
BIP-360 Explained: Bitcoin’s First Step Toward Quantum Resistance—But Why Is It Only the “First Step”?

This article explains how BIP-360 reshapes Bitcoin’s quantum defense strategy, analyzes its improvements, and discusses why it has not yet achieved full post-quantum security.
By: Cointelegraph
Translated by: AididiaoJP, Foresight News
Key Takeaways
- BIP-360 formally introduces quantum resistance into Bitcoin’s development roadmap for the first time—marking a cautious, incremental technical evolution rather than a radical cryptographic overhaul.
- Quantum risk primarily threatens exposed public keys, not Bitcoin’s SHA-256 hash algorithm. Thus, minimizing public key exposure has become the core security challenge developers are addressing.
- BIP-360 introduces the Pay-to-Merkle-Root (P2MR) script, removing Taproot’s key-path spending option and mandating that all UTXO spends occur exclusively via the script path—thereby minimizing exposure of elliptic curve public keys.
- P2MR preserves smart contract flexibility, still supporting multisig, timelocks, and complex custody structures via Tapscript Merkle trees.
Bitcoin’s design philosophy enables it to withstand severe economic, political, and technological challenges. As of March 10, 2026, its developer team is tackling an emerging technological threat: quantum computing.
The recently published Bitcoin Improvement Proposal 360 (BIP-360) formally adds quantum resistance to Bitcoin’s long-term technical roadmap for the first time. Although some media reports frame it as a major transformation, the reality is far more measured and gradual.
This article delves into how BIP-360 reduces Bitcoin’s quantum attack surface by introducing the Pay-to-Merkle-Root (P2MR) script and eliminating Taproot’s key-path spending capability. It clarifies the proposal’s improvements, trade-offs, and why it does not yet deliver full post-quantum security.
Sources of Quantum Threat to Bitcoin
Bitcoin’s security rests on cryptographic foundations, primarily the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr signatures introduced with the Taproot upgrade. Classical computers cannot feasibly derive private keys from public keys within reasonable timeframes. However, a sufficiently powerful quantum computer running Shor’s algorithm could solve the elliptic curve discrete logarithm problem, thereby compromising private key security.
Key distinctions:
- Quantum attacks primarily threaten public-key cryptography—not hash functions. Bitcoin’s SHA-256 remains relatively robust against quantum computing; Grover’s algorithm offers only quadratic speedup, not exponential acceleration.
- The real risk arises when public keys are publicly revealed on-chain.
For this reason, the community widely regards public key exposure as the primary quantum risk vector.

Potential Vulnerabilities in Bitcoin as of 2026
Different Bitcoin address types face varying degrees of future quantum threat:
- Reused addresses: When funds are spent from such an address, its public key is revealed on-chain—exposing it to risk once cryptographically relevant quantum computers (CRQCs) emerge.
- Legacy Pay-to-Public-Key (P2PK) outputs: Early Bitcoin transactions directly embedded public keys in transaction outputs.
- Taproot key-path spending: The Taproot upgrade (2021) introduced two spending paths—a concise key path (which reveals a tweaked public key upon spending) and a script path (which reveals specific scripts via Merkle proofs). Among these, the key path represents the most significant theoretical weakness under quantum attack.
BIP-360 was designed specifically to address this key-path exposure issue.

