BIP-361 has turned a technical Bitcoin security problem into a philosophical test. The proposal, formally called Post Quantum Migration and Legacy Signature Sunset, would create a public timeline for moving coins away from legacy ECDSA and Schnorr signature paths before quantum-capable attackers can exploit exposed public keys.
The idea is simple to describe and hard to accept. If Bitcoin eventually adds a post-quantum output type, BIP-361 would push users toward it. After a long migration window, some old signature spends would stop being valid. Coins left in vulnerable outputs could become unspendable under upgraded rules.
That is why the debate is so heated. Supporters see a defensive plan against a future quantum theft event. Critics see a dangerous precedent that could freeze coins belonging to users who are offline, unaware, dead, imprisoned, or simply unwilling to move. This guide explains what the draft proposes, why it exists, and what holders should watch next.
This article is based on the public BIP-361 proposal site and the related Bitcoin BIPs discussion on GitHub. For teams thinking about cryptographic risk, governance, and high-trust infrastructure, the same planning mindset also connects to AI strategy, DevOps services, business process automation, and technical risk reviews.
| Question | Practical answer |
|---|---|
| What is it? | A draft Bitcoin proposal for post-quantum migration and legacy signature sunset |
| Is it active? | No. It is a draft and would need broad technical and social consensus |
| What risk is targeted? | Quantum theft from outputs with exposed public keys |
| What is most controversial? | Freezing legacy UTXOs that do not migrate before the deadline |
| Who should watch it? | Wallet teams, exchanges, custodians, miners, long-term holders, and security researchers |
What BIP-361 proposes for Bitcoin
BIP-361 proposes a scheduled retirement of Bitcoin’s legacy signature paths after the network has a viable post-quantum output type. In plain language, it says the ecosystem should not wait until a cryptographically relevant quantum computer appears before deciding how to handle exposed public keys.
Bitcoin currently relies on classical digital signatures. ECDSA secures older spending paths, while Schnorr signatures power Taproot-era behaviour. These systems are strong against normal computers, but large enough quantum computers running Shor’s algorithm could eventually derive private keys from exposed public keys.
The proposal does not claim that quantum attackers can do this today. The draft is about coordination time. Wallets, exchanges, custodians, miners, explorers, hardware wallets, and long-term holders may need years to support a safer address format and migrate balances.
That makes the plan different from a routine wallet recommendation. It would turn migration from advice into a protocol-level deadline. After the deadline, spending with vulnerable signature types would no longer be accepted by upgraded nodes.
The headline risk is obvious: a dormant holder who does not migrate could lose spendability. The counter-risk is also obvious: if nobody acts, an attacker with the first practical quantum capability could target vulnerable coins and damage confidence in the entire network.
Why old Bitcoin can become quantum-vulnerable
BIP-361 focuses on coins whose public keys are already visible on-chain or can become visible during spending. Early Pay-to-Public-Key outputs are the clearest example because they placed public keys directly in the blockchain. Some of the oldest coins, including coins widely attributed to Satoshi Nakamoto, are often discussed in this category.
Modern Bitcoin address habits reduced some exposure by hiding public keys behind hashes until spending. But that protection can weaken when addresses are reused, when outputs have already been spent from, or when script paths expose keys. Once the public key is known, the quantum threat model changes.
The BIP-361 authors argue that this is not merely about protecting individual dormant wallets. If a large amount of old Bitcoin became suddenly spendable by a quantum-capable attacker, the market could face a severe trust shock. The attacker might steal quietly, wait to broadcast transactions, or move coins in a way designed to destabilize confidence.
Public estimates vary, but the discussion often cites roughly 1.7 million BTC in early P2PK outputs and a much larger share of supply with some form of public-key exposure. Exact numbers matter less than the design problem: a decentralized network cannot easily call a meeting during an emergency and coordinate everyone overnight.
That is why the proposal tries to create certainty before the crisis. It says the network should define a migration window, make the consequences public, and remove the incentive for quantum attackers to race toward dormant vulnerable coins.
How the BIP-361 phases would work
BIP-361 is structured around phases. The first major phase would stop new funds from being sent to quantum-vulnerable legacy address types after a delay. The proposal describes this as Phase A, roughly 160,000 blocks, or about three years, after activation.
That first step is meant to reduce future exposure. Users could still move funds out of old scripts, but the network would stop encouraging fresh deposits into vulnerable destinations. Wallets and services would have a clear reason to support post-quantum formats before the deadline.
Phase B is the major flashpoint. Roughly two years after Phase A, old ECDSA and Schnorr spend paths would be invalid under upgraded consensus rules. At that point, coins that had not moved to safer formats could become frozen.
Phase C is less defined. The proposal leaves room for a future recovery mechanism, possibly using zero-knowledge proofs to show control of an HD wallet seed phrase without exposing the secret itself. That idea is still research-heavy and may not cover all early coins, especially outputs created before modern seed standards.
The timeline is therefore best understood as a pressure mechanism. It creates a known window for migration, then raises the cost of doing nothing. Whether Bitcoin users would accept that pressure is the heart of the current debate.
