debate over technical merits and demerits, but rather a fundamental difference in how they understand the future direction of Bitcoin.

Countdown Accelerates: Quantum Threat Moves from Sci-Fi to Countdown

Accelerating Compression of Quantum Threat Timeline

Bitcoin’s security model is built on the computational infeasibility of elliptic curve digital signature algorithms—namely ECDSA. Under the classical computing paradigm, brute-forcing private keys would take far longer than the age of the universe, so this assumption has never truly been challenged in decades. However, the existence of Shor’s algorithm completely overturns that premise at the mathematical level: it can reduce the complexity of solving the discrete logarithm problem from exponential to polynomial. As a result, once quantum computers reach sufficient scale, cracking ECDSA will no longer be a theoretical assumption, but an engineering goal that can be achieved.

Over the past year, the timeline for quantum threats has been continuously and significantly compressed. By the end of 2024, Google launched the Willow quantum chip, which has 105 physical qubits. Although this scale is still far from directly threatening Bitcoin’s encryption—estimates suggest cracking Bitcoin’s encryption would require about 13,000,000 qubits to decrypt within 24 hours—Willow’s exponential reduction in error rates in quantum error correction has laid the groundwork for rapid subsequent iteration.

The real turning point came at the end of March 2026. A technical white paper published by Google’s Quantum AI team shows that a sufficiently powerful quantum computer would theoretically require only one-fifth of the resources previously estimated to crack the underlying encryption used by Bitcoin. The entire cracking process could be completed in as little as about nine minutes. The white paper further compresses the required number of physical qubits to fewer than 500,000—again about one-fifth of earlier estimates. Based on this, Google explicitly moved up the recommended deadline for quantum-safe migration to 2029.

Meanwhile, in parallel, a research team at Caltech achieved breakthroughs on a neutral-atom quantum computing architecture. The research indicates that Shor’s algorithm can run to cryptography-relevant levels on a scale of 10,000 to 22,000 qubits, and the required number of physical qubits has dropped dramatically from the millions. Oratomic’s research further verifies the aggregating effect of quantum threats across platforms.

Technical Preparation and Community Response

Against the backdrop of the quantum-threat timeline being compressed at an accelerated pace, technical preparation across the Bitcoin ecosystem is also progressing in sync:

In February 2026, BIP-360 was officially registered, introducing the quantum-resistant output type Pay-to-Merkle-Root, laying a technical reserve for the post-quantum Bitcoin network.

In March 2026, BTQ Technologies successfully deployed the first working implementation of BIP-360 on the Bitcoin quantum testnet. The testnet has already been running more than 50 miner nodes and has processed more than 100,000 blocks in total.

On April 14, 2026, after the white paper from Google’s Quantum AI team was widely reported by the media, it caused shockwaves across the industry, shifting the “quantum doomsday” narrative from science fiction to a strategic schedule that can be planned.

On April 15, 2026, Jameson Lopp and five collaborators formally submitted the draft of BIP-361, attempting to solve the legacy-asset security issues that BIP-360 could not cover.

On April 16, 2026, Adam Back publicly opposed BIP-361 at Paris Blockchain Week and proposed an optional upgrade route; on the same day, BitMEX Research released a substitute proposal titled “Canary Fund,” suggesting that the freezing mechanism should only be triggered when quantum attacks are actually proven to have occurred.

Asset Scale Involved

According to estimates from multiple parties, in the current total Bitcoin supply across the network, about 34% of the assets have had their public keys exposed on-chain and face direct threats from quantum attacks. Specifically:

Approximately 1.7 million BTC is stored in early P2PK addresses, including about 1.0 million to 1.1 million Bitcoins widely believed to belong to Satoshi Nakamoto. In this category, the public keys of these assets are permanently public on the blockchain, representing the highest level of risk exposure.

Jameson Lopp further noted that approximately 5.6 million BTC has not moved for more than 10 years and may have been permanently lost. If future breakthroughs in quantum computing lead to the cracking of private keys for old addresses, this portion of assets may be transferred again, potentially causing severe market volatility and even a systemic confidence crisis.

