You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This document proposes the introduction of a new output type using signatures based on Post-Quantum Cryptography (PQC).
20
+
This document proposes the introduction of a new output type Pay to Quantum Resistant Hash (P2QRH) allowing the use of Post-Quantum Cryptography (PQC) in Bitcoin.
20
21
This approach for adding a post-quantum secure output type does not require a hard fork or block size increase.
21
22
22
23
=== Copyright ===
@@ -39,7 +40,7 @@ offering insufficient protection. The computational complexity of this attack is
39
40
[https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching ''The impact of hardware specifications on reaching quantum advantage in the fault-tolerant regime''].
40
41
41
42
This proposal aims to mitigate these risks by introducing a Pay to Quantum Resistant Hash (P2QRH) output type that
42
-
relies on PQC signature algorithms. By adopting PQC, Bitcoin can enhance its quantum
43
+
makes tapscript quantum resistant and enables the use of PQC signature algorithms. By adopting PQC, Bitcoin can enhance its quantum
43
44
resistance without requiring a hard fork or block size increase.
44
45
45
46
The vulnerability of existing Bitcoin addresses<refname="address-vulnerability">A vulnerable Bitcoin address is any
@@ -80,7 +81,7 @@ possible. Once the transaction is mined, it makes useless the public key reveale
80
81
never reused.
81
82
82
83
It is proposed to implement a Pay to Quantum Resistant Hash (P2QRH) output type that relies on a PQC signature
83
-
algorithm. This new output type protects transactions submitted to the mempool and helps preserve the free market by
84
+
algorithm. This new output type protects transactions submitted to the mempool and helps preserve the fee market by
84
85
preventing the need for private, out-of-band mempool transactions.
85
86
86
87
The following table is intended to inform the average Bitcoin user whether their bitcoin is vulnerable to a long-exposure
@@ -176,60 +177,103 @@ It is proposed to use SegWit version 3. This results in addresses that start wit
176
177
remember that these are quantum (r)esistant addresses. This is referencing the lookup table under
Because it goes into the scriptPubKey, it does not receive a witness or attestation discount.
194
-
195
-
Post-quantum public keys are generally larger than those used by ECC, depending on the security level.
196
-
Originally BIP-360 proposed NIST Level V, 256-bit security, but this was changed to NIST Level I, 128-bit security
197
-
due to concerns over the size of the public keys, the time it would take to verify signatures, and being generally
198
-
deemed "overkill".
199
-
200
-
Support for FALCON signatures will be introduced first, with the intention of adding other post-quantum
201
-
algorithms as they are approved. By way of comparison, FALCON signatures are roughly 20x larger than Schnorr signatures.
202
-
FALCON has recently been approved by NIST. NIST approval streamlines implementations through establishing
203
-
consensus in the scientific and developer community. This means, to maintain present transaction throughput, an
204
-
increase in the witness discount will likely be desired in a QuBit soft fork. That will be specified in a future QuBit
205
-
BIP.
206
-
207
-
An increase in the witness discount must not be taken lightly. It must be resistant to applications that might take
208
-
advantage of this discount (e.g., storage of arbitrary data as seen with "inscriptions") without a corresponding
180
+
We believe any approach to augment Bitcoin with quantum resistance should meet the following requirements. Any
181
+
upgrade to Bitcoin's quantum resistance should:
182
+
183
+
**Change as little as possible.** Unless absolutely necessary should reuse existing Bitcoin code, standards and the
184
+
existing expectations of how to use Bitcoin.
185
+
186
+
**The upgrade must be gentle, staged and low cost.** Rather than require that wallets and exchanges immediately support
187
+
post-quantum signatures we must provide a way for them to gentle move to greater quantum resistance in small steps. This
188
+
is critical because an upgrade path which requires too much effort up front is unlikely to be adopted prior to a
189
+
a state of quantum emergency. The earlier the ecosystem begins upgrading to quantum resistance, the lower the number of
190
+
coins at risk when quantum attacks become practical.
191
+
192
+
**Use NIST standardized post-quantum signature algorithms.** These algorithms have gotten the most scrutiny
193
+
and are likely to be most well supported and well studied going forward. The entire Bitcoin ecosystem will benefit
194
+
from using the most popular post-quantum signature algorithms including leveraging hardware acceleration
195
+
instructions, commodity trusted hardware, software libraries and cryptography research.
