Quantum-proofing Bitcoin$62,473.38 has finally reached the stage where the plan is simple: upgrade, or eventually lose the ability to spend your coins. Decentralization, but with deadlines, because of course.
Six Bitcoin$62,473.38 researchers, including Casa co-founder Jameson Lopp, published BIP-361 on April 15, proposing a formal migration away from legacy ECDSA and Schnorr signatures toward quantum-resistant alternatives. The draft builds on BIP-360, which introduced a post-quantum output type called Pay-to-Merkle-Root, or P2MR. The core idea is not just technical hardening. It is incentive design. BIP-361 tries to make quantum safety a private economic interest for holders, instead of a vague collective good that everyone agrees is important right up until they have to do something. [1]
Register for free and get unlimited access to all articles.
What BIP-361 actually proposes
The proposal lays out a three-phase migration path for Bitcoin. Its end state is blunt: unmigrated funds that still rely on legacy signatures would become unspendable after a transition period of roughly five years. [2]
That is the attention-grabber, and not by accident. Bitcoin has plenty of dormant coins, lost coins, and deeply inactive holders. A voluntary migration with no consequences would likely move too slowly to matter if the quantum threat becomes practical faster than expected. BIP-361's answer is to force action through wallet-level self-interest. Move funds into quantum-resistant outputs in time, or accept that the network may eventually stop honoring the old spending method.
This is a more aggressive posture than the industry's usual "we should probably think about this" approach. It also acknowledges a politically awkward fact: any serious quantum migration for Bitcoin will almost certainly involve trade-offs around old UTXOs, backwards compatibility, and who bears the cost of waiting.
Why the proposal exists now
The authors point to a measurable exposure problem. More than 34% of all BTC is currently held in addresses with public keys already exposed on-chain, according to the source reporting around the proposal. That matters because Bitcoin's classical signature schemes, ECDSA and Schnorr, depend on the practical difficulty of deriving a private key from a public key. A sufficiently capable quantum computer could, in theory, reverse that assumption. [3]
This is not a hypothetical limited to active traders or hot wallets. Some of the most famous untouched coins, including roughly 1 million BTC commonly attributed to Satoshi Nakamoto, sit in outputs that are considered exposed to this class of risk. [4]
The proposal also focuses on a less obvious danger: detection lag. A quantum-capable attacker would not necessarily announce themselves by smashing the glass in public. If they were economically motivated, they could quietly generate valid spends from vulnerable outputs and delay broadcasting transactions to avoid tipping off the market or the network. By the time "Q-Day" is obvious, the damage could already be underway.
BIP-361 is built on concerns that have been moving from theoretical to increasingly concrete. The reporting around the proposal cites a March 2026 Google Quantum AI paper suggesting that breaking elliptic curve cryptography may require fewer resources than earlier estimates assumed. That does not mean Bitcoin is about to be cracked tomorrow morning. It does mean the margin for complacency is getting thinner. [1]
Bitcoin is not uniformly exposed. Public keys are not always visible before spending, depending on address type and usage history. But once a public key has been revealed on-chain, the coin becomes a clearer target in a post-quantum attack model. That distinction matters because it means the risk is unevenly distributed across the UTXO set.
BIP-361 tries to solve this by giving the network a staged path to deprecate vulnerable spending methods. BIP-360's P2MR structure is the technical foundation, while BIP-361 provides the migration logic and the social coordination strategy. In plain English: one proposal creates the new rails, the other figures out how to get people onto them.
Why this is contentious
Rendering legacy funds unspendable is not a minor tweak. It cuts straight into one of Bitcoin's most sensitive norms: that valid coins remain valid, even if their owners are inactive, careless, or long gone.
Critics will likely frame BIP-361 as confiscatory by design, especially because many coins would not migrate for reasons unrelated to negligence. Some are probably lost forever. Others sit in old storage setups whose owners may not follow protocol politics or software changes closely. A hard sunset would effectively write those coins out of circulation.
Supporters, however, have a straightforward rebuttal. If quantum-capable attackers can seize exposed coins anyway, then preserving formal spendability under legacy rules may be a fiction. From that perspective, the choice is not between ideal continuity and forced migration. It is between managed disruption now and potentially chaotic theft later.
The incentive angle
The most interesting part of BIP-361 is not the cryptography. It is the economics. Bitcoin governance tends to stall when a proposal mostly benefits "the network" in the abstract. BIP-361 reframes migration as an individual asset-protection decision. Holders do not need to be convinced to save Bitcoin civilization. They need to be convinced not to leave their own UTXOs sitting in a danger zone.
That is a more realistic political theory. It also creates urgency in a system that usually resists deadlines unless miners, exchanges, wallet providers, and large custodians all feel direct pressure.
If BIP-361 gains traction, wallet infrastructure becomes the real battleground. Post-quantum migration only works if mainstream Bitcoin wallets, custodians, hardware devices, and exchanges support the new output standard cleanly and early. Otherwise, the proposal stays an academic warning label attached to software most users cannot practically access.
There is also a supply-side wrinkle. If a meaningful share of legacy coins ultimately becomes unspendable, Bitcoin's effective circulating supply could tighten. That would be a byproduct, not the purpose, but markets would notice. Any proposal that potentially locks away long-dormant BTC, including high-profile early-era holdings, will invite plenty of speculation and very little restraint.
The bigger challenge is social consensus. Technical proposals do not become Bitcoin policy because they are clever. They become policy because enough of the ecosystem accepts the cost of implementation. On that front, BIP-361 is entering a debate that is equal parts cryptography, property rights, and game theory. Easy room.
What to watch next
The next signal is whether BIP-361 advances from a provocative draft into a serious coordination effort among wallet developers, node operators, custodians, and mining stakeholders. Support for BIP-360's P2MR design matters too, since BIP-361 depends on a credible post-quantum destination, not just a threat model.
Watch for three pressure points. First, better estimates of quantum timelines, especially from major research labs. Second, ecosystem tooling that makes migration cheap and obvious for ordinary users. Third, the political reaction to the sunset clause, which is where this proposal will either gain urgency or hit a wall.
Bitcoin may well need a quantum migration plan. BIP-361's wager is that polite suggestions will not get it done. That part, at least, sounds uncomfortably plausible.
Your reviews help us improve the quality of both current and future articles. All reviews are public and visible to other readers. We use both ratings and comments to improve future articles and to revise any articles that do not meet our standards.
See more like this on Google
