
BIP-360 Interpretation: Bitcoin Takes Its First Step Towards Quantum Defense, But Why Is It Just the "First Step"?

律动BlockBeats
5 hours ago
Original title: Bitcoin's quantum upgrade path: What BIP-360 changes and what it does not
Original source: Cointelegraph
Original translation: AididiaoJP, Foresight News

Core Points

· BIP-360 formally incorporates quantum resistance into Bitcoin's development roadmap for the first time, marking a cautious and incremental technological evolution rather than a radical overhaul of the cryptographic framework.

· Quantum risk primarily threatens exposed public keys rather than the SHA-256 hash algorithm used by Bitcoin. Thus, reducing public key exposure becomes the core security issue that developers are focused on solving.

· BIP-360 introduces Pay to Merkle Root (P2MR) scripts, which eliminate the key path spending option in the Taproot upgrade, forcing all UTXO spending to go through script paths, thereby minimizing the exposure risk of elliptic curve public keys.

· P2MR retains the flexibility of smart contracts, still supporting multi-signatures, time locks, and complex custodial arrangements through Tapscript Merkle trees.

Bitcoin's design philosophy enables it to withstand severe economic, political, and technical challenges. As of March 10, 2026, its developer team is addressing an emerging technological threat: quantum computing.

The recently published Bitcoin Improvement Proposal 360 (BIP-360) formally incorporates quantum resistance into Bitcoin's long-term technical roadmap for the first time. While some media reports tend to describe it as a major reform, the actual situation is more cautious and gradual.

This article will explore how BIP-360 reduces Bitcoin's quantum risk exposure by introducing P2MR scripts and removing the key path spending function from Taproot. The aim is to clarify the improvements of this proposal, the trade-offs introduced, and why it has not yet achieved complete post-quantum security for Bitcoin.

The Threat of Quantum Computing to Bitcoin

Bitcoin's security rests on public key cryptography, mainly the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Schnorr signatures introduced through the Taproot upgrade. Classical computers cannot derive a private key from a public key within a feasible time. However, a sufficiently capable quantum computer running Shor's algorithm could potentially solve the elliptic curve discrete logarithm problem, thereby endangering private key security.

Key distinctions include:

· Quantum attacks primarily threaten public key cryptographic systems rather than hash functions. The SHA-256 algorithm used by Bitcoin is relatively robust against quantum computation. Grover's algorithm can only provide quadratic speedup, not exponential speedup.

· The real risk lies in the moment when the public key is exposed on the blockchain.

Based on this, the community generally views public key exposure as the primary source of quantum risk.

Potential Vulnerabilities of Bitcoin in 2026

Different types of addresses within the Bitcoin network face varying degrees of future quantum threats:

· Reused addresses: When funds from these addresses are spent, their public keys are exposed on-chain. If a cryptographically relevant quantum computer (CRQC) emerges in the future, these public keys will be at risk.

· Legacy Pay to Public Key (P2PK) outputs: Early Bitcoin transactions directly included public keys in transaction outputs.

· Taproot key path spending: The Taproot upgrade (2021) provided two spending paths: one is a simple key path (which exposes a tweaked public key upon spending), and the other is a script path (which exposes specific scripts through Merkle proofs). Among these, the key path is the most significant theoretical weak point under quantum attack.

BIP-360 is designed specifically to address the public key exposure of the key path.

The Core Content of BIP-360: Introducing P2MR

The BIP-360 proposal introduces a new output type called Pay to Merkle Root (P2MR). This type structurally references Taproot but makes a critical change: it completely removes the key path spending option.

Unlike Taproot's commitment to an internal public key, P2MR only commits to the Merkle root of a script tree. The process of spending P2MR outputs is:

· Reveal a leaf script from the script tree.

· Provide a Merkle proof to confirm that the leaf script belongs to the committed Merkle root.

Throughout the process, there is no public key-based spending path.

The direct impacts of removing the key path spending include:

· Avoiding the exposure of public keys through direct signature verification.

· All spending paths rely on hash-based commitments that are more quantum-resistant.

· The number of elliptic curve public keys that remain on the chain will significantly decrease.

· Compared to solutions relying on the elliptic curve assumption, hash-based methods provide significant advantages in resisting quantum attacks, drastically reducing the potential attack surface.

Functions Retained by BIP-360

A common misconception is that giving up the key path spending will weaken Bitcoin's smart contract or scripting capabilities. In fact, P2MR fully supports the following functions:

· Multi-signature configurations

· Time locks

· Conditional payments

· Asset inheritance schemes

· Advanced custodial arrangements

BIP-360 implements all of the above functions through Tapscript Merkle trees. This solution retains full scripting capability while discarding the convenient but potentially risky direct signature path.

Background knowledge: Satoshi Nakamoto briefly mentioned quantum computing in early forum discussions, believing that if it became a reality, Bitcoin could migrate to a stronger signature scheme. This indicates that reserving flexibility for future upgrades is part of its initial design philosophy.

