Subscribe to the AlphaWire Newsletter
Bitcoin developers are advancing one of the most controversial and technically complex proposals in the network’s history: BIP-361, titled ‘Post-Quantum Migration and Legacy Signature Sunset.’
Led by Jameson Lopp with five co-authors, the proposal is not simply an incremental upgrade; it is an attempt to replace Bitcoin's cryptographic foundation before quantum computing renders the current signature schemes, and the security assumptions built on them, obsolete.
BIP 361: "Post Quantum Migration and Legacy Signature Sunset" has been published.
You can read it here: https://t.co/JIuMbitQQj pic.twitter.com/iH63XIWi6k
— Murch (@murchandamus) April 14, 2026
At stake is not just user funds, but the long-term credibility of Bitcoin as a secure, censorship-resistant monetary system.
The core problem: exposed public keys and quantum risk
Bitcoin today relies on elliptic curve cryptography over secp256k1 (ECDSA signatures and, since Taproot, Schnorr signatures), which is considered secure against classical computers but breakable by a sufficiently large, error-corrected quantum computer. Specifically, Shor's algorithm would let such a machine derive a private key from its public key. This matters because the public key is already on-chain for a large share of coins: early Pay-to-PubKey (P2PK) outputs carry the key in the output script itself; hash-based output types (P2PKH, P2SH, P2WPKH, P2WSH) reveal the key when the coins are spent, so every reused address is exposed; and Taproot (P2TR) outputs place the tweaked public key directly in the output.
Developers estimate that roughly 25% of the total Bitcoin supply may be vulnerable under this model (estimates vary with what is counted as exposed), meaning that if a cryptographically relevant quantum computer emerges, an attacker could sweep these funds.
The risk is not purely theoretical. Some researchers and institutions suggest that quantum systems capable of breaking current cryptography could emerge as early as the late 2020s, while others argue the timeline may stretch to decades. This uncertainty is precisely what makes the debate urgent: Bitcoin upgrades take years to coordinate, and moving coins takes on-chain time and fees, so mitigation must begin long before the threat materializes.
BIP-361 structure: forced migration by design
BIP-361 introduces a time-bound, multi-phase migration strategy that effectively forces the network to abandon legacy cryptography. The proposal builds on earlier work like BIP-360, which introduces quantum-resistant address formats such as P2QRH (Pay-to-Quantum-Resistant-Hash).
The transition unfolds in two primary enforcement phases:
- Phase A: Nodes would reject transactions that send funds to legacy, quantum-vulnerable address types. This creates a forward-only system where all new outputs must adopt quantum-resistant formats.
- Phase B: After a defined period, all legacy signature schemes become invalid at the consensus level. Any coins that remain in vulnerable addresses become permanently unspendable.
This structure is intentionally coercive. Rather than relying on voluntary migration, it creates a ‘deadline effect,’ where users, custodians, and institutions must upgrade or risk losing access to funds.
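The two ideas above, which outputs already expose a public key and how the Phase A / Phase B rules would treat a transaction, can be made concrete in code. The following is an added example written for this article, not code from BIP-361 or Bitcoin Core. The P2PK through P2TR script templates are the real ones; the P2QRH template (witness version 3 with a 32-byte program), the phase heights and the sample scripts are assumptions made for illustration, since the page does not give BIP-360's encoding.

```python
"""Added example: classify Bitcoin output scripts by whether they already
expose a public key to a Shor-capable attacker, then simulate the two
enforcement phases described above (Phase A: no new legacy outputs;
Phase B: legacy EC signatures stop validating, so unmoved coins freeze)."""

from dataclasses import dataclass

# Script opcodes used by the standard output templates.
OP_0, OP_1, OP_3 = 0x00, 0x51, 0x53
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


@dataclass(frozen=True)
class OutputClass:
    kind: str          # template name, e.g. "P2PK", "P2WPKH", "P2TR", "P2QRH"
    legacy: bool       # spendable only with an ECDSA/Schnorr signature
    key_exposed: bool  # the (possibly tweaked) public key sits in the output itself


def classify_script(spk: bytes) -> OutputClass:
    """Match a scriptPubKey against the standard templates.

    The P2PK..P2TR byte patterns are the real ones.  The P2QRH pattern
    (witness version 3, 32-byte program) is an ASSUMPTION for illustration;
    this page does not specify BIP-360's encoding.
    """
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG -- the key is in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return OutputClass("P2PK", legacy=True, key_exposed=True)
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -- only a hash
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return OutputClass("P2PKH", legacy=True, key_exposed=False)
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return OutputClass("P2SH", legacy=True, key_exposed=False)
    # Native segwit v0: OP_0 <20> (P2WPKH) or OP_0 <32> (P2WSH)
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return OutputClass("P2WPKH", legacy=True, key_exposed=False)
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return OutputClass("P2WSH", legacy=True, key_exposed=False)
    # Taproot: OP_1 <32-byte x-only output key> -- the tweaked key IS the output
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return OutputClass("P2TR", legacy=True, key_exposed=True)
    # Assumed P2QRH: OP_3 <32-byte hash of a post-quantum key>
    if n == 34 and spk[:2] == bytes([OP_3, 32]):
        return OutputClass("P2QRH", legacy=False, key_exposed=False)
    # Anything else is treated conservatively as a legacy (EC-only) script.
    return OutputClass("UNKNOWN", legacy=True, key_exposed=False)


def key_exposed_on_chain(cls: OutputClass, address_spent_from_before: bool) -> bool:
    """True if a Shor-capable attacker can already read the public key:
    P2PK/P2TR carry it in the output; hash-based legacy outputs reveal it
    in the scriptSig/witness the first time that address is spent from,
    which is why address reuse widens the exposed set."""
    return cls.key_exposed or (cls.legacy and address_spent_from_before)


def validate_tx(height: int, input_scripts, output_scripts,
                phase_a_height: int, phase_b_height: int):
    """Staged consensus rule as a pure function: returns (accepted, reason)."""
    if height >= phase_b_height:
        for spk in input_scripts:
            c = classify_script(spk)
            if c.legacy:
                return False, f"Phase B: EC signature spending {c.kind} input is invalid"
    if height >= phase_a_height:
        for spk in output_scripts:
            c = classify_script(spk)
            if c.legacy:
                return False, f"Phase A: new {c.kind} output is rejected"
    return True, "ok"


# Constructed sample scripts (the pubkey is secp256k1's generator point,
# the hashes are zero-filled placeholders).
G_COMPRESSED = bytes.fromhex(
    "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
SAMPLES = {
    "p2pk":   bytes([33]) + G_COMPRESSED + bytes([OP_CHECKSIG]),
    "p2pkh":  bytes([OP_DUP, OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2wpkh": bytes([OP_0, 20]) + bytes(20),
    "p2tr":   bytes([OP_1, 32]) + bytes(32),
    "p2qrh":  bytes([OP_3, 32]) + bytes(32),
}

if __name__ == "__main__":
    for name, spk in SAMPLES.items():
        c = classify_script(spk)
        print(f"{name:7s} {c.kind:7s} legacy={c.legacy!s:5s} "
              f"exposed_now={key_exposed_on_chain(c, False)} "
              f"exposed_if_reused={key_exposed_on_chain(c, True)}")
    A, B = 500_000, 600_000   # assumed phase heights
    print(validate_tx(A - 1, [SAMPLES["p2wpkh"]], [SAMPLES["p2wpkh"]], A, B))
    print(validate_tx(A, [SAMPLES["p2wpkh"]], [SAMPLES["p2wpkh"]], A, B))
    print(validate_tx(A, [SAMPLES["p2wpkh"]], [SAMPLES["p2qrh"]], A, B))
    print(validate_tx(B, [SAMPLES["p2wpkh"]], [SAMPLES["p2qrh"]], A, B))
```

Two things the table of types makes visible that the prose glosses over: a Taproot output is exposed from the moment it is created, not only once spent, and any hash-based address that has ever been spent from is in the same position. Between Phase A and Phase B the only accepted transaction shape is "legacy in, P2QRH out", which is exactly the migration window the proposal intends to force.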
Economic and game-theoretic rationale
From a game theory perspective, the proposal attempts to eliminate what developers see as a dangerous asymmetry: if quantum attackers can exploit vulnerable coins, they gain disproportionately, while the rest of the network absorbs systemic damage.
Lopp has previously argued that allowing quantum theft, even if recoverable, would dilute trust and undermine Bitcoin’s monetary integrity. The logic behind freezing or effectively burning unmigrated coins is to make the failure mode non-exploitable.
This aligns incentives across the network. If vulnerable coins cannot be stolen, attackers lose the primary economic motivation to develop or deploy quantum attacks against Bitcoin. As some analyses put it, the goal is to make the system ‘fail safely’ rather than catastrophically.
Implications: Satoshi-era coins and supply shock
One of the most controversial implications is that unmigrated coins, including those attributed to Satoshi Nakamoto, could be permanently frozen. Estimates suggest around 1.1 million BTC in early addresses fall into this category.
This has profound monetary implications. If a significant portion of Bitcoin’s supply becomes unspendable, it effectively reduces circulating supply, potentially altering scarcity dynamics. However, critics argue this is indistinguishable from confiscation at the protocol level, raising philosophical questions about property rights in Bitcoin.
Technical trade-offs: scalability and cost
Beyond ideology, the proposal introduces serious technical challenges. Post-quantum signature schemes such as SPHINCS+ or FALCON produce far larger signatures than today's 64-byte Schnorr or roughly 71-byte ECDSA signatures: a FALCON-512 signature is 666 bytes and a SPHINCS+-128s signature 7,856 bytes, roughly 10x and over 100x larger depending on the scheme. Because a hash-based output commits only to a hash of the key, the spender's public key (897 bytes for FALCON-512) must also be carried in the spend.
This has cascading effects:
- Larger transaction sizes increase fees
- Reduced throughput due to block space constraints
- Potential pressure on node storage and bandwidth
In effect, migrating to quantum-resistant cryptography could fundamentally change Bitcoin’s fee market and usability, especially for smaller transactions. Critics argue that this trade-off may undermine Bitcoin’s efficiency long before quantum computers pose a real threat.
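To put numbers on the fee and throughput effects listed above, here is an added worked estimate (not from the proposal or any client implementation). It applies the segwit weight rule (non-witness bytes count four times, witness bytes once) to a constructed 1-input, 1-output transaction skeleton. The FALCON-512 and SPHINCS+-SHA2-128s sizes are the published parameter-set sizes; the assumption that a post-quantum output is a 34-byte witness program like P2TR, and the choice of the small "s" SPHINCS+ variant, are mine.

```python
"""Added example: a worked estimate of what larger post-quantum signatures do
to transaction weight, fee cost and per-block throughput, using the segwit
weight rule (non-witness bytes x4 + witness bytes) and a constructed
1-input, 1-output transaction skeleton."""

import math

MAX_BLOCK_WEIGHT = 4_000_000  # consensus block weight limit (BIP 141)

# Published parameter-set sizes in bytes: (signature, public key that must
# travel in the witness).  For a Taproot key-path spend the 32-byte key is
# already in the output, so nothing extra is pushed.
SCHEMES = {
    "Schnorr/secp256k1 (P2TR key path)": (64, 0),
    "FALCON-512": (666, 897),
    "SPHINCS+-SHA2-128s": (7856, 32),
}

# Constructed 1-in/1-out skeleton, non-witness part: version 4, input count 1,
# input 41 (outpoint 36 + empty scriptSig 1 + sequence 4), output count 1,
# output 43 (value 8 + length byte + 34-byte witness program), locktime 4.
# Assumption: the post-quantum output is also a 34-byte witness program.
BASE_NONWITNESS_BYTES = 4 + 1 + 41 + 1 + 43 + 4   # = 94


def compact_size_len(n: int) -> int:
    """Bytes needed to encode n as Bitcoin's CompactSize varint."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def witness_bytes(item_sizes) -> int:
    """Serialized witness: marker+flag (2) + item count + each item's prefix and body."""
    return 2 + compact_size_len(len(item_sizes)) + sum(compact_size_len(s) + s for s in item_sizes)


def tx_weight(sig_bytes: int, pk_bytes: int) -> int:
    """Weight units for the skeleton with one signature (and key, if needed) in the witness."""
    items = [sig_bytes] + ([pk_bytes] if pk_bytes else [])
    return BASE_NONWITNESS_BYTES * 4 + witness_bytes(items)


def vbytes(weight: int) -> int:
    """Virtual size, the unit fee rates are quoted in (sat/vB)."""
    return math.ceil(weight / 4)


def txs_per_block(weight: int) -> int:
    """How many such transactions fit in one full block."""
    return MAX_BLOCK_WEIGHT // weight


def compare() -> dict:
    """Per-scheme weight, virtual size, fee multiplier vs. Schnorr, and block capacity."""
    baseline = tx_weight(*SCHEMES["Schnorr/secp256k1 (P2TR key path)"])
    rows = {}
    for name, (sig, pk) in SCHEMES.items():
        w = tx_weight(sig, pk)
        rows[name] = {
            "sig_size_ratio": sig / 64,
            "weight": w,
            "vbytes": vbytes(w),
            "fee_multiplier": round(w / baseline, 2),
            "txs_per_block": txs_per_block(w),
        }
    return rows


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:36s} sig x{r['sig_size_ratio']:6.1f}  {r['weight']:5d} WU  "
              f"{r['vbytes']:4d} vB  fee x{r['fee_multiplier']:5.2f}  "
              f"{r['txs_per_block']:5d} tx/block")
```

The witness discount softens the raw signature-size ratio considerably: a FALCON-512 spend is about 4.4x the fee of a Schnorr key-path spend and a SPHINCS+-128s spend about 18.6x, even though the signatures themselves are roughly 10x and 123x larger. The capacity effect is still severe, from about 9,000 such transactions per block down to about 2,000 or fewer than 500, which is the "reduced throughput" cost the bullets above describe.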
Expert divide: urgency vs. overreaction
The debate is less about whether quantum computing threatens Bitcoin and more about when. Some researchers point to advances from Google suggesting that future systems could break a key far faster than previously expected (the widely circulated figure is 9 minutes, inside the roughly ten-minute block interval), strengthening the case for early action.
Google says a quantum computer could crack your bitcoin private key in 9 minutes.
That's within a single block confirmation window. 41% chance an attacker beats your tx.
But the scarier part: 6.9 million BTC (one-third of supply) already have public keys exposed on-chain.…
— Whale Factor (@WhaleFactor) April 5, 2026
On the other side, Grayscale views quantum risk as long-term rather than an immediate market concern, and Michael Saylor has dismissed near-term fears as overstated. The damage models are nonetheless stark: reports referenced by firms like Deloitte indicate that a successful quantum attack would cause system-wide economic disruption, not just isolated theft, and some market analysts argue that if no action is taken, as much as 20–30% of Bitcoin supply could be dumped by attackers, triggering severe price instability.
This divide creates a dilemma: act early and bear costs, or delay and risk large-scale exposure if quantum capabilities arrive sooner than expected.
Coordination risk and adoption barriers
Even if the proposal is technically sound, implementation faces a major hurdle: social consensus. Bitcoin upgrades require widespread agreement among developers, miners, exchanges, wallet providers, and users.
History shows that contentious upgrades, such as the block size wars, can lead to chain splits. Given the stakes involved in BIP-361, some analysts consider it likely that the community fails to reach consensus at all.
If that happens, Bitcoin could face a fragmented response:
- Some nodes enforcing quantum-resistant rules
- Others maintaining legacy compatibility
- Potential network splits or inconsistent security guarantees
The bigger picture: Bitcoin’s long-term adaptability
BIP-361 ultimately forces a broader question: Can Bitcoin remain static in a world of rapidly advancing computation?
The proposal reframes Bitcoin not just as a financial system, but as a long-lived protocol that must anticipate technological shifts decades in advance. Unlike traditional software, Bitcoin cannot easily patch vulnerabilities after they are exploited, especially if those vulnerabilities affect ownership itself.
In that sense, BIP-361 is less about quantum computing specifically and more about how Bitcoin handles existential risks. It introduces a model where security upgrades are proactive, enforced, and economically incentivized, rather than reactive and optional.
