Add BIP: QES2 – Hybrid PQC-based Digital Signature Algorithm #1830

pull j1729labs wants to merge 5 commits into bitcoin:master from j1729labs:bip-QES2 changing 1 files +607 −0
  1. j1729labs commented at 8:03 am on April 18, 2025: none

    Summary: This pull request introduces a new Bitcoin Improvement Proposal (BIP) for QES2, a hybrid digital signature algorithm that combines post-quantum cryptography (PQC) with traditional ECDSA. The proposal aims to address the potential vulnerabilities posed by quantum computing while preserving backward compatibility with existing Bitcoin infrastructure.

    Details:

    Abstract: QES2 leverages a dual-signature mechanism to incorporate both a post-quantum signature and a classical ECDSA signature into Bitcoin transactions.

    Motivation: With the emerging threat of quantum computers, classical cryptographic methods may become vulnerable. QES2 presents a transitional solution that enhances security during the shift towards quantum-safe systems.

    Specification: The BIP outlines the structure, key generation, signing, and verification methods for the hybrid scheme.

    Rationale: The hybrid approach ensures that if one signature method is compromised, the other still provides protection, offering a balanced trade-off between security and backward compatibility.

    Reference Implementation: A reference implementation will be linked later for further review and testing.

  2. Create bip-newproposal.mediawiki 7f9114f662
  3. Update bip-newproposal.mediawiki 5414a5c56a
  4. Update bip-newproposal.mediawiki 3a34446077
  5. Update bip-newproposal.mediawiki 28c2aa8a7f
  6. Update bip-newproposal.mediawiki 11a563aeaf
  7. cryptoquick commented at 3:29 pm on April 18, 2025: none
    Would it make sense to just add QES2 support to BIP-360?
  8. in bip-newproposal.mediawiki:330 in 11a563aeaf 
    325+Taproot Compatibility
326+--------------------
327+
328+QES2 can be integrated with BIP-340 (Taproot) by:
329+
330+1. Using the QES2-based signature in place of the Schnorr signature
    cryptoquick commented at 3:49 pm on April 18, 2025:
    You specify QES2 as ECDSA, but ECDSA doesn’t support all that Schnorr does. This seems like a step backwards that could break Taproot compatibility. Would it not make sense to implement QES2 with Schnorr and remove mention of ECDSA?
    murchandamus commented at 1:08 pm on April 23, 2025:
    Like @cryptoquick, I’m confused that this proposal focuses only on ECDSA signatures, when about 1/3 of all existing UTXOs use the P2TR output type that employs BIP340 signatures. Could you please provide rationale for this approach and further address the implications for existing P2TR outputs intended to be spent via the scriptpath?
  9. in bip-newproposal.mediawiki:581 in 11a563aeaf 
    576+
577+1. **Dilithium Security**: The Dilithium signature is secure against quantum adversaries under the hardness assumptions of Module-LWE and Module-SIS problems.
578+
579+2. **ECDSA Security**: While vulnerable to quantum attacks, ECDSA remains secure against classical adversaries.
580+
581+3. **Binding Property**: The ECDSA signature validates the Dilithium signature, creating a binding that requires breaking both schemes or finding hash collisions to forge.
    cryptoquick commented at 3:53 pm on April 18, 2025:
    Why is it necessary to sign the PQ signature? Can’t it just be included separately and still benefit from the same guarantees if committed to in the same address as BIP-360 does?
  10. cryptoquick commented at 3:54 pm on April 18, 2025: none
    Just some questions
  11. jonatack commented at 5:54 pm on April 18, 2025: member
    Hi @j1729labs, have you posted about this to the bitcoin-dev mailing list at https://groups.google.com/g/bitcoindev? Please refer to https://github.com/bitcoin/bips/blob/master/bip-0002.mediawiki#user-content-BIP_workflow for details. Thanks!
  12. jonatack added the label New BIP on Apr 18, 2025
  13. murchandamus commented at 11:42 pm on April 18, 2025: contributor
    Please take another look at the formatting. The document’s syntax doesn’t seem to be MediaWiki, and especially the preamble does currently not conform to the required formatting.
  14. murchandamus added the label PR Author action required on Apr 18, 2025
  15. in bip-newproposal.mediawiki:129 in 11a563aeaf 
    124+- ``OP_QES2_CHECKSIG`` is a new opcode that verifies the entire chained signature scheme
125+
126+New Opcode
127+~~~~~~~~~~
128+
129+We introduce a new opcode, tentatively assigned as ``OP_QES2_CHECKSIG (0xba)``, that performs verification of the hybrid QES2 signature by checking both the ECDSA signature (which validates the PQC signature) and the Dilithium signature itself.
    murchandamus commented at 1:02 pm on April 23, 2025:
    Opcode 186 was designated OP_CHECKSIGADD by BIP 342.
  16. in bip-newproposal.mediawiki:421 in 11a563aeaf 
    416+======================
417+
418+This BIP maintains backward compatibility through several mechanisms:
419+
420+1. **Opt-in Deployment**: QES2 addresses are distinct from traditional addresses
421+2. **Traditional Scripts**: Existing P2PKH, P2SH, P2WPKH, and P2WSH scripts continue to function normally
    murchandamus commented at 1:10 pm on April 23, 2025:
    As mentioned, this does not address P2TR outputs which make up about 1/3 of all existing UTXOs.
  17. in bip-newproposal.mediawiki:594 in 11a563aeaf 
    589+   Where Adv_X(A) represents the advantage of an adversary A against scheme X.
590+
591+Acknowledgments
592+==============
593+
594+This proposal builds on the work of several other BIPs, including BIP-340, BIP-341, and BIP-342 (Taproot), and incorporates concepts from ongoing research in post-quantum cryptography for blockchains.
    murchandamus commented at 1:12 pm on April 23, 2025:
    I’m confused that this proposal mentions BIP 340 several times, but insufficiently addresses BIP 340 signatures.
  18. in bip-newproposal.mediawiki:117 in 11a563aeaf 
    112+
113+This BIP introduces a new script template:
114+
115+.. code-block::
116+
117+   <pq_signature_push> <ecdsa_signature_push> <pubkey_push> OP_QES2_CHECKSIG
    murchandamus commented at 1:14 pm on April 23, 2025:
    Please provide more detail how this new script template would be used in transactions. How is it split between output script, input script, witness section, or a newly introduced transaction section? How would this transaction be serialized? If it is intended to be a soft fork, what mechanism is used to allow unupgraded nodes to accept transactions using this signature scheme?
  19. in bip-newproposal.mediawiki:11 in 11a563aeaf 
     6+:Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-XXXX
 7+:Status: Draft
 8+:Type: Standards Track
 9+:Created: 2025-04-18
10+:License: BSD-2-Clause
11+:Requires: 340, 341, 342
    murchandamus commented at 1:30 pm on April 23, 2025:
    The document must start with the preamble adhering to the required format. Beyond the formatting needing to be amended, the title is too long and the authors need to be on separate lines with the format Name <addr@dom.ain>.
  20. murchandamus changes_requested
  21. murchandamus commented at 1:30 pm on April 23, 2025: contributor

    Thanks for your submission. The content of this document shows potential, however it is still lacking some important details (see other review comments). It also currently does not meet the formatting requirements for the BIPs process. Please fix the formatting to conform to the MediaWiki syntax and amend the Preamble to use preformatted text with the required formatting.

    As this document is currently not ready to be merged, I’m turning it into a Draft pull request at this time.

  22. murchandamus marked this as a draft on Apr 23, 2025


j1729labs cryptoquick murchandamus jonatack

Labels
New BIP PR Author action required

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-05-09 21:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me