BIP-361 draft would freeze 1.7M quantum-vulnerable BTC

A group led by cypherpunk Jameson Lopp and five co-authors posted a draft Bitcoin Improvement Proposal, BIP-361, that would freeze roughly 1.7 million BTC held in legacy pay-to-public-key (P2PK) addresses. The draft was posted to GitHub as part two of a three-stage plan called “Post Quantum Migration and Legacy Signature Sunset.” The authors say the proposal aims to reduce the risk that future quantum computers could use vulnerable keys to sign transactions and drain early unspent outputs.

The authors estimate about 34% of Bitcoin’s supply remains in address types that are not quantum-resistant unless owners move funds to newer formats. The draft builds on BIP-360, published earlier, which proposed a soft fork to introduce a new output type called pay-to-Merkle-root (P2MR). P2MR resembles Taproot’s pay-to-taproot path but removes the legacy key path that the authors say is susceptible to quantum attacks. BIP-360 targets new outputs; BIP-361 focuses on existing vulnerable outputs.

Under BIP-361 the upgrade would proceed in three phases after activation. Phase A would begin three years after activation and prevent new Bitcoin from being sent to legacy P2PK addresses so that new activity uses quantum-resistant address types. Phase B would take effect five years after activation and invalidate legacy signature types, which would make any coins still in vulnerable addresses effectively frozen. Phase C would offer a possible recovery route using zero-knowledge proofs that could allow holders who still control their seed phrases to reclaim frozen funds.

The proposal describes the schedule as creating a private incentive for users to migrate funds. The authors write, “This is not an offensive attack, rather, it is defensive: our thesis is that the Bitcoin ecosystem wishes to defend itself and its interests against those who would prefer to do nothing and allow a malicious actor to destroy both value and trust.”

The draft has prompted strong criticism within the Bitcoin community. When the proposal circulated on social media, some users called it “highly authoritarian and confiscatory” and questioned forcing an upgrade that would render old spends invalid. Brian Trollz, a Bitcoin editor, rejected the proposal outright. Marty Bent, founder of TFTC, described it as “laughable.” Phil Geiger, head of business development at Metaplanet, wrote, “We have to steal people’s money to prevent their money from being stolen.”

Proponents of the draft say leaving vulnerable outputs unchanged could invite theft if quantum-capable adversaries emerge, and that a phased approach gives users time to migrate while creating an economic incentive to move funds into quantum-resistant formats. The authors point to early P2PK outputs, including long-idle addresses attributed to Bitcoin’s pseudonymous creator, as particularly sensitive.

Outside experts note uncertainty about when quantum computing will be capable of breaking current digital signatures and whether proposed quantum-resistant cryptography will be fully effective. The BIP-361 authors and other developers argue that preparing protocol-level changes now could reduce systemic risk if such capabilities appear.

BIP-361 remains a draft on GitHub and would require community discussion and consensus before any activation path is set. The proposal interacts with ongoing work on BIP-360 and other efforts to make Bitcoin resilient to future cryptographic threats.