From: Ethan Heilman <eth3rs@gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>
Cc: conduition <conduition@proton.me>,
Antoine Poinsot <darosior@protonmail.com>,
Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] In defense of a PQ output type
Date: Fri, 10 Apr 2026 20:20:32 -0400 [thread overview]
Message-ID: <CAEM=y+UYBQoocr95ucutw_9QoTuyRcpGPTf_1wgazzK3nbFyyQ@mail.gmail.com> (raw)
In-Reply-To: <765490aa-5df3-4619-86cc-17570b6d3e99@mattcorallo.com>
[-- Attachment #1: Type: text/plain, Size: 4276 bytes --]
> IMO even something like P2MR's additional cost will strongly discourage
adoption.
I don't agree.
Over time as quantum attacks become a bigger and bigger concern for
holders, wallets will want to show that they can offer security against
CRQCs. This is especially true for wallets focused on high value Bitcoin
outputs. Even if someone thinks there is only a 2% chance they lose all
their Bitcoin because of a quantum computer, that 2% chance will keep them
up at night.
P2MR would have 17.25 more vBytes, an 11% overhead.
P2TR 1 input, 2 output - key path spend. 154 vbytes
P2MR 1 input, 2 output - spending a schnorr sig leaf of a P2MR output with
two leafs: 1. PQ sig leaf and 2. Schnorr sig leaf. 171.25 vbytes
I'm stacking the deck against P2MR here. Under some circumstances P2MR has
lower fees than P2TR.
It is hard to imagine someone holding significant quantities of Bitcoin not
wanting to pay 50 sats to ensure their Bitcoin isn't stolen by a quantum
computer.
On Fri, Apr 10, 2026 at 7:10 PM Matt Corallo <lf-lists@mattcorallo.com>
wrote:
>
>
> On 4/10/26 1:03 PM, conduition wrote:
> >> But as mentioned above I do not see why any addition of hash based
> signatures to tapscript should require any kind of community consensus on
> future disablement of insecure spend paths
> >
> > I think Antoine's point here is that if we introduce a PQC opcode to
> tapscript but choose NOT to deploy P2MR, and then encourage people to use
> that opcode in P2TR script leaves, then we are locking ourselves into the
> assumption that the community will later disable P2TR key-path spending -
> otherwise those addresses will be compromised by a CRQC and the PQC leaf
> script is useless.
>
> Right, but you cut my quote off and appear to be responding to a point I
> didn't make? The very next
> few words that you cut were "not only is it a likely prerequisite for an
> alternative output type".
> Yes, we have to figure out what kind of output type we want, whether P2MR
> (360), P2TRv2 or just
> P2TR. There are strong arguments for each. But none of that has any
> bearing on whether we add hash
> based signatures to tapscript. We have to add hash based signatures to
> tapscript first no matter
> what output type we want!
>
> >> Adding a PQ output type which no one will use (eg one where use of the
> hash-based signature is mandatory, which drives fees up hugely and has all
> the drawbacks you mention) is not a risk mitigation strategy - it does not
> materially allow for any migration and doesn't accomplish much of anything.
> But as mentioned above I do not see why any addition of hash based
> signatures to tapscript
> >
> > I don't think anyone is suggesting deployment of an output type with
> mandatory hash-based signatures. That would be borderline unusable for
> anyone but large companies and wealthy elites.
> >
> > Every decent proposal I've seen has suggested using PQC in tandem with
> ECC across multiple tapscript leaves, whether in some bastardized variant
> of P2TR, or in BIP360's P2MR.
>
> IMO even something like P2MR's additional cost will strongly discourage
> adoption. We have a very
> long history with Bitcoin wallets not only refusing to adopt new features
> but actively making some
> of the worst possible design decisions from a Bitcoin PoV. IMO we should
> very strongly not give them
> any excuse, even if that's just fees.
>
> Matt
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/765490aa-5df3-4619-86cc-17570b6d3e99%40mattcorallo.com
> .
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAEM%3Dy%2BUYBQoocr95ucutw_9QoTuyRcpGPTf_1wgazzK3nbFyyQ%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 5204 bytes --]
next prev parent reply other threads:[~2026-04-11 0:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 18:58 'Antoine Poinsot' via Bitcoin Development Mailing List
2026-04-09 20:31 ` [bitcoindev] " Dplusplus
2026-04-09 21:17 ` [bitcoindev] " Olaoluwa Osuntokun
2026-04-09 22:46 ` Matt Corallo
2026-04-10 17:03 ` 'conduition' via Bitcoin Development Mailing List
2026-04-10 20:33 ` Matt Corallo
2026-04-11 0:20 ` Ethan Heilman [this message]
2026-04-11 1:04 ` 'Hayashi' via Bitcoin Development Mailing List
2026-04-11 1:25 ` Antoine Riard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEM=y+UYBQoocr95ucutw_9QoTuyRcpGPTf_1wgazzK3nbFyyQ@mail.gmail.com' \
--to=eth3rs@gmail.com \
--cc=bitcoindev@googlegroups.com \
--cc=conduition@proton.me \
--cc=darosior@protonmail.com \
--cc=lf-lists@mattcorallo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox