Taproot Quantum Spend Paths
Abstract: In this piece on making Bitcoin quantum resilient, we talk about Taproot. Taproot is actually an extremely helpful tool when it comes to upgrading Bitcoin for quantum safety. We would advocate for a new quantum safe version of Taproot and a model where wallets have the ability to spend the same Bitcoin outputs with either a quantum safe tapleaf or a quantum vulnerable tapleaf. This way, users can keep spending Bitcoin in a quantum vulnerable way, benefitting from the efficiency of smaller signatures, almost right up until “Qday”. Given the uncertainty as to when Qday may happen and the long margin of safety any coin freeze will require, this property is not only desirable, but probably necessary.
Overview
Following on from our July 2025 piece on hash based quantum safe signatures, in this piece, we explore how a new quantum safe way of spending Bitcoin could integrate extremely well with Taproot. Once again, we want to caveat that we have no expertise on quantum computers and as far as we can tell, the highest number a quantum computer has factorised is 15! Nevertheless, we believe trying to make Bitcoin more quantum resilient is a solid objective and something worth working on and reasoning about.
Some have criticised the Bitcoin developers in recent years, either for not doing enough or not focusing enough on important issues like making Bitcoin secure against quantum computers. Developers have been accused of being distracted by pointless upgrades, such as Taproot. However, as we attempt to explain in this piece, the Taproot upgrade is actually highly advantageous when it comes to making Bitcoin quantum resilient.
The Key Path & BIP-360
Of course, Taproot outputs, as they exist today, are more vulnerable to quantum computers than more traditional outputs like P2PKH, P2SH, P2WPKH and P2WSH, which hide the public key until the funds are spent. The Taproot upgrade therefore sends Bitcoin all the way back to the 2010 era, in terms of quantum security, when P2PK was popular. P2PK, like Taproot, exposes the public key on the blockchain when one receives funds.
However, this Taproot weakness can be disabled with a relatively simple softfork upgrade. A new Taproot version could be created, a quantum Taproot type, which removes the key-path spend method, leaving only the script path as a spend option. This is what BIP-360 now does and this is a proposal we would support. This upgrade would bring Taproot in line with P2PKH, P2SH, P2WPKH and P2WSH in terms of quantum security. That is, the remaining quantum risk is that the funds could be stolen by a quantum computer in the period between when the transaction is broadcast and when it is confirmed by the miners.
Taproot Works Well With Quantum Upgrades
The next step, in terms of quantum resistance, could be to add a quantum safe way to spend Bitcoin via another softfork, perhaps via OP_CAT or by adding a hash based quantum safe signature scheme more directly. This new quantum safe redemption scheme could then be enabled as a tapleaf script in the new Taproot type.
This is where Taproot has significant advantages. Taproot is actually extremely helpful, when it comes to upgrading for quantum resistance. With these two upgrades in place, disabling the key path and adding a quantum safe tapleaf spend system, an address can be generated giving users quantum safe optionality. For instance, a Bitcoin address could be generated with two tapleaf spend paths, a quantum safe one and a quantum vulnerable one. This enables people to upgrade their Bitcoin wallets, to keep their Bitcoin safe from quantum computers, but to still retain the advantages of a smaller quantum vulnerable signature size, right up until the last moment. To clarify, this means users can receive Bitcoin at one address and then reserve the choice of whether to spend those coins in a quantum safe or quantum vulnerable way.
Of course, multi spend options were available before Taproot, for instance with P2SH. However, with P2SH, one needs to publish the entire redeem script to spend. In contrast, with Taproot, the unused spending options stay hidden behind a quantum safe hash function.
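The commitment described above, as an added example that is not from the original article or from BIP-360: it builds a two-leaf tree with the BIP-341 TapLeaf and TapBranch tagged hashes and shows that spending the quantum vulnerable leaf puts only a 32-byte hash of the other leaf on chain. It assumes the key-path-less output commits directly to the Merkle root; both leaf scripts are constructed samples, and the 0xbb byte is a hypothetical stand-in for a hash based signature check that Bitcoin does not have today.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP-340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def compact_size(n: int) -> bytes:
    """Bitcoin variable-length integer that prefixes the script length."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")

def tapleaf_hash(script: bytes, leaf_version: int = 0xc0) -> bytes:
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)

def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    # Children are sorted, so a path needs no left/right flags.
    return tagged_hash("TapBranch", min(a, b) + max(a, b))

def root_from_path(script: bytes, path: list[bytes]) -> bytes:
    """Recompute the Merkle root from a revealed script and its sibling hashes."""
    node = tapleaf_hash(script)
    for sibling in path:
        node = tapbranch_hash(node, sibling)
    return node

# Constructed sample leaves (not real keys).
# Quantum vulnerable leaf: <32-byte x-only pubkey> OP_CHECKSIG (BIP-342).
EC_LEAF = b"\x20" + bytes.fromhex("11" * 32) + b"\xac"
# Quantum safe leaf: opaque placeholder bytes. 0xbb is a hypothetical
# stand-in for a future hash based signature check opcode.
PQ_LEAF = b"\x20" + bytes.fromhex("22" * 32) + b"\xbb"

# Assumption: the key-path-less output commits to this root directly.
MERKLE_ROOT = tapbranch_hash(tapleaf_hash(EC_LEAF), tapleaf_hash(PQ_LEAF))

def spend_reveal(script: bytes, other: bytes) -> dict:
    """Data a script path spend of `script` publishes: the script and one sibling hash."""
    return {"script": script, "path": [tapleaf_hash(other)]}

if __name__ == "__main__":
    r = spend_reveal(EC_LEAF, PQ_LEAF)
    print("commits to root:", root_from_path(r["script"], r["path"]) == MERKLE_ROOT)
    print("PQ script revealed:", PQ_LEAF in r["script"] + b"".join(r["path"]))
```

A P2SH spend with the same two options would have to publish both branches in the redeem script; here the verifier only ever sees the leaf that was used plus one hash per tree level.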
Multiple spending methods for Bitcoin can be implemented in the graphical user interface of wallets. For instance, Liana wallet already supports spending the same Bitcoin with a choice of multiple custom tapleaf spending paths. This could be implemented for quantum safety. It would be as simple as a “quantum safe spend” button and a “quantum vulnerable spend” button.
A key problem associated with getting users to upgrade to a new quantum safe wallet is the significantly higher fees. With this solution, this problem is largely mitigated, with users able to upgrade to a quantum safe wallet without a significant fee increase. Only after “Qday” happens would users need to use large quantum safe signatures. Given the huge uncertainties over the timing of the development of quantum computers, this optionality is very valuable in our view.
The Freeze Debate
In a recent episode of the Citadel Dispatch podcast, Matt Odell and Matt Corallo discussed under which scenarios there should be a coin freeze, in response to the potential risks posed by quantum computers. Odell was mostly against a freeze and Corallo was somewhat in favour, in certain circumstances. A freeze is unpopular with certain people. Arguments are often made comparing a coin freeze with stealing. Analogies can be made comparing freezing quantum vulnerable coins to freezing coins belonging to North Korea or other criminals, which obviously almost everyone opposes. Comparing freezing quantum vulnerable coins to freezing North Korean government coins is not something we agree with, but this is an argument for another day. Our point is that these arguments are gaining traction among some people. Therefore, in our view there is considerable uncertainty as to whether a freeze will happen. Even if it does happen, working out the timing of a freeze is going to be quite complicated.
Freeze Timing Issue
| Factor | Comments | Timing Impact |
| --- | --- | --- |
| Certain people oppose the freeze | A freeze is likely to be controversial, therefore a freeze softfork may only gain an appropriate level of consensus when we are relatively close to Qday | Push the freeze date later |
| Avoid coin loss of people being too slow to plan for the freeze | We likely need a large gap between when the freeze softfork activates and the freeze itself activates, so that people have time to move their coins. People could have coins in deep cold storage, be unaware of the quantum related news or even have timelocks | Push the freeze date later |
| Want to avoid coin loss as a result of the freeze being activated after Qday | If the freeze date is too late, millions of coins could be stolen. Therefore, perhaps we need a large margin of safety between the expected Qday and the activation of the freeze | Push the freeze date earlier |
In addition to these conflicting considerations, which push the timing in opposing directions, there is not just one date to settle on. There are potentially four dates to consider, as the image below illustrates.
Illustrative Coin Freeze Timeline
Given the uncertainty over when or if Qday will ever happen and the long time horizon that is likely to be required to get a freeze to work effectively, while respecting Bitcoin’s censorship resistance properties as much as possible, there is probably considerable risk that the final freeze happens either far too soon or far too late. Perhaps many years too soon or many years too late.
One of the fantastic properties of the tapleaf quantum approach is that the new Taproot quantum type should never be frozen. At least, we would oppose any freeze associated with the new quantum safe Taproot type, even the quantum vulnerable paths, until after Qday. The idea here is that this is a new output type designed for quantum safety and that users who have upgraded here are prepared for quantum computers.
Therefore, people can continue to spend their coins in a quantum vulnerable way, using the quantum vulnerable tapleaf, almost right up until Qday. With this approach, it doesn’t matter as much if the safety buffer period was too long, with quantum development being unexpectedly stalled for decades, because people can continue spending Bitcoin using the efficient quantum vulnerable tapleaf. Once Qday finally happens, the final transition should be relatively easy, with people just needing to be aware to select the quantum safe spend path in their wallets. After Qday, the wallets could be upgraded, with the quantum vulnerable spend path options removed from the GUI. Eventually, there could be a post Qday softfork banning the use of the quantum vulnerable path.
BitMEX Blog