Why a proposed change could reshape how you use Bitcoin
Bitcoin’s world constantly balances innovation with caution. From scaling debates to security upgrades, the community has historically taken slow but deliberate action when it comes to updating the network’s core protocol. Recently, a new proposal has stirred conversation among developers and users alike: a plan to reduce Bitcoin’s vulnerability to future quantum computer attacks, but at a cost in fees and privacy. This article explores what that plan entails, why it matters, and how it could influence Bitcoin’s future.
What Is the Quantum Threat to Bitcoin?
At its core, Bitcoin’s security relies heavily on cryptography. Specifically, Bitcoin uses a digital signature algorithm known as ECDSA (Elliptic Curve Digital Signature Algorithm) and its evolution, Schnorr, to sign transactions and verify authenticity. This cryptography is considered secure against attacks from classical computers because deriving a private key from a public key is computationally infeasible. However, quantum computers, if they become powerful enough, could potentially solve these problems much faster, threatening cryptographic systems like the ones Bitcoin uses.
Quantum computing may sound like science fiction today, but research suggests that sufficiently powerful quantum machines could exist within the next decade. Such machines might be capable of breaking Bitcoin’s signatures, exposing private keys and allowing attackers to steal funds directly from wallets once public keys are revealed on the blockchain. This is sometimes referred to as a “long exposure” attack, where public keys are visible on chain for extended periods and could be cracked offline by a quantum adversary.
Importantly, the quantum threat is theoretical at this stage. Many experts consider it distant, with some estimating that a practical quantum threat to Bitcoin remains at least a decade away. However, the potential risk is serious enough that developers and cryptographers are evaluating mitigation strategies now because changing Bitcoin’s core cryptography later could be extremely difficult once the threat becomes imminent.
The New Proposal: Pay to Merkle Root (BIP-360)
In early 2026, Bitcoin developers merged a new proposal into the Bitcoin Improvement Proposals (BIP) repository: Pay-to-Merkle-Root (BIP-360). This proposal doesn’t change anything on the network yet; it merely documents a new output type that could eventually be adopted. Importantly, it does not automatically activate or enforce any changes on Bitcoin.
Rather than immediate rollout, BIP-360 describes a method for creating outputs that avoid exposing public keys on chain. The idea is simple in concept: remove the common “key path” spend option that reveals a public key when a transaction is made. Instead, Bitcoin outputs would commit only to a Merkle root of a script tree, hence the name Pay to Merkle Root. This means wallets and users would have to spend using scripts rather than the standard key-signature method, which prevents long-term exposure of keys visible in the blockchain’s history.
That’s the essence of the proposal: reduce Bitcoin’s exposure to future quantum attacks by eliminating one of the ways public keys are revealed and stored on chain.
How BIP-360 Would Work
Rather than a mandatory switch, BIP-360 is intended as an optional migration path. If adopted, Bitcoin wallets and services would begin supporting the new output type, starting with a new address format (likely bc1z, corresponding to SegWit version 2). Users who want to reduce their long-exposure risk could generate these addresses and move funds to them.
In practice, this process would look similar to past soft forks in Bitcoin history. For example, when SegWit was introduced, wallets and exchanges gradually added support and users slowly migrated their funds. Adoption was optional and took months or years to become widespread. BIP-360’s adoption timeline, if it ever activates, would likely follow a similar path.
Critically, existing Taproot outputs (the current modern address type for Bitcoin) would remain valid and usable under current rules. Nothing would break overnight, and funds in older address types would not be automatically moved or “upgraded.” The key word here is optional. Users who prioritize long-term security might opt in, while others could remain with Taproot or other address types.
Trade-Offs: Fees and Privacy
BIP-360 has a clear trade-off: higher fees and reduced privacy.
The reason has to do with how transactions are validated. Under Taproot, the most common spend type (called “key path” spend) is compact and efficient. It typically reveals only a signature, which is relatively small in size. Under BIP-360, every spend must reveal a script and provide a Merkle proof for the script path used. This additional data means BIP-360 spends are larger in size, which translates into higher transaction fees.
In Bitcoin, transaction fees are based on the size of the transaction in bytes: the bigger the transaction data, the higher the fee required to include it in a block. BIP-360 transactions, because they include additional script data, will cost more to send than equivalent Taproot transactions.
