Bitcoin's Quantum Defense Crossroads: A Comprehensive Analysis of BIP-361, PACTs, and the "Immutability" Debate

Bitcoin’s quantum threat is no longer a distant technological fable; it’s an imminent, industry-scale event. The core of this debate has shifted from theoretical speculation to practical route selection at the operational level. If earlier discussions were still stuck on “Can quantum computing break Bitcoin?”, then in 2026 the focus has evolved into “Which approach should we choose to stop it?”

The debate framework is narrowing step by step, with three positions forming a stark standoff: the BIP-361 forced migration route argues for driving a network-wide address upgrade through hard protocol constraints; the PACTs timestamp-proof route offers a soft, self-rescue channel that doesn’t require migration; and the community veto route insists on the underlying principle that the network should not be interfered with. It would rather passively endure the quantum onslaught than actively undermine the neutrality principle of “code is law.”

Why the Quantum Shadow Is Accelerating

At the end of March 2026, a technical white paper was jointly released by Google’s Quantum Artificial Intelligence team and Ethereum Foundation researcher Justin Drake, along with Stanford cryptography professor Dan Boneh. The white paper systematically evaluated the resources required for quantum computers to break Bitcoin’s underlying cryptography, and reported a set of key figures: a quantum computer of roughly 500,000 qubits would need only one-twentieth of the resources that academia had previously estimated to break the elliptic-curve cryptography Bitcoin relies on, and the entire process could be completed in as little as about 9 minutes. Bitcoin’s average transaction confirmation time is about 10 minutes, meaning that under certain conditions, an attacker would have about a 41% chance of recovering the private key and diverting funds before the transaction is confirmed.

A more direct risk comes from that portion of Bitcoin whose public keys have been permanently exposed on-chain. The white paper states that currently about 6.9 million BTC face a direct quantum-attack threat due to public-key exposure, including roughly 1.1 million BTC controlled by Satoshi Nakamoto.

The market has not been indifferent to this warning. By late 2025, Bitcoin’s price saw a decline of about 12%. Some analysts linked this to the synchronized rise in quantum-computing stocks, believing that the market has begun pricing long-term quantum risks.

As of May 6, 2026, Gate market data shows Bitcoin at $81,108.8, down 1.40% over the past 24 hours. Its market cap is $1.49 trillion, with a market share of 56.37%. The current market sentiment index is in a neutral range. The quantum issue has not yet triggered large-scale panic selling, but discussions about industry infrastructure are continuing to heat up.

Exposure Breakdown: Trillions Hang on the Quantum Cliff

Bitcoin’s quantum fragility is not evenly distributed. Different address types face sharply different risk levels.

Early Pay-to-Public-Key (P2PK) addresses directly expose the full public key. Against a sufficiently powerful quantum computer, attackers don’t need to wait for a transaction broadcast; they can break the private keys at any time. Widely used modern address types disclose only the public-key hash by default, but the public key must still be broadcast to the network when spending, which opens an attack window of roughly 9 minutes.

Bitcoin introduced Schnorr signature schemes through the Taproot upgrade in 2021, but that did not resolve quantum fragility. Schnorr signatures are also based on the elliptic-curve discrete logarithm problem, so they do not provide any fundamental security improvement against quantum algorithms.

A report published by the Human Rights Foundation in October 2025 shows that about 6.51 million BTC face quantum-attack risk. Of these, 1.72 million BTC are stored in early P2PK-format addresses and are considered “permanently lost.” Another roughly 4.49 million BTC are also exposed, but active holders could theoretically migrate them to secure addresses.

Galaxy Digital’s research department, in its analysis from March 2026, pointed out that about 7 million BTC are at risk under the definition of “long exposure.” However, within the currently publicly known range of quantum capabilities, this portion of assets cannot yet be practically exploited. The key variable is whether the pace of quantum hardware development will outpace the community’s response cycle.

Route One: BIP-361—Forced Migration and Countdown Freeze

On April 15, 2026, six developers led by Casa co-founder Jameson Lopp formally submitted BIP-361 to Bitcoin’s official proposal repository, with the full name “Post-Quantum Migration and Old Signature Repeal.”

Three-Phase Timeline

The proposal uses BIP-360 (registered in February of the same year, introducing the anti-quantum output type Pay-to-Merkle-Root) as its technical foundation, constructing a countdown-style migration path:

  • Phase 1 (3 years after activation): Prohibit users from depositing new Bitcoin into old-format addresses, effectively preventing more assets from flowing into the quantum-risk zone.
  • Phase 2 (about 5 years after activation): Fully declare traditional ECDSA and Schnorr signatures invalid. Any Bitcoin that has not completed migration before this deadline will be permanently frozen and unusable.
  • Phase 3 (after freezing): Introduce a zero-knowledge proof mechanism that allows some users to recover frozen funds.

Protection Scope and Core Flaws

BIP-361 also includes a rescue route for BIP-32 derived wallets (the deterministic key-generation standard introduced in 2012). But wallets from before 2012 (including most of the known Satoshi addresses) do not use BIP-32, so they cannot be protected via this route.

As a result, Satoshi’s roughly 1.1 million BTC fall into a unique policy vacuum: without a dedicated solution, these assets cannot be migrated in either the legal or the technical sense.

Quantified Ripple Effects

According to developers’ estimates, about 1.7 million early BTC in P2PK-format addresses covered by BIP-361 are directly affected. If reused addresses that expose public keys are included in the calculation, the total exposure could be expanded to more than 6.7 million BTC.

Route Two: PACTs—Stamping on the Blockchain, Not Moving Assets

On May 1, 2026, Dan Robinson, a general partner at Paradigm, publicly proposed Provable Address-Control Timestamps (PACTs for short).

Completely different from BIP-361’s forced-migration logic, the core principle of PACTs is: don’t move tokens, don’t disclose identities, and don’t decide in advance whether to freeze. Holders only need to “plant seeds now” so they can be used when future protective measures are activated.

Four-Step Technical Process

PACTs’ operating mechanism can be divided into four steps:

  • Generate a commitment: Holders use BIP-322 (a standard for signing messages with a Bitcoin address without spending from it) to generate an address-control proof, then combine it with a random salt to create a cryptographic commitment that cannot be forged or guessed.
  • Anchor an on-chain timestamp: The above commitment is anchored on the Bitcoin blockchain via the OpenTimestamps service, forming an immutable time record. The wallet information is not revealed throughout.
  • Keep it private: The salt, proof files, and timestamp data are all privately held by the holder. On-chain, only a hash anchor remains, preventing outsiders from inferring the specific address or amount.
  • Unlock in the future: If the Bitcoin network activates a quantum-vulnerable-address freezing mechanism through a soft fork, the protocol can incorporate a rescue path. When holders want to spend, they submit a STARK zero-knowledge proof to verify that their commitment was created before quantum hardware appeared, and the network releases assets accordingly.
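
The commit, anchor and keep-private steps above, as an added example (not code from Robinson's proposal or from OpenTimestamps): a salted SHA-256 commitment to a stand-in for the BIP-322 proof, batched with other digests into a Merkle root as a simplified model of the single hash a timestamping service anchors. The tag, function names and sample bytes are assumptions; real OpenTimestamps proof files use their own format, and the STARK unlock step is not modeled.

```python
import hashlib
import hmac
import secrets

TAG = b"example-pact-commitment-v1"  # hypothetical domain tag, not from any spec

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def commit(proof: bytes, salt: bytes) -> bytes:
    """Salted commitment; the salt is length-prefixed so the split is unambiguous."""
    if len(salt) < 16:
        raise ValueError("salt must carry at least 128 bits of randomness")
    return sha256(TAG + len(salt).to_bytes(2, "big") + salt + proof)

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)  # prefix separates nodes from leaves

def merkle_root_and_path(leaves, index):
    """Batch leaves into one root; path is [(sibling, sibling_is_left), ...]."""
    level, path = list(leaves), []
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted, never duplicated
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        level, index = nxt, index // 2
    return level[0], path

def verify_opening(proof, salt, path, anchored_root) -> bool:
    """Rebuild the commitment from private data and walk it up to the anchor."""
    node = commit(proof, salt)
    for sibling, sibling_is_left in path:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return hmac.compare_digest(node, anchored_root)

def demo():
    proof = b"constructed-bip322-proof-bytes"  # constructed stand-in, not a real proof
    salt = secrets.token_bytes(32)
    mine = commit(proof, salt)
    # Constructed digests standing in for other submissions in the same batch.
    others = [sha256(b"other-%d" % i) for i in range(4)]
    root, path = merkle_root_and_path(others[:2] + [mine] + others[2:], 2)
    return {
        "valid": verify_opening(proof, salt, path, root),
        "wrong_salt": verify_opening(proof, secrets.token_bytes(32), path, root),
        "tampered_proof": verify_opening(proof + b"!", salt, path, root),
        "relinkable": commit(proof, secrets.token_bytes(32)) == mine,
    }

if __name__ == "__main__":
    print(demo())
```

Without the salt the anchored hash can never be reopened, which is why the third step keeps the salt and proof files with the holder.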

Filling the Gap Left by BIP-361

What deserves particular attention is that PACTs specifically targets and fills an important gap in BIP-361: it can cover BIP-32 derived wallets, which is exactly the address range that BIP-361 provides rescue for after freezing. Robinson explicitly states that PACTs still cannot protect early wallets created before 2012 (including Satoshi’s addresses). But at least it provides a complete protection chain for the user group after BIP-32.

Conditions for Real-World Deployment

PACTs’ deployment depends on a prerequisite for which community consensus has not yet been reached: Bitcoin must introduce STARK verification infrastructure via a soft fork. This means Bitcoin must integrate a new class of zero-knowledge proof verification functionality at the protocol level—creating significant tension with Bitcoin’s long-standing commitment to minimalist technical ideology.

Route Three: Community Veto—Network “Neutrality” Must Not Collapse

While BIP-361 and PACTs each propose technical routes, there is also a strongly expressed third stance within the community: the Bitcoin network should not undergo any protocol-level intervention.

Core Argument: Protocol neutrality is the only irreplaceable core asset

Opponents argue that Bitcoin’s value anchor is not the security of any particular generation of cryptographic scheme, but rather its non-intervention transaction-settlement mechanism. Once developers can freeze certain addresses on the grounds of “quantum protection,” it objectively establishes an operational precedent for intervening with assets for other reasons later (such as regulatory compliance and sanctions enforcement).

“Freezing any token—even a token that’s ‘lost’—is telling the market that all roughly 19.8 million BTC in circulation are only conditionally yours,” said Samuel Patt, founder of Op Net, in a comment in late April. “The institutional risk department won’t care about the reason for freezing. They care about the precedent itself.”

TFTC founder Marty Bent, on April 15, directly described the proposal as “absurd.”

Game-Theory Perspective: Quantum Attacks Could Become Another Form of “Market Clearing”

Some analysts draw even more aggressive conclusions from a game-theory perspective: if a quantum attack truly occurs, it itself could be a mechanism for discovering the true market price. Bitcoin on-chain analyst James Check believes the quantum threat is more a consensus issue than a technical one, because the community “can’t reach consensus to freeze” unmigrated old-address tokens. This means that when quantum attacks become feasible, a large amount of “lost” Bitcoin could flow back into the market.

Mati Greenspan’s framing is even more vivid: if a quantum computer cracks early Bitcoin wallets, it won’t trigger rollbacks or freezes—it will trigger the largest bug-bounty payout in human history.

Technical Skeptics: The Threat Timeline Is Being Seriously Overestimated

Not all opposition comes from an ideological stance. Some technologists question the urgency of the threat itself. As of 2026, the most powerful quantum computers have only about 1,500 physical qubits, while cracking 256-bit ECDSA requires at least 500,000. The “last mile” of quantum hardware development still involves major engineering challenges, and practical attack capability is not available in the short term.

Cross-Comparison of the Three Main Routes

Based on the breakdown above, the differences among the three solutions across key dimensions can be summarized as follows:

| Comparison Dimension | BIP-361 Forced Migration | PACTs Timestamp Proof | Community Veto (Non-Action) |
| --- | --- | --- | --- |
| Core Mechanism | Set a 3–5 year cutoff; freeze non-migrated assets | On-chain timestamp + STARK zero-knowledge proof | Maintain the existing protocol unchanged |
| Need to Move Assets | Yes; mandatory migration to quantum-resistant addresses | No; only create a one-time on-chain commitment | No action required |
| Level of Privacy Protection | Low; migration process is publicly visible | High; timestamps are kept private | No additional privacy impact |
| Difficulty of Technical Implementation | Medium; requires community consensus and full-network upgrade | High; requires introducing STARK verification infrastructure | Lowest; no implementation needed |
| Degree of Protocol Intervention | High; directly freezes addresses that don’t follow the rules | Medium; depends on soft-fork activation of a rescue path | None; keep the protocol neutral |
| Protection for Satoshi Addresses | No (addresses that are not BIP-32 cannot enter the rescue path) | No (requires the private-key holder to actively create a commitment) | No (passively exposed to quantum attacks) |
| Community Acceptance | Highly controversial; personal attacks have already appeared | Relatively moderate, but the STARK integration threshold is high | Conservative consensus widely accepted |

From the table above, it can be seen that none of the three solutions can perfectly resolve the quantum exposure problem of Satoshi’s addresses—this is the most structural and most thorny challenge in the current debate.

“Satoshi Paradox”: Why 1.1 Million BTC Become the Chain’s Shackles

Satoshi’s roughly 1.1 million BTC are distributed across about 22,000 addresses, with each address holding about 50 BTC. In the face of the quantum threat, this set of assets forms a classic “hostage dilemma”: no matter which protective route the community chooses, the very existence of these assets continues to disrupt decision-making space.

Assuming the quantum threat materializes around 2030, several possible evolution scenarios exist:

Scenario One: Satoshi’s identity remains active. If, before quantum hardware matures, the person controlling Satoshi’s private keys creates timestamp proofs via PACTs, then once the network activates a later soft fork, these assets could be legally recovered via STARK proofs. But the conditions are extremely stringent: the private-key holder must actively act; PACTs cannot passively protect. By contrast, if the BIP-361 route is adopted, Satoshi must publicly move the assets, which would disturb the psychology of the entire market.

Scenario Two: The private keys are permanently lost. In this case, about 1.1 million BTC are effectively “disabled assets.” Once quantum attacks become feasible, attackers can take their time deriving the private keys from these addresses’ exposed public keys and steal all the assets. At that time, the roughly $84 billion worth of BTC entering the market would constitute one of the largest supply shocks in the history of the crypto industry.

Scenario Three: The community freezes assets in advance. If a protocol freeze based on BIP-361 is activated, these 1.1 million BTC will be permanently removed from circulating supply. For the overall market, a reduction in effective supply could increase the scarcity of remaining circulating BTC. But freezing would also trigger governance controversy and loss of trust, which could simultaneously suppress valuation. The net effect of these two forces is highly uncertain and cannot be determined in advance.

Scenario Four: No intervention. This is the core claim of the community veto route. Before quantum attacks ultimately materialize, Satoshi’s addresses exist in a grace period. If quantum progress is fast enough within that window, markets may face “quantum panic pricing,” forcing Bitcoin valuation models to incorporate a quantum-security discount factor. If the grace period is long enough, technical preparation could be completed without triggering a governance crisis—but this assumption is being continuously tested.

Industry Structural Impact: The Quantum Dispute Is Changing Bitcoin’s Governance DNA

The value of this debate goes far beyond a mere comparison of technical proposals. In essence, it is a comprehensive stress test of Bitcoin’s governance model.

Historically, each major Bitcoin upgrade, from SegWit to Taproot, took a long time, but the controversies never touched the fundamental question of whether “the network has the power to intervene in assets.” BIP-361 is the first proposal to push this boundary into the spotlight: if the network has the capability to forcibly freeze unmigrated addresses, then the meta-rule that “token assets belong to the private-key controller” has already been revised.

In addition, major institutions have begun factoring Bitcoin’s quantum readiness into their risk assessment matrices. According to observations from several research firms, some asset management companies are discussing a Quantum Readiness Index as an internal quantification metric. For investors on the Gate platform, the progress of quantum protection routes is gradually becoming one of the factors used to evaluate the long-term risk of holding Bitcoin.

Meanwhile, the gap in quantum adaptability between Bitcoin and other public chains is also drawing attention. Some competing chains, because they adopt more flexible governance mechanisms, face lower consensus costs when initiating anti-quantum migrations. For example, according to publicly available information, the XRP Ledger has laid out a four-phase anti-quantum plan, targeting completion before 2028. Whether Bitcoin can complete its response before quantum hardware matures depends on whether this debate can consolidate a minimal viable consensus amid community divisions.

Conclusion

Quantum threats are moving from academic hypotheses to engineering agendas, forcing Bitcoin to face the deepest technical choice since its birth. The three response routes—forced migration, timestamp proofs, and community veto—each embody different security philosophies and technical beliefs.

Perhaps the most important part of this debate is not who persuades whom, but what it reveals about Bitcoin’s governance landscape in the face of low-probability, high-impact events: how a distributed decision-making system composed of developers, miners, nodes, and holders responds to an event with a clear technical countdown, without a central authority. Quantum computers have not cracked any single Bitcoin yet, but the choices about it have already begun reshaping Bitcoin’s power structure in advance.
