Bitcoin BIP-361 Proposes Quantum Defense Migration That Could Freeze Millions of BTC
A new Bitcoin Improvement Proposal outlines a three-phase plan to defend the network against quantum computing attacks, but critics warn that Phase B could permanently freeze coins held in legacy wallets. The debate signals that post-quantum cryptography is no longer a distant concern for blockchain infrastructure.
AI Analysis
Trend Correlation
BIP-361 is the second PQC-focused story to appear in recent Autheo research briefings, reinforcing an accelerating pattern.
Autheo Relevance
AutheoID anchors user identity and verifiable credentials to on-chain signature schemes. Autheo's tiered validator model (Core, Prime, Sovereign) means validator nodes can be upgraded in a sequenced rollout.
Quantified Impact
6.7 million BTC sit in quantum-vulnerable addresses. PQC signature sizes increase by 20x to 72x over Ed25519 (64 bytes vs. 1,280 to 4,627 bytes).
Full Analysis
Bitcoin's developer community has updated BIP-361, titled "Post Quantum Migration and Legacy Signature Sunset," on the official Bitcoin repository. The proposal maps out a three-phase transition away from cryptographic schemes that a sufficiently powerful quantum computer could break.
Phase A, spanning roughly three years, would block new transactions sending BTC to quantum-vulnerable addresses. Phase B, arriving around year five, would render ECDSA and Schnorr signatures invalid, effectively freezing any coins still sitting in unprotected wallets. Phase C remains exploratory, proposing zero-knowledge proof-based recovery mechanisms for funds that become frozen under Phase B.
The stakes are not abstract. A Google-commissioned study estimated that approximately 6.7 million BTC currently sit in addresses that would be vulnerable to a cryptographically relevant quantum computer (CRQC). At current valuations, that represents hundreds of billions of dollars in assets that could be compromised or, under BIP-361's logic, preemptively locked to prevent theft. Neither outcome is comfortable, and the community has split sharply. Critics label the proposal "authoritarian and confiscatory," while proponents, including cryptographer Jameson Lopp, frame it as a necessary defensive measure.
BIP-361 builds on BIP-360, which introduced the P2MR (pay-to-Merkle-root) transaction type as a foundation for post-quantum addresses. That sequencing matters: the infrastructure for quantum-resistant transactions is being laid now, ahead of any confirmed quantum threat.
For the broader blockchain industry, BIP-361 crystallizes a problem that applies to every chain still relying on ECDSA or Ed25519 signatures. Migrating to NIST-finalized post-quantum standards introduces significant overhead. NIST finalized three PQC schemes in 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). The size difference is stark. An Ed25519 signature occupies 64 bytes; an FN-DSA-1024 signature runs to 1,280 bytes; ML-DSA-87 signatures reach 4,627 bytes. At scale, those differences compound into meaningful bandwidth, storage, and fee-pressure costs across any network that handles high transaction volumes.
Expert surveys now put the probability of a CRQC arriving before the end of the 2030s at above 50%. That timeline gives blockchain projects roughly a decade to complete migrations. The problem is that no major distributed ledger has finished a full PQC transition yet, which means the industry is watching Bitcoin's contentious debate as a live case study in how painful this process can be when retrofitted onto an existing, high-value network.
The lesson for new infrastructure is to design for cryptographic agility from day one: the ability to swap signature schemes without breaking identity, consensus, or smart contract layers. Chains that can update their cryptographic primitives through governance or upgrade mechanisms, without requiring every user to manually migrate funds, will be structurally better positioned when the quantum threat becomes concrete.
BIP-361's Phase B freeze scenario also raises a question that goes beyond Bitcoin. Who bears responsibility when a protocol's security upgrade involuntarily affects user assets? The answer will shape regulatory expectations and user trust across the entire sector.
Key Facts
BIP-361 proposes a three-phase post-quantum migration for Bitcoin, with Phase B invalidating ECDSA and Schnorr signatures and potentially freezing coins in legacy wallets. (Source: CoinDesk)
Approximately 6.7 million BTC currently sit in quantum-vulnerable addresses, according to a Google-commissioned study. (Source: CoinDesk)
NIST finalized three post-quantum cryptography standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). ML-DSA-87 signatures are 4,627 bytes versus 64 bytes for Ed25519. (Source: Hedera Blog)
Expert surveys place the probability of a CRQC arriving before the late 2030s at above 50%. (Source: Hedera Blog)
No major distributed ledger technology platform has completed a full post-quantum cryptography migration as of 2026. (Source: Hedera Blog)