Key conclusions

• BIP-360 formally puts quantum resistance on the Bitcoin roadmap for the first time. It represents a measured, gradual step rather than a radical cryptographic change.

• Quantum risk is primarily focused on exposed public keys rather than Bitcoin’s SHA-256 hashing, which makes public key exposure a prime target for creators of major security vulnerabilities.

• BIP-360 introduces the Pay-to-Merkle-Root (P2MR) option, which removes the option to spend on a Taproot key track and forces all spend to be through script paths to minimize elliptic curve exposure.

• The flexibility of sharp contracts remains intact as P2MR still supports multisig, time locks, and complicated custody structures via Tapscript Merkle trees.

Bitcoin was built to withstand hostile economic, political and technical scenarios. Since March 10, 2026, its creators have been preparing to face an emerging threat: quantum computing.

The recent publication of Bitcoin Improvement Proposal 360 (BIP-360) officially adds quantum resilience to Bitcoin’s long-term technical roadmap for the first time. While some headlines portray this change as dramatic, the reality is much more measured and gradual.

This article examines how BIP-360 introduces Pay-to-Merkle-Root (P2MR) to reduce Bitcoin’s quantum exposure by removing spending on the key Taproot path. It explains what the proposal improves, what compromises it introduces and why it does not yet provide Bitcoin with full post-quantum security.

Why Quantum Computing Is a Risk for Bitcoin

For security reasons, Bitcoin relies on cryptography, primarily the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr signatures introduced via Taproot. Ordinary computers cannot actually obtain a private key from a public key. However, a powerful quantum computer running Shor’s algorithm can crack the discrete logarithms of the elliptic curve, revealing these keys.

Key distinctions include:

• Quantum attacks hit public key cryptography the hardest, not hashing.

• Bitcoin’s SHA-256 remains relatively powerful in the fight against quantum methods. Grover’s algorithm only provides quadratic speedup, not exponential speedup.

• The real risk comes when public keys are exposed on the blockchain.

This is why the community is focusing on public key disclosure as the main quantum risk vector.

Bitcoin vulnerabilities in 2026

Not every address type on the Bitcoin network faces the same level of future quantum threat:

• Reused addresses: The spending exposes the public key on-chain, leaving it exposed to a future cryptographic quantum computer (CRQC).

• Legacy public key (P2PK) payment results: Early Bitcoin transactions directly embedded public keys in the transaction results.

• Taproot key path issues: Uterus (2021) offers two paths: a compact key path (which exposes the corrected public key on spend) or a script path (which exposes scripts using Merkle proof). The key path is the main theoretical tender point of a quantum attack.

BIP-360 directly targets exposure to this key pathway.

What BIP-360 introduces: P2MR

BIP-360 adds a modern output type, Pay-to-Merkle-Root (P2MR), modeled after Taproot but with one critical change. Completely removes the key path spend option.

Instead of engaging with an internal public key such as Taproot, P2MR only engages with the Merkle root of the script tree. To be released:

There is no public key-based spending path.

Eliminating key track spend means:

• No access to the public key for direct signature control.

• All spending paths are based on shortcut commitments.

• The long-term elliptic curve of public key exposure declines rapidly.

Shortcut-based methods are much more resistant to quantum attacks than elliptic curve assumptions. This significantly reduces the attack surface.

What BIP-360 retains

A common misconception is that cutting spending on a key track weakens sharp contracts or scripts. This is not the case. P2MR fully supports:

• Multisig configurations

• Time locks

• Conditional payments

• Inheritance patterns

• Advanced care

BIP-360 implements all of these functions through Tapscript Merkle trees. While the process retains full scripting capabilities, the convenient but vulnerable direct signature shortcut disappears.

Did you know? Briefly about Satoshi Nakamoto found quantum computing in early forum discussions, suggesting that if it becomes practical, Bitcoin could migrate to stronger signature schemes. This shows that retrofit flexibility has always been part of the design philosophy.

Practical implications of BIP-360

BIP-360 may seem like a purely technical improvement, but its impact will be felt at the wallet, exchange and deposit levels. If activated, it will gradually change how modern Bitcoin outputs are created, issued, and secured, especially for users who prioritize long-term quantum resilience.

• Wallets could introduce optional P2MR addresses (possibly starting with “bc1z”) as a “quantum hardened” choice for new coins or long-term investments.

• Transactions will be slightly larger (more witness data from script paths), which may increase fees slightly compared to spending on the key Taproot path. Safety goes hand in hand with compactness.

• Full implementation would require updating wallets, exchanges, custodians and hardware wallets. Planning should start several years in advance.

Did you know? Governments are already preparing for the “collect now, decrypt later” risk, where encrypted data is stored today awaiting future quantum decryption. This strategy reflects concerns about exposed Bitcoin public keys.

Which BIP-360 clearly doesn’t do

While BIP-360 strengthens Bitcoin in the face of future quantum threats, it is not a sweeping change to cryptography. Understanding its limitations is as important as understanding its innovations:

• No automatic update of existing coins: Old, unspent transaction outputs (UTXO) remain vulnerable until users manually transfer funds to P2MR outputs. Migration depends on user behavior.

• No new post-quantum signatures: BIP-360 does not replace ECDSA or Schnorr with network-based (for example, Dilithium or ML-DSA) or hash-based (for example, SPHINCS+) schemes. It only removes the Taproot key path exposure pattern. A full transition of the base layer to post-quantum signatures would require much larger changes.

• No complete quantum immunity: A sudden breakthrough in CRQC would still require massive coordination between miners, nodes, exchanges and custodians. Dormant coins can cause complex management issues, which can result in network stress.

Why developers are working now

Quantum progress is uncertain. Some believe it is a matter of several decades. Others point to IBM’s late 2020s fault tolerance goals, Google’s chip advances, Microsoft’s topology research and U.S. government changes planned for the years 2030-2035.

Critical infrastructure migrations take many years. Bitcoin developers emphasize planning throughout BIP’s design, software, infrastructure, and user adoption. Waiting for the certainty of quantum progress may leave insufficient time to upgrade infrastructure.

If consensus is reached, a gradual soft fork may occur:

1. Activate P2MR output type

2. Wallets, exchanges and custodians are adding support

3. Gradual migration of users over the years

This reflects the optional and then widespread adoption of SegWit and Taproot.

Broader debate around BIP-360

There is an ongoing debate about urgency and cost. Questions discussed include:

• Are modest fee increases acceptable to HODLers?

• Should institutions lead migration?

• What about coins that never move?

• How should wallets signal “quantum security” without causing unnecessary anxiety?

This is an ongoing conversation. BIP-360 moves the discussion forward, but does not close it.

Did you know? The idea that quantum computers could threaten cryptography goes back to ancient times 1994when mathematician Peter Shor introduced Shor’s algorithm, long before Bitcoin existed. Bitcoin’s future quantum planning is essentially a response to a 30-year-old theoretical breakthrough.

What users can do now

For now, there is no reason to panic because quantum threats are not immediate. Prudent steps you can take include:

• Never reuse addresses

• Stick to up-to-date wallet software

• Stay tuned for protocol update news

• Beware of P2MR support in wallets

Large farm owners should quietly map exposures and consider contingency plans.

BIP-360: The first step towards quantum resistance

BIP-360 represents Bitcoin’s first concrete step towards limiting its quantum exposure at the protocol level. It redefines how new results are created, minimizes public key leaks, and sets the stage for long-term migration planning.

It does not automatically change existing coins, keeps current signatures intact, and highlights the need for careful, coordinated, ecosystem-wide efforts. True quantum resistance will come from continuous engineering and incremental implementation, not a single BIP.