Furthermore, a common benefit of Taproot is privacy: because key-path spends look like any other single-signature spend, they reveal minimal information about the user’s script structure or spending intentions. BIP-360 changes this. Every transaction reveals which script path was used, and this revelation generates additional information on chain. This could make it easier for observers to infer wallet structures or behavior from blockchain data.
So while BIP-360 reduces one form of attack surface, it does so at the price of higher fees and potentially weaker privacy for users.
Why the Debate Matters
Even though BIP-360 exists in a draft state and may never be widely adopted, it highlights a broader debate within the Bitcoin community: how and when to prepare for long-term risks.
Some argue that quantum computers are still too distant a threat to justify changes that could make Bitcoin more expensive or less private today. CoinShares, a well-known digital asset manager, has estimated that a practical quantum threat is at least a decade away and that only a small fraction of Bitcoin, mostly in older address formats, is truly vulnerable even if powerful quantum machines were developed soon.
Others point out that preparedness requires time. Bitcoin’s upgrade process is slow by design: there is no central authority that can push through changes quickly. Any modification involving wallets, exchanges, node software, and miner consensus requires careful testing, debate, and coordination. Waiting until a threat is certain could mean waiting too long.
Moreover, discussions around quantum risk have drawn attention not just from developers, but also from mainstream finance. Prominent financial leaders have publicly expressed concern about Bitcoin’s future security in light of emerging technologies, signaling that broader stakeholders are paying attention to long-term risks.
Quantum Risk in Context: Real or Hype?
It’s worth reiterating that quantum risk to Bitcoin remains largely theoretical for now. Today’s quantum computers lack the scale and error correction needed to break widely used cryptographic systems like ECDSA or Schnorr. Even the most optimistic projections suggest that quantum machines capable of breaking Bitcoin’s cryptography are years or decades away, giving networks like Bitcoin time to evolve.
Furthermore, a significant portion of Bitcoin’s supply is already relatively safe from quantum risk because many modern address types (like Pay to Public Key Hash or P2SH) do not expose public keys until funds are spent. Research indicates that only certain legacy outputs hold public keys that could be exploited in the quantum future, and many of those coins are inactive or held in small UTXOs that would not pose systemic risk even if compromised.
Nevertheless, the idea of “quantum safe” upgrades speaks to a larger truth: Bitcoin was never meant to be static. Its value and utility depend on the network’s ability to adapt when necessary. The discussion around BIP-360 is less about imminent danger and more about building out options for risk mitigation long before the risk becomes reality.
What Comes Next for Bitcoin?
BIP-360’s presence in the Bitcoin Improvement Proposal repository does not guarantee activation. In fact, it could remain a documented idea for years without ever gaining consensus. But its existence increases awareness of quantum exposure and encourages deeper exploration of cryptographic resilience in cryptocurrency.
Key next steps, should BIP-360 gain traction, would include:
Development and review by Bitcoin core developers
Wallets and exchanges implementing support for the new address type
Debate and signaling among node operators and economic participants
Potential soft fork activation if consensus is reached
Each phase would take significant time and coordination, underscoring why developers advocate starting early.
At the same time, other solutions, such as post-quantum signature schemes or enhancements to existing address formats, remain in research and development. Ultimately, Bitcoin’s long-term security might incorporate a combination of approaches rather than a single fix.
Thoughts
Bitcoin’s journey from academic curiosity to global financial phenomenon has always been shaped by careful deliberation, slow consensus, and thoughtful engineering. The recent proposal to adopt a new address type aimed at reducing quantum exposure continues this tradition and illustrates the complexity of balancing security, cost, and privacy in a decentralized system.
While quantum computers remain a distant concern for now, the conversation around mitigation strategies is real and ongoing. BIP-360 and similar proposals offer a glimpse into how Bitcoin might evolve to meet the challenges of tomorrow while honoring its commitment to decentralization and trustless operation.
Whether or not this particular proposal ever sees widespread use, it stimulates valuable debate about what Bitcoin’s future should look like and how to prepare for uncertainties without sacrificing the core advantages that made Bitcoin revolutionary in the first place.