Dissecting the Risk: How Many Bitcoins Are Exposed to Quantum Firepower

Address Categories of Risk Exposure and Quantification

To understand the scale and structure of assets involved in BIP-361, it is first necessary to clarify technical differences among Bitcoin address formats and the degree to which their quantum risk is exposed. Different address types have fundamental differences in how public keys are exposed and what protection mechanisms exist, directly determining their level of quantum fragility.

BIP-361’s Three-Stage Migration Mechanism

BIP-361 proposes a clear phased migration roadmap that turns a quantum security upgrade into a “private incentive” for each holder: if holders do not upgrade proactively, they will face increasing friction and restrictions in how their assets can be used, until the network ultimately rejects them entirely. The proposal divides the migration process into three progressive stages:

Stage A: After three years are launched, the network will prohibit anyone from sending new Bitcoins to legacy quantum-vulnerable addresses. Holders can still spend assets from these addresses, but they cannot receive any new incoming funds. The design intention of this stage is to block “incremental risk,” preventing new funds from continuously flowing into address types that are weak in security.

Stage B: After five years are launched, legacy signatures—meaning ECDSA and Schnorr signatures—will be fully deprecated at the consensus layer. The network will reject any attempt to spend Bitcoins from quantum-vulnerable wallets. At this point, un-migrated assets are effectively frozen and cannot be transferred in any on-chain way.

Stage C: A rescue mechanism that still remains under research. Holders of frozen wallets may prove their control over the private key via zero-knowledge proofs; if verification succeeds, the frozen assets will be able to be restored for use. This mechanism is intended to provide a final remedial path for holders who missed the migration window due to having failed to pay attention to market dynamics for the long term.

Key Data From Google and Caltech Research

The Google Quantum AI white paper published on March 30, 2026 has a disruptive core conclusion: cracking the 256-bit elliptic curve discrete logarithm problem used by Bitcoin requires only about 1,200 logical qubits and fewer than 500,000 physical qubits, and the entire cracking process can be completed in a matter of minutes.

Previously, mainstream industry estimates believed that cracking Bitcoin encryption would require millions, or even tens of millions, of physical qubits, spanning more than 10 years. Google’s white paper reduces this threshold by about 20 times, and it explicitly points out that once a Bitcoin transaction is broadcast to the network, it waits in the mempool for block confirmation, with an average waiting time of about 10 minutes. During this window, if an attacker has a quantum computing device that fits the requirements, they can use the publicly available transaction public key to reverse-engineer the corresponding private key in about nine minutes, with a success probability of approximately 41%.

Caltech’s research, meanwhile, proves on a neutral-atom architecture that Shor’s algorithm can run at cryptography-relevant levels on a scale of 10,000 to 22,000 qubits. The two independent technological paths—superconducting qubits and neutral-atom qubits—both point toward lower thresholds for cracking, meaning that the quantum threat does not rely on a single technology’s “miracle” breakthrough.

A white paper co-published by ARK Invest and Unchained proposes a five-stage evolution framework, arguing that current quantum computing is still in “Stage Zero”—quantum computers exist but have no commercial value, and there remain multiple technical milestones before they can crack Bitcoin’s ECDSA. The report states that security researchers for Bitcoin recently estimated the probability of quantum computers recovering private keys before 2032 at about 10%.

Clash of Three Camps: Freeze, Upgrade, or Stay Put

The controversy triggered by BIP-361 quickly formed a clear multi-party layout within just a few days, with each side staging deep exchanges around Bitcoin’s governance philosophy, security boundaries, and asset sovereignty.

Prefer Freezing Over Letting Quantum Hackers Get Away With It

As the main driver of the proposal, Jameson Lopp’s position is reflected in a widely circulated statement: compared with potential future quantum computing attacks, he prefers to freeze approximately 5.6 million BTC of long-dormant assets from the network rather than let them fall into the hands of attackers.

Lopp also admits that BIP-361 is still in the draft stage and not a mature plan that can be implemented immediately. He wrote on a social platform: “I know everyone doesn’t like this plan. I don’t like it either. I wrote it because I like another choice even less.” This statement reveals the core of the supporters’ stance: BIP-361 is not an ideal solution, but a difficult trade-off made in response to a quantum-threat timeline being compressed.

