Bitcoin Takes Step Towards Quantum Fix as Experts Diverge on Urgency of Threat

Bitcoin developers have taken another step towards addressing the risk posed by future quantum computers, merging BIP 360 into the Bitcoin Improvement Proposals GitHub repository as the long-running debate over the timeline intensifies.

BIP 360 introduces a new output type called Pay-to-Merkle-Root, or P2MR. The design disables a technical feature called key-path spending, which exposes public keys when coins are spent, and lays the groundwork for adding post-quantum signature schemes in future soft forks. The merge does not activate the change, but rather moves the proposal into formal review.

Ethan Heilman, a cryptographic researcher and BIP 360 co-author, told Decrypt that the proposal addresses a specific weakness in Taproot, an upgrade added to the Bitcoin network in 2021.

“The key spend is not quantum-safe because it exposes the public key,” he said, “which means that a quantum attacker could attack the key spend and steal your funds, even if the script spend was totally safe.”

Pay-to-Merkle-Root removes the vulnerable portion of Taproot while preserving its ability to upgrade.

“This is important,” he said, “because it removes the quantum-vulnerable key path spend.”

The debate around how best to address a future quantum threat stems from Shor’s algorithm, which could derive private keys from public keys if run on a sufficiently powerful, fault-tolerant quantum computer.

In a recent public discussion, Caltech president Thomas Rosenbaum said he expects fault-tolerant quantum systems to emerge within years.

“We will, I believe, create a functioning, fault-tolerant quantum computer in five to seven years,” he told the audience, adding that the United States must rethink how it protects sensitive information. Recent developments in quantum computing support Rosenbaum’s claims.

In September, Caltech said researchers kept more than 6,000 qubits—the basic units of quantum information—coherent, meaning stable in their quantum state, with 99.98% accuracy. One month later, IBM reported creating a 120-qubit entangled state, linking 120 qubits so they functioned as a single system, which it described as the largest and most stable demonstration of its kind to date.

Despite recent advances, Heilman said precise forecasts for quantum computing advancements are unreliable.

“There’s no good, concrete way of actually predicting it on a timescale of more than one or two or three years out,” he said. “I would be really surprised if it happens within the next five years. I think about it as uncertainty and as a risk that increases with time.”

The U.S. National Institute of Standards and Technology has set post-quantum migration targets stretching into the mid-2030s. At the same time, cypherpunk and co-founder and Chief Security Officer of Bitcoin wallet developer Casa, Jameson Lopp, suggested that quantum machines able to threaten modern cryptography may be decades away.

“Right now, we’re several orders of magnitude away from having a cryptographically relevant quantum computer, at least as far as we know,” Loop told Decrypt. “If innovation in quantum computing continues at a similar, fairly linear rate, it’s going to take many years—probably over a decade, maybe even several decades—before we get to that point.”

Loop said the greater concern may not be quantum hardware, but the Bitcoin community’s growing resistance to change.

“It’s the nature of network protocols to ossify over time,” he said, referring to the process of turning to bone. “What it really means is that it becomes harder and harder to reach consensus in a decentralized network made up of many different nodes.”

According to Heilman, activating a proposal requires “rough consensus” across miners, node operators, businesses, and users, followed by the release of a separate activation client that typically requires about 95% support over a sustained period before the change locks in.

Still, some in the blockchain industry view the quantum risk as speculative or driven by fear, arguing that if large-scale quantum systems arrive, they would likely target centralized infrastructure before individual wallets.

Heilman acknowledged that there is a small but real chance that physical limits could prevent quantum computers from ever scaling to the point where they threaten Bitcoin.

“But I treat it very much like something which is uncertain,” he said. “It is important for Bitcoin to be valuable, useful, and take existential risks seriously, even if there is some uncertainty over how dangerous they actually are.”