Why supporters call BIP-361 defensive
Supporters of BIP-361 argue that doing nothing is also a choice. If vulnerable outputs remain spendable forever, the first actor with sufficient quantum capability may get an enormous advantage. That actor might be a company, state, criminal group, intelligence service, or unknown lab.
The defensive argument is that freezing vulnerable coins is less damaging than letting them be stolen. Lost coins reduce circulating supply. Quantum-stolen coins could enter circulation suddenly, fund attackers, shake confidence, and create a perception that Bitcoin’s security model failed.
The proposal also tries to align incentives. Active holders who value access would move to safer outputs. Wallets would integrate new formats. Exchanges and custodians would update infrastructure. Miners and node operators would have years of notice before old spend paths retire.
From a governance perspective, the proposal is a forcing function. It pushes the network to decide whether quantum risk is a future emergency or a manageable migration project. If the answer is migration, waiting until Q-Day is the worst possible schedule.
This is also where technical operations matter. Large custodians and exchanges cannot migrate critical systems with a blog post and a weekend patch. They need testing, staged rollout, customer communications, incident plans, and production controls similar to mature DevOps programs.
Why critics see a dangerous precedent
BIP-361 critics focus on property rights, neutrality, and precedent. Bitcoin’s strongest social promise is that valid coins remain spendable by whoever controls the keys. If the network deliberately makes old coins unspendable, even for a security reason, critics argue that the promise changes.
The human edge cases are real. Some owners may be offline for years. Some may use old cold storage that cannot be moved quickly. Some may have died and left inheritance instructions. Some may be in jurisdictions where moving funds creates legal risk. Some may never see the warning.
Critics also worry about line-drawing. If coins can be frozen for quantum risk, could future developers propose freezes for sanctions, theft recovery, lost keys, regulatory pressure, or controversial ownership claims? BIP-361 supporters reject that comparison, but the precedent concern is why the debate is so emotional.
There is also technical uncertainty. Post-quantum signatures are larger, newer, and still evolving. A bad migration choice could create new risks while trying to solve an old one. Bitcoin has a conservative development culture because rushed consensus changes can be worse than slow ones.
The most reasonable criticism is not that quantum risk is fake. The reasonable criticism is that the cure may alter Bitcoin’s social contract. Any serious BIP-361 review must weigh both risks honestly instead of treating dissent as ignorance.
What wallets, exchanges, and holders should do
BIP-361 is not active law for Bitcoin. Holders do not need to panic. But the proposal is a useful warning that key exposure, address reuse, and old storage practices deserve renewed attention.
For individual users, the safest habit is already familiar: avoid address reuse, keep wallet software current, maintain recoverable backups, and understand what kind of addresses hold your funds. If coins are in very old outputs and you can move them safely, review the tradeoff before waiting another decade.
For exchanges and custodians, the work is larger. They should inventory address types, identify public-key exposure, model migration costs, test post-quantum wallet support when standards mature, and prepare customer communications long before any deadline exists.
Wallet vendors should treat the draft as a requirements signal. Even if the draft changes or fails, users will need clearer visibility into address risk. Wallets that can label legacy exposure, warn against reuse, and guide safe migration will be better prepared for any post-quantum future.
For organisations, the lesson fits broader business process automation and risk governance. Critical cryptographic transitions are not only code changes. They are inventory, communication, policy, testing, rollback, audit, and user education projects.
BIP-361 FAQ
Is BIP-361 already part of Bitcoin?
No. BIP-361 is a draft proposal. It would need deep review, implementation work, ecosystem support, miner and node adoption, and broad social consensus before anything like its timeline could matter on mainnet.
Would BIP-361 confiscate Bitcoin?
Supporters say no because the protocol would not transfer coins to another party. Critics argue that making valid legacy spends impossible is confiscatory in effect. The disagreement is central to the debate.
What coins are most exposed to quantum risk?
Coins in early P2PK outputs are the most discussed because their public keys are visible on-chain. Reused addresses and already-spent outputs can also expose public keys, which matters if sufficiently powerful quantum computers arrive.
Does BIP-361 depend on BIP-360?
BIP-361 assumes Bitcoin has some post-quantum output type available first. BIP-360 is one related proposal, but the legacy signature sunset idea depends on a credible post-quantum migration destination, not only on a headline.
What should long-term holders do now?
Long-term holders should avoid address reuse, understand whether their public keys are exposed, keep backups safe, and follow wallet guidance. If a holder controls very old coins, moving them requires careful security planning rather than impulsive action.
BIP-361 may never activate in its current form. It may be revised, rejected, replaced, or absorbed into a different post-quantum roadmap. But it has already forced Bitcoin to confront a hard question: is the bigger risk leaving old coins vulnerable, or changing the rules to protect the network from a future quantum exploit?
The responsible answer is not panic. It is disciplined review. If your organisation needs help mapping cryptographic migration risk, governance decisions, and technical rollout planning, contact Progressive Robot to turn abstract security debate into a practical readiness plan.
