cryptoquick
commented at 4:08 pm on September 27, 2024:
none
This spent several months gathering feedback from the mailing list and from other advisors. This is hopefully polished enough to submit upstream.
Let me know if you have any questions or feedback, and of course feel free to submit suggestions.
Thank you for your time.
QuBit - P2QRH spending rules - Final draft before submitting upstream to bitcoin/bips1fa248506e
Add pqNTRUsign to .typos.toml.6f67a3d686
cryptoquick marked this as a draft
on Sep 27, 2024
in
bip-p2qrh.mediawiki:46
in
6f67a3d686outdated
41+|-
42+! Address type !! Vulnerable !! Prefix !! Example
43+|-
44+| P2PK || Yes || 04 || 0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f8141781e62294721166bf621e73a82cbf2342c858ee
45+|-
46+| P2PKH || No || 1 || 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
EthanHeilman
commented at 8:55 pm on September 27, 2024:
It might be worth discussing the conditions under which P2PKH is vulnerable in more detail. While the Deloitte report covers this, this table leaves the impression that P2PKH is safe.
0| P2PKH || No (trusted miner) || 1 || 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
1| P2PKH (reused) || No || 1 || 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
cryptoquick
commented at 3:11 pm on September 28, 2024:
I think I’d like to structure that information differently, similar to how I did so on this slide:
I’ll also need to add a 5th case: Unhardened BIP-32 HD wallet keys
cryptoquick
commented at 6:02 pm on September 28, 2024:
This should be resolved now. Let me know if it’s not.
in
bip-p2qrh.mediawiki:33
in
6f67a3d686outdated
28+
29+Mining may one day be vulnerable to disruption by very advanced quantum computers making use of Grover's algorithm. However, Grover's [https://arxiv.org/pdf/1902.02332 scales very poorly] compared to Shor's, requiring 10^40 quantum operations in comparison to 10^8 for running Shor's over ECC. It's for this reason that the primary threat to Bitcoin by quantum computers is to its signature algorithm and not Proof of Work, hence the focus on a new address format.
30+
31+The vulnerability of existing bitcoin addresses is investigated in [https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack.
32+
33+Ordinarily, when a transaction is signed, the public key can be recovered from the signature. This makes a transaction submitted to the mempool vulnerable to quantum attack until it's mined. One way to mitigate this is to submit the transaction directly to a mining pool, which bypasses the mempool. This process is known as an out-of-band transaction. The mining pool must be trusted not to reveal the key to attackers.
EthanHeilman
commented at 8:59 pm on September 27, 2024:
What about public keys that are derived via BIP-32 non-hardened child keys? While the public key is not reused, one might be able to guess and check child keys from revealed public keys and learn the public key for a p2pkh address prior to seeing a signature for that public key. Is there a reason this is not a concern?
cryptoquick
commented at 3:09 pm on September 28, 2024:
That is a concern I haven’t considered. I’ll be sure to add that.
cryptoquick
commented at 1:29 pm on September 30, 2024:
It’s also been added to the new table for scenarios for revealed public keys on bitcoin.
EthanHeilman
commented at 1:19 am on December 18, 2024:
Looks good to me
vostrnad
commented at 10:02 pm on December 20, 2024:
Derivation of child keys (whether hardened or not) requires the chain code, so this is only a concern if the attacker has access to the extended public key (in which case they can just directly convert it to an extended private key).
in
bip-p2qrh.mediawiki:29
in
6f67a3d686outdated
24+
25+=== Motivation ===
26+
27+This proposal aims to improve the quantum resistance of bitcoin's signature security should the Discrete Logarithm Problem (DLP) which secures Elliptic Curve Cryptography (ECC) no longer prove to be computationally hard, likely through quantum advantage by Cryptographically-Relevant Quantum Computers (CRQCs). [https://arxiv.org/pdf/quant-ph/0301141 A variant of Shor's algorithm] is believed to be capable of deriving the private key from a public key exponentially faster than classical means. The application of this variant of Shor's algorithm is herein referred to as quantum key decryption. Note that doubling the public key length, such as with a hypothetical secp512k1 curve, would only make deriving the private key twice as hard. The computational complexity of this is investigated further in the paper, [https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime''].
28+
29+Mining may one day be vulnerable to disruption by very advanced quantum computers making use of Grover's algorithm. However, Grover's [https://arxiv.org/pdf/1902.02332 scales very poorly] compared to Shor's, requiring 10^40 quantum operations in comparison to 10^8 for running Shor's over ECC. It's for this reason that the primary threat to Bitcoin by quantum computers is to its signature algorithm and not Proof of Work, hence the focus on a new address format.
EthanHeilman
commented at 9:41 pm on September 27, 2024:
Reading “Benchmarking the quantum cryptanalysis of symmetric, public-key and hash-based cryptographic schemes” it is unclear to me how the number 10^40 for applying Grover to Bitcoin’s POW was arrived at in this BIP. It might be worth creating a footnote that details the derivation of this result from that paper.
cryptoquick
commented at 6:10 pm on September 28, 2024:
Those figures were provided by Pierre-Luc, along with the relevant paper. I’ve included a footnote with his comments.
EthanHeilman
commented at 10:09 pm on September 28, 2024:
I completely agree with your claim that:
It’s for this reason that the primary threat to Bitcoin by quantum computers is to its signature algorithm and not Proof of Work, hence the focus on a new address format.
The math in the footnote is for finding SHA256 preimages, but the text and cited article discusses Bitcoin mining/POW which is only a partial preimage, e.g. find SHA256 output with 75 zeros in front. These partial preimages should be not as hard as finding a full SHA256 preimage.
The quantum safety of Bitcoin POW is a an open question. Is a quantum computer than can do the POW significantly faster than a classic miner an attack or simply better mining technology? Are there other quantum attacks on Bitcoin mining?
I would frame this as symmetric cryptography in Bitcoin, such as preimages in the transactions Merkle tree, rather than mining.
cryptoquick
commented at 6:15 am on September 29, 2024:
Very interesting. I’ll be sure to include that nuance.
cryptoquick
commented at 7:23 am on September 29, 2024:
I’ve reworked the paragraph. Let me know if that works. The 95 zeros figure came from the log2_work message from Bitcoin Core in the latest block… Let me know if that’s not right.
EthanHeilman
commented at 8:56 pm on September 29, 2024:
Bitcoin PoW per hash is ~700 Exahash/second. That roughly $log2(700 * 10^{18} )=2^{68.2}$ per second and $2^{74.5}$ per block. 75 zero bits would more the accurate current number.
There is a big difference between the cost of preimages on SHA256 and HASH160 with a quadratic reduction:
SHA256 as you point out is $2^{128} \approx 10^{40}$ but HASH160 used in P2PKH is $2^{80} \approx 10^{24}$. Still much larger than ECC, but I wanted to call this out because it is unlikely we will ever build a computer classical or quantum that can do $2^{128}$ within the next 100 years whereas Bitcoin currently does $2^{80}$ every 30 minutes.
If I didn’t misunderstand “Applying Grover’s Algorithm to Hash Functions” the cost of a groover preimage attack on a n-bit hash function where you are trying to want to find 1 preimage out of a set of k preimages is $\sqrt{2^{n-\log2{(k)}}}$. Let’s say we are looking for any preimage of a P2PKH output. As of Sept 29 2024 there are 53,102,992 P2PKH in Bitcoin’s UTXO set. This gets us an attack cost of $\sqrt{2^{160-25.66}}=2^{67.17} \approx 10^{20}$.
All of this still supports your argument that the current pressing need in Bitcoin is ECC. It worth having tighter bounds, so we know when we are in danger for the symmetric side of Bitcoin.
cryptoquick
commented at 10:31 pm on September 29, 2024:
All very good points. I’ll make sure those are reflected in the BIP.
cryptoquick
commented at 11:38 am on September 30, 2024:
I’ve published some more updates you can see here:
Also, is P2WPKH not also as vulnerable as P2PKH? I think they both use HASH160, do they not?
EthanHeilman
commented at 1:01 pm on September 30, 2024:
Yes P2WPKH, P2PKH, P2SH all use HASH160 (20 Byte) whereas P2WSH uses SHA256 (32 Byte).
Thanks for the updates and making the changes. My main concern is that if precise numbers are going to be used for Bitcoin and Groovers I want to avoid a situation where the numbers are not representative of the threat. I suspect many people in Bitcoin will use this BIP to educate themselves on quantum attacks. I’ll write up a longer comment during my lunch break today.
EthanHeilman
commented at 5:24 pm on September 30, 2024:
I realize by pointing out the nuances I’ve accidentally caused this section to grow into two large paragraphs, when really all you are trying to do make is the reasonable point that quantum attacks on ECC signatures should be the most immediate concern.
Here is my attempt to get the same point across but without having to get into the details:
The primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks generally considered to be to its uses of ECC (Ecliptic Curve Cryptography) used in Bitcoin’s signatures and Taproot commitments]. This is because Shor’s algorithm enables a CRQC to break the cryptographic assumptions of ECC in roughly 10^8 ≈ 2^26) quantum operations. While a QRQC could use Grover’s algorithm to gain a quadratic speed up on brute force attacks on the hash functions used in Bitcoin, a significantly more power quantum computer is needed for these attacks to meaningfully impact Bitcoin. For instance a preimage attack on HASH160 using Grover’s algorithm would require at least 10^24 ≈ 2^80 quantum operations.
It does make sense to discuss Grover’s algorithm w.r.t. multi-target preimage attacks against P2SH and P2PKH when discussing the security of address types against a QRQC.
cryptoquick
commented at 1:04 am on October 1, 2024:
230+To help implementors understand updates to this BIP, we keep a list of substantial changes.
231+
232+* 2024-06: High level rough draft
233+* 2024-07: Additional algorithms in PQC table
234+* 2024-08: Add FALCON signatures, update to use NIST standard terminology, add public key sizes.
235+* 2024-09: Additional detail on P2QS. Deprecate P2QR. Postpone SQIsign. Add details on quitness.
jonatack
commented at 10:54 pm on September 27, 2024:
A few non-urgent nits regarding the changelog:
latest version first
use semvar; for the final draft, maybe these should be collapsed to one initial version entry
cryptoquick requested review from jonatack
on Sep 28, 2024
cryptoquick requested review from EthanHeilman
on Sep 28, 2024
cryptoquick force-pushed
on Sep 29, 2024
cryptoquick force-pushed
on Sep 30, 2024
cryptoquick force-pushed
on Sep 30, 2024
QuBit - P2QRHd83c29d59b
in
bip-p2qrh.mediawiki:34
in
7f4456de30outdated
29+Mining may one day be vulnerable to disruption by very advanced quantum computers making use of [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm]. However, Grover's [https://arxiv.org/pdf/1902.02332 scales very poorly] compared to Shor's. Grover's potentially requires roughly 10^40 quantum operations in comparison to 10^8 for running Shor's over ECC, should no optimization for partial preimages be needed. Partial preimage optimization may lower the difficulty to find a block than the full 256-bit preimage (say, for a number with 75 zero bits in front).<ref>See [https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques on Bitcoin mining].</ref> Regardless of such optimizations, the primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks generally considered to be to its signature algorithm] and not necessarily Proof of Work, hence the focus on a new address format. Additionally, should quantum mining demonstrate quantum advantage over ASIC miners, miners will transition to operating CRQCs instead.<ref>Grover's algorithm is a quadratic speedup, so instead of 2^256 tries it takes about 2^128 calls to the oracle (which is about 10^38 operations) to get a 256 bit preimage. The number of gates would be some multiple of that number. That's roughly how we get the correct order of magnitude, Mosca did a more finegrained calculation and land ballpark in similar large numbers. The number is so large, it's unclear the exact calculation with all the prefactors so far, contrary to ECC, which is roughly 10^8 operations, including the constant factors. A talk by [https://sam-jaques.appspot.com/papers Sam Jaques] gave some estimate of the size of the machine that would be necessary for Grover to attack hashes and it was a small astronomical body.</ref>
30+
31+It is worth mentioning that any addresses using RIPEMD160 / HASH160 could also be vulnerable to Grover's algorithm.<ref>There is a big difference between the cost of preimages on SHA256 and HASH160 with a quadratic reduction:
32+SHA256 is 2^128 ≈ 10^40 but HASH160 used in P2PKH and P2WPKH is 2^80 ≈ 10^24 quantum operations. This is much larger than ECC, and while it is unlikely a classical or quantum computer that can perform 2^128 within the next 100 years, Bitcoin currently does 2^80 classical operations every 30 minutes. Additionally, with Grover's, [https://bitcoin.stackexchange.com/a/115849/139611 a black box function could sidestep Shor's entirely, and SHA-256, providing the private key itself to a P2PKH or P2SH address.]</ref>
33+
34+The vulnerability of existing bitcoin addresses is investigated in [https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now closer to 20%.
jonatack
commented at 11:02 pm on September 30, 2024:
Another vulnerability estimation in early 2019: 5M-10M bitcoin
cryptoquick
commented at 1:05 am on October 1, 2024:
Thank you for that, I’ve added that link as a reference.
cryptoquick force-pushed
on Oct 1, 2024
jonatack
commented at 6:09 pm on October 1, 2024:
member
@cryptoquick Can you begin to write up the sections currently marked as TBD, along with a backwards compatibility section (to describe incompatibilities, severity, and suggest mitigations, where applicable/relevant)? We’ve begun to reserve a range of BIP numbers for this topic, pending continued progress here.
typo fixae0936ae6f
Merge pull request #13 from jlopp/patch-3
typo fix
d89b7c5c08
jonatack added the label
PR Author action required
on Oct 9, 2024
jonatack
commented at 3:27 pm on October 21, 2024:
member
12+
13+== Introduction ==
14+
15+=== Abstract ===
16+
17+This document proposes a new SegWit output type, with spending rules based initially-- but not solely-- upon FALCON signatures. (For more on why, see the Rationale and Security sections.) A constraint is that no hard fork or increase in block size is necessary. This document is inspired by [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP-341], which introduced the design of the P2TR (Taproot) address type using Schnorr signatures.
murchandamus
commented at 9:32 pm on November 12, 2024:
Some of this might fit better in later parts of this document.
How about something like this:
0This document proposes the introduction of a new output type based on FALCON signatures. This approach for adding a post-quantum secure output type does not require a hard fork or block size increase.
The inspiration by BIP 341 could be mentioned in the acknowledgments, and Rationale and Security being the relevant sections to understand the “Why” seem natural.
in
bip-p2qrh.mediawiki:29
in
53d497e376outdated
24+
25+=== Motivation ===
26+
27+This proposal aims to improve the quantum resistance of bitcoin's signature security should the Discrete Logarithm Problem (DLP) which secures Elliptic Curve Cryptography (ECC) no longer prove to be computationally hard, likely through quantum advantage by Cryptographically-Relevant Quantum Computers (CRQCs). [https://arxiv.org/pdf/quant-ph/0301141 A variant of Shor's algorithm] is believed to be capable of deriving the private key from a public key exponentially faster than classical means. The application of this variant of Shor's algorithm is herein referred to as quantum key decryption. Note that doubling the public key length, such as with a hypothetical secp512k1 curve, would only make deriving the private key twice as hard. The computational complexity of this is investigated further in the paper, [https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime''].
28+
29+The primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks generally considered to be to its breaking of ECC used in signatures and Taproot commitments], hence the focus on a new address format. This is because Shor's algorithm enables a CRQC to break the cryptographic assumptions of ECC in roughly 10^8 quantum operations. While a CRQC could use [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm] to gain a quadratic speed up on brute force attacks on the hash functions used in Bitcoin, a significantly more powerful CRQC is needed for these attacks to meaningfully impact Bitcoin. For instance, a preimage attack on HASH160<ref>used by P2PKH, P2SH, and P2WPKH addresses, though not P2WSH because it uses 256-bit hashes</ref> using Grover's algorithm would require at least 10^24 quantum operations. As for Grover's application to mining, see [https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques post on this].
murchandamus
commented at 9:36 pm on November 12, 2024:
0The primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks generally considered to be to its breaking of ECC used in signatures and Taproot commitments], hence the focus on a new address format. This is because Shor's algorithm enables a CRQC to break the cryptographic assumptions of ECC in roughly 10^8 quantum operations. While a CRQC could use [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm] to gain a quadratic speed up on brute force attacks on the hash functions used in Bitcoin, a significantly more powerful CRQC is needed for these attacks to meaningfully impact Bitcoin. For instance, a preimage attack on HASH160<ref>used by P2PKH, P2SH, and P2WPKH addresses, though not P2WSH because it uses 256-bit hashes</ref> using Grover's algorithm would require at least 10^24 quantum operations. As for Grover's application to mining, see [https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques’ post on this].
in
bip-p2qrh.mediawiki:31
in
53d497e376outdated
26+
27+This proposal aims to improve the quantum resistance of bitcoin's signature security should the Discrete Logarithm Problem (DLP) which secures Elliptic Curve Cryptography (ECC) no longer prove to be computationally hard, likely through quantum advantage by Cryptographically-Relevant Quantum Computers (CRQCs). [https://arxiv.org/pdf/quant-ph/0301141 A variant of Shor's algorithm] is believed to be capable of deriving the private key from a public key exponentially faster than classical means. The application of this variant of Shor's algorithm is herein referred to as quantum key decryption. Note that doubling the public key length, such as with a hypothetical secp512k1 curve, would only make deriving the private key twice as hard. The computational complexity of this is investigated further in the paper, [https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime''].
28+
29+The primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks generally considered to be to its breaking of ECC used in signatures and Taproot commitments], hence the focus on a new address format. This is because Shor's algorithm enables a CRQC to break the cryptographic assumptions of ECC in roughly 10^8 quantum operations. While a CRQC could use [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm] to gain a quadratic speed up on brute force attacks on the hash functions used in Bitcoin, a significantly more powerful CRQC is needed for these attacks to meaningfully impact Bitcoin. For instance, a preimage attack on HASH160<ref>used by P2PKH, P2SH, and P2WPKH addresses, though not P2WSH because it uses 256-bit hashes</ref> using Grover's algorithm would require at least 10^24 quantum operations. As for Grover's application to mining, see [https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques post on this].
30+
31+The vulnerability of existing bitcoin addresses is investigated in [https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now closer to 20%. Additionally, cryptographer Peter Wuille estimates even more might be vulnerable, for the reasons provided [https://x.com/pwuille/status/1108085284862713856 here].
murchandamus
commented at 9:37 pm on November 12, 2024:
0The vulnerability of existing bitcoin addresses is investigated in [https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now closer to 20%. Additionally, cryptographer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons] even more might be vulnerable.
in
bip-p2qrh.mediawiki:35
in
53d497e376outdated
30+
31+The vulnerability of existing bitcoin addresses is investigated in [https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now closer to 20%. Additionally, cryptographer Peter Wuille estimates even more might be vulnerable, for the reasons provided [https://x.com/pwuille/status/1108085284862713856 here].
32+
33+Ordinarily, when a transaction is signed, the public key can be recovered from the signature. This makes a transaction submitted to the mempool vulnerable to quantum attack until it's mined. One way to mitigate this is to submit the transaction directly to a mining pool, which bypasses the mempool. This process is known as an out-of-band transaction. The mining pool must be trusted not to reveal the transaction public key to attackers.
34+
35+Not having public keys exposed on-chain is an important step for quantum security. Otherwise funds would need to be spent to new addresses on a regular basis in order to prevent the possibility of a "long-range CRQC attack" recovering the key behind high value addresses. A long-range quantum attack can be considered one performed with chain data, such as that from a used address or one encoded in a spend script. A "short-range quantum attack" would be one performed on keys in the mempool, which is seen as impractical given transaction throughput and block time. As the value being sent increases, so too should the fee in order to commit the transaction to the chain as soon as possible. This makes useless the public key revealed by spending a UTXO, so long as it is never reused.
murchandamus
commented at 9:39 pm on November 12, 2024:
Is this not just a question of time? If the security of the DLP is broken, eventually it could be broken in the time between submission of a transaction and its confirmation. Anyway, an attacker could simply outspend the victim’s transaction to buy more time.
in
bip-p2qrh.mediawiki:33
in
53d497e376outdated
28+
29+The primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks generally considered to be to its breaking of ECC used in signatures and Taproot commitments], hence the focus on a new address format. This is because Shor's algorithm enables a CRQC to break the cryptographic assumptions of ECC in roughly 10^8 quantum operations. While a CRQC could use [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm] to gain a quadratic speed up on brute force attacks on the hash functions used in Bitcoin, a significantly more powerful CRQC is needed for these attacks to meaningfully impact Bitcoin. For instance, a preimage attack on HASH160<ref>used by P2PKH, P2SH, and P2WPKH addresses, though not P2WSH because it uses 256-bit hashes</ref> using Grover's algorithm would require at least 10^24 quantum operations. As for Grover's application to mining, see [https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques post on this].
30+
31+The vulnerability of existing bitcoin addresses is investigated in [https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now closer to 20%. Additionally, cryptographer Peter Wuille estimates even more might be vulnerable, for the reasons provided [https://x.com/pwuille/status/1108085284862713856 here].