Practical Impacts of BIP-360

Although BIP-360 may seem like a purely technical improvement, its effects will widely touch on aspects like wallets, trading platforms, and custodial services. If the proposal is adopted, it will gradually reshape the creation, spending, and custody of new Bitcoin outputs, especially having a profound impact on users who value long-term quantum resistance.

· Wallet support: Wallet applications may offer optional P2MR addresses (possibly starting with "bc1z") as a "quantum-secured" option for users to receive new coins or store long-term assets.

· Transaction fees: Due to the use of scripts, P2MR transactions may incur slightly higher fees compared to Taproot key path spending, reflecting the trade-offs made between security and transaction compactness.

· Ecosystem coordination: The full deployment of P2MR requires updates from various parties, including wallets, trading platforms, custodians, and hardware wallets. Related planning and coordination efforts need to start several years in advance.

Background knowledge: Governments worldwide have begun to focus on the risk of "harvest now, decrypt later," in which large volumes of encrypted data are collected and stored today with the intent to decrypt them once quantum computers become available. This strategy is analogous to the concern about public keys already exposed in Bitcoin.

The Clear Boundaries of BIP-360

While BIP-360 enhances Bitcoin's defense against future quantum threats, it does not represent a complete overhaul of the cryptographic framework. It is equally important to understand its limitations:

· Existing assets do not automatically upgrade: All old unspent transaction outputs (UTXOs) remain vulnerable until users actively transfer funds to P2MR outputs. Therefore, the migration process entirely depends on individual user actions.

· No new post-quantum signature schemes introduced: BIP-360 does not adopt lattice-based signature schemes (like Dilithium or ML-DSA) or hash-based signature schemes (like SPHINCS+) to replace existing ECDSA or Schnorr signatures. It only removes the public key exposure model introduced by the Taproot key path. A comprehensive transition to post-quantum signatures at the foundational level would require a much larger protocol change.

· Cannot provide absolute quantum immunity: Even if a practically operational CRQC suddenly appears in the future, resisting its impact would still require widespread, high-intensity collaboration among miners, nodes, trading platforms, and custodians. Long-dormant "sleeping coins" could lead to complex governance challenges and exert immense pressure on the network.

Why Developers Are Planning Ahead

The development path of quantum computing is fraught with uncertainty. Some believe practical quantum computers may still be decades away, while others point to IBM's fault-tolerant quantum computer goals by the late 2020s, Google's breakthroughs in quantum chips, Microsoft's research on topological quantum computing, and the U.S. government's set timeframe for transitioning cryptographic systems by 2030-2035, indicating that relevant progress is accelerating.

Key infrastructure migrations require lengthy time cycles. Bitcoin developers emphasize the need for systematic planning at all stages, from BIP design, software implementation, infrastructure adaptation to user adoption. If action is taken only when quantum threats appear imminent, it may lead to being caught off-guard due to insufficient time.

If the community reaches a broad consensus, BIP-360 could be advanced through phased soft forks:

· Activation of the new P2MR output type.

· Gradual increase of support from wallets, trading platforms, and custodians.

· Progressive migration of user assets to new addresses over several years.

This process is similar to the path from optional feature to widespread adoption followed by the Segregated Witness (SegWit) and Taproot upgrades.

Wide-ranging Discussions Surrounding BIP-360

The urgency of implementing BIP-360 and its potential costs continue to provoke ongoing discussions in the community. Core issues include:

· Is the slight fee increase for long-term holders acceptable?

· Should institutional users take the lead in migrating assets to set a demonstration effect?

· How should "sleeping" bitcoins that will never be moved be properly addressed?

· How should wallet applications accurately convey the concept of "quantum security" to users without inciting unnecessary panic while providing effective information?

These discussions are still ongoing. The proposal of BIP-360 has greatly propelled deeper discussions on related topics, but it has not yet resolved all questions.

Background knowledge: The theoretical concept that quantum computers could break current cryptography dates back to 1994, when mathematician Peter Shor proposed Shor's algorithm, long before the emergence of Bitcoin. Thus, planning for future quantum threats in Bitcoin is essentially a response to this theoretical breakthrough that has existed for over thirty years.

Measures Users Can Take Currently

Currently, the quantum threat is not imminent, and users need not over-worry. However, taking some prudent measures is beneficial:

· Adhere to the principle of not reusing addresses.

· Always use the latest version of wallet software.

· Stay informed about updates to the Bitcoin protocol.

· Watch for when wallet applications start supporting the P2MR address type.

· Users holding large amounts of Bitcoin should quietly assess their risk exposure and consider developing corresponding contingency plans.

BIP-360: The First Step Towards a Quantum-Resistant Era

BIP-360 marks the first concrete step Bitcoin has taken at the protocol level to reduce quantum risk exposure. It redefines the way new outputs are created, minimizing the accidental leakage of public keys, and lays the foundation for future long-term migration planning.

It will not automatically upgrade existing Bitcoins, retains the current signature framework, and highlights the fact that achieving true quantum resistance requires a carefully coordinated, ongoing effort across the entire ecosystem. This depends on long-term engineering practices and phased community adoption rather than being accomplished by a single BIP proposal.