196
+
197
+
**Hedge against unexpected attacks on signature algorithms.** This is motivated by two factors. First,
198
+
Bitcoin must enable parties to hold coins securely for decades if not centuries. The history of cryptography is
199
+
one of unexpected breakthroughs in attacks. Thus, Bitcoin should enable the user of multiple signature algorithms
200
+
to hedge against the failure of any particular algorithm. Second, Many post-quantum algorithms are relatively new
201
+
and while it unlikely that a NIST standardized post-quantum signature algorithm will be broken, prudence dictates
202
+
that we plan for the worst. For these reasons we are proposing two post-quantum signature algorithms, one which
203
+
is intended as a performant replacement for Schnorr signatures and a far more conservative choice which provides
204
+
maximal assurance against unexpected attacks. Regardless of quantum attacks this maximal secure signature algorithm
205
+
is both a natural and valuable feature for Bitcoin to have.
206
+
207
+
Using these guiding principles, we propose the following design for P2QRH.
208
+
209
+
To change as little as possible, we designed P2QRH to be P2TR with the quantum vulnerable key-spend path removed.
210
+
Thus, rather than committing to a public key as P2TR does, P2QRH simply commits to the root
211
+
of the tapleaf merkle tree. This allows P2QRH to leverage the existing, mature and battle tested tapleaf code.
212
+
This reduces the implementation burden on wallets, exchanges, and parties in the Bitcoin ecosystem
213
+
since they can reuse the code they already have. P2QRH is a simplification of P2TR which removes
214
+
the quantum vulnerable key-spend in P2TR
215
+
216
+
P2QRH will support both Schnorr and PQC signatures. This provides a gentle upgrade path for users, wallets and exchanges.
217
+
Users can move from P2TR to P2QRH without simultaneously having to change from Schnorr signatures to PQC signatures.
218
+
This change alone protects against long-range quantum attacks. Then wallets can provide full quantum resistance by
219
+
adding support for PQC signatures as an additional tapleaf alongside Schnorr signatures<refname="mattleaf">Inspired by Matt Corallo's discussion of this idea on the Bitcoin-dev mailing list [https://groups.google.com/g/bitcoindev/c/oQKezDOc4us/m/T1vSMkZNAAAJ Re: P2QRH / BIP-360 Update]</ref>.
220
+
In the event of that quantum attacks become practical, users in such outputs are fully protected as the P2QRH output
221
+
commits to a PQC signature.
222
+
223
+
In looking at PQC signatures to support we follow our principle of using NIST standardized algorithms. As discussed above
224
+
NIST approval streamlines implementations establishes consensus in the scientific and developer community, sends a
225
+
strong signal that these algorithms will be well supported. Post-quantum public keys are generally larger than those
226
+
used by ECC, depending on the security level. Originally BIP-360 proposed NIST Level V, 256-bit security, but this was
227
+
changed to NIST Level I, 128-bit security due to concerns over the size of the public keys, the time it would take to
228
+
verify signatures, and being generally deemed "overkill".
229
+
230
+
We considered the NIST approved SLH-DSA (SPHINCS+), ML-DSA (CRYSTALS-Dilithium), and FN-DSA (FALCON). Of these three algorithms,
231
+
SLH-DSA has the largest signature size, but is the most conservative choice from a security perspective. This is because SLH-DSA
232
+
is based on well studied and time-tested hash-based cryptography. Both FN-DSA and ML-DSA signatures are significantly
233
+
smaller than SLH-DSA signatures. However, FN-DSA and ML-DSA are based on lattice-based cryptography which is relatively
234
+
new and introduces novel security assumptions to Bitcoin.
235
+
236
+
We choose to support Schnorr, ML-DSA, and SLH-DSA. As discussed earlier, supporting Schnorr in P2QRH
237
+
enables a gentle upgrade path. Additionally removing Schnorr from P2QRH tapscripts would add complexity, whereas
238
+
including requires no changes at all and provides maintains compatibility with tapscript. As ML-DSA and FN-DSA are
239
+
both similar lattice-based designs we choose to only support ML-DSA as the additional value of supporting FN-DSA is
240
+
marginal and would increase implementation cost. ML-DSA is intended to be the default PQC signature algorithm in
241
+
P2QRH as it provides a good balance of security, performance and signature size and is likely to the most widely
242
+
supported PQC signature algorithm. SLH-DSA has a radically different design than ML-DSA and provides an effective hedge
243
+
against unexpected attacks on signature algorithms on ML-DSA and Schnorr.