Core of BIP-360: Introducing P2MR
BIP-360 proposes a new output type called Pay-to-Merkle-Root (P2MR). Structurally inspired by Taproot, P2MR makes one critical change: it completely removes the key-path spending option.
Unlike Taproot—which commits to an internal public key—P2MR commits only to the Merkle root of a script tree. Spending a P2MR output involves:
- Revealing one leaf script from the script tree.
- Providing a Merkle proof confirming that the revealed leaf script belongs to the committed Merkle root.
No public-key-based spending path exists at any point in this process.
Direct consequences of removing key-path spending include:
- Avoiding public key exposure during signature verification.
- Relying entirely on hash-based commitments—more quantum-resistant than public-key schemes.
- Significantly reducing the number of elliptic curve public keys permanently recorded on-chain.
- Offering a substantial reduction in potential attack surface, since hash-based methods hold clear advantages over elliptic curve assumptions under quantum attack.
Features Preserved by BIP-360
A common misconception is that abandoning key-path spending weakens Bitcoin’s smart contract or scripting capabilities. In fact, P2MR fully supports:
- Multisig configurations
- Timelocks
- Conditional payments
- Asset inheritance schemes
- Advanced custody arrangements
BIP-360 implements all these features using Tapscript Merkle trees. This approach retains full scripting functionality while discarding the convenient—but potentially risky—direct signature path.
Background: Satoshi Nakamoto briefly mentioned quantum computing in early forum discussions, noting that if it became practical, Bitcoin could migrate to stronger signature schemes. This indicates that designing for future upgrades was part of Bitcoin’s original conceptual framework.
Practical Impacts of BIP-360
Although BIP-360 appears purely technical, its implications extend broadly across wallets, exchanges, and custodial services. If adopted, it will gradually reshape how new Bitcoin outputs are created, spent, and stored—especially for users prioritizing long-term quantum resistance.
- Wallet support: Wallet applications may offer optional P2MR addresses (potentially prefixed with “bc1z”) as a “quantum-hardened” option for receiving new coins or storing long-term holdings.
- Transaction fees: Since script-path spending introduces additional witness data, P2MR transactions will be slightly larger—and thus marginally more expensive—than Taproot key-path spends. This reflects a deliberate trade-off between security and transaction compactness.
- Ecosystem coordination: Full P2MR deployment requires updates across wallets, exchanges, custodians, and hardware wallets. Related planning and coordination must begin years in advance.
Background: Governments worldwide have begun recognizing the “harvest now, decrypt later” risk—i.e., mass collection and storage of encrypted data today for decryption once quantum computers mature. This mirrors concerns about already-exposed Bitcoin public keys.
Clear Boundaries of BIP-360
While BIP-360 strengthens Bitcoin’s defenses against future quantum threats, it is not a complete cryptographic overhaul. Understanding its limitations is equally critical:
- Existing assets do not auto-upgrade: All legacy unspent transaction outputs (UTXOs) remain vulnerable until users proactively move funds to P2MR outputs. Migration therefore depends entirely on individual user behavior.
- No new post-quantum signatures introduced: BIP-360 does not adopt lattice-based signature schemes (e.g., Dilithium or ML-DSA) or hash-based schemes (e.g., SPHINCS+) to replace ECDSA or Schnorr. It merely eliminates the public key exposure pattern introduced by Taproot’s key path. A full base-layer transition to post-quantum signatures would require a significantly larger protocol change.
- Does not guarantee absolute quantum immunity: If a CRQC suddenly became operational, mitigating its impact would still require large-scale, high-intensity coordination among miners, nodes, exchanges, and custodians. Long-dormant “sleeping coins” could trigger complex governance dilemmas and impose heavy strain on the network.
Motivations Behind Developers’ Forward-Looking Planning
The trajectory of quantum computing development remains highly uncertain. Some believe practical deployment remains decades away, while others point to IBM’s target of fault-tolerant quantum computers by the late 2020s, Google’s breakthroughs in quantum chips, Microsoft’s research in topological quantum computing, and the U.S. government’s 2030–2035 deadline for cryptographic system migration—all suggesting accelerating progress.
Migrating critical infrastructure takes considerable time. Bitcoin developers emphasize the need for systematic planning across BIP design, software implementation, infrastructure adaptation, and user adoption. Waiting until quantum threats become imminent risks leaving insufficient time for effective response.
If broad community consensus emerges, BIP-360 could roll out via phased soft forks:
- Activation of the new P2MR output type.
- Gradual adoption and support expansion by wallets, exchanges, and custodians.
- User-driven migration of assets to new addresses over several years.
This progression resembles the path taken by Segregated Witness (SegWit) and Taproot—from optional feature to widespread adoption.
Ongoing Community Discussions Around BIP-360
Debate continues within the community regarding the urgency of implementing BIP-360 and its associated costs. Core questions include:
- Is the slight fee increase for long-term holders acceptable?
- Should institutional users lead asset migration to set an example?
- How should “dormant” bitcoins—those never moved—be handled appropriately?
- How should wallet applications accurately communicate the concept of “quantum safety” to users—avoiding unnecessary panic while delivering useful information?
These discussions remain ongoing. While BIP-360 has greatly accelerated deep engagement with these issues, it certainly does not resolve them all.
Background: The theoretical possibility that quantum computers could break contemporary cryptography dates back to mathematician Peter Shor’s 1994 formulation of Shor’s algorithm—well before Bitcoin’s inception. Bitcoin’s planning for future quantum threats is thus, fundamentally, a response to a theoretical breakthrough over three decades old.
Actions Users Can Take Today
Quantum threats are not imminent, so users need not panic. Still, adopting prudent measures is beneficial:
- Adhere strictly to the principle of non-reuse of addresses.
- Always use the latest version of wallet software.
- Stay informed about Bitcoin protocol upgrades.
- Monitor when wallet applications begin supporting P2MR address types.
- Large Bitcoin holders should quietly assess their own risk exposure and consider developing contingency plans.
BIP-360: The First Step Toward a Quantum-Resistant Era
BIP-360 marks Bitcoin’s first concrete step at the protocol level to reduce quantum attack surface. It redefines how new outputs are created, minimizes accidental public key leakage, and lays groundwork for longer-term migration planning.
It does not automatically upgrade existing Bitcoin, retains the current signature scheme, and underscores a fundamental truth: achieving genuine quantum resistance demands careful, ecosystem-wide coordination sustained over time. This requires long-term engineering effort and phased community adoption—not something any single BIP can accomplish alone.