· BIP-360 formally incorporates quantum resistance into Bitcoin's development roadmap for the first time, marking a cautious, incremental technical evolution rather than a radical overhaul of the cryptographic system.
· The quantum risk primarily threatens exposed public keys, not the SHA-256 hash algorithm used by Bitcoin. Therefore, reducing public key exposure has become the core security issue that developers are focusing on solving.
· BIP-360 introduces a Pay-to-Merkle-Root (P2MR) script, which removes the key path spending option from the Taproot upgrade, mandating that all UTXO spends must go through a script path, thereby minimizing the risk of exposing elliptic curve public keys.
· P2MR retains the flexibility of smart contracts, still supporting multisig, timelocks, and complex custody structures through the Tapscript Merkle tree.
Bitcoin's design philosophy enables it to withstand severe economic, political, and technological challenges. As of March 10, 2026, its development team is addressing an emerging technological threat: quantum computing.
The recently released Bitcoin Improvement Proposal 360 (BIP-360) has, for the first time, formally listed quantum resistance on Bitcoin's long-term technical roadmap. Although some media reports tend to portray it as a major change, the reality is more cautious and gradual.
This article will delve into how BIP-360 reduces Bitcoin's quantum risk exposure by introducing the Pay-to-Merkle-Root (P2MR) script and removing Taproot's key path spending functionality. It aims to clarify the proposal's improvements, the trade-offs it introduces, and why it does not yet make Bitcoin fully post-quantum secure.
Source of the Quantum Computing Threat to Bitcoin
Bitcoin's security is built on cryptographic foundations, primarily the Elliptic Curve Digital Signature Algorithm (ECDSA) and, since the Taproot upgrade, Schnorr signatures. Traditional computers cannot derive a private key from a public key in a feasible amount of time. However, a sufficiently powerful quantum computer running Shor's algorithm could potentially break the elliptic curve discrete logarithm problem, thus compromising private key security.
The key distinctions are as follows:
· Quantum attacks primarily threaten public-key cryptography, not hash functions. The SHA-256 algorithm used by Bitcoin is relatively robust against quantum computing. Grover's algorithm only offers a quadratic speedup, not an exponential one.
· The real risk lies in the moment a public key is revealed on the blockchain.
Based on this, the community widely regards public key exposure as the primary quantum risk.
Bitcoin's Potential Vulnerabilities in 2026
Different types of addresses in the Bitcoin network face varying degrees of future quantum threat:
· Reused addresses: When funds are spent from such an address, its public key is revealed on-chain, making it vulnerable if a cryptographically relevant quantum computer (CRQC) emerges in the future.
· Legacy Pay-to-Public-Key (P2PK) outputs: Early Bitcoin transactions directly wrote the public key into the transaction output.
· Taproot key path spends: The Taproot upgrade (2021) provided two spending paths: a concise key path (which exposes a tweaked public key upon spending) and a script path (which exposes a specific script via a Merkle proof). The key path is the main theoretical weak point under a quantum attack.
BIP-360 is designed specifically to address this key path vulnerability.
The Core of BIP-360: Introducing P2MR
The BIP-360 proposal adds a new output type called Pay-to-Merkle-Root (P2MR). This type is structurally similar to Taproot but makes one key change: it completely removes the key path spending option.
Instead of committing to an internal public key like Taproot, P2MR commits only to the Merkle root of a script tree. Spending a P2MR output involves:
· Revealing a leaf script from the script tree.
· Providing a Merkle proof to confirm that this leaf script belongs to the committed Merkle root.
Throughout this process, there is no spending path based on a public key.
The direct impacts of removing the key path spend include:
· Avoiding public key exposure from direct signature verification.
· All spending paths rely on more quantum-resistant hash-based commitments.
· The number of elliptic curve public keys existing long-term on the chain will be significantly reduced.
· Hash-based methods resist quantum attacks significantly better than those relying on elliptic curve assumptions, which greatly reduces the potential attack surface.
Functionality Retained by BIP-360
A common misconception is that abandoning the key path spend weakens Bitcoin's smart contract or scripting capabilities. In fact, P2MR fully supports the following:
· Multisig configurations
· Timelocks
· Conditional payments
· Inheritance schemes
· Advanced custody arrangements
BIP-360 achieves all this through the Tapscript Merkle tree. This approach retains full scripting capability while sacrificing the convenient but potentially risky direct signing path.
Background: Satoshi Nakamoto briefly mentioned quantum computing in early forum discussions, suggesting that if it became a reality, Bitcoin could migrate to a stronger signature scheme. This indicates that building flexibility for future upgrades was part of the initial design philosophy.
Practical Impact of BIP-360
Although BIP-360 appears to be a purely technical improvement, it will broadly affect wallets, exchanges, and custody services. If adopted, it will gradually reshape how new Bitcoin outputs are created, spent, and custodied, especially for users prioritizing long-term quantum resistance.
