From: Matt Corallo
To: Ethan Heilman, Jonas Nick
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms
Date: Wed, 11 Feb 2026 13:53:51 -0500
Message-ID: <22073a56-1cbf-4ba9-a2ea-46c621d4619c@mattcorallo.com>

On 2/10/26 11:44 AM, Ethan Heilman wrote:
> > If Bitcoin disables Taproot key path spends before Q-day, then doing this via Taproot instead of
> > BIP 360 would be preferable.
>
> I worry about making the transition to quantum-safe outputs depend on a contentious debate over a
> confiscatory soft fork. Uncertainty over whether the soft fork would be released and if released
> would be activated means that wallets and custodians are unlikely to have invested the resources
> into upgrading to support script only P2TR.

For what it's worth I do not see a scenario where a decision ultimately made by the market will pick
the fork side with materially, say 5-10x higher, supply, over the side with lower supply...supply
and demand is king, especially as the "confiscatory" nature is basically nil as ~all wallets today
use seedphrases, which could still be spent with a ZK proof-of-seedphrase :).

> The benefit of BIP 360's P2MR (Pay-to-Merkle-Root) + SLH_DSA is that it avoids this controversy by
> being opt-in and non-confiscatory. This also means that BIP 360 + SLH_DSA is likely to be activated
> early, allowing wallets and custodians ample time to build support after activation.

The drawback being that it will see zero relevant adoption until it's way too late.

The only entities that would reasonably adopt something like this are large custodians, who aren't
worth worrying about as they'll easily migrate all their coins over the course of a few days or
weeks in an emergency scenario, and highly specialty wallets. The point of any PQ soft fork today is
if it can actually drive wallets to start making progress on PQ deployment. A new address type that
is 10x more expensive to transact with is going to see ~zero adoption in "consumer wallets" until
it's urgent, at which point it's obviously way, way too late.

Hell, *any* PQ soft fork is going to see limited adoption in "consumer wallets" until it's urgent,
hence why I think the community will be basically forced to disable insecure spend paths and only
allow spends via ZK proof-of-seedphrase. But at least something that doesn't also 10x transaction
costs might reasonably be adopted by default by wallets that don't use seedphrases like Bitcoin Core.

> > We could define a new SegWit version that is a copy of Taproot. The new version number simply
> > signals that the owner consents to a future deactivation of key path spends. Unlike BIP 360, this
> > approach would still require actually disabling the key path before Q-day, but it is not
> > confiscatory and allows using Taproot's benefits until then (with a privacy hit from having two
> > versions of Taproot in parallel).
>
> Let's call this P2TRD (Pay-to-Tap-Root-Disablable). BIP 360 evolved from this P2TRD idea, to
> minimize the following hazards in P2TRD.
>
> 1. P2TRD requires a soft fork that depends on accurately predicting Q-day or when EC Schnorr is
> classically broken. We must not only predict Q-day but also convince the community that the
> prediction is correct. If we mess up the timing, Bitcoin is significantly harmed. This means that
> people will constantly be yelling that we are messing up the timing. It will make quantum FUD worse
> not better.

No it doesn't - it requires a soft fork when the risk is imminent, but it happening somewhat before
that time is okay too.

> 2. For P2TRD (Pay-to-Tap-Root-Disablable) to be non-confiscatory, users must create a script spend that
> replicates their key spend. But users and wallets are likely to screw this up and not create script
> spends. There is no way to see if a wallet is actually creating the script spend on the blockchain.

I mean people can create invalid addresses today in plenty of ways. How is this unique?

> 3. To be safe from long-exposure attacks P2TRD can't use the same public key for the script spend as
> the key spend. Since wallets will prefer the key spend to the script spend, a user might not realize
> if they lost the keying material for their script spend until after activation.

It would almost certainly just be a key derived from the seedphrase via another hash function, so
there's no real risk of this.

Matt

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/22073a56-1cbf-4ba9-a2ea-46c621d4619c%40mattcorallo.com.