BIP-360 and Bitcoin's quantum migration, explained

Bitcoin runs on signature schemes that a large quantum computer could break. That has been true since day one and mostly ignorable, because the hardware didn't exist. In 2026 the conversation stopped being hypothetical in one specific sense: Bitcoin now has a concrete migration proposal in its official repository. BIP-360 defines the first post-quantum output type, and its companion, BIP-361, puts an expiry date on the old signatures. Here is what each one does and what it would mean for anyone holding BTC.
What is BIP-360?
BIP-360 introduces a new output type called Pay-to-Merkle-Root (P2MR). If you followed the earlier drafts, you may know it under a different name: it started as P2QRH (Pay to Quantum Resistant Hash), was renamed P2TSH in September 2025, and settled on P2MR in February 2026, when the proposal was merged into the official BIP repository.
Structurally, P2MR is Taproot with the risky part removed. A Taproot output commits to a public key and lets you spend either with that key or through a script tree. P2MR drops the key-path spend entirely and commits only to the Merkle root of the script tree. No public key appears on-chain when the output is created, which is the whole point: a quantum attacker running Shor's algorithm needs a public key to derive the private one, and P2MR never hands them one until spend time.
Status as of mid-2026: merged as a draft, running on at least one dedicated testnet (BTQ's Bitcoin Quantum testnet shipped a P2MR implementation in March), not activated on mainnet, no activation date. Merging a BIP means the idea is specified, not that the network has agreed to it.
Why does Bitcoin need a quantum migration at all?
ECDSA and Schnorr, the two signature schemes securing every bitcoin today, rely on elliptic curve math that Shor's algorithm breaks outright once someone builds a big enough quantum machine. Nobody credible will give you a date for that machine. The problem is that Bitcoin can't move fast, so it can't afford to wait for one.
The exposure isn't evenly distributed. A quantum attacker needs your public key, and in principle Bitcoin only reveals it when you spend. In practice, key exposure is everywhere: as of March 2026 roughly 6.5 million BTC, about a third of the supply, sits in outputs whose public keys are already visible on-chain. Around 1.7 million of those are in ancient pay-to-public-key outputs from the early years, including the coins attributed to Satoshi Nakamoto. Address reuse leaks keys too: spend from an address once and every remaining coin on it is exposed.
Those keys can't be un-revealed. Anyone can copy the chain today and attack the exposed keys whenever the hardware arrives, the same logic as harvest-now-decrypt-later attacks on encrypted traffic. For a fuller comparison of which signature schemes break and what replaces them, see the FAQ on our landing page.
How would the migration work for holders?
BIP-360 only creates the safe destination. The forcing function is BIP-361, "Post Quantum Migration and Legacy Signature Sunset", published as a draft in April 2026. It phases the old cryptography out on a schedule.
Phase A, roughly three years after activation: the network stops accepting sends to quantum-vulnerable address types. You can still spend old coins, you just can't park new ones in unsafe outputs.
Phase B, roughly five years after activation: ECDSA and Schnorr spends become invalid. Coins still sitting in vulnerable outputs at that point are frozen.
Phase C, still research: a possible recovery path for frozen coins, likely a zero-knowledge proof that you possess the BIP-39 seed behind the key, without revealing the key itself.
For an active holder the mechanics are ordinary: once P2MR (or whatever wins) activates, you send your coins to a new output type, the same way people migrated to SegWit or Taproot. The hard case is dormant coins. Whoever doesn't move within the window loses access, and that includes lost keys and Satoshi's stack. This is the most contested part of the whole plan. One camp argues frozen coins are better than a quantum thief spending them and crashing the market; the other says confiscating coins for their owners' safety breaks the promise Bitcoin was built on. That argument is not settled, and BIP-361 may change shape because of it.
Two things you can do today cost nothing: stop reusing addresses, and don't leave significant funds on an address that has already signed a transaction.
What does this mean for the rest of the ecosystem?
Bitcoin's plan is a retrofit, and retrofits are expensive. Post-quantum signatures are big: an ML-DSA-44 signature runs about 2.4 KB against 64 bytes for Schnorr, close to a 40x jump that shows up directly in blockspace and fees. Then comes the political part: activation needs consensus, the phases run three to five years, and Phase C is unsolved. Optimistically, Bitcoin completes this in the 2030s. Every other pre-quantum chain faces the same project with less research behind it.
The alternative is not to retrofit at all. NOXY is built post-quantum from genesis: every account signs with ML-DSA-44, the lattice-based scheme NIST standardized as FIPS 204, starting from the first block. There are no legacy outputs to sunset and no migration window for holders to miss, because there is nothing to migrate from. The trade-offs Bitcoin is negotiating over a decade were design inputs here.
BIP-360 is worth cheering for regardless of where you sit. Bitcoin surviving a quantum transition is good for everyone in the industry. Watch for two things next: whether an activation mechanism gets proposed for P2MR, and whether Phase C research produces a credible recovery scheme before Phase B's freeze makes the question urgent.