Date: Fri, 26 Jun 2026 14:10:39 +0000
To: Nagaev Boris
From: Pieter Wuille
Cc: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Giving teeth to expected EC disabling: P2XX(-T)(-ML)

Hi Boris,

See responses inline below.

On Friday, June 26th, 2026 at 5:41 AM, Nagaev Boris wrote:

> For Miner Lockdown, I see a potential false-positive activation.
> A large classical theft may happen, be misinterpreted as a CRQC event, and
> miners may lock the EC path with the best intentions, but it turns out to be
> a false alarm. Shouldn't there be a mechanism for reactivation in this case?
>
> We have historical examples of bugs causing large-scale or initially
> mysterious thefts: Milk Sad, Android SecureRandom 2013, and the LuBian
> 2020 theft. A similar event in the future could be confused with Q-day,
> and miners could push the button.

I agree that's a concern, but of course, if this happens, no coins are lost, just inefficient to access. As Sjors mentions, it's possible for users to move back to P2TR temporarily, but that of course goes counter to the CRQC-protection goal, and if it happens at scale, chain capacity problems may cause chaos.

Adding the ability to revert is a possibility, but I'm not sure it's all that much better than realizing there is also the possibility of adding a new P2TRv3 / P2MRv2 / ... that is in a pre-lockdown state?

> Can you elaborate on the scope of EC disabling, please? Does it disable
> only the main EC path (e.g. key spend in the case of Taproot v2) or all EC
> involving paths?

I agree with Antoine that it necessarily must disable all usage of EC inside the new output type, so that includes taproot key path spending (if present), and making any execution of an OP_CHECK* opcode with a non-empty signature for an EC pubkey cause the transaction to be invalid. Anything else falls short of the goal of making it possible for users to keep sharing public keys.

This should be the case for all disabling, whether through Tripwire, Miner Lockdown, or a future softfork.

> What will happen to scripts using something else in addition to EC? Some
> useful constructions may include an EC opcode, e.g. hybrid EC-PQ
> signatures or HTLCs. Maybe it makes sense to disable the main spending path
> and keep hash-protected supplementary paths available?
My thinking is that hybrid signature schemes, if desired, should be dealt with at the opcode level, and not the script level. That is, there would be (only) an OP_CHECKHYBRIDECSQISIGN opcode, not an expectation to use both OP_CHECKSIG and OP_CHECKSQISIGN. My reason for this is that I think the question of what level of security is appropriate (i.e., whether schemes should be protected with a layer of EC hybridity) should be a consensus decision, not an individual one.

Thinking about it, maybe that means it makes sense to completely separate PQC scripts and (pure-)EC scripts at the script leaf level, by having separate script leaf versions for them. That rules out some potentially useful ways of using conditionals that have PQC and pure-EC branches, but those do seem pretty error prone (as mixing the two within one execution trace would be unusable post EC-disabling).

Practically, my thinking is that due to the low cryptographic assumptions needed for hash-based schemes, those wouldn't need hybridization with EC (though the statefulness of some variants is worrying). I don't think schemes relying on other assumptions feel ready in terms of confidence for adding to Bitcoin to me, but that can change.

Cheers,

--
Pieter
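The disabling rule stated in the reply above (any executed check with a non-empty signature for an EC pubkey invalidates the transaction) and the remark about mixed EC/PQC traces, as a toy model added here; it is not code from the email or from any Bitcoin implementation. The k-of-n leaf shape with counting checks, the names `Check`, `trace_valid` and `spendable`, and the placeholder signatures are all assumptions made for illustration.

```python
# Toy model of the EC-disabling rule described in the email above.
# Assumption: a leaf is reduced to the signature checks it executes; this is
# not Bitcoin Script and not consensus code.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Check:
    key_type: str   # "ec" or "pqc" (type of the pubkey being checked)
    sig: bytes      # signature supplied by the spender; b"" means empty

def trace_valid(trace, ec_disabled):
    """After disabling, any executed check with a non-empty signature for an
    EC pubkey invalidates the transaction; empty signatures are untouched."""
    return not (ec_disabled and any(c.key_type == "ec" and c.sig for c in trace))

def spendable(key_types, threshold, ec_disabled):
    """Can a k-of-n leaf (hypothetical counting-style checks) be spent?
    Tries every choice of which keys sign; non-signers push an empty sig.
    Constructed signatures are placeholders and always count as correct."""
    for signs in product([False, True], repeat=len(key_types)):
        trace = [Check(k, b"sig" if s else b"") for k, s in zip(key_types, signs)]
        if sum(signs) >= threshold and trace_valid(trace, ec_disabled):
            return True
    return False

# Constructed leaves: name -> (key types, threshold)
LEAVES = {
    "pure EC 1-of-1":      (["ec"], 1),
    "pure PQC 1-of-1":     (["pqc"], 1),
    "EC AND PQC (2-of-2)": (["ec", "pqc"], 2),
    "EC OR PQC (1-of-2)":  (["ec", "pqc"], 1),
}

def survey():
    """Map each leaf to (spendable before disabling, spendable after)."""
    return {name: (spendable(k, t, False), spendable(k, t, True))
            for name, (k, t) in LEAVES.items()}

if __name__ == "__main__":
    for name, (before, after) in survey().items():
        print(f"{name:22} before={before} after={after}")
```

In this model the 2-of-2 leaf becomes unspendable once EC is disabled even though it contains a PQC key, while the 1-of-2 leaf survives only because the EC check can be executed with an empty signature.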