
BIP-360 Interpretation: Bitcoin Takes Its First Step Towards Quantum Defense, But Why is It Only the "First Step"?

深潮TechFlow
This article explains how BIP-360 reshapes Bitcoin's quantum defense strategy, analyzes its improvements, and explores why it has not yet achieved comprehensive post-quantum security.

Written by: Cointelegraph

Translated by: AididiaoJP, Foresight News

Key Points

  • BIP-360 officially incorporates quantum resistance into Bitcoin's development roadmap for the first time, marking a cautious, gradual technological evolution rather than a radical change in the cryptographic system.
  • Quantum risk primarily threatens exposed public keys rather than the SHA-256 hash algorithm used by Bitcoin. Therefore, reducing public key exposure has become the core security issue for developers to address.
  • BIP-360 introduces a Pay-to-Merkle-Root (P2MR) output type. By removing the key path spending option that the Taproot upgrade introduced, it ensures that every spend of such an output must go through a script path, minimizing the exposure of elliptic curve public keys.
  • P2MR retains the flexibility of smart contracts, still supporting multi-signature, time locks, and complex custodial structures through Tapscript Merkle trees.

Bitcoin's design philosophy enables it to withstand severe economic, political, and technological challenges. As of March 10, 2026, its developer team is addressing an emerging technological threat: quantum computing.

The recently released Bitcoin Improvement Proposal 360 (BIP-360) formally includes quantum resistance in Bitcoin's long-term technical roadmap for the first time. While some media reports tend to describe it as a significant transformation, the reality is much more cautious and gradual.

This article examines how BIP-360 reduces Bitcoin's quantum risk exposure by introducing a Pay-to-Merkle-Root (P2MR) output type that removes the key path spending feature of Taproot. The aim is to clarify what the proposal improves, the trade-offs it introduces, and why it does not yet give Bitcoin complete post-quantum security.

Sources of Quantum Threats to Bitcoin

The security of Bitcoin rests on public key cryptography, primarily the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Schnorr signatures introduced through the Taproot upgrade. Classical computers cannot derive a private key from its public key in a feasible amount of time. However, a sufficiently powerful quantum computer running Shor's algorithm could potentially solve the elliptic curve discrete logarithm problem, jeopardizing private key security.

Key distinctions include:

  • Quantum attacks mainly threaten public key cryptosystems, not hash functions. The SHA-256 algorithm used by Bitcoin is relatively robust against quantum computation. Grover's algorithm only offers quadratic speedup, not exponential.
  • The real risk lies in the moment when the public key is made public on the blockchain.

Based on this, the community generally sees public key exposure as the primary source of quantum risk.

Potential Vulnerabilities of Bitcoin in 2026

The various types of addresses in the Bitcoin network face different levels of future quantum threats:

  • Reused addresses: When funds from an address are spent, its public key becomes exposed on-chain. Once a cryptographically relevant quantum computer (CRQC) appears, any funds still held at that address are at risk.
  • Legacy pay-to-public-key (P2PK) outputs: Early Bitcoin transactions wrote the public key directly into the transaction output.
  • Taproot key path spending: The Taproot upgrade (2021) provides two spending paths: a concise key path (which reveals a tweaked public key when spent) and a script path (which reveals a specific script together with a Merkle proof). Of the two, the key path is the primary theoretical vulnerability under quantum attack.

BIP-360 is directly designed to address the issue of key path exposure.

Core Content of BIP-360: Introduction of P2MR

The BIP-360 proposal introduces a new output type called Pay-to-Merkle-Root (P2MR). This type structurally resembles Taproot but makes a critical change: it completely removes the key path spending option.

Unlike Taproot, which commits to an internal public key, P2MR only commits to the Merkle root of the script tree. The process for spending P2MR outputs is as follows:

  • Reveal one leaf script from the script tree.
  • Provide a Merkle proof to confirm that the leaf script belongs to the committed Merkle root.

Throughout this process, there are no public key-based spending paths.

The direct impacts of removing the key path spending include:

  • Avoiding exposure of the public key due to direct signature verification.
  • All spending paths rely on hash-based commitments that offer stronger quantum resistance.
  • The number of elliptic curve public keys that exist on-chain in the long term will significantly decrease.
  • Compared to solutions relying on elliptic curve assumptions, hash-based methods have significant advantages in resisting quantum attacks, thus drastically reducing potential attack surfaces.

Features Retained by BIP-360

A common misconception is that abandoning key path spending will weaken Bitcoin's smart contract or scripting capabilities. In fact, P2MR fully supports the following features:

  • Multi-signature configuration
  • Time locks
  • Conditional payments
  • Asset inheritance schemes
  • Advanced custodial arrangements

BIP-360 achieves all the above functions through Tapscript Merkle trees. This solution retains full scripting capabilities while discarding the convenient but potentially risky direct signature path.

Background knowledge: Satoshi Nakamoto briefly mentioned quantum computing in early forum discussions, suggesting that if it became a reality, Bitcoin could transition to stronger signature schemes. This implies that reserving flexibility for future upgrades is part of its initial design philosophy.

