This seems to rear its head and then disappear again, but the threat of quantum computing to Bitcoin's ECDSA will become more pertinent in the next 5-10 years as logical qubit capability increases. This article breaks down the potential pathways towards quantum resistance.
Excerpt from the article:
At a high level, Bitcoin’s path to quantum resistance reduces to two distinct—but complementary—objectives.
First, the protocol must minimize the exposure of public keys onchain, reducing the immediate attack surface available to a quantum adversary.
Second, it must eventually replace its existing signature schemes with post-quantum alternatives, ensuring long-term security against CRQCs.
The good news is that there’s already some traction on the first front—exposure minimization. One of the most prominent proposals in this direction is BIP-360.
As currently formulated, BIP-360 introduces a new output type called Pay-to-Merkle-Root (P2MR). Conceptually similar to Taproot, P2MR removes the key-path component present in P2TR outputs—a mechanism that commits a tweaked public key onchain, leaving it indefinitely exposed to quantum attacks. Instead, P2MR commits only to a Merkle root of spending conditions, ensuring that no public key is revealed onchain until the moment of spending.
In practical terms, BIP-360 is a deliberately conservative upgrade. It addresses Taproot’s exposure to long-range quantum attacks, and little else. It meaningfully reduces the long-range attack surface and buys time—but it does not, on its own, make Bitcoin quantum-resistant. As the proposer puts it:
“BIP 360 is step one. It proposes a quantum-resistant output type that has the upgradability and features of P2TR without the quantum vulnerability. If we want full quantum safety, we also need step two: adopting a post-quantum signature algorithm.”
https://www.nervos.org/knowledge-base/how_bitcoins_path_to_quantum_resistance_could_look_like
Posted by LevelKaleidoscope930
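The exposure difference the excerpt describes can be made concrete by building the same script tree two ways. The block below is an added example written for this thread; it is not code from the Nervos article or from the BIP-360 draft. It implements the BIP-341 pieces that are actually specified (tagged hashes, TapLeaf/TapBranch node hashing, the TapTweak key tweak) in pure Python, and shows that a P2TR scriptPubKey carries a curve point (the tweaked output key Q, which a CRQC could attack while the coins sit unspent) whereas a P2MR-style output carries only a 32-byte Merkle root. Assumptions, marked in the code: the balanced tree shape, the witness-version byte used for the P2MR-style output (the page does not state BIP-360's encoding), and the private keys and leaf scripts, which are constructed sample data. The `exposes_pubkey` classifier goes slightly beyond the page by covering the legacy and segwit templates too, so the "key visible before spend" property can be checked across output types.

```python
import hashlib

# --- secp256k1 (public curve constants; pure-Python arithmetic for illustration only) ---
FIELD_P = 2**256 - 2**32 - 977
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, FIELD_P - 2, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, FIELD_P - 2, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return x3, (lam * (x1 - x3) - y1) % FIELD_P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def even_y(pt):
    """BIP-340 x-only convention: use the representative with even y."""
    return pt if pt[1] % 2 == 0 else (pt[0], FIELD_P - pt[1])

# --- BIP-341 tagged hashes and script-tree commitment ---
def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def tapleaf_hash(script, leaf_version=0xC0):
    assert len(script) < 0xFD            # single-byte CompactSize is enough here
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def merkle_root(leaf_hashes):
    """Balanced tree of TapBranch nodes. Tree shape is the wallet's choice (assumed
    balanced here); BIP-341 fixes only the node hash over the sorted pair."""
    level = list(leaf_hashes)
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 == len(level):
                nxt.append(level[i])     # odd node is promoted unchanged
            else:
                a, b = sorted(level[i:i + 2])
                nxt.append(tagged_hash("TapBranch", a + b))
        level = nxt
    return level[0]

def taproot_output_key(internal_priv, root):
    """BIP-341 key tweak: Q = P + H_TapTweak(x(P) || root) * G. Returns x(P), x(Q)."""
    P = even_y(ec_mul(internal_priv, G))
    px = P[0].to_bytes(32, "big")
    t = int.from_bytes(tagged_hash("TapTweak", px + root), "big") % ORDER_N
    Q = ec_add(P, ec_mul(t, G))
    return px, Q[0].to_bytes(32, "big")

# --- what actually lands in the scriptPubKey ---
def p2tr_spk(output_x):
    return b"\x51\x20" + output_x        # OP_1 <32-byte x-only curve point>

def p2mr_spk(root):
    # ASSUMED encoding for illustration: a witness-v3 program carrying the bare
    # Merkle root. The thread does not specify BIP-360's version byte.
    return b"\x53\x20" + root            # OP_3 <32-byte hash, no key>

def exposes_pubkey(spk):
    """Classify an output script: is an EC public key visible before the spend?"""
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True              # output key is a curve point
    if len(spk) in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == 0xAC:
        return "P2PK", True              # raw key followed by OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False            # only HASH160(key) until spent
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    if len(spk) == 34 and spk[:2] == b"\x53\x20":
        return "P2MR-like", False        # bare Merkle root (assumed encoding above)
    return "unknown", None

def build_outputs(internal_priv=0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD):
    """Constructed sample: two leaf scripts under one tree, committed both ways."""
    leaf_key = ec_mul(internal_priv + 1, G)              # constructed leaf key
    leaf_x = even_y(leaf_key)[0].to_bytes(32, "big")
    leaf_a = b"\x20" + leaf_x + b"\xac"                  # <key> OP_CHECKSIG
    leaf_b = b"\x02\x90\x00\xb2\x75\x20" + leaf_x + b"\xac"  # <144> CSV DROP <key> CHECKSIG
    root = merkle_root([tapleaf_hash(leaf_a), tapleaf_hash(leaf_b)])
    px, qx = taproot_output_key(internal_priv, root)
    return {"root": root, "internal_x": px, "output_x": qx,
            "p2tr": p2tr_spk(qx), "p2mr": p2mr_spk(root)}

if __name__ == "__main__":
    out = build_outputs()
    for name in ("p2tr", "p2mr"):
        print(name, out[name].hex(), exposes_pubkey(out[name]))
```

Both outputs commit to the identical `root`, so the script-path spending conditions are the same; the only difference is whether the 32 bytes after the version byte are a point on secp256k1 (P2TR) or a hash (P2MR-style). That is the whole of what "exposure minimization" buys: until the leaf script is revealed at spend time, a quantum adversary scanning the UTXO set has no point to run Shor's algorithm against.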
1 Comment
Perhaps it would be better to finally bury crypto. It still has no real use and is wasting a lot of energy. Just let quantum computers crack private keys and make mining obsolete, nothing of value will be lost.