Taproot Quantum-Safe Cost Path

This article is machine translated

Author: BitMEX Research

Source: https://www.bitmex.com/blog/Taproot%20Quantum%20Spend%20Paths?category=Research

Abstract: This article discusses the topic of making Bitcoin quantum-resistant, focusing on Taproot. Taproot is in fact a very useful tool on the road to upgrading Bitcoin to quantum security. We advocate a new, quantum-safe version of Taproot, and a corresponding paradigm: a wallet capable of spending the same coins using either a quantum-safe script leaf or a quantum-fragile script leaf. This allows users to keep using the quantum-fragile method to spend Bitcoin, benefiting from smaller signatures, and then switch to the quantum-safe method as "Qday" (the point at which a quantum computer can factor elliptic curve points) approaches. Given the uncertainty about the specific date of Qday, and the long lead time required for any proposal to freeze coins, this feature may not only be useful, but even necessary.


Overview

This article is a sequel to our July 2025 article on quantum-safe signatures (Chinese translation). In this article, we discuss a new quantum-safe spending method and how it pairs perfectly with Taproot. Again, we emphasize that we are not experts in quantum computers, and to our knowledge, the largest number that quantum computers have factored is 15! However, we believe that making Bitcoin more quantum-resistant is a realistic goal and something worth our effort and consideration.

Some critics argue that Bitcoin developers in recent years have either not done enough, or not been focused enough, on important issues such as making Bitcoin more secure against quantum computers. They have also been accused of being distracted by meaningless upgrades, such as Taproot. However, this article attempts to explain precisely why the Taproot upgrade is extremely useful in making Bitcoin quantum-safe.

Key spending path and BIP-360

Of course, Taproot outputs already exist today, and compared to traditional output types—P2PKH, P2SH, P2WPKH, and P2WSH—they are more vulnerable to quantum computers because these traditional output types hide the public key until the funds are spent. Therefore, from a quantum security perspective, the Taproot upgrade brings Bitcoin back to the 2010s, when the P2PK output type was still prevalent. Like Taproot, P2PK exposes the public key on the blockchain when funds are received.

However, this weakness can be addressed with a very simple soft fork upgrade. A new version of Taproot, a quantum-safe type of Taproot, can be created that completely removes the key path spending method, leaving only the script path spending method. This is BIP-360, the proposal we endorse. This upgrade would elevate Taproot to the same level as P2PKH, P2SH, P2WPKH, and P2WSH (from a quantum-safety perspective). The remaining quantum computing risk lies in the possibility that funds could be stolen by a quantum computer after a transaction is broadcast to the network but before it is confirmed in a block.

Taproot and quantum security upgrades are a perfect match

From a quantum resilience perspective, the next step is to add a quantum-safe Taproot spending method through another soft fork, possibly via OP_CAT, or perhaps by adding a hash-based quantum-safe signature scheme (which would be more direct). This quantum-safe redemption scheme can then be enabled as a leaf script in the new Taproot type.

This is where Taproot's huge advantage lies. With these two upgrades—disabling key spending paths and adding a quantum-safe tapleaf spending system—it's possible to create addresses that give users quantum-safe spending options. For example, a Bitcoin address could have two taproot script leaves, one quantum-safe and the other quantum-fragile. Such addresses allow users to upgrade their wallets to ensure their Bitcoin is secure against quantum computers, while still retaining the ability to use the smaller, quantum-fragile signature until the very last moment. In simpler terms, this means users still only provide one address when receiving funds, but when spending, they can choose either a quantum-safe or a quantum-fragile spending method.

Of course, an address can have multiple spending methods, and this existed before Taproot, for example with P2SH. However, with P2SH the user must publish the complete redeem script, while with Taproot the unused spending methods are hidden behind a quantum-safe hash function.
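As an added illustration (not code from the BitMEX article), the following shows how the BIP-341 script tree commits to two leaves so that spending via one leaf reveals only the other leaf's hash, never its script. Both scripts are constructed placeholders: the quantum-safe leaf's real opcodes would depend on whichever scheme is adopted, and how BIP-360 commits to the resulting root in the output is not modelled here.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP-341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def compact_size(n: int) -> bytes:
    # Bitcoin CompactSize length prefix (scripts here are far below 0xfd bytes)
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")

def tapleaf_hash(script: bytes, leaf_version: int = 0xC0) -> bytes:
    # A leaf commits to its version byte, length prefix and script bytes
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)

def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    # Children are sorted lexicographically, so a proof needs no left/right flag
    lo, hi = sorted([a, b])
    return tagged_hash("TapBranch", lo + hi)

# Constructed sample scripts (placeholders, not real wallet scripts).
# Leaf A: the small quantum-fragile path: <32-byte x-only pubkey> OP_CHECKSIG (0xAC)
FRAGILE_LEAF = bytes([0x20]) + bytes(range(1, 33)) + bytes([0xAC])
# Leaf B: stand-in bytes for the quantum-safe leaf (e.g. a hash-based signature check);
# only its bytes matter for the commitment, not what the opcodes would be.
SAFE_LEAF = b"QUANTUM-SAFE-LEAF-PLACEHOLDER-SCRIPT"

def script_tree_root(leaf_a: bytes, leaf_b: bytes) -> bytes:
    return tapbranch_hash(tapleaf_hash(leaf_a), tapleaf_hash(leaf_b))

def verify_leaf_against_root(revealed_script: bytes, sibling_hash: bytes, root: bytes) -> bool:
    """What a verifier checks when one leaf is spent: the revealed script plus the
    sibling's 32-byte hash must recompute the committed root. The sibling script stays hidden."""
    return tapbranch_hash(tapleaf_hash(revealed_script), sibling_hash) == root

def demo():
    root = script_tree_root(FRAGILE_LEAF, SAFE_LEAF)
    # Spend via the fragile leaf before Qday: reveal it plus only the hash of the safe leaf
    ok_fragile = verify_leaf_against_root(FRAGILE_LEAF, tapleaf_hash(SAFE_LEAF), root)
    # Spend via the safe leaf after Qday: reveal it plus only the hash of the fragile leaf
    ok_safe = verify_leaf_against_root(SAFE_LEAF, tapleaf_hash(FRAGILE_LEAF), root)
    # A substituted script (OP_1) does not match the commitment
    bad = verify_leaf_against_root(b"\x51", tapleaf_hash(SAFE_LEAF), root)
    return ok_fragile, ok_safe, bad
```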

Bitcoin addresses with multiple spending methods can also be displayed in the graphical user interface of wallet software. For example, the Liana wallet already supports selecting one of several customized script spending paths to spend Bitcoin. Therefore, the aforementioned quantum-safe wallet can adopt the same logic: one is a "Quantum-Safe Spending" button, and the other is a "Quantum-Fragile Spending" button.


Translator's Note: In the Liana Wallet interface, different spending methods are selected using different buttons: the regular spending method is the "Send" button, and the emergency spending method is the "Recovery" button.

A key issue in upgrading users to quantum-secure wallets is the significantly higher transaction fees (for quantum-secure spending methods). Our solution greatly mitigates this problem, as users upgrade to a quantum-secure wallet without immediately facing soaring fees. Only after "Qday" will users need to use a larger quantum-secure signature scheme. Given the highly uncertain pace of quantum computer development, this ability to choose is invaluable.

Discussion about freezing coins

In a recent episode of the Citadel Dispatch podcast, Matt Odell and Matt Corallo discussed under what circumstances a soft fork to freeze coins should be implemented to address potential risks from quantum computers. Odell is largely against freezing coins, while Corallo is somewhat supportive of freezing coins in certain situations. Some people are hostile to the idea of freezing coins. A common argument equates freezing with theft. One analogy compares freezing quantum-fragile coins to freezing coins belonging to North Korea (or criminals), something almost everyone would object to. We disagree with comparing freezing quantum-fragile coins to freezing North Korean coins, but that is another topic; we simply want to note that these arguments are attracting some attention. Therefore, from our perspective, there is considerable uncertainty about whether coins will actually be frozen. Even if a freeze does occur, determining the timing of such a freeze is extremely complex.

Freeze Timing Table

Factor: Some people will oppose the freeze
Explanation: Freezing coins could be controversial, so a soft fork that freezes coins might only gain a small degree of consensus, even as we approach Qday.
Impact on timing: Postpones the freeze

Factor: Preventing people from losing their money because they had no time to move it
Explanation: We might need to set a sufficiently long delay between activation of the freeze soft fork and the actual freeze, to allow time for people to move their coins. People might store their keys in hard-to-access cold storage, might not hear the news about quantum computers, or might even have time locks on their wallets.
Impact on timing: Postpones the freeze

Factor: Avoiding a freeze that activates only after Qday, when some coins have already been lost to quantum computing attacks
Explanation: If the freeze date is too late, millions of dollars worth of coins could be stolen. Therefore, we may need a sufficiently large safety margin between the expected Qday and the freeze activation date.
Impact on timing: Brings the freeze earlier

Beyond these factors pulling the timing in opposite directions, we might not need to arrive at just a single date. We might need to consider four dates, as shown in the diagram below.

Coin Freeze Timing Diagram

Given the uncertainty surrounding whether and when Qday will arrive, the long lead time required for a coin freeze to be truly meaningful, and the need to respect Bitcoin's censorship resistance as much as possible, the risk of a coin freeze arriving too early or too late is considerable. It might happen several years early, or it might not happen until several years after Qday.

One of the brilliant features of a Taproot output that combines a quantum-safe leaf with a quantum-fragile leaf is that this new quantum-safe Taproot output would never need to be frozen. At the very least, we will oppose any freezing scheme aimed at this quantum-safe Taproot output, and even any scheme that disables its quantum-fragile path, until Qday truly arrives. The reason is that this is a new output type designed for quantum security, so users who migrate to it are clearly already prepared for quantum computers.

Therefore, people can continue to use quantum-fragile signatures to spend their coins until Qday. With this approach, it matters less whether the safety buffer turns out to be far too long (a premature freeze, for example due to an unexpected decades-long stagnation in quantum computing development), as people will continue to use the efficient quantum-fragile script leaf to spend Bitcoin. Once Qday arrives, the final transition will be relatively simple, as people will only need to be prompted by their wallet software to use the quantum-safe spending path. After Qday, wallet software can also be upgraded to remove the quantum-fragile spending option from the graphical user interface. Ultimately, there could be a post-Qday soft fork that disables quantum-fragile spending paths under the quantum-safe Taproot output type.

