BIP-361 would phase out legacy Bitcoin signatures

Researchers published a draft proposal, BIP-361, that would stage a multi-year transition to restrict and then invalidate legacy Bitcoin outputs whose public keys are already visible on the blockchain. The draft sets deadlines that would first prevent new transactions to vulnerable address types and later block spending from existing ECDSA and Schnorr outputs that expose public keys.

The proposal targets address formats such as pay-to-public-key (P2PK) and other early outputs where the public key is onchain. The draft states that more than one third of bitcoin in circulation has exposed public keys, which the authors say creates a sizeable attack surface if quantum computers become capable of deriving private keys from public keys.

Under the plan, an initial phase would stop the network from accepting new transactions that send coins to the vulnerable formats. Subsequent phases would reject transactions that use the exposed ECDSA or Schnorr signature schemes, progressively restricting and eventually cutting off spending from outputs that have not been migrated to quantum-resistant alternatives. The authors propose a fixed migration window lasting several years to give wallets, exchanges and custodians time to move funds.

The draft discusses a possible recovery mechanism for coins left behind after the migration window. The mechanism would likely rely on zero-knowledge proofs tied to seed phrases, but the authors note technical details and social coordination requirements remain under development.

The proposal describes a potential stealth risk: a quantum-capable attacker could derive private keys without immediate detection and transfer stolen coins later to avoid raising alarms. BIP-361 aims to reduce the total number of onchain public keys available for future exploitation rather than wait for a quantum breakthrough.

The plan has prompted debate in the Bitcoin community about timing and approach. A recent report from a technology firm suggested practical quantum attacks could appear sooner than many expected and mentioned a tentative transition window around 2029. Other researchers have proposed alternative technical paths, including methods to make transactions quantum-safe without a soft fork, reflecting a lack of consensus on the best engineering route.

Adopting BIP-361 would require broad coordination across Bitcoin’s decentralized stakeholders. The draft notes that Bitcoin’s protocol changes have historically involved long coordination periods among developers, node operators, wallet providers, exchanges and custodians. The proposal remains a draft and next steps include community review, technical discussion and consensus-building to determine whether and how to proceed.