BIP-360 Analysis: Bitcoin's First Step Towards Quantum Immunity, But Why Only the "First Step"?
Original Title: Bitcoin's quantum upgrade path: What BIP-360 changes and what it does not
Original Source: Cointelegraph
Original Translation: AididiaoJP, Foresight News
Key Points
· BIP-360 formally incorporates quantum resistance into Bitcoin's development roadmap for the first time, marking a cautious, incremental technical evolution rather than a radical cryptographic system overhaul.
· The quantum risk primarily threatens exposed public keys rather than the SHA-256 hash algorithm used by Bitcoin. Therefore, reducing public key exposure has become a core security concern that developers are focusing on.
· BIP-360 introduces a Pay-To-Merkle-Root (P2MR) script, which, by removing the key-path spend option in the Taproot upgrade, enforces that all UTXO spends must go through a script path, thus minimizing the exposure risk of elliptic curve public keys.
· P2MR retains the flexibility of smart contracts, still supporting multi-signature, time locks, and complex custody structures through Tapscript Merkle trees.
Bitcoin's design philosophy enables it to withstand severe economic, political, and technical challenges. As of March 10, 2026, its development team is addressing an emerging technological threat: quantum computing.
A recent Bitcoin Improvement Proposal 360 (BIP-360) formally introduced quantum resistance into Bitcoin's long-term technical roadmap for the first time. Although some media reports tend to describe it as a major overhaul, the reality is more cautious and incremental.
This article will delve into how BIP-360, by introducing the Pay-To-Merkle-Root (P2MR) script and removing Taproot's key-path spend feature, reduces Bitcoin's quantum risk exposure. This article aims to clarify the improvements of this proposal, the introduced trade-offs, and why it has not yet enabled Bitcoin to achieve full post-quantum security.
Threats of Quantum Computing to Bitcoin
Bitcoin's security is built on cryptography, mainly including the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Schnorr signature introduced through the Taproot upgrade. Traditional computers cannot feasibly derive private keys from public keys in a practical time frame. However, a sufficiently powerful quantum computer running Shor's algorithm could potentially break the elliptic curve discrete logarithm problem, thereby compromising private key security.
The key differences are as follows:
· Quantum attacks primarily threaten public key cryptosystems, not hash functions. The SHA-256 algorithm used by Bitcoin is relatively robust against quantum computing. Grover's algorithm only provides a quadratic speedup, not an exponential one.
· The real risk lies in the moment when a public key is exposed on the blockchain.
Based on this, the community generally considers public key exposure to be the primary source of quantum risk.

Potential Vulnerabilities of Bitcoin in 2026
Various address types in the Bitcoin network face different levels of future quantum threats:
· Reused addresses: When funds are spent from such an address, its public key is revealed on the chain, making it vulnerable to a future cryptographically relevant quantum computer (CRQC).
· Legacy Pay-to-Public-Key (P2PK) outputs: Early Bitcoin transactions directly embedded the public key in the transaction output.
· Taproot key path spending: The Taproot upgrade (2021) offers two spending paths: a simple key path (which reveals a tweaked public key upon spending) and a script path (which reveals only the specific script being executed, together with a Merkle proof). Of these, the key path is the primary theoretical weakness under a quantum attack.
BIP-360 is specifically designed to address the issue of key path exposure.

Core Content of BIP-360: Introducing P2MR
The BIP-360 proposal introduces a new output type called Pay-to-Merkle-Root (P2MR). This type is structurally inspired by Taproot but makes one key change: it completely removes the key path spending option.
Unlike Taproot, which commits to an internal public key, P2MR only commits to the Merkle root of a script tree. Spending a P2MR output therefore has two steps:
· Reveal a leaf script from the script tree.
· Provide a Merkle proof demonstrating that the leaf script belongs to the committed Merkle root.
Throughout the entire process, there is no pubkey-based spending path.
The direct impacts of removing the key path spending include:
· Avoiding exposure of the public key through direct signature verification.
· All spending paths rely on a hash-based commitment that is more quantum-resistant.
· The number of elliptic curve public keys that exist on the chain long-term will be significantly reduced.
· Compared to schemes relying on elliptic curve assumptions, hash-based methods have a significant advantage in defending against quantum attacks, thus substantially reducing the potential attack surface.
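The commitment-and-proof mechanism described above, as an added Python illustration that is not code from BIP-360, Bitcoin Core or the article's author: it assumes the BIP-341 (Taproot) TapLeaf/TapBranch tagged-hash layout for the script tree (the final P2MR encoding may differ), and the leaf scripts are constructed sample byte strings. The point it makes concrete is that checking the commitment needs only hashes, never an elliptic-curve public key.

```python
import hashlib

# Added illustration, not BIP-360 or Bitcoin Core code. It ASSUMES the BIP-341 (Taproot)
# TapLeaf/TapBranch tagged-hash layout; the final P2MR encoding may differ. Leaves are samples.
LEAF_VERSION = 0xC0  # BIP-341 default tapscript leaf version (assumed)

def tagged_hash(tag: str, data: bytes) -> bytes:
    """BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def compact_size(n: int) -> bytes:
    # CompactSize length prefix; one byte suffices for short sample scripts
    return bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")

def leaf_hash(script: bytes) -> bytes:
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION]) + compact_size(len(script)) + script)

def branch_hash(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))  # sorted children: proofs carry no left/right bits
    return tagged_hash("TapBranch", lo + hi)

def merkle_root_and_proofs(scripts: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    """Commit to the whole script tree; return the root plus a sibling path per leaf."""
    level = [(leaf_hash(s), [i]) for i, s in enumerate(scripts)]
    proofs: list[list[bytes]] = [[] for _ in scripts]
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (ha, ga), (hb, gb) = level[j], level[j + 1]
            for i in ga:
                proofs[i].append(hb)  # leaves under a need b's hash, and vice versa
            for i in gb:
                proofs[i].append(ha)
            nxt.append((branch_hash(ha, hb), ga + gb))
        if len(level) % 2:
            nxt.append(level[-1])  # an unpaired node is carried up unchanged
        level = nxt
    return level[0][0], proofs

def verify_script_path(root: bytes, script: bytes, proof: list[bytes]) -> bool:
    """Spender reveals one leaf and its proof; verifier recomputes the root, using no public key."""
    node = leaf_hash(script)
    for sibling in proof:
        node = branch_hash(node, sibling)
    return node == root

# Constructed stand-ins for a 2-of-3 multisig, a timelocked recovery and an inheritance clause
SAMPLE_SCRIPTS = [b"<2-of-3 multisig>", b"<CSV 1 year + recovery key>", b"<heir key>"]
```

Only the revealed leaf and its sibling hashes go on chain; the other branches stay hidden, which is why P2MR keeps multisig, timelock and inheritance clauses available without ever publishing a spending key.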
Features Retained by BIP-360
A common misconception is that abandoning the key path spending would weaken Bitcoin's smart contract or script capabilities. In fact, P2MR fully supports the following features:
· Multisig setups
· Timelocks
· Conditional payments
· Asset inheritance schemes
· Advanced custody arrangements
BIP-360 achieves all these functionalities through Tapscript Merkle Trees. This scheme retains full script capabilities while discarding the convenient but potentially risky direct signature path.
Background: Satoshi Nakamoto briefly mentioned quantum computing in early forum discussions and believed that if it became a reality, Bitcoin could transition to a stronger signature scheme. This indicates that reserving flexibility for future upgrades was part of the initial design philosophy.
Practical Implications of BIP-360
While BIP-360 may appear to be a purely technical improvement, its impact will have wide-reaching implications across wallets, exchange platforms, and custody services. If the proposal is adopted, it will gradually reshape how new Bitcoin outputs are created, spent, and managed, especially for users who value long-term quantum resistance.
· Wallet Support: Wallet applications may offer optional P2MR addresses (potentially starting with 'bc1z') as a "quantum-hardened" option for users to receive new coins or store assets for the long term.
· Transaction Fees: Since adopting a script path will introduce more witness data, P2MR transactions will be slightly larger compared to Taproot key path spending, potentially leading to slightly higher transaction fees. This reflects the trade-off between security and transaction efficiency.
· Ecosystem Coordination: Full deployment of P2MR requires wallets, exchanges, custody providers, hardware wallets, and other parties to update accordingly. The related planning and coordination work needs to start several years in advance.
Background: Governments worldwide have started to pay attention to the risk of "harvest now, decrypt later" attacks, in which large amounts of encrypted data are collected and stored today so they can be decrypted once quantum computers emerge. The same concern applies to Bitcoin's already exposed public keys.
The Explicit Boundaries of BIP-360
While BIP-360 enhances Bitcoin's defense against future quantum threats, it is not a complete overhaul of the cryptographic system. Understanding its limitations is equally crucial:
· Existing assets do not auto-upgrade: All old Unspent Transaction Outputs (UTXOs) remain vulnerable until users voluntarily move funds to a P2MR output. Therefore, the migration process entirely depends on users' individual actions.
· Does not introduce new post-quantum signatures: BIP-360 does not adopt lattice-based signature schemes (like Dilithium or ML-DSA) or hash-based signature schemes (like SPHINCS+) to replace the existing ECDSA or Schnorr signatures. It only removes the public key exposure pattern from the Taproot key path. A much larger protocol change would be needed to fully transition to post-quantum signatures at the base layer.
· Cannot provide absolute quantum immunity: Even if a practical Cryptographically Relevant Quantum Computer (CRQC) suddenly emerges in the future, resisting its impact will require large-scale, high-intensity collaboration among miners, nodes, exchanges, and custody providers. Long-dormant "lost coins" may pose complex governance issues and put significant pressure on the network.
Motivations for Developers' Forward-looking Planning
The technological development path of quantum computing is fraught with uncertainty. Some perspectives suggest that practical machines are still decades away, while others point to IBM's fault-tolerant quantum computing goals for the late 2020s, Google's breakthroughs in quantum chips, Microsoft's research on topological quantum computing, and the 2030-2035 transition window the U.S. government has set for its cryptographic systems as signs that progress is accelerating.
The migration of critical infrastructure requires a lengthy time horizon. Bitcoin developers emphasize that systematic planning is necessary at every stage, from BIP design and software implementation to infrastructure adaptation and user adoption. If action is postponed until the quantum threat looms large, the response will be rushed and reactive because too little time remains.
If the community reaches widespread consensus, BIP-360 may be advanced through a phased soft-fork approach:
· Activate the P2MR new output type.
· Wallets, exchanges, and custodians gradually add support for it.
· Users progressively migrate their assets to new addresses over several years.
This process is similar to the path from optional to widespread adoption experienced by Segregated Witness (SegWit) and the Taproot upgrade in previous years.
Extensive Discussion Around BIP-360
There is still ongoing discussion within the community regarding the urgency of implementing BIP-360 and its potential costs. Key issues include:
· Is a slight fee increase for long-term holders acceptable?
· Should institutional users be the first to migrate assets to demonstrate the process?
· How should "dormant" bitcoins that will never be moved be handled?
· How should wallet apps accurately convey the concept of "quantum security" to users, avoiding unnecessary panic while providing effective information?
These discussions are still ongoing. The proposal of BIP-360 has greatly spurred in-depth discussions on related issues but has by no means concluded all questions.
Background: The idea that quantum computers could break current cryptographic assumptions dates back to Shor's algorithm, published by mathematician Peter Shor in 1994, which predates the creation of Bitcoin. Bitcoin's planning for future quantum threats is therefore fundamentally a response to a theoretical breakthrough that has existed for over thirty years.
Actions Users Can Currently Take
Currently, the quantum threat is not imminent, and users need not be overly concerned. However, taking some cautious measures is beneficial:
· Adhere to the principle of not reusing addresses.
· Always use the latest version of wallet software.
· Stay informed about developments related to Bitcoin protocol upgrades.
· Note when wallet applications begin supporting the P2MR address type.
· Users holding a significant amount of Bitcoin should quietly assess their own risk exposure and consider devising an appropriate contingency plan.
BIP-360: The First Step Towards the Post-Quantum Era
BIP-360 marks Bitcoin's first concrete step at the protocol level to reduce quantum risk exposure. It redefines how new outputs are constructed, minimizing accidental key reveal and laying the groundwork for future long-term migration strategies.
It does not automatically upgrade existing bitcoins and it preserves the current signature scheme, which underscores a simple fact: achieving true quantum resistance requires a cautious, ecosystem-wide, ongoing effort. This relies on long-term engineering practice and phased community adoption, rather than the immediate impact of a single BIP proposal.