A Clear Explanation of BIP-361: What Is the Bitcoin Community Really Arguing About?
This week, there has been a lot of discussion and controversy in the BTC community regarding BIP-361. Here's a summary based on my understanding.
BIP-361 is a draft proposal introduced by Andrew Poelstra, with in-depth analysis and promotion by security expert Jameson Lopp. The core logic of this draft is: before quantum computers can crack Bitcoin, take preventive measures by freezing BTC associated with addresses that have exposed public keys (with remedial measures).
1/ Background Information
Over the past 17 years, Bitcoin has remained highly secure. Its security is guaranteed by asymmetric elliptic curve digital signature algorithms (ECDSA). This algorithm makes it virtually impossible for current computers (including supercomputers) to derive the private key from the public key within a reasonable timeframe. This ensures the one-way, irreversible nature from private key to public key.
The current crisis, or turning point, is that the physics community generally believes that sufficiently powerful quantum computers (with millions of physical qubits) can use Shor's algorithm to crack ECDSA in a very short time.
Earlier this year, Google's Quantum AI team released some research progress. They haven't broken Bitcoin yet, but data suggests that the threat of quantum computing to cryptography might arrive sooner than expected.
The Bitcoin community's response is: there's no need to panic, but we must actively respond, discuss, and take action.
This is why proposals like BIP-360, BIP-361, and others are emerging—because Bitcoin is an open-source software community without a CEO, and every major upgrade is extremely slow, requiring a long time to reach community consensus. Waiting until quantum computers actually appear might be too late.
2/ Upgrade Strategies and Ideas
Logically, since Bitcoin is open-source software, upgrading the Bitcoin algorithm to counteract quantum computing is straightforward. There are implementation options, such as Dilithium and other algorithms selected by NIST. They have some side effects compared to the current ECDSA, but they are theoretically feasible.
Beyond technical issues, the bigger problem is: after the upgrade, people like us can transfer BTC from old addresses to new addresses safely; but what about addresses where the public key has already been exposed, or addresses belonging to deceased owners or with lost private keys? These unowned BTC cannot be moved. They will forever be vulnerable to quantum attacks, becoming targets for attackers to drain, potentially causing market crashes.
How many BTC have exposed public keys?
Current industry estimates suggest about 2 to 4 million BTC (including Satoshi's 1.1 million); another 2 to 3 million are dormant, meaning "not moved for over 5 years." These are protected by hash functions, and quantum computers currently cannot directly crack them. Regardless, this is a significant amount. For comparison, MicroStrategy has struggled to acquire only 780k BTC. If these millions were compromised, the impact on Bitcoin would be enormous.
3/ What Does BIP-361 Aim to Do?
This difficult problem is what the BIP-361 proposal seeks to address and solve.
Its core idea is: addresses that do not upgrade to quantum-resistant wallets will have their funds frozen. This will pressure everyone to migrate to quantum-resistant addresses.
It is deployed in three phases using BIP9 signaling:
◦ Phase A (activation after about 160,000 blocks, ~3 years): prohibit sending BTC to addresses that expose public keys (only transfers to new, quantum-resistant addresses are allowed). This step aims to prevent more people from falling into the trap.
◦ Phase B (approximately 2 years after Phase A, about 5 years in total): nodes will reject all elliptic curve-based signatures, including traditional ECDSA and newer Schnorr signatures. Unspent transaction outputs (UTXOs) vulnerable to quantum attacks that are not transferred will be frozen and unspendable. In other words, if you do not act within 5 years, your coins on the chain will no longer be recognized.
◦ Phase C (TBD): to address the moral dilemma of "dead coins" or forgotten coins, patching Phase B. As long as users have mnemonic phrases, they can prove ownership via zero-knowledge proofs without exposing the old public key, thus unfreezing the assets. This is logically sound, but technically challenging and still in theoretical validation.
Regarding Phase C, here’s an explanation: the current dilemma is that some addresses expose public keys during transfers, making them vulnerable to quantum theft. The rescue/patch idea in Phase C is:
◦ Users hold 12/24-word mnemonics
◦ Use the zero-knowledge proof method mentioned in BIP-361
◦ Users submit a proof to the network: "I won't tell you my private key, but I can prove I own this mnemonic phrase, which can derive the private key for the old address, establishing ownership of the frozen assets"
◦ The network verifies this zero-knowledge proof (the verification process itself is quantum-resistant). Once verified, the protocol allows users to "mirror" the frozen coins to a new, quantum-resistant address.
In summary, BIP-361's logic is: don't wait to be robbed, block the "possible theft" routes in advance.
4/ Community Controversies
After BIP-361 was announced in the BTC community, the overall opposition outweighed support.
Adam Back said: "This is confiscation, not protection." He favors soft forks and voluntary upgrades, explicitly opposing forced freezing. Marty Bent also posted a lengthy thread criticizing it, arguing it violates the principle of "your keys, your coins," advocating voluntary migration and education rather than setting a forced deadline.
Charles Hoskinson was more aggressive: he claimed it is essentially a hard fork that would turn Bitcoin into a shitcoin.
Technically, it appears to be a soft fork, but at the social consensus level, its coerciveness has sparked fierce debate over whether it constitutes a hard fork.
Phil Geiger humorously commented: "We have to first steal people's money to prevent them from being stolen."
Jameson Lopp, one of the proposal's co-authors, admitted: "I don't like it either, but I wrote it because I prefer it over another outcome — quantum computers stealing coins." Sometimes, choosing the lesser of two evils is necessary.
Opponents worry not only about "stealing" funds but also about the increased complexity in the Bitcoin codebase due to the zero-knowledge proof patch in Phase C, which could introduce new bugs and attack surfaces.
The proposal does, however, have some supporters.
Hu Yilin @epr510 supports it, arguing that Satoshi likely already destroyed the private keys, reflecting his free will. Quantum computers would violate this will and re-activate the coins. Freezing forgotten or abandoned coins respects the principle of "property free disposal."
He also rebutted the "slippery slope" argument: freezing addresses that are vulnerable to cracking is a bug fix, not censorship. People who lost their coins want to recover them, not have them stolen by quantum attackers, so freezing does not violate their freedom.
Matt Corallo proposed a compromise: separate the quantum upgrade from freezing old addresses into two independent steps. Technical updates can proceed without consensus, and the final consensus issue can be resolved through a large fork competition.
5/ Potential Impacts
From a numerical perspective, it’s straightforward: millions of BTC worth hundreds of billions of dollars. If BIP-361 is implemented, it could cause a sudden reduction in the circulating supply, a kind of technical contraction. However, if this leads to a split in consensus, undermining confidence in Bitcoin’s fixed and immutable total supply, the market value might not simply rise with the reduction.
Satoshi once said: "Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone."
In BIP-361, this is rephrased as: "Quantum recovered coins only make everyone else's coins worth less. Think of it as theft from everyone."
Losing coins is a donation; being stolen by quantum computers is a robbery.
If not frozen, there are only three possibilities: (1) Allow anyone to steal, first-come-first-served; (2) Restrictive theft, such as miners using RBF to recover quantum-affected coins; (3) No one is allowed to steal. BIP-361 opts for the third.
The proposal itself is unlikely to pass in its current form and will undergo many revisions. But its significance is that it brings a previously avoided issue to the forefront, facilitating early consensus and collective resistance against quantum computing.