Dans cet article
- A Bitcoin Developer Just Proposed Freezing 6.9 Million BTC
- Key Takeaways
- BIP-360: Quantum-Safe Addresses for Bitcoin
- BIP-361: The Freeze Proposal That Divided the Community
- What This Costs Without a Soft Fork
- What Institutional Holders Should Prepare For
- What Bitcoin Holders Should Do Now
- FAQ
- What is BIP-360?
- Will Satoshi's Bitcoin be frozen?
- How much will quantum-safe Bitcoin transactions cost?
- When will Bitcoin become quantum-resistant?
- References
- What's Next
A Bitcoin Developer Just Proposed Freezing 6.9 Million BTC
In February 2026, a group of Bitcoin developers formally proposed freezing approximately 6.9 million BTC — roughly 34% of the total supply — before quantum computers become powerful enough to steal them. That includes an estimated 1.1 million BTC attributed to Satoshi Nakamoto, worth roughly $74 billion at current prices.
This isn't speculation. These are two draft proposals — BIP-360 and BIP-361 — now merged into Bitcoin's official BIP repository. If you read our earlier piece on what Google's quantum paper means for holders, you know the threat timeline just shortened. These proposals are the Bitcoin community's first concrete response. And they've split the community in half.
Key Takeaways
- BIP-360 introduces quantum-resistant
bc1zaddresses via a soft fork, using a new output type called Pay-to-Merkle-Root (P2MR) - BIP-361 proposes freezing dormant coins in legacy addresses, including Satoshi's ~1.1 million BTC in P2PK format
- Without a soft fork, quantum-safe transactions would cost ~$200+ each due to post-quantum signatures being 33x larger than current ECDSA signatures
- Migration is not automatic. Every Bitcoin holder must actively move their funds to new quantum-safe addresses
- The ethical debate is unresolved. Freezing coins to prevent theft means taking control of coins that belong to someone else
- BIP-360's testnet is already live — 50+ miners, 100,000+ blocks mined, 100+ contributors as of March 2026
- Timeline: both proposals are at draft stage. Deployment likely 2-4 years from consensus, assuming consensus forms at all
BIP-360: Quantum-Safe Addresses for Bitcoin
BIP-360 is the construction plan. It defines how Bitcoin can add post-quantum cryptography without breaking the existing protocol.
Authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, the proposal introduces a new output type called Pay-to-Merkle-Root (P2MR). It uses SegWit version 2 outputs with a new address encoding: bc1z (bech32m). If you've seen bc1q (SegWit) or bc1p (Taproot) addresses, this follows the same progression.
What P2MR changes: Taproot (BIP-341) lets you spend Bitcoin two ways — a fast keypath spend using your public key directly, or a scriptpath spend using a Merkle tree of scripts. The keypath is efficient but quantum-vulnerable, because it exposes the public key. P2MR removes the keypath entirely. Every spend goes through the Merkle root of the script tree. The public key never appears on-chain during normal use.
Signature schemes: BIP-360 enables five new opcodes for CRYSTALS-Dilithium (ML-DSA) post-quantum signatures. These are based on lattice problems that no quantum algorithm can efficiently solve. The tradeoff is size: a Dilithium signature is approximately 2,420 bytes, compared to ~72 bytes for a standard ECDSA signature. That is 33x larger.
Two other signature schemes play supporting roles. FALCON is prioritized for its signature aggregation potential — the ability to combine multiple signatures into one, which becomes critical when signatures are this large. SPHINCS+ serves as a conservative fallback based on hash functions rather than lattice math, offering a different security assumption.
One candidate was dropped. SQIsign, based on isogeny problems, was deprecated after benchmarks showed it was 15,000x slower than ECC verification. Theoretical elegance doesn't help if a full node can't validate blocks in reasonable time.
Testnet status: BTQ Technologies launched testnet v0.3.0 on March 19, 2026. As of publication, it has attracted 50+ miners, produced over 100,000 blocks, and involved 100+ contributors. All five Dilithium opcodes are enabled and functional. The proposal preserves compatibility with Lightning Network, BitVM, and Ark.
For a deeper look at how Bitcoin's scripting system works and how Taproot laid the groundwork for this, see Technical Deep Dive.
BIP-361: The Freeze Proposal That Divided the Community
BIP-361 is the harder conversation. It asks: what do we do about the coins that can't be migrated?
Co-authored by Jameson Lopp (CTO of Casa) and five other contributors, BIP-361 was formally assigned on February 11, 2026. It addresses 6.9 million BTC sitting in quantum-vulnerable address types — roughly 34% of the circulating supply.
