BIP-361: Bitcoin’s Three-Phase Quantum-Resistant Security Upgrade Fully Explained

In April 2026, Bitcoin developers published one of the most significant proposals in the cryptocurrency’s seventeen-year history: Bitcoin Improvement Proposal 361, better known as BIP-361. This proposal outlines a structured, three-phase migration of Bitcoin’s cryptographic foundations to quantum-resistant algorithms — a critical step in preparing the world’s leading cryptocurrency for the era of quantum computing. The quantum-resistant BIP-361 proposal has sparked intense discussion within the developer community, raising questions about timeline, technical feasibility, and what changes users and holders can expect in Bitcoin’s fundamental security architecture. Understanding BIP-361 is not merely an academic exercise — it is increasingly essential knowledge for anyone with long-term exposure to Bitcoin.

Why Quantum Resistance Matters for Bitcoin Now

Bitcoin’s current security model relies primarily on the Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve, and the SHA-256 hashing algorithm for proof-of-work mining. These cryptographic primitives are robust against all known classical computing attacks, providing Bitcoin with a security margin of decades under conventional threat models. A classical computer attempting to derive a Bitcoin private key from its public key would require computational resources exceeding the energy output of entire stars and timescales longer than the age of the universe.

However, quantum computers — machines that exploit quantum mechanical phenomena like superposition and entanglement to perform certain computations exponentially faster than classical computers — pose a fundamentally different threat. A sufficiently powerful quantum computer running Shor’s algorithm could theoretically derive a Bitcoin private key from its corresponding public key in hours or days, rather than the billions of years that classical computers would require. This is not speculation — Shor’s algorithm is mathematically proven to work against elliptic curve cryptography, and the only question is when quantum hardware capable of running it at scale will exist.

The question, therefore, is not whether this threat will materialise, but when. Leading quantum computing researchers now estimate that cryptographically relevant quantum computers — those capable of breaking ECDSA signatures at Bitcoin’s security level — could exist within 8-15 years. IBM has committed to achieving fault-tolerant quantum computing by 2033. Google’s quantum research division has made exponential progress in error correction since 2024. State-level programs in China and the United States are both classified and well-funded. BIP-361 reflects Bitcoin developers’ judgment that preparation must begin now, even if the threat remains distant, because cryptographic migrations of this complexity require a decade or more to execute safely.

The Three Phases of BIP-361 Explained in Detail

BIP-361 proposes a carefully sequenced, three-phase migration strategy designed to introduce quantum resistance while minimising disruption to Bitcoin’s existing ecosystem of wallets, exchanges, and infrastructure providers. Each phase is designed to build on the previous one, allowing the ecosystem to adapt incrementally rather than facing a sudden mandatory change.

Phase 1 focuses on the Soft Fork Introduction of Post-Quantum Address Types. This phase introduces new Bitcoin address formats based on quantum-resistant signature schemes — specifically CRYSTALS-Dilithium and SPHINCS+, two algorithms selected by the US National Institute of Standards and Technology (NIST) as post-quantum standards in 2024 following a multi-year international competition. CRYSTALS-Dilithium is a lattice-based signature scheme that provides security against both classical and quantum adversaries. SPHINCS+ is a hash-based signature scheme that offers an alternative with different security assumptions, providing diversity against unknown future attacks.

These new address types will be opt-in, allowing users and wallets to migrate voluntarily while the old address types remain fully valid and spendable. This approach follows the same precedent established by SegWit (BIP-141) in 2017, which introduced new transaction types that eventually became dominant without ever forcing adoption. Phase 1 is expected to activate through a soft fork mechanism with a 95% miner signalling threshold, similar to how Taproot was activated in 2021.

Phase 2, targeted for implementation 2-4 years after Phase 1, introduces Deprecation Warnings and Migration Incentives for Legacy Addresses. During this phase, Bitcoin nodes will begin issuing standardised warnings when transactions involving older ECDSA-protected outputs are broadcast to the network, encouraging users to migrate their funds to quantum-resistant addresses. Additionally, fee incentive structures may be adjusted to make quantum-resistant transactions slightly cheaper relative to legacy transactions, nudging economic behaviour toward migration. Importantly, legacy outputs remain spendable throughout Phase 2 — no funds will be inaccessible or locked during this transitional period.

Phase 3 is the most contentious aspect of BIP-361: the Eventual Sunset of ECDSA Outputs. In a hard-fork event requiring broad network consensus, Bitcoin would eventually stop relaying or mining transactions that spend from old, quantum-vulnerable address types. This phase is described in BIP-361 as a “long-term goal” rather than a near-term mandate, and its activation would require overwhelming community consensus that quantum computing has reached a level where ECDSA outputs face genuine near-term risk. The timeline for Phase 3 is deliberately left open-ended in the proposal.

Technical Challenges: Signature Size and Transaction Throughput

Implementing quantum resistance in Bitcoin is technically complex for several interconnected reasons that go beyond simply swapping one signature scheme for another. The most significant practical challenge involves signature size. Post-quantum signature schemes like CRYSTALS-Dilithium produce signatures that are substantially larger than ECDSA signatures — a CRYSTALS-Dilithium signature at the Level 2 security parameter is approximately 2,420 bytes, compared to the 71-72 bytes typical of a Bitcoin ECDSA signature. This represents a size increase of more than 30 times.

This size disparity has direct implications for Bitcoin’s block space. Bitcoin’s current block weight limit of 4 million weight units can accommodate roughly 2,500-3,000 ECDSA-signed transactions per block. With CRYSTALS-Dilithium signatures of that size in their place, that capacity would fall dramatically unless compensating measures are implemented.

BIP-361 addresses this challenge by proposing modifications to Bitcoin’s block weight accounting specifically for quantum-resistant signature data. The proposal suggests a witness discount of approximately 4x for post-quantum signature data — similar in concept to the witness discount introduced for SegWit data — which would reduce the effective block space cost of quantum-resistant transactions and maintain throughput at acceptable levels. This is an elegant solution that preserves Bitcoin’s existing fee market structure while accommodating the technical requirements of larger signatures.

A second technical challenge involves key sizes. CRYSTALS-Dilithium public keys are also larger than ECDSA public keys — approximately 1,312 bytes versus 33 bytes for a compressed secp256k1 public key. This means quantum-resistant Bitcoin addresses would be longer and take up more UTXO set space. BIP-361 addresses this by proposing that quantum-resistant public keys be stored in the witness (a separate transaction structure introduced with SegWit) rather than in the scriptPubKey, minimising the UTXO set bloat.
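The weight arithmetic behind this section, as an added example that is not code from BIP-361 or from the article's author. It models a minimal one-input, two-output witness spend using the byte sizes quoted above. Assumptions: 31-byte outputs for both schemes, the extra 4x discount applied to signature plus public-key bytes in the witness, and block header and coinbase ignored, so the counts are upper bounds for this transaction shape rather than the mixed-traffic figure given earlier.

```python
BLOCK_WEIGHT_LIMIT = 4_000_000  # weight units, as stated in the article


def compact_size_len(n):
    """Length in bytes of Bitcoin's CompactSize prefix for the value n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9


def tx_size_and_weight(sig_len, pubkey_len, pq_discount=1):
    """Serialized size and weight of a 1-input, 2-output witness spend.

    pq_discount divides the weight of signature + public-key bytes: 1 is
    today's rule (1 WU per witness byte), 4 models the article's extra
    discount (how BIP-361 would apply it exactly is an assumption here).
    """
    # Non-witness bytes cost 4 WU each: version(4) + input count(1)
    # + outpoint(36) + empty scriptSig length(1) + sequence(4)
    # + output count(1) + 2 outputs of 31 bytes (assumed) + locktime(4)
    base = 4 + 1 + 36 + 1 + 4 + 1 + 2 * 31 + 4
    # Witness framing: marker+flag(2) + item count(1) + two length prefixes
    framing = 3 + compact_size_len(sig_len) + compact_size_len(pubkey_len)
    key_material = sig_len + pubkey_len
    discounted = -(-key_material // pq_discount)  # ceiling division
    size = base + framing + key_material
    weight = 4 * base + framing + discounted
    return size, weight


def block_capacity(sig_len, pubkey_len, pq_discount=1):
    """Transactions per block and the raw bytes those transactions occupy."""
    size, weight = tx_size_and_weight(sig_len, pubkey_len, pq_discount)
    count = BLOCK_WEIGHT_LIMIT // weight
    return count, count * size


if __name__ == "__main__":
    cases = [
        ("ECDSA, current rule", 72, 33, 1),
        ("Dilithium L2, current rule", 2420, 1312, 1),
        ("Dilithium L2, extra 4x discount", 2420, 1312, 4),
    ]
    for label, sig, key, disc in cases:
        count, raw = block_capacity(sig, key, disc)
        print(f"{label:32s} {count:5d} tx/block  {raw / 1e6:6.2f} MB raw")
```

Under these assumptions the discount brings the per-block count back from 953 to 2,869, but the bytes a node must relay and store for a full block grow to roughly 11 MB, because the discount changes the accounting and not the data.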

The Satoshi Era Coin Problem

Perhaps the most philosophically charged aspect of BIP-361 involves Bitcoin’s oldest coins. Approximately 1-2 million Bitcoin have never moved from addresses created in Bitcoin’s earliest years — some of these are widely believed to belong to Satoshi Nakamoto. Many of these early addresses use Pay-to-Public-Key (P2PK) format, where the full public key is exposed on-chain, making them directly vulnerable to a quantum attack on ECDSA without any additional steps.

BIP-361’s Phase 3 creates a difficult situation for these dormant coins. If ECDSA outputs are eventually made unspendable to protect the network from quantum threats, these coins would effectively be removed from circulation permanently. This has two potentially contradictory effects: on one hand, it reduces the circulating supply of Bitcoin (potentially bullish for price); on the other hand, it raises profound questions about Bitcoin’s property rights guarantees — the fundamental promise that coins are only spendable by their rightful owners.

The BIP-361 authors attempt to navigate this dilemma by establishing a very long transition period and stringent consensus requirements for Phase 3 activation. The proposal suggests that Phase 3 should only activate when there is evidence of an imminent quantum threat — specifically, when a quantum computer capable of breaking ECDSA in under 24 hours has been publicly demonstrated. This standard sets a deliberately high bar for the most disruptive aspect of the migration.

Community Reaction: Developer Debate and Governance Challenges

The Bitcoin developer community’s response to BIP-361 has been characterised by cautious optimism balanced with healthy and vigorous scepticism. Proponents argue that the proposal is appropriately conservative, respects Bitcoin’s tradition of gradual consensus-driven upgrades, and addresses a genuine long-term security risk before it becomes an emergency that forces hasty decisions.

Critics raise several concerns. Some argue that the quantum computing threat timeline is highly uncertain, and that locking in CRYSTALS-Dilithium and SPHINCS+ now risks Bitcoin being tied to NIST standards that may themselves prove inadequate against future quantum computers. The NIST standardisation process, while rigorous, has been criticised for focusing on algorithms that may have undiscovered vulnerabilities — particularly lattice-based schemes like Dilithium, whose mathematical security assumptions have received less public scrutiny than established algorithms like RSA or ECDSA.

Others worry about the governance implications of Phase 3 — specifically, the question of who decides when legacy addresses are “unsafe enough” to warrant a hard fork sunset. Bitcoin has no central authority and no formal governance mechanism for making such determinations. The social consensus process that has successfully managed previous Bitcoin upgrades has never been tested against a change as contentious as rendering some coins permanently unspendable.

A vocal minority within the Bitcoin community argues that BIP-361 is premature and that Bitcoin’s finite development bandwidth should be focused on scaling solutions and privacy improvements rather than defending against a still-speculative threat. However, this view is countered by the observation that cryptographic migrations take years to implement safely, and waiting until quantum computers pose an imminent threat would leave insufficient time for a safe, community-wide migration.

BIP-361 in the Context of the Broader Industry

Bitcoin’s BIP-361 arrives as quantum resistance becomes an industry-wide priority across the blockchain ecosystem. Ethereum’s development roadmap includes quantum resistance as part of its long-term “Splurge” phase, with preliminary work on quantum-resistant validator signatures already underway. Ripple’s XRP Ledger (XRPL) has already published a formal quantum-resistant amendment targeting 2028 activation — making XRPL the frontrunner in the race to post-quantum security among major blockchains.

The traditional financial sector is facing the same challenge. Post-quantum cryptography migrations for banking infrastructure, TLS internet security, and government communications are all underway following NIST’s 2024 standardisation of CRYSTALS-Dilithium, CRYSTALS-Kyber, and SPHINCS+. Bitcoin’s BIP-361 can be seen as the crypto ecosystem’s equivalent of the global post-quantum migration that is occurring across all digital security infrastructure.

The fact that Bitcoin — widely regarded as the most conservative and slow-moving major blockchain, with a culture of extreme caution around protocol changes — has now published a concrete quantum resistance proposal signals that the developer community has moved beyond debating whether to act. The conversation has shifted to how, at what pace, and with what specific technical choices.

What Bitcoin Holders and Investors Should Do Now

For everyday Bitcoin holders, BIP-361’s near-term implications are limited but worth understanding. Phase 1 will introduce new address types that wallets can optionally support, but there is no immediate action required. Users holding Bitcoin in hardware wallets, software wallets, or exchange custody will continue to have full access to their funds during Phases 1 and 2, which will play out over a multi-year timeframe.

The most important near-term action for Bitcoin holders is to ensure their Bitcoin is held in a wallet where they control the private keys, and to monitor wallet provider announcements about post-quantum address support. Hardware wallet manufacturers including Ledger, Trezor, and Coldcard are expected to announce CRYSTALS-Dilithium support timelines following BIP-361’s publication, giving holders a clear pathway to quantum-resistant storage.

Long-term holders with significant positions should also note that P2PKH addresses (beginning with “1”) and P2WPKH addresses (beginning with “bc1q”) are both quantum-vulnerable in the sense that their ECDSA signatures can be attacked. Transitioning large holdings to quantum-resistant address types in Phase 1 — when they become available, likely in 2027-2028 — is advisable for maximum long-term security.
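An added example (not from BIP-361 or the article's author): a wallet-side inventory that sorts scriptPubKeys by when the ECDSA public key becomes visible on-chain, covering the P2PK case from the Satoshi-era section and the P2PKH and P2WPKH types named above. It goes slightly beyond the text by also flagging hash-based outputs whose key was already revealed by an earlier spend from the same address; the scripts, amounts and the `REVEALED` set are constructed sample data.

```python
def classify_script(script_hex, revealed_hashes=frozenset()):
    """Return (script_type, exposure) for one scriptPubKey given as hex.

    exposure: "at-rest"  - public key is in the output itself
              "reused"   - key hash only, but the key was revealed earlier
              "on-spend" - key hash only, key appears when the coin is spent
    """
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG, the key itself is on-chain
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "P2PK", "at-rest"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        key_hash, kind = s[3:23], "P2PKH"
    # P2WPKH: OP_0 <20-byte hash>
    elif len(s) == 22 and s[:2] == b"\x00\x14":
        key_hash, kind = s[2:], "P2WPKH"
    else:
        return "other", "unknown"
    exposed = key_hash.hex() in revealed_hashes
    return kind, "reused" if exposed else "on-spend"


def audit(utxos, revealed_hashes=frozenset()):
    """Sum satoshis per exposure class for (script_hex, value_sats) pairs."""
    totals = {}
    for script_hex, sats in utxos:
        _, exposure = classify_script(script_hex, revealed_hashes)
        totals[exposure] = totals.get(exposure, 0) + sats
    return totals


# Constructed sample data: filler bytes, not real keys or hashes.
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000),  # P2PK, uncompressed key
    ("76a914" + "22" * 20 + "88ac", 150_000),         # P2PKH
    ("0014" + "33" * 20, 20_000),                     # P2WPKH, never spent from
    ("0014" + "44" * 20, 70_000),                     # P2WPKH, address reused
]
REVEALED = {"44" * 20}  # hash160 values whose key appeared in an earlier spend

if __name__ == "__main__":
    for exposure, sats in sorted(audit(SAMPLE_UTXOS, REVEALED).items()):
        print(f"{exposure:9s} {sats / 1e8:.8f} BTC")
```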

Conclusion: BIP-361 as a Milestone in Bitcoin’s Maturation

BIP-361 represents a watershed moment in Bitcoin’s technical evolution. The fact that Bitcoin developers are now formally addressing post-quantum cryptography — a challenge that was largely theoretical just five years ago — reflects the network’s growth from a cypherpunk experiment to a multi-trillion-dollar global monetary system that must be defended with the highest possible security standards.

The quantum-resistant BIP-361 roadmap is ambitious but appropriately cautious. The three-phase structure respects Bitcoin’s culture of voluntary adoption, maintains full backward compatibility through the early phases, and reserves the most disruptive changes for a Phase 3 activation that requires genuinely extraordinary consensus. If successfully implemented, BIP-361 will ensure that Bitcoin’s cryptographic security remains unassailable not just against today’s threats, but against the quantum computing power of tomorrow’s most sophisticated adversaries.

In a world where quantum supremacy is approaching — not as a distant theoretical possibility but as an engineering project on the active roadmaps of the world’s most powerful companies and governments — BIP-361 may ultimately prove to be one of the most important technical decisions Bitcoin has ever made. The developers proposing it deserve credit for engaging this challenge now, while there is still time to get it right.
