Each technological breakthrough in quantum computing forces a reassessment of Bitcoin’s long-term security timeline. When Google moved the post-quantum cryptography migration deadline up to 2029, and when academia demonstrated a quantum circuit capable of deriving a private key from a public key in just nine minutes, the Bitcoin developer community responded in kind. In February 2026, BIP-360, "Pay-to-Merkle-Root (P2MR)," was officially merged into the bitcoin/bips repository, marking the first time quantum resistance has been integrated into Bitcoin’s formal upgrade path. This is not a radical cryptographic revolution, but rather a cautious and incremental structural defense.
Why Has the Quantum Threat Become a Structural Variable Now?
Over the past week, the quantum computing field underwent a fundamental paradigm shift. A paper jointly published by Google’s quantum team and Stanford professor Dan Boneh confirmed that with just 1,200–1,400 logical quantum bits, it’s possible to break Bitcoin’s Elliptic Curve Digital Signature Algorithm (ECDSA) in about nine minutes. This figure is nearly an order of magnitude lower than previous industry estimates of 10,000 logical qubits. Even more crucially, Oratomic’s neutral atom architecture suggests that only 10,000 physical qubits are needed to achieve this, while Caltech has already built a neutral atom array with 6,100 qubits. This means quantum threats in the lab are moving from theory to engineering validation.
For Bitcoin, the risk isn’t aimed at the SHA-256 hash algorithm, but rather at public keys exposed on-chain during transactions. Once quantum computers can reverse-engineer private keys from public keys, all reused addresses, legacy P2PK outputs, and Taproot key-path spends will be at risk. According to ARK Invest estimates, roughly 34.6% of Bitcoin’s supply—about 6.9 million BTC—may be exposed to this risk.
How Does BIP-360 Mechanically Reduce Public Key Exposure?
The core of BIP-360 is the introduction of a new output type called Pay-to-Merkle-Root (P2MR). Structurally, it draws on the Taproot upgrade from 2021 but makes a critical change: it completely removes the key-path spend option.
In traditional Taproot transactions, spenders can choose to spend UTXOs via the key path (exposing the tweaked public key) or the script path (providing a Merkle proof). The key path is efficient but comes at the cost of writing the public key to the blockchain. P2MR, however, mandates that all UTXO spends must go through the script path. Specifically, P2MR outputs only commit to the Merkle root of the script tree, without committing to any internal public key. When users need to spend, they simply reveal the specific script leaf and provide a Merkle proof—no elliptic curve public key is exposed on-chain throughout the process. This mechanism directly cuts off the primary entry point for quantum attacks: exposed public keys.
What Structural Trade-Offs Are Required for Enhanced Security?
Every security upgrade comes with trade-offs, and P2MR is no exception. The most direct cost is in transaction fees. Because it uses the script path instead of the simpler key path, P2MR transactions must carry more witness data (including Merkle proofs and script content), increasing transaction size and, consequently, fees. For everyday users, this is a visible increase in cost.
A deeper trade-off lies between user experience and security. The key path was designed to offer a more economical and faster spending option. Removing this pathway means all transactions revert to the script path, which strengthens quantum resistance but sacrifices some efficiency. Furthermore, P2MR is not a fully post-quantum signature scheme. It doesn’t introduce lattice-based Dilithium signatures or hash-based SPHINCS+ signatures to replace ECDSA and Schnorr. Instead, it plugs the current vulnerability of public key exposure without overhauling Bitcoin’s cryptographic foundation.
What Does This Mean for the Crypto Industry Landscape?
The rollout of BIP-360 is quietly reshaping the evolution of industry infrastructure. For wallet providers, supporting P2MR addresses (expected to start with bc1z) will become a new dimension for differentiating product security levels. Long-term holders can choose to migrate assets to these quantum-resistant addresses, proactively reducing future risk. For exchanges and custodians, this means evaluating the public key exposure of existing user assets and preparing migration guidance mechanisms.
The broader impact is on asset classification. In the future, the market may naturally split Bitcoin into two categories: "secure reserves" stored long-term in quantum-resistant addresses, and "circulating assets" left in traditional addresses, frequently traded and with exposed public keys. This split could affect liquidity preferences and valuation logic. From a technical development perspective, BIP-360 also offers other blockchains a reference model—how to reduce risk exposure at the protocol level before fully migrating to post-quantum signatures.