The breakdown: approximately 1.7 million BTC sits in P2PK addresses, the earliest format Bitcoin used from 2009 to around 2012. These addresses store the public key directly on-chain, making them immediately vulnerable once a sufficiently powerful quantum computer exists. Of that 1.7 million, an estimated 1.1 million BTC is attributed to Satoshi Nakamoto.
The remaining ~5.2 million BTC sits in other legacy address types with varying degrees of exposure — addresses where the public key has been revealed through past transactions or address reuse.
The three-phase plan:
Phase A — 3 years after activation: New Bitcoin can no longer be sent to legacy address types. This is a soft deadline. You can still spend from legacy addresses, but the network stops accepting new deposits into them. It's a one-way door that pushes adoption of bc1z addresses.
Phase B — 5 years after activation: Legacy ECDSA and Schnorr signatures are deprecated entirely. Any Bitcoin still in legacy addresses is frozen. It cannot be moved using the old signature schemes. This is the hard freeze.
Phase C — After Phase B: A zero-knowledge proof recovery mechanism activates. If you missed the deadline but still have your seed phrase (BIP-39 or later), you can prove ownership of the frozen coins and migrate them to a quantum-safe address. This works because you can prove knowledge of a private key without revealing it. But there's a catch: this cannot help coins stored with pre-BIP-39 key formats. That includes Satoshi's coins.
For context on how dormant coins, inheritance planning, and lost access interact with this proposal, see Bitcoin Inheritance.
The community is divided.
Jameson Lopp, the proposal's most visible advocate, put it bluntly: "It's better to freeze 5.6 million BTC than let hackers have them."
Adam Back, CEO of Blockstream and one of the people cited in Bitcoin's whitepaper, pushed back. He favors voluntary, optional upgrades — not a protocol-enforced freeze. The difference matters: one approach trusts holders to act in time; the other accepts that many won't and forces the issue.
Brian Trollz, editor at Bitcoin Magazine, rejected the proposal outright.
Phil Geiger of Metaplanet captured the paradox: "We have to steal people's money to prevent their money from being stolen."
Charles Hoskinson, founder of Cardano, offered outside criticism: "Bitcoin's quantum fix is a hard fork that can't save Satoshi's coins." (For the record, BIP-360 and BIP-361 are designed as soft forks, not hard forks — though whether the freeze constitutes a de facto hard fork in social terms is its own debate.)
What This Costs Without a Soft Fork
The numbers explain why BIP-360 exists as a dedicated proposal rather than just bolting post-quantum signatures onto the existing transaction format.
A CRYSTALS-Dilithium signature is approximately 2,420 bytes. A standard ECDSA signature is approximately 72 bytes. That is a 33x increase in signature size. In a system where block space is fixed at roughly 4 MB per block, that increase is not an inconvenience — it's a structural problem.
At current fee rates and without any protocol optimization, a single quantum-safe transaction would cost roughly $200 or more. That makes post-quantum Bitcoin unusable for ordinary transactions. You could secure your savings, but you couldn't spend them without burning a significant percentage in fees.
BIP-360 addresses this through an optimized witness structure specific to P2MR outputs. The SegWit witness discount — which already gives signature data a 75% fee reduction compared to other transaction data — applies to post-quantum signatures under this proposal. Without that discount, the cost picture would be even worse.
The longer-term solution is signature aggregation using FALCON. If multiple signatures in a block can be combined into a single proof, the per-transaction overhead drops dramatically. This is analogous to how Schnorr signature aggregation works for current Bitcoin transactions, but adapted for post-quantum math. FALCON's algebraic structure makes this possible where Dilithium's does not — which is why both schemes are included in the proposal despite Dilithium being the primary signer.
What Institutional Holders Should Prepare For
No action is required today. Both proposals are at draft stage. Neither has entered the activation process, and Bitcoin's consensus mechanism means years of review, testing, and community debate before any change goes live.
That said, the direction is set. When consensus forms — and the existence of a working testnet suggests momentum — custodians and institutional holders will need to plan for key rotation and address migration. This is not a passive upgrade. Every UTXO must be moved to a new address type. For institutions holding Bitcoin across hundreds or thousands of addresses, that is a significant operational undertaking.
Swiss holders should note that FINMA's regulatory framework already references NIST post-quantum cryptography standards. The same CRYSTALS-Dilithium algorithm in BIP-360 is part of NIST's FIPS 204 standard, finalized in 2024. There is regulatory alignment here, even if the Bitcoin-specific implementation is still in draft.
From my seat at Bitcoin Suisse, I expect the institutional conversation to shift from "if" to "when" within the next 12-18 months, driven primarily by custodial audit requirements and insurance considerations.
