From: Ethan Heilman
Date: Fri, 10 Apr 2026 20:20:32 -0400
Subject: Re: [bitcoindev] In defense of a PQ output type
To: Matt Corallo
Cc: conduition, Antoine Poinsot, Bitcoin Development Mailing List
In-Reply-To: <765490aa-5df3-4619-86cc-17570b6d3e99@mattcorallo.com>

> IMO even something like P2MR's additional cost will strongly discourage adoption.

I don't agree.

Over time as quantum attacks become a bigger and bigger concern for holders, wallets will want to show that they can offer security against CRQCs. This is especially true for wallets focused on high value Bitcoin outputs. Even if someone thinks there is only a 2% chance they lose all their Bitcoin because of a quantum computer, that 2% chance will keep them up at night.

P2MR would have 17.25 more vBytes, an 11% overhead.

P2TR 1 input, 2 output - key path spend. 154 vbytes
P2MR 1 input, 2 output - spending a schnorr sig leaf of a P2MR output with two leafs: 1. PQ sig leaf and 2. Schnorr sig leaf. 171.25 vbytes

I'm stacking the deck against P2MR here. Under some circumstances P2MR has lower fees than P2TR.

It is hard to imagine someone holding significant quantities of Bitcoin not wanting to pay 50 sats to ensure their Bitcoin isn't stolen by a quantum computer.

On Fri, Apr 10, 2026 at 7:10 PM Matt Corallo <lf-lists@mattcorallo.com> wrote:

> On 4/10/26 1:03 PM, conduition wrote:
> >> But as mentioned above I do not see why any addition of hash based signatures to tapscript should require any kind of community consensus on future disablement of insecure spend paths
> >
> > I think Antoine's point here is that if we introduce a PQC opcode to tapscript but choose NOT to deploy P2MR, and then encourage people to use that opcode in P2TR script leaves, then we are locking ourselves into the assumption that the community will later disable P2TR key-path spending - otherwise those addresses will be compromised by a CRQC and the PQC leaf script is useless.
>
> Right, but you cut my quote off and appear to be responding to a point I didn't make? The very next few words that you cut were "not only is it a likely prerequisite for an alternative output type".
> Yes, we have to figure out what kind of output type we want, whether P2MR (360), P2TRv2 or just P2TR. There are strong arguments for each. But none of that has any bearing on whether we add hash based signatures to tapscript. We have to add hash based signatures to tapscript first no matter what output type we want!
>
> >> Adding a PQ output type which no one will use (eg one where use of the hash-based signature is mandatory, which drives fees up hugely and has all the drawbacks you mention) is not a risk mitigation strategy - it does not materially allow for any migration and doesn't accomplish much of anything. But as mentioned above I do not see why any addition of hash based signatures to tapscript
> >
> > I don't think anyone is suggesting deployment of an output type with mandatory hash-based signatures. That would be borderline unusable for anyone but large companies and wealthy elites.
> >
> > Every decent proposal I've seen has suggested using PQC in tandem with ECC across multiple tapscript leaves, whether in some bastardized variant of P2TR, or in BIP360's P2MR.
>
> IMO even something like P2MR's additional cost will strongly discourage adoption. We have a very long history with Bitcoin wallets not only refusing to adopt new features but actively making some of the worst possible design decisions from a Bitcoin PoV. IMO we should very strongly not give them any excuse, even if that's just fees.
>
> Matt
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/765490aa-5df3-4619-86cc-17570b6d3e99%40mattcorallo.com.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAEM%3Dy%2BUYBQoocr95ucutw_9QoTuyRcpGPTf_1wgazzK3nbFyyQ%40mail.gmail.com.
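
Added example (not part of the original message): a BIP 141 weight calculation that reproduces the 154 and 171.25 vbyte figures quoted in the message. The P2MR witness layout used here (a control block of one control byte plus the Merkle path, with no internal key), the 34-byte leaf script and the 34-byte output scripts are assumptions; the P2TR script-path comparison is one assumed case in which P2MR comes out smaller.

```python
from fractions import Fraction

def compact_size(n):
    """Byte length of Bitcoin's variable-length integer encoding of n."""
    return 1 if n < 0xfd else 3 if n <= 0xffff else 5 if n <= 0xffffffff else 9

def witness_bytes(stack):
    """Serialized size of one input's witness: item count + length-prefixed items."""
    return compact_size(len(stack)) + sum(compact_size(n) + n for n in stack)

def tx_vbytes(input_witnesses, output_script_lens):
    """Fractional virtual size (weight / 4) of a segwit tx with empty scriptSigs."""
    base = 4 + 4                                      # version + locktime
    base += compact_size(len(input_witnesses))
    base += len(input_witnesses) * (32 + 4 + 1 + 4)   # outpoint, empty scriptSig, sequence
    base += compact_size(len(output_script_lens))
    base += sum(8 + compact_size(n) + n for n in output_script_lens)
    wit = 2 + sum(witness_bytes(w) for w in input_witnesses)  # marker + flag
    return Fraction(base * 4 + wit, 4)                # non-witness bytes count 4x

SCHNORR_SIG = 64   # default-sighash Schnorr signature
SPK = 34           # OP_n <32-byte program>; assumed identical for P2TR and P2MR outputs
LEAF_SCRIPT = 34   # assumed leaf: <32-byte x-only pubkey> OP_CHECKSIG

def p2tr_keypath():
    """1-in, 2-out P2TR key-path spend: the witness is a single signature."""
    return tx_vbytes([[SCHNORR_SIG]], [SPK, SPK])

def p2mr_schnorr_leaf(depth=1):
    """Spend the Schnorr leaf of a two-leaf P2MR tree (depth 1).
    Assumption: control block = 1 control byte + 32 bytes per tree level."""
    control_block = 1 + 32 * depth
    return tx_vbytes([[SCHNORR_SIG, LEAF_SCRIPT, control_block]], [SPK, SPK])

def p2tr_scriptpath(depth=1):
    """Same leaf spent via a P2TR script path: the BIP 341 control block
    also carries the 32-byte internal key."""
    control_block = 1 + 32 + 32 * depth
    return tx_vbytes([[SCHNORR_SIG, LEAF_SCRIPT, control_block]], [SPK, SPK])

def overhead_pct():
    """P2MR Schnorr-leaf spend relative to a P2TR key-path spend, in percent."""
    return float((p2mr_schnorr_leaf() - p2tr_keypath()) / p2tr_keypath() * 100)

if __name__ == "__main__":
    print("P2TR key path      :", float(p2tr_keypath()), "vbytes")
    print("P2MR Schnorr leaf  :", float(p2mr_schnorr_leaf()), "vbytes")
    print("difference         :", float(p2mr_schnorr_leaf() - p2tr_keypath()), "vbytes")
    print("overhead           : %.1f%%" % overhead_pct())
    print("P2TR script path   :", float(p2tr_scriptpath()), "vbytes")
```

The whole 17.25 vbyte difference comes from witness data (leaf script plus control block), which is discounted to a quarter of its byte size.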