The change matters less because it “solves” quantum risk today, and more because it formalizes a specific, opt-in path that preserves Taproot’s script-tree functionality while removing the spending route considered most problematic under a quantum-threat model.
Bitcoin Devs Make First Formal Quantum-Resistance MoveIn BIP terms, the proposal is scoped as “Consensus (soft fork)” and defines P2MR as a new SegWit v2 output that commits directly to the Merkle root of a script tree, rather than to a tweaked public key as in Pay-to-Taproot (P2TR). The practical implication is straightforward: P2MR outputs can only be spent via script-path logic; the key-path spend is removed entirely.
The BIP’s abstract frames the goal in terms of minimizing changes while providing an option set for users who want additional protection:
A key element of the BIP is definitional discipline: it distinguishes “long exposure” attacks (where public keys are available on-chain for extended periods) from “short exposure” attacks, which would target public keys revealed briefly in the mempool during an unconfirmed spend.
The document is explicit that P2MR is not a complete quantum shield. “It is worth noting that proposed P2MR outputs are only resistant to ‘long exposure attacks’ on elliptic curve cryptography; that is, attacks on keys exposed for time periods longer than needed to confirm a spending transaction,” the BIP states.
That split is also why the proposal emphasizes tapscript compatibility. It positions P2MR as a script-tree output type that could, if Bitcoin ever adopts post-quantum signature opcodes, provide a cleaner upgrade runway than older script mechanisms that don’t support tapscript’s evolution path.
The proposal also doesn’t pretend the swap is free. By removing key-path spends, P2MR gives up Taproot’s most compact witness path (a single Schnorr signature). The BIP estimates that a minimal P2MR spend witness is 37 bytes larger than a Taproot key-path spend, though it can be smaller than an equivalent Taproot script-path spend because P2MR’s control block omits an internal public key.
Privacy shifts too. Because every spend is script-path, P2MR users necessarily reveal they are spending from a script tree—something Taproot key-path spends can avoid signaling.
Anduro said the update also “addresses criticism about Bitcoin devs not taking the quantum threat seriously,” and noted the addition of Isabel Foxen Duke as co-author to make the BIP clearer “to the general public, not just the Bitcoin developer community.”
BIP-360 remains in “Draft” status. But its merge into the canonical repository is still a meaningful process marker: it moves the quantum-safety conversation from abstract worry and mailing-list hypotheticals toward a specific consensus change proposal that wallets, libraries, and reviewers can now analyze line-by-line.
If the debate has a next phase, it’s likely to center on whether “prepared not scared” opt-ins like P2MR are sufficient groundwork or whether Bitcoin will eventually need to grapple directly with post-quantum signatures and the operational realities of migrating value at scale.
At press time, BTC traded at $66,558.