32+
33+Ordinarily, when a transaction is signed, the public key can be recovered from the signature. This makes a transaction submitted to the mempool vulnerable to quantum attack until it's mined. One way to mitigate this is to submit the transaction directly to a mining pool, which bypasses the mempool. This process is known as an out-of-band transaction. The mining pool must be trusted not to reveal the transaction public key to attackers.
murchandamus
commented at 9:41 pm on November 12, 2024:
Relying on mining pools to keep transactions private does not feel like a viable security assumption.
cryptoquick
commented at 1:05 am on November 21, 2024:
Agreed, which is why P2QRH is preferable. It’s still worth mentioning, but I’ll be sure to explain this is the entire purpose of P2QRH, to essentially keep the mempool trustless.
in
bip-p2qrh.mediawiki:37
in
53d497e376outdated
32+
33+Ordinarily, when a transaction is signed, the public key can be recovered from the signature. This makes a transaction submitted to the mempool vulnerable to quantum attack until it's mined. One way to mitigate this is to submit the transaction directly to a mining pool, which bypasses the mempool. This process is known as an out-of-band transaction. The mining pool must be trusted not to reveal the transaction public key to attackers.
34+
35+Not having public keys exposed on-chain is an important step for quantum security. Otherwise funds would need to be spent to new addresses on a regular basis in order to prevent the possibility of a "long-range CRQC attack" recovering the key behind high value addresses. A long-range quantum attack can be considered one performed with chain data, such as that from a used address or one encoded in a spend script. A "short-range quantum attack" would be one performed on keys in the mempool, which is seen as impractical given transaction throughput and block time. As the value being sent increases, so too should the fee in order to commit the transaction to the chain as soon as possible. This makes useless the public key revealed by spending a UTXO, so long as it is never reused.
36+
37+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a Post-Quantum Cryptographic (PQC) signature algorithm. This new address type protects transactions submitted to the mempool and helps preserve the free market by reducing the need for private, out-of-band mempool transactions.
murchandamus
commented at 9:42 pm on November 12, 2024:
Rather, this new output type would be expected not be vulnerable at all?
in
bip-p2qrh.mediawiki:39
in
53d497e376outdated
34+
35+Not having public keys exposed on-chain is an important step for quantum security. Otherwise funds would need to be spent to new addresses on a regular basis in order to prevent the possibility of a "long-range CRQC attack" recovering the key behind high value addresses. A long-range quantum attack can be considered one performed with chain data, such as that from a used address or one encoded in a spend script. A "short-range quantum attack" would be one performed on keys in the mempool, which is seen as impractical given transaction throughput and block time. As the value being sent increases, so too should the fee in order to commit the transaction to the chain as soon as possible. This makes useless the public key revealed by spending a UTXO, so long as it is never reused.
36+
37+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a Post-Quantum Cryptographic (PQC) signature algorithm. This new address type protects transactions submitted to the mempool and helps preserve the free market by reducing the need for private, out-of-band mempool transactions.
38+
39+The following table is non-exhaustive but intended to inform the average bitcoin user whether their bitcoin is vulnerable to quantum attack.
murchandamus
commented at 9:45 pm on November 12, 2024:
This feels like it is oversimplifying a bit. This seems to show output types that are generally vulnerable to long-range attacks. Additionally, any reused hash-based addresses are also vulnerable to long-range attacks, and all of the output types below are vulnerable to short-range attacks.
Edit: I see, it is clarified briefly later. Perhaps it would make sense to reorder a bit here.
0The following table is non-exhaustive but intended to inform the average bitcoin user whether their bitcoin is vulnerable to a long-range quantum attack.
in
bip-p2qrh.mediawiki:68
in
53d497e376outdated
63+|-
64+! Scenario !! Type of attack
65+|-
66+| Early addresses (Satoshi's coins, CPU miners, starts with 04) || Long-range
67+|-
68+| Reused addresses (any type, except bc1r) || Long-range
murchandamus
commented at 9:47 pm on November 12, 2024:
What is “bc1r”? It has not been introduced at this point.
in
bip-p2qrh.mediawiki:81
in
53d497e376outdated
76+
77+The only time a short-range attack can occur is when the transaction is in the mempool, whereas a long-range attack occurs when the public key is known well in advance. Short-range attacks require much larger, more expensive CRQCs.
78+
79+Should quantum advantage manifest, a convention is proposed in spending the full 65-byte P2PK key used by the coinbase output in Block 1 back to itself. It is proposed to call the address in Block 1 the [https://mempool.space/address/0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f8141781e62294721166bf621e73a82cbf2342c858ee Canary address] since it can only be spent from by others (assuming Satoshi's continued absence) if secp256k1 is broken. Should the Canary coins move, that will signal that reliance on secp256k1 is presently vulnerable. Without the Canary, or an address like it, there may be some doubt as to whether the coins were moved with keys belonging to the original owner.
80+
81+As an interesting aside, coinbase outputs to P2PK keys go as far as block 200,000, so it's possible there are between 1-2 million coins that are vulnerable from the first epoch. These coins can be considered "Satoshi's Shield." Any addresses with a balance of less than the original block subsidy of 50 coins can be considered incentive incompatible to capture until all of these are mined.
murchandamus
commented at 9:51 pm on November 12, 2024:
As of earlier this month, ₿1,723,848 were held in P2PK outputs.
in
bip-p2qrh.mediawiki:87
in
53d497e376outdated
82+
83+It's for the above reason that, for those who wish to be prepared for quantum emergency, it is recommended that no more than 50 bitcoin are kept under a single distinct, unused Native SegWit (P2WPKH, "bc1q") address at a time. This is assuming that the attacker is financially-motivated instead of, for example, a nation state looking to break confidence in Bitcoin. Additionally, this assumes that other vulnerable targets such as central banks have upgraded their cryptography already.
84+
85+The Commercial National Security Algorithm Suite (CNSA) 2.0 has a timeline for software and networking equipment to be upgraded by 2030, with browsers and operating systems fully upgraded by 2033.
86+
87+Lastly, it is worth noting by way of comparison that [https://ethresear.ch/t/how-to-hard-fork-to-save-most-users-funds-in-a-quantum-emergency/18901 Vitalik Buterin's proposed solution] in an Ethereum quantum emergency is quite different from the approach in this BIP. His plan involves a hard fork of the chain, reverting all blocks after a sufficient amount of theft, and using STARKs based on BIP-32 seeds to act as the authoritative secret when signing. These measures are deemed far too heavy-handed for bitcoin.
murchandamus
commented at 9:55 pm on November 12, 2024:
Some of this Motivation section could appear in “Related Work” or “backward compatibility”.
in
bip-p2qrh.mediawiki:98
in
53d497e376outdated
93+
94+It is proposed to use SegWit version 3. This results in addresses that start with bc1r, which could be a useful way to remember that these are quantum [r]esistant addresses (similar to how bc1q corresponds to Se[q]Wit and bc1p corresponds to Ta[p]root). This is referencing the lookup table under [https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#bech32 BIP-173].
95+
96+The proposal above also leaves a gap in case it makes sense to use version 2, or bc1z, for implementation of other address formats such as those that employ Cross Input Signature Aggregation (CISA).
97+
98+P2QRH is meant to be implemented on top of P2TR, combining the security of classical Schnorr signatures along with post-quantum cryptography. This is a form of "hybrid cryptography" such that no regression in security is presented should a vulnerability exist in one of the signature algorithms used. One key distinction between P2QRH and P2TR however is that P2QRH will encode a hash of the public key. This is a significant deviation from how Taproot works by itself, but it is necessary to avoid exposing public keys on-chain where they are vulnerable to attack.
murchandamus
commented at 9:57 pm on November 12, 2024:
Does it then even make sense to base the new output type on Taproot rather than e.g. P2WPKH?
cryptoquick
commented at 0:47 am on November 21, 2024:
There’s already things that use taptrees where this kind of cryptographic commitment scheme would be adequate, such as for RGB. It would be nice to also be able to rely on Schnorr signature aggregation even in cases where its security has to be augmented by PQC. Do you know of anything that could be broken if the public key isn’t known in advance? Like MuSig2 or FROST?
murchandamus
commented at 10:09 pm on November 12, 2024:
contributor
This is a quick first skim. Seems fine so far, I left some comments. The Motivation and Rationale seem a bit long, perhaps some of that could be split out into other sections like Related Work, Backward Compatibility, or just tightened a bit.
I’m wondering whether introducing four different signature schemes at once may be a bit too ambitious.
Apply suggestions from review
Co-authored-by: Mark "Murch" Erhardt <murch@murch.one>
0a2ed4a23f
cryptoquick force-pushed
on Nov 21, 2024
cryptoquick requested review from murchandamus
on Nov 21, 2024
cryptoquick
commented at 1:27 am on November 21, 2024:
none
I’m wondering whether introducing four different signature schemes at once may be a bit too ambitious.
SPHINCS and Crystals-DILITHIUM are approved by NIST. Antoine Riard specifically requested the inclusion of SPHINCS on the mailing list, and the alternative proposal implements Crystals-DILITHIUM. FALCON is likely to be approved as as a FIPS standard as well, but it’s not yet official. SQIsign is very attractive for its small public key and signature sizes, but it is only just recently under review.
QuBit - P2QRH spending rulesc92a9b0e4d
cryptoquick force-pushed
on Nov 21, 2024
jonatack removed the label
PR Author action required
on Nov 23, 2024
Add details on attestation structure and parsing. (#14)
* Add details on attestation structure and parsing.
* bip-p2qrh.mediawiki: Separating discussion about Grovers algorithm into
its own section.
* Update phrasing and formatting.
* Kyle fixes
* Add Jeff Bride to acknowledgments
* Apply suggestions from code review
Co-authored-by: Kyle Crews <92337423+CrewsControlSolutions@users.noreply.github.com>
* Updates to clarity.
---------
Co-authored-by: jbride <jbride2001@yahoo.com>
Co-authored-by: Kyle Crews <92337423+CrewsControlSolutions@users.noreply.github.com>
e1b7007cd9
cryptoquick
commented at 10:40 pm on December 3, 2024:
none
Just a note: The content of the BIP should be nearing its final state. Feel free to leave feedback while I work on the test vectors, it’ll take me a while since I’m also making changes to rust-bitcoin in order to support P2QRH and transaction attestation, but I don’t expect any major changes from my side at this point.
MediaWiki formatting fixes60d72942aa
cryptoquick force-pushed
on Dec 5, 2024
MediaWiki formatting fixes2d098d9adf
cryptoquick force-pushed
on Dec 5, 2024
MediaWiki fixes, remove redundant sections. (#16)
* MediaWiki fixes, remove redundant sections.
* Fix link format check
ed4e8627e6
murchandamus
commented at 4:57 pm on December 6, 2024:
contributor
Hey @cryptoquick, just wanted to mention a few quick things:
While I would consider test vectors and reference implementation necessary for a proposal to move to the “Proposed” status, their lack would not necessarily prevent something to be considered for getting a number and be merged as draft.
I have a formatting request: Having lines with over 1000 characters makes it really hard to see what changed between pushes and to give review suggestions. May I suggest that you break the lines in text blocks at e.g. 120 characters?
As an example from my own draft, it’s just much easier to see what exactly was changed when the lines are shorter:
This PR is currently marked as “draft”, please click “ready for review” if/when you want editors to take a look. :)
Update title and formatting.f2426c6656
cryptoquick marked this as ready for review
on Dec 6, 2024
cryptoquick
commented at 5:09 pm on December 6, 2024:
none
murchandamus
commented at 5:20 pm on December 6, 2024:
The preamble is order sensitive:
0 Created: 2024-06-08
1 License: BSD-3-Clause
in
bip-p2qrh.mediawiki:38
in
f2426c6656outdated
33+this is investigated further in the paper,
34+[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact
35+of hardware specifications on reaching quantum advantage in the fault tolerant regime''].
36+
37+The primary threat to Bitcoin by CRQCs is [https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin#QC_attacks
38+generally considered to be their potential to break ECC, which is used in signatures and Taproot commitments], hence
murchandamus
commented at 5:24 pm on December 6, 2024:
This feels like a partial repetition of lines 29–31. Perhaps the prior lines should be folded into this introduction of the issue.
in
bip-p2qrh.mediawiki:49
in
f2426c6656outdated
44+and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
45+Bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now
46+closer to 20%. Additionally, cryptographer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
47+even more might be vulnerable.
48+
49+Ordinarily, when a transaction is signed, the public key can be recovered from the signature. This makes a transaction
murchandamus
commented at 5:26 pm on December 6, 2024:
Most output types require the public key is explicitly stated in the input script and it doesn’t even have to be recovered from the signature.
cryptoquick force-pushed
on Dec 6, 2024
More wrestling with MediaWiki formatting...2e4ad811cf
cryptoquick force-pushed
on Dec 6, 2024
I give up. Removing code and pre blocks.9935005efb
murchandamus
commented at 6:06 pm on December 6, 2024:
The TOC is generated automatically in the richtext view:
murchandamus
commented at 6:12 pm on December 6, 2024:
contributor
I started taking a look, but two additional commits have been made since. I’ll try to take a look next week.
The line break suggestion was meant mostly as a way to make diffs more readable and make it easier to make suggestions in the review. It’s not a fixed rule, so if it breaks stuff, feel free to e.g. leave table rows or links in a single line even if it’s longer than other stuff.
More formatting fixes.cc47f9e370
Apply suggestions from code review
Co-authored-by: Mark "Murch" Erhardt <murch@murch.one>
ff4d2c2819
Address Murch feedback.f206b9745a
Merge branch 'p2qrh' of github.com:cryptoquick/bips into p2qrh70649eaece
MediaWiki formatting.feff8477c0
cryptoquick force-pushed
on Dec 6, 2024
cryptoquick requested review from murchandamus
on Dec 6, 2024
cryptoquick requested review from jonatack
on Dec 6, 2024
cryptoquick renamed this:
Draft: QuBit - P2QRH spending rules
QuBit - P2QRH spending rules
on Dec 9, 2024
murchandamus
commented at 8:50 pm on December 9, 2024:
Sorry, my suggestion had an errant “<” here.
0 Layer: Consensus (soft fork)
in
bip-p2qrh.mediawiki:55
in
e186b52cffoutdated
50+Ordinarily, when a transaction is signed, the public key is explicitly stated in the input script. This means that the
51+public key is exposed on the blockchain when the transaction is spent, making it vulnerable to quantum attack until
52+it's mined. One way to mitigate this is to submit the transaction directly to a mining pool, bypassing the mempool.
53+This process is known as an out-of-band transaction or a private mempool. In this case, the mining pool must be trusted
54+not to reveal the transaction public key to attackers. The problem with this approach is that it requires a trusted
55+third party, which the P2QRH proposal aims to avoid.
EthanHeilman
commented at 2:05 am on December 11, 2024:
0not to reveal the transaction public key to attackers.
Suggest removing unnecessary sentence. If you disagree, resolve this comment.
cryptoquick
commented at 5:02 pm on December 12, 2024:
Actually, I think it provides important context and insight as to what P2QRH specifically addresses given the alternative (private miner mempools), but that’s just my opinion.
in
bip-p2qrh.mediawiki:68
in
e186b52cffoutdated
63+requires more sophisticated CRQCs. As the value being sent increases, so too should the fee in order to commit the
64+transaction to the chain as soon as possible. Once the transaction is mined, it makes useless the public key revealed
65+by spending a UTXO, so long as it is never reused.
66+
67+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a PQC signature
68+algorithm. This new address type protects transactions submitted to the mempool and helps preserve the free market by
EthanHeilman
commented at 2:49 am on December 11, 2024:
Did you mean fee market rather than free market?
cryptoquick
commented at 5:18 pm on December 12, 2024:
Not really, but maybe that might make more sense? The fee market is supposed to be a free market.
in
bip-p2qrh.mediawiki:72
in
e186b52cffoutdated
67+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a PQC signature
68+algorithm. This new address type protects transactions submitted to the mempool and helps preserve the free market by
69+preventing the need for private, out-of-band mempool transactions.
70+
71+The following table is non-exhaustive but intended to inform the average Bitcoin user whether their bitcoin is
72+vulnerable to a long-range quantum attack.
EthanHeilman
commented at 2:54 am on December 11, 2024:
0vulnerable to a long-range quantum attack:
in
bip-p2qrh.mediawiki:115
in
e186b52cffoutdated
110+| Any transaction in the mempool (except for P2QRH) || Short-range
111+|-
112+| Unhardened BIP-32 HD wallet keys || Both Long-range or Short-range
113+|}
114+
115+The only time a short-range attack can occur is when the transaction is in the mempool, whereas a long-range attack
EthanHeilman
commented at 3:00 am on December 11, 2024:
I’d suggest that readability would be improved by having a subsection titled something like “Long Range and Short Range Quantum Attacks” that defines this terminology and consequences are introduced upfront.
Something like:
Long Range and Short Range Quantum Attacks
Long Range Quantum Attack is an attack in which …
Short Range Quantum Attack is an attack in which …
If you disagree with this suggestion, just mark this comment as resolved.
cryptoquick
commented at 4:35 pm on December 13, 2024:
Done!
in
bip-p2qrh.mediawiki:319
in
e186b52cffoutdated
314+For each input, a separate attestation field is used. To know how many attestation fields are present, implementations
315+must count the number of inputs present in the transaction.
316+
317+=== Signature Algorithm Identification ===
318+
319+The specific quantum-resistant signature algorithm used is inferred from the length of the public key and signature.
EthanHeilman
commented at 11:09 pm on December 11, 2024:
0The specific quantum-resistant signature algorithm used is inferred from the length of the public key.
If we infer the signature algorithm from the public key alone, then we will reject a signature which has the wrong length for that algorithm. This makes error handling easier and the output commits to the signature algorithm.
Whereas if we infer the signature algorithm from the public key and the signature then if one of them is wrong, we don’t know the intended signature algorithm.
cryptoquick
commented at 3:29 pm on December 13, 2024:
That’s a good point.
in
bip-p2qrh.mediawiki:322
in
e186b52cffoutdated
317+=== Signature Algorithm Identification ===
318+
319+The specific quantum-resistant signature algorithm used is inferred from the length of the public key and signature.
320+Implementations must recognize the supported algorithms and validate accordingly.
321+
322+Supported algorithms and their NIST Level V parameters:
EthanHeilman
commented at 11:10 pm on December 11, 2024:
Below you discuss supporting secp256k1 as an algorithm for this output. It should probably be included in this list.
cryptoquick
commented at 3:30 pm on December 13, 2024:
I think I’ll just clarify this section is for PQC algorithms.
EthanHeilman
commented at 11:37 pm on December 11, 2024:
contributor
I want to propose an alternative design. Instead of supporting multiple different signature algorithms in the same output and then inferring algorithm based on public key length. Flag signature algorithm based on address prefix, e.g. addresses that start with bc1f only accept FALCON-1024 public keys and signatures.
This makes it straightforward to add new post-quantum signature algorithms and lets you streamline this design by only needing to support one post-quantum signature algorithm.
This avoids using length as a signaling mechanism. Currently length works, but what if two algorithms have the same length public key? Do we lengthen one?
Supporting multiple signature algorithms in the same output is likely to increase complexity for other protocols. Say a payment channel where the two parties are using different signature algorithms. I don’t see this as a strong reason not to do this, but I think the BIP needs a justification for this additional complexity.
Is the reason you are doing multisig outside of script, because of the stack element limitations of some these bigger signatures? Are there any issues with the values on the attestation stack being larger than 520?
in
bip-p2qrh.mediawiki:524
in
e186b52cffoutdated
519+One consideration for choosing an algorithm is its maturity. secp256k1 was already 8 years old by the time it was
520+chosen as Bitcoin's curve. Isogeny cryptography when it was first introduced was broken over a weekend.
521+
522+Ideally SQIsign also proves to be flexible enough to support
523+[https://www.pierrickdartois.fr/homepage/wp-content/uploads/2022/04/Report_OSIDH_DARTOIS.pdf Isogeny Diffie-Hellman] to
524+replace ECDH applications, and also provide methods for the key tweaking necessary to support TapScript for P2QR
EthanHeilman
commented at 0:44 am on December 12, 2024:
What about just using a merklized structure for tapscript so we don’t need to depend on signature specifies? The output could be HASH256(HASH256(pubkey),scriptroot) where scriptroot = HASH256(merkletree of scripts). You’d get the taproot privacy benefits of not revealing that a script spend path exists when doing a key spend. If no script spend path exists simply choosing scriptroot to be a random number, if a script spend path exists, include a random number as one of the branches of your merkle tree.
The main downside of this merklized approach is that each spend has to push an additional 32 bytes. However given the size of post-quantum signatures and public keys, this additional 32 bytes shouldn’t matter much.
cryptoquick
commented at 3:33 pm on December 13, 2024:
That’s a great point. You’re right, we should use a merkle tree to allow branch exclusions. We can distinguish between hashes and x-only public keys because x-only public keys will be accompanied by a signature, whereas a hash would not, and so it would be considered and excluded branch.
cryptoquick
commented at 3:58 pm on December 18, 2024:
442+For example, for CRYSTALS-Dilithium Level V, a single signature is 4,595 bytes, a substantial increase over current
443+ECDSA or Schnorr signatures.
