An estimated $415 billion to $650 billion in Bitcoin holdings remains exposed to quantum risk, based on figures cited in the analysis accompanying BIP-360. That scale of potential exposure has made the proposal’s introduction of Pay-to-Merkle-Root, or P2MR, a notable step in Bitcoin’s longer-term security planning.
BIP-360 was merged into the BIPs repository as a draft soft-fork proposal. P2MR is a new output type modeled on Taproot but with the key-path spend removed: the output commits to a Merkle root of scripts and can only be spent through a script path. The structural goal is to shrink Bitcoin’s public-key attack surface against long-term “harvest now, decrypt later” threats while keeping the flexibility of script-based transactions.
How P2MR changes the quantum-risk profile
Under the proposal, a P2MR output’s witness program is only the Merkle root of its script tree. That differs from Taproot, whose scriptPubKey is itself a tweaked public key, a point on secp256k1 that sits on-chain from the moment the output is created. A P2MR output exposes no elliptic-curve point at all until it is spent, and a cryptographically relevant quantum computer needs a public key before it can derive the corresponding private key. That is the attack vector the design targets.
The proposal preserves important script functionality even as it changes the spending pattern. Multisig setups, timelocks, and other advanced Tapscript features remain available through Merkle-tree paths, and because new leaf versions and opcodes can be introduced by soft fork, the structure also creates a future upgrade path for post-quantum signature schemes without requiring a hard fork.
In practical terms, BIP-360 aims to blunt long-term harvesting attacks by eliminating key-path spends and forcing all spending activity through script paths. Adversaries could no longer collect public keys from unspent outputs of this type and hold them for private-key recovery once quantum capabilities mature; the keys inside a leaf appear on-chain only when that leaf is executed in a spend.
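To make the commitment concrete, the following is an added example written for this article, not code from BIP-360 or its authors. It builds a small script tree (single-sig, 2-of-2, and a timelocked key), derives the Merkle root that would be the only thing placed on-chain, and then shows what a script-path spend reveals. It assumes P2MR reuses Taproot’s BIP-341 TapLeaf/TapBranch tagged-hash construction, which the article does not state; the three 32-byte keys are constructed placeholders rather than real secp256k1 keys, since only the hash commitment is exercised.

```python
import hashlib

# Constructed placeholder x-only keys (NOT real secp256k1 keys; any 32 bytes
# will do because this example never performs curve arithmetic).
ALICE = hashlib.sha256(b"alice").digest()
BOB = hashlib.sha256(b"bob").digest()
CAROL = hashlib.sha256(b"carol").digest()
KEYS = {"alice": ALICE, "bob": BOB, "carol": CAROL}

OP_CHECKSIG, OP_CHECKSIGADD, OP_2, OP_NUMEQUAL = b"\xac", b"\xba", b"\x52", b"\x9c"
OP_CLTV, OP_DROP = b"\xb1", b"\x75"


def push(data: bytes) -> bytes:
    """Direct push for payloads shorter than 0x4c bytes."""
    return bytes([len(data)]) + data


# Three Tapscript leaves: single-sig, 2-of-2 via CHECKSIGADD, CLTV-locked key.
LEAVES = [
    push(ALICE) + OP_CHECKSIG,
    push(ALICE) + OP_CHECKSIG + push(BOB) + OP_CHECKSIGADD + OP_2 + OP_NUMEQUAL,
    push((900_000).to_bytes(3, "little")) + OP_CLTV + OP_DROP + push(CAROL) + OP_CHECKSIG,
]


def tagged_hash(tag: str, data: bytes) -> bytes:
    """BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + data).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize length prefix (scripts here are all short)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


def tapleaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)


def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    # BIP-341 sorts the two children so the proof needs no left/right flags.
    if b < a:
        a, b = b, a
    return tagged_hash("TapBranch", a + b)


def build_tree(leaf_hashes: list):
    """Balanced tree; returns (root, {leaf_index: [sibling hashes bottom-up]})."""
    if len(leaf_hashes) == 1:
        return leaf_hashes[0], {0: []}
    mid = len(leaf_hashes) // 2
    left_root, left_proofs = build_tree(leaf_hashes[:mid])
    right_root, right_proofs = build_tree(leaf_hashes[mid:])
    proofs = {i: p + [right_root] for i, p in left_proofs.items()}
    proofs.update({mid + i: p + [left_root] for i, p in right_proofs.items()})
    return tapbranch_hash(left_root, right_root), proofs


def p2mr_commit(scripts: list):
    """The 32-byte root is all that goes into the scriptPubKey: a hash, not a curve point.
    (A Taproot output would instead carry the tweaked key Q = P + t*G on-chain.)"""
    return build_tree([tapleaf_hash(s) for s in scripts])


def verify_script_path(root: bytes, script: bytes, proof: list) -> bool:
    """What a validator checks at spend time: leaf + proof must reach the committed root."""
    h = tapleaf_hash(script)
    for sibling in proof:
        h = tapbranch_hash(h, sibling)
    return h == root


def keys_exposed_by_spend(revealed_script: bytes) -> set:
    """Keys an observer learns from a script-path spend: only those in the executed leaf."""
    return {name for name, key in KEYS.items() if key in revealed_script}


if __name__ == "__main__":
    root, proofs = p2mr_commit(LEAVES)
    print("on-chain commitment (hash only):", root.hex())
    for i, leaf in enumerate(LEAVES):
        assert verify_script_path(root, leaf, proofs[i])
    print("spending via leaf 0 exposes:", keys_exposed_by_spend(LEAVES[0]))
```

Two things the run makes visible. Before any spend, the only on-chain data is the 32-byte root, which has no elliptic-curve structure to attack. At spend time the executed leaf and its proof enter the witness, so the keys in that leaf (and only that leaf) become public, which is exactly the short-exposure window between broadcast and confirmation that the proposal does not close.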
The proposal is deliberately limited in scope. It does not replace ECDSA or Schnorr, and it does not retroactively secure UTXOs whose public keys have already been revealed on-chain through older address formats or prior spending activity. The authors estimate the amount of already exposed Bitcoin ranges from roughly 1.7 million BTC in narrower categories to more than 6.7 million BTC when P2PK, Taproot, and reused addresses are included.
Why adoption will be gradual
BIP-360 also leaves one important class of threat unresolved: short-exposure attacks. A script-path spend still places the leaf’s public keys and signatures in the witness, so an adversary fast enough to derive the private key and get a conflicting transaction mined between broadcast and confirmation could still take the coins. The protections also apply only to newly created outputs, meaning wallets, exchanges, custodians, and users must actively move funds into the new output type before they benefit from it.
The authors and contributors present the proposal as an incremental defensive measure rather than a full cryptographic reset. A complete move to post-quantum signature algorithms would require a much broader protocol change and extensive coordination across the Bitcoin ecosystem.
That makes the transition period especially important. One co-author estimated that implementation and broad adoption could take as long as seven years, creating a prolonged window in which some UTXOs may be hardened while many legacy holdings remain vulnerable. The result could be a highly uneven security landscape during migration.
Exchanges, custodians, and wallet providers will need to integrate P2MR support, revise custody workflows, and build migration plans for balances already considered exposed. At the same time, commentary cited alongside the proposal pointed to the NSA’s CNSA 2.0 guidance and NIST’s draft timetable (NIST IR 8547) for deprecating quantum-vulnerable ECC in federal systems after 2030 and disallowing it after 2035 as broader signals that the industry may face growing pressure to prepare.
Markets are therefore more likely to see a gradual operational impact than an immediate structural shift. BIP-360 reduces a meaningful vulnerability, but the broader urgency will still depend on how quantum computing develops and how quickly the industry can coordinate additional changes beyond this first defensive step.