BIP-361: BITCOIN VS. QUANTUM RISK
For years, the quantum threat had that convenient scent of catastrophes that one puts off until tomorrow. We talked about it like we talk about a distant asteroid or a nuclear winter for computers. The topic existed, of course, but always in a blurry, comfortable, abstract zone. On one side, tech enthusiasts saw it as the ultimate test that would separate serious protocols from speculative toys. On the other, the more jaded rolled their eyes, convinced that it was just another version of the monster under the bed. Then one detail changed the nature of the debate. That detail is BIP-361. Not a rumor. Not a hysterical thread on X. Not a wild fantasy from a "quantum blockchain" salesman. A real Bitcoin Improvement Proposal, published in the official BIPs repository, with a dry, almost administrative title: Post Quantum Migration and Legacy Signature Sunset. Its current status is simple: Draft. Nothing is adopted. Nothing is activated. Nothing is set in stone. But the mere fact that this idea now exists in Bitcoin's formal space is enough to mark a rupture.
This rupture is more significant than it seems. Because as long as a topic remains confined to speculative discussions, Bitcoin can ignore it without betraying its principles. But when an official proposal lays out a possible trajectory in black and white, the ecosystem no longer has the luxury of treating the issue as background noise. BIP-361 forces us to face a possibility that many preferred to keep at a distance: one day, Bitcoin's historical cryptographic schemes, ECDSA and Schnorr, might no longer be sufficient to guarantee the inviolability of funds. This is not a prophecy. Nor is it an immediate emergency. It is a serious hypothesis, serious enough that some are beginning to think about what comes next.
The problem, obviously, is that the quantum debate has become a kind of public dump where misunderstandings pile up. So we need to put things in order before going any further. No, quantum computing today does not allow one to empty Bitcoin like an ATM. No, a quantum computer is not already ready, hidden in a basement, to crack secp256k1 between two coffees. Even the most advanced companies in the field still explain that current machines are very far from being able to break modern cryptography on a practical scale. And yet, that's no reason to laugh at the subject. Because cryptographic transitions never happen at the last minute. When you wait for the fire to be visible from the street before buying the extinguisher, you've already lost the house.
This is where BIP-361 becomes fascinating. The text does not propose an optional gadget, a small extra precaution for anxious users. It outlines a strategy for gradual migration to post-quantum outputs, followed by an announced sunset of so-called "legacy" signatures. In essence, the BIP says this: if Bitcoin one day introduces a post-quantum output type, then a dynamic must be created that pushes holders to migrate, not gently, not solely on a voluntary basis, but through a clear and increasing incentive mechanism. The document describes a succession of phases. The first would prohibit sending funds to output types deemed quantum-vulnerable, that is, anything still secured by ECDSA or Schnorr. The next would render spends authorized by those signatures invalid, so that coins not migrated by the deadline could no longer move at all. Finally, the text even mentions the possibility of a recovery mechanism for such stranded funds, while acknowledging that this part remains entirely to be designed. This is not a patch. It is a proposal for a defensive reorganization of Bitcoin's cryptographic timeline.
And this is precisely why the subject is explosive. Bitcoin is not just software. It is also a moral architecture. Its founding narrative rests on a few core principles that have become almost sacred reflexes: permissionless ownership, individual sovereignty, irreversibility, rule neutrality, the idea that a protocol does not judge the history of coins but only the cryptographic validity of their spending. However, BIP-361, even in its current draft form, forces a question that many Bitcoiners don't like to hear: what happens to this philosophy when the cryptographic layer on which it rests begins to show, not an active flaw, but a potential long-term obsolescence? At what point does fidelity to principles become suicidal rigidity? At what point does defending the protocol require betraying some of its habits?
The crux of the problem is simple to state, but less simple to digest. Not all bitcoins are exposed in the same way to a future quantum attack. This is a crucial point, and probably the most misunderstood in public discourse. The theoretical risk is not uniformly distributed across the entire supply. A quantum attacker running Shor's algorithm needs the public key itself; a hash of that key gives it nothing to work on. The immediate concern is therefore outputs whose public key is already visible on the chain. Historically, this means the pay-to-public-key (P2PK) outputs common in Bitcoin's early years. It also means Taproot outputs, which place the tweaked public key directly in the output script. Hash-based formats such as P2PKH and P2WPKH reveal the key only when the funds are spent, which is why an address that has been spent from and then reused is just as exposed as a P2PK output. Even a fresh hashed output becomes public the moment a spending transaction is broadcast, so a sufficiently fast attacker could in principle race an unconfirmed transaction; that is a far harder attack, but it is why hashed outputs are "safer", not "safe". None of this makes the problem magical or non-existent, but it significantly changes the attack surface. To say "quantum threatens Bitcoin" without this nuance is like saying "rain threatens houses" without distinguishing a concrete bunker from a cardboard shack.
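As an added example (not code from the BIP, the article, or any Bitcoin project), here is a small Python classifier for the distinction just made. It matches a scriptPubKey against the standard output templates, reports whether the spending key is already on chain, treats a hash-type script that has already been spent from as exposed (the address-reuse case), and orders a set of UTXOs so the most exposed, highest-value ones come first. The script templates and opcodes are Bitcoin's; the UTXO labels, key bytes and values are constructed for illustration. It deliberately does not model BIP-361's phases, which the draft may still change.

```python
"""Added example: rank UTXOs by whether the key a quantum attacker needs
is already visible on chain. Script templates are Bitcoin's; all sample
UTXOs below are constructed, not real chain data."""
from dataclasses import dataclass
from enum import Enum

# Opcodes used by the standard output templates.
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xA9, 0xAC, 0xAE


class Exposure(Enum):
    KEY_ON_CHAIN = "public key sits in the output script"
    HASH_ONLY = "only a hash is on chain until the output is spent"
    UNKNOWN = "unrecognised script"


@dataclass(frozen=True)
class Classification:
    script_type: str
    exposure: Exposure


def classify_spk(spk: bytes) -> Classification:
    """Match a scriptPubKey against the standard templates."""
    n = len(spk)
    # P2PK: <push 33|65-byte key> OP_CHECKSIG -- the key is the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Classification("p2pk", Exposure.KEY_ON_CHAIN)
    # P2TR: OP_1 <32-byte x-only tweaked key> -- the key itself is on chain.
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return Classification("p2tr", Exposure.KEY_ON_CHAIN)
    # Bare multisig: OP_m <keys...> OP_n OP_CHECKMULTISIG -- all keys visible.
    if n > 3 and OP_1 <= spk[0] <= OP_16 and spk[-1] == OP_CHECKMULTISIG:
        return Classification("bare-multisig", Exposure.KEY_ON_CHAIN)
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Classification("p2pkh", Exposure.HASH_ONLY)
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return Classification("p2sh", Exposure.HASH_ONLY)
    # P2WPKH / P2WSH: OP_0 <20|32 bytes>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return Classification("p2wpkh", Exposure.HASH_ONLY)
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return Classification("p2wsh", Exposure.HASH_ONLY)
    return Classification("unknown", Exposure.UNKNOWN)


@dataclass(frozen=True)
class Utxo:
    label: str
    spk: bytes
    value_sat: int


def effective_exposure(utxo: Utxo, spent_from: set) -> tuple:
    """Return (script_type, status, reason). spent_from holds scriptPubKeys
    that already had an output spent: a hash-type script in that set has
    had its key (or redeem script) revealed, i.e. the address was reused."""
    c = classify_spk(utxo.spk)
    if c.exposure is Exposure.KEY_ON_CHAIN:
        return c.script_type, "exposed", "key is in the output script"
    if c.exposure is Exposure.HASH_ONLY:
        if utxo.spk in spent_from:
            return c.script_type, "exposed", "address reused: key revealed by an earlier spend"
        return c.script_type, "hashed", "key revealed only when this output is spent"
    return c.script_type, "unknown", "unrecognised script, review by hand"


def triage(utxos, spent_from):
    """Migration order: exposed keys first, then by value descending."""
    rows = []
    for u in utxos:
        script_type, status, reason = effective_exposure(u, spent_from)
        rows.append({"label": u.label, "type": script_type, "status": status,
                     "value_sat": u.value_sat, "reason": reason})
    rows.sort(key=lambda r: (r["status"] != "exposed", -r["value_sat"]))
    return rows


# Constructed sample wallet: key bytes and values are placeholders.
SAMPLE_UTXOS = [
    Utxo("p2pk-2010", b"\x21\x02" + b"\x11" * 32 + b"\xac", 50_00000000),
    Utxo("p2pkh-reused", bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 3_00000000),
    Utxo("p2wpkh-fresh", bytes([OP_0, 20]) + b"\x33" * 20, 1_00000000),
    Utxo("p2wsh-fresh", bytes([OP_0, 32]) + b"\x55" * 32, 2_00000000),
    Utxo("p2tr-cold", bytes([OP_1, 32]) + b"\x44" * 32, 10_00000000),
    Utxo("p2sh-fresh", bytes([OP_HASH160, 20]) + b"\x66" * 20 + bytes([OP_EQUAL]), 4_00000000),
]
# Constructed: the P2PKH script above has already been spent from once.
SPENT_FROM = {SAMPLE_UTXOS[1].spk}

if __name__ == "__main__":
    for row in triage(SAMPLE_UTXOS, SPENT_FROM):
        print(f"{row['status']:8} {row['type']:13} {row['label']:14} {row['reason']}")
```

The "hashed" status is relative, not a safety certificate: the key still becomes public when the output is spent, so the list is a migration priority, and a real run would take the spent-from set from a node's index rather than a hand-built set.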
This distinction is essential for an almost political reason. For behind the technical debate lies a narrative battle around old coins, dormant coins, Satoshi-era coins, and more generally anything that hasn't moved in a long time. If a portion of historically exposed UTXOs were to become theoretically vulnerable to an actor with credible quantum capability, Bitcoin would face an awful choice. Either the network allows it to happen, in the name of procedural purity, and accepts that a technologically advanced predator captures old but valid funds from the perspective of old rules. Or the network intervenes upstream, by changing acceptance rules and organizing a forced or semi-forced migration. In the first case, Bitcoin saves its legal absolutism but risks a major economic and symbolic shock. In the second, it protects the system at the cost of a deviation from its image of absolute neutrality. Charming menu.
We can then understand why BIP-361 is not just a technical proposal. It is a maturity test for Bitcoin. An almost civilizational test, on the scale of a monetary protocol. For a long time, Bitcoin culture thrived on the idea that time was on its side. The more years passed, the more robust the network seemed, the more proof-of-work showed its resilience, the more expected attacks resembled threats already absorbed by history. Quantum reverses this feeling. It introduces the possibility that an external, slow risk, outside the usual logic of network attacks, could strike not Bitcoin's monetary policy, nor its pure decentralization, but the mathematical foundation that secures access to funds. This is another category of threat. Colder. Deeper. Almost humiliating, ultimately, because it reminds us that even a protocol designed to last is never above the evolution of science.
However, we must keep a cool head. The real world does not confirm an imminent panic, but it confirms something much more important: the post-quantum transition has already begun elsewhere. In August 2024, NIST published its first three finalized post-quantum cryptography standards: ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205), a hash-based signature scheme kept as a backup precisely because it rests on different mathematics from the two lattice-based schemes. Then, in March 2025, NIST selected HQC, a code-based scheme, as an additional key-encapsulation algorithm, again with the explicit aim of having an alternative from another mathematical family. This timeline says something very clear: serious cryptography institutions are no longer asking if the transition needs to be prepared. They are already busy structuring it. The real question is no longer "should we think about it?" but "how long does it take to migrate properly without breaking everything?"
And this is where Bitcoin has a very particular problem. Large conventional IT infrastructures can plan cryptographic migrations with circulars, regulatory deadlines, vendor contracts, and maintenance windows. It's painful, it's costly, it's bureaucratic, but it's doable. Bitcoin, however, does not operate like a Ministry of Interior or a central bank. It's not enough to send an email titled "please migrate by Tuesday." Any profound evolution requires social, software, economic, and ideological coordination of rare complexity. Developers, nodes, businesses, wallets, custodians, individual users, miners, and incidentally all the usual hysterics who scream betrayal as soon as a comma is changed, must be convinced. A post-quantum migration on Bitcoin would therefore be, by definition, slow, debated, contested, dissected. This is not a weakness. It is the price of decentralization. But it is also why waiting until the last moment would be stupid.
BIP-361 starts precisely from this reality. Its strongest intuition is not "quantum is coming tomorrow," but "if one day we have to move, we'll need to have made the movement conceivable long before." This is an almost psychological idea. Bitcoin hates surprises. The protocol thrives on predictability. Its halvings are known in advance. Its issuance is codified. Its rhythm transforms time into a rule. BIP-361 seeks to apply this logic to a possible security transition: announce, prepare, phase, make costs legible, transform a vague threat into an intelligible calendar. In this sense, the BIP is consistent with the deep culture of Bitcoin. Where it becomes unsettling is when this predictability is accompanied not just by an option, but by a future tightening of rules for those who would lag behind.
This is where criticisms will multiply, and not all of them will be foolish. Some will say that the BIP opens a dangerous slippery slope. If we accept that a protocol can, in the name of a future risk, declare certain forms of ownership too risky to continue existing as before, then the line between legitimate adaptation and cryptographic interventionism becomes less clear. Others will recall that dormant coins, even if they seem "lost," should not be redefined by an improvised technical tribunal. After all, no one signed up for a currency where forgetfulness, old prudence, or simply not following the news for ten years can transform a theoretical right into a logistical problem. And there is a serious objection here: collective security must not become a convenient pretext for an opportunistic rewriting of ownership.
But the opposite objection is just as powerful. For those who advocate active preparation will respond that neutrality is not passivity. A monetary protocol has no duty to let itself be bled dry in the name of legal romanticism, especially if migration paths have been proposed well in advance. They will also say that there is nothing noble in allowing a technologically dominant actor to siphon old UTXOs on the grounds that "the rules were there." The rules, precisely, are there to defend the integrity of the system, not to offer a jackpot to the first entity capable of exploiting a historical mathematical breakthrough. If quantum brings about a change of ground, then refusing to move out of dogmatism might be less a proof of fidelity than a demonstration of foolishness. And on this point, to be honest: they would not be entirely wrong.
What makes the scene even more interesting is that the quantum debate does not only concern the integrity of some old coins. It also touches on users' daily behavior. In a world where the post-quantum transition becomes serious, good operational hygiene would take on new prominence. Reusing addresses, unnecessarily exposing public keys, letting funds lie dormant in old formats, postponing software migrations out of laziness or superstition: all of this would no longer be just mediocre tinkering, but a way of voluntarily settling into the most fragile zone of the future. In other words, quantum security is not just a matter for developers. It would also become a matter of user discipline, as were in their time the backup of seeds, the verification of addresses, or the refusal to leave one's coins on a centralized platform. Bitcoin has always rewarded people who take sovereignty seriously. Quantum would only add a new layer to this old lesson.
One must also resist a mediocre temptation: to turn this debate into a marketing circus. We already see fear-mongers, prophets with red thumbnails, sellers of "quantum-safe" tokens explaining, with a shark's smile, that Bitcoin would be a doomed dinosaur. This is absurd. BIP-361 shows the exact opposite. It shows that instead of denying the issue, some within the Bitcoin ecosystem prefer to start formalizing it. This is not a sign of terminal weakness. It is a sign of a living protocol, lucid enough to consider its vulnerabilities without sinking into panic. Saying that Bitcoin is thinking about the post-quantum era does not mean that Bitcoin is doomed. It means that Bitcoin is doing what a serious monetary system must do: anticipate long-term shocks instead of discovering them with the fire already in the curtains.
The most important question remains, one that few people articulate correctly. Does BIP-361 protect Bitcoin, or does it modify Bitcoin to the point of making it less true to itself? The honest answer is that both possibilities still coexist. Since the BIP is in draft, it should be read as an intellectual front line, not as a final decision. Its interest is not to provide a definitive solution today, but to force the ecosystem to articulate what it considers non-negotiable. Should historical property be preserved at all costs, even in the face of a structural cryptographic risk? Can a forced migration be acceptable if it is announced very early, clearly, and motivated by the survival of the system? Is a mechanism for recovering old funds a rational assurance or an infernal Pandora's box? All these questions already existed in the background. BIP-361 simply had the brutal elegance to put them on the table.
Ultimately, quantum security acts here as a philosophical revealer. As long as Bitcoin mainly faced hostile states, nervous central banks, uneducated media, and feverish regulators, the narrative remained almost comfortable. The protocol resisted the human world, its manipulations, its censorship, its monetary illusions. Quantum shifts the scene. It reminds us that the enemy is not always an institution or an ideology. Sometimes, the enemy is simply the evolution of computational capabilities and the gradual obsolescence of certain technical foundations. And this forces Bitcoin to prove that it is not only a revolt against the fiat system, but also a structure capable of navigating scientific paradigm shifts without losing its soul. This is more difficult. And much more interesting.
It would therefore be foolish to conclude that BIP-361 heralds the collapse of Bitcoin. It would be just as foolish to conclude that it is useless because quantum computers capable of cracking secp256k1 are not yet here. The correct diagnosis is more demanding. BIP-361 is a sign that Bitcoin is entering an age where security can no longer be thought of solely as political, economic, or social resistance. It must also be thought of as cryptographic agility, that is, as the ability to preserve the fundamental properties of the system while evolving the mathematical building blocks that support them. This idea may displease purists. Too bad. A currency that claims to last for centuries cannot behave like a sect convinced that its first language will be eternally sufficient.
The real question, then, is not whether BIP-361 will go all the way as is. It would even be surprising if it did without major modifications. The real question is whether Bitcoin will have the courage to prepare a credible response in time to a slow, complex, still incompletely defined threat, but one that cannot be casually dismissed. And to this question, there is no final answer yet. Only camps, intuitions, red lines, anxieties, calculations, and a nascent mapping. But that's already huge. Because in Bitcoin, major battles often begin this way: not with a sudden change, but with a still fragile proposal, submitted almost discreetly, which eventually reveals everything the network thinks about itself. BIP-361 is of this nature. Behind its appearance as a technical draft, it holds a mirror up to Bitcoin. Not the flattering mirror of scarcity or price. A rougher mirror. That of its ability to survive the future without betraying itself.
And perhaps that's why the subject deserves to be taken seriously now. Not because panic is justified. It is not. Not because a quantum machine is about to wake up Satoshi's coins tomorrow morning. There's no evidence to support that. But because a serious monetary civilization does not prepare when the danger is already visible to the naked eye. It prepares when the danger is still just a shape on the horizon, clear enough to force lucid minds out of denial, not yet close enough to excuse haste. This is exactly where Bitcoin stands today regarding quantum. Between alarmism and inertia. Between fantasy and strategy. Between fidelity to the past and the instinct for survival. BIP-361 does not yet bring peace to this terrain. It does better. It opens the necessary war.