BIP-360 In-Depth Analysis: How Does Bitcoin Take Its First Step Toward Quantum Resistance?
Every time quantum computing achieves a technical breakthrough, it forces a reassessment of the timeline for Bitcoin’s long-term security. When Google moved the deadline for post-quantum cryptography migration up to 2029, and when academia demonstrated quantum circuits that can derive a private key from a public key in just 9 minutes, the Bitcoin developer community delivered its own answer. In February 2026, BIP-360 “Pay-to-Merkle-Root (P2MR)” was officially merged into the bitcoin/bips repository, marking the first time Bitcoin formally incorporated anti-quantum capability into an official upgrade path. This is not an aggressive cryptography revolution, but a careful, incremental, structural defense.
Why are quantum threats becoming a structural variable right now?
Over the past week, the field of quantum computing has undergone a fundamental paradigm shift. A paper co-authored by Google’s quantum team and Stanford professor Dan Boneh confirms that with only 1,200–1,400 logical qubits, the elliptic curve digital signature algorithm (ECDSA) that protects Bitcoin can be broken in about 9 minutes. This figure is nearly an order of magnitude lower than the industry’s prior estimate of 10,000 logical qubits. More importantly, Oratomic’s neutral atom architecture shows that this goal can be achieved with only 10,000 physical qubits, while Caltech has already built a neutral atom array containing 6,100 qubits. This means the quantum threat in the lab is moving from theory to engineering verification. For Bitcoin, the risk is not aimed at the SHA-256 hashing algorithm, but rather centers on the public keys exposed on-chain when transactions occur. Once a quantum computer can derive private keys from public keys in reverse, all repeated-use addresses, legacy P2PK outputs, and Taproot key-path spends will be at risk. According to ARK Invest’s estimate, about 34.6% of Bitcoin’s supply (about 6.9 million BTC) may be exposed to this risk.
How does BIP-360 reduce public key exposure at the mechanism level?
The core of BIP-360 is a new output type called Pay-to-Merkle-Root (P2MR). Structurally, this approach borrows from the 2021 Taproot upgrade, but makes one key change: it completely removes the option for key-path spending. In a traditional Taproot transaction, spenders can choose to spend a UTXO either via the key path (exposing a tweaked public key) or via the script path (providing a Merkle proof). The key path is efficient, but the trade-off is writing the public key to the blockchain. P2MR instead forces all UTXO spends to be completed through the script path. Specifically, a P2MR output only commits to the Merkle root of the script tree, not to any internal public key. When a user needs to spend, they only reveal the specific script leaf node and provide the Merkle proof; the entire process avoids on-chain exposure of any elliptic curve public key. This mechanism directly cuts off the most critical entry point for quantum attacks: exposed public keys.
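The commit-and-reveal flow described above, as an added example that is not from the article or from the BIP-360 text. It assumes P2MR reuses BIP-341's tagged-hash tree (the TapLeaf and TapBranch tags and leaf version 0xc0); the three scripts are constructed placeholder bytes.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    # BIP-340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def compact_size(n: int) -> bytes:
    # Bitcoin variable-length integer, enough for scripts under 64 KiB
    return bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")

def leaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    # Assumption: leaves are hashed as in BIP-341 (version || len || script)
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)

def branch_hash(a: bytes, b: bytes) -> bytes:
    # Children are sorted, so a proof needs no left/right direction bits
    lo, hi = sorted((a, b))
    return tagged_hash("TapBranch", lo + hi)

def build_tree(leaves):
    """Return (root, proofs); proofs[i] lists leaf i's sibling hashes, leaf to root."""
    level = [(h, [i]) for i, h in enumerate(leaves)]
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (ha, ia), (hb, ib) = level[j], level[j + 1]
            for i in ia:
                proofs[i].append(hb)
            for i in ib:
                proofs[i].append(ha)
            nxt.append((branch_hash(ha, hb), ia + ib))
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is carried up unchanged
        level = nxt
    return level[0][0], proofs

def verify_spend(committed_root: bytes, script: bytes, path, leaf_version: int = 0xC0) -> bool:
    # The spender reveals one script and its path; the other leaves stay hidden
    node = leaf_hash(script, leaf_version)
    for sibling in path:
        node = branch_hash(node, sibling)
    return node == committed_root

# Constructed placeholder scripts, not real spending conditions
SCRIPTS = [b"\x51", b"\x52\x87", b"constructed-leaf-3"]
ROOT, PROOFS = build_tree([leaf_hash(s) for s in SCRIPTS])
```

Only the 32-byte `ROOT` would be committed in the output; a spend that reveals `SCRIPTS[2]` carries a one-hash path, while the deeper leaves each carry two.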
What structural trade-offs are required for security improvements?
Any security upgrade comes with trade-offs, and P2MR is no exception. The most direct cost shows up in transaction fees. Because it uses the script path instead of the compact key path, P2MR transactions must carry more witness data (including the Merkle proof and script content), which increases transaction size and in turn raises fees. For ordinary users, this is an explicit increase in cost. The deeper trade-off is the choice between user experience and security. The reason the key path was designed in the first place is to provide a more economical, faster way to spend. Once that path is removed, all transactions revert to the script path. This strengthens anti-quantum capability, but also sacrifices some efficiency to a certain degree. In addition, P2MR is not a complete post-quantum signature scheme. It does not introduce lattice-based Dilithium signatures or hash-based SPHINCS+ signatures to replace the existing ECDSA and Schnorr signatures. It only plugs the vulnerability of current public key exposure, rather than reshaping Bitcoin’s underlying cryptographic foundation.
What does this mean for the broader crypto industry landscape?
The rollout of BIP-360 is quietly reshaping the direction of the industry’s infrastructure evolution. For wallet providers, supporting P2MR addresses (expected to start with bc1z) will become a new dimension for differentiating the security level of products. Long-term holders can choose to migrate their assets to these anti-quantum addresses, proactively reducing future risk. For exchanges and custodial institutions, this means they need to assess the extent of current users’ public key exposure and prepare corresponding migration guidance mechanisms. The more far-reaching impact is on asset classification. In the future, the market may naturally split into two categories of Bitcoin: one class held long-term in anti-quantum addresses as “safe reserves,” and another class still kept in traditional addresses for frequent trading and therefore with public keys exposed as “circulating assets.” This split may affect liquidity preferences and valuation logic. From the perspective of the technical development path, the emergence of BIP-360 also provides a reference paradigm for other public chains—before fully migrating to post-quantum signatures, how to reduce risk exposure through protocol-layer fine-tuning.
What paths might future evolution follow?
BIP-360’s technical path is relatively clear, but its path to social adoption remains highly uncertain. From a technical evolution standpoint, the most likely scenario is phased soft-fork rollout: first activating the new P2MR output type to allow users to choose to use it proactively; then having wallets, exchanges, and custodians gradually increase support; and finally, users migrating assets progressively over the next few years. This process is similar to the adoption path of SegWit and Taproot. However, building social consensus may be more challenging than implementing the technology. BTQ Technologies has already deployed a working implementation of BIP-360 on Bitcoin’s quantum testnet, attracting more than 50 miners and mining over 100,000 blocks. But this testnet runs independently of the Bitcoin mainnet, bypassing the governance process of the main chain. For BIP-360 to truly enter Bitcoin Core’s codebase, broad consensus among miners, developers, and users is still required. BTQ president Christopher Tam put it bluntly: “This is a social problem. There are some ‘high priests’ in the Bitcoin community that need to be convinced.”
What potential risks deserve attention?
Although BIP-360 is an important preventive upgrade, its limitations should not be ignored. First, existing assets do not automatically get protected. Until users actively move all old UTXOs to P2MR outputs, the risk of public key exposure remains. This means that even after the upgrade is complete, there will still be a large amount of vulnerable assets in the network for the long term, especially early Satoshi-era mining addresses and dormant “sleeping coins” that have not moved for years. Second, BIP-360 is not the endpoint. Once genuinely usable cryptographically relevant quantum computers (CRQC) appear, simply reducing public key exposure will no longer be enough to handle the threat; migration to a complete post-quantum signature scheme will still be necessary. Third, there is a significant difference between the testnet and the mainnet. BTQ’s testnet uses a 1-minute target block time to accelerate iteration testing, which differs from Bitcoin mainnet’s 10-minute block interval. Even if a solution passes verification on the testnet, the security boundary still needs to be reassessed when migrating to the mainnet. Finally, progress in quantum technology is still accelerating. Google’s migration deadline of 2029, and the post-quantum cryptography migration deadline after April 2026 under the U.S. federal government NSM-10 directive, both compress the time window for industry response.
Summary
The proposal of BIP-360 marks Bitcoin’s shift from passively responding to quantum threats to actively building layers of defense. By removing the Taproot key path and forcing the use of the script path, it significantly reduces the risk of on-chain public key exposure. But this is neither the end nor a universal cure. It is a cautious, incremental technical preparation that buys time for a future full migration to post-quantum signatures. For the crypto industry, understanding the significance of BIP-360 is not about viewing it as a final solution, but about recognizing this: at the critical point of cryptographic paradigm change, early planning and system design matter far more than emergency response. The countdown to quantum computing has already begun, and Bitcoin’s developers and ecosystem participants are responding to a theoretical challenge that spans three decades with a structural code change.
FAQ
Q: Can BIP-360 make Bitcoin completely immune to quantum attacks?
No. BIP-360 only reduces the risk of public key exposure and does not replace the existing elliptic curve signature algorithms. If truly usable cryptographically relevant quantum computers emerge, migration to a complete post-quantum signature scheme will still be required.
Q: What do ordinary users need to do now?
At present, the quantum threat is not imminent, so users do not need to panic. But they can start developing the habit of not reusing addresses, watch for when wallet applications begin supporting the P2MR address type, and continue to track changes in Bitcoin protocol upgrades.
Q: How is a P2MR address different from existing addresses?
A P2MR address is expected to start with bc1z and belongs to the SegWit version 2 output type. Its core difference is that it forces all spending to occur via the script path, avoiding direct exposure of the public key on-chain.
Q: When will BIP-360 activate on Bitcoin’s mainnet?
At present, BIP-360 is still in Draft status and has not yet been merged into Bitcoin Core’s codebase. The exact activation time depends on how quickly community consensus is reached, and there is no clear timeline yet.
Q: Why not upgrade directly to post-quantum signatures?
Post-quantum signature schemes (such as lattice-based signatures) are larger in size, creating significant pressure on Bitcoin’s block space and node performance. BIP-360 is an incremental approach: while reducing risk, it maintains network efficiency and leaves time for a more thorough upgrade.