Bitcoin’s Draft BIP 360 Introduces P2MR in Push Toward Quantum Resistance

Bitcoin developers have updated draft BIP 360 to introduce Pay-to-Merkle-Root (P2MR), a proposed output type designed to reduce long-term quantum risk while retaining Taproot’s scripting flexibility. The proposal removes Taproot’s key-path spend entirely, aiming squarely at the portion of modern bitcoin addresses most exposed to future quantum attacks.

P2MR Could Offer Conservative First Step Toward Quantum-Resistant Bitcoin

Bitcoin Improvement Proposal (BIP) 360, still under review and not yet activated, proposes P2MR as a quantum-resistant alternative to Pay-to- Taproot (P2TR) by committing directly to the Merkle root of a Tapscript tree without including a public key for key-path spending. In practical terms, it behaves like a Taproot output that only ever uses the script path.

That distinction matters because Taproot’s key-path spend exposes a public key. Under current cryptography, deriving a private key from a public key is computationally infeasible. But sufficiently powerful quantum computers running Shor’s algorithm could, in theory, reverse elliptic curve cryptography. P2MR simply removes that exposed key from the equation.

Importantly, P2MR does not introduce new signature schemes or opcodes. It preserves full Tapscript (BIP 342) functionality and Merkleized Abstract Syntax Tree (MAST)-style script trees, including leaf versions, control blocks and annex data — minus the internal public key. Wallets can reuse much of their existing Taproot code.

The outputs remain 32-byte hashes, tagged as “TapBranch,” offering 128-bit collision resistance comparable to P2WSH. Developers describe it as a conservative first step toward quantum resistance rather than a sweeping cryptographic overhaul.

The proposal has already undergone multiple rewrites and renames. Originally drafted in 2024 as P2QRH (“Pay to Quantum Resistant Hash”), it became P2TSH (“Pay-to-Tapscript-Hash”) in late 2025 before settling on P2MR (“Pay-to-Merkle-Root”) after community feedback that the name should more accurately reflect what the output commits to.

For now, BIP 360 remains a draft pull request and has not been merged or scheduled for activation. Discussion continues across the bitcoin developer mailing list and community forums.

Why Quantum Concerns Exist

Bitcoin’s primary quantum vulnerability lies in signature schemes, not hashing. Addresses that expose public keys on-chain are the most susceptible because Shor’s algorithm could theoretically compute private keys from those public keys.

Legacy Pay-to-Public-Key (P2PK) addresses embed public keys directly in the locking script and hold roughly 1.7 million BTC, making them prime long-range targets. Reused Pay-to-Public-Key-Hash (P2PKH) addresses become vulnerable once a spend reveals the public key. Taproot’s key-path spend also reveals a tweaked public key.

Estimates of at-risk bitcoin range widely. Some analyses suggest 20% to 50% of supply could be exposed under certain definitions, while others argue only a small fraction would pose meaningful market disruption. The timeline for cryptographically relevant quantum computers is generally projected years or decades away, but uncertainty fuels debate.

P2MR does not solve short-exposure risk during a mempool window, and it does not introduce post-quantum signatures. Instead, it addresses what developers call the “long-exposure” threat — coins sitting for years with publicly visible keys.

In effect, P2MR allows users — particularly long-term holders or participants in Lightning, BitVM or Ark-style protocols — to migrate funds into outputs that eliminate the most obvious ECC exposure while preserving Taproot’s scripting benefits. It is evolutionary, not revolutionary.

For a network that prefers incremental soft forks to sweeping redesigns, that tone is deliberate. Quantum alarms may be distant, but BIP 360 signals that developers are at least checking the exits — calmly, methodically and with their cryptographic homework in hand.

FAQ ❓

• What is P2MR in Bitcoin’s BIP 360?

P2MR (Pay-to-Merkle-Root) is a proposed output type that removes Taproot’s key-path spend while preserving full Tapscript functionality.

• Why are some bitcoin addresses vulnerable to quantum attacks?

Addresses that expose public keys on-chain could, in theory, allow a quantum computer using Shor’s algorithm to derive private keys.

• Does BIP 360 introduce post-quantum signatures?

No, it is a conservative step that does not add new signature schemes or opcodes.

• Is BIP 360 active on Bitcoin today?

No, it remains a draft pull request under active review with no activation timeline.