A group of six contributors active in Bitcoin’s quantum security research, including Jameson Lopp, co-founder of Casa, have introduced BIP-361, a proposal outlining a plan to gradually eliminate legacy ECDSA and Schnorr digital signatures in the network. This move targets vulnerabilities in older Bitcoin address types that are considered susceptible to future quantum computer attacks.
Key features of BIP-361
BIP-361 offers a migration framework designed to address quantum risk in Bitcoin’s transaction system. The draft, titled “Post Quantum Migration and Legacy Signature Sunset,” structures the transition in three phases, aiming to push users towards adopting post-quantum secure solutions before threats become practical.
The proposals build upon BIP-360, which previously introduced the Pay-to-Merkle-Root (P2MR) output format—a design intended to enhance resistance against quantum attacks. Developers say more than one-third of all bitcoin could be at risk, with a major portion stored in addresses where public keys have been exposed on-chain, making them vulnerable if sufficiently advanced quantum computers are developed.
Among these are roughly 1 million bitcoins associated with early wallets reportedly belonging to Satoshi Nakamoto. Given the scale of exposure, the concern is not limited to inactive coins but extends to all unspent outputs whose security could be undermined if quantum computing progresses as predicted.
The urgency is heightened by recent research, such as a March 2026 paper from Google Quantum AI, indicating that breaking elliptic curve cryptography might require far fewer resources than previously assumed. In addition, a Caltech and Oratomic study demonstrated that only 10,000 qubits—much less than past forecasts—could be sufficient to compromise Bitcoin’s security using Shor’s algorithm.
“Prior to a quantum attack, it is impossible to know the motivations of the attacker. An economically motivated attacker will try to remain undetected for as long as possible, while a malicious attacker will attempt to destroy as much value as possible,” the proposal’s authors noted.
The migration timeline and challenges ahead
BIP-361 details a phased approach to transition users away from quantum-vulnerable addresses. In Phase A, starting roughly three years after activation, Bitcoin nodes would block all transactions sending funds to these at-risk addresses, effectively beginning a forced migration period to safer address types.
Phase B would follow approximately two years later, resulting in nodes outright rejecting any transaction that relies on the older ECDSA and Schnorr signature schemes. Funds remaining in these addresses would become permanently inaccessible.
A potential Phase C is outlined but not yet fully specified. This stage could allow recovery of frozen funds through zero-knowledge proofs tied to users’ seed phrases. However, the timeline and technical details for this option remain undeclared, relying on further research and consensus within the community.
The proposal is positioned as a private incentive, urging holders to act before they encounter difficulties accessing their assets. The BIP also echoes a sentiment once expressed by Satoshi Nakamoto, suggesting that lost coins effectively increase the value of remaining holdings, while coins taken through quantum exploitation have the opposite effect.
“Fail to upgrade and you will encounter additional friction to access your funds, creating a certainty where none previously existed.”
Casa, co-founded by Jameson Lopp, specializes in security solutions and self-custody infrastructure for bitcoin holders. Their development team is involved in various industry standards and has previously participated in proposals influencing Bitcoin’s cryptographic resilience.
