Bitcoin Developers Kick Off Quantum-Safety Track With BIP-360

Bitcoin’s quantum-security discussion just gained a concrete new artifact in the code-and-spec pipeline: an updated draft of BIP-360 has been merged into the official Bitcoin Improvement Proposals repository, proposing a Taproot-adjacent output type designed to limit exposure to future quantum key-recovery attacks.

The change matters less because it “solves” quantum risk today, and more because it formalizes a specific, opt-in path that preserves Taproot’s script-tree functionality while removing the spending route considered most problematic under a quantum-threat model.

Bitcoin Devs Make First Formal Quantum-Resistance Move

Anduro, a research-focused platform incubated by Marathon Digital (MARA), said on X that the merged update “introduces Pay-to-Merkle-Root (P2MR), a proposed new output type that omits Taproot’s quantum-vulnerable key-path spend while preserving compatibility with Tapscript and script trees.”

In BIP terms, the proposal is scoped as “Consensus (soft fork)” and defines P2MR as a new SegWit v2 output that commits directly to the Merkle root of a script tree, rather than to a tweaked public key as in Pay-to-Taproot (P2TR). The practical implication is straightforward: P2MR outputs can only be spent via script-path logic; the key-path spend is removed entirely.

The BIP’s abstract frames the goal in terms of minimizing changes while providing an option set for users who want additional protection:

“This document proposes a new output type: Pay-to-Merkle-Root (P2MR), via a soft fork. P2MR outputs operate with nearly the same functionality as P2TR (Pay-to-Taproot) outputs, but with the key path spend removed.” It adds that the intended protection is against “long exposure attacks by Cryptographically Relevant Quantum Computers (CRQCs),” as well as “future cryptanalytic approaches that may compromise the elliptic curve cryptography (ECC) used by Bitcoin.”

A key element of the BIP is definitional discipline: it distinguishes “long exposure” attacks (where public keys are available on-chain for extended periods) from “short exposure” attacks, which would target public keys revealed briefly in the mempool during an unconfirmed spend.

The document is explicit that P2MR is not a complete quantum shield. “It is worth noting that proposed P2MR outputs are only resistant to ‘long exposure attacks’ on elliptic curve cryptography; that is, attacks on keys exposed for time periods longer than needed to confirm a spending transaction,” the BIP states.

“Protection against more sophisticated quantum attacks, including protection against private key recovery from public keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. ‘short exposure attacks’), may require the introduction of post-quantum signatures in Bitcoin.” The authors add they “intend to offer a separate proposal for this purpose upon further research.”

That split is also why the proposal emphasizes tapscript compatibility. It positions P2MR as a script-tree output type that could, if Bitcoin ever adopts post-quantum signature opcodes, provide a cleaner upgrade runway than older script mechanisms that don’t support tapscript’s evolution path.

Anduro highlighted that the change is designed as a soft fork and “does not affect existing Taproot outputs.” P2MR would be a new output type (with bech32m addresses starting with bc1z) rather than a retrofit of existing bc1p Taproot UTXOs.

The proposal also doesn’t pretend the swap is free. By removing key-path spends, P2MR gives up Taproot’s most compact witness path (a single Schnorr signature). The BIP estimates that a minimal P2MR spend witness is 37 bytes larger than a Taproot key-path spend, though it can be smaller than an equivalent Taproot script-path spend because P2MR’s control block omits an internal public key.

Privacy shifts too. Because every spend is script-path, P2MR users necessarily reveal they are spending from a script tree—something Taproot key-path spends can avoid signaling.

Anduro said the update also “addresses criticism about Bitcoin devs not taking the quantum threat seriously,” and noted the addition of Isabel Foxen Duke as co-author to make the BIP clearer “to the general public, not just the Bitcoin developer community.”

BIP-360 remains in “Draft” status. But its merge into the canonical repository is still a meaningful process marker: it moves the quantum-safety conversation from abstract worry and mailing-list hypotheticals toward a specific consensus change proposal that wallets, libraries, and reviewers can now analyze line-by-line.

If the debate has a next phase, it’s likely to center on whether “prepared not scared” opt-ins like P2MR are sufficient groundwork or whether Bitcoin will eventually need to grapple directly with post-quantum signatures and the operational realities of migrating value at scale.

At press time, BTC traded at $66,558.