BIP: TBD Title: QuBit - P2QRH spending rules Author: Hunter Beast <hunter@surmount.systems> Comments-Summary: No comments yet. Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-TBD Status: Draft Type: Standards Track License: BSD-3-Clause Created: 2024-06-08
This document proposes a new SegWit output type, with spending rules based on SQIsign signatures. (For more on why SQIsign is chosen, see the Security section.) A constraint is that no hard fork or modifications leading to an increase in block size are necessary. This document is inspired by BIP-341, which introduced the design of the P2TR address format using Schnorr signatures.
This document is licensed under the 3-clause BSD license.
This proposal aims to improve the quantum resistance of Bitcoin's signature security should the Discrete Logarithm Problem which secures Elliptic Curve Cryptography (EC DLP) no longer prove to be computationally hard, likely through quantum advantage. A variant of Shor's algorithm is believed to be capable of deriving the private key from a public key exponentially faster, which here will be referred to as quantum key decryption. This means that doubling the key length, such as using a hypothetical secp512k1 curve, would only make finding the key twice as hard. Shor's algorithm in particular will likely require only 2^21 steps to recover the private key. The computational complexity of this is investigated further in the paper, The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime.
The vulnerability of existing bitcoin addresses is investigated in this Deloitte report. The report estimates that in 2020 approximately 25% of the bitcoin supply is held within addresses vulnerable to quantum attack.
The following table is non-exhaustive, but meant to be informative to the average Bitcoin user.
| Address type | Vulnerable | Prefix | Example |
|---|---|---|---|
| P2PK | Yes | 04 | 0496b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52da7589379515d4e0a604f8141781e62294721166bf621e73a82cbf2342c858ee |
| P2PKH | No | 1 | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa |
| P2WPKH | No | bc1q | bc1qsnh5ktku9ztqeqfr89yrqjd05eh58nah884mku |
| P2TR | Yes | bc1p | bc1p92aslsnseq786wxfk3ekra90ds9ku47qttupfjsqmmj4z82xdq4q3rr58u |
It should be noted that Taproot addresses are vulnerable in that they encode a 32-byte x-only public key. It's possible Taproot keys are harder for a Shor's implementation to decrypt.
Should quantum advantage manifest, a convention is proposed in spending the full 65-byte P2PK key used by the coinbase output in Block 1 back to itself. It is proposed to call this the Canary address. The reasoning behind this is that this can only be done by Satoshi, and given his absence, this can only be spent by others if there is a significant vulnerability in secp256k1. Should the Canary coins move, that will signal that Bitcoin is presently vulnerable. Without the Canary, or an address like it, there may be some doubt as to whether the coins were moved with keys belonging to the original owner.
As an interesting aside, coinbase outputs to P2PK keys go as far as block 200,000, so it's possible there are between 1-2 million coins that are vulnerable from the first epoch. These coins can be considered "Satoshi's Shield." Any addresses with a balance of less than the original block subsidy of 50 coins can be considered incentive incompatible to capture until all of these are mined.
We first build up a definition of the signature scheme by going through the design choices. Afterwards, we specify the exact encodings and operations.
This is the first in a series of BIPs under a QuBit soft fork. A qubit is a fundamental unit of quantum computing, and the capital B represents its connection to Bitcoin. The name QuBit also rhymes to some extent with SegWit.
It is proposed to use SegWit version 3. This results in addresses that start with bc1r, which could be a useful way to remember that these are [r]esistant addresses, similar to how bc1q corresponds to Se[q]Wit and bc1p corresponds to Ta[p]root. This is referencing the lookup table under BIP-173.
The proposal above also leaves a gap in case it makes sense to use version 2, or bc1z, for implementation of other address formats such as those that employ Cross Input Signature Aggregation (CISA).
The name P2QRH means Pay to Quantum Resistant Hash. This is similar to how P2PKH, as defined in BIP-16.
P2QR addresses will be needed to maintain TapScript compatibility, and will encode the SQIsign public key. P2QRH addresses will use SHA-256 / MD160, similar to BIP-16, to reduce the size of new outputs.
For descriptors, qrh() should be used.
> Further specific details to be defined after step 1 in the process outlined BIP-2
Quaternion isogeny signature algorithms represent the state of the art in post-quantum cryptography, beyond lattice cryptography, especially when key and signature length are major constraints.
Quantum resistant signature algorithms ordered by signature size:
- SPHINCS+ - 17KB
- pqNTRUsign - 702 bytes
- FALCON - 666 bytes
- SQIsign - 177 bytes
- SQIsign2D-West - 148 bytes
- FastSQIsignHD - 107 bytes
- ECDSA - 70-72 bytes
- Schnorr - 64 bytes
TBD
TBD
TBD
TBD
TBD
TBD
TBD
TBD
TBD
To help implementors understand updates to this BIP, we keep a list of substantial changes.
- 2024-06: High level rough draft
TBD
Much gratitude to my co-founder, Kyle Crews for proofreading and editing, and also to Dave C. who provided the name, QuBit.