When Google's Quantum AI team published a new whitepaper on March 31, it landed less like an academic milestone and more like a detonation beneath a bridge no one had fully inspected. The team calculated that breaking Bitcoin's elliptic-curve signature scheme now requires fewer than 500,000 physical qubits, roughly twenty times less than the group's own 2019 estimate of ten million, and that a sufficiently capable machine running Shor's algorithm against a single exposed Bitcoin address could complete the cryptographic attack in approximately nine minutes. Google separately published a 2029 target for industry-wide migration to post-quantum cryptography, signalling that the engineering community considers the threat a planning horizon rather than a distant abstraction.
Fourteen days later, a coalition of six Bitcoin developers led by Casa co-founder Jameson Lopp filed BIP-361: "Post Quantum Migration and Legacy Signature Sunset." The proposal lays out a phased plan to migrate Bitcoin to quantum-resistant address types built on BIP-360 and, critically, to freeze any coins that fail to complete the transition within five years of activation. The total at risk: approximately 6.7 million BTC in addresses whose public keys are already exposed on-chain, roughly 32 percent of circulating supply, worth more than $520 billion at current prices.
The filing has fractured Bitcoin's developer community along lines of philosophy as much as cryptography, reopening questions about immutability, property rights, and whether Bitcoin's consensus process is capable of managing a coordinated, time-limited migration at all.
The Mechanism Behind BIP-361
BIP-361 is structured as a three-phase soft fork that depends on BIP-360 being activated first. BIP-360, which introduces a new quantum-resistant output type based on post-quantum signature algorithms, moved onto the Bitcoin testnet in early 2026 via BTQ Technologies, a cryptography firm leading the bulk of the implementation work and the most visible corporate actor in the effort to date.
Phase A triggers three years after BIP-360 activates. From that date, the network will reject new transactions that send funds to legacy address formats whose public keys sit exposed on-chain: primarily pay-to-public-key (P2PK) outputs used in Bitcoin's earliest years, and any pay-to-public-key-hash (P2PKH) address that has already made at least one outbound transaction, thereby broadcasting its underlying key to the public ledger. Phase A does not touch existing balances; it simply closes the intake pipe for new deposits flowing into vulnerable address types.
Phase B fires two years after Phase A, at the five-year mark post-activation. At a block height coded into the protocol at activation time and not adjustable reactively, Bitcoin nodes would refuse to validate ECDSA and Schnorr signatures attached to any address flagged as quantum-vulnerable. Coins that have not migrated to a BIP-360 output are frozen in place and rendered unspendable until a third mechanism becomes available.
That third mechanism, Phase C, remains under active research. The proposal envisions that a holder who possesses a BIP-39 seed phrase — the standard 12- or 24-word recovery mnemonic introduced in 2013 — could construct a zero-knowledge proof of key ownership and recover frozen funds without exposing the private key to on-chain observation. For wallets whose keys derive from a BIP-39 mnemonic, the recovery path exists in principle. For wallets that predate the standard, it does not exist at all, a gap that sits at the center of the fiercest objections to the proposal.
The $520 Billion Exposure
Lopp's headline figure, 5.6 million BTC, refers to coins he believes are permanently lost or effectively unowned: coins widely attributed to Bitcoin's pseudonymous creator Satoshi Nakamoto, early miners who used obsolete P2PK scripts, and wallets dormant for more than a decade with no known active custodian. His logic is direct: a future quantum attacker who derives private keys from exposed public keys on the blockchain can spend those coins at will. A disorderly release of even a fraction of that supply would overwhelm exchange order books and trigger cascading liquidations across derivative markets before any coordinated response was possible.
Google's March whitepaper provides the quantitative grounding. The team compiled two quantum circuits implementing Shor's algorithm for the elliptic-curve discrete logarithm problem at 256-bit security, one consuming fewer than 1,200 logical qubits and roughly 90 million Toffoli gates, a second trading gate depth for a lower qubit count. Both designs fit within a superconducting qubit machine with fewer than 500,000 physical qubits, hardware that does not exist commercially today but that Google projects the broader industry is converging toward before the end of the decade. The 20-fold reduction from Google's own prior estimate was the figure that accelerated BIP-361 from developer mailing list discussion into a formal proposal filing.
The exposure is distributed unevenly across address types. P2PK outputs, which broadcast raw public keys in every transaction, carry the highest immediate risk. Any address that has made at least one outbound payment is also vulnerable because the corresponding signature field contains the public key. Lopp estimates the combined category totals 6.7 million BTC. Of that, roughly 1.7 million BTC, including coins Satoshi mined during Bitcoin's first two years, predates BIP-39 entirely and cannot be recovered through the zero-knowledge path outlined in Phase C. Under BIP-361 as currently drafted, those coins would be permanently frozen once Phase B activates regardless of what their original owners, living or deceased, once intended.
A Protocol Civil War Takes Shape
Blockstream chief executive Adam Back, the cryptographer cited in Bitcoin's original whitepaper and a figure whose views carry unusual weight in protocol debates, does not dispute that quantum hardware is advancing. He disputes the prescription. Back argues that Bitcoin should add quantum-resistant signing options now, making them available to holders who want to migrate voluntarily, while preserving existing address types indefinitely until a genuine emergency is confirmed. "Making changes in a controlled way is far safer than reacting in a crisis," Back wrote in a widely circulated post this week. He cited Bitcoin's track record of rapid patch deployment as evidence that the network can coordinate effectively once a concrete threat materializes, and argued that the quantum timeline remains distant enough to allow a measured, non-coercive approach.
