BIP 360: Pay to Merkle Root (P2MR)
Authors: Hunter Beast, Ethan Heilman, Isabel Foxen Duke
Status: Draft
Type: Standards Track
Created: 2024-12-17
Abstract
BIP 360 proposes Pay-to-Merkle-Root (P2MR), a new SegWit version 2 output type that provides quantum resistance by removing the quantum-vulnerable key path spend mechanism found in Taproot (P2TR). Previously known as P2QRH and P2TSH in earlier drafts, the proposal was renamed to P2MR to better reflect its design.
The Quantum Threat
Bitcoin’s security relies on the Elliptic Curve Digital Signature Algorithm (ECDSA) and Schnorr signatures on the secp256k1 curve. A sufficiently powerful quantum computer running Shor’s algorithm could:
- Derive private keys from public keys — Breaking the discrete logarithm problem
- Forge signatures — Spending the coins of anyone whose public key is exposed
Public keys are exposed when:
- An address is reused after spending (the most common case historically)
- P2PK outputs are used (early Bitcoin transactions, including Satoshi’s coins)
- Taproot (P2TR) outputs contain the public key directly (not hashed), exposing it before any spend occurs
Design
P2MR operates similarly to Taproot (P2TR) but with a critical difference: it commits only to the Merkle root of the script tree, without an internal key component. This removes the key path spend that makes Taproot outputs vulnerable to quantum attacks on elliptic curve cryptography.
Key differences from P2TR:
- No key path spend — Eliminates the quantum-vulnerable component
- SegWit version 2 — Results in mainnet addresses starting with bc1z
- 32-byte witness program — Commits directly to the script tree Merkle root
- Smaller control block — 1 + 32m bytes (vs. P2TR’s 33 + 32m bytes, where m is the tree depth)
Security Model
P2MR provides protection against long-exposure attacks — where an attacker has extended time to compute a quantum attack against an exposed public key. It does not protect against short-exposure attacks during the brief window between transaction broadcast and confirmation.
For full quantum resistance, future proposals would need to incorporate post-quantum signature algorithms into the script tree leaves themselves.
Significance
BIP 360 represents Bitcoin’s first concrete step toward quantum resistance as a deployable soft fork. Rather than attempting to replace Bitcoin’s entire signature scheme at once, it takes a pragmatic first step by removing the most vulnerable component (the key path) while preserving Taproot’s script path functionality. This incremental approach allows the Bitcoin network to gain quantum resistance against long-exposure attacks without waiting for post-quantum signature standards to fully mature.