For practical guidance on securing your Bitcoin today — regardless of quantum timelines — see the self-custody guide and BIP-39 seed phrase security.
What Bitcoin Holders Should Do Now
The quantum threat is real but not imminent. Here's what matters today.
Check your address types. If your wallet generates addresses starting with bc1q (P2WPKH) or bc1p (P2TR/Taproot), you're using modern formats. These are still quantum-vulnerable in theory, but they don't expose your public key until you spend — giving you time to migrate when quantum-safe addresses become available. If you're holding coins in very old address formats (especially P2PK from 2009-2012), the risk is higher. See Wallets — Staying Secure for a full breakdown of address types.
Don't reuse addresses. Every time you spend from an address, your public key is exposed on-chain. Using a fresh address for each transaction limits the window of exposure. Most modern wallets do this automatically.
Keep your seed phrase secure. If BIP-361 activates and you miss the Phase A and B deadlines, Phase C's zero-knowledge recovery depends entirely on your ability to prove you hold the original seed phrase. Lose it, and those coins are frozen permanently. This is true regardless of quantum computing — your seed phrase is your last line of defense in every scenario.
Stay informed, don't panic. McKinsey estimates quantum attacks become viable between 2027 and 2030. Google's internal quantum migration target is 2029. The Bitcoin development community is moving, as this article documents. The timeline is measured in years. But years pass quickly when migration requires active steps from every holder.
For more on address privacy and reducing your on-chain exposure, see Bitcoin Privacy.
FAQ
What is BIP-360?
BIP-360 is a Bitcoin Improvement Proposal that introduces quantum-resistant addresses using a new output type called Pay-to-Merkle-Root (P2MR). It uses SegWit version 2 with bc1z address encoding and supports CRYSTALS-Dilithium post-quantum signatures. The proposal is designed as a soft fork, meaning it can be adopted without breaking compatibility with existing Bitcoin software. It was merged into Bitcoin's official BIP repository as a draft in February 2026.
Will Satoshi's Bitcoin be frozen?
If BIP-361 activates as proposed, yes. Satoshi's estimated 1.1 million BTC sits in P2PK addresses — the earliest Bitcoin format, where the public key is stored directly on-chain. Phase B of BIP-361 would freeze all coins in legacy addresses that haven't been migrated. Phase C offers zero-knowledge proof recovery, but only for wallets using BIP-39 seed phrases or later formats. Satoshi's coins predate BIP-39 by several years and cannot be recovered through this mechanism — assuming Satoshi doesn't move them during the migration window.
How much will quantum-safe Bitcoin transactions cost?
Without protocol changes, a quantum-safe Bitcoin transaction would cost approximately $200 or more at current fee rates. This is because post-quantum signatures (CRYSTALS-Dilithium) are roughly 2,420 bytes — 33x larger than standard ECDSA signatures (~72 bytes). BIP-360 introduces an optimized witness structure and applies the SegWit witness discount to reduce this cost to practical levels. Long-term, FALCON-based signature aggregation could reduce per-transaction overhead further.
When will Bitcoin become quantum-resistant?
Both BIP-360 and BIP-361 are at draft stage as of April 2026. A testnet is live with 50+ miners and 100,000+ blocks. Assuming community consensus forms, deployment is likely 2-4 years away. For context, Google's internal deadline for post-quantum migration is 2029, and McKinsey estimates quantum attacks become viable between 2027 and 2030. The Bitcoin development process is deliberate by design — rushing a change to a $1 trillion+ network carries its own risks.
References
- BIP-360 Draft — Hunter Beast, Ethan Heilman, Isabel Foxen Duke. "Pay to Merkle Root." Bitcoin Improvement Proposals, February 2026.
- BIP-361 Draft — Jameson Lopp et al. "Legacy Signature Sunset." Formally assigned February 11, 2026.
- Google Quantum AI — Babbush et al. "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities." March 2026.
- NIST Post-Quantum Cryptography Standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA/Dilithium), FIPS 205 (SLH-DSA/SPHINCS+). Finalized 2024.
- BTQ Technologies — Testnet v0.3.0 press release, March 19, 2026.
- CoinDesk — Quotes from Jameson Lopp, Adam Back on BIP-361 debate.
- Bitcoin Magazine — Brian Trollz editorial response to BIP-361.
- McKinsey & Company — Quantum computing viability estimates, 2027-2030 window.
What's Next
This article covered what Bitcoin developers are building. For the underlying threat — how Google's paper changed the math and what it means for your specific wallet — read Quantum Computing and Bitcoin: What Holders Must Know.
To understand the technical foundations that make these proposals possible, start with Technical Deep Dive. For practical steps on securing your Bitcoin today, see Wallets — Staying Secure.