444+
445+==== Performance Impact ====
446+
447+Verification of quantum-resistant signatures will be computationally more intensive, and any attestation discount will
EthanHeilman
commented at 0:47 am on December 12, 2024:
What about using a STARK over all the post-quantum signatures included in a block by the miner to accelerate verification? Is there anything about this design that would prevent adding such a feature?
cryptoquick
commented at 3:34 pm on December 13, 2024:
As we discussed privately, a STARKS-based approach would be out of scope for this BIP, but alternative approaches specified in separate BIPs are certainly welcome.
QbitsCode
commented at 11:11 am on December 13, 2024:
none
Sorry for coming late with this important PR, we have just shared 3 proposed pqc algorithms that guarantee elimination of quantum computer risk.
That’s a great start! I see from your documentation here you’re intending to use the same PQC signature algorithms we’ve selected, which is validating of the approach recommended for this BIP.
cryptoquick
commented at 3:46 pm on December 13, 2024:
none
I want to propose an alternative design. Instead of supporting multiple different signature algorithms in the same output and then inferring algorithm based on public key length. Flag signature algorithm based on address prefix, e.g. addresses that start with bc1f only accept FALCON-1024 public keys and signatures.
The problem with that approach is that there’s only so many OP_NUMs to prefix the address type with for each signature type. If new signature algorithms were added, I would imagine they would be added in batches, so that bc1f would indicate a superset of multiple algorithms.
This makes it straightforward to add new post-quantum signature algorithms and lets you streamline this design by only needing to support one post-quantum signature algorithm.
This avoids using length as a signaling mechanism. Currently length works, but what if two algorithms have the same length public key? Do we lengthen one?
Yes, we would lengthen one.
Supporting multiple signature algorithms in the same output is likely to increase complexity for other protocols. Say a payment channel where the two parties are using different signature algorithms. I don’t see this as a strong reason not to do this, but I think the BIP needs a justification for this additional complexity.
In the case of a payment channel, it’s a 2-of-2 multisig agreed to by both parties. If either party finds the signature algorithms proposed unacceptable, the channel simply won’t be funded.
Is the reason you are doing multisig outside of script, because of the stack element limitations of some these bigger signatures? Are there any issues with the values on the attestation stack being larger than 520?
Partly for that reason, and also, because I want this to use stricter validation rules than all that script expresses.
Update to use merkle tree for attestation commitment. Update LR & SR quantum attack scenarios.85a347b5a2
cryptoquick requested review from EthanHeilman
on Dec 13, 2024
junaga
commented at 7:50 am on December 16, 2024:
none
Hi, Sorry for the ping, This is too complicated for me. Is there no way to simplify or generalize this?
QbitsCode
commented at 7:03 pm on December 16, 2024:
none
Yesterday, we pushed it with a simplified and holistic version.
cryptoquick
commented at 7:34 pm on December 16, 2024:
none
Hi, Sorry for the ping, This is too complicated for me. Is there no way to simplify or generalize this?
Perhaps a good summary is this:
In this BIP we suggest a new address format beginning with bc1r that introduces the capability for users to generate addresses that can receive payments signed using quantum-resistant keys and signatures.
It really is that simple, but there are the details for why this needs to happen and how it should happen and this tries to cover those in a comprehensive enough manner, or at least, as comprehensive as we can be without test vectors.
in
bip-p2qrh.mediawiki:34
in
85a347b5a2outdated
29+the cryptographic assumptions of Elliptic Curve Cryptography (ECC), which secures Bitcoin's signatures and Taproot
30+commitments. Specifically, [https://arxiv.org/pdf/quant-ph/0301141 Shor's algorithm] enables a CRQC to solve the
31+Discrete Logarithm Problem (DLP) exponentially faster than classical methods<ref name="shor">Shor's algorithm is
32+believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of private
33+keys from public keys—a process referred to as quantum key decryption. Importantly, simply increasing the public key
34+length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
murchandamus
commented at 8:57 pm on December 17, 2024:
I assume that the doubling from the example here is meant to be relevant for the duplication of the effort:
0keys from public keys—a process referred to as quantum key decryption. Importantly, simply doubling the public key
1length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
in
bip-p2qrh.mediawiki:47
in
85a347b5a2outdated
42+
43+The vulnerability of existing Bitcoin addresses is investigated in
44+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
45+and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
46+Bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now
47+closer to 20%. Additionally, cryptographer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
murchandamus
commented at 8:59 pm on December 17, 2024:
“Additionally” could be read as being related:
0closer to 20%. Independently, cryptographer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
in
bip-p2qrh.mediawiki:81
in
85a347b5a2outdated
76+|-
77+! Address type !! Vulnerable !! Prefix !! Example
78+|-
79+| P2PK || Yes || 04 ||
80+0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f8141781e62294721166bf621e73a82cbf
81+2342c858ee
murchandamus
commented at 9:04 pm on December 17, 2024:
Sorry for being imprecise when I suggested line breaks. I meant that it would be preferable for lines of flowing text to be limited in length as it can be hard to see what exactly changed for extremely long lines
It is fine for tables and code samples to be longer, as line breaks can add confusion or introduce errors in those cases.
in
bip-p2qrh.mediawiki:161
in
85a347b5a2outdated
156+the capital B refers to Bitcoin. The name QuBit also rhymes to some extent with SegWit.
157+
158+It is proposed to use SegWit version 3. This results in addresses that start with bc1r, which could be a useful way to
159+remember that these are quantum (r)esistant addresses (similar to how bc1q corresponds to Se(q)Wit and bc1p corresponds
160+to Ta(p)root). This is referencing the lookup table under
161+[https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#bech32 BIP-173].
murchandamus
commented at 9:14 pm on December 17, 2024:
Some schemes already assume that higher native segwit versions follow lower segwit versions. It seems that skipping a version should have a stronger motivation as a similar mnemonic could be crafted as easily for version 2: bc1(z), corresponds to “(z)ecure addresses” or to addresses that “let the user rest e(z)”.
cryptoquick
commented at 9:47 pm on December 20, 2024:
159+remember that these are quantum (r)esistant addresses (similar to how bc1q corresponds to Se(q)Wit and bc1p corresponds
160+to Ta(p)root). This is referencing the lookup table under
161+[https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#bech32 BIP-173].
162+
163+The proposal above also leaves a gap in case it makes sense to use version 2, or bc1z, for implementation of other
164+address formats such as those that employ Cross Input Signature Aggregation (CISA).
murchandamus
commented at 9:16 pm on December 17, 2024:
I’m not sure that is a pressing concern.
cryptoquick
commented at 9:47 pm on December 20, 2024:
Removed. Nobody cares about CISA anymore :joy_cat:
murchandamus
commented at 9:51 pm on December 20, 2024:
Oh, I don’t mean that people don’t care about CISA anymore. I just don’t think we would need to skip a version to keep space for it, when there isn’t even a concrete proposal yet.
in
bip-p2qrh.mediawiki:138
in
85a347b5a2outdated
133+
134+It's for the above reason that, for those who wish to be prepared for quantum emergency, it is recommended that no more
135+than 50 bitcoin are kept under a single, distinct, unused Native SegWit (P2WPKH, "bc1q") address at a time. This is
136+assuming that the attacker is financially motivated instead of, for example, a nation state looking to break confidence
137+in Bitcoin. Additionally, this assumes that other vulnerable targets such as central banks have upgraded their
138+cryptography by this time.
murchandamus
commented at 9:26 pm on December 17, 2024:
While maybe a sensible recommendation, this feels a bit digressive.
cryptoquick
commented at 9:49 pm on December 20, 2024:
Maybe, but BIPs are read by many kinds of people with different backgrounds and motivations, and I think it’s important to provide background on Satoshi’s Shield in order to not be fearmongering. It’s important that readers have a proper perspective of the threat this addresses, you know?
I see. The PR title doesn’t refer to the GitHub status of “draft, not ready for review”, only that it is a BIP draft as yet without a number – once there is a number, then the title becomes “BIP <number>: …” instead. I unified a few titles yesterday to make it easier for me to follow the various PRs.
cryptoquick
commented at 4:10 pm on December 18, 2024:
none
Are there any remaining obstacles keeping this from getting a BIP number?
jonatack
commented at 4:14 pm on December 18, 2024:
member
I have a range of numbers in mind for QC resistance BIPs to run by the other editors and am re-reviewing here.
jonatack
commented at 7:14 pm on December 18, 2024:
Please update the BIP number (on line 2), filename, and the created date to 2024-12-18 (date of BIP number assignment) and add a corresponding BIP draft entry to the repo root README file.
cryptoquick
commented at 9:49 pm on December 18, 2024:
Done!
jonatack
commented at 7:27 pm on December 18, 2024:
member
Assigned BIP number 360.
jonatack renamed this:
BIP draft: QuBit - P2QRH spending rules
BIP-360: QuBit - P2QRH spending rules
on Dec 18, 2024
cryptoquick force-pushed
on Dec 18, 2024
cryptoquick force-pushed
on Dec 18, 2024
P2QRH assigned BIP number 360.85348c01ff
cryptoquick force-pushed
on Dec 18, 2024
cryptoquick requested review from jonatack
on Dec 18, 2024
QbitsCode
commented at 11:49 pm on December 18, 2024:
This proposal uses SQIsign signatures, an isogeny-based quantum-resistant signature scheme, to enhance the protocol’s quantum security. While SQIsign has shown promising performance and compact signature sizes, it is worth noting that SQIsign is not part of the NIST PQC standardization process. This choice reflects a consideration of alternatives beyond NIST’s selected algorithms, aiming to balance quantum resistance with efficiency and practical implementation constraints. Future analysis and community feedback will determine its suitability for adoption. All other pq alogrithms of Group 1 & 2 highlighted in pqcBitcoin repo are confirmed NIST standard and tested.
cryptoquick
commented at 2:35 pm on February 25, 2025:
Somehow you’ve reviewed an older version of this BIP. SQIsign has been removed.
kayabaNerve
commented at 7:41 am on December 19, 2024:
none
Sorry for being late, but was any thought been given to the feasibility of cryptographic multisig for the algorithms named?
Raccoon has a few threshold signature protocols which can drop in with the originally defined Raccoon (so long as parameters are mutual).
This would avoid the on-chain cost of several signatures and provide indistinguishability.
cryptoquick
commented at 1:32 pm on December 19, 2024:
none
@kayabaNerve This BIP supports multisig. Maybe threshold signatures can be added once they’re more mature.
kayabaNerve
commented at 2:37 pm on December 19, 2024:
none
I’m aware of the on-chain multisig possible with this proposal, which would have non-trivial scalability limits.
Raccoon was one of the PQ signature algorithms submitted to the NIST competition for additional schemes, alongside SQIsign. It isn’t explicitly/inherently a threshold signature and just has threshold signature schemes available. I’d question if it is too immature given the (currently rather) unique benefits provided.
in
bip-0360.mediawiki:39
in
85348c01ffoutdated
34+length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
35+insufficient protection. The computational complexity of this attack is further explored in
36+[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact
37+of hardware specifications on reaching quantum advantage in the fault-tolerant regime''].
38+
39+This proposal aims to mitigate these risks by introducing a Pay to Quantum Resistant Hash (P2QRH) address type that
vostrnad
commented at 11:13 pm on December 19, 2024:
This proposal defines a new output type, not address type. An address is merely an encoding of an output script, and in this case an existing address type (Bech32m) is used.
0This proposal aims to mitigate these risks by introducing a Pay to Quantum Resistant Hash (P2QRH) output type that
in
bip-0360.mediawiki:63
in
85348c01ffoutdated
58+spent to new addresses on a regular basis in order to prevent the possibility of a "long-range CRQC attack" recovering
59+the key behind high-value addresses. A long-range quantum attack can be considered one performed with chain data, such
60+as that from a used address or one encoded in a spend script. This is likely to be more common early on, as early
61+quantum computers must be run for longer in order to overcome errors caused by noise. A "short-range quantum attack"
62+would be one performed on keys in the mempool, which is seen as much more difficult given the block time, and so it
63+requires more sophisticated CRQCs. As the value being sent increases, so too should the fee in order to commit the
vostrnad
commented at 11:13 pm on December 19, 2024:
It seems intuitive that a short range attack would require a more powerful QC than a long range attack, but is this just intuition or is it rooted in actual science? In the former case this text needs more “may"s and “it is believed"s, and in the latter case a link to relevant research.
cryptoquick
commented at 5:28 pm on December 20, 2024:
Yes, I will add this section:
0<ref name="short-range">
1In the paper
2[https://arxiv.org/pdf/2306.08585 How to compute a 256-bit elliptic curve private key with only 50 million Toffoli gates]
3the authors estimate that CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a
4256-bit key, while a CRQC with 6.9 million physical qubits would take 58 seconds. This implies that a CRQC with 4x as
5many qubits would be roughly 7 times faster.
6</ref>
in
bip-0360.mediawiki:71
in
85348c01ffoutdated
66+
67+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a PQC signature
68+algorithm. This new address type protects transactions submitted to the mempool and helps preserve the free market by
69+preventing the need for private, out-of-band mempool transactions.
70+
71+The following table is non-exhaustive but intended to inform the average Bitcoin user whether their bitcoin is
vostrnad
commented at 11:13 pm on December 19, 2024:
Since there are only 7 standard output types relevant to this discussion, does the table really need to be non-exhaustive?
(P2PK, P2PKH, P2MS, P2SH, P2WPKH, P2WSH, P2TR)
in
bip-0360.mediawiki:77
in
85348c01ffoutdated
72+vulnerable to a long-range quantum attack:
73+
74+{| class="wikitable"
75+|+ Vulnerable address types
76+|-
77+! Address type !! Vulnerable !! Prefix !! Example
vostrnad
commented at 11:13 pm on December 19, 2024:
0|+ Vulnerable output types
1|-
2! Type !! Vulnerable !! Prefix !! Example
vostrnad
commented at 11:14 pm on December 19, 2024:
To prevent formatting breaks, I’d recommend using a 33-byte (compressed) key instead.
in
bip-0360.mediawiki:90
in
85348c01ffoutdated
85+| P2WPKH || No || bc1q || bc1qsnh5ktku9ztqeqfr89yrqjd05eh58nah884mku
86+|-
87+| P2TR || Yes || bc1p || bc1p92aslsnseq786wxfk3ekra90ds9ku47qttupfjsqmmj4z82xdq4q3rr58u
88+|}
89+
90+It should be noted that Taproot addresses are vulnerable in that they encode a 32-byte x-only public key, from which a
vostrnad
commented at 11:14 pm on December 19, 2024:
0It should be noted that Taproot outputs are vulnerable in that they encode a 32-byte x-only public key, from which a
in
bip-0360.mediawiki:94
in
85348c01ffoutdated
89+
90+It should be noted that Taproot addresses are vulnerable in that they encode a 32-byte x-only public key, from which a
91+full public key can be reconstructed.
92+
93+If a key is recovered by a CRQC it can also be trivially checked to see if any child keys were produced using an
94+unhardened [https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki BIP-32] derivation path.
vostrnad
commented at 11:14 pm on December 19, 2024:
Can you elaborate? Child keys depend not only on the parent key but also on the chain code.
cryptoquick
commented at 6:32 pm on December 20, 2024:
96+==== Long Range and Short Range Quantum Attacks ====
97+
98+Long Range Quantum Attack is an attack in which the public key has been exposed on the blockchain for an extended
99+period of time, giving an attacker ample opportunity to break the cryptography. This affects:
100+
101+* Early addresses (Satoshi's coins, CPU miners, starts with 04)
vostrnad
commented at 11:14 pm on December 19, 2024:
0* P2PK outputs (Satoshi's coins, CPU miners, starts with 04)
in
bip-0360.mediawiki:104
in
85348c01ffoutdated
99+period of time, giving an attacker ample opportunity to break the cryptography. This affects:
100+
101+* Early addresses (Satoshi's coins, CPU miners, starts with 04)
102+* Reused addresses (any type, except P2QRH)
103+* Taproot addresses (starts with bc1p)
104+* Unhardened BIP-32 HD wallet keys
vostrnad
commented at 11:14 pm on December 19, 2024:
Shouldn’t this say “BIP-32 extended public keys” instead?
cryptoquick
commented at 6:32 pm on December 20, 2024:
I don’t think so, if I understand @EthanHeilman ’s feedback, but I could be wrong.
murchandamus
commented at 8:08 pm on December 20, 2024:
I’m not sure, but I could see that you would need the entire xpub, not just the parent public key.
in
bip-0360.mediawiki:117
in
85348c01ffoutdated
112+Short-range attacks require much larger, more expensive CRQCs since they must be executed within the short window
113+before a transaction is mined. Long-range attacks can be executed over a longer timeframe since the public key remains
114+exposed on the blockchain indefinitely.
115+
116+Should quantum advantage manifest, a convention is proposed in spending the full 65-byte P2PK key used by the coinbase
117+output in Block 1 back to itself. It is proposed to call the address in Block 1 the
vostrnad
commented at 11:14 pm on December 19, 2024:
You can’t “spend” a key, only an output.
What do you mean by “full key”?
Why do we require sending back to the same key?
in
bip-0360.mediawiki:118
in
85348c01ffoutdated
113+before a transaction is mined. Long-range attacks can be executed over a longer timeframe since the public key remains
114+exposed on the blockchain indefinitely.
115+
116+Should quantum advantage manifest, a convention is proposed in spending the full 65-byte P2PK key used by the coinbase
117+output in Block 1 back to itself. It is proposed to call the address in Block 1 the
118+[https://mempool.space/address/0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f81
vostrnad
commented at 11:14 pm on December 19, 2024:
Link doesn’t work, please fix.
in
bip-0360.mediawiki:123
in
85348c01ffoutdated
118+[https://mempool.space/address/0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f81
119+41781e62294721166bf621e73a82cbf2342c858ee
120+Canary address] since it can only be spent from by others (assuming Satoshi's continued absence) if secp256k1 is
121+broken. Should the Canary coins move, that will signal that reliance on secp256k1 is presently vulnerable. Without the
122+Canary, or an address like it, there may be some doubt as to whether the coins were moved with keys belonging to the
123+original owner.
vostrnad
commented at 11:14 pm on December 19, 2024:
This still leaves in the possibility that Satoshi comes back and spends the coins. Why don’t we choose coins that we know nobody knows the private key for, i.e. coins locked to a NUMS point?
cryptoquick
commented at 6:37 pm on December 20, 2024:
Is there an example of that? If so, a link would be very helpful.
vostrnad
commented at 8:12 pm on December 23, 2024:
I only managed to find two non-empty addresses that use an obvious NUMS point containing around 0.02 BTC in total:
1D8eDztgv79J59V7UBBpNGnRE6hjstqKb5, whose uncompressed public key’s x-coordinate is the SHA-256 hash of the secp256k1 generator point in uncompressed form (see BIP341).
Given this lack of funds locked in NUMS addresses and Murch’s other criticisms (which I agree with) I’d recommend completely removing the concept of canary coins from the BIP.
in
bip-0360.mediawiki:127
in
85348c01ffoutdated
122+Canary, or an address like it, there may be some doubt as to whether the coins were moved with keys belonging to the
123+original owner.
124+
125+Coinbase outputs to P2PK keys go as far as block 200,000, so there are, at the time of writing, 1,723,848 coins that
126+are vulnerable from the first epoch at the time of writing in P2PK outputs alone. The majority of these have a
127+block reward of 50 coins each, and there are roughly 34,000 distinct P2PK addresses that are vulnerable. These coins
vostrnad
commented at 11:14 pm on December 19, 2024:
There’s no such thing as a “P2PK address”; P2PK scripts don’t have a standardized address format. (What mempool.space shows is just the raw public key, not an address, not least because you can’t send to it using any commonly used wallet software.)
0block reward of 50 coins each, and there are roughly 34,000 distinct P2PK scripts that are vulnerable. These coins
in
bip-0360.mediawiki:142
in
85348c01ffoutdated
137+in Bitcoin. Additionally, this assumes that other vulnerable targets such as central banks have upgraded their
138+cryptography by this time.
139+
140+The Commercial National Security Algorithm Suite (CNSA) 2.0 has a timeline for software and networking equipment to be
141+upgraded by 2030, with browsers and operating systems fully upgraded by 2033. According to NIST IR 8547, Elliptic Curve
142+Cryptography is planned to be disallowed within the US Federal government after 2035. An exception is made for hybrid
vostrnad
commented at 11:14 pm on December 19, 2024:
0Cryptography is planned to be disallowed within the US federal government after 2035. An exception is made for hybrid
in
bip-0360.mediawiki:160
in
85348c01ffoutdated
155+This is the first in a series of BIPs under a QuBit soft fork. A qubit is a fundamental unit of quantum computing, and
156+the capital B refers to Bitcoin. The name QuBit also rhymes to some extent with SegWit.