The disagreement among developers extends well beyond Back and Lopp. Bitcoin Core developer Mark Erhardt publicly called BIP-361 "authoritarian and confiscatory." Podcaster Marty Bent described it as "ridiculous." Developer Phil Geiger distilled the property-rights objection into a single sentence: "We need to steal people's money to prevent it from being stolen." The language is sharp, but it reflects a structural concern: BIP-361 would be the first Bitcoin protocol change to retroactively alter the spending conditions attached to coins that already exist, rather than governing how future coins behave.
Lopp himself has been disarmingly self-critical. He described BIP-361 as "a rough idea for a contingency plan" that he hopes never needs to be activated, positioning the filing more as a forcing function to accelerate voluntary migration under BIP-360 than as a committed legislative program. That framing has not quieted critics who note that a five-year sunset encoded at activation ceases to be voluntary the moment the network reaches consensus.
Cardano founder Charles Hoskinson added a structural critique that goes beyond the property-rights objection. In an April 16 post, Hoskinson argued that BIP-361 is functionally a hard fork disguised as a soft fork, because it alters the spending conditions on existing UTXOs rather than simply adding new transaction types. He flagged the 1.7 million BTC in pre-BIP-39 addresses as an unresolvable problem: those holders, if any remain alive and in possession of their original keys, have no cryptographic path to prove ownership under BIP-361's recovery mechanism. Hoskinson framed Bitcoin's absence of formal on-chain governance as the root vulnerability, describing the protocol as ill-equipped to handle contentious changes that require binding decisions on behalf of all stakeholders.
Market and Infrastructure Fallout
The financial stakes of inaction are substantial and asymmetric. Lopp stated directly that "if there is any credible evidence that anyone has the capability to recover lost or vulnerable coins with a quantum computer, you should expect a massive market panic immediately." Six-point-seven million BTC represents a supply overhang of roughly 32 percent of circulating supply; disorderly dumping by a quantum attacker would exceed daily trading volumes across all major venues by an order of magnitude and would likely detonate margin positions across centralized and decentralized lending markets simultaneously.
The opposite scenario carries its own distinct price implications. Permanently freezing that supply would reduce Bitcoin's spendable circulation to roughly 14 million coins, a 32 percent scarcity increase that several crypto research desks have flagged as a medium-term price support, provided the freeze proceeds without triggering a broader crisis of confidence in Bitcoin's foundational property-rights guarantees. Whether the market prices a forced freeze as a supply shock or as a precedent-setting governance failure depends entirely on how the activation narrative plays out.
Wallet providers, custodians, and exchanges holding Bitcoin on behalf of clients face a straightforward but operationally intensive migration requirement before Phase B activates. For retail platforms with complete customer records and modern key-management infrastructure, the task is manageable within a five-year window. For the estimated hundreds of thousands of long-dormant addresses belonging to early enthusiasts, deceased holders, or forgotten hardware wallets, migration is simply impossible. Institutional custodians with agreements drafted before quantum risk appeared on legal risk registers are already reviewing their exposure, according to people familiar with assessments at several major firms.
Governance Without a Rulebook
BIP-361's most consequential implication is not cryptographic but constitutional. Bitcoin has no formal governance mechanism: no on-chain vote, no arbitration body, no amendment procedure. Soft forks advance through rough consensus among developers, miners, and economic node operators, a process that worked smoothly for SegWit in 2017 and Taproot in 2021 but that has never been tested against a proposal to permanently alter the spending rights attached to an identified category of existing holdings.
BIP-360's testnet deployment by BTQ Technologies demonstrates that quantum-resistant primitives are technically available. Whether BIP-361's mandatory sunset can achieve the social consensus required for activation is a separate and harder question. The proposal's co-authors have been careful to present it as a discussion draft rather than a finished specification, but a draft that encodes a fixed flag-day schedule carries a political weight that "discussion" framing does not fully neutralize.
Google's 2029 migration target for the broader cryptographic industry provides an external pressure point. For Bitcoin's consensus process, which has historically operated on timescales that make five years feel compressed, that window is narrow. Whether Back's optional-upgrade path and Lopp's mandatory-sunset path can be reconciled into something the network's competing constituencies accept is the open question that will define Bitcoin development for the next several years.
The uncomfortable truth surfacing from this debate is that Bitcoin's defining strength and its most acute vulnerability appear to be the same property. The protocol's resistance to unilateral modification is what makes it a credible store of value across political jurisdictions and asset classes; that same resistance is what makes mounting a timely, coordinated response to a category-level cryptographic threat structurally difficult. Ethereum's development community has already discussed post-quantum migration frameworks that lean on its established upgrade governance. Bitcoin's developers are discovering that their consensus model, lean by design and adversarial by temperament, is poorly suited for decisions that require binding coordination against a fixed external deadline.
Lopp's framing strips away comfortable middle ground. If the quantum threat materializes before a migration completes, inaction will have made the choice by default, handing an attacker the largest unguarded treasury in financial history. If the threat does not arrive within the proposed five-year window and BIP-361 activates anyway, the network will have permanently altered property rights in a manner its founding documents never contemplated. Neither outcome is comfortable, and the debate now playing out across developer mailing lists and conference calls is in many respects a reckoning Bitcoin has deferred since 2008: who, ultimately, has the authority to change the rules.