Hello There,
In this post I will share my opinion on the current Bitcoin quantum computing debate. There is a lot of noise out there and I think most of it is driven by panic rather than principle.
Intro:
Let me start with the foundation: Not your keys, not your coins.
This is not just a saying. It is the contract every Bitcoin participant accepted when they chose to use the network, Satoshi included. Any proposal that violates this contract, regardless of the justification, is a proposal against Bitcoin itself.
BIP-361 violates it. That is my position and I will explain why.
The Actual Threat:
Before panicking, it helps to understand what is actually vulnerable.
Not all Bitcoin is equally exposed to quantum attacks. What matters is whether the public key needed to spend an output can already be read from chain data, and that depends on the output type and on how the address has been used:
- P2PK outputs: Satoshi's coins fall here. The public key sits in the output script itself and has been visible since the coins were mined.
- Reused P2PKH (and P2WPKH) addresses: the public key is revealed in the spending input the first time you spend from the address, so any coins sent to that same address afterwards are exposed.
- Taproot (P2TR) outputs: the output script contains the (tweaked) public key directly, so the key is exposed as soon as the coins are received, not only when they are spent.
- Hash-based addresses that have never been spent from (P2PKH, P2WPKH, P2SH, P2WSH): significantly safer. Only a hash is on-chain, so a quantum attacker has nothing to work from until a spend reveals the key. The caveat is that the protection ends at spend time: the spending transaction publishes the key, and an attacker able to derive the private key before the transaction confirms could race it with a conflicting spend.
As of early 2026, roughly 34% of all Bitcoin supply has an exposed public key on-chain. That is the real attack surface. The remaining 66% is relatively safe for holders who follow one rule: never reuse an address. Note that Taproot outputs do not get this protection, since their key is on-chain from the moment they receive funds.
This distinction matters. The threat is real but it is not universal.
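To make the exposure categories concrete, here is an added example (my code, not part of the original post or of any Bitcoin project) that classifies a UTXO from its scriptPubKey bytes plus one piece of history: whether anything has ever been spent from that same script. The script templates are the standard ones; the sample outputs, keys and values below are constructed filler, not real chain data, and the "spent before" flag is an assumed input that a real tool would look up in a chain index.

```python
"""Classify Bitcoin outputs by whether a quantum attacker already has the public key.

Added example, not from the original post. Script templates are the standard
ones; the sample UTXOs below are constructed, not real chain data.
"""
from dataclasses import dataclass
from enum import Enum

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC


class Exposure(Enum):
    EXPOSED_ON_CHAIN = "public key is in the output script itself"
    EXPOSED_BY_REUSE = "public key revealed by an earlier spend from this script"
    HASH_ONLY = "only a hash is on chain; key is revealed at spend time"
    UNKNOWN = "unrecognised script template"


def script_type(spk: bytes) -> str:
    """Match the standard output templates (no full Script interpreter needed)."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"          # witness v1: the 32-byte x-only output key is right here
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        key = spk[1:-1]        # <pubkey> OP_CHECKSIG, compressed or uncompressed
        if (len(key) == 33 and key[0] in (2, 3)) or (len(key) == 65 and key[0] == 4):
            return "p2pk"
    return "unknown"


def classify(spk: bytes, spent_before: bool) -> Exposure:
    kind = script_type(spk)
    if kind == "unknown":
        return Exposure.UNKNOWN
    if kind in ("p2pk", "p2tr"):
        # Key material is in the output: exposed from the moment funds arrive.
        return Exposure.EXPOSED_ON_CHAIN
    # p2pkh/p2wpkh commit to HASH160(pubkey); p2sh/p2wsh commit to a script hash.
    # Spending reveals the pubkey (or the redeem script and the keys inside it),
    # so every later deposit to the same script is exposed.
    return Exposure.EXPOSED_BY_REUSE if spent_before else Exposure.HASH_ONLY


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes
    value_sats: int
    spent_before: bool  # has any earlier transaction spent from this exact script?


def exposed_share(utxos) -> float:
    """Fraction of value whose spending key is already derivable from chain data."""
    total = sum(u.value_sats for u in utxos)
    if total == 0:
        return 0.0
    hot = {Exposure.EXPOSED_ON_CHAIN, Exposure.EXPOSED_BY_REUSE}
    exposed = sum(u.value_sats for u in utxos
                  if classify(u.script_pubkey, u.spent_before) in hot)
    return exposed / total


# Constructed sample scripts (filler bytes, not real keys or hashes).
PUBKEY_C = bytes([0x02]) + b"\x22" * 32                # constructed compressed key
P2PK = bytes([33]) + PUBKEY_C + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x44" * 20
P2TR = bytes([OP_1, 32]) + b"\x33" * 32

SAMPLE = [
    Utxo(P2PK, 50_00000000, False),    # early coinbase style: key on chain
    Utxo(P2PKH, 10_00000000, True),    # reused legacy address
    Utxo(P2WPKH, 30_00000000, False),  # fresh, never spent from
    Utxo(P2TR, 10_00000000, False),    # taproot: key on chain at receipt
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(script_type(u.script_pubkey), classify(u.script_pubkey, u.spent_before).name)
    print(f"exposed share of sample value: {exposed_share(SAMPLE):.0%}")
```

The only state the classifier needs beyond the script itself is the reuse flag, which is why "never reuse an address" is the one rule that moves coins from the exposed bucket to the hash-only bucket; the Taproot branch shows why that rule alone is not enough for P2TR.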
Why BIP-361 is Wrong:
BIP-361 proposes invalidating ECDSA and Schnorr signatures after a deadline, effectively freezing any coins that haven't migrated. It frames this as a technical scheme migration. In practice it freezes coins by killing the signature scheme those coins depend on. The end result is the same: your coins are gone.
There are also serious technical problems with the proposal:
- No agreed post-quantum signature scheme. The current candidates (SPHINCS+, standardized as SLH-DSA; Dilithium, standardized as ML-DSA; Falcon, standardized as FN-DSA) each carry different tradeoffs in signature size, key size, verification cost and underlying assumptions. Choosing wrongly and baking it into consensus is worse than waiting.
- Block size implications are unresolved. Post-quantum signatures are dramatically larger than ECDSA: the smallest SPHINCS+ parameter set (SLH-DSA-128s) signs in about 7,900 bytes, ML-DSA-44 in about 2,400 bytes and Falcon-512 in 666 bytes, against roughly 72 bytes for a DER-encoded ECDSA signature and 64 bytes for Schnorr. Without solving this the migration creates a fee crisis that prices out ordinary holders while whales move comfortably.
- The node-to-wallet-to-user upgrade pipeline takes time. Even after node consensus activates a new scheme, hardware wallet firmware needs security audits and updates. Users need time to act. The effective window for ordinary holders is far shorter than the headline deadline suggests.
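The fee point can be put in numbers. The following is an added example (my code, not the post's or any project's) that applies the segwit weight rule to a single transaction input carrying signatures of different sizes: non-witness bytes count 4 weight units, witness bytes count 1, and virtual size is weight divided by 4, rounded up. The signature and public-key sizes for the NIST schemes are the published parameter-set values; the assumption that a post-quantum input would carry its signature and public key in the witness the way P2WPKH does is mine, the witness contents are zero-filled placeholders, and the fee rate is illustrative.

```python
"""Per-input virtual size and fee for different signature sizes.

Added example, not from the original post. Uses the segwit weight rule:
non-witness bytes count 4 weight units, witness bytes count 1, and
vsize = ceil(weight / 4). Scheme sizes are published parameter-set values;
the witness layout for post-quantum schemes is an assumption for illustration.
"""

# Non-witness part of one input: 32-byte txid + 4-byte vout + 1-byte length
# of an empty scriptSig + 4-byte sequence.
INPUT_BASE_BYTES = 32 + 4 + 1 + 4


def compact_size_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize encoding of the integer n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def input_weight(witness_items: list[bytes]) -> int:
    base = INPUT_BASE_BYTES * 4
    witness = compact_size_len(len(witness_items))  # stack item count
    for item in witness_items:
        witness += compact_size_len(len(item)) + len(item)
    return base + witness


def input_vbytes(witness_items: list[bytes]) -> int:
    w = input_weight(witness_items)
    return (w + 3) // 4  # ceil(weight / 4)


def input_fee_sats(witness_items: list[bytes], sat_per_vbyte: int) -> int:
    return input_vbytes(witness_items) * sat_per_vbyte


# (signature bytes, public key bytes carried in the witness).
# DER-encoded ECDSA signatures are 71-73 bytes; 72 is typical. A Taproot
# key-path spend carries only the 64-byte Schnorr signature, since the key
# is already in the output. Post-quantum rows are published parameter sizes.
SCHEMES = {
    "ecdsa-p2wpkh": (72, 33),
    "schnorr-p2tr": (64, 0),
    "falcon-512":   (666, 897),
    "ml-dsa-44":    (2420, 1312),
    "slh-dsa-128s": (7856, 32),
}


def witness_for(sig_len: int, pk_len: int) -> list[bytes]:
    """Constructed placeholder witness: zero bytes of the right lengths."""
    items = [b"\x00" * sig_len]
    if pk_len:
        items.append(b"\x00" * pk_len)
    return items


def fee_table(sat_per_vbyte: int) -> dict[str, tuple[int, int]]:
    """scheme name -> (vbytes per input, fee in sats per input)."""
    out = {}
    for name, (sig, pk) in SCHEMES.items():
        items = witness_for(sig, pk)
        out[name] = (input_vbytes(items), input_fee_sats(items, sat_per_vbyte))
    return out


if __name__ == "__main__":
    rate = 20  # sat/vB, illustrative only
    for name, (vb, fee) in fee_table(rate).items():
        print(f"{name:14s} {vb:6d} vB  {fee:8d} sats")
```

A P2WPKH input comes out at the familiar 68 vB and a Taproot key-path input at 58 vB; the same input signed with SLH-DSA-128s is about 2,015 vB even with the witness discount, so every input costs roughly thirty times as much at any given fee rate. Consolidating many small UTXOs into a post-quantum output is exactly the operation that becomes unaffordable first.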
IMHO BIP-361 is an act of laziness and capitulation. The engineering problems are hard and the deadline is a political shortcut.
There is also a principle problem that cannot be engineered away. The moment developers can freeze coins once, they can do it again. Every government and regulator watching Bitcoin will point to this and say: “See? The network can intervene. So can we.” That precedent is permanent. A price shock from quantum theft is temporary. These are not equivalent risks.
The Right Approach:
Blockstream demonstrated in March 2026 that this problem is solvable without touching existing coins.
They broadcast the first post-quantum signed transactions on Bitcoin's Liquid sidechain using a scheme called SHRINCS, a hash-based signature that produces 324-byte signatures. The NIST standard SPHINCS+ (SLH-DSA) produces 8,000+ bytes at its smallest parameter set, so SHRINCS is roughly 25x smaller. It relies only on the security of SHA-256, the same hash function Bitcoin already uses, and requires no new cryptographic assumptions.
The path forward from here is clear:
- A new optional address format using quantum-resistant signatures deployed as a soft fork exactly like Taproot. Addresses starting with bc1r.
- Test on Liquid first, deploy to mainchain when ready. Liquid has previewed major Bitcoin upgrades before mainchain adoption.
- Trust emergency consensus if Q-Day actually arrives. Bitcoin’s developer community has fixed critical bugs within hours when urgency drove consensus. The tools will already be deployed and tested.
No forced migration. No deadlines. No frozen coins. Holders who want quantum protection move voluntarily. Everyone else carries on.
What About the 34%?
This is the question BIP-361 supporters use to justify their position. If quantum computers can steal exposed coins, don’t we have a responsibility to prevent that?
No. We have a responsibility to build the tools. We do not have the right to confiscate on behalf of protection.
If a quantum attacker eventually drains exposed wallets then that is a market event. Bitcoin has absorbed Mt. Gox, exchange hacks, and supply shocks before. The market handles it. It is painful and temporary.
Holders of exposed addresses accepted a risk by not migrating. That consequence is theirs to bear. This is what financial sovereignty actually means: not just the upside, but the full responsibility.
Fin:
Banks will be quantum-safe by 2030 through top-down mandate. No philosophy required. A CEO decides, IT implements, done.
Bitcoin cannot work that way. Its decentralization is the thing worth protecting and also what makes protecting it harder. That is not a bug. It requires us to be smarter and more principled than the alternatives.
Ship the tools early. Make them optional. Trust holders to act in their own interest. Let the market absorb residual risk. Never touch anyone’s coins.
That is Bitcoin working exactly as designed.