bip bip-360 bip-361 bip-39 consensus quantum-computing security soft-fork

BIP361: Bitcoin's Post-Quantum Sunset Plan Goes Official

bitcoinindex.net · · 8 min read
BIP361: Bitcoin's Post-Quantum Sunset Plan Goes Official

Bitcoin just took its first formal step toward a post-quantum future, and it’s more aggressive than you might expect.

On February 11, 2026, BIP361 was officially assigned its number in the Bitcoin Improvement Proposals repository. The proposal, titled “Post Quantum Migration and Legacy Signature Sunset,” does exactly what the name suggests: it would force Bitcoin to migrate away from ECDSA and Schnorr signatures, then shut those signature schemes down entirely after a hard deadline.

If you don’t migrate in time, your coins become permanently unspendable. No exceptions. No appeals. Just gone.

This is the most contentious Bitcoin upgrade proposal in years, and it raises a question the community has been avoiding: is breaking Bitcoin’s immutability ethos less dangerous than letting quantum computers break Bitcoin itself?

What BIP361 actually does

BIP361 is a three-phase plan co-authored by Jameson Lopp (Casa CSO), Christian Papathanasiou (BitcoinQS founder), and four others. It builds on top of BIP360, which introduces Pay-to-Quantum-Resistant-Hash (P2QRH) addresses that can support post-quantum signature schemes like FALCON-512 or SPHINCS+.

Here’s how the migration would work.

Phase A: Ban new quantum-vulnerable addresses

Three years after BIP360 activates, Bitcoin stops accepting new sends to legacy address types (anything using ECDSA or Schnorr signatures). You can still spend from old addresses, but you can only send to P2QRH addresses.

This makes quantum-vulnerable addresses “send-only.” It forces every wallet, exchange, and custodian to upgrade their address infrastructure. No choice. Upgrade or become incompatible.

Phase B: The sunset

About five years after Phase A (roughly eight years from BIP360 activation), ECDSA and Schnorr signatures become consensus-invalid. At a predetermined block height, nodes will reject any transaction attempting to spend from quantum-vulnerable UTXOs.

All un-migrated coins freeze. Permanently.

This is the part that has people screaming.

Phase C: Maybe a recovery mechanism

Phase C is speculative. The idea is to allow users to prove ownership of frozen UTXOs using zero-knowledge proofs of their BIP-39 seed phrase. If you can prove you have the seed, you can recover the coins even after Phase B.

But here’s the problem: this cryptographic construction doesn’t exist yet. It’s a research goal, not a solution. And even if it did exist, it wouldn’t help Satoshi’s coins or any other pre-BIP39 outputs. Those would be permanently frozen if not migrated.

Without Phase C, Phase B is just coin burning with a countdown timer.

Why this exists: the quantum threat is accelerating

The authors argue that voluntary migration will fail. Bitcoin moves slowly. Segwit took years to reach meaningful adoption. Taproot is still incomplete. If the community waits until quantum computers are actually breaking signatures, it will be too late to coordinate a response.

And the timeline is compressing faster than most people realize.

NIST ratified three production-grade post-quantum signature schemes in 2024. Academic roadmaps now estimate cryptographically-relevant quantum computers (CRQCs) as early as 2027-2030, according to McKinsey. Caltech’s president publicly stated he expects fault-tolerant quantum systems within 5-7 years.

Even more concerning: quantum algorithms are improving up to 20x faster than hardware, according to Google’s Security Blog. That means the barrier to breaking ECDSA is dropping faster than raw qubit counts suggest.

About 25% of all bitcoin sits in addresses with exposed public keys (mostly P2PK outputs and reused addresses). If a quantum computer can derive private keys from public keys, those coins can be stolen. That includes an estimated 1 million BTC from Satoshi, sitting in early P2PK outputs.

The nightmare scenario, as outlined in the BIP rationale:

“We may not know the attack is underway. Quantum attackers could compute the private key for known public keys then transfer all funds weeks or months later, in a covert bleed to not alert chain watchers.”

An attacker could silently derive private keys offline, then coordinate a massive sweep months later. By the time anyone notices, it’s too late.

BIP361’s answer: turn quantum security into a private incentive. Don’t migrate and you will lose your coins. Not maybe. Certainly.

The controversy: freezing coins is unprecedented

Bitcoin has never invalidated previously-valid UTXOs. Ever. The entire value proposition rests on immutability. Your keys, your coins. Not “your keys, your coins, unless the network decides otherwise.”

BitcoinTalk user “d5000” put it bluntly in July 2025:

“100% NACK from my part. I welcome the addition of post-quantum schemes as soon as there’s a battle tested and future-proof option available. But it does not make sense to make the usage of PQ cryptography mandatory.”

The philosophical resistance is fierce. Some users argue that quantum theft of old coins is economically equivalent to “mining” them. Once stolen and sold, the threat is gone. Setting a precedent for freezing UTXOs, they say, is more dangerous than the theft itself.

Others point out the cold storage problem. Imagine a relative dies. The heirs know the coins exist but can’t access the cold wallet in time. The coins freeze. Inheritance becomes a race against a block-height deadline.

And then there’s the problem of physical Bitcoin collectibles like Casascius coins. Many are still sealed, their private keys never exposed. Peeling them destroys their collector value. Under BIP361, they’d become unspendable unless peeled before Phase B. A cultural artifact, destroyed by consensus rule.

