P2MR Could Offer Conservative First Step Toward Quantum-Resistant Bitcoin
Bitcoin Improvement Proposal (BIP) 360, still under review and not yet activated, proposes P2MR as a quantum-resistant alternative to Pay-to- Taproot (P2TR) by committing directly to the Merkle root of a Tapscript tree without including a public key for key-path spending. In practical terms, it behaves like a Taproot output that only ever uses the script path.
That distinction matters because Taproot’s key-path spend exposes a public key. Under current cryptography, deriving a private key from a public key is computationally infeasible. But sufficiently powerful quantum computers running Shor’s algorithm could, in theory, reverse elliptic curve cryptography. P2MR simply removes that exposed key from the equation.
Importantly, P2MR does not introduce new signature schemes or opcodes. It preserves full Tapscript (BIP 342) functionality and Merkleized Abstract Syntax Tree (MAST)-style script trees, including leaf versions, control blocks and annex data — minus the internal public key. Wallets can reuse much of their existing Taproot code.
The outputs remain 32-byte hashes, tagged as “TapBranch,” offering 128-bit collision resistance comparable to P2WSH. Developers describe it as a conservative first step toward quantum resistance rather than a sweeping cryptographic overhaul.
The proposal has already undergone multiple rewrites and renames. Originally drafted in 2024 as P2QRH (“Pay to Quantum Resistant Hash”), it became P2TSH (“Pay-to-Tapscript-Hash”) in late 2025 before settling on P2MR (“Pay-to-Merkle-Root”) after community feedback that the name should more accurately reflect what the output commits to.
For now, BIP 360 remains a draft pull request and has not been merged or scheduled for activation. Discussion continues across the bitcoin developer mailing list and community forums.
Why Quantum Concerns Exist
Bitcoin’s primary quantum vulnerability lies in signature schemes, not hashing. Addresses that expose public keys on-chain are the most susceptible because Shor’s algorithm could theoretically compute private keys from those public keys.
Legacy Pay-to-Public-Key (P2PK) addresses embed public keys directly in the locking script and hold roughly 1.7 million BTC, making them prime long-range targets. Reused Pay-to-Public-Key-Hash (P2PKH) addresses become vulnerable once a spend reveals the public key. Taproot’s key-path spend also reveals a tweaked public key.
Estimates of at-risk bitcoin range widely. Some analyses suggest 20% to 50% of supply could be exposed under certain definitions, while others argue only a small fraction would pose meaningful market disruption. The timeline for cryptographically relevant quantum computers is generally projected years or decades away, but uncertainty fuels debate.
P2MR does not solve short-exposure risk during a mempool window, and it does not introduce post-quantum signatures. Instead, it addresses what developers call the “long-exposure” threat — coins sitting for years with publicly visible keys.
In effect, P2MR allows users — particularly long-term holders or participants in Lightning, BitVM or Ark-style protocols — to migrate funds into outputs that eliminate the most obvious ECC exposure while preserving Taproot’s scripting benefits. It is evolutionary, not revolutionary.
For a network that prefers incremental soft forks to sweeping redesigns, that tone is deliberate. Quantum alarms may be distant, but BIP 360 signals that developers are at least checking the exits — calmly, methodically and with their cryptographic homework in hand.
FAQ ❓
- What is P2MR in Bitcoin’s BIP 360?
P2MR (Pay-to-Merkle-Root) is a proposed output type that removes Taproot’s key-path spend while preserving full Tapscript functionality. - Why are some bitcoin addresses vulnerable to quantum attacks?
Addresses that expose public keys on-chain could, in theory, allow a quantum computer using Shor’s algorithm to derive private keys. - Does BIP 360 introduce post-quantum signatures?
No, it is a conservative step that does not add new signature schemes or opcodes. - Is BIP 360 active on Bitcoin today?
No, it remains a draft pull request under active review with no activation timeline.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