Practical Impact of BIP-360

Although BIP-360 appears to be a purely technical improvement, its impact will widely reach areas such as wallets, exchanges, and custodial services. If the proposal is adopted, it will gradually reshape the creation, spending, and custody of new Bitcoin outputs, particularly having a profound impact on users who value long-term quantum resistance.

  • Wallet support: Wallet applications may offer optional P2MR addresses (possibly starting with "bc1z") as a "quantum fortification" option for users to receive new coins or store long-term holdings.
  • Transaction fees: Since using the script path introduces more witness data, P2MR transactions may be slightly larger compared to Taproot key path spending, potentially leading to a slight increase in transaction fees. This reflects the trade-off between security and transaction compactness.
  • Ecosystem coordination: The comprehensive deployment of P2MR will require updates from all parties including wallets, exchanges, custodians, and hardware wallets. Relevant planning and coordination work need to commence several years in advance.

Background knowledge: Governments worldwide have begun to focus on the risk of "harvest now, decrypt later," i.e., the mass collection and storage of encrypted data today in anticipation of future quantum computers being able to decrypt it. This strategy mirrors the concerns regarding Bitcoin's exposed public keys.

Clear Boundaries of BIP-360

While BIP-360 enhances Bitcoin's defense against future quantum threats, it is not a complete reconstruction of the cryptographic system. Understanding its limitations is equally important:

  • Existing assets do not automatically upgrade: All old unspent transaction outputs (UTXO) remain vulnerable until users actively migrate funds to P2MR outputs. Therefore, the migration process entirely relies on individual user actions.
  • No introduction of new post-quantum signatures: BIP-360 does not adopt lattice-based signature schemes (such as Dilithium or ML-DSA) or hash-based signature schemes (such as SPHINCS+) to replace the existing ECDSA or Schnorr signatures. It merely removes the public key exposure model brought by the Taproot key path. A comprehensive transition to post-quantum signatures at the foundational layer will require a much larger protocol change.
  • Cannot provide absolute quantum immunity: If a fully operational CRQC suddenly emerges in the future, resisting its impact will still require large-scale, high-intensity collaborative responses among miners, nodes, exchanges, and custodians. Long-dormant "sleeping coins" could trigger complex governance challenges and put immense pressure on the network.

Motivations Behind the Developers' Proactive Planning

The development path of quantum computing is full of uncertainty. Some believe practical applications are decades away, while others point out that IBM's goal of fault-tolerant quantum computers by the late 2020s, Google's advances in quantum chips, Microsoft's research on topological quantum computing, and the U.S. government's timeline for transitioning cryptographic systems from 2030 to 2035 all indicate that progress is accelerating.

The migration of critical infrastructure takes a long time. Bitcoin developers emphasize that systematic planning must occur at all levels, from BIP design and software implementation to infrastructure adaptation and user adoption. Waiting until the quantum threat is imminent could leave too little time for anything but a reactive response.

If the community reaches a broad consensus, BIP-360 may advance through a phased soft fork approach:

  • Activating the new P2MR output type.
  • Gradually increasing wallet, exchange, and custodial support for it.
  • Users gradually migrating assets to new addresses over several years.

This process is similar to the path from optional to widespread usage experienced during the Segregated Witness (SegWit) and Taproot upgrades.

Widespread Discussions Surrounding BIP-360

There are ongoing discussions within the community about the urgency of implementing BIP-360 and its potential costs. Core issues include:

  • Is the slight fee increase acceptable for long-term holders?
  • Should institutional users lead the asset migration to set an example?
  • How should "sleeping" bitcoins that will never be moved be handled?
  • How can wallet applications accurately convey the concept of "quantum safety" to users without inciting unnecessary panic while still providing effective information?

These discussions are ongoing. The introduction of BIP-360 has significantly advanced the in-depth exploration of related topics but has not yet resolved all issues.

Background knowledge: The theoretical concerns about quantum computers potentially breaking current cryptography can be traced back to 1994 when mathematician Peter Shor proposed Shor's algorithm, which predates the emergence of Bitcoin. Therefore, Bitcoin's planning against future quantum threats essentially responds to this theoretical breakthrough that has existed for over thirty years.

Current Measures Users Can Take

Currently, the quantum threat is not imminent, and users need not overly worry. However, it is beneficial to take some cautious measures:

  • Adhere to the principle of not reusing addresses.
  • Always use the latest version of wallet software.
  • Stay informed about Bitcoin protocol upgrades.
  • Pay attention to when wallet applications start supporting the P2MR address type.
  • Users holding a significant amount of Bitcoin should quietly assess their risk exposure and consider making corresponding contingency plans.

BIP-360: The First Step Towards the Quantum Resistant Era

BIP-360 marks the first concrete step Bitcoin has taken at the protocol level to reduce quantum risk exposure. It redefines the way new outputs are created, minimizing the unintentional leakage of public keys while laying the groundwork for future long-term migration planning.

It does not automatically upgrade existing bitcoins and it retains the current signature system, which highlights a fact: achieving true quantum resistance requires a cautious, coordinated, and sustained ecosystem-wide effort. This relies on long-term engineering practice and phased community adoption rather than on a single BIP acting as a panacea.