· Wallet Support: Wallet applications will likely offer optional P2MR addresses (potentially starting with 'bc1z') as a 'quantum-hardened' option for users receiving new coins or storing long-term holdings.
· Transaction Fees: Since using a script path introduces more witness data, P2MR transactions will be slightly larger than Taproot key path spends, potentially leading to a modest increase in fees. This represents a trade-off between security and transaction compactness.
· Ecosystem Coordination: Full deployment of P2MR requires updates from wallets, exchanges, custodians, and hardware wallets. Related planning and coordination efforts need to start years in advance.
Background: Governments have begun focusing on the 'harvest now, decrypt later' risk, which involves collecting and storing encrypted data en masse today to be decrypted by future quantum computers. This strategy mirrors the potential concern over exposed Bitcoin public keys.
The Defined Limits of BIP-360
Although BIP-360 enhances Bitcoin's defense against future quantum threats, it is not a complete cryptographic overhaul. Understanding its limitations is equally crucial:
· Existing assets are not automatically upgraded: All old unspent transaction outputs (UTXOs) remain vulnerable until users actively move funds to P2MR outputs. Therefore, the migration process depends entirely on individual user action.
· Does not introduce new post-quantum signatures: BIP-360 does not adopt lattice-based signature schemes (like Dilithium or ML-DSA) or hash-based signature schemes (like SPHINCS+) to replace the current ECDSA or Schnorr signatures. It only removes the public key exposure pattern introduced by the Taproot key path. A full transition to post-quantum signatures at the base layer would require a much larger protocol change.
· Does not provide absolute quantum immunity: Even if a functional CRQC suddenly appeared, resisting its impact would require large-scale, high-intensity coordination among miners, nodes, exchanges, and custodians. Long-dormant 'sleeping coins' could pose complex governance challenges and put immense pressure on the network.
Motivation for Developers' Proactive Planning
The development path of quantum computing is uncertain. Some believe practical applications are decades away, while others point to IBM's goal for fault-tolerant quantum computers by the late 2020s, Google's breakthroughs in quantum chips, Microsoft's research in topological quantum computing, and the U.S. government's 2030-2035 deadline for transitioning cryptographic systems as signs of accelerating progress.
Migrating critical infrastructure takes a long time. Bitcoin developers emphasize the need for systematic planning across all stages: BIP design, software implementation, infrastructure adaptation, and user adoption. Waiting until the quantum threat is imminent could leave too little time to prepare.
If broad community consensus is reached, BIP-360 could be implemented via a soft fork in phases:
· Activate the new P2MR output type.
· Wallets, exchanges, and custodians gradually add support for it.
· Users incrementally migrate assets to the new addresses over several years.
This process is similar to the path from optional to widespread adoption seen with previous upgrades like Segregated Witness (SegWit) and Taproot.
Ongoing Discussion Surrounding BIP-360
There is ongoing discussion within the community regarding the urgency of implementing BIP-360 and its potential costs. Core topics include:
· Is the slight fee increase acceptable for long-term holders?
· Should institutional users lead the asset migration to set an example?
· How should 'dormant' Bitcoins that may never be moved be handled appropriately?
· How should wallet applications accurately communicate the concept of 'quantum safety' to users, avoiding unnecessary panic while providing effective information?
These discussions are ongoing. BIP-360 has greatly advanced in-depth discussion of these issues but is far from providing all the answers.
Background: The theoretical concept that quantum computers could break current cryptography dates back to 1994 when mathematician Peter Shor proposed Shor's algorithm, long before Bitcoin existed. Therefore, Bitcoin's planning for future quantum threats is essentially a response to this theoretical breakthrough, which is over thirty years old.
Measures Users Can Take Now
Currently, the quantum threat is not imminent, and users need not be overly worried. However, taking some prudent measures is beneficial:
· Adhere to the principle of not reusing addresses.
· Always use the latest version of wallet software.
· Stay informed about Bitcoin protocol upgrade developments.
· Watch for when wallet applications begin supporting the P2MR address type.
· Holders of significant amounts of Bitcoin should quietly assess their risk exposure and consider formulating corresponding contingency plans.
BIP-360: The First Step Towards a Quantum-Resistant Era
BIP-360 marks the first concrete step Bitcoin has taken at the protocol level to reduce quantum risk exposure. It redefines how new outputs are created, minimizes the accidental leakage of public keys, and lays the groundwork for future long-term migration planning.
It does not automatically upgrade existing Bitcoin, retains the current signature system, and highlights the fact that achieving true quantum resistance requires a carefully coordinated, ecosystem-wide sustained effort. This relies on long-term engineering practice and phased community adoption, not something a single BIP can accomplish overnight.