157+
158+It is proposed to use SegWit version 3. This results in addresses that start with bc1r, which could be a useful way to
159+remember that these are quantum (r)esistant addresses (similar to how bc1q corresponds to Se(q)Wit and bc1p corresponds
160+to Ta(p)root). This is referencing the lookup table under
vostrnad
commented at 11:14 pm on December 19, 2024:
In the case of SegWit and Taproot these are just coincidences. I would leave this out.
in
bip-0360.mediawiki:173
in
85348c01ffoutdated
168+should a vulnerability exist in one of the signature algorithms used. One key distinction between P2QRH and P2TR
169+however is that P2QRH will encode a hash of the public key. This is a significant deviation from how Taproot works by
170+itself, but it is necessary to avoid exposing public keys on-chain where they are vulnerable to attack.
171+
172+P2QRH uses a 32-byte HASH256 (specifically SHA-256 twice-over, which is similar to that used in
173+[https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki#specification BIP-16]) of the public key to reduce the
vostrnad
commented at 11:14 pm on December 19, 2024:
BIP16 doesn’t use double SHA-256 though?
in
bip-0360.mediawiki:175
in
85348c01ffoutdated
170+itself, but it is necessary to avoid exposing public keys on-chain where they are vulnerable to attack.
171+
172+P2QRH uses a 32-byte HASH256 (specifically SHA-256 twice-over, which is similar to that used in
173+[https://github.com/bitcoin/bips/blob/master/bip-0016.mediawiki#specification BIP-16]) of the public key to reduce the
174+size of new outputs and also to increase security by not having the public key available on-chain. This hash serves as
175+a minimal cryptographic commitment to a public key. It goes into the output spend script, which does not receive the
vostrnad
commented at 11:15 pm on December 19, 2024:
What’s an “output spend script”?
cryptoquick
commented at 5:06 pm on December 20, 2024:
Also known as the scriptpubkey. Is that the preferred terminology?
murchandamus
commented at 7:29 pm on December 20, 2024:
I prefer either “input script” and “output script” or “scriptSig” and “scriptPubKey”. I don’t think I’ve seen “output spend script” before.
in
bip-0360.mediawiki:197
in
85348c01ffoutdated
192+increase in economic activity. An increase in the witness discount would not only impact node runners but those with
193+inscriptions would also have the scarcity of their non-monetary assets affected. The only way to prevent these effects
194+while also increasing the discount is to have a completely separate witness—a "quantum witness." Because it is meant
195+only for public keys and signatures, we call this section of the transaction the attestation.
196+
197+To address the risk of arbitrary data being stored using P2QRH (QuBit) addresses, very specific rules will be applied
vostrnad
commented at 11:15 pm on December 19, 2024:
0To address the risk of arbitrary data being stored using P2QRH (QuBit) outputs, very specific rules will be applied
in
bip-0360.mediawiki:227
in
85348c01ffoutdated
222+time-tested, and well-reviewed. Lattice cryptography is relatively new and introduces novel security assumptions to
223+Bitcoin, but their signatures are smaller and might be considered by some to be an adequate alternative to hash-based
224+signatures. SQIsign is much smaller; however, it is based on a very novel form of cryptography known as supersingular
225+elliptic curve quaternion isogeny, and at the time of writing, is not yet approved by NIST or the broader PQC community.
226+
227+In the distant future, following the implementation of the P2QRH address format in a QuBit soft fork, there will likely
vostrnad
commented at 11:15 pm on December 19, 2024:
0In the distant future, following the implementation of the P2QRH output type in a QuBit soft fork, there will likely
in
bip-0360.mediawiki:305
in
85348c01ffoutdated
300+This allows for inclusion of a Taproot MAST merkle root in the attestation, which makes P2QRH a quantum-resistant
301+version of Taproot.
302+
303+=== Transaction Serialization ===
304+
305+Following BIP-141, the transaction serialization is modified to include a new attestation field after the witness field:
vostrnad
commented at 11:15 pm on December 19, 2024:
This is a bit inaccurate: you can’t just modify the existing serialization format because existing nodes still need to receive transactions in that format. Instead you’re creating a new format and keeping both (actually 3 now).
By the way, will you not also need to introduce e.g. a qtxid, similar to wtxid?
0Following BIP-141, a new transaction serialization format is introduced to include an attestation field after the witness field:
in
bip-0360.mediawiki:319
in
85348c01ffoutdated
314+
315+=== Attestation Structure ===
316+
317+The attestation field consists of:
318+
319+* <code>num_pubkeys</code>: The number of public keys (VarInt encoded).
vostrnad
commented at 11:15 pm on December 19, 2024:
530+chosen as Bitcoin's curve. Isogeny cryptography when it was first introduced was broken over a weekend.
531+
532+Ideally SQIsign also proves to be flexible enough to support
533+[https://www.pierrickdartois.fr/homepage/wp-content/uploads/2022/04/Report_OSIDH_DARTOIS.pdf Isogeny Diffie-Hellman] to
534+replace ECDH applications, and also provide methods for the key tweaking necessary to support TapScript for P2QR
535+addresses. Additionally, isogeny-based post-quantum cryptography is based on higher-order elliptic curves, and so it
vostrnad
commented at 11:15 pm on December 19, 2024:
0outputs. Additionally, isogeny-based post-quantum cryptography is based on higher-order elliptic curves, and so it
in
bip-0360.mediawiki:591
in
85348c01ffoutdated
586+* 2024-09-27 - Initial draft proposal
587+
588+== Acknowledgements ==
589+
590+This document is inspired by [https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki BIP-341], which introduced
591+the design of the P2TR (Taproot) address type using Schnorr signatures.
vostrnad
commented at 11:15 pm on December 19, 2024:
0the design of the P2TR (Taproot) output type using Schnorr signatures.
cryptoquick requested review from vostrnad
on Dec 20, 2024
Fixes, typos, formatting.990d8a87b5
in
bip-0360.mediawiki:34
in
4b8b6470e6outdated
29+the cryptographic assumptions of Elliptic Curve Cryptography (ECC), which secures Bitcoin's signatures and Taproot
30+commitments. Specifically, [https://arxiv.org/pdf/quant-ph/0301141 Shor's algorithm] enables a CRQC to solve the
31+Discrete Logarithm Problem (DLP) exponentially faster than classical methods<ref name="shor">Shor's algorithm is
32+believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of private
33+keys from public keys—a process referred to as quantum key decryption. Importantly, simply increasing the public key
34+length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
murchandamus
commented at 7:55 pm on December 20, 2024:
I assume that “twice” specifically corresponds to doubling the length rather than “increasing it”.
0keys from public keys—a process referred to as quantum key decryption. Importantly, simply doubling the public key
1length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
in
bip-0360.mediawiki:47
in
4b8b6470e6outdated
42+
43+The vulnerability of existing Bitcoin addresses is investigated in
44+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
45+and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
46+Bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now
47+closer to 20%. Additionally, cryptographer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
murchandamus
commented at 7:57 pm on December 20, 2024:
It sounds like the two are related, but rather you are citing two independent resources. Also, Pieter has previously espoused the opinion that he is not a cryptographer.
0closer to 20%. Independently, cryptographer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
murchandamus
commented at 8:01 pm on December 20, 2024:
Also I think Pieter has previously mentioned that he wouldn’t consider himself a cryptographer, so maybe just go with “Bitcoin developer”
in
bip-0360.mediawiki:75
in
4b8b6470e6outdated
70+
71+As the value being sent increases, so too should the fee in order to commit the transaction to the chain as soon as
72+possible. Once the transaction is mined, it makes useless the public key revealed by spending a UTXO, so long as it is
73+never reused.
74+
75+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a PQC signature
murchandamus
commented at 8:03 pm on December 20, 2024:
0It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) output type that relies on a PQC signature
in
bip-0360.mediawiki:76
in
4b8b6470e6outdated
71+As the value being sent increases, so too should the fee in order to commit the transaction to the chain as soon as
72+possible. Once the transaction is mined, it makes useless the public key revealed by spending a UTXO, so long as it is
73+never reused.
74+
75+It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) address type that relies on a PQC signature
76+algorithm. This new address type protects transactions submitted to the mempool and helps preserve the free market by
murchandamus
commented at 8:03 pm on December 20, 2024:
0algorithm. This new output type protects transactions submitted to the mempool and helps preserve the free market by
murchandamus
commented at 8:05 pm on December 20, 2024:
It should perhaps be reiterated in the context of this table that their funds are only safe in P2PKH, P2SH, P2WPKH, and P2WSH outputs if they haven’t used the address before.
in
bip-0360.mediawiki:124
in
4b8b6470e6outdated
119+
120+Short Range Quantum Attack is an attack that must be executed quickly while a transaction is still in the mempool,
121+before it gets mined into a block. This affects:
122+
123+* Any transaction in the mempool (except for P2QRH)
124+* Unhardened BIP-32 HD wallet keys
murchandamus
commented at 8:10 pm on December 20, 2024:
146+
147+It's for the above reason that, for those who wish to be prepared for quantum emergency, it is recommended that no more
148+than 50 bitcoin are kept under a single, distinct, unused Native SegWit (P2WPKH, "bc1q") address at a time. This is
149+assuming that the attacker is financially motivated instead of, for example, a nation state looking to break confidence
150+in Bitcoin. Additionally, this assumes that other vulnerable targets such as central banks have upgraded their
151+cryptography by this time.
murchandamus
commented at 8:32 pm on December 20, 2024:
This whole part about the Canary and Satoshi’s Shield feels a bit like an excursion from the main topic. Anyway, if I were to attack anything, I wouldn’t go after Satoshi’s coins. First because it would raise suspicion immediately, and secondly, because e.g., the Binance Cold Wallet 34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo currently holds ₿248,597.53479136 and is a reused address.
cryptoquick
commented at 9:58 pm on December 20, 2024:
I understand that perspective, but as the first BIP related to quantum computing, I wanted to appropriately set the stage even for skeptics. The Canary address is meant to be a flag in the sand that people can hopefully agree that if Satoshi is expected never to return, then this is a logical place to check to agree that Bitcoin is unequivocally compromised.
murchandamus
commented at 7:41 pm on December 23, 2024:
I don’t get it. If you could compromise an output script worth 50 ₿ or an output script worth 250 k₿, how does the former serve as a canary, i.e., an early warning?!
vostrnad
commented at 8:13 pm on December 23, 2024:
I agree, attempting to create a convention for canary coins seems inherently flawed and out of scope for this BIP.
cryptoquick
commented at 10:46 pm on December 23, 2024:
Okay, I’ll remove it.
in
bip-0360.mediawiki:173
in
4b8b6470e6outdated
168+This is the first in a series of BIPs under a QuBit soft fork. A qubit is a fundamental unit of quantum computing, and
169+the capital B refers to Bitcoin. The name QuBit also rhymes to some extent with SegWit.
170+
171+It is proposed to use SegWit version 3. This results in addresses that start with bc1r, which could be a useful way to
172+remember that these are quantum (r)esistant addresses. This is referencing the lookup table under
173+[https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#bech32 BIP-173].
murchandamus
commented at 8:35 pm on December 20, 2024:
I’m not convinced by this rationale for skipping ahead in the versions. A similar mnemonic could be made up for bc1z e.g., “(z)ecure against quantum”.
cryptoquick
commented at 10:00 pm on December 20, 2024:
I think a better use for bc1z would be P2TRH, which is a follow-up BIP I want to introduce as an alternative should this BIP fail to gather consensus.
As for bc1r, I think to some degree aesthetics matter. “Resistant” should be the word that comes to mind.
in
bip-0360.mediawiki:176
in
4b8b6470e6outdated
171+It is proposed to use SegWit version 3. This results in addresses that start with bc1r, which could be a useful way to
172+remember that these are quantum (r)esistant addresses. This is referencing the lookup table under
173+[https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#bech32 BIP-173].
174+
175+The proposal above also leaves a gap in case it makes sense to use version 2, or bc1z, for implementation of other
176+address formats such as those that employ Cross Input Signature Aggregation (CISA).
murchandamus
commented at 8:37 pm on December 20, 2024:
I would prefer using native segwit versions as proposals come up rather than leaving space for things with an uncertain timeline.
in
bip-0360.mediawiki:186
in
4b8b6470e6outdated
181+however is that P2QRH will encode a hash of the public key. This is a significant deviation from how Taproot works by
182+itself, but it is necessary to avoid exposing public keys on-chain where they are vulnerable to attack.
183+
184+P2QRH uses a 32-byte HASH256 (specifically SHA-256 twice-over) of the public key to reduce the size of new outputs and
185+also to increase security by not having the public key available on-chain. This hash serves as a minimal cryptographic
186+commitment to a public key. It goes into the scriptPubKey, which does not receive the witness discount.
murchandamus
commented at 8:40 pm on December 20, 2024:
Would this perhaps better be described as a Witness Program?
in
bip-0360.mediawiki:213
in
4b8b6470e6outdated
208+to spending from the witness stack in SegWit v3 outputs. A fixed signature size will be necessary for spending the
209+output, and the output must be spendable to be considered valid within node consensus. A fixed signature size will also
210+be helpful to disambiguate between signature types without an additional version byte, as SQIsign signatures are
211+substantially smaller than FALCON signatures. Consequently, the correct signature algorithm can be inferred through
212+byte length. The public key and signature will be pushed separately to the attestation stack. Multiple signatures can
213+be included in order to support multisig applications, and also for spending multiple inputs.
murchandamus
commented at 8:43 pm on December 20, 2024:
It might generally make sense to separate the description of the output type mechanics from the serialization format into different sections.
cryptoquick
commented at 10:07 pm on December 20, 2024:
Good suggestion. I’ve moved this section and the next to a section after the ScriptPubKey section called Output Mechanics.
in
bip-0360.mediawiki:235
in
4b8b6470e6outdated
230+The inclusion of these four cryptosystems: SPHINCS+, CRYSTALS-Dilithium, FALCON, and SQIsign have various advocates
231+within the community due to their varying security assumptions. Hash-based cryptosystems are more conservative,
232+time-tested, and well-reviewed. Lattice cryptography is relatively new and introduces novel security assumptions to
233+Bitcoin, but their signatures are smaller and might be considered by some to be an adequate alternative to hash-based
234+signatures. SQIsign is much smaller; however, it is based on a very novel form of cryptography known as supersingular
235+elliptic curve quaternion isogeny, and at the time of writing, is not yet approved by NIST or the broader PQC community.
murchandamus
commented at 8:51 pm on December 20, 2024:
I have no clue about the trade-offs here, but wouldn’t it make the proposal much more viable if it picked only one and added hooks to introduce another later in case we change our mind as we learn more?
cryptoquick
commented at 10:16 pm on December 20, 2024:
It’s in the interest of supporting hybrid cryptography, especially for high value outputs, such as cold wallets used by exchanges. I’ll be sure to add that explanation, if it helps.
As for viability, I can explain that a separate libbitcoinpqc library could be developed as a drop-in analogue to libsecp256k1.
in
bip-0360.mediawiki:241
in
4b8b6470e6outdated
236+
237+In the distant future, following the implementation of the P2QRH output type in a QuBit soft fork, there will likely
238+be a need for Pay to Quantum Secure (P2QS) addresses. These will require specialized quantum hardware for signing,
239+while still [https://quantum-journal.org/papers/q-2023-01-19-901/ using public keys that are verifiable via classical
240+means]. Additional follow-on BIPs will be needed to implement P2QS. However, until specialized quantum cryptography
241+hardware is widespread, quantum resistant addresses should be an adequate intermediate solution.
murchandamus
commented at 8:54 pm on December 20, 2024:
This begs the question how Quantum Resistant and Quantum Secure are distinguished.
cryptoquick
commented at 11:23 pm on December 20, 2024:
Good question. I’ve added more details on that.
in
bip-0360.mediawiki:254
in
4b8b6470e6outdated
249+To integrate P2QRH into existing wallet software and scripts, we introduce a new output descriptor function
250+<code>qrh()</code>. This function represents a P2QRH output, similar to how <code>wpkh()</code> and <code>tr()</code>
251+are used for P2WPKH and P2TR outputs, respectively.
252+
253+The <code>qrh()</code> function takes the HASH256 of the concatenated HASH256 of the quantum-resistant public keys as
254+its argument. For example:
murchandamus
commented at 8:57 pm on December 20, 2024:
It’s not clear to me why we are suddenly talking about multiple public keys here.
cryptoquick
commented at 11:22 pm on December 20, 2024:
I’ve added some more details, let me know if that helps.
306+
307+This merkle tree construction creates an efficient cryptographic commitment to multiple public keys while enabling
308+selective disclosure.
309+
310+This allows for inclusion of a Taproot MAST merkle root in the attestation, which makes P2QRH a quantum-resistant
311+version of Taproot.
murchandamus
commented at 9:08 pm on December 20, 2024:
I’m fairly lost here. The multiple public keys and tree construction seems to be mentioned for the first time here. If there was rationale for this tree construction, I missed it. It’s not clear to me what this tree construction achieves. How many of the public keys can be provided directly in the form of their hashes? When you mention MAST, I assume you mean “Merklized Alternative Script Trees”, so one would spend by revealing only a single key from the tree and satisfy its spending conditions? Altogether, this section is hard to follow for me.
cryptoquick
commented at 11:21 pm on December 20, 2024:
I’ve tried to add more supporting information. Let me know if that’s better.
murchandamus
commented at 8:53 pm on December 23, 2024:
I think I’m slowly getting the gist of it, but it might help to cover the abstract idea briefly at a higher level before getting into all the details.
BIP114 is also named “MAST” (Merkelized Abstract Syntax Trees), so perhaps write out the MAST you are referring to here.
in
bip-0360.mediawiki:321
in
4b8b6470e6outdated
316+
317+ [nVersion][marker][flag][txins][txouts][witness][attestation][nLockTime]
318+
319+* <code>marker</code>: <code>0x00</code> (same as SegWit)
320+
321+* <code>flag</code>: <code>0x02</code> (indicates the presence of both witness and attestation data)
murchandamus
commented at 9:10 pm on December 20, 2024:
Should the flag not be considered a boolean array? 0x01 for witness, 0x02 for attestation, 0x03 for witness and attestation? Is it possible for an attestation to appear without a witness section?
cryptoquick
commented at 10:42 pm on December 20, 2024:
I’ve considered this, and yes, it might make sense if we’ve completely transitioned away from classical cryptography. I’ll be sure to factor that in.
in
bip-0360.mediawiki:347
in
4b8b6470e6outdated
342+
343+* <code>signature_length</code>: compact size length of the signature.
344+* <code>signature</code>: The signature bytes.
345+
346+This structure repeats for each input, in order, for flexibility in supporting multisig schemes and various
347+quantum-resistant algorithms.
murchandamus
commented at 9:12 pm on December 20, 2024:
I haven’t thought a lot about this, but given the goal of extensibility, it might be good to add a byte to indicate a signature type for more flexibility?
cryptoquick
commented at 10:59 pm on December 20, 2024:
As I go into in the Signature Algorithm Identification section, we just use the length of the key and signature to indicate signature type. If there’s overlap, an extra byte is added.
in
bip-0360.mediawiki:391
in
4b8b6470e6outdated
386+
387+* Valid signatures corresponding to the public key(s) and the transaction data.
388+
389+3. For multi-signature schemes, all required public keys and signatures must be provided for that input within the
390+attestation. Public keys that are not needed can be excluded by including their hash in the attestation accompanied
391+with an empty signature. This includes classical Schnorr signatures.
murchandamus
commented at 9:14 pm on December 20, 2024:
For a multisignature scheme, would you need to reveal multiple leafs from the pubkey tree? From what I understood the tree can only hold public keys, not scripts. How then is the threshold communicated? Wouldn’t a spender be able to reveal only their own key and provide a signature for that?
cryptoquick
commented at 11:03 pm on December 20, 2024:
That’s a good point. Does that need to be committed to in the output or just expressed in the attestation?
murchandamus
commented at 7:46 pm on December 23, 2024:
If it’s not committed to in advance, you are building either a 1-of-n or a 0-of-n scheme, depending on the minimum value for the threshold.
cryptoquick
commented at 10:18 pm on December 23, 2024:
That makes sense. So, we essentially need to commit to a script hash. I’m thinking we just do a bunch of consecutive data pushes of PKHs and they correspond to leaves on a binary tree. This is then included in the witness. Keys in the attestation are hashed and compared to the PKHs in the v3 witness. Like this:
Notice, all 5 PKHs need to be committed to in advance in the script hash. Maybe we need to introduce a concept like QPKH? QuBit public key hash? And QSH for script hashes? Or would APKH / ASH be better, for attestation?
What do you think? This I think will obviate the necessity for a merkle tree, as recommended by @EthanHeilman. If 3 public keys aren’t included and don’t hash to any of the public keys in the script hash, then the transaction fails.
murchandamus
commented at 9:22 pm on December 20, 2024:
contributor
Sorry for the many comments. I’m glad that someone is looking into this topic, but it seems to me that there are still many unknowns with the topic, and I’m not sure the proposal is already at a level where it provides sufficient information for anyone to fashion an implementation.
murchandamus
commented at 9:27 pm on December 20, 2024:
After having just read the BIP again, I’m not sure why the term “QuBit” appears in the title. Wouldn’t the main topic simply be:
0 Title: Pay to Quantum Resistant Hash
in
bip-0360.mediawiki:169
in
990d8a87b5outdated
164+[https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques’ post on this].
