BIP-360 Explained: The First Step Towards a Quantum-Resistant Era

Analysis · updated 8 hours ago · Wyatt

Original compilation: AididiaoJP, Foresight News

This article explains how BIP-360 reshapes Bitcoin’s quantum defense strategy, analyzes its improvements, and discusses why it has not yet achieved comprehensive post-quantum security.

Key Points

  • BIP-360 formally incorporates quantum resistance into Bitcoin’s development roadmap for the first time, marking a prudent, incremental technological evolution rather than a radical overhaul of the cryptographic system.
  • Quantum risk primarily threatens exposed public keys, not the SHA-256 hash algorithm used by Bitcoin. Therefore, reducing public key exposure has become the core security issue developers are focusing on solving.
  • BIP-360 introduces the Pay-to-Merkle-Root (P2MR) output type. By removing the key path spending option of Taproot, it forces every spend of such an output to go through the script path, so an unspent P2MR output reveals only a hash commitment and no elliptic curve public key.
  • P2MR retains the flexibility of smart contracts, still supporting multi-signature, timelocks, and complex custody structures through the Tapscript Merkle tree.

Bitcoin’s design philosophy enables it to withstand severe economic, political, and technological challenges. As of March 10, 2026, its developer team is beginning to address an emerging technological threat: quantum computing.

The recently released Bitcoin Improvement Proposal 360 (BIP-360) formally lists quantum resistance in Bitcoin’s long-term technical roadmap for the first time. Although some media reports tend to portray it as a major change, the reality is more cautious and incremental.

This article will delve into how BIP-360 reduces Bitcoin’s quantum risk exposure by introducing the Pay-to-Merkle-Root (P2MR) script and removing Taproot’s key path spending functionality. It aims to clarify the proposal’s improvements, the trade-offs it introduces, and why it does not yet make Bitcoin fully post-quantum secure.

Sources of Quantum Computing Threats to Bitcoin

Bitcoin’s security is built on cryptographic foundations, primarily the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr signatures introduced via the Taproot upgrade. Traditional computers cannot feasibly derive a private key from a public key within a reasonable timeframe. However, a sufficiently capable quantum computer running Shor’s algorithm could potentially break the elliptic curve discrete logarithm problem, thereby compromising private key security.

The key distinctions are as follows:

  • Quantum attacks primarily threaten public-key cryptography, not hash functions. The SHA-256 algorithm used by Bitcoin is relatively robust against quantum computing. Grover’s algorithm only provides a quadratic speedup, not an exponential one.
  • The real risk begins the moment a public key becomes visible on the blockchain, and it persists for as long as funds remain spendable by that key.

Based on this, the community generally views public key exposure as the primary source of quantum risk.

Potential Vulnerabilities in Bitcoin by 2026

Different types of addresses in the Bitcoin network face varying degrees of future quantum threats:

  • Reused addresses: Spending from a P2PKH or P2WPKH address reveals the public key behind its hash. Any coins that remain in, or are later sent to, the same address are then protected only by that public key, which a future cryptographically relevant quantum computer (CRQC) could break.
  • Legacy Pay-to-Public-Key (P2PK) outputs: Early Bitcoin transactions placed the public key directly in the output, so those keys have been visible on-chain since the day they were created.
  • Taproot outputs: The Taproot upgrade (2021) provides two spending paths: a concise key path (one Schnorr signature against the output key) and a script path (revealing one leaf script plus a Merkle proof). The 32-byte tweaked output key is itself the scriptPubKey of every Pay-to-Taproot (P2TR) output, so that elliptic curve point is exposed from the moment the output is created, whether or not it is ever spent; a CRQC that solves its discrete logarithm can produce a valid key path spend. The key path is therefore the main weak point under a quantum attack.

BIP-360 is designed precisely to address this key path exposure issue.

The Core of BIP-360: Introducing P2MR

The BIP-360 proposal adds a new output type called Pay-to-Merkle-Root (P2MR). This type structurally draws from Taproot but makes one critical change: it completely removes the key path spending option.

Unlike Taproot, whose output key is an internal public key tweaked with the Merkle root of the script tree, P2MR commits to the Merkle root alone. Spending a P2MR output means:

1. Reveal one leaf script from the script tree.
2. Provide a Merkle proof (the sibling hashes along the path) showing that the leaf belongs to the committed Merkle root.
3. Satisfy whatever that leaf script requires, for example signatures or a timelock.

There is no spending path that bypasses the tree: a spender must always open the hash commitment. Note what this does and does not hide. While the output sits unspent, the chain shows only the Merkle root. The leaf script that is eventually revealed may itself contain elliptic curve public keys checked with OP_CHECKSIG, and those keys become visible at the moment that leaf is spent, first in the mempool and then permanently in the chain.

The direct impact of removing the key path spending includes:

  • An unspent P2MR output carries no elliptic curve point, only a 32-byte hash; there is no output key for a quantum attacker to solve for.
  • Every spend must open the hash-based commitment; elliptic curve public keys appear only inside the revealed leaf script, and only at the moment that leaf is spent.
  • The number of elliptic curve public keys that sit on the chain indefinitely, waiting for a future CRQC, is reduced substantially.
  • Because Grover’s algorithm only gives a quadratic speedup, hash commitments hold up far better against quantum attack than anything resting on the elliptic curve discrete logarithm; the exposed attack surface shrinks to the brief window in which a leaf script and its keys are revealed.
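To make the commitment concrete, here is an added example (not code from the BIP-360 draft or from Bitcoin Core) that builds a two-leaf script tree with the BIP341 TapLeaf/TapBranch tagged-hash construction Taproot uses, produces the sibling path a spender reveals, verifies it the way a node does, and then shows the two scriptPubKeys side by side: a P2TR output holding the tweaked curve point Q, and a P2MR output holding only the root. Assumptions: P2MR reuses the BIP341 tree hashing (the article says it is built on the Tapscript Merkle tree; the exact tags in the final draft are assumed here) and is encoded as OP_2 followed by the 32-byte root (the article’s “bc1z” hint); the leaf scripts are constructed filler rather than validated Tapscript; the secp256k1 arithmetic is a bare minimum for illustration, not a library to reuse.

```python
"""Added example: BIP341-style script tree, script-path proof, and what a
P2TR output exposes (a curve point) versus a P2MR output (a hash).
Not code from the BIP-360 draft. P2MR's OP_2 encoding is an assumption."""
import hashlib
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]           # None = point at infinity

def tagged_hash(tag: str, msg: bytes) -> bytes:
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def tapleaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    assert len(script) < 253                 # one-byte CompactSize length
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))                  # BIP341 sorts the two children
    return tagged_hash("TapBranch", lo + hi)

def build_tree(leaf_hashes: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Balanced tree. Returns (root, proofs); proofs[i] is the sibling path
    that recomputes the root from leaf i (the 32-byte control block elements)."""
    nodes = [(h, [i]) for i, h in enumerate(leaf_hashes)]   # (hash, leaves below)
    proofs: List[List[bytes]] = [[] for _ in leaf_hashes]
    while len(nodes) > 1:
        nxt = []
        for j in range(0, len(nodes) - 1, 2):
            (ha, la), (hb, lb) = nodes[j], nodes[j + 1]
            for i in la:
                proofs[i].append(hb)
            for i in lb:
                proofs[i].append(ha)
            nxt.append((tapbranch_hash(ha, hb), la + lb))
        if len(nodes) % 2:                   # odd node is carried up unchanged
            nxt.append(nodes[-1])
        nodes = nxt
    return nodes[0][0], proofs

def verify_script_path(root: bytes, script: bytes, proof: List[bytes],
                       leaf_version: int = 0xC0) -> bool:
    """Node-side check: hash the revealed leaf, fold in each sibling from the
    control block, compare with the committed root."""
    k = tapleaf_hash(script, leaf_version)
    for sibling in proof:
        k = tapbranch_hash(k, sibling)
    return k == root

# Minimal secp256k1 arithmetic, only to show the Taproot tweak.
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p: Point, q: Point) -> Point:
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k: int, p: Point) -> Point:
    r: Point = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def p2tr_script_pubkey(internal_key: Tuple[int, int], root: bytes) -> bytes:
    """BIP341: Q = P + int(tagged_hash('TapTweak', xonly(P) || root)) * G.
    xonly(Q) is the scriptPubKey itself, so every P2TR output publishes a
    curve point a CRQC could attack before the output is ever spent."""
    x, y = internal_key
    if y % 2:                                # x-only keys imply even y
        y = P - y
    t = int.from_bytes(tagged_hash("TapTweak", x.to_bytes(32, "big") + root), "big")
    q = ec_add((x, y), ec_mul(t, G))
    return b"\x51\x20" + q[0].to_bytes(32, "big")       # OP_1 PUSH32 <xonly(Q)>

def p2mr_script_pubkey(root: bytes) -> bytes:
    """Assumed P2MR encoding: witness v2 program = the Merkle root. Nothing
    here is a curve point; keys appear only in a leaf revealed at spend time."""
    return b"\x52\x20" + root                            # OP_2 PUSH32 <root>

# Constructed leaves (opcode bytes are illustrative, not validated Tapscript):
# leaf 0: <key_a> OP_CHECKSIG; leaf 1: <144> OP_CSV OP_DROP <key_b> OP_CHECKSIG
LEAVES = [b"\x20" + bytes(32) + b"\xac",
          b"\x02\x90\x00\xb2\x75\x20" + bytes([1] * 32) + b"\xac"]

def demo() -> dict:
    root, proofs = build_tree([tapleaf_hash(s) for s in LEAVES])
    internal = ec_mul(0x1234_5678_9ABC_DEF0, G)         # constructed internal key
    return {
        "root": root,
        "proof_ok": verify_script_path(root, LEAVES[1], proofs[1]),
        "tampered_ok": verify_script_path(root, LEAVES[1] + b"\x00", proofs[1]),
        "p2tr": p2tr_script_pubkey(internal, root),     # 0x51 0x20 <curve point>
        "p2mr": p2mr_script_pubkey(root),               # 0x52 0x20 <hash only>
    }
```

Running `demo()` shows the asymmetry the article is about: both scriptPubKeys are 34 bytes, but the P2TR one is a point on secp256k1 (its discrete logarithm is exactly the key-path spending key), while the P2MR one is a SHA-256-derived commitment that only a revealed leaf can open. The proof verification is the same fold a node performs over a BIP341 control block, so a tampered leaf or a proof borrowed from another leaf fails.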

Functionality Preserved by BIP-360

A common misconception is that abandoning the key path spending weakens Bitcoin’s smart contract or scripting capabilities. In fact, P2MR fully supports the following functionalities:

  • Multi-signature configurations
  • Timelocks
  • Conditional payments
  • Asset inheritance schemes
  • Advanced custody arrangements

BIP-360 implements all the above through the Tapscript Merkle tree. This scheme retains full scripting capability while discarding the convenient but potentially risky direct signature path.

Background: Satoshi Nakamoto briefly mentioned quantum computing in early forum discussions, suggesting that if it became a reality, Bitcoin could migrate to stronger signature schemes. This indicates that building flexibility for future upgrades was part of the initial design philosophy.

Practical Impact of BIP-360

Although BIP-360 appears to be a purely technical improvement, its impact will broadly affect wallets, exchanges, and custody services. If adopted, it will gradually reshape how new Bitcoin outputs are created, spent, and stored, particularly having a profound impact on users who prioritize long-term quantum resistance.

  • Wallet Support: Wallet applications may offer optional P2MR addresses (potentially starting with “bc1z”) as a “quantum-hardened” option for users to receive new coins or store long-term holdings.
  • Transaction Fees: A script path spend must reveal the leaf script plus a Merkle proof (in Taproot, a control block of 33 + 32·m bytes for a tree of depth m), whereas a Taproot key path spend needs only one 64-byte Schnorr signature. P2MR spends are therefore somewhat larger, and witness bytes, although discounted, still cost fees. This represents a trade-off between security and transaction compactness.
  • Ecosystem Coordination: Full deployment of P2MR requires corresponding updates from wallets, exchanges, custodians, and hardware wallets. Related planning and coordination work needs to start years in advance.

Background: Governments have begun to pay attention to the “harvest now, decrypt later” risk, which involves collecting and storing encrypted data en masse today for future decryption when quantum computers arrive. This strategy mirrors the potential concern regarding Bitcoin’s exposed public keys.

The Clear Boundaries of BIP-360

Although BIP-360 enhances Bitcoin’s defense against future quantum threats, it is not a complete cryptographic system overhaul. Understanding its limitations is equally crucial:

  • Existing Assets Are Not Automatically Upgraded: All old unspent transaction outputs (UTXOs) remain vulnerable until users actively move funds to P2MR outputs. Therefore, the migration process depends entirely on individual user actions.
  • Does Not Introduce New Post-Quantum Signatures: BIP-360 does not replace ECDSA or Schnorr with a lattice-based scheme (ML-DSA, formerly CRYSTALS-Dilithium) or a hash-based one (SLH-DSA, formerly SPHINCS+). Signatures inside P2MR leaf scripts are still elliptic curve signatures; the proposal only removes the key path exposure pattern of Taproot outputs. Bringing post-quantum signatures to the base layer would be a far larger protocol change.
  • Does Not Provide Absolute Quantum Immunity: If a working CRQC appeared suddenly, P2MR funds would still be exposed briefly while a revealed leaf script and its keys wait in the mempool, and old outputs whose keys are already public would be open to theft. Containing the damage would require intensive coordination among miners, nodes, exchanges, and custodians, and long-dormant “sleeping coins” held in exposed outputs (early P2PK coins, for example) would raise hard governance questions and put the network under severe pressure.

Motivations for Developers’ Forward-Looking Planning

The technological development path of quantum computing is fraught with uncertainty. Some believe its practical application is still decades away, while others point to IBM’s goal for fault-tolerant quantum computers by the late 2020s, Google’s breakthroughs in quantum chips, Microsoft’s research in topological quantum computing, and the U.S. government’s 2030-2035 timeline for transitioning cryptographic systems as indicators of accelerating progress.

Migrating critical infrastructure requires long timeframes. Bitcoin developers emphasize the need for systematic planning across all stages: from BIP design and software implementation to infrastructure adaptation and user adoption. Waiting until the quantum threat is imminent could lead to insufficient time for action.

If a broad community consensus is reached, BIP-360 could be advanced through a phased soft fork approach:

  • Activate the new P2MR output type.
  • Wallets, exchanges, and custodians gradually add support for it.
  • Users migrate assets to new addresses incrementally over several years.

This process is similar to the path from optional to widespread adoption experienced by previous upgrades like Segregated Witness (SegWit) and Taproot.

Broad Discussion Surrounding BIP-360

There is ongoing discussion within the community regarding the urgency of implementing BIP-360 and its potential costs. Core topics include:

  • Is the slight fee increase for long-term holders acceptable?
  • Should institutional users lead the asset migration to set an example?
  • How should “sleeping” Bitcoins that may never be moved be properly handled?
  • How should wallet applications accurately convey the concept of “quantum security” to users, avoiding unnecessary panic while providing effective information?

These discussions are still ongoing. The proposal of BIP-360 has greatly advanced the in-depth discussion of related issues but is far from providing definitive answers to all questions.

Background: The theoretical concept that quantum computers could break current cryptography dates back to 1994 when mathematician Peter Shor proposed Shor’s algorithm, long before Bitcoin’s creation. Therefore, Bitcoin’s planning for future quantum threats is essentially a response to this theoretical breakthrough that is already over thirty years old.

Measures Users Can Currently Take

Currently, the quantum threat is not imminent, and users need not be overly concerned. However, taking some prudent measures is beneficial:

  • Adhere to the principle of not reusing addresses.
  • Always use the latest version of wallet software.
  • Stay informed about Bitcoin protocol upgrade developments.
  • Pay attention to when wallet applications begin supporting the P2MR address type.
  • Users holding significant amounts of Bitcoin should quietly assess their own risk exposure and consider developing corresponding contingency plans.
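For readers who want to “assess their own risk exposure” rather than guess, here is an added example (not a tool from the BIP-360 draft or any wallet) that sorts a set of unspent outputs into the exposure classes described under “Potential Vulnerabilities in Bitcoin by 2026”: key already on-chain (P2PK, P2TR), key hidden behind a hash until spend (P2PKH, P2WPKH, P2WSH, P2MR), and the address-reuse case, where a hash-type scriptPubKey has already been spent from once and its key or script is therefore public. Assumptions: P2MR is encoded as OP_2 followed by a 32-byte program (the article’s “bc1z” hint); the wallet state and spend history are constructed filler, and in practice the `spent_from` set would be built from the prevouts of the wallet’s own past transactions.

```python
"""Added example: UTXO quantum-exposure audit over constructed data.
Not a tool from the BIP-360 draft. P2MR's OP_2 encoding is an assumption."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

OP_0, OP_1, OP_2 = 0x00, 0x51, 0x52
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

@dataclass(frozen=True)
class Utxo:
    outpoint: str            # "txid:vout"
    script_pubkey: bytes
    value_sat: int

def script_type(spk: bytes) -> str:
    """Recognise the standard output templates by their exact byte layout."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"                                    # <pubkey> OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"                                    # program is the tweaked key
    if n == 34 and spk[:2] == bytes([OP_2, 32]):
        return "p2mr"                                    # assumed encoding
    return "unknown"

# What a quantum attacker can read from the output while it sits unspent.
KEY_ON_CHAIN = {"p2pk", "p2tr"}
HASH_UNTIL_SPEND = {"p2pkh", "p2wpkh", "p2wsh", "p2mr"}

def classify(u: Utxo, spent_from: Set[bytes]) -> str:
    t = script_type(u.script_pubkey)
    if t in KEY_ON_CHAIN:
        return "exposed: key on-chain"
    if t in HASH_UNTIL_SPEND:
        if u.script_pubkey in spent_from:
            # Address reuse: an earlier spend already revealed the key or
            # script behind this hash, so the hash no longer hides anything.
            return "exposed: reused script"
        return "hidden until spend"
    return "unknown"

def audit(utxos: Iterable[Utxo],
          spent_from: Set[bytes]) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Return satoshis per exposure class plus a per-UTXO finding list."""
    totals: Dict[str, int] = {}
    findings: List[Tuple[str, str, str]] = []
    for u in utxos:
        c = classify(u, spent_from)
        totals[c] = totals.get(c, 0) + u.value_sat
        findings.append((u.outpoint, script_type(u.script_pubkey), c))
    return totals, findings

# Constructed wallet state; keys and hashes are filler bytes, not real ones.
REUSED_P2WPKH = bytes([OP_0, 20]) + bytes([7] * 20)
UTXOS = [
    Utxo("a1:0", b"\x21\x02" + bytes(32) + bytes([OP_CHECKSIG]), 50_000_000),   # 2009-style P2PK
    Utxo("b2:1", bytes([OP_DUP, OP_HASH160, 20]) + bytes([5] * 20)
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1_000_000),                     # fresh P2PKH
    Utxo("c3:0", REUSED_P2WPKH, 2_000_000),                                      # address spent from before
    Utxo("d4:0", bytes([OP_1, 32]) + bytes([9] * 32), 3_000_000),                # P2TR
    Utxo("e5:2", bytes([OP_2, 32]) + bytes([3] * 32), 4_000_000),                # P2MR (assumed)
]
# scriptPubKeys that appear as prevouts of inputs in the wallet's own history.
SPENT_FROM = {REUSED_P2WPKH}

def run_audit() -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    return audit(UTXOS, SPENT_FROM)
```

The point of the `spent_from` check is that the hash behind a P2PKH, P2WPKH, P2WSH or P2MR output protects nothing once that same scriptPubKey has been spent from: the key (or, for P2MR, one usable leaf script with its keys) is then public. A wallet that never reuses a scriptPubKey never lands in that class, which is what the “do not reuse addresses” rule buys you today, before any protocol change.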

BIP-360: The First Step Towards a Quantum-Resistant Era

BIP-360 marks the first concrete step for Bitcoin in reducing quantum risk exposure at the protocol level. It redefines how new outputs are created, minimizes the accidental leakage of public keys, and lays the groundwork for future long-term migration planning.

It does not automatically upgrade existing Bitcoin, preserves the current signature system, and highlights the fact that achieving true quantum-resistant security requires a carefully coordinated, ecosystem-wide, sustained effort. This relies on long-term engineering practice and phased community adoption, not something a single BIP proposal can accomplish overnight.
