BIP-360 Interpretation: Bitcoin's First Step Toward Quantum Defense, But Why It's Only "The First Move"?

This article explains how BIP-360 is reshaping Bitcoin’s quantum resistance strategy, analyzes its improvements, and discusses why full post-quantum security has not yet been achieved.

Written by: Cointelegraph

Translated by: AididiaoJP, Foresight News

Key Points

  • BIP-360 is the first proposal to formally incorporate quantum resistance into Bitcoin’s development roadmap, marking a cautious, incremental technological evolution rather than a radical overhaul of cryptographic systems.
  • Quantum risks mainly threaten exposed public keys, not the SHA-256 hash algorithm used by Bitcoin. Therefore, reducing public key exposure is a core security focus for developers.
  • BIP-360 introduces Pay-to-Merkle-Root (P2MR) scripts, removing the key-path spending option in the Taproot upgrade, forcing all UTXOs to be spent via script paths, thereby minimizing the risk of elliptic curve public key exposure.
  • P2MR retains the flexibility of smart contracts, supporting multi-signature, timelocks, and complex custody structures through Tapscript Merkle trees.

Bitcoin’s design philosophy enables it to withstand severe economic, political, and technological challenges. As of March 10, 2026, its developer community is actively addressing an emerging technological threat: quantum computing.

The recently proposed Bitcoin Improvement Proposal 360 (BIP-360) is the first proposal to officially include quantum resistance in Bitcoin’s long-term technical roadmap. While some media portray it as a major breakthrough, the reality is more cautious and gradual.

This article will explore how BIP-360, by introducing P2MR scripts and removing Taproot’s key-path spending, reduces Bitcoin’s quantum exposure. It aims to clarify the proposal’s improvements, trade-offs, and why full post-quantum security has yet to be realized.

Sources of Quantum Threats to Bitcoin

Bitcoin’s security relies on cryptography, primarily the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Schnorr signatures introduced via Taproot. Classical computers cannot feasibly derive private keys from public keys. However, a sufficiently powerful quantum computer running Shor’s algorithm could solve the elliptic curve discrete logarithm problem, threatening private key security.

Key distinctions:

  • Quantum attacks mainly threaten public key cryptography, not hash functions. Bitcoin’s SHA-256 remains relatively robust against quantum attacks; Grover’s algorithm offers quadratic speedup, not exponential.
  • The real risk arises when public keys are exposed on the blockchain.

Therefore, the community generally considers public key exposure as the primary quantum threat.

Potential Weaknesses in Bitcoin by 2026

Different address types in Bitcoin face varying levels of future quantum threat:

  • Reused addresses: When funds are spent from an address, its public key becomes visible on-chain. If cryptographically relevant quantum computers (CRQCs) emerge in the future, that public key could be at risk.
  • Legacy Pay-to-Pubkey (P2PK) outputs: Early Bitcoin transactions directly embed public keys in outputs.
  • Taproot key-path spends: Taproot (2021) offers two spending paths: a simple key-path (exposing a tweaked public key) and a script path (revealing specific scripts via Merkle proofs). The key-path is the most vulnerable under quantum attacks.

BIP-360 specifically targets the public key exposure issue.

Core of BIP-360: Introducing P2MR

BIP-360 proposes a new output type called Pay-to-Merkle-Root (P2MR). Structurally similar to Taproot, it makes a key change: completely removing the key-path spending option.

Unlike Taproot, which commits to an internal public key, P2MR only commits to the Merkle root of a script tree. Spending a P2MR output involves:

  • Revealing a leaf script from the script tree.
  • Providing a Merkle proof to verify that the leaf belongs to the committed Merkle root.

Throughout this process, no public key-based spending path exists.
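
The spend-time check described above, as an added example (not code from BIP-360 or the original article). It assumes P2MR reuses Taproot's BIP-341 tagged hashes (TapLeaf, TapBranch) and leaf version 0xc0; the leaf scripts are constructed placeholder bytes, not real Script.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP-341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def leaf_hash(script: bytes, version: int = 0xC0) -> bytes:
    """TapLeaf hash: leaf version, compact-size script length, script bytes."""
    n = len(script)
    size = bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")
    return tagged_hash("TapLeaf", bytes([version]) + size + script)

def branch_hash(a: bytes, b: bytes) -> bytes:
    """TapBranch hash; children are sorted, so a proof needs no left/right bits."""
    return tagged_hash("TapBranch", min(a, b) + max(a, b))

def build_tree(scripts):
    """Return (merkle_root, proofs); proofs[i] lists sibling hashes for scripts[i]."""
    level = [leaf_hash(s) for s in scripts]
    members = [[i] for i in range(len(scripts))]   # leaf indexes under each node
    proofs = [[] for _ in scripts]
    while len(level) > 1:
        nxt, nxt_members = [], []
        for j in range(0, len(level) - 1, 2):
            for i in members[j]:
                proofs[i].append(level[j + 1])
            for i in members[j + 1]:
                proofs[i].append(level[j])
            nxt.append(branch_hash(level[j], level[j + 1]))
            nxt_members.append(members[j] + members[j + 1])
        if len(level) % 2:                         # odd node is carried up unpaired
            nxt.append(level[-1])
            nxt_members.append(members[-1])
        level, members = nxt, nxt_members
    return level[0], proofs

def verify_spend(committed_root: bytes, script: bytes, proof) -> bool:
    """Hash the revealed leaf, fold in the siblings, compare to the output's root."""
    node = leaf_hash(script)
    for sibling in proof:
        node = branch_hash(node, sibling)
    return node == committed_root

# Constructed placeholder leaves (opaque bytes standing in for real Tapscript).
SCRIPTS = [b"leaf-0: 2-of-3 multisig", b"leaf-1: timelocked recovery", b"leaf-2: heir"]
ROOT, PROOFS = build_tree(SCRIPTS)
```

Only the revealed leaf and its sibling hashes appear in the proof; the other leaves stay hidden behind their hashes, and a leaf that was never committed cannot be folded into the root.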

The direct effects of removing the key-path spending include:

  • Avoiding public key exposure through signature verification.
  • All spending relies on hash-based commitments with stronger quantum resistance.
  • The number of elliptic curve public keys permanently on-chain will be significantly reduced.
  • Compared to schemes relying on elliptic curve assumptions, hash-based methods offer substantial advantages against quantum attacks, greatly reducing potential attack surfaces.

Features Preserved by BIP-360

A common misconception is that abandoning the key-path spending weakens Bitcoin’s smart contract or scripting capabilities. In fact, P2MR fully supports:

  • Multi-signature configurations
  • Timelocks
  • Conditional payments
  • Asset inheritance schemes
  • Advanced custody arrangements

BIP-360 achieves all these via Tapscript Merkle trees. It preserves full scripting flexibility while discarding the convenient but potentially risky direct signature paths.

Background: Satoshi Nakamoto briefly discussed quantum computing in early forums, suggesting that if it became practical, Bitcoin could migrate to stronger signature schemes. This indicates that leaving room for future upgrades was part of the initial design philosophy.

Impact of BIP-360 in Practice

While seemingly a purely technical improvement, BIP-360 will broadly impact wallets, exchanges, and custody services. If adopted, it will gradually reshape how new Bitcoin outputs are created, spent, and stored, especially affecting users prioritizing long-term quantum resistance.

  • Wallet support: Wallets may offer optional P2MR addresses (possibly starting with “bc1z”) as a “quantum-resistant” option for receiving new coins or holding long-term assets.
  • Transaction fees: P2MR transactions, relying on script paths, will include more witness data than Taproot key-path spends, potentially increasing transaction size and fees. This reflects a trade-off between security and transaction compactness.
  • Ecosystem coordination: Full deployment of P2MR requires updates across wallets, exchanges, custodians, and hardware wallets. Planning and coordination should begin years in advance.

Background: Some governments have started to focus on the “collect now, decrypt later” threat, collecting encrypted data now to decrypt with future quantum computers. This strategy echoes concerns about public key exposure in Bitcoin.

Limitations of BIP-360

Although BIP-360 enhances Bitcoin’s defenses against future quantum threats, it is not a complete overhaul of cryptographic systems. Its limitations include:

  • Existing assets are not automatically upgraded: All unspent transaction outputs (UTXOs) remain vulnerable until users actively transfer funds to P2MR outputs. Migration depends on individual user actions.
  • It does not introduce new post-quantum signatures: BIP-360 does not adopt lattice-based schemes (e.g., Dilithium, ML-DSA) or hash-based signatures (e.g., SPHINCS+) to replace ECDSA or Schnorr. It only removes the public key exposure mode in Taproot key-paths. A full transition to post-quantum signatures at the protocol level would require a much larger upgrade.
  • It cannot provide absolute quantum immunity: If practical CRQCs emerge suddenly, defending against their impact will require large-scale, coordinated efforts among miners, nodes, exchanges, and custodians. Long-dormant “sleeping coins” could pose governance challenges and network stress.

Developers’ Forward-Looking Planning

The development path of quantum computing remains uncertain. Some believe practical quantum computers are decades away, while others point to:

  • IBM’s fault-tolerant quantum computer goals in the late 2020s
  • Google’s breakthroughs in quantum chips
  • Microsoft’s research in topological quantum computing
  • U.S. government’s 2030–2035 cryptography transition deadlines

Transitioning critical infrastructure takes a long time. Bitcoin developers emphasize the need for systematic planning across BIP design, software implementation, infrastructure adaptation, and user adoption. Acting only when quantum threats are imminent risks being too late.

If the community reaches broad consensus, BIP-360 could be implemented gradually via soft forks:

  • Activate the new P2MR output type.
  • Wallets, exchanges, and custodians progressively support it.
  • Users migrate assets over several years in a phased manner.

This approach mirrors the path of SegWit and Taproot upgrades, from optional adoption to widespread use.

Community Discussions Surrounding BIP-360

There is ongoing debate about the urgency and costs of implementing BIP-360. Key questions include:

  • Is the slight fee increase for long-term holders acceptable?
  • Should institutional users lead by example in migrating assets?
  • How to handle “sleeping” Bitcoin that will never be moved?
  • How should wallets communicate “quantum safety” to users—avoiding unnecessary panic while providing accurate information?

These discussions continue. The proposal has spurred important conversations but does not resolve all issues.

Background: The theoretical threat of quantum computers capable of breaking current cryptography dates back to 1994, with Peter Shor’s algorithm. This predates Bitcoin by decades. Bitcoin’s planning for future quantum threats is essentially a response to this longstanding theoretical breakthrough.

Current User Actions

Quantum threats are not imminent, so users need not panic. However, some prudent measures include:

  • Avoid address reuse.
  • Use the latest wallet software versions.
  • Follow Bitcoin protocol upgrade developments.
  • Watch for wallet support for P2MR addresses.
  • Large holders should quietly assess their risk exposure and consider contingency plans.

BIP-360: A Step Toward a Quantum-Resistant Era

BIP-360 marks a concrete first step in reducing Bitcoin’s quantum exposure at the protocol level. It redefines how new outputs are created, minimizes accidental public key leaks, and lays groundwork for long-term migration.

It does not automatically upgrade existing Bitcoin holdings, retains current signature schemes, and underscores that achieving true quantum resistance requires careful, coordinated, ongoing effort across the entire ecosystem. This depends on long-term engineering, phased community adoption, and cannot be achieved by a single BIP alone.
