Bitcoin’s BIP-360 proposal has been merged into the official BIPs repository, introducing Pay-to-Merkle-Root, or P2MR, as a new output type intended to reduce Bitcoin’s long-term exposure to quantum threats. The proposal matters because it changes spending structure in a way that directly affects migration planning for custodians, exchanges, and treasury managers.
Authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, BIP-360 presents P2MR as a soft-fork proposal that keeps Taproot-style scripting while removing the key-path spend. By disabling the key-path route, the design aims to prevent the routine on-chain exposure of aggregated public keys that a future quantum attacker could exploit.
P2MR changes the spending model, not the signature system
The proposal defines P2MR as structurally similar to a P2TR output under BIP 341, but with one important difference. Every P2MR output must be spent through the script path, creating a framework intended to reduce long-duration quantum exposure. As the specification states, “A P2MR output is similar to a P2TR output as defined in BIP 341; however, unlike P2TR outputs we disable the key path spend for the benefit of quantum.”
That design keeps Tapscript functionality and related privacy features available while forcing all spending activity through scripts. The practical result is a cleaner path for eventually integrating post-quantum signature primitives into Bitcoin scripts once those standards are ready.
BIP-360 does not, however, introduce post-quantum signatures on its own. The proposal does not alter Bitcoin’s SHA-256 proof-of-work or replace the current signature model, but instead narrows the long-exposure attack surface created when public keys remain visible on-chain for extended periods. In that sense, it is a preparatory change rather than a complete quantum-security solution.
The distinction between long-term and short-term exposure remains central to the proposal’s limits. While P2MR is designed to reduce the risk of public keys being harvested over time by a quantum adversary using Shor’s algorithm, it does not solve the short-exposure threat that would exist between transaction broadcast and confirmation. That risk would remain until post-quantum signatures are broadly adopted.
Migration, costs, and adoption timelines
Because the change is structured as an opt-in soft fork, its effect will depend on implementation across the broader ecosystem. Wallets, exchanges, and custodians will need to support P2MR and build migration paths before the proposal can provide meaningful protection at scale. The proposal’s authors and later coverage described that transition as a multi-year process.
Industry commentary tied to the proposal outlined an adoption horizon of roughly seven years. That timeline implies a prolonged period in which older address formats could remain exposed, creating what the proposal’s framing described as a potential “quantum danger zone” during the transition.
For firms managing Bitcoin infrastructure, the trade-offs are both operational and economic. Script-path spends are typically more expensive and less convenient than key-path spends, meaning service providers will have to weigh cost, usability, privacy, and security as they decide how and when to support P2MR. That makes standards sequencing especially important, since full quantum resistance still depends on future post-quantum signature schemes being standardized and added to scripts.
The proposal therefore reduces one category of structural exposure without eliminating the broader quantum threat today. Firms will need to stage migration carefully, track the development of post-quantum standards, and update custody and signing systems in a way that limits operational disruption while addressing evolving risk.