165+
166+=== Rationale ===
167+
168+This is the first in a series of BIPs under a QuBit soft fork. A qubit is a fundamental unit of quantum computing, and
169+the capital B refers to Bitcoin. The name QuBit also rhymes to some extent with SegWit.
murchandamus
commented at 9:36 pm on December 20, 2024:
Is the intention to make a group of several BIPs that are intended to be activated together like SegWit? Otherwise I’m not sure whether I get the purpose of introducing the term “QuBit” here.
cryptoquick
commented at 11:07 pm on December 20, 2024:
That is the idea, yes. QuBit is the name of the soft fork, similar to SegWit and Taproot.
in
bip-0360.mediawiki:597
in
990d8a87b5outdated
592+* 2024-11-20 - Clarifications based on feedback from Murch. Remove some sections that are not yet ready.
593+* 2024-10-21 - Replace XMSS with CRYSTALS-Dilithium due to NIST approval and size constraints.
594+* 2024-09-30 - Refactor the ECC vs PoW section. Swap quitness for attestation.
595+* 2024-09-29 - Update section on PoW to include partial-preimage.
596+* 2024-09-28 - Add Winternitz, XMSS signatures, and security assumption types to PQC table. Omit NIST Level I table. Add spend script specification. Add revealed public key scenario table.
597+* 2024-09-27 - Initial draft proposal
murchandamus
commented at 9:46 pm on December 20, 2024:
I don’t think “Address feedback form vostrnad”, “Update title and formatting”, “MediaWiki formatting fixes”, etc. are substantial changes that need to be tracked in the Changelog. Maybe this list could be compressed a bit.
murchandamus
commented at 9:48 pm on December 20, 2024:
contributor
After going over the editor checklist, I’m not sure why the term “QuBit” is introduced.
Altogether, it feels like Motivation and Rationale are giving a very broad overview of the topic, straying maybe a bit too far for a document describing “Spending Rules”. Perhaps the document could be more concise in several sections, and the corresponding information could be provided outside of the BIP and just linked, or moved to the footnotes.
Updates based on Murch and vostrnad feedback.0fdd8c3edc
Fix title change in README.208a987f2f
cryptoquick
commented at 11:20 pm on December 20, 2024:
none
@murchandamus@vostrnad Thank you for taking the time to review. I realize this is a long BIP and there’s a lot to go over, but I think it’s important as the first quantum BIP to go into the problem in detail. In that way it’s similar to BIP-52.
For context, I also intend to introduce a QuBit activation BIP, and a P2TRH BIP separate from QuBit. Additionally, I realize that there’s some sections here that are underspecified. That will come with test vectors and an implementation, which I’m working towards.
in
bip-0360.mediawiki:36
in
208a987f2foutdated
31+Discrete Logarithm Problem (DLP) exponentially faster than classical methods<ref name="shor">Shor's algorithm is
32+believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of
33+private keys from public keys—a process referred to as quantum key decryption. Importantly, simply doubling the public
34+key length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard,
35+offering insufficient protection. The computational complexity of this attack is further explored in
36+[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault-tolerant regime''].
murchandamus
commented at 8:02 pm on December 23, 2024:
Collaboration nit: Please don’t reformat a paragraph when you change just a couple words. Keep the line breaks at the same place to make it easier to spot the changes:
It’s much easier to review
0 believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of private
1-keys from public keys—a process referred to as quantum key decryption. Importantly, simply increasing the public key
2+keys from public keys—a process referred to as quantum key decryption. Importantly, simply doubling the public key
3 length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
4 insufficient protection. The computational complexity of this attack is further explored in
5-[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact
6-of hardware specifications on reaching quantum advantage in the fault-tolerant regime''
7+[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault-tolerant regime''].
than
0-believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of private
1-keys from public keys—a process referred to as quantum key decryption. Importantly, simply increasing the public key
2-length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard, offering
3-insufficient protection. The computational complexity of this attack is further explored in
4-[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact
5-of hardware specifications on reaching quantum advantage in the fault-tolerant regime''].
6+believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of
7+private keys from public keys—a process referred to as quantum key decryption. Importantly, simply doubling the public
8+key length (e.g., using a hypothetical secp512k1 curve) would only make deriving the private key twice as hard,
9+offering insufficient protection. The computational complexity of this attack is further explored in
10+[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault-tolerant regime''].
because all the linebreaks were readjusted after the “private” at the end of the first line was moved to the second line.
cryptoquick
commented at 9:51 pm on December 23, 2024:
Good point
in
bip-0360.mediawiki:103
in
208a987f2foutdated
98+| P2TR || Yes || bc1p || bc1p92aslsnseq786wxfk3ekra90ds9ku47qttupfjsqmmj4z82xdq4q3rr58u
99+|-
100+| P2QRH || No || bc1r || bc1r8rt68aze8tek87cnz4ndnvfzk6tk93jv39n4lmpu5a4yw453rcpszsft3z
101+|}
102+
103+Note: Funds are only safe in P2PKH, P2SH, P2WPKH, and P2WSH outputs if they haven't used the address before.
murchandamus
commented at 8:19 pm on December 23, 2024:
Address reuse can refer to just receiving funds to the same address multiple times, but that in itself is not unsafe. Here we specifically mean that it becomes vulnerable the input script has been revealed.
Maybe add a ¹ to distinguish P2QRH from the mentioned output types:
0{| class="wikitable"
1|+ Vulnerable output types
2|-
3! Type !! Vulnerable !! Prefix !! Example
4|-
5| P2PK || Yes || Varies || 2103203b768951584fe9af6d9d9e6ff26a5f76e453212f19ba163774182ab8057f3eac
6|-
7| P2PKH || No¹ || 1 || 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
8|-
9| P2MS || Yes || Varies || 52410496ec45f878b62c46c4be8e336dff7cc58df9b502178cc240e...
10|-
11| P2SH || No¹ || 3 || 3FkhZo7sGNue153xhgqPBcUaBsYvJW6tTx
12|-
13| P2WPKH || No¹ || bc1q || bc1qsnh5ktku9ztqeqfr89yrqjd05eh58nah884mku
14|-
15| P2WSH || No¹ || bc1q || bc1qvhu3557twysq2ldn6dut6rmaj3qk04p60h9l79wk4lzgy0ca8mfsnffz65
16|-
17| P2TR || Yes || bc1p || bc1p92aslsnseq786wxfk3ekra90ds9ku47qttupfjsqmmj4z82xdq4q3rr58u
18|-
19| P2QRH || No || bc1r || bc1r8rt68aze8tek87cnz4ndnvfzk6tk93jv39n4lmpu5a4yw453rcpszsft3z
20|}
2122¹ Funds in P2PKH, P2SH, P2WPKH, and P2WSH outputs become vulnerable to long-range quantum attacks when their input script is revealed. An address is no longer safe against long-range quantum attacks after funds from it have been spent.
in
bip-0360.mediawiki:109
in
208a987f2foutdated
104+
105+It should be noted that Taproot outputs are vulnerable in that they encode a 32-byte x-only public key, from which a
106+full public key can be reconstructed.
107+
108+Derivation of child keys (whether hardened or not) requires the chain code, so this is only a concern if the attacker
109+has access to the extended public key (in which case they can just directly convert it to an extended private key).
murchandamus
commented at 8:30 pm on December 23, 2024:
Your new text seems to be responding to the thought of the removed sentence. How about this combination of the original and new version:
0If an extended public key’s (xPub’s) parent private key of is recovered by CRQC, the attacker also recovers
1the entire extended private key, whether it uses hardened or unhardened derivation.
in
bip-0360.mediawiki:119
in
208a987f2foutdated
114+period of time, giving an attacker ample opportunity to break the cryptography. This affects:
115+
116+* P2PK outputs (Satoshi's coins, CPU miners, starts with 04)
117+* Reused addresses (any type, except P2QRH)
118+* Taproot addresses (starts with bc1p)
119+* Wallet descriptor extended public keys, commonly known as "xpubs"
murchandamus
commented at 8:32 pm on December 23, 2024:
I am not sure what you mean with “Wallet descriptor extended public keys”. Did you mean wallet descriptors and extended public keys?
0* Extended public keys, commonly known as "xpubs"
1* Wallet descriptors
in
bip-0360.mediawiki:280
in
208a987f2foutdated
275+Hash Computation section.
276+
277+=== Output Mechanics ===
278+
279+To address the risk of arbitrary data being stored using P2QRH (QuBit) outputs, very specific rules will be applied
280+to spending from the witness stack in SegWit v3 outputs. A fixed signature size will be necessary for spending the
murchandamus
commented at 8:48 pm on December 23, 2024:
This is confusing. We don’t “spend from the witness stack”. From what I understand meanwhile, the public keys and public key hashes are provided in the attestation, and any signatures are provided in the witness. Under the assumption that the threshold of necessary keys is pre-committed and I understand that right, how about:
0To prevent storage of arbitrary data using P2QRH (QuBit) outputs,
1the witness stack for inputs spending segwit v3 outputs is limited to the fixed-size signatures necessary for spending the
in
bip-0360.mediawiki:311
in
208a987f2foutdated
306+For example with 4 public keys:
307+
308+ h1 = HASH256(pubkey1)
309+ h2 = HASH256(pubkey2)
310+ h3 = HASH256(pubkey3)
311+ h4 = HASH256(pubkey4)
murchandamus
commented at 8:52 pm on December 23, 2024:
Have you considered making this tagged hashes to mitigate some of the general issues with Satoshi-style merkle trees?
cryptoquick
commented at 9:54 pm on December 23, 2024:
I have not. I’m not familiar with the problem with Satoshi-style merkle trees. Wouldn’t tagged hashes require additional data?
murchandamus
commented at 5:10 pm on December 26, 2024:
No, they’re the same cost, you just prefix the hashing process with the tag. The advantage is that it prevents any collisions or hashing the same things at different levels of the tree in different contexts. They could for example be used to disambiguate the different types of cryptographic schemes on the public key commitment level for free, or for distinguishing public key hashes from inner node hashes. I’m not sure they’re necessary here, but they clean-up a whole category of issues, so they might be useful.
cryptoquick
commented at 9:41 pm on December 26, 2024:
That makes sense. That might be a good idea, if we are using Merkle trees.
murchandamus
commented at 8:54 pm on December 23, 2024:
contributor
Just a few quick responses to the edits
Apply suggestions from code review
Co-authored-by: Mark "Murch" Erhardt <murch@murch.one>
8eb35c89a3
Fix broken link.d9bb0ffef1
Remove Canary section.0ae69db70a
murchandamus
commented at 5:11 pm on December 26, 2024:
contributor
This is all that I have at this time from an editorial standpoint. It would be good if this proposal got more feedback and/or endorsements from domain experts in the next steps.
mraksoll4
commented at 5:52 pm on December 30, 2024:
none
the main problem that I see is decryptor wallets, as well as a master private key and a master public key, curves allow us to use something like this, but post-quantum algorithms do not provide such an opportunity (in current implementations)
if use clasic logic with key pool , we simple get key pairs and use them
but how are we going to associate a key obtained from master keys with post quantum keys?
cryptoquick
commented at 5:06 am on January 1, 2025:
none
@mraksoll4 All PQC algos will of course need to be compatible with BIP-32 HD wallet-style key derivation. There are definitely PQC libraries out there that just assume you’ll never want to bring your own entropy, and so they don’t provide a field or argument to provide that, but the intention behind the implementation of this BIP is that there will be a custom PQC library for bitcoin specifically that will implement things like this. So, your concern, while valid, is an implementation detail, and doesn’t really have much bearing on the BIP itself.
mraksoll4
commented at 4:22 pm on January 1, 2025:
none
@mraksoll4 All PQC algos will of course need to be compatible with BIP-32 HD wallet-style key derivation. There are definitely PQC libraries out there that just assume you’ll never want to bring your own entropy, and so they don’t provide a field or argument to provide that, but the intention behind the implementation of this BIP is that there will be a custom PQC library for bitcoin specifically that will implement things like this. So, your concern, while valid, is an implementation detail, and doesn’t really have much bearing on the BIP itself.
Well, we have no problems with private keys, and also with generating from a seed, I have already implemented for experiments on the liboqs library the use of my own seed for falcon and dilithium to obtain a pair of keys, as well as obtaining a public key from a private one.
There are also no problems with multi-signature, the signature itself can be merged.
but we have a problem with obtaining public keys from the master public key ; due to the design of post quantum algorithms, we do not have the ability to obtain public keys from other public keys through predictable mathematical operations as in ecdsa.
although perhaps I don’t fully understand how we get the master public key.
first we need to solve the problem of key hierarchy, or we will have to forget about generating public keys without cration the private key, although for example in Falcon you don’t need the entire private key but only part of it to reconstruct the public key
0 1/* 2* This function reconstructs the public key from a given private key. 3* It decodes the private key components (f and g) from the secret key
4*and uses them to regenerate the corresponding public key (h). 5* The generated public key is then encoded into the provided pk array. 6* 7* public (pk): The output buffer where the public key will be stored (must be at least PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES in size). 8* private (sk): The input secret key (private key) in byte array format (must be PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES in size). 9* Return value: 0 on success, -1 on error.10*/11int12PQCLEAN_FALCON1024_CLEAN_crypto_sign_pubkey_from_privkey(
13 uint8_t *pk, const uint8_t *sk) {
14 union {
15 uint8_t b[FALCON_KEYGEN_TEMP_10];
16 uint64_t dummy_u64;
17 fpr dummy_fpr;
18 } tmp;
19 int8_t f[1024], g[1024], F[1024];
20 uint16_t h[1024];
21 size_t u, v;
2223/*24* Decode the private key.25*/26if (sk[0] !=0x50+10) {
27return-1;
28 }
29 u =1;
30 v = PQCLEAN_FALCON1024_CLEAN_trim_i8_decode(
31 f, 10, PQCLEAN_FALCON1024_CLEAN_max_fg_bits[10],
32 sk + u, PQCLEAN_FALCON1024_CLEAN_CRYPTO_SECRETKEYBYTES - u);
33if (v ==0) {
34return-1;
35 }
36 u += v;
37 v = PQCLEAN_FALCON1024_CLEAN_trim_i8_decode(
38 g, 10, PQCLEAN_FALCON1024_CLEAN_max_fg_bits[10],
39 sk + u, PQCLEAN_FALCON1024_CLEAN_CRYPTO_SECRETKEYBYTES - u);
40if (v ==0) {
41return-1;
42 }
4344/*45* Reconstruct the public key using f and g by calling the compute_public function.46*/47if (!PQCLEAN_FALCON1024_CLEAN_compute_public(h, f, g, 10, tmp.b)) {
48return-1;
49 }
5051/*52* Encode public key.53*/54 pk[0] =0x00+10;
55 v = PQCLEAN_FALCON1024_CLEAN_modq_encode(
56 pk +1, PQCLEAN_FALCON1024_CLEAN_CRYPTO_PUBLICKEYBYTES -1,
57 h, 10);
58if (v != PQCLEAN_FALCON1024_CLEAN_CRYPTO_PUBLICKEYBYTES -1) {
59return-1;
60 }
6162return0;
63}
in
bip-0360.mediawiki:44
in
0ae69db70aoutdated
39+relies on post-quantum cryptographic (PQC) signature algorithms. By adopting PQC, Bitcoin can enhance its quantum
40+resistance without requiring a hard fork or block size increase.
41+
42+The vulnerability of existing Bitcoin addresses is investigated in
43+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
44+and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
jonatack
commented at 10:34 pm on January 2, 2025:
nit, let’s avoid a line break in the url here, and s/estimates/estimated/
0-[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
1-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
2+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimated that in 2020 approximately 25% of the
cryptoquick
commented at 9:29 pm on March 13, 2025:
42+The vulnerability of existing Bitcoin addresses is investigated in
43+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
44+and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
45+Bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now
46+closer to 20%. Independently, Bitcoin developer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
47+even more might be vulnerable.
jonatack
commented at 10:41 pm on January 2, 2025:
0even more addresses might be vulnerable, representing 5M to 10M bitcoin.
in
bip-0360.mediawiki:65
in
0ae69db70aoutdated
60+quantum computers must be run for longer in order to overcome errors caused by noise. A "short-range quantum attack"
61+would be one performed on keys in the mempool, which is seen as much more difficult given the block time, and so it
62+requires more sophisticated CRQCs.<ref name="short-range">
63+In the paper
64+[https://arxiv.org/pdf/2306.08585 How to compute a 256-bit elliptic curve private key with only 50 million Toffoli gates]
65+the authors estimate that CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a
jonatack
commented at 10:48 pm on January 2, 2025:
0the authors estimate that a CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a
103+¹ Funds in P2PKH, P2SH, P2WPKH, and P2WSH outputs become vulnerable to long-range quantum attacks when their input script is revealed. An address is no longer safe against long-range quantum attacks after funds from it have been spent.
104+
105+It should be noted that Taproot outputs are vulnerable in that they encode a 32-byte x-only public key, from which a
106+full public key can be reconstructed.
107+
108+If an extended public key’s (xPub’s) parent private key of is recovered by CRQC, the attacker also recovers
jonatack
commented at 10:56 pm on January 2, 2025:
0If the parent private key of an extended public key (xpub) is recovered by a CRQC, the attacker also recovers
in
bip-0360.mediawiki:113
in
0ae69db70aoutdated
108+If an extended public key’s (xPub’s) parent private key of is recovered by CRQC, the attacker also recovers
109+the entire extended private key, whether it uses hardened or unhardened derivation.
110+
111+==== Long Range and Short Range Quantum Attacks ====
112+
113+Long Range Quantum Attack is an attack in which the public key has been exposed on the blockchain for an extended
jonatack
commented at 10:57 pm on January 2, 2025:
0A Long Range Quantum Attack is an attack in which the public key has been exposed on the blockchain for an extended
in
bip-0360.mediawiki:122
in
0ae69db70aoutdated
117+* Reused addresses (any type, except P2QRH)
118+* Taproot addresses (starts with bc1p)
119+* Extended public keys, commonly known as "xpubs"
120+* Wallet descriptors
121+
122+Short Range Quantum Attack is an attack that must be executed quickly while a transaction is still in the mempool,
jonatack
commented at 10:58 pm on January 2, 2025:
0A Short Range Quantum Attack is an attack that must be executed quickly while a transaction is still in the mempool,
in
bip-0360.mediawiki:123
in
0ae69db70aoutdated
118+* Taproot addresses (starts with bc1p)
119+* Extended public keys, commonly known as "xpubs"
120+* Wallet descriptors
121+
122+Short Range Quantum Attack is an attack that must be executed quickly while a transaction is still in the mempool,
123+before it gets mined into a block. This affects:
jonatack
commented at 10:58 pm on January 2, 2025:
0before it is mined into a block. This affects:
in
bip-0360.mediawiki:132
in
0ae69db70aoutdated
127+Short-range attacks require much larger, more expensive CRQCs since they must be executed within the short window
128+before a transaction is mined. Long-range attacks can be executed over a longer timeframe since the public key remains
129+exposed on the blockchain indefinitely.
130+
131+Coinbase outputs to P2PK keys go as far as block 200,000, so there are, at the time of writing, 1,723,848 coins that
132+are vulnerable from the first epoch at the time of writing in P2PK outputs alone. The majority of these have a
jonatack
commented at 11:00 pm on January 2, 2025:
Duplicate “at the time of writing” in this sentence.
in
bip-0360.mediawiki:151
in
0ae69db70aoutdated
146+The Commercial National Security Algorithm Suite (CNSA) 2.0 has a timeline for software and networking equipment to be
147+upgraded by 2030, with browsers and operating systems fully upgraded by 2033. According to NIST IR 8547, Elliptic Curve
148+Cryptography is planned to be disallowed within the US federal government after 2035. An exception is made for hybrid
149+cryptography, which is the use of ECC and post-quantum algorithms together.
150+
151+Although CRQCs could pose a threat to the signatures used in Bitcoin, a smaller threat is to Bitcoin's hash algorithms.
0Although the main threat posed by CRQCs is to the signatures used in Bitcoin, a smaller threat is to Bitcoin's hash algorithms.
in
bip-0360.mediawiki:245
in
0ae69db70aoutdated
240+
241+ qrh(HASH256(HASH256(pubkey1) <nowiki>||</nowiki> HASH256(pubkey2) <nowiki>||</nowiki> ...))
242+
243+This function allows wallets to manage P2QRH addresses and outputs while accommodating multiple public keys of varying
244+lengths, such as in multisig schemes, while keeping the public keys hidden until the time of spending. At a minimum,
245+there should be two public keys in a P2QRH output, one that makes use of classical cryptography and one that makes use
0there should be two public keys in a P2QRH output: one key that makes use of classical cryptography, and one that makes use
in
bip-0360.mediawiki:268
in
0ae69db70aoutdated
263+
264+Where:
265+
266+* <code>OP_PUSHNUM_3</code> (<code>0x03</code>) indicates SegWit version 3.
