Bitcoin has moved closer to addressing the long-term security risks posed by quantum computing after BIP 360 was accepted into the Bitcoin Improvement Proposals (BIPs) repository. The draft proposal introduces Pay to Merkle Root (P2MR), which supporters describe as an early step toward making Bitcoin more resilient if quantum computers eventually become powerful enough to attack today’s cryptography.
The proposal is not live on the network. BIP 360 is still in the review and discussion stage, and no protocol changes have been activated yet, according to multiple reports.
What BIP 360 proposes
BIP 360 introduces a new output type called Pay to Merkle Root (P2MR). Bitcoin Core developer “Murch” announced on February 11 that BIP 360 had been accepted into the BIPs repository, according to reports.
The proposal is co-authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, according to reporting on the draft. While the acceptance signals growing attention to quantum risks in Bitcoin’s technical roadmap, the documents describing BIP 360 emphasize it as an incremental step rather than a complete post-quantum overhaul.
Bitfinex’s education note describes P2MR as “Taproot-like script trees, but no key-path,” meaning spending would require revealing a script path plus a Merkle proof rather than relying on a key-path spend. That trade-off could increase witness size, but it is presented as a way to reduce long-lived public-key exposure patterns that are most concerning in “harvest now, attack later” scenarios.
Why quantum computing matters for Bitcoin
Bitcoin ownership relies on digital signatures, using ECDSA historically and supporting Schnorr signatures with Taproot (BIP340), and both depend on the same elliptic curve, secp256k1. Bitfinex explains that a sufficiently powerful, fault-tolerant quantum computer running Shor’s algorithm could theoretically derive private keys from exposed public keys, allowing attackers to forge signatures and steal funds.
Bitfinex also discusses Grover’s algorithm as a secondary concern, saying it does not “break” SHA-256 but could reduce the work needed for proof-of-work in theory, raising potential mining-economics and centralization questions only if quantum mining could outpace today’s ASICs. In that framing, Shor-related risks are considered more urgent because they target Bitcoin’s ownership layer if a meaningful quantum breakthrough occurs.
On timing, Bitfinex says cryptographically relevant attacks would likely require millions of physical qubits with enough error correction to produce stable logical qubits, and it cites one report suggesting such machines could need to be roughly 100,000× more powerful than publicly known systems today. It adds that views vary, with many discussions clustering in the mid-2030s to mid-2040s, and stresses that coordinated responses would need to be planned well in advance.
How much bitcoin could be exposed
Several reports spotlight how much bitcoin could be “at risk” if quantum computers eventually threaten current cryptography. One report says about 7 million bitcoins, valued at about $440 billion, could be at risk and states this includes 1 million BTC attributed to Satoshi Nakamoto. Another report puts the figure at approximately 6.98 million BTC valued at $440 billion, underscoring that estimates can differ even when describing the same broad concern.
Bitfinex argues the real exposure is narrower than headlines suggest and depends on when public keys become visible on-chain. It says long-exposure risk includes early P2PK outputs, reused addresses linked to keys revealed in earlier spends, and Taproot (P2TR) outputs that commit to a public key in the UTXO itself, creating a “harvest now, attack later” risk profile.
By contrast, Bitfinex says P2PKH (legacy) and P2WPKH (SegWit) reveal the public key only when spent, creating a shorter “mempool race” window that would require an attacker to derive the private key and broadcast a conflicting spend before confirmation. It adds that estimates vary widely, citing claims that 20–50% of supply could be vulnerable under broad assumptions, while another widely cited report places the concentrated, materially exposed subset closer to about 10,200 BTC.
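The exposure split described above can be applied to a wallet's own outputs. The following is an added example, not code from Bitfinex or the BIP 360 authors: it sorts scriptPubKeys into the two groups using the standard script templates for P2PK, P2TR, P2PKH and P2WPKH. The category labels, function names, the reuse flag and the sample scripts are this example's assumptions.

```python
# Added example: group scriptPubKeys by when the public key becomes visible.
LONG_EXPOSURE = "long-exposure: key visible in the UTXO"
SPEND_TIME = "spend-time: key revealed only when spent"
UNCLASSIFIED = "unclassified: not covered by the article"


def classify_script_pubkey(script_hex: str, key_hash_seen_in_spend: bool = False):
    """Return (output_type, exposure) for one scriptPubKey given as hex.
    key_hash_seen_in_spend marks address reuse: the key hash was already spent
    from, so its public key is on-chain (assumption supplied by the caller)."""
    s = bytes.fromhex(script_hex)
    # P2PK: push of a 33- or 65-byte public key, then OP_CHECKSIG (0xac).
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "P2PK", LONG_EXPOSURE
    # P2TR: OP_1 (0x51) followed by a 32-byte push of the output key.
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "P2TR", LONG_EXPOSURE
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG.
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        kind = "P2PKH"
    # P2WPKH: witness version 0 followed by a 20-byte push of the key hash.
    elif len(s) == 22 and s[:2] == b"\x00\x14":
        kind = "P2WPKH"
    else:
        return "other", UNCLASSIFIED
    # Hash-based outputs hide the key until first spend; reuse removes that cover.
    return kind, LONG_EXPOSURE if key_hash_seen_in_spend else SPEND_TIME


def summarize(utxos):
    """Sum amounts (in satoshis) per exposure category for an iterable of
    (script_hex, amount_sat, key_hash_seen_in_spend) tuples."""
    totals = {}
    for script_hex, amount_sat, reused in utxos:
        _, exposure = classify_script_pubkey(script_hex, reused)
        totals[exposure] = totals.get(exposure, 0) + amount_sat
    return totals


# Constructed sample scripts (placeholder key and hash bytes, not real outputs).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),   # P2PK, compressed key
    ("5120" + "22" * 32, 150_000, False),                     # P2TR
    ("76a914" + "33" * 20 + "88ac", 40_000, False),           # P2PKH, never spent from
    ("0014" + "44" * 20, 70_000, True),                       # P2WPKH, reused address
    ("0014" + "55" * 20, 90_000, False),                      # P2WPKH, fresh
]
```

Calling `summarize(SAMPLE_UTXOS)` returns the satoshi total per category; script types the article does not discuss are reported as unclassified rather than guessed.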
Debate over what to do next
The quantum discussion has also sparked debate over whether and how Bitcoin should treat vulnerable coins, especially long-dormant holdings. Phemex describes a split between proposals to freeze vulnerable coins and objections that such a move would undermine Bitcoin’s principles of neutrality and immutability.
On the “do not freeze” side, Tether CEO Paolo Ardoino is described as favoring allowing vulnerable old coins to circulate again rather than changing consensus rules, while Digital Citizen Fund CEO Roya Mahboob is described as warning that freezing old addresses would undermine immutability. Phemex similarly reports Ardoino and Mahboob as arguing against intervention and adds that they see any inflationary effects from lost coins returning to circulation as temporary.
Other voices emphasize upgrades and migration. Jameson Lopp is described as suggesting a soft-fork approach to migrate vulnerable tokens to quantum-resistant addresses to prevent wealth redistribution by quantum attackers. Phemex also reports that Nima Beni and Georgii Verbitskii stress maintaining Bitcoin’s structure and point toward upgrading cryptography to quantum-resistant signatures.
