
An updated version of BIP-360 has been merged into the official Bitcoin BIP repository on GitHub. The draft (“Pay-to-Merkle-Root”, P2MR) proposes a new output type via soft fork: Taproot logic via Tapscript and script trees is retained in the core, but the key path spend is eliminated. It is precisely this key path that is considered a weak point in the quantum context.
In short: P2MR is “Taproot without Key Path”. The output only commits to the Merkle root of a script tree (32 bytes) and no longer to an internal key. Anyone who spends such an output can only do so via the script path; a key path spend simply no longer exists.
The draft is deliberately based on a specific threat model: so-called “long exposure” attacks. This refers to situations in which public keys or spend scripts have been exposed for so long that a future “cryptographically relevant quantum computer” running Shor's algorithm could derive private keys from public keys. P2MR is intended to mitigate exactly this risk to elliptic curve cryptography – nothing more, but also nothing less.
According to the text, P2MR is not sufficient for “short exposure”, i.e. cases in which a public key is only visible for a short time (e.g. in the mempool). This could require post-quantum signatures in Bitcoin later. The authors suggest a separate proposal for this, but only after further research.
The implementation is also important: BIP-360 is designed as a soft fork and should not touch existing Taproot outputs. P2MR runs on SegWit v2 (Bech32m); corresponding mainnet addresses would start with bc1z.
Without SegWit v2/P2MR support, nodes and wallets do not understand these spends. The draft also notes that non-updated nodes generally treat SegWit v2 outputs as “anyone-can-spend”, but in practice typically neither relay nor mine them.
The price for the additional hardening in the long exposure model is quite concrete: P2MR swaps the slim Taproot key path for a spend that is always “Script Path” – and therefore always looks like “Script Path”. In a simple example calculation, a minimal P2MR witness is 37 bytes larger than a Taproot key path witness (signature only).
With deeper script trees, the overhead increases by 32 × m bytes (m = Merkle tree depth). Conversely, P2MR is 32 bytes smaller than an equivalent Taproot script path spend because an internal public key no longer needs to be carried in the control block.
When it comes to privacy, the trade-off is also rather sober: Anyone who uses P2MR inevitably signals “script path” when spending because there is no longer a key path. This is less a “leak” than a structural feature, but it is a visible feature.
BIP-360 names Hunter Beast, Ethan Heilman and Isabel Foxen Duke as authors. Anduro, a research-focused company working on quantum-resistant approaches to Bitcoin, commented on X:
“Bitcoin has taken an important step towards future quantum resistance. […] BIP also addresses criticism that Bitcoin developers are not taking the quantum threat seriously.”
The next exciting phase only begins after the draft status. If BIP-360 progresses, the debate will probably revolve less around the basic principle of “Taproot without Key Path” – but rather around the follow-up questions:
How does Bitcoin address short exposure? Which post-quantum signatures are realistic? With which upgrade mechanism does this work smoothly? Which opcode strategy is practical? And above all: How do wallets and users manage a migration that does not fail in reality due to UX, coordination and inertia?