Bitcoin’s P2MR Proposal Pushes Post-Quantum Readiness as Experts Debate the Timeline

Bitcoin quietly took a meaningful step toward post-quantum security: developers merged BIP 360 into the Bitcoin Improvement Proposals repository, moving Pay-to-Merkle-Root (P2MR) into formal review. It’s not live code; it’s scaffolding. But the choice of scaffolding matters more than the calendar. If quantum advances arrive on a shorter fuse, Bitcoin’s ability to coordinate and ship a safe pivot becomes the real variable.

What BIP 360 actually changes - P2MR introduces a new output type that removes Taproot’s key-path spending—the route that reveals a public key when coins are spent. - That exposure is the soft spot for a future Shor’s algorithm attack on a sufficiently powerful, fault-tolerant quantum computer. - By eliminating the public-key-revealing path while preserving Taproot’s upgrade qualities, P2MR prepares the network for later soft forks that can slot in post-quantum signature schemes.

Ethan Heilman, a co-author of BIP 360, frames the vulnerability directly: key-path spending under Taproot (activated in 2021) reveals public keys at spend, inviting a quantum-enabled adversary to target that path even if script-path spending is robust. P2MR closes that window without locking Bitcoin out of future upgrades.

Why the clock is contested Forecasting the quantum curve remains guesswork beyond the near term. Caltech president Thomas Rosenbaum recently suggested fault-tolerant quantum systems are within five to seven years, pointing to fresh lab results: last September, Caltech reported maintaining coherence for over 6,000 qubits with 99.98% accuracy, and in October, IBM described a 120-qubit entangled state—the largest and most stable of its kind to date. Others are less prescriptive. Heilman argues anything beyond a few years becomes unreliable and says he’d be surprised to see a practical threat inside five years. Jameson Lopp, Casa’s co-founder and Chief Security Officer, goes further, noting we are several orders of magnitude away from a cryptographically relevant machine; if progress stays roughly linear, it could take over a decade, perhaps several. NIST’s own migration targets stretch into the mid-2030s.

Where the real risk concentrates I’ve seen security postures fail not for lack of algorithms, but for lack of coordination. Bitcoin’s upgrade path requires rough consensus across miners, node operators, businesses, and users, followed by a separate activation client that generally seeks around 95% sustained support before lock-in. That governance friction is healthy most days; it can be brittle under time pressure. Lopp warns about protocol ossification—the tendency for widely used network rules to harden over time—making consensus harder as stakes and participants grow. This is the vector that worries me more than any qubit count: a community that waits for certainty may find it only after the window for a calm transition has narrowed.

A measured read on the threat There’s a reasonable camp that views quantum risk as speculative today, expecting attackers to prioritize centralized targets long before chasing individual wallets. There’s also the non-zero possibility, as Heilman notes, that physical limits keep quantum computers from scaling to the point of breaking Bitcoin’s cryptography at all. Both can be true while still justifying P2MR. Good engineering trims attack surfaces early and leaves multiple doors open for future migrations, especially when timelines are noisy.

Pragmatic path forward - Treat P2MR as risk-priced optionality. It reduces exposure now and keeps the network flexible for post-quantum signatures later. - Socialize the activation mechanics well ahead of any urgency. The 95% expectation is achievable when the change is minimally disruptive and widely understood. - Keep the quantum discourse grounded in empirical milestones. Lab coherence and entanglement results are impressive; cryptographic relevance is a higher bar.

Bitcoin doesn’t need to predict the exact arrival of a fault-tolerant machine. It needs to be structurally ready to move, with fewer sharp edges and a clear lane for upgrades. BIP 360 does that: it removes a known quantum-exposed path, retains Taproot’s upgrade vector, and buys time—time the network can convert into consensus when it matters.