Bitcoin Proposal Would Give Holders a Deadline to Upgrade Wallets or Lose Funds
A new Bitcoin Improvement Proposal submitted Tuesday would phase out older signature formats within five years, placing an estimated 6.7 to 6.9 million BTC at risk of becoming permanently unspendable if holders do not migrate to quantum-resistant addresses.

Developers Jameson Lopp of Casa, Christian Papathanasiou of BitcoinQS, and four co-authors (Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers) formally submitted BIP-361, titled "Post Quantum Migration and Legacy Signature Sunset," to the Bitcoin BIPs repository on April 15, 2026. The proposal targets mainnet activation on January 1, 2027, and responds to accelerating research suggesting that quantum computers capable of breaking Bitcoin's cryptographic foundations could arrive as early as 2027, with most estimates placing the window at 2027 to 2030.
What the Proposal Does
BIP-361 works in two enforcement phases and one experimental third phase.
To understand the migration requirement, it helps to know what BIP-361 is paired with. BIP-360, titled "Pay to Quantum Resistant Hash," introduced a new post-quantum address format using Winternitz One-Time Signatures (WOTS+), a hash-based scheme considered resistant to quantum attacks. BIP-360 defines where funds should go; BIP-361 enforces when they must leave.
In Phase A, spanning roughly three years after activation (approximately 160,000 blocks), the network would stop accepting new transactions sent to older address formats. Existing balances in those addresses would remain spendable, but only if sent to post-quantum (PQ) compatible destinations. Phase B kicks in two years after Phase A concludes. At that point, any Bitcoin still sitting in legacy addresses would be frozen permanently at the network level. The proposal also describes a speculative Phase C that could allow recovery of frozen coins using zero-knowledge proofs tied to an HD wallet seed phrase, though that mechanism is still under cryptographic research and carries no activation timeline.
To take effect, the proposal requires 90% miner support, meaning 1,815 out of every 2,016 blocks in a signaling window must signal approval. This threshold is enforced via a modified BIP9 version-bits mechanism, the technical path that allows miners to coordinate activation.
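The counting behind that threshold, as an added example (not code from the BIP or its authors): plain BIP9 version-bits signalling evaluated over one 2,016-block window with the 1,815-block threshold. The signalling bit and the sample header versions are hypothetical, and BIP-361's modifications to BIP9 are not modelled.

```python
# Added example: plain BIP9 signalling with the article's 1,815-of-2,016 threshold.
WINDOW = 2016               # blocks per signalling period
THRESHOLD = 1815            # threshold quoted in the article (about 90%)
TOP_BITS_MASK = 0xE0000000  # BIP9: top three bits of nVersion must be 001
TOP_BITS = 0x20000000
SIGNAL_BIT = 4              # hypothetical: the article does not name a bit


def signals(version: int, bit: int = SIGNAL_BIT) -> bool:
    """True if a block header version signals readiness on `bit`."""
    return (version & TOP_BITS_MASK) == TOP_BITS and bool((version >> bit) & 1)


def count_signals(versions, bit: int = SIGNAL_BIT) -> int:
    if len(versions) != WINDOW:
        raise ValueError(f"expected {WINDOW} header versions, got {len(versions)}")
    return sum(signals(v, bit) for v in versions)


def next_state(state, versions, mtp, start, timeout, bit=SIGNAL_BIT):
    """One BIP9 transition at a period boundary.

    mtp is the median-time-past at the boundary; start and timeout are the
    deployment's parameters (Unix times, assumed values in this example).
    """
    if state == "DEFINED":
        if mtp >= timeout:
            return "FAILED"
        return "STARTED" if mtp >= start else "DEFINED"
    if state == "STARTED":
        if mtp >= timeout:
            return "FAILED"
        if count_signals(versions, bit) >= THRESHOLD:
            return "LOCKED_IN"
        return "STARTED"
    if state == "LOCKED_IN":
        return "ACTIVE"     # activates one full period after lock-in
    return state            # ACTIVE and FAILED are terminal


def sample_window(n_signalling: int, bit: int = SIGNAL_BIT):
    """Constructed input: n signalling headers, the rest non-signalling."""
    yes = TOP_BITS | (1 << bit)
    return [yes] * n_signalling + [TOP_BITS] * (WINDOW - n_signalling)
```

A header whose top bits are not 001 never counts, even with the bit set, which is why a node operator auditing signalling has to check the whole version field rather than the single bit.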
The Quantum Threat Behind the Proposal
Bitcoin currently relies on two signature schemes: ECDSA (Elliptic Curve Digital Signature Algorithm) and Schnorr signatures. Both are vulnerable to Shor's algorithm, which a powerful enough quantum computer could use to derive a private key from its public key. Any address that has already sent a transaction has exposed its public key on-chain and is therefore theoretically at risk.
The proposal's authors highlight a particular danger they describe as the covert attack scenario. A quantum-equipped adversary could silently derive private keys from exposed public keys and wait before draining funds, making the theft difficult to detect or trace. This risk is a primary justification the authors offer for imposing hard deadlines rather than relying on voluntary migration.
Google Quantum AI published research in early 2026 suggesting that a cryptographically relevant quantum computer could break Bitcoin's ECDSA protections using fewer than 500,000 physical qubits, a threshold far below earlier projections. A separate Google analysis estimated the process could take under nine minutes on a sufficiently advanced machine. McKinsey, academic researchers, and BIP-361's own authors place the likely arrival window for such a machine at 2027 to 2030. Bernstein analysts have separately characterized the quantum threat as real but manageable and no longer a distant, decade-long concern. Their framing is notably more measured than the urgency expressed in BIP-361, and they have not endorsed a specific arrival timeline for a cryptographically relevant quantum computer.
In August 2024, NIST formally standardized SPHINCS+/SLH-DSA as a post-quantum cryptographic algorithm, establishing that quantum-resistant cryptography is mature enough for real-world deployment and providing the technical baseline for migration efforts like BIP-361.
One significant technical and economic concern in the developer community involves the size of post-quantum signatures. Current Bitcoin ECDSA and Schnorr signatures are approximately 64 bytes, while leading post-quantum alternatives such as SPHINCS+/SLH-DSA produce signatures of 8 kilobytes or more. That increase raises concerns about blockchain bloat, higher transaction fees, and reduced throughput, all of which factor into the community debate over whether BIP-361's requirements are practical at scale.
Approximately 34% of Bitcoin's total supply had already exposed its public key through on-chain activity as of March 1, 2026. That figure covers an estimated 6.7 to 6.9 million BTC, with around 1.7 million BTC sitting in older Pay-to-Public-Key (P2PK) format addresses, considered the most vulnerable category.
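A wallet-side audit of that exposure, as an added example (not code from the proposal): it classifies a scriptPubKey by standard template and reports whether the public key is visible in the output itself or only after a spend. It goes beyond P2PK to the other standard templates; the sample scripts in the test data are constructed, and `address_spent_before` is a hypothetical flag the caller supplies from its own transaction history.

```python
# Added example: when does a standard output type put its public key on-chain?
KEY_IN_OUTPUT = {"P2PK", "P2TR"}                     # key sits in the UTXO itself
KEY_ON_SPEND = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}  # only a hash until spent
KNOWN_WITNESS = {(0, 22): "P2WPKH", (0, 34): "P2WSH", (1, 34): "P2TR"}


def classify(script_hex: str) -> str:
    """Match a scriptPubKey (hex) against the standard output templates."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # <33- or 65-byte pubkey push> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    # OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    # Witness program: version opcode (OP_0, OP_1..OP_16) + one 2..40-byte push
    if 4 <= n <= 42 and (s[0] == 0x00 or 0x51 <= s[0] <= 0x60) and s[1] == n - 2:
        version = 0 if s[0] == 0x00 else s[0] - 0x50
        if (version, n) in KNOWN_WITNESS:
            return KNOWN_WITNESS[(version, n)]
        # v0 with another length is invalid; higher versions have no rule here,
        # which is how software that predates a new output type sees it
        return "NONSTANDARD" if version == 0 else f"WITNESS_V{version}_UNKNOWN"
    return "NONSTANDARD"


def key_exposure(script_hex: str, address_spent_before: bool = False):
    """Return (template, status) with status exposed, hashed or unknown."""
    kind = classify(script_hex)
    if kind in KEY_IN_OUTPUT:
        return kind, "exposed"
    if kind in KEY_ON_SPEND:
        # a hashed output is only safe while its address has never been spent from
        return kind, ("exposed" if address_spent_before else "hashed")
    return kind, "unknown"
```

Run over a wallet's unspent outputs, the "exposed" rows are the ones to prioritise when planning a migration.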
The authors defend the hard deadline approach directly. "This is not an offensive attack, rather, it is defensive: our thesis is that the Bitcoin ecosystem wishes to defend itself," they wrote in response to community criticism.
Community Pushback
Not everyone agrees the proposal strikes the right balance. Critics on social media have raised concerns about the principle of forced migration. "This quantum proposal is highly authoritarian and confiscatory," wrote one user on X. Another described it as "central planning with deadlines, behavior coercion." The debate reflects a longstanding tension in Bitcoin between security upgrades and the network's foundational commitment to property rights and protocol immutability.
Bernstein analysts offered a more measured framing, one that differs from the urgency expressed by BIP-361's authors and from the timeline consensus among McKinsey and academic researchers. "Quantum should be seen as a medium to long term system upgrade cycle rather than a risk," according to a note from Bernstein analysts led by Gautam Chhugani, published April 8.
What This Means for Users in Emerging Markets
The stakes are especially high for Bitcoin holders in South Asia and Sub-Saharan Africa, two of the fastest-growing regions for self-custodied Bitcoin use.
India currently ranks first globally in crypto adoption, with over 60 million combined users on exchanges WazirX and CoinDCX, and Pakistan ranks eighth, with significant P2P Bitcoin activity tied to cross-border remittances. Pakistan's regulatory environment is also formalizing: the newly established Pakistan Crypto Council and the planned PVARA regulatory body signal a maturing ecosystem that will need to address wallet migration requirements as BIP-361 moves forward.
Both markets have large legacy wallet user bases built through years of peer-to-peer trading, often on older software. Based on available adoption data, analysts infer that much of this software may not yet support post-quantum address formats, though no dedicated on-chain study of address-type distribution by country was available at the time of writing.
Nigeria ranks second globally in the 2026 adoption index, with 18% of internet users holding crypto wallets. Sub-Saharan Africa as a whole recorded 180% year-over-year growth in stablecoin transfers, and wallet adoption across the region grew 38% year over year. The region now has four countries in the global top 20 for crypto adoption, up from two in 2024, with Ethiopia (10th), Kenya (13th), and Ghana (20th) joining Nigeria.
For grassroots holders in these markets, the practical barriers are real. Quantum-safe Bitcoin migration is possible today without a soft fork, but it costs an estimated $200 per transaction under currently available methods; that figure is early-stage and subject to change as tooling matures. That cost is prohibitive for small-balance holders. Based on available adoption data, analysts infer that many users in Nigeria, Kenya, Ethiopia, and Ghana hold Bitcoin on older devices with infrequent software updates, though no dedicated regional study confirms this directly. Community awareness of address-type risk also remains limited.
An additional risk in these markets involves exchange infrastructure. Older nodes that have not been upgraded treat post-quantum witness programs as anyone-can-spend outputs, meaning regional exchanges that delay upgrades could inadvertently expose user funds to theft during the transition window. This makes timely software updates by exchange operators a matter of direct user protection, not merely regulatory compliance.
Kenya's Virtual Asset Service Providers Act, which came into force in November 2025, represents meaningful regulatory infrastructure for the country's digital asset sector, even though it does not yet address quantum migration standards. Wallet providers and exchanges operating across these regions will need to integrate BIP-360 output types before Phase A takes effect.
What Comes Next
BIP-361 now enters the Bitcoin developer review process, alongside its companion BIP-360, which will face its own round of technical scrutiny. Achieving 90% miner signaling is a high bar, and both proposals will face sustained technical and philosophical debate before any activation can proceed. Adoption will also depend on node operators and wallet developers, not miners alone, as the entire network must upgrade to recognize new address formats. If activation proceeds on January 1, 2027, Phase A would begin immediately, barring new transactions to legacy addresses. Phase B, which would freeze any remaining legacy balances, would follow approximately five years after activation. The authors have flagged Phase C recovery as contingent on further cryptographic research. Whether the broader community accepts a hard deadline for legacy signatures, or demands a softer migration path, will likely define the debate around Bitcoin's quantum readiness for the rest of this year.