267+* <nowiki><hash></nowiki> is the 32-byte HASH256 of the merkle root of a tree of public key hashes, as defined in the
268+Hash Computation section.
268+Hash Computation section.
269+
270+=== Output Mechanics ===
271+
272+To prevent storage of arbitrary data using P2QRH (QuBit) outputs,
273+the witness stack for inputs spending segwit v3 outputs is limited to the fixed-size signatures necessary for spending the
The other references in this document are to “SegWit”
0the witness stack for inputs spending SegWit v3 outputs is limited to the fixed-size signatures necessary for spending the
in
bip-0360.mediawiki:390
in
0ae69db70aoutdated
385+ * Public Key Length: 128 bytes
386+ * Signature Length: 335 bytes
387+
388+Implementations must reject public keys and signatures that do not match expected lengths for supported algorithms.
389+
390+If there a new algorithm is added, and one of the byte sizes overlaps, then an additional byte should be prepended to the
0If a new algorithm is added, and one of the byte sizes overlaps, then an additional byte should be prepended to the
in
bip-0360.mediawiki:570
in
0ae69db70aoutdated
565+outputs. Additionally, isogeny-based post-quantum cryptography is based on higher-order elliptic curves, and so it
566+might be possible to implement Isogeny Schnorr signatures.
567+
568+Signature verification speed as it compares to Schnorr or ECDSA isn't seen as high a consideration as signature size
569+due to block space being the primary fee constraint. As a P2QRH implementation materializes, a benchmark will be added
570+for performance comparison. Fortunately, SQIsign signatures are substantially faster to verify than it is to generate
0for performance comparison. Fortunately, SQIsign signatures are substantially faster to verify than they are to generate
in
bip-0360.mediawiki:516
in
0ae69db70aoutdated
511+| [https://en.wikipedia.org/wiki/Lamport_signature Lamport signature] || 1977 || 8,192 bytes || 16,384 bytes ||
512+Hash-based cryptography
513+|-
514+| [https://eprint.iacr.org/2011/191.pdf Winternitz signature] || 1982 || 2,368 bytes<ref name="winternitz">Winternitz
515+signatures are much smaller than Lamport signatures due to efficient chunking, but computation is much higher,
516+especially with high values for w. Winternitz values are for w of 4.</ref> || 2,368 bytes || Hash-based cryptography
Should the caveat and consequences be mentioned here that Winternitz signatures are one-time?
in
bip-0360.mediawiki:581
in
0ae69db70aoutdated
576+security levels for post-quantum cryptography. NIST security level I provides security equivalent to 128-bit keys, and
577+security level V provides 256-bit security.
578+
579+== Test Vectors and Reference Code ==
580+
581+TBD
mraksoll4
commented at 2:12 am on January 3, 2025:
First, it is necessary to solve a rather simple and complex problem: key structure tree of priv and pub keys. Since in post-quantum algorithms there are not even approximate solutions, possible it will be universal since almost all of them are built on lattices
Well, what’s important is that we only have a problem with generating public keys from a master public key or xpub, there are no problems with private keys, in almost any algorithm you can feed a seed to get a pair of keys and, as in the example above, reconstruct the public key from part of the private one.
cryptoquick
commented at 8:41 pm on January 14, 2025:
@jonatack I haven’t had much time to focus on that part. Ideally I could add them as a separate pull request.
jonatack
commented at 1:45 am on January 3, 2025:
member
Did another review pass. Updated the PR title, as it looks like the BIP is now named “Pay to Quantum Resistant Hash.”
I did write a response in the mailing list many months ago, but it never showed up. Not sure what happened. I really don’t want to repeat my analysis… It was a good amount of work that was lost.
Address suggestions from jonatack's review.c1b9047655
cryptoquick requested review from jonatack
on Jan 14, 2025
cryptoquick requested review from murchandamus
on Jan 14, 2025
murchandamus
commented at 5:04 pm on January 16, 2025:
contributor
And is it not in your send folder?
in
bip-0360.mediawiki:136
in
c1b9047655outdated
138-transition Bitcoin to implement post-quantum security.
139+are vulnerable from the first epoch in P2PK outputs alone. The majority of these have a block reward of 50 coins each,
140+and there are roughly 34,000 distinct P2PK scripts that are vulnerable. These coins can be considered
141+"Satoshi's Shield." Any addresses with a balance of less than the original block subsidy of 50 coins can be considered
142+cryptoeconomically incentive incompatible to capture until all of these are mined, and these addresses serve to provide
143+time to transition Bitcoin to implement post-quantum security.
murchandamus
commented at 5:06 pm on January 16, 2025:
Once someone just starts stealing ~5% of the supply, it seems that it would be too late?
cryptoquick
commented at 9:14 pm on January 23, 2025:
I don’t think anything can be done about the vulnerability of Satoshi’s coins without also introducing confiscatory changes. They do serve a useful purpose, however, in that they provide cover to the migration of smaller value transactions in the mempool.
I’m just thinking worst case scenario, where the process to upgrade Bitcoin’s quantum security takes much longer than we all expect.
katesalazar
commented at 11:15 pm on March 5, 2025:
Old coins have always been circulating supply to all concerns. Either way I’m not sure how whoever exactly holds those old coins is on topic to this BIP, except for the canary argument only.
cryptoquick
commented at 5:08 pm on January 16, 2025:
none
And is it not in your send folder?
I composed it in the Google GUI … Last I checked there wasn’t a way to check back on it.
in
bip-0360.mediawiki:318
in
c1b9047655outdated
312@@ -315,8 +313,9 @@ keys from the transaction while still proving they were part of the original com
313 This merkle tree construction creates an efficient cryptographic commitment to multiple public keys while enabling
314 selective disclosure.
315316-This allows for inclusion of a Taproot MAST merkle root in the attestation, which makes P2QRH a quantum-resistant
317-version of Taproot.
318+This allows for inclusion of a [https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki BIP-114] Taproot
319+Merkelized Abstract Syntax Tree (MAST) merkle root in the attestation, which makes P2QRH a quantum-resistant
320+version of Taproot transactions.
murchandamus
commented at 5:08 pm on January 16, 2025:
Taproot does not use an Abstract Syntax Tree. It uses an Alternative Script Tree. Also the term “MAST” is not used in the Taproot BIPs in this context, they refer to the concept as “script tree”.
cryptoquick
commented at 9:20 pm on March 13, 2025:
47-even more addresses might be vulnerable, representing 5M to 10M bitcoin.
48+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report].
49+The report estimates that in 2020 approximately 25% of the Bitcoin supply is held within addresses vulnerable to
50+quantum attack. As of the time of writing, that number is now closer to 20%. Independently, Bitcoin developer Pieter
51+Wuille [https://x.com/pwuille/status/1108085284862713856 reasons] even more addresses might be vulnerable, representing
52+5M to 10M bitcoin.
murchandamus
commented at 5:13 pm on January 16, 2025:
As described above, please don’t reformat the entire paragraph when you change a single line. Moving all the line breaks makes it needlessly difficult to see what actually changed about the text.
cryptoquick
commented at 5:24 pm on January 16, 2025:
Sorry, I just noticed that it was over 120 characters in length, which was something you requested earlier.
murchandamus
commented at 6:56 pm on January 21, 2025:
Ah, I see. Let me clarify: I would suggest that you generally aim for a limited line length so that suggestions left in review refer to a limited amount of text and it is easy to see what changed. When you add a word or two in a change that pushes the line to a slightly larger length, you can either just leave it a bit longer, or you break just that line into two lines, leaving the rest of the lines without changes. That way it is still easy to say what was changed about the text. If that leaves an occasional line a little longer or some lines shorter, it is still easy to review and doesn’t change the visual appearance of the final document.
If you instead reformat the entire paragraph, a diff will highlight everything as changed which makes it more time consuming to review.
murchandamus
commented at 5:15 pm on January 16, 2025:
contributor
If you sent it from there, it should be in your “Sent” or “Drafts” folder, unless you deleted it.
cryptoquick
commented at 5:18 pm on January 16, 2025:
none
I don’t see anything like that here…
murchandamus
commented at 5:20 pm on January 16, 2025:
contributor
Oh, I thought you meant from the GUI of a Gmail account.
murchandamus
commented at 5:21 pm on January 16, 2025:
contributor
I’m a bit confused that another review was requested from me. As I said in my prior review:
This is all that I have at this time from an editorial standpoint. It would be good if this proposal got more feedback and/or endorsements from domain experts in the next steps.
I don’t think this needs another review from me, but rather it needs more engagement and support from other domain experts. Personally, I’m pretty skeptical about the approach of introducing a multitude of different signature schemes at once.
mraksoll4
commented at 5:25 pm on January 16, 2025:
none
To start, I think we need to create a “skeleton” for integrating signature algorithms, such as Falcon-512 - 1024, as it seems to be the most optimal candidate at the moment. Since Falcon-512 - 1024 but it does not support key derivation for private and public keys, we can introduce an additional field in the wallet.dat to store the keys specifically for post-quantum signature algorithms.
Naturally, the descriptor would also need to be designed to handle single keys, ensuring compatibility with Falcon . This “skeleton” would serve as a foundation for integrating Falcon and similar post-quantum algorithms into the system. It will allow us to expand functionality while maintaining separation from existing ECDSA or other elliptic-curve-based algorithms.
I’m already trying to implement something similar using the available API, with slight extensions such as key generation from a seed and deriving a public key from a private key to match the expected logic
mraksoll4
commented at 5:28 pm on January 16, 2025:
none
cryptoquick
commented at 5:57 pm on January 16, 2025:
none
I’m a bit confused that another review was requested from me. As I said in my prior review:
This is all that I have at this time from an editorial standpoint. It would be good if this proposal got more feedback and/or endorsements from domain experts in the next steps.
I don’t think this needs another review from me, but rather it needs more engagement and support from other domain experts. Personally, I’m pretty skeptical about the approach of introducing a multitude of different signature schemes at once.
That makes sense. I’ll try to solicit more feedback from SMEs. The only reason I re-requested review was because I was hoping to get an approval and merge, but I’m not sure how far off we are from that.
The reason four were proposed to be introduced was, not only does it make sense from a hybrid cryptography perspective (some may sign high-value transactions with multiple types for redundancy), it’s also possible that this early on, there might be vulnerabilities in the PQC algorithms chosen. There is skepticism about algorithms that make more modern security assumptions. Some prefer hash-based algorithms like SPHINCS, which was a strong preference from people like Antoine Riard and Matthew Corallo. There are problems with SPHINCS, however, in that it’s quite large, and also it doesn’t support signature aggregation so far as I’m aware.
Do you think it might make sense to edit this to omit the specific signature algorithms? The only problem with that is, that makes it so I can’t implement valid test vectors, and when I eventually go to implement BIP-360, it’s unclear from the spec which algorithms to support.
My stance has evolved on this over time… In my opinion, we should wait as long as possible until PQC algos are better understood, verified, and implemented. That said, P2QRH, as it was introduced on the mailing list, is meant to just be a concrete starting point for these discussions, and it’s essentially an imperfect compromise between multiple different competing interests.
Additionally, I’d like to have another conversation around how multisig should work. Currently specified is a merkle tree approach, but I’m considering instead going with an approach similar to P2SH as I outlined in one of my comments. I’m not sure if that should go into this PR or into a separate PR.
I also would like to work on an alternative BIP, one that’s more conservative and informed by lessons learned from this BIP, for Pay to Taproot Hash (P2TRH, with SegWit v2 addresses), but I’m reticent to open multiple BIP PRs at once. I think it makes sense as a sort of stopgap for those who rely on signature aggregation such as FROST multisig, and it’s a much less heavy a lift. It would be less controversial due to lack of PQC algo bikeshedding, and while it’s imperfect because it doesn’t make the mempool trustless to use, we can then point to P2QRH as the proposal to support if that’s where community consensus is.
So, yes, there are a lot of considerations to be had here. I’m also likely going to need to deprecate SQIsign due to its terrible performance (100,000 times more computationally expensive to verify than ECDSA according to @EthanHeilman), and I might also want to include RACCOON because there’s definitely demand for signature aggregation. Additionally, I’ve heard concerns about the constants chosen for FALCON in favor or NTRU Prime, but there are also people working on signature aggregation for FALCON which could improve the utility of the proposal.
One other possibility is that we make signature aggregation a requirement for any PQC algo included from this point forward so as to not have a significant reduction in functionality available with Taproot / Schnorr signatures. This requirement, which has been expressed to me by a number of users, would dramatically narrow down the number of valid signature algorithm candidates.
@mraksoll4
Since Falcon-512 - 1024 but it does not support key derivation for private and public keys
I believe this is actually an implementation detail. pqclean is unsuitable for bitcoin pqc because of its lack of BIP-32 support, but it might be useful as a basis. It just lacks an API to provide your own entropy, but that’s not the fault of the signature algorithm, it’s instead the fault of the implementation, which can be corrected in a more unified bitcoin pqc library designed in support of this BIP.
mraksoll4
commented at 6:18 pm on January 16, 2025:
none
most post-quantum algorithms that are not yet cracked are lattice structures (unless we want the signature size to be several megabytes) their mathematical basis does not allow for tweaks, as in eleptic curves. These are different mathematical structures, for example RSA, the problem with dilithium and falcon is that there is no analogous G, even potential components f and g are secrets
This is not native functions of of clean , i created self based at exist function ( you can see it via added memory cleanse .. native does not clear temp buffers )
0#include <stddef.h> 1#include <string.h> 2#include <stdio.h> 3 4#include "api.h" 5#include "inner.h" 6#include "memory_cleanse.h" 7 8#define NONCELEN 40 9 10#include "randombytes.h" 11/* keypair from fixed seed*/ 12int 13PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair_from_fseed(
14 uint8_t *pk, uint8_t *sk, const uint8_t *seed) {
15 union {
16 uint8_t b[FALCON_KEYGEN_TEMP_9];
17 uint64_t dummy_u64;
18 fpr dummy_fpr;
19 } tmp;
20 int8_t f[512], g[512], F[512];
21 uint16_t h[512];
22 inner_shake256_context rng;
23 size_t u, v;
24 25/* 26* Checking the input seed parameter. 27* If the seed is NULL, return an error. 28*/ 29if (seed == NULL) {
30return-1; // Error: seed is not provided. 31 }
32 33/* 34* Initialize the SHAKE256 random number generator using the seed. 35* We now pass the seed directly to the generator. 36*/ 37 38/* 39* print seed for debug
40*/ 41 print_hex_debug("Generated Seed Keypair from fseed 1", seed, 48);
42 43 inner_shake256_init(&rng);
44 inner_shake256_inject(&rng, seed, 48);
45 46/* 47* print seed for debug
48*/ 49 print_hex_debug("Generated Seed Keypair from fseed 2", seed, 48);
50 51 memory_cleanse((void*)seed, 48);
52 inner_shake256_flip(&rng);
53 PQCLEAN_FALCON512_CLEAN_keygen(&rng, f, g, F, NULL, h, 9, tmp.b);
54 inner_shake256_ctx_release(&rng);
55 56 memory_cleanse(&rng, sizeof(inner_shake256_context));
57 58/* 59* Encode private key. 60*/ 61 sk[0] =0x50+9;
62 u =1;
63 v = PQCLEAN_FALCON512_CLEAN_trim_i8_encode(
64 sk + u, PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES - u,
65 f, 9, PQCLEAN_FALCON512_CLEAN_max_fg_bits[9]);
66if (v ==0) {
67 memory_cleanse(f, sizeof(f));
68 memory_cleanse(g, sizeof(g));
69 memory_cleanse(F, sizeof(F));
70 memory_cleanse(h, sizeof(h));
71 memory_cleanse(tmp.b, sizeof(tmp.b));
72return-1;
73 }
74 u += v;
75 v = PQCLEAN_FALCON512_CLEAN_trim_i8_encode(
76 sk + u, PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES - u,
77 g, 9, PQCLEAN_FALCON512_CLEAN_max_fg_bits[9]);
78if (v ==0) {
79 memory_cleanse(f, sizeof(f));
80 memory_cleanse(g, sizeof(g));
81 memory_cleanse(F, sizeof(F));
82 memory_cleanse(h, sizeof(h));
83 memory_cleanse(tmp.b, sizeof(tmp.b));
84return-1;
85 }
86 u += v;
87 v = PQCLEAN_FALCON512_CLEAN_trim_i8_encode(
88 sk + u, PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES - u,
89 F, 9, PQCLEAN_FALCON512_CLEAN_max_FG_bits[9]);
90if (v ==0) {
91 memory_cleanse(f, sizeof(f));
92 memory_cleanse(g, sizeof(g));
93 memory_cleanse(F, sizeof(F));
94 memory_cleanse(h, sizeof(h));
95 memory_cleanse(tmp.b, sizeof(tmp.b));
96return-1;
97 }
98 u += v;
99if (u != PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES) {
100 memory_cleanse(f, sizeof(f));
101 memory_cleanse(g, sizeof(g));
102 memory_cleanse(F, sizeof(F));
103 memory_cleanse(h, sizeof(h));
104 memory_cleanse(tmp.b, sizeof(tmp.b));
105return-1;
106 }
107108 memory_cleanse(f, sizeof(f));
109 memory_cleanse(g, sizeof(g));
110 memory_cleanse(F, sizeof(F));
111112/*113* Encode public key.114*/115 pk[0] =0x00+9;
116 v = PQCLEAN_FALCON512_CLEAN_modq_encode(
117 pk +1, PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES -1,
118 h, 9);
119if (v != PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES -1) {
120 memory_cleanse(h, sizeof(h));
121 memory_cleanse(tmp.b, sizeof(tmp.b));
122return-1;
123 }
124125 memory_cleanse(h, sizeof(h));
126 memory_cleanse(tmp.b, sizeof(tmp.b));
127128return0;
129}
130131/*132* This function reconstructs the public key from a given private key.133* It decodes the private key components (f and g) from the secret key
134*and uses them to regenerate the corresponding public key (h).135* The generated public key is then encoded into the provided pk array.136*137* public (pk): The output buffer where the public key will be stored (must be at least PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES in size).138* private (sk): The input secret key (private key) in byte array format (must be PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES in size).139* Return value: 0 on success, -1 on error.140*/141int142PQCLEAN_FALCON512_CLEAN_crypto_sign_pubkey_from_privkey(
143 uint8_t *pk, const uint8_t *sk) {
144 union {
145 uint8_t b[FALCON_KEYGEN_TEMP_9];
146 uint64_t dummy_u64;
147 fpr dummy_fpr;
148 } tmp;
149 int8_t f[512], g[512];
150 uint16_t h[512];
151 size_t u, v;
152153/*154* Decode the private key.155*/156if (sk[0] !=0x50+9) {
157return-1;
158 }
159 u =1;
160 v = PQCLEAN_FALCON512_CLEAN_trim_i8_decode(
161 f, 9, PQCLEAN_FALCON512_CLEAN_max_fg_bits[9],
162 sk + u, PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES - u);
163if (v ==0) {
164return-1;
165 }
166 u += v;
167 v = PQCLEAN_FALCON512_CLEAN_trim_i8_decode(
168 g, 9, PQCLEAN_FALCON512_CLEAN_max_fg_bits[9],
169 sk + u, PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES - u);
170if (v ==0) {
171return-1;
172 }
173174/*175* Reconstruct the public key using f and g by calling the compute_public function.176*/177if (!PQCLEAN_FALCON512_CLEAN_compute_public(h, f, g, 9, tmp.b)) {
178 memory_cleanse(f, sizeof(f));
179 memory_cleanse(g, sizeof(g));
180 memory_cleanse(tmp.b, sizeof(tmp.b));
181 memory_cleanse(h, sizeof(h));
182return-1;
183 }
184185/*186* Encode public key.187*/188 pk[0] =0x00+9;
189 v = PQCLEAN_FALCON512_CLEAN_modq_encode(
190 pk +1, PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES -1,
191 h, 9);
192if (v != PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES -1) {
193 memory_cleanse(f, sizeof(f));
194 memory_cleanse(g, sizeof(g));
195 memory_cleanse(tmp.b, sizeof(tmp.b));
196 memory_cleanse(h, sizeof(h));
197return-1;
198 }
199200// Securely clear sensitive buffers
201 memory_cleanse(f, sizeof(f));
202 memory_cleanse(g, sizeof(g));
203 memory_cleanse(tmp.b, sizeof(tmp.b));
204 memory_cleanse(h, sizeof(h));
205return0;
206}
cryptoquick
commented at 6:20 pm on January 16, 2025:
none
@mraksoll4 I’m not sure I understand the point you’re trying to make.
mraksoll4
commented at 6:31 pm on January 16, 2025:
none
@mraksoll4 I’m not sure I understand the point you’re trying to make.
I meant that the capabilities of elliptic curves cannot and should not be directly projected onto post-quantum algorithms. A different approach is needed. BIP32 and the ability to derive public keys from public keys is a unique feature of elliptic curves. Even isogeny-based cryptography, which no longer holds against certain attacks, doesn’t support such functionality. The key difference lies in the underlying mathematical structures.
