You may have heard that taproot addresses are vulnerable to quantum attacks because they expose their public key.
Taproot addresses can be spent via their script path or their key path. Key-path spending could potentially be compromised if a cryptographically relevant quantum computer is ever built. Script-path spending is potentially still safe.
One concern with quantum resistance in Bitcoin is that all UTXOs will probably have to move to new addresses, and there is only so much space in each block.
This proposal by @rodarmor allows bitcoiners to migrate to quantum-safe addresses before settling on a quantum-safe signature scheme, expanding the timeline on which such a migration could be done.
A distinct SegWit version enables clean consensus-level disabling of key-path spending via a future soft fork.
P2Q requires no new validation logic today. If quantum computers never threaten ECDLP, P2Q outputs continue working exactly as taproot. If they do, a future soft fork can make single-element witness stacks (key-path spends) invalid for version 3 outputs, forcing all spends through script-path. Full quantum resistance would additionally require a quantum-safe signature scheme or other spending mechanism available via script-path. The details of that future soft fork are out of scope for this proposal.
Rationale
A new SegWit version is the cleanest mechanism for creating a class of outputs whose spending rules can be tightened by a future soft fork. It requires no new opcodes, no changes to the signature hashing algorithm, and no changes to the control block format.
BIP 360 (P2MR, SegWit version 2) provides immediate quantum resistance by removing key-path spending entirely. P2Q takes a different approach: it preserves full taproot functionality today and defers key-path disabling to a future soft fork, if and when quantum computers pose a real threat.
Using a NUMS internal key in P2TR does not provide equivalent protection. A quantum computer capable of breaking ECDLP could compute the discrete log of any curve point, including those believed to have no known discrete log, making key-path spendable for any P2TR output.
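To make the proposal's mechanism concrete, here is an added example (not code from the P2Q proposal or from @rodarmor) that classifies a taproot-style witness stack per BIP 341 (annex stripping, key-path vs script-path) and then applies the hypothetical future rule the proposal sketches: single-element witness stacks become invalid for witness version 3 outputs. The witness version 3, the `keypath_disabled` switch and the sample witness bytes are assumptions or constructed values, not consensus rules that exist today.

```python
from dataclasses import dataclass
from typing import List, Optional

ANNEX_TAG = 0x50  # BIP 341: a final element starting with 0x50 is the annex


@dataclass
class WitnessSpend:
    kind: str                       # "key-path" or "script-path"
    annex: Optional[bytes]
    script: Optional[bytes]         # tapscript leaf (script-path only)
    control_block: Optional[bytes]  # merkle path + parity (script-path only)


def classify_witness(stack: List[bytes]) -> WitnessSpend:
    """Split a taproot-style witness stack per BIP 341 rules."""
    if not stack:
        raise ValueError("empty witness stack is invalid")
    annex = None
    # Annex is only recognised when at least two elements are present.
    if len(stack) >= 2 and stack[-1] and stack[-1][0] == ANNEX_TAG:
        annex = stack[-1]
        stack = stack[:-1]
    if len(stack) == 1:
        # Exactly one element left: a key-path spend (the Schnorr signature).
        return WitnessSpend("key-path", annex, None, None)
    control_block, script = stack[-1], stack[-2]
    # Control block must be 33 + 32*m bytes, 0 <= m <= 128 (BIP 341).
    extra = len(control_block) - 33
    if extra < 0 or extra % 32 != 0 or extra // 32 > 128:
        raise ValueError("malformed control block")
    return WitnessSpend("script-path", annex, script, control_block)


def spend_allowed(witness_version: int, stack: List[bytes],
                  keypath_disabled: bool) -> bool:
    """True if the spend passes. keypath_disabled=False models today's rules
    (P2Q behaves exactly like taproot); True models the hypothetical future
    soft fork that rejects key-path spends for version 3 outputs only."""
    spend = classify_witness(stack)
    if witness_version == 3 and keypath_disabled and spend.kind == "key-path":
        return False
    return True


# Constructed sample witnesses (not real transactions).
SIG = b"\x01" * 64                       # 64-byte Schnorr signature placeholder
LEAF = b"\x20" + b"\x02" * 32 + b"\xac"  # <32-byte key> OP_CHECKSIG
CTRL = b"\xc0" + b"\x03" * 32            # leaf version/parity + internal key
```

Running `spend_allowed(3, [SIG], True)` returns False while `spend_allowed(3, [SIG, LEAF, CTRL], True)` returns True, which is the behaviour the proposal relies on; version 1 (P2TR) spends are unaffected by the switch.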
Looks like it's light on the chain too. I might look out for the next Hell Money pod to hear if he talks a bit more about this.
This makes sense — you get the benefits of Taproot today, but there’s a clear upgrade path if quantum computers ever become a real threat.