The arguments in support of BIP-361 can be summarized as the following logical chain: if quantum computers break through earlier, approximately 1.7 million to 5.6 million BTC in early P2PK addresses could be cracked and sold off in one round, which would cause a dramatic crash in Bitcoin’s price and severely erode the network’s trust base. Meanwhile, proactively freezing these vulnerable assets would keep systemic risk within a foreseeable range, allowing Bitcoin to transition smoothly into the post-quantum era.

Mandatory Freezing Violates Bitcoin’s Core Principles

As the most representative figure among the opposition, Adam Back raised two core reasons against it at Paris Blockchain Week. First, the Bitcoin community has the ability to quickly coordinate responses to critical vulnerabilities, so there is no need to pre-set a mandatory freezing timeline before a crisis actually occurs. Second, preparedness should be reflected in the R&D and deployment of anti-quantum technological solutions, not in stripping users of their right to dispose of their assets. Back advocates an “optional upgrade” route—providing anti-quantum address options; users migrate voluntarily; and the protocol layer does not impose mandatory interference.

The opposition voices from the community are even sharper. On April 16, 2026, crypto opinion leader Jimmy Song publicly stated that BIP-361 is “completely unacceptable” to him. However, he also said he hopes to see supporters try to push the proposal into a soft fork or hard fork vote—“not to obtain ‘fork dividends,’ but because we need to see how this kind of thing will develop.”

TFTC founder Marty Bent described the proposal as “absurd.” Metaplanet’s Phil Geiger argued that given there has already been migration windows for years, human intervention is unnecessary. Some community members labeled BIP-361 as “authoritarian” and “predatory,” arguing that it makes some unspent transaction outputs invalid and violates the fundamental philosophy of the Bitcoin network—that it cannot be censored and that assets cannot be arbitrarily frozen.

Substitute Proposals and Third-Party Voices

On April 16, 2026, BitMEX Research released an alternative proposal, attempting to find a middle path between “blind freezing” and “complete laissez-faire.” The proposal suggests creating a “signal treasury,” using a “number of no accidents” to generate a special address for which no one knows the private key. If a quantum computer truly has the ability to crack, rational attackers would prioritize attempting to steal the funds from this publicly posted bounty address. Once any passive spending occurs from that address, it constitutes on-chain evidence that a quantum threat is real, thereby automatically triggering a comprehensive freeze of quantum-vulnerable assets.

BitMEX Research acknowledges that the proposal increases technical complexity and execution risk, but considering that “any form of freezing is highly controversial,” a conditional-trigger mechanism like this to mitigate the impact of freezing might be worth considering.

Strategy founder Michael Saylor previously said in public comments that the credible quantum threat to Bitcoin’s cryptography may still require more than ten years, and any meaningful breakthroughs would be detected early and trigger coordinated software upgrades across the global digital system.

The Bitcoin Policy Institute has also recently warned that progress in quantum computing may be compressing the timeline window for network upgrades, and some researchers expect quantum computers with cryptography-relevant capabilities to appear between 2029 and 2035.

Chain Reaction: How Will This Split Reshape the Industry Landscape?

A Test of Network Consensus Mechanisms

The controversy sparked by BIP-361 is, at its core, a stress test of Bitcoin’s governance mechanism when facing an unprecedented external threat. As a decentralized network, Bitcoin’s upgrade decisions require complex coordination among multiple stakeholders, including developers, miners, node operators, users, and capital holders. In the past, debates over Bitcoin upgrades mainly focused on function expansion areas such as scaling, privacy, and smart contracts—these issues are typically measured in years or even decades. But quantum threats compress the decision timeline into a relatively urgent window: the 2029 deadline proposed by Google is less than three years away.

This compressed timeline poses an unprecedented challenge to Bitcoin’s “slow governance” model. If the community cannot reach consensus on a quantum-safe upgrade path within a limited time frame, Bitcoin will face two distinctly different risk scenarios: either excessive intervention that damages the core value of decentralization, or insufficient response that leads to systemic trust collapse when quantum attacks occur.

