Bitcoin’s Quantum Threat Debate: What BIP-360 Reveals About Security, Tradeoffs and Governance
On Feb. 11, 2026, a new Bitcoin Improvement Proposal (BIP) was merged into the official BIP GitHub repository, marking the first time a quantum-resistance proposal has formally entered Bitcoin’s upgrade documentation process. Supporters called it a prudent, long-overdue first step toward protecting Bitcoin against a computing threat advancing faster than many expected.
Skeptics, including some of Bitcoin’s most respected protocol engineers, pushed back hard, calling the urgency misplaced. The result is that BIP-360 is one of the most technically and politically charged debates Bitcoin has seen in years.
What is Bitcoin’s quantum vulnerability, actually?
Bitcoin ownership rests on digital signatures. Historically, the network used the Elliptic Curve Digital Signature Algorithm (ECDSA), and since the Taproot upgrade in 2021, it also supports Schnorr signatures via BIP340. Both rely on the same underlying elliptic curve, secp256k1. Generating a public key from a private key is straightforward. Reversing that operation is considered computationally infeasible for classical computers.
A sufficiently large fault-tolerant quantum computer running Shor’s algorithm could, in theory, solve the elliptic-curve discrete logarithm problem and derive private keys from exposed public keys. The operative phrase is “exposed public keys,” because this is where the actual risk concentrates:
Pay-to-Public-Key (P2PK) outputs: Bitcoin’s earliest address format, used in Satoshi’s original coins, stores public keys directly on-chain and is fully exposed.
Taproot (P2TR) outputs: Include an exposed, tweaked public key on-chain in the key-path spend mechanism, making them vulnerable during the window between broadcast and confirmation.
Reused addresses: Any address used more than once has its public key exposed on-chain permanently after the first spend.
Importantly, as Blockstream CEO Adam Back has emphasized, Bitcoin does not use encryption in the traditional sense. The threat is specifically to digital signatures that expose public keys, not to the SHA-256 hashing used in mining, which faces a much weaker secondary risk through Grover’s algorithm and would require far more impractical quantum hardware to degrade meaningfully.
pro-tip for quantum FUD promoters. bitcoin does not use encryption. get your basics right or it's a tell.
Why Quantum Hardware Progress Changed the Conversation
The quantum threat to Bitcoin is not new. What changed at the end of 2024 and into 2025 was the pace of hardware development, pulling the theoretical danger closer to engineering reality.
Several developments sharpened concern among protocol researchers:
In Dec. 2024, Google’s Willow chip demonstrated scalable quantum error correction for the first time, addressing what had long been considered one of the hardest unsolved problems in quantum hardware.
Microsoft’s Majorana 1 chip added further credibility to competing architectures maturing in parallel.
Qubit efficiency gains have dramatically reduced hardware estimates. Five years ago, experts estimated that breaking 2048-bit RSA would require tens of millions of physical qubits. In 2025, Google researchers revised that estimate to less than a million physical qubits. A preprint called “The Pinnacle Architecture” suggested fewer than 100,000 qubits may suffice, though that figure remains disputed.
NIST finalized post-quantum standards in 2024, including ML-DSA (Dilithium) and SLH-DSA (SPHINCS+), anchoring the candidate set for institutional migration.
The US federal government has mandated the phase-out of ECDSA cryptography entirely by 2035.
Professor Scott Aaronson of the University of Texas said in November 2025 that a fault-tolerant quantum computer running Shor’s algorithm before the next US presidential election is “a live possibility.” Antonio Sanso from Ethereum’s post-quantum team has stated that researchers have cleared the key theoretical obstacles and now face a purely engineering challenge.
What BIP-360 actually proposes
Hunter Beast, senior protocol engineer at MARA, cryptographic researcher Ethan Heilman, and technical communications specialist Isabel Foxen Duke co-authored BIP-360. The proposal introduces a new Bitcoin output type called Pay-to-Merkle-Root (P2MR), which the authors describe as a “conservative first step” toward quantum resistance.
How P2MR differs from Taproot
P2MR mirrors Taproot’s P2TR output format but introduces one critical structural change: it removes the key-path spend mechanism entirely.
In P2TR (Taproot), a tweaked public key is embedded directly in the output and exposed on-chain, creating the quantum-vulnerable surface that Shor’s algorithm could theoretically exploit.
In P2MR, the output commits only to the Merkle root of a Tapscript tree, with no internal public key.
Spends must reveal a script path and a Merkle proof rather than a direct signature against a public key.
P2TR outputs continue to exist on the network unchanged; P2MR is an addition, not a replacement.
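To make the structural difference concrete, here is an added example (not code from BIP-360 or its authors) that builds a small Tapscript Merkle tree with the BIP341 TapLeaf/TapBranch tagged hashes and verifies the script path plus Merkle proof a spender would reveal. The `p2mr_script_spend_valid` check is a simplification assumed from the article’s description that the output commits only to the root, not the BIP’s exact rules, and the three leaf scripts are constructed.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def tapleaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    """BIP341 TapLeaf hash; scripts here are < 253 bytes, so CompactSize is one byte."""
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    """BIP341 TapBranch: children are sorted, so the parent does not depend on order."""
    lo, hi = sorted((a, b))
    return tagged_hash("TapBranch", lo + hi)

def build_tree(leaf_hashes: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    """Pair leaves left to right into a tree (an odd node is carried up unchanged).
    Returns the Merkle root and, per leaf, the sibling path a spender must reveal."""
    proofs: list[list[bytes]] = [[] for _ in leaf_hashes]
    level = [(h, [i]) for i, h in enumerate(leaf_hashes)]  # (node hash, leaves beneath it)
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level), 2):
            if j + 1 == len(level):  # odd node: carried up unchanged
                nxt.append(level[j])
                continue
            (a, ia), (b, ib) = level[j], level[j + 1]
            for i in ia: proofs[i].append(b)
            for i in ib: proofs[i].append(a)
            nxt.append((tapbranch_hash(a, b), ia + ib))
        level = nxt
    return level[0][0], proofs

def root_from_proof(leaf_hash: bytes, path: list[bytes]) -> bytes:
    """Walk a revealed script's Merkle path back to the root (the BIP341 control-block walk)."""
    k = leaf_hash
    for node in path:
        k = tapbranch_hash(k, node)
    return k

def p2mr_script_spend_valid(committed_root: bytes, script: bytes, path: list[bytes]) -> bool:
    """Assumed P2MR check, simplified from the article: the output commits to the root alone, so a
    spend passes when script + path rebuild it. P2TR instead exposes Q = P + H_TapTweak(P||root)*G."""
    return root_from_proof(tapleaf_hash(script), path) == committed_root

# Constructed example scripts (not real wallet scripts): three Tapscript leaves.
SCRIPTS = [b"\x51", b"\x20" + b"\x11" * 32 + b"\xac", b"\x52"]
ROOT, PROOFS = build_tree([tapleaf_hash(s) for s in SCRIPTS])
```

With three leaves the first two get a two-node path and the carried-up third leaf a one-node path; any script not in the tree fails to rebuild `ROOT`.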
What BIP-360 does not do
The BIP-360 authors are careful to note what the proposal does not solve:
It does not itself introduce a post-quantum signature scheme; the authors describe that as a future follow-on proposal.
It addresses “long-exposure” quantum attacks, where a public key sits on-chain long enough for a powerful enough quantum computer to derive the private key, but not yet “short-exposure” attacks during the broadcast-to-confirmation window.
A merge into the BIP repository carries no activation signal. BIPs are merged as part of the open documentation process; activation requires a separate consensus-building process and a soft fork.
The BIP-360 team has also flagged a meaningful tradeoff: removing the key-path spend from Taproot eliminates the public key tweak mechanism that Lightning Network constructions, BitVM, Ark, and Point Time-Locked Contracts (PTLCs) rely on. Hunter Beast has acknowledged this would be a real loss, suggesting isogeny-based cryptography as a potential future workaround.
The Skeptics’ Case: Why Many Developers Are Not Panicking
The merge did not silence BIP-360’s critics. Some of Bitcoin’s most technically credentialed voices have pushed back firmly on the urgency framing, and their arguments deserve serious engagement.
Adam Back’s position
Adam Back, co-founder and CEO of Blockstream and the inventor of Hashcash, has been the most prominent skeptic. His arguments are technical rather than dismissive:
He points to research that argues that Taproot’s designers built it with quantum readiness in mind and that the key-path tweak remains secure against post-quantum threats.
He maintains that if a Cryptographically Relevant Quantum Computer (CRQC) ever appeared, Bitcoin could simply disable key-path spends through an emergency soft fork without needing to pre-emptively restructure the output format.
He estimates Bitcoin faces no serious quantum threat for 20 to 40 years and argues that loud public warnings cause confusion and market panic rather than useful technical action.
Blockstream Research has proposed hash-based signature approaches as an alternative, more conservative path.
The engineering gap and governance concern
Jan3 CEO Samson Mow drew attention to the fundamental gap between current quantum hardware and what would be needed to threaten Bitcoin. Quantum computers cannot yet factor numbers at scales relevant to Bitcoin’s key sizes, and the jump from laboratory demonstrations to a CRQC capable of attacking secp256k1 remains enormous.
A deeper concern among skeptical developers is not whether quantum computers will eventually arrive, but whether a rushed upgrade could itself create risks. BIP-360’s P2MR removes features that significant parts of Bitcoin’s second-layer ecosystem depend on, and reaching consensus on that tradeoff in Bitcoin’s conservative governance model is not a fast process.
Where the real exposure sits today
Whatever position one takes on the timeline, the on-chain vulnerability picture is concrete. Roughly 25% of all Bitcoin, estimated at between four and six million BTC, sits in address types where public keys are already permanently exposed on-chain:
Early P2PK outputs, including coins widely attributed to Satoshi Nakamoto.
Reused P2PKH addresses where the public key was revealed during a prior spend.
Some Taproot outputs with exposed key-path public keys.
Below is a list of output types and their susceptibility to long exposure attacks:
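As an added example (not from the article), the exposure categories above turned into a small classifier over constructed scriptPubKeys: it recognises the standard P2PK, P2PKH, P2WPKH and P2TR templates, marks which ones already have a public key on-chain under the article’s rules (including reused addresses), and totals the value sitting in exposed outputs. The sample UTXO set and the reused-address set are constructed.

```python
# Opcode bytes used by the standard output templates below (Bitcoin Script).
OP_0, OP_1, OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x51, 0x76, 0x88, 0xA9, 0xAC

def classify_output(spk: bytes) -> str:
    """Match a scriptPubKey against the standard templates discussed in the article."""
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH"  # OP_0 <20-byte hash>
    if len(spk) == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR"    # OP_1 <32-byte tweaked x-only key>
    return "other"

def long_exposure_status(spk: bytes, spent_from: set) -> str:
    """Is the public key behind this output already on-chain (long-exposure risk)?"""
    kind = classify_output(spk)
    if kind in ("P2PK", "P2TR"):
        return "exposed"  # the key is in the output itself from creation onward
    if kind in ("P2PKH", "P2WPKH"):
        # only a hash is on-chain until the address spends; a reused address has revealed its key
        return "exposed" if spk in spent_from else "hashed"
    return "unknown"

def exposed_value(utxos, spent_from: set) -> tuple[int, int]:
    """Sum the value held in outputs whose keys are already exposed, and the total value."""
    exposed = sum(v for spk, v in utxos if long_exposure_status(spk, spent_from) == "exposed")
    return exposed, sum(v for _, v in utxos)

# Constructed sample UTXO set (scriptPubKey, value in whole coins); keys and hashes are filler bytes.
P2PK = bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
REUSED = bytes([OP_DUP, OP_HASH160, 20]) + b"\x55" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x33" * 20
P2TR = bytes([OP_1, 32]) + b"\x44" * 32
UTXOS = [(P2PK, 50), (P2PKH, 30), (P2WPKH, 10), (P2TR, 5), (REUSED, 5)]
SPENT_FROM = {REUSED}  # constructed: addresses seen spending before, so their keys are public
```

On this constructed set, 60 of 100 coins sit behind already-exposed keys; running the same walk over a real UTXO snapshot is how the share quoted above is estimated.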
BlackRock’s iShares Bitcoin Trust (IBIT) amended its prospectus in May 2025 to include disclosures on quantum computing risk, warning that a sufficiently advanced quantum computer could compromise Bitcoin’s cryptographic foundations. That an institutional product of that scale is flagging quantum risk to investors marks a meaningful shift in how seriously the threat is being taken outside developer circles.
Bitcoin analyst Willy Woo separately noted that Taproot’s share of transactions dropped from 42% in 2024 to around 20%, an unprecedented decline for Bitcoin’s newest address format, suggesting users may be quietly acting on their concerns.
Additionally, Blockstream researcher Jonas Nick has introduced a post-quantum signature scheme called SHRIMPS, designed to protect Bitcoin from potential quantum-computing threats. It is a hash-based, multi-device signature scheme designed to remain secure even after quantum computers eventually break current cryptographic standards. The scheme would allow multiple devices initialized from the same seed to independently generate signatures, potentially improving operational security and removing single points of failure.
The urgency debate in plain terms
The core disagreement between BIP-360 supporters and skeptics is not whether quantum computers will eventually threaten Bitcoin. The disagreement is about three specific questions:
Timeline: Is the threat 5 years away, 15 years away, or 40 years away? Estimates range widely, even among credentialed researchers.
Governance timing: Should Bitcoin begin the multi-year consensus and migration process now, or wait for clearer technical signals?
Tradeoffs: Is the loss of Taproot key-path features worth accepting today to reduce quantum exposure earlier?
Vitalik Buterin has cited forecasting models from Metaculus suggesting roughly a 20% chance of cryptographically relevant quantum computers arriving before 2030, with a median projection around 2040.
Abhinav is a researcher and author specializing in cryptocurrency, blockchain, and Web3, translating complex protocols into actionable insight for institutions and builders. Drawing on experience across digital marketing, management, and research, he focuses on tokenization, stablecoins and payments, DeFi, and real‑world assets, with rigorous analysis of protocol economics, security, governance, and layer‑2 scalability.