BIP 361 (Post Quantum Migration)
Draft proposal to migrate Bitcoin off ECDSA/Schnorr signatures before quantum computers can break them - by sunsetting legacy signatures on a fixed timeline.
BIP-361 - "Post Quantum Migration and Legacy Signature Sunset" - is a draft proposal published February 11, 2026 by Jameson Lopp, Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers. It is the active migration framework for Post-Quantum Bitcoin: the only categorical cryptographic threat that exists for Bitcoin's current signature schemes is a sufficiently powerful quantum computer, and BIP-361 is how the network would respond.
The problem
ECDSA and Schnorr signatures rely on the discrete logarithm problem in elliptic-curve groups being computationally hard. A large-enough quantum computer running Shor's algorithm breaks that assumption. Any UTXO whose public key has been revealed on-chain becomes spendable by anyone with such a machine.
Public keys are revealed in two main scenarios:
- P2PK outputs (pay-to-pubkey, used in early Bitcoin): the pubkey is in the output script itself, exposed from the moment the output is created. Mostly Satoshi-era coins.
- Address reuse: any address that has already sent a transaction has revealed its pubkey in the spending tx. Receive once and never spend, the pubkey stays hidden (it's hashed in the address). Spend once, and the pubkey is permanently public for that address.
The BIP estimates over 34% of all bitcoin falls into one of those categories. That includes much of Satoshi's stash, dormant whale wallets, and any address that's been reused.
The two-phase migration
The proposal splits the migration into staged consensus changes:
Phase A - Stop the bleeding. Disallow sending funds to quantum-vulnerable address types. New transactions must use a quantum-resistant output type (the BIP is signature-scheme agnostic and assumes a separate proposal lands a PQ output type). Holders can still spend from vulnerable addresses, but only to safe ones.
Phase B - Sunset legacy signatures. Five years after Phase A activates, ECDSA and Schnorr spends are restricted. Funds in vulnerable addresses can only be moved via a quantum-safe rescue protocol - one that proves knowledge of the underlying seed without producing a forgeable signature. The BIP suggests using BIP-32 hardened derivation: prove you can derive the child key, which a quantum attacker reading only the public key cannot do.
The five-year gap exists because, in the authors' framing, "coordinating wallets, exchanges, miners and custodians historically takes years."
What this is and isn't
Is: a draft BIP. Would deploy as a soft fork if it advances. Currently in the open-discussion phase.
Isn't: activated, scheduled, or consensus. The community has not agreed on which quantum-resistant signature scheme to use. Candidates include lattice-based (ML-DSA is the leading example, NIST-standardized in 2024 as FIPS 204), hash-based (SLH-DSA, FIPS 205), and isogeny-based schemes - each with different trade-offs in signature size, verification cost, and assumed security.
The estimated arrival of cryptographically-relevant quantum computers (CRQCs) is somewhere between 2027 and the early 2030s, depending on whose roadmap you trust. The BIP exists to start the multi-year coordination process before the threat is acute, not after.
The Satoshi question
The two-phase mechanism implicitly addresses what to do about dormant pre-quantum coins. Under Phase B, any P2PK output (including Satoshi's known holdings) becomes unspendable except via the rescue protocol. Satoshi has never demonstrated active key control, and BIP-32 derivation requires the seed - not the public key - so a third party cannot rescue those coins. Functionally, they would become permanently locked.
This is not the BIP's stated goal, but it is an unavoidable consequence: the same rule that protects vulnerable holders from quantum theft also strands the original holdings of anyone whose keys are unavailable. Whether the network views that as a feature or a bug is part of why this is still a draft.
See the Quantum and Bitcoin rabbit hole for the measured exposure this framework would migrate - and why mass migration in a panic would be the worst response.
Spec: BIP-361.
Key takeaways
- Two-phase migration: first stop receiving to vulnerable addresses, then restrict spending from them
- Estimates over 34% of all BTC has revealed a public key on-chain and is quantum-vulnerable
- Draft - not consensus - but the cryptographically-relevant quantum timeline (2027-2030) is forcing the conversation
Related terms (16)
- BIP (Bitcoin Improvement Proposal)
- BIP 32 (HD Wallets)
- ECDSA (Elliptic Curve Digital Signature Algorithm)
- Schnorr Signature
- Public Key
- P2PK (Pay to Public Key)
- P2PKH (Pay to Public Key Hash)
- Address Reuse
- Soft Fork
- Satoshi Nakamoto
- Post-Quantum Bitcoin
- Shor's Algorithm
- Grover's Algorithm
- CRQC (Cryptographically-Relevant Quantum Computer)
- ML-DSA / Dilithium (FIPS 204)
- SLH-DSA / SPHINCS+ (FIPS 205)