In the quest to prepare the Bitcoin ecosystem to handle future quantum computing threats, Bitcoin developers have officially submitted BIP-360 into the Bitcoin Improvement Proposal repository. This milestone will place quantum resistance properly on Bitcoin’s technical roadmap for the first time ever. The proposal, which was co-authored by Hunter Beast (senior protocol engineer at MARA), cryptographic researcher Ethan Hellman, and technical communications specialist Foxen Duke, introduces a new output type known as Pay-to-Merkle-Root (P2MR) . This output type is designed to function similarly to Bitcoin’s Taproot addresses while eliminating the quantum-vulnerable spending method that makes current addresses susceptible to attack if sufficiently advanced quantum computers emerge. Pay-to-Merkle-Root removes Taproot’s vulnerability P2MR operates with a very similar functionality to Pay-to-Taproot (P2TR) outputs (Bitcoin’s most advanced address format, and introduced in 2021). However, there is one major difference- P2TR removes the “key-path spend” option that allows users to spend directly with a signature against a public key. According to the BIP-360 specification , this key-path mechanism creates the primary quantum vulnerability in Taproot because it exposes a tweaked public key on-chain, potentially allowing sufficiently powerful quantum computers running Shor’s algorithm to obtain the corresponding private key. On the other hand, P2MR commits exclusively to the Merkle root of a Tapscript tree without including an internal public key. When users are spending from a P2MR output, they must reveal a script path (provide a leaf script from the Merkle tree along with the proof showing its inclusion). Experts explained that because hashing algorithms are generally considered more quantum-secure than elliptic curve signatures, this method offers a lot more quantum resistance. This new technical structure preserves Bitcoin’s smart contract flexibility. Users will still be able to create complex spending conditions through Tapscript (the scripting language that enables features like multi-signature wallets, time-locked transactions, and conditional payments). However, forcing all spends through the script path and eliminating direct public key exposure allows P2MR to drastically reduce the attack surface for quantum computers. Other analysts also discovered that Taproot addresses (beginning with “bc1p”), Pay-to-Public-Key (P2PK) outputs, and reused addresses are some of Bitcoin’s vulnerable address types due to the fact that public keys would be visible in scenarios like the ones mentioned in this report. P2MR addresses, which would begin with “bc1z” under current proposals, will offer protection against this exposure, but it might incur slightly higher transaction fees due to the additional witness data required for script path spends. How far away is the quantum threat to Bitcoin? The urgency behind BIP-360 originates from accelerating quantum computing development across multiple fronts. Industry roadmaps led by the likes of IBM, Google, Microsoft, Amazon and Intel suggest that quantum computers may be able to decrypt the Elliptic Curve Digital Signature Algorithm (ECDSA) cryptography used for Bitcoin’s public-private key encryption “in as little as 5 years” according to analysis by the BIP-360 team. Recent breakthroughs have intensified these concerns as well. Google launching its “Willow” quantum chip in December 2025, and Microsoft’s progress on Majorana 1 chip development brought quantum computing’s potential threat to Bitcoin further into the light. While experts debate the exact timeline for when “Cryptographically Relevant Quantum Computers” (CRQCs) will emerge, the pace of development has convinced protocol engineers that preparation cannot wait for certainty. Government agencies have already started preparing the transition. The US federal government issued a directive to phase out ECDSA cryptography entirely by 2035. This timeline was given as a result of the government recognizing that the migration timeline for critical infrastructure takes years (or even decades). The National Security Agency’s CNSA 2.0 framework also calls for quantum-safe systems by 2030, while the National Institute of Standards includes ML-DSA (Dillithium) and SLH-DSA (SPHINCS+) as approved algorithms for federal use. “While the amount of time we have to prepare for a quantum event is uncertain, it seems reasonable to ensure that Bitcoin is prepared for a range of possible outcomes,” the BIP-360 team said. “Additionally, we must consider the total time needed for an effective transition—at the BIP level, the software level, the infrastructure level, and the user-transition level. A smooth and effective QR transition plan for Bitcoin could take several years to execute—with more prep time inevitably leading to better security outcomes for all.” The smartest crypto minds already read our newsletter. Want in? Join them .