What Paths Might Future Evolution Take?
The technical path for BIP-360 is relatively clear, but its adoption in society remains uncertain. Technically, the most likely scenario is a phased soft fork: first, activate the new P2MR output type, allowing users to opt in; then, wallets, exchanges, and custodians gradually add support; finally, users migrate assets over several years. This process mirrors the adoption of SegWit and Taproot.
However, building social consensus may be more challenging than technical implementation. BTQ Technologies has already deployed a working implementation of BIP-360 on the Bitcoin quantum testnet, attracting over 50 miners and mining more than 100,000 blocks. But this testnet operates independently of Bitcoin’s mainnet, bypassing main chain governance. For BIP-360 to enter Bitcoin’s core codebase, broad consensus among miners, developers, and users is still needed. BTQ President Christopher Tam put it bluntly: "This is a social issue. There are some ‘high priests’ in the Bitcoin community who need to be convinced."
What Potential Risks Need to Be Flagged?
While BIP-360 is an important preventive upgrade, its limitations shouldn’t be overlooked. First, existing assets won’t be automatically protected. All old UTXOs remain at risk of public key exposure until users actively move them to P2MR outputs. This means that even after the upgrade, the network will still contain many vulnerable assets for a long time—especially early addresses mined by Satoshi and long-dormant "sleeping coins."
Second, BIP-360 is not the endpoint. Once truly usable cryptographically relevant quantum computers (CRQCs) appear, merely reducing public key exposure won’t be enough; a full migration to post-quantum signature schemes will be necessary.
Third, there are significant differences between the testnet and mainnet. The BTQ testnet uses a one-minute target block time to speed up iterative testing, which differs from Bitcoin’s ten-minute mainnet block interval. Solutions validated on the testnet will need their security boundaries reassessed when migrating to mainnet.
Finally, quantum technology is advancing rapidly. Google’s 2029 migration deadline and the US federal government’s NSM-10 directive setting an April 2026 post-quantum cryptography migration deadline are compressing the industry’s response window.
Summary
The introduction of BIP-360 marks Bitcoin’s shift from passive response to quantum threats toward proactive defense. By removing Taproot’s key path and mandating script path spends, it significantly reduces the risk of public key exposure on-chain. But this is neither the endpoint nor a panacea. It’s a cautious, incremental technical preparation that buys time for a future full migration to post-quantum signatures.
For the crypto industry, understanding BIP-360’s significance isn’t about seeing it as the ultimate solution, but about recognizing that at the threshold of a cryptographic paradigm shift, early planning and systematic preparation are far more important than emergency response. The countdown to quantum computing has begun, and Bitcoin’s developers and ecosystem participants are meeting this thirty-year theoretical challenge with a structural code modification.
FAQ
Q: Will BIP-360 make Bitcoin completely immune to quantum attacks?
No. BIP-360 only reduces the risk of public key exposure; it doesn’t replace the current elliptic curve signature algorithm. Once truly usable cryptographically relevant quantum computers emerge, a full migration to post-quantum signature schemes will still be necessary.
Q: What should ordinary users do now?
Quantum threats aren’t imminent, so there’s no need to panic. However, users should start practicing address reuse avoidance, monitor when wallet apps begin supporting P2MR address types, and stay updated on Bitcoin protocol upgrade developments.
Q: How are P2MR addresses different from existing addresses?
P2MR addresses are expected to start with bc1z and belong to SegWit version 2 output types. The key difference is that all spends are forced through the script path, preventing direct public key exposure on-chain.
Q: When will BIP-360 be activated on Bitcoin’s mainnet?
BIP-360 is currently in Draft status and hasn’t been merged into Bitcoin’s core codebase. The activation timeline depends on the progress of community consensus and is not yet determined.
Q: Why not upgrade directly to post-quantum signatures?
Post-quantum signature schemes (such as lattice-based signatures) are much larger in size and would place significant demands on Bitcoin’s block space and node performance. BIP-360 is a gradual solution that reduces risk while maintaining current network efficiency, buying time for more comprehensive upgrades.