Jameson Lopp’s position is uncompromising. In his essay “Against Allowing Quantum Recovery of Bitcoin,” he argues:

“Quantum recovered coins only make everyone else’s coins worth less. Think of it as a theft from everyone.”

He frames quantum-stolen bitcoin not as “lost coins” (which Satoshi famously called “a donation to everyone”), but as inflation. Coins that should be gone, re-entering circulation and diluting everyone’s holdings.

His analogy:

“Wouldn’t quantum ‘miners’ have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings.”

I respect Lopp’s clarity here. But I’m not convinced freezing coins is less harmful than theft. Bitcoin’s social contract has always been “code is law.” Changing the rules to invalidate old outputs breaks that contract in a way theft doesn’t.

How urgent is this, really?

Experts disagree sharply on the timeline.

Ethan Heilman, co-author of BIP360, told Decrypt:

“There’s no good, concrete way of actually predicting it on a timescale of more than one or two or three years out. I would be really surprised if it happens within the next five years.”

Jameson Lopp, in the same interview, estimates the timeline differently. He notes we’re still several orders of magnitude away from a cryptographically-relevant quantum computer, and if innovation continues at its current linear rate, it could take over a decade or even several decades to reach that point.

But Lopp warns the real danger is ossification:

“It’s the nature of network protocols to ossify over time. What it really means is that it becomes harder and harder to reach consensus in a decentralized network made up of many different nodes.”

This is where I think Lopp is exactly right. The technical threat might be a decade away. The coordination threat is here now.

Bitcoin’s governance is famously conservative. That’s a feature when resisting bad ideas. It’s a bug when facing existential risks. If the community waits for an active attack before coordinating a response, it may never coordinate at all.

The technical challenges are brutal

Even if the community agreed to migrate, the technical hurdles are severe.

Post-quantum signatures are enormous. SPHINCS+-128s signatures are 7,856 bytes, compared to 48 bytes for ECDSA. That’s 164 times larger. Even the more efficient FALCON-512 is 690 bytes, a 15x increase.

Transaction fees are calculated by size. A 15x size increase means a 15x fee increase. Bitcoin’s throughput could drop from roughly 7 transactions per second to less than 1 TPS with SPHINCS+. Small-value transactions might become economically unfeasible.

This might require increasing the block weight limit, which is its own political nightmare. The block size wars were brutal. Reopening that debate in the context of a quantum migration could fracture the network.

And then there’s the coordination problem. The BIP estimates a minimum of 76 days of continuous processing time for a network-wide upgrade under optimal conditions. That assumes perfect coordination, no delays, no philosophical objections, no contentious forks.

Segwit and Taproot both took years. This would be mandatory with a hard deadline.

Will this actually happen?

I don’t think BIP361 will activate as written.

Phase A (banning new vulnerable outputs) might pass. It’s less controversial, doesn’t destroy coins, and only forces infrastructure upgrades. The ecosystem can adapt.

Phase B (freezing old outputs) is a different beast. The Bitcoin community has never forced a consensus change that destroys previously-valid UTXOs. The philosophical resistance is too strong. The precedent is too dangerous.

My guess: we’ll see a watered-down version. Phase A passes. Migration to P2QRH addresses happens voluntarily. And if quantum computers actually arrive and start sweeping coins, then an emergency version of Phase B gets fast-tracked.

But by then, coordination may be impossible. Possibly leading to a chain split. Quantum-resistant Bitcoin versus legacy Bitcoin, both claiming to be the “real” Bitcoin.

Or maybe the quantum threat never materializes. Physical limits prevent quantum computers from scaling. Classical cryptography develops countermeasures. Bitcoin’s hash-based addresses (where the public key is never exposed) provide enough protection. And this entire debate becomes a footnote.

But if Lopp is right about ossification, the inability to act preventatively is more dangerous than the quantum threat itself. Bitcoin’s greatest strength (resistance to change) could become its fatal weakness.

What happens next

BIP361’s pull request remains open and active, with commits as recent as March 2, 2026. BIP360 (the prerequisite for quantum-resistant addresses) was merged into the BIPs repository on the same day BIP361 got its number.

No Core implementation exists yet. This is still at the specification stage. Actual activation is years away at minimum.

The community discussion is fierce, technical, and unresolved. This is a stress test of Bitcoin’s governance model. Can a decentralized network coordinate preventative action against a long-term existential threat? Or does it require an active crisis to overcome inertia?

I genuinely don’t know the answer. But I know this: doing nothing is a choice too. And it might be the most dangerous one.

Sources: BIP361 Pull Request, BIP361 Official Website, BIP360: Pay-to-Merkle-Root, Jameson Lopp: “Against Allowing Quantum Recovery of Bitcoin”, BitcoinTalk Discussion Thread, Decrypt: “Bitcoin Takes Step Towards Quantum Fix as Experts Diverge on Urgency of Threat”, Cointelegraph: “Bitcoin Proposal to Retire Legacy Signatures Against Quantum Threats”, Google Security Blog: Quantum Algorithm Cost Tracking, McKinsey: Quantum Computing Timeline Estimates. Data/status as of March 3, 2026.