Bitcoin's Quantum Security Plan

What Is BIP-361? Bitcoin's Plan to Survive the Quantum Computer Era

Andrew Kamsky


Quick summary

  • BIP-361 proposes a three-phase migration to quantum-resistant cryptography before quantum computers mature

  • Phase A gives about three years to move coins from old addresses to quantum-safe ones

  • Phase B freezes remaining legacy-address coins, with Phase C aiming to recover some via seed proofs

  • BIP-361 pairs with BIP-360’s Dilithium-based infrastructure and faces governance, hard-fork, immutability debates

BIP-361 is a formal Bitcoin Improvement Proposal that lays out a structured, three-phase plan for migrating Bitcoin away from cryptography that quantum computers could eventually break, before they actually break it.

It is a protocol-level decision that will affect every Bitcoin holder, and one worth understanding now while the timeline is still measured in years.

Why Quantum Computers Threaten Bitcoin

Bitcoin's security rests on a type of math called elliptic curve cryptography (ECC). Three things have to hold for Bitcoin to remain secure:

  • Digital signature: When a transaction is sent, a wallet produces a signature using the private key

  • Network verification: The network confirms that signature using the public key

  • One-way protection: No one can work backwards from a public key to derive the private key.

As long as all three points hold, the coins stay safe.

Classical computers cannot reverse a public key into its private key in any practical timeframe. Quantum computers running Shor's algorithm, however, could, and academic roadmaps now place cryptographically relevant machines arriving between 2027 and 2030, with recent algorithmic advances potentially compressing that window by up to 20×.

Report outlining Quantum Threat Timeline: Page 18 McKinsey Company

Bitcoin Addresses That Have Already Sent Funds Are Vulnerable

Bitcoin addresses that have already sent a transaction have their public key permanently recorded on the blockchain. 

Once that public key is visible, a sufficiently powerful quantum computer could derive the private key and access the funds. As of early 2026, 34% of Bitcoin's entire UTXO set contains addresses with exposed public keys. At current prices, hundreds of thousands of BTC sit in that category.

What BIP-361 Actually Is

BIP-361, formally titled "Post-Quantum Migration and Legacy Signature Sunset," was authored by Jameson Lopp, Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers. It was published as an informational draft on February 11, 2026. It is not a panic response; it is a structured migration plan designed to convert a future emergency into a managed process.

BIP361 - Post Quantum Migration and Legacy Signature Sunset

BIP-361 follows a similar proposal pattern with one distinction: the threat it is responding to is a class of computing that did not exist when Bitcoin launched.

Bitcoin's Three-Phase Quantum Migration Plan: What Holders Need to Know

Phase A: The Migration Window — why new addresses matter immediately

If BIP-361 activates, then roughly three years after activation the network stops accepting Bitcoin sent to old-style addresses. Any Bitcoin moved to a quantum-resistant address during this window is no longer at risk. Holders who act here are done; they have nothing further to worry about.

The 160,000-block window, approximately three years at Bitcoin's average ten-minute block time, is deliberate. Bitcoin upgrades historically take time to coordinate across wallets, exchanges, and hardware, and the proposal is designed to give the ecosystem a realistic runway to move.

Phase B: The Signature Sunset — what happens to coins left behind

Two years after Phase A ends, at a pre-announced block height, nodes will reject any transaction attempting to spend from a legacy ECDSA or Schnorr address. Coins in quantum-vulnerable addresses at that point become frozen.

The implication is direct: coins that have not been moved to quantum-resistant addresses by the sunset will be inaccessible until their owners can prove ownership through quantum-safe cryptographic methods. For holders who lost seed phrases, or for long-dormant wallets, recovery becomes uncertain.

Coins attributed to Satoshi Nakamoto, estimated at roughly 1.1 million BTC across thousands of addresses, fall into this category. Given Satoshi's absence from the ecosystem, those coins would almost certainly remain frozen.

Supporters of Phase B argue this is the only way to eliminate the attack surface. A quantum attacker targeting Bitcoin would not announce itself; it would drain vulnerable addresses silently, gradually, over time. The sunset converts that threat from covert theft into a permanently closed door.
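The two gates described above, as an added example that is not code from the article or from the BIP: a simplified model that decides whether a transaction would be accepted at a given height. The two-year delay expressed in blocks, the `LEGACY`/`PQ` labels and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

PHASE_A_BLOCKS = 160_000              # from the article: about three years
BLOCKS_PER_YEAR = 144 * 365           # assumption: one block per 10 minutes
PHASE_B_DELAY = 2 * BLOCKS_PER_YEAR   # assumption: "two years" counted in blocks

LEGACY, PQ = "legacy", "pq"           # hypothetical labels for output types


@dataclass
class Tx:
    input_types: list    # type of each output being spent
    output_types: list   # type of each output being created


def gates(activation_height):
    """Heights at which legacy receives close and legacy spends are frozen."""
    receive_closed = activation_height + PHASE_A_BLOCKS
    return receive_closed, receive_closed + PHASE_B_DELAY


def phase_at(height, activation_height):
    receive_closed, sunset = gates(activation_height)
    if height < activation_height:
        return "pre_activation"
    if height < receive_closed:
        return "migration_window"
    if height < sunset:
        return "legacy_receive_closed"
    return "signature_sunset"


def check_tx(tx, height, activation_height):
    """Return (accepted, reason) under the two gates described above."""
    phase = phase_at(height, activation_height)
    if phase in ("legacy_receive_closed", "signature_sunset") and LEGACY in tx.output_types:
        return False, "output pays a legacy address"
    if phase == "signature_sunset" and LEGACY in tx.input_types:
        return False, "input spends a frozen legacy output"
    return True, "ok"


def blocks_to_years(blocks):
    return blocks * 10 / (60 * 24 * 365)
```

Between the two gates a legacy-to-quantum-resistant migration still passes `check_tx`; only after the sunset height does the legacy input itself cause rejection.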

Phase C: The Recovery Mechanism — still in development

Phase C is the safety net for any holder who missed the Phase B deadline. If coins are frozen, this mechanism would allow a holder to prove ownership — using their seed phrase — without exposing the private key. Prove ownership, recover access.

There is a significant caveat. Phase C is built around BIP-39 seed phrases, which were not introduced until 2013. Any Bitcoin held in wallets created before that date — including coins attributed to Satoshi Nakamoto — used a different key system that this recovery method cannot reach. For those coins, Phase C offers no path back.

The mechanism remains under active research and is not yet fully specified. Whether it works in practice, and for whom, will be a significant factor in how the broader community evaluates the proposal as a whole.

BIP361: Specification Tiers

How BIP-361 and BIP-360 Work Together

Think of it as policy and infrastructure. BIP-361 sets the rules: what has to happen and when. BIP-360, developed by BTQ Technologies, builds the road: the new opcodes that make quantum-resistant transactions possible in the first place. Without BIP-360, or a comparable proposal, there would be no quantum-safe address type to migrate to.

BIP-360 runs on Dilithium (ML-DSA), a post-quantum signature scheme ratified by NIST in 2024. BTQ's testnet has mined over 100,000 blocks using this infrastructure, moving the proposal from theory into something that can be tested and validated in practice.

What Bitcoin Retail Holders Can Do Right Now

BIP-361 has not yet been activated. But the vulnerability it addresses — exposed public keys — can be mitigated today, regardless of how the proposal ultimately proceeds. Where a holder stands depends on one thing: whether their address has ever sent a transaction or not.

A retail holder is actively mitigating against a quantum threat if they:

  • Have never spent from the address: The public key has never been exposed. Provided the coins remain in self custody, they carry no current quantum exposure. Modern address formats — bech32 and Taproot — do not reveal the public key until the first spend. 

  • Have previously sent from an older address: The public key is already on-chain. The most meaningful step available today is to consolidate into a fresh, unspent address and avoid reusing it — reducing the window of exposure. Pay-to-public-key (P2PK) addresses — common in Bitcoin's earliest transactions from 2009 to 2010 — are the highest priority. The public key is embedded directly in the script, making exposure unconditional regardless of spend history.
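The triage described in the two bullets above, as an added example that is not code from the article: it recognises pay-to-public-key and key-hash output scripts by their byte templates and ranks holdings by exposure. The sample scripts are constructed filler bytes, the status names are hypothetical, and any other script template is left unclassified.

```python
def is_p2pk(s: bytes) -> bool:
    """<33-byte or 65-byte public key push> OP_CHECKSIG (0xac)."""
    compressed = len(s) == 35 and s[0] == 33 and s[1] in (2, 3)
    uncompressed = len(s) == 67 and s[0] == 65 and s[1] == 4
    return (compressed or uncompressed) and s[-1] == 0xAC


def script_type(spk_hex: str) -> str:
    s = bytes.fromhex(spk_hex)
    if is_p2pk(s):
        return "p2pk"
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # witness version 0 with a 20-byte program (bech32 key-hash output)
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"  # every other template is outside this sketch


def exposure(spk_hex: str, spent_before: bool) -> str:
    kind = script_type(spk_hex)
    if kind == "p2pk":
        return "exposed_in_script"      # key sits in the output itself
    if kind in ("p2pkh", "p2wpkh"):
        # only a hash is on-chain until a spend publishes the key
        return "exposed_by_spend" if spent_before else "hash_only"
    return "unclassified"


RANK = {"exposed_in_script": 0, "exposed_by_spend": 1,
        "unclassified": 2, "hash_only": 3}


def triage(utxos):
    """utxos: (label, scriptPubKey hex, address spent from before?)."""
    rows = [(label, exposure(spk, spent)) for label, spk, spent in utxos]
    return sorted(rows, key=lambda row: RANK[row[1]])


# Constructed sample data: filler bytes, not real keys or hashes.
P2PK = "21" + "02" + "11" * 32 + "ac"
P2PKH = "76a914" + "22" * 20 + "88ac"
P2WPKH = "0014" + "33" * 20
SAMPLE = [("fresh-bech32", P2WPKH, False), ("reused-legacy", P2PKH, True),
          ("early-p2pk", P2PK, False), ("unused-legacy", P2PKH, False)]
```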

The Governance Debate

No Bitcoin protocol change of this scale moves without contested debate, and BIP-361 is no exception.

The Hard Fork Question

BIP-361 is classified in the proposal as a soft fork. Charles Hoskinson, Ethereum co-founder and founder of Cardano, has challenged this directly. In a public response to the proposal, Hoskinson argued that freezing legacy transaction types at the consensus layer cannot be achieved without a hard fork and that the proposal's authors are aware of this.

The proposal's own backward compatibility section acknowledges that Phase C may require a hard fork to implement. The classification remains contested.

BIP361: Backward Compatibility

The Immutability Concern

Bitcoin's foundational property has always been that no external authority can freeze or confiscate coins. Phase B would freeze coins, even if the stated purpose is protection. Critics argue that establishing this precedent is a greater long-term threat than quantum computers themselves. Once the network accepts preemptive coin freezing as a legitimate governance action, the logic can be applied to future situations for different stated reasons.

The Canary Address Alternative

Alternative approaches have been proposed. A market-driven canary address model would establish known-vulnerable addresses with small Bitcoin balances. When canary coins move without the owner's action, the network receives an early warning signal and can activate protective measures reactively.

The Case for a Pre-Announced Sunset

Supporters counter that a reactive approach hands the advantage to the attacker. A sophisticated quantum actor would not target high-profile canary addresses first; it would begin with less visible, higher-value targets, draining them quietly over months. A pre-announced, time-bound sunset closes the attack surface permanently.

The coordination challenge: Coordinating decentralised networks is slow. Bitcoin's own history reflects this — major protocol changes have historically taken years to reach consensus. BIP-361's phased, deadline-driven structure is designed with that reality in mind.

Conclusion

BIP-361 is a planning document, not a crisis response. The quantum threat to Bitcoin's ECDSA-based cryptography is real, the timeline is compressing, and the proportion of exposed Bitcoin — 34% of the UTXO set — is large enough that the question cannot be deferred indefinitely.

Whether BIP-361 is the right mechanism, whether alternative approaches prove more compatible with Bitcoin's values, or whether the timeline shifts in ways that change the calculus, the underlying problem does not go away. The best position for any Bitcoin holder is to understand what the exposure is, take the steps that are available today, and follow the governance process as it develops.

BIP-361 was published as an informational draft on February 11, 2026, authored by Jameson Lopp, Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers. The full specification is available on the Bitcoin GitHub repository.

FAQ

What is BIP-361 and why was it created?

BIP-361, formally titled "Post-Quantum Migration and Legacy Signature Sunset," is a three-phase Bitcoin Improvement Proposal designed to migrate Bitcoin away from cryptography that quantum computers could eventually break. It aims to turn a potential future emergency caused by quantum attacks into a managed, structured process affecting all Bitcoin holders.

Why do quantum computers pose a threat to Bitcoin?

Bitcoin relies on elliptic curve cryptography, where security depends on no one being able to derive a private key from a public key. Classical computers cannot do this in any practical timeframe, but quantum computers running Shor's algorithm could. Academic roadmaps place cryptographically relevant quantum machines between 2027 and 2030, with advances potentially compressing that window by up to 20×.

What happens in Phases A and B of BIP-361?

In Phase A, over a 160,000-block (about three-year) window after activation, the network will stop accepting Bitcoin sent to old-style addresses, and coins moved to quantum-resistant addresses during this time are no longer at risk. Phase B begins two years after Phase A ends; at a pre-announced block height, nodes will reject any transaction spending from legacy ECDSA or Schnorr addresses, causing coins that remain in quantum-vulnerable addresses to become frozen until ownership can be proven via quantum-safe methods.

How are BIP-361 and BIP-360 related?

BIP-361 defines the rules and timeline for the quantum migration, while BIP-360 provides the technical infrastructure needed for quantum-resistant transactions. BIP-360, developed by BTQ Technologies, introduces new opcodes based on Dilithium (ML-DSA), a NIST-ratified post-quantum signature scheme, enabling the quantum-safe address type that BIP-361’s migration requires.

Disclaimer

The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