Potential Impact on Markets and Holder Behavior

The discussion around BIP-361 has itself begun to affect patterns of behavior among market participants. Holders of early P2PK addresses—especially the roughly 1.1 million BTC that have long been regarded as “Satoshi assets”—are facing an increasingly urgent decision window: either migrate proactively to quantum-resistant addresses to avoid future possible freezing risks, or choose to wait and bear uncertainty.

For exchanges and custodial service providers, quantum-safe migration has shifted from long-term planning to near-term operational considerations. After Google’s white paper was released, leading exchanges and custodians are accelerating evaluations of how much quantum-vulnerable exposure exists within their hot and cold wallet architectures, and they have begun planning for a phased migration to anti-quantum address formats.

From a broader industry perspective, the dispute over BIP-361 is catalyzing the entire crypto industry’s increased focus on the migration to post-quantum cryptography. Not only Bitcoin—Ethereum, Solana, and other major public chains are also facing similar quantum threats. And because Bitcoin is the crypto asset with the largest market capitalization, the path it chooses to respond to this challenge will set a precedent for the entire industry.

Accelerating Effects on Post-Quantum Cryptography R&D

One positive side effect of the controversy over BIP-361 is that it has significantly accelerated the R&D and testing of post-quantum cryptography within the Bitcoin ecosystem. It took only one month for BIP-360 to move from a theoretical proposal to deployment on the testnet—this speed is extremely rare within the Bitcoin ecosystem. The BIP-360 implementation deployed by BTQ Technologies on the Bitcoin quantum testnet has already provided initial validation of the engineering feasibility of anti-quantum address formats.

At the same time, research investment into post-quantum cryptography areas such as lattice-based cryptography and hash signature schemes is increasing noticeably. If the dispute over BIP-361 can push the community to reach consensus on a quantum-safe upgrade framework within a shorter cycle, the dispute itself will become an important proof of resilience for the Bitcoin network.

Conclusion

The deeper significance of the BIP-361 controversy goes far beyond whether a technical proposal is accepted or rejected. It reveals a kind of challenge that the Bitcoin network has never truly faced during its 15-year evolution: when the pace of external threats surpasses the pace of decision-making for internal governance, how does a decentralized system make a trade-off between “security” and “freedom,” the two core values?

Jameson Lopp represents a mindset of “preventive intervention”—acknowledging the slow nature of decentralized governance, and therefore advocating proactive action while the crisis is still manageable. Adam Back, on the other hand, represents a mindset of “trust in network resilience”—believing in the Bitcoin community’s ability to coordinate in real crises, and therefore rejecting a mandatory plan that may damage core values before a crisis happens.

The disagreement between the two sides is not a matter of right versus wrong, but rather different judgments about where Bitcoin’s future resilience comes from. What Lopp worries about is that if no action is taken in advance, quantum hackers may become the “ultimate predatory actors” for Bitcoin. What Back worries about is that if the method of acting early is mandatory protocol-layer freezing, Bitcoin could lose its most essential attribute that distinguishes it from traditional financial systems.

No matter whether BIP-361 ultimately gains community consensus, the debate itself has already produced an irreversible positive impact. It has brought quantum security from academic papers and distant forecasts into the mainstream agenda of the Bitcoin community, forcing every participant—developers, miners, exchanges, institutional holders, and ordinary users—to confront a problem that had previously been selectively ignored. Post-quantum cryptography R&D is accelerating, anti-quantum address formats are moving from concept toward testnet validation, and exchanges and custodians are re-examining the security assumptions behind their asset architecture. To a large extent, these changes are thanks to the “necessary split” triggered by BIP-361.

For Bitcoin holders, the most important thing right now may not be rushing to pick a side between Lopp and Back, but understanding the core message revealed by this debate: quantum computing is no longer a distant threat from science fiction. It is moving toward reality at a speed faster than most people expect. If you hold Bitcoin—especially Bitcoin stored in older address formats—closely monitoring the progress of quantum-safe upgrades and learning how to migrate to anti-quantum addresses will be an unavoidable responsibility for every responsible holder over the coming years.