But we can still build a key tree for private keys using abstractions on top of the seed.
The problem lies specifically with public keys.
cryptoquick
commented at 6:35 pm on January 16, 2025:
none
No, it’s not. BIP-32 doesn’t rely on key tweaking. It just produces entropy (private keys) in a deterministic way.
I think you’re confused because you’re only working from one implementation. For example, this implementation of FALCON would support BIP-32:
As far as I understand, this also works directly with key pairs. Earlier, I mentioned that we can manipulate the seed to generate child key pairs. The issue lies in the fact that we cannot derive public keys from other public key
0shake256(seed + some data + some data + index)=seed (48 bytes) -->int1PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair_from_fseed(
2 uint8_t *pk, uint8_t *sk, const uint8_t *seed)
cryptoquick
commented at 6:52 pm on January 16, 2025:
none
I see your point now. For example, using an xpub alone to generate more keys for, say, a watch-only wallet, might not be possible with FALCON.
I’ll need to think about that.
mraksoll4
commented at 7:05 pm on January 16, 2025:
none
I see your point now. For example, using an xpub alone to generate more keys for, say, a watch-only wallet, might not be possible with FALCON.
I’ll need to think about that.
Yes, but nothing prevents us from using single keys for watch-only wallets. For example, if a user tries to export an xpub for a post-quantum algorithm, we could display a message like:
“Post-quantum algorithm [name] does not support xpub keys. You need to explicitly export the key using a command to retrieve it from the descriptor or key cache.”
Alternatively, we could provide a list of existing keys in a serialized format. For instance:
Generate 2000 keys on-demand when the user requests a key list.
Offer an option to save the corresponding private keys to wallet.dat or not, securely wiping the buffer after generation.
This approach would give flexibility while acknowledging the limitations of post-quantum algorithms and maintaining compatibility with watch-only and partially signed setups.
mraksoll4
commented at 7:25 pm on January 16, 2025:
none
There is another option where multiple addresses can be linked to a single key pair through key packing and unpacking using additional parameters, with the index influencing the final address. However, this approach has limited practical value. While it makes it impossible to determine any connection between the addresses before a transaction is conducted, it resembles the concept of non-hardened derivation.
Remove SQIsign from consideration due to significant performance concerns. Refactor language from long-range attack to long-exposure so as to not be confused with the language around block re-org attacks.b75003e64b
murchandamus
commented at 7:07 pm on January 21, 2025:
contributor
Do you think it might make sense to edit this to omit the specific signature algorithms? The only problem with that is, that makes it so I can’t implement valid test vectors, and when I eventually go to implement BIP-360, it’s unclear from the spec which algorithms to support.
Perhaps it would make sense to describe the general output type mechanism, and then to have a separate BIP per signature algorithm to plug in?
Fix typo.5e568e3141
cryptoquick
commented at 9:04 pm on January 23, 2025:
none
That’s an interesting idea. Do you think it would make sense to showcase the new transaction structure and commitment scheme, which by default still requires Schnorr signatures, just without the additional signature algorithms? Then the test vectors for this BIP would only be for secp256k1, and then we work out the requirements for specific PQC algorithms into a separate BIP…?
This would have the advantage that it would simplify large sections of the BIP dedicated to signature algorithm selection and we can have those discussions separately.
The only problem with that is, it really takes the fangs out of BIP-360 as a quantum hardening BIP. It does make the improvement that it secures Taproot against long exposure attacks, so we don’t need a BIP, like say, Pay to Taproot Hash. Do you think it might make sense to implement just one algorithm in this also, maybe FALCON? Maybe we make the stipulation that FALCON is provisional and that a more authoritative set of signature algorithms will be provided in a separate BIP?
One argument for having a separate P2TRH BIP is that it’s a much simpler implementation, since it doesn’t require a change to transaction structure and commitment scheme. I’ve already worked on a draft of that, but it’s not polished and I’m not sure if I want to announce it since we might go with an abbreviated BIP-360.
mraksoll4
commented at 9:08 pm on January 23, 2025:
none
I believe the solution would be to use multithreading for signing and verification processes to mitigate the slowness of post-quantum algorithms. In my opinion, the most promising algorithms so far are lattice-based ones. Ideally, they should be used in combination with hash-based approaches, such as sponge constructions like Keccak (e.g., SHA-3, SHAKE256).
SHAKE256 will be convenient for replacing HMAC when working with seeds for building derivations. Additionally, I believe the approach should be independent of ECDSA to avoid even the slightest potential vulnerability. As for the address, it should either be purely post-quantum-based or a hybrid of public keys.
In the case of hybrid public keys, for each ECDSA-derived child address generation, there should be an automatic request for parallel derivation of a corresponding public key - using a post-quantum algorithm (if the attestation field method is used).
I’m talking about real-world scenarios that are already available now. So, while there might be something new in the future, it’s likely that the evolution of post-quantum addresses will follow a similar path as P2SH -> Taproot.
Regarding old addresses, there could be a separate rule with flexible timeframes where the attestation field would be required
for subsequent transactions, even for existing ones, in case of a critical situation—such as the emergence of a real threat of address compromise. This would act as a kind of “hotfix” that could be activated if necessary to minimize damage to the network, provided it is approved by a majority (enforcing a “ONLYPOSTQUANTUMCANPAY” mechanism).
Fix typo.8c0f798293
cryptoquick
commented at 9:31 pm on January 23, 2025:
none
Some things are not easy to multithread, such as WASM implementations, like that used by BDK web wallets, so we can’t rely on that to address those concerns. SQIsign’s performance was particularly terrible, and so it was removed.
Ideally, they should be used in combination with hash-based approaches, such as sponge constructions like Keccak (e.g., SHA-3, SHAKE256)
Given that the threat Grover’s poses is more remote than the threat posed by Shor’s, I’d really rather restrict this BIP to only changes to signature algorithms and not to any hash functions used by Bitcoin.
I believe the approach should be independent of ECDSA to avoid even the slightest potential vulnerability.
Absolutely not. It’s fine to support secp256k1 even in a post-quantum regime so long as it’s combined with PQC.
mraksoll4
commented at 9:30 pm on January 24, 2025:
none
Some things are not easy to multithread, such as WASM implementations, like that used by BDK web wallets, so we can’t rely on that to address those concerns. SQIsign’s performance was particularly terrible, and so it was removed.
Ideally, they should be used in combination with hash-based approaches, such as sponge constructions like Keccak (e.g., SHA-3, SHAKE256)
Given that the threat Grover’s poses is more remote than the threat posed by Shor’s, I’d really rather restrict this BIP to only changes to signature algorithms and not to any hash functions used by Bitcoin.
I believe the approach should be independent of ECDSA to avoid even the slightest potential vulnerability.
Absolutely not. It’s fine to support secp256k1 even in a post-quantum regime so long as it’s combined with PQC.
It’s more convenient to store a separate descriptor with a separate seed for post quantum addresses and separation of generation; in addition to security, this is convenient if we later want to add more signature algorithms
in case of combination it is also important what do we want to use for quantum algorithm as a seed? If keys are what they are and convert them to 48 bytes of seed, then what is the point? It will be enough for an attacker to crack ecdsa, because they are connected, if they have their keygen with their seed and are connected almost exclusively by paths, that is, an additional level of protection. Sha3 algorithms are less susceptible to Sha256 problems, shake256 is simply convenient as a converter for obtaining good cryptographic bytes from combined paths with a base seed.
this is a simplified scheme without scripts, in a real scheme we also include scripts
in essence, 2 signature algorithms converge for us through the use of 1 path in relation to the child keys of ecdsa, simultaneously requesting for the attestation field a public key for PQ, or a private key when we need a signature
it is also possible to do caching, but due to the fact that the keys are huge, this should be optional for anyone who needs it, for everyday use we store only the master and the paths associated with it
cryptoquick
commented at 3:23 pm on February 7, 2025:
none
@mraksoll4 That makes sense. Just so you’re aware, this BIP is for the consensus layer. A separate BIP will be needed to describe wallet behavior in the application layer.
mraksoll4
commented at 0:48 am on February 8, 2025:
none
@mraksoll4 That makes sense. Just so you’re aware, this BIP is for the consensus layer. A separate BIP will be needed to describe wallet behavior in the application layer.
Honestly, this descriptor logic has completely broken my brain… Need to create not just a separate descriptor but an entirely separate seed storage. In principle, there’s no major issue in implementing an HMAC-like derivation using SHA3 and Shake256, where it will be necessary to operate with seeds (though FIPS prohibits any form of derivation if certification is required). The optimal version remains the padded Falcon 512 with a fixed signature size—1024 already seems excessive to me.
cryptoquick
commented at 6:28 am on February 10, 2025:
none
The optimal version remains the padded Falcon 512 with a fixed signature size—1024 already seems excessive to me.
Falcon 1024 corresponds to NIST Level V which corresponds to 256 bits of security. I originally thought that would be analogous to the security level provided by secp256k1, so there would be no regression in security assumptions. Technically that’s not true due to Pollard’s rho attack (Ideally a cryptographer could help demystify this assumption), but the intention was clearly there to use 256 bit security was there when Satoshi chose the curve.
mraksoll4
commented at 12:44 pm on February 10, 2025:
none
The optimal version remains the padded Falcon 512 with a fixed signature size—1024 already seems excessive to me.
Falcon 1024 corresponds to NIST Level V which corresponds to 256 bits of security. I originally thought that would be analogous to the security level provided by secp256k1, so there would be no regression in security assumptions. Technically that’s not true due to Pollard’s rho attack (Ideally a cryptographer could help demystify this assumption), but the intention was clearly there to use 256 bit security was there when Satoshi chose the curve.
As far as I remember falcon 512 ≈ secp256k1 security as an acceptable minimum ≈ AES-128
that is, for a classical system they are approximately equal, but secp256k1 has a vulnerability in the case of a quantum environment; post-quantum algorithms try to solve this problem. Most likely, the choice fell on secp256k1 256 bits (it seems even smaller there) as a balance between security and performance when Satoshi chose what to use.
The primary security relied on the system of change addresses, since it was assumed that no one would reuse the same address and that the address space would be sufficient even considering the change addresses.
In fact, when executing a transaction there should be at least two outputs - one for the intended transaction and one for the change. However, it turned out that many people needed to reuse the same address.
in
bip-0360.mediawiki:398
in
8c0f798293outdated
393+OP_PUSHNUM_3 <32-byte hash>
394+
395+2. The attestation must include:
396+
397+* The quantum-resistant public key(s) whose HASH256 concatenated and hashed again matches the <nowiki><hash></nowiki> in
398+the <code>scriptPubKey</code>.
jonasnick
commented at 2:47 pm on February 20, 2025:
Can you clarify whether all leafs (all public keys) must be revealed or whether it is sufficient to reveal only the leaf hashes (and at least a single public key I suppose).
mraksoll4
commented at 0:49 am on February 21, 2025:
Ideally, if an address is being reused, to save space we can store a virtual link to the existing public key if it has already been revealed.
For greater address security, it makes sense to also hash the key from the post quantum algorithm in sha3
Regarding the level of security, it is possible to consider a system where for multi-signature addresses you can use a more secure version of the algorithm; for regular addresses where new addresses for change can be created, we can use a lighter version of the algorithm.
using Falcon as an example
Falcon 512 for regular address.
Falcon 1024 for Multisig (since such addresses will not change and here it will also be useful to use a link if the public key has already been revealed)
when I tried to make a test solution, I got stuck on organizing the storage of additional keys in the db. I even had an idea of completely separate storage up to a separate wallet.dat, that is, when creating a wallet, we have a choice of transition, and the wallet will be able to only generate post quantum addresses, from the rest only accept without generating old types of addresses, transferring all types to legacy + format. If we need old types of addresses, we will have to use a separate wallet.dat.
cryptoquick
commented at 9:04 pm on February 23, 2025:
@jonasnick The point of using a merkle tree was to make it so that it is sufficient to reveal only the leaf hashes. However, without committing to multisig semantics in the output, there is a flaw in the security here. So, I think I’ll need to add quorum and total bytes to the hash as well. One question is, will this also need to include a byte for the key type so that multisigs can be committed to separately based on which signature algorithm is used.
@mraksoll4 I don’t think we’ll need to go back to using wallet.dat. Keys can be deterministically generated from the seed and then provided to libbitcoinpqc. There won’t be full BIP-32 compatibility, but partial support.
mraksoll4
commented at 9:47 am on February 24, 2025:
we still need to cache keys, for classic descriptors on ecc we cache them, also we need to store seed somewhere…
jonasnick
commented at 2:06 pm on February 24, 2025:
Ideally, there would be an algorithmic (pseudocode) description of the algorithm. Right now, it’s not clear how exactly the Merkle tree is built. For example, the BIP appears to require revealing all leaves for the Merkle tree instead of using regular Merkle inclusion proofs whose size (for a single element proof) is only logarithmic in the number of elements. Also, does the BIP support a number of public keys that’s not a power of two?
cryptoquick
commented at 4:52 pm on February 24, 2025:
does the BIP support a number of public keys that’s not a power of two?
That’s a good point. The BIP doesn’t specify how NPOT merkle trees should be treated. That will be one scenario I’d want to think through when working on the test vectors. Do you have a suggestion on how that should be handled?
the BIP appears to require revealing all leaves for the Merkle tree instead of using regular Merkle inclusion proofs whose size (for a single element proof) is only logarithmic in the number of elements.
I’m not sure I understand this. The public keys don’t need to be revealed, only the hash of the public key.
jonasnick
commented at 11:09 am on February 25, 2025:
I’m not sure I understand this. The public keys don’t need to be revealed, only the hash of the public key.
Example:
0 H(H(A,B), H(C,D))
1 / \
2 H(A,B) H(C,D)
3 / \ / \
4 A B C D
I’m saying that, with the BIP as currently written, proving inclusion of D (be it a hash or any other element) requires revealing A, B, C. However, the point of Merkle trees is that an inclusion proof for D only requires C and H(A,B).
cryptoquick
commented at 2:43 pm on February 25, 2025:
Thanks for clarifying. First, this is skipping the step of H(A), H(B), etc. Then, only H(A,B), H(C), and D need to be revealed if only spending D. This behavior is defined in this paragraph:
0When spending, if a public key hash is provided in the attestation with an empty signature, that hash will be used
1directly in the merkle tree computation rather than hashing the full public key. This allows excluding unused public
2keys from the transaction while still proving they were part of the original commitment.
Does that address your point?
mraksoll4
commented at 4:49 pm on February 25, 2025:
need to do a hardened key derevation on the KMAC function (using shake256), no manupulation with public keys is possible at all, so it cannot be non-hardened derevation.
It is possible to manipulate the seed.
For speed, the keys will have to be cached, watch only wallets will not work with tree, only with single public keys.
In fact, we have an initializing seed, then we build child keys from it. Since we almost always get keys in pairs from the seed, we clear the extra ones from memory, a lot of mem cleans is needed even in the library itself ( example pqclean don’t have them , liboqs also not add them , as they use pqclear solutions as base )
but adding any key derivation automatically removes the possibility of talking about NIST certification
jonasnick
commented at 8:35 pm on February 25, 2025:
@cryptoquick I don’t think it addresses my point. My overall point is that the script validation section should have a clear algorithmic specification.
Moreover, the script validation section clearly says
The attestation must include:
The quantum-resistant public key(s) whose HASH256 concatenated and hashed again matches the in the scriptpubkey
This means, if read literally, that <hash> = H(H(pk1), ..., H(pkn)). There’s no mention of the Merkle tree computation.
Also, I don’t understand how the paragraph you quote would permit a regular Merkle proof. It clearly says “a public key hash is provided in the attestation”, which, in my example, would be A, B, C and D, but not H(A, B) (note that in the example, A, B, C, and D are public key hashes). H(A, B) is not a public key hash; it can be referred to as an “inner node” for example.
As for the inner node feedback, that’s a good point… I’m not sure this can be considered a sparse merkle tree in that case… All public keys or key hashes will need to be provided in order to validate the output script commitment hash. I think I’m going to need to make an edit to clarify that point, and make the point that this is not a sparse merkle tree, it’s just a way to make a deterministic commitment to a single hash.
At that point, I guess I have to ask, does it make sense to use a merkle tree at all? Why not a vector of public keys or their hashes?
Also, X-only public keys will collide with SHA-256 hashes in either data structure. I think it would make sense to specify 33 byte compressed public keys in that case.
kayabaNerve
commented at 5:57 pm on February 20, 2025:
none
The optimal version remains the padded Falcon 512 with a fixed signature size—1024 already seems excessive to me.
Falcon 1024 corresponds to NIST Level V which corresponds to 256 bits of security. I originally thought that would be analogous to the security level provided by secp256k1, so there would be no regression in security assumptions. Technically that’s not true due to Pollard’s rho attack (Ideally a cryptographer could help demystify this assumption), but the intention was clearly there to use 256 bit security was there when Satoshi chose the curve.
Bitcoin only achieves 128-bit security in both its curve and its choice of hash function (SHA-256 only has 128-bit security against arbitrary collisions). While I won’t comment on Satoshi’s intent, I don’t believe it’s reasonable to seek a 256-bit security level, solely a level expected to at-worst decay to 128-bit.
in
bip-0360.mediawiki:46
in
8c0f798293outdated
41+
42+The vulnerability of existing Bitcoin addresses is investigated in
43+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report].
44+The report estimates that in 2020 approximately 25% of the Bitcoin supply is held within addresses vulnerable to
45+quantum attack. As of the time of writing, that number is now closer to 20%. Independently, Bitcoin developer Pieter
46+Wuille [https://x.com/pwuille/status/1108085284862713856 reasons] even more addresses might be vulnerable, representing
jonatack
commented at 10:09 pm on February 20, 2025:
Just learned this link is now dead, as that developer deleted his account.
tsusanka
commented at 11:05 am on February 23, 2025:
23+
24+This document is licensed under the 3-clause BSD license.
25+
26+=== Motivation ===
27+
28+The primary threat to Bitcoin from Cryptoanalytically-Relevant Quantum Computers (CRQCs) is their potential to break
This can be valuable to have a footnote pointing that Cryptoanalytically-Relevant Quantum Computers is an object which is only defined with loosely characteristics in quantum physics as of today. It could be understood in the context of this BIP / bitcoin that it’s a hardware-agnostic computer supposed to have the architecture to keep coherent a sufficient number of logical qubits to be able to run the Shor algorithm in an efficient fashion.
For the context of bitcoin, at least simplifying a bit, I do not think we have to reason further than on a basic quantum computer being able to computer Shor’s algorithm or Grover’s algorithm. At least, even if the energy consumed starts to matter, especially to analyze the comparison w.r.t to miners I think it matters less from a cryptanalysis viewpoint.
in
bip-0360.mediawiki:42
in
8c0f798293outdated
37+
38+This proposal aims to mitigate these risks by introducing a Pay to Quantum Resistant Hash (P2QRH) output type that
39+relies on PQC signature algorithms. By adopting PQC, Bitcoin can enhance its quantum
40+resistance without requiring a hard fork or block size increase.
41+
42+The vulnerability of existing Bitcoin addresses is investigated in
I think it can be valuable to come with a practical definition of a vulnerable bitcoin address and not only giving quantitative estimate of the exposed scriptpubkeys. E.g a vulnerable bitcoin address is a scriptpubkey type exposing as raw bytes in a block an elliptic curve public key solvable by a run of the Shor’s algorithm.
cryptoquick
commented at 9:12 pm on March 13, 2025:
46+Wuille [https://x.com/pwuille/status/1108085284862713856 reasons] even more addresses might be vulnerable, representing
47+5M to 10M bitcoin.
48+
49+Ordinarily, when a transaction is signed, the public key is explicitly stated in the input script. This means that the
50+public key is exposed on the blockchain when the transaction is spent, making it vulnerable to quantum attack until
51+it's mined. One way to mitigate this is to submit the transaction directly to a mining pool, bypassing the mempool.
I think this is a good description of why revealing the public key to a mining pool only do not solve quantum attack exposure - Though this is a simplification as if the mining pool is in open access given the block template has to be distributed to all pool miners as a job (— unless you assume a miner only gets a candidate header from the pool which is SPV-mining). A quantum attacker would just have to register to the mining pool to get a view of the public key.
cryptoquick
commented at 9:28 pm on February 23, 2025:
Agreed. I’ll also include a section on how block reorg attacks also don’t make this a secure solution.
63+In the paper
64+[https://arxiv.org/pdf/2306.08585 How to compute a 256-bit elliptic curve private key with only 50 million Toffoli gates]
65+the authors estimate that a CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a
66+256-bit key, while a CRQC with 6.9 million physical qubits would take 58 seconds. This implies that a CRQC with 4x as
67+many qubits would be roughly 7 times faster.
68+</ref>
I don’t think the distinction between long-exposure and short-exposure quantum attack in the bitcoin context is that relevant, for few reasons:
Communicating bip-32 xpubs with all its standardized derivation paths is a reality for all kind of consumer and users wallets. If you give an xpub to a third-party, this third-party can know exploit it for a quantum attack, even if there is never a coin transfer to the derived address on the public chain.
