Update (April 15, 06:45 UTC): this piece was updated to include comments from Jameson Lopp.
A group led by cypherpunk Jameson Lopp and five co-authors has published a draft Bitcoin Improvement Proposal, BIP-361, that sketches a plan to limit the risk posed by future quantum computers. The draft, titled “Post Quantum Migration and Legacy Signature Sunset,” outlines the second phase of a three-stage strategy to migrate Bitcoin toward post-quantum-safe signature schemes and to neutralize outputs that would be exposed if large-scale quantum attacks become practical.
The proposal responds to a clear threat: an estimated 1.7 million BTC, including some coins attributed to Satoshi, remain in early pay-to-public-key (P2PK) addresses whose public keys are revealed on-chain and could be vulnerable to sufficiently powerful quantum computers. If a quantum-capable attacker could derive private keys from those public keys, they could spend those coins and potentially trigger a sudden shock to circulating supply and market confidence.
Lopp emphasized that BIP-361 is a preliminary concept, not a production-ready change. “Rather, it’s a rough sketch of one way we could approach the issue of a looming circulating supply shock if quantum computing advances to the point that a post-quantum signature scheme achieves consensus for being added to Bitcoin,” he told Cointelegraph, adding that the proposal is expected to evolve with further research and development.
How BIP-361 builds on prior work
BIP-361 follows BIP-360, published in February, which proposed a soft fork adding a new output type called pay-to-Merkle-root (P2MR). P2MR resembles Taproot’s P2TR but omits the quantum-vulnerable key-path, protecting newly created outputs from future quantum attacks. BIP-360, however, does not address the roughly 34% of Bitcoin supply still held in legacy, quantum-vulnerable addresses unless those owners choose to move their funds.
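To make the exposure described above concrete, here is an added example (not code from the article, BIP-360 or BIP-361) that classifies standard output scripts by whether the unspent output itself publishes a public key, as P2PK and Taproot's key-path do. The function names and sample scripts are constructed for illustration, and the flag is an assumption about script templates only, not the draft's definition of legacy address types.

```python
# Added example: audit a UTXO list for outputs whose script publishes a key.
# Sample scripts below are constructed (filler bytes), not real outputs.

def classify_script_pubkey(script_hex: str) -> tuple[str, bool]:
    """Return (template, key_visible_while_unspent) for a scriptPubKey."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (0x02, 0x03)) or (n == 67 and s[1] == 0x04):
            return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", False  # key appears only once the output is spent
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH", False
    # SegWit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key> (the key-path key is on-chain)
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    return "unknown", False


def exposed_sats(utxos) -> int:
    """Sum the value (in satoshis) of outputs that publish a public key."""
    return sum(v for script, v in utxos if classify_script_pubkey(script)[1])


SAMPLE_UTXOS = [  # constructed (scriptPubKey hex, value in satoshis)
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000),  # uncompressed P2PK
    ("21" + "02" + "22" * 32 + "ac", 5_000_000_000),  # compressed P2PK
    ("76a914" + "33" * 20 + "88ac", 150_000),         # P2PKH
    ("0014" + "44" * 20, 70_000),                     # P2WPKH
    ("5120" + "55" * 32, 25_000),                     # P2TR
]

if __name__ == "__main__":
    for script, value in SAMPLE_UTXOS:
        print(classify_script_pubkey(script), value)
    print("sats behind a published key:", exposed_sats(SAMPLE_UTXOS))
```

Hashed templates report `False` only while the output is unspent and the address has not been reused; spending from them reveals the key as well.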
The three-phase plan in BIP-361
– Phase A (three years after activation): Disallows new BTC from being sent to legacy, quantum-vulnerable address types, ensuring new coins are created using quantum-resistant outputs.
– Phase B (five years after activation): Invalidates legacy-style signatures, effectively freezing funds that remain in vulnerable UTXOs so they cannot be spent with the original keys.
– Phase C: Offers a potential recovery path for owners who can prove continued ownership (for example, by proving knowledge of a seed phrase) using zero-knowledge proofs or a similar cryptographic mechanism to reclaim frozen coins.
The authors frame the approach as creating a private incentive to upgrade: coins frozen by inaction would slightly increase the value of remaining liquid coins, while coins recovered by a quantum attacker would harm the value of all holders. They describe the proposal as defensive — intended to protect the ecosystem from a scenario where a malicious actor exploits un-migrated keys to destroy value and trust.
Community reaction
The idea has sparked controversy. Critics argue the plan departs from long-held Bitcoin norms by rendering existing UTXOs unspendable if owners don’t take action. Protocol developer Mark Erhardt’s sharing of the draft drew strong criticism from commentators who labeled the approach “authoritarian and confiscatory.” Bitcoin Magazine editor Brian Trollz rejected the concept outright; TFTC founder Marty Bent called it “laughable,” and Phil Geiger criticized the plan with the quip, “We have to steal people’s money to prevent their money from being stolen.”
Supporters counter that without coordinated migration to quantum-resistant schemes, the sudden emergence of a quantum-capable attacker could cause a rapid loss of circulating supply and severe market disruption, making some proactive defense preferable to inaction.
Next steps
BIP-361 is a draft intended to start discussion rather than an imminent change. The authors expect the design to be refined through community review, technical analysis, and further research into practical recovery mechanisms such as zero-knowledge proof systems.