244
+
245
+
P2QRH is designed to enable parties holding Bitcoin to combine the security of classical Schnorr signatures along
246
+
with both post-quantum signatures. This allows the construction of outputs such that funds are still secure
247
+
even if two of the three the signature algorithms are completely broken. This is motivated by the usecase of securely
248
+
storing Bitcoins in a cold wallet for extended periods of time (50 to 100 years).
249
+
250
+
While it might be seen as a maintenance burden for Bitcoin ecosystem devs to support two additional distinct signature
251
+
algorithms--and it most certainly is--the ramifications of a chain broken through cryptanalytic breakthroughs,
252
+
quantum or otherwise, should provide sufficient motivation. The complexity involved in supporting multiple signature
253
+
algorithms should be seen as an acceptable compromise for maintained security of Bitcoin during a regime of quantum advantage.
254
+
255
+
To improve the viability of the activation client and adoption by wallets and libraries, a library akin to
256
+
libsecp256k1 will be developed. This library, libbitcoinpqc, will support the new PQC signature algorithms
257
+
and can be used as a reference for other language-native implementations.
258
+
259
+
260
+
==== Future Considerations ====
261
+
262
+
We recognize that the size of CRYSTALS-Dilithium and SPHINCS+ signatures is a significant concern. By way of comparison with
263
+
Schnorr signatures, SPHINCS+ signatures are roughly 120x larger and CRYSTALS-Dilithium is roughly 40x larger. This means to
264
+
maintain present transaction throughput, an increase in the witness discount may be desired.
265
+
266
+
An increase in the witness discount must not be taken lightly. Parties make take advantage of this discount for purposes other than
267
+
authorizing transactions (e.g., storage of arbitrary data as seen with "inscriptions") and just without a corresponding
209
268
increase in economic activity. An increase in the witness discount would not only impact node runners but those with
210
-
inscriptions would also have the scarcity of their non-monetary assets affected. The only way to prevent these effects
211
-
while also increasing the discount is to have a completely separate witness--a "quantum witness." Because it is meant
212
-
only for public keys and signatures, we call this section of the transaction the attestation.
213
-
214
-
Additionally, it should be noted, whether an output with a P2QRH spend script corresponds to a PQC signature is not
215
-
known until the output is spent.
216
-
217
-
While it might be seen as a maintenance burden for Bitcoin ecosystem devs to go from a single cryptosystem
218
-
implementation to three additional distinct PQC cryptosystems--and it most certainly is--the ramifications of a chain
219
-
broken through extrinsic factors should provide sufficient motivation. An increase in software maintenance everywhere
220
-
signatures are used should be seen as an acceptable compromise for maintained integrity of Bitcoin transfers during a
221
-
regime of quantum advantage.
222
-
223
-
The inclusion of these three cryptosystems: SPHINCS+, CRYSTALS-Dilithium, and FALCON have various advocates
224
-
within the community due to their varying security assumptions. Hash-based cryptosystems are more conservative,
225
-
time-tested, and well-reviewed. Lattice cryptography is relatively new and introduces novel security assumptions to
226
-
Bitcoin, but their signatures are smaller and might be considered by some to be an adequate alternative to hash-based
227
-
signatures.
228
-
229
-
The reason multiple cryptosystems are included is in the interest of supporting hybrid cryptography, especially for
230
-
high value outputs, such as cold wallets used by exchanges. To improve the viability of the activation client and
231
-
adoption by wallets and libraries, a library akin to libsecp256k1 will be developed. This library, libbitcoinpqc,
232
-
will support the new PQC cryptosystems and can be used as a reference for other language-native implementations.
269
+
inscriptions would have the scarcity of their non-monetary assets affected.
270
+
271
+
There was some hope of designing P2QRH such that discounted public keys and signatures could not be repurposed for the storage of
272
+
arbitrary data by requiring that they successfully be verified before being written to Bitcoin's blockchain, a.k.a. "JPEG resistance".
273
+
Later research <ref>
274
+
Bas Westerbaan (2025), [https://groups.google.com/g/bitcoindev/c/5Ff0jdQPofo jpeg resistance of various post-quantum signature schemes]</ref>
275
+
provided strong evidence that this was not a feasible approach for the NIST approved Post-Quantum signature algorithms.
276
+
It is an open question if Post-Quantum signature algorithms can be designed with to provide JPEG resistance property.
233
277
234
278
In the distant future, following the implementation of the P2QRH output type in a QuBit soft fork, there will likely
235
279
be a need for Pay to Quantum Secure (P2QS) addresses. A distinction is made between cryptography that's merely resistant
0 commit comments