This is seeing the “mempool” as a black box where in fact there is at least 2 major components: the main memory buffer of transactions (i.e CTxMempool in bc) and the transaction-relay stack, where inv, getdata, tx messages are flowing among nodes. As soon as the tx message is outgoing from the orignal broadcasting node the hash-committed spending script (i.e witnessScript or redeemScript ) can be discovered either by a network listener (if no bip324 encryption respected on the link) or by the peer node, while the transaction might never get into the mempool (e.g too low fees, not standard, etc).
As you’re pointing the objective criteria by which to dissociate between short-term and long-term exposure appears to be the “block time” and this is one sounds more in the chain versus mempool one. In average block time is of ~600 seconds in bitcoin and while the exact hashrate existent during a retarget period cannot be measured (it’s a kind of random walk to find a block), the probabilistic measure of the network hashrate can be linked back to some energy consumption estimation that can be roughly analyzed in equivalence to the energy consumed to run a quantum computer.
So I think a better long-exposure vs short-exposure kind of heuristic definition in the bitcoin world would be better grounded on the computational difficulty to mine a block according to the consensus rules.
cryptoquick
commented at 9:34 pm on February 23, 2025:
Hmm. I’m not sure I understand the point you’re making. The separation of long-exposure and short-exposure was developed to highlight that keys exposed for a long time are more vulnerable, and additionally, a more powerful quantum computer is required to effect short range attacks, as explained in the “short-exposure” ref. This is also address a point in several papers I’ve seen that assume that a quantum attacker must be able to solve the key within minutes or hours, when in fact there are many keys already exposed.
ariard
commented at 9:01 pm on February 23, 2025:
none
Reviewed only the new “Motivation” section so far.
I think it’s a good idea to indeed dissociate the output type itself (P2QRH) from the supported post-quantum signature algorithm (FALCON, SPHINCS+, etc) and ensuring the output type can be indifferently committed in a new witness program, as a new taproot leaf version or in the future as a g’root / grafroot style construction.
Updates based on Antoine Riard's feedback and others.32c0a3d816
in
bip-0360.mediawiki:206
in
32c0a3d816outdated
201+
202+Additionally, it should be noted, whether an output with a P2QRH spend script corresponds to a PQC signature is not
203+known until the output is spent.
204+
205+While it might be seen as a maintenance burden for Bitcoin ecosystem devs to go from a single cryptosystem
206+implementation to four additional distinct PQC cryptosystems—and it most certainly is—the ramifications of a chain
jonasnick
commented at 2:07 pm on February 24, 2025:
0implementation to three additional distinct PQC cryptosystems—and it most certainly is—the ramifications of a chain
It’s three now, right?
cryptoquick
commented at 4:43 pm on February 24, 2025:
It is, thanks.
in
bip-0360.mediawiki:493
in
32c0a3d816outdated
488+term. Developers may need to optimize signature verification implementations, especially by implementing caching for
489+key generation.
490+
491+==== Algorithm Selection ====
492+
493+Introducing four quantum-resistant algorithms to the Bitcoin ecosystem provides users with the option to select an
jonasnick
commented at 2:07 pm on February 24, 2025:
0Introducing three quantum-resistant algorithms to the Bitcoin ecosystem provides users with the option to select an
in
bip-0360.mediawiki:34
in
32c0a3d816outdated
29+A Cryptoanalytically-Relevant Quantum Computer is an ''object'' which is only loosely defined by ''characteristics'' in quantum physics as of today. It could be understood in the context of this BIP and in bitcoin that it's a ''hardware-agnostic'' computer supposed to have the architecture to keep ''coherent'' a sufficient number of logical qubits to be able to run the Shor algorithm in an efficient fashion.</ref>
30+is their potential to break the cryptographic assumptions of Elliptic Curve Cryptography (ECC), which secures Bitcoin's signatures and Taproot
31+commitments. Specifically, [https://arxiv.org/pdf/quant-ph/0301141 Shor's algorithm] enables a CRQC to solve the
32+Discrete Logarithm Problem (DLP) exponentially faster than classical methods<ref name="shor">Shor's algorithm is
33+believed to need 10^8 operations to break a 256-bit elliptic curve public key.</ref>, allowing the derivation of
34+private keys from public keys—a process referred to as quantum key decryption. Importantly, simply doubling the public
jonasnick
commented at 2:10 pm on February 24, 2025:
nit: I tried to look up “quantum key decryption” because it struck me as a very confusing term, but I didn’t find any references.
cryptoquick
commented at 4:32 pm on February 24, 2025:
I’ll change it to, “a process referred to here”
in
bip-0360.mediawiki:228
in
32c0a3d816outdated
223+be a need for Pay to Quantum Secure (P2QS) addresses. A distinction is made between cryptography that's merely resistant
224+to quantum attack, and cryptography that's secured by specialized quantum hardware. P2QRH is resistant to quantum
225+attack, while P2QS is quantum secure. These will require specialized quantum hardware for signing, while still
226+[https://quantum-journal.org/papers/q-2023-01-19-901/ using public keys that are verifiable via classical means].
227+Additional follow-on BIPs will be needed to implement P2QS. However, until specialized quantum cryptography
228+hardware is widespread, quantum resistant addresses should be an adequate intermediate solution.
jonasnick
commented at 2:12 pm on February 24, 2025:
nit: I’d remove that paragraph because it’s highly speculative and doesn’t affect the design of this BIP as far as I can tell.
cryptoquick
commented at 4:45 pm on February 24, 2025:
I might argue it just needs an update, to capture discussions here and on the mailing list. I’d like to add a rationale for why this is an imperfect solution, and why it doesn’t need to be perfect. Signature aggregation for example can be added in a separate BIP and output type.
in
bip-0360.mediawiki:178
in
32c0a3d816outdated
173+post-quantum cryptography. This is a form of hybrid cryptography such that no regression in security is presented
174+should a vulnerability exist in one of the signature algorithms used. One key distinction between P2QRH and P2TR
175+however is that P2QRH will encode a hash of the public key. This is a significant deviation from how Taproot works by
176+itself, but it is necessary to avoid exposing public keys on-chain where they are vulnerable to attack.
177+
178+P2QRH uses a 32-byte HASH256 (specifically SHA-256 twice-over) of the public key to reduce the size of new outputs and
jonasnick
commented at 2:15 pm on February 24, 2025:
Is there a rationale for double SHA-256?
cryptoquick
commented at 4:42 pm on February 24, 2025:
I’m just assuming it could increase the difficulty of running Grover’s algorithm. It’s hard to know whether that assumption would hold up in practice since solving Grover’s for SHA-256 in a quantum circuit is still theoretical. I figured it also couldn’t hurt to use the same function as is used for PoW. It just might make things more secure in ways we can’t foresee.
jonasnick
commented at 11:01 am on February 25, 2025:
I don’t see how it would make a difference. It would just result in running SHA256 twice per Grover iteration instead of once. Why not hash 10 times then.
Anyway, in my experience, you will get the same questions about various design choices (like this one) over and over. The best way I know to deal with this to document them early and thoroughly, for example using footnotes as in BIP 341 or BIP 327.
cryptoquick
commented at 2:37 pm on February 25, 2025:
Yes, I’ve updated the BIP based on your feedback like so:
0P2QRH uses a 32-byte HASH256 (specifically SHA-256 twice-over) of the public key to reduce the size of new outputs and
1also to increase security by not having the public key available on-chain. While HASH256 uses double SHA-256 like
2Bitcoin's Proof of Work, this does not meaningfully increase quantum resistance compared to single SHA-256, as both
3provide approximately 2^128 security against Grover's algorithm. The practical impact of quantum attacks on SHA-256
4remains theoretical since quantum circuits for SHA-256 are still theoretical, but using the same hash function as
5Proof of Work maintains consistency with Bitcoin's existing security model.
in
bip-0360.mediawiki:115
in
32c0a3d816outdated
110+
111+It should be noted that Taproot outputs are vulnerable in that they encode a 32-byte x-only public key, from which a
112+full public key can be reconstructed.
113+
114+If the parent private key of an extended public key (xpub) is recovered by a CRQC, the attacker also recovers
115+the entire extended private key, whether it uses hardened or unhardened derivation.
jonasnick
commented at 2:28 pm on February 24, 2025:
This is a bit unclear to me. Do you mean “private key corresponding to an extended public key” (and not the parent of the public key)?
And such an attack not only allows recovering the extended private key (which is trivial, as it’s the same as the private key of the extended public key + the chaincode), but more importantly, it allows computing any of the child private keys.
Co-authored-by: Jonas Nick <jonasd.nick@gmail.com>
913cf79722
Updates based on Jonas Nick's feedback.5a1459bb17
QbitsCode
commented at 5:54 am on February 25, 2025:
none
Greetings all, can we have virtual clarification meeting. Thanks
mraksoll4
commented at 4:13 pm on March 2, 2025:
none
Considering Microsoft’s advances with their quantum chip, the threat is no longer imaginary but quite real.
katesalazar
commented at 6:17 pm on March 5, 2025:
contributor
Sorry for the delayed read.
I only wanna comment that I just read the current version (and only the current version) of the doc these days, the libbitcoinpqc line left me a small implementation detail smell. Found #1670 (review) about that, I see it seems that line perhaps was not originally in your vision.
I understand nothing technical about this, but the text doesn’t leave me with a fully good vibe specially the witness version skip (https://github.com/bitcoin/bips/pull/1670#discussion_r1889231215 and #1670 (review)), I guess I would appreciate if you shared a draft of your P2TRH proposal that you used to give meaning to the version skip - less vaporbipping is best for everybody.
I don’t understand the technical details of Taproot, but two things come to my mind, (1) can’t you apply hashing in a Taproot script (and then P2TRH is not really necessary)? and (2) have you done, or will you do, economic analysis on P2TRH impact in the transaction fee for the coin owner?
I appreciate your struggle anyway and wish you the best about it.
cryptoquick
commented at 7:23 pm on March 5, 2025:
none
I only wanna comment that I just read the current version (and only the current version) of the doc these days, the libbitcoinpqc line left me a small implementation detail smell. Found #1670 (comment) about that, I see it seems that line perhaps was not originally in your vision.
You make a good point, and I’m glad you saw that discussion point. Would you recommend I remove that?
I understand nothing technical about this, but the text doesn’t leave me with a fully good vibe specially the witness version skip (#1670 (comment) and #1670 (comment)), I guess I would appreciate if you shared a draft of your P2TRH proposal that you used to give meaning to the version skip - less vaporbipping is best for everybody.
Sure, I shared my P2TRH proposal in my latest update, in case you haven’t seen it:
After reading that, let me know your opinion on the witness version skip.
I don’t understand the technical details of Taproot, but two things come to my mind, (1) can’t you apply hashing in a Taproot script (and then P2TRH is not really necessary)? and (2) have you done, or will you do, economic analysis on P2TRH impact in the transaction fee for the coin owner?
The problem is that no matter what is put in the script, a CRQC can derive the key needed to initiate a root level keypath spend.
The punchline is that going with P2TRH would have added 8.25 vB to every Taproot transaction.
I appreciate your struggle anyway and wish you the best about it.
Thanks, and your feedback is much appreciated! As a fellow contributor, I’m curious, do you recommend I also submit P2TRH to BIPs?
katesalazar
commented at 8:56 pm on March 5, 2025:
contributor
do you recommend I also submit P2TRH to BIPs?
@cryptoquick know your peer… I’ve done few and casual administrivia and cleaning up here and there, but I don’t understand cryptography or other advanced math by myself, and not sure I can even. Therefore I don’t comment on BIP content, often not even on BIP structure and style.
mark-nesbitt
commented at 1:36 pm on March 7, 2025:
none
@cryptoquick I really appreciate this BIP – I learned about it from the Bitcoin Season 2 podcast you did.
I read the BIP and still need to digest it, but I’m trying to summarize the proposal. Would you say this is accurate:
This BIP introduces a new address type that supports quantum resistant public keys. Because new ciphers are at significantly greater risk of being broken, a single address can require multiple public keys. The user can construct an address using 3 types of QR public keys and a standard, non-QR resistant ECDSA pubkey. The user can define a multisig construction such that only a subset of these keys need provide a digital signature in order to spend the output. For those only concerned with security against quantum computers, the most logical construction would be a 4/4 multsig with keys of each of the 4 pubkey types.
EDIT: Updated the above language to capture multisig component.
This raised a question in my mind. Have you considered eliminating the additional complexity required to support multisig? Perhaps it would be a simpler, cleaner BIP to address one and only one need: quantum resistance. The end user can choose 1,2,3 or 4 pub keys, 1 of each type, and there must be n/n signatures to spend.
I’m supposing that the answer is “QR multisig is a valid use case – we why not support it?” I think that’s totally valid, but was just wondering if those were your thoughts and whether you think there’s value in the simplicity gains from eliminating the need for multisig.
in
bip-0360.mediawiki:337
in
5a1459bb17outdated
332+When spending, if a public key hash is provided in the attestation with an empty signature, that hash will be used
333+directly in the merkle tree computation rather than hashing the full public key. This allows excluding unused public
334+keys from the transaction while still proving they were part of the original commitment.
335+
336+This merkle tree construction creates an efficient cryptographic commitment to multiple public keys while enabling
337+selective disclosure.
mark-nesbitt
commented at 2:04 pm on March 7, 2025:
Is this BIP also attempting to support a multisig use case, where some but not all the QR pub keys require a signature?
If yes, I’m curious to know if you’ve considered relaxing that requirement. Perhaps it would be a simpler, cleaner BIP to address one and only one need: quantum resistance.
If no, wouldn’t there only ever be 4 pubkeys? That would make me think a Merkle structure for hashing/revealing the keys is unnecessary, as all 4 keys are always needed to spend the output.
mark-nesbitt
commented at 3:55 pm on March 7, 2025:
Having reread, I answered my own question: the BIP is supporting multisig. I’ll close this comment and ask in the PR comment section about your thoughts on relaxing that requirement
cryptoquick
commented at 10:05 am on March 11, 2025:
none
A merkle tree is still needed to support multiple kinds of keys. The only differences are that multisig will require some multisig specific bytes committed to in the address hash and revealed in the attestation, and hashes will be supported in a sparse merkle tree. I think it’s important we still preserve the use case of multisig to support self-custody and L2s.
Merge branch 'master' into p2qrh to fix BIP-119 linter issue6f3748e4b6
in
bip-0360.mediawiki:433
in
6f3748e4b6outdated
428+attestation. Public keys that are not needed can be excluded by including their hash in the attestation accompanied
429+with an empty signature. This includes classical Schnorr signatures.
430+
431+==== Sighash Calculation ====
432+
433+The sighash for P2QRH outputs follows the same procedure as defined in BIP-0143 for SegWit transactions:
I appreciate everyone’s feedback so far. There have been nearly 300 comments on this pull request, which is great and I won’t complain about the attention. Lots of feedback has been helpful, including about the multisig merkle tree hashing mechanism and the suggestion to use NIST I cryptography as NIST V has repeatedly been deemed overkill. Additionally, some oversights around sighash flags and Taproot compatibility were addressed.
BIP-360 is not the perfect solution, and it never was supposed to be. It is, however, the best compromise between various technical requirements I can come up with, and I hope that the technical decisions made are sensible when viewed in combination. As the first BIP to address quantum security, I intend it to be the most mature and conservative solution to the problem.
I hope now I’ve addressed all the holes present in the design. My next steps are to build the test vectors json using a fork of rust-bitcoin, which I will call rust-bitcoin-pqc. I will also be making a library called libbitcoinpqc, written in C but with Rust bindings included, and eventually I will integrate these into a fork of BDK I will call QBDK.
jonatack
commented at 7:25 pm on March 13, 2025:
member
@cryptoquick I re-read through the review feedback of the past four months, but it is difficult and laborious to try to understand what you did to concretely address each comment.
Would you please indicate in response to each comment the link to the commit patch with the relevant change you made, and particular for the review feedback from @jonasnick and @vostrnad above?
There is also review feedback marked as resolved, but without a reply. Please help reviewers connect the dots :)
Those pointers would be very helpful, I think, in determining what was done and/or remains to be done in response, and would aid review.
cryptoquick
commented at 10:56 pm on March 13, 2025:
none
@jonatack Thank you for the advice! I went back and did my best to provide some links to the relevant changes. Hope that helps.
Also, I’ve made a note to address this concern I overlooked:
I’d appreciate any thoughts you have on that. Thanks!
Correct inconsistencies in commitment and attestation structure. Switch from merkle tree commitment to sorted vector hash commitment.61faee6cb3
cryptoquick
commented at 9:57 am on March 18, 2025:
none
In the above changeset I rethought how we do the SegWit v3 scriptPubKey hash commitment… I think the merkle tree is nonsense at this point, since it cannot be sparse because all public key hashes must be known in advance in order to compute a complete commitment. Even in selective disclosure, all hashes have to be provided. @EthanHeilman originally suggested the merkle tree to me, so maybe there’s something I’m missing, but for now I’m going back to concatenated hashes. Hopefully this simplifies the BIP a bit, also.
I also made sure we’re more declarative of keytypes and thresholds in the attestation because bytes there will be cheap, especially if there’s an increased attestation discount. The reason the attestation exists is because it can be discounted separately and its functionality limited to fixed signature operations.
Update descriptor format.e6e7207808
cryptoquick force-pushed
on Mar 18, 2025
cryptoquick
commented at 3:50 pm on March 18, 2025:
none
In the above changeset I also updated the descriptor format to show a more complete example of how I expect selectively disclosed threshold multisigs to work.
QbitsCode
commented at 8:44 pm on March 19, 2025:
none
Is there somethin in a horizon, how can we reflect the current progression in percent. A clarfication meeting was requested to accelerate finalizing pqcBitcoin but no feedback.
cryptoquick
commented at 7:53 am on March 20, 2025:
none
@QbitsCode A community call isn’t a bad idea. If there is one, we’ll most likely announce it in our Telegram group.
murchandamus
commented at 4:17 pm on March 21, 2025:
contributor
People appear to agree conceptually that we should be looking into PQ, but skimming the conversation on this PR, I must admit that I am a bit concerned regarding the seeming lack of approach buy-in.
There seem to be concerns about e.g., introducing too many different PQ Signature schemes introducing unnecessary complexity, the resulting scheme dropping support for existing features, and uncertainty about the properties of the attestation structure’s properties. It also seems to me that it is not clear to me what the priority is:
If this is developing an emergency PQ-response that might be deployed on short notice, it would seem that going for less complexity would be fruiltful. If we are going for a fully-fledged, comprehensive response to PQ, it should e.g., not gratuitously drop support for scripting in outputs—don’t we still want HTLCs in a PQ future?
While you are reconsidering the structure of the attestation, perhaps it would be good to take another step back and collect more input on the big picture design goals before jumping back into the tweaking details of another variant of the same approach.
cryptoquick
commented at 4:28 pm on March 21, 2025:
none
Thanks for chiming in once more, Murch.
There seem to be concerns about e.g., introducing too many different PQ Signature schemes introducing unnecessary complexity
You have good timing with this, since I just published libbitcoinpqc, which should be a one-stop shop focal point for PQC needed for BIP-360, similar to how libsecp256k1 was for BIP-340. You can check out that work here:
https://github.com/cryptoquick/libbitcoinpqc
The algorithmic complexity shouldn’t be so bad now that it’s abstracted in a useful way.
If we are going for a fully-fledged, comprehensive response to PQ, it should e.g., not gratuitously drop support for scripting in outputs—don’t we still want HTLCs in a PQ future?
I’m not dropping support for witness scripts. The attestation is just like putting additional locks on coins in an address, in addition to whatever is expected to happen in the witness. I expect this to be compatible with a lot that’s already been developed for Lightning and Taproot. I would like to verify that in practice however. A good start to that would be post quantum-flavored versions of rust-bitcoin, BDK, and LDK.
While you are reconsidering the structure of the attestation, perhaps it would be good to take another step back and collect more input on the big picture design goals before jumping back into the tweaking details of another variant of the same approach.
Perhaps, but another alternative is to put the work needed into proving out this design. There’s too many variables to consider without something concrete to work from and think about. I’m definitely willing to do that in order to prove that BIP-360 works in various scenarios.
in
bip-0360.mediawiki:392
in
e6e7207808
387+3. When a secp256k1 key is specified in the key type bitmask, how many keys it commits to is unambiguous.
388+4. If multiple keys need to be committed to, they must be aggregated, which saves on transaction size.
389+
390+This design maintains compatibility for [https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki BIP-114]
391+Taproot Merkelized Alternative Script Tree (MAST) merkle root in the commitment, which makes P2QRH a
392+quantum-resistant version of Taproot transactions. The TapScript itself must however be provided in the witness,
This is a metadata mirror of the GitHub repository
bitcoin/bips.
This site is not affiliated with GitHub.
Content is generated from a GitHub metadata backup.
generated: 2025-04-05 05:10 UTC
This site is hosted by @0xB10C More mirrored repositories can be found on mirror.b10c.me