formatted bip-0360 as mediawiki #31
Open
+304
−2,450
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Minor issue: In the merkletree image there is gap between "How the TapTree root..." and the diagram. Probably move it up a bit for so the text and diagrams have consistent gaps. I'm recommend merging these changes as a series of commits to the PR so that we can tell when a change breaks the mediawiki formating |
EthanHeilman
requested changes
Oct 26, 2025
| '''Abstract''' | ||
|
|
||
| === Abstract === | ||
| This document proposes a new output type, Pay-to-Tapscript-Hash (P2TSH), via a soft fork. P2TSH outputs operate with nearly the same functionality as P2TR (Pay-to-Taproot) addresses – but with the key-path spend removed. |
There was a problem hiding this comment.
Suggested change
| This document proposes a new output type, Pay-to-Tapscript-Hash (P2TSH), via a soft fork. P2TSH outputs operate with nearly the same functionality as P2TR (Pay-to-Taproot) addresses – but with the key-path spend removed. | |
| This document proposes a new output type, Pay-to-Tapscript-Hash (P2TSH), via a soft fork. P2TSH outputs operate with nearly the same functionality as P2TR (Pay-to-Taproot) outputs – but with the key-path spend removed. |
| but requires PQ signatures to provide full security against Cryptographically Relevant Quantum Computers (CRQCs). | ||
| P2QRH is designed to provide the foundation necessary for a future soft fork activating PQ signature verification | ||
| in tapscript. | ||
| Through this modification, P2TSH addresses create the option of using Taproot in a manner that is: |
There was a problem hiding this comment.
Suggested change
| Through this modification, P2TSH addresses create the option of using Taproot in a manner that is: | |
| Through this modification, P2TSH outputs create the option of using Taproot in a manner that is: |
We talk discuss output types here, not address types.
| # resistant to any future cryptanalytic approaches that could compromise elliptic curve cryptography (ECC) used by Bitcoin. | ||
| This document is licensed under the 3-clause BSD license. | ||
| It is worth noting that the proposed P2TSH outputs are only resistant to (so-called) “long-exposure attacks” on elliptic curve cryptography (ECC); that is, attacks on public keys exposed for time periods longer than the average time needed to confirm a bitcoin transaction. |
There was a problem hiding this comment.
Suggested change
| It is worth noting that the proposed P2TSH outputs are only resistant to (so-called) “long-exposure attacks” on elliptic curve cryptography (ECC); that is, attacks on public keys exposed for time periods longer than the average time needed to confirm a bitcoin transaction. | |
| It is worth noting that the proposed P2TSH outputs are only resistant to “long-exposure attacks” on elliptic curve cryptography (ECC); that is, attacks on public keys exposed for time periods longer than the average time needed to confirm a bitcoin transaction. |
Given that we are introducing the terminology "long-exposure" I'd drop (so-called), but if you really want it, keep it.
| This document is licensed under the 3-clause BSD license. | ||
| It is worth noting that the proposed P2TSH outputs are only resistant to (so-called) “long-exposure attacks” on elliptic curve cryptography (ECC); that is, attacks on public keys exposed for time periods longer than the average time needed to confirm a bitcoin transaction. | ||
|
|
||
| Protection against more sophisticated quantum attacks - including protection against retrieval of keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. “short-exposure attacks”) - may require the introduction of post-quantum signature schemes in Bitcoin addresses. We believe it’s worth considering this path in the future and intend to offer a separate proposal for this purpose upon further research. |
There was a problem hiding this comment.
Suggested change
| Protection against more sophisticated quantum attacks - including protection against retrieval of keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. “short-exposure attacks”) - may require the introduction of post-quantum signature schemes in Bitcoin addresses. We believe it’s worth considering this path in the future and intend to offer a separate proposal for this purpose upon further research. | |
| Protection against more sophisticated quantum attacks - including protection against recovering secret keys from public keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. “short-exposure attacks”) - may require the introduction of post-quantum signature opcodes. We believe it’s worth considering this path in the future and intend to offer a separate proposal for this purpose upon further research. |
"retrieval of keys exposed in the mempool while a transaction is waiting to be confirmed" is a confusing way to put it. It sounds like we are retrieving public keys from the mempool.
post-quantum signature opcodes Bitcoin addresses --> post-quantum signature opcodes.
It isn't the address that has the signature schemes.
|
|
||
| Protection against more sophisticated quantum attacks - including protection against retrieval of keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. “short-exposure attacks”) - may require the introduction of post-quantum signature schemes in Bitcoin addresses. We believe it’s worth considering this path in the future and intend to offer a separate proposal for this purpose upon further research. | ||
|
|
||
| This document additionally defines specific quantum attack-vectors and new terms that we are concerned with in this proposal. |
There was a problem hiding this comment.
Suggested change
| This document additionally defines specific quantum attack-vectors and new terms that we are concerned with in this proposal. | |
| This document additionally defines "short exposure" and "long exposure" attacks, and other new terminology. |
What are these other new terms?
| P2QRH quantum resistance comes from removing the P2TR key path spend. Consequently, it cannot make use of Taproot's optimization | ||
| where P2TR key path spends do not require including a Merkle path in the P2TR input. If the Merkle tree only has a single leaf script, | ||
| no Merkle path is needed in the control block, giving us a 1-byte control block. | ||
| [size] signature (1 + 64 bytes = 65 bytes), |
There was a problem hiding this comment.
We should get rid of double returns in pre blocks. It takes up space, makes it harder to read and is inconsistent with what we do elsewhere
|
|
||
| [size] signature (1 + 64 bytes = 65 bytes) | ||
| </source> | ||
| </pre> |
There was a problem hiding this comment.
Why did we move from source to pre here? What does the pre tag have that source doesn't?
|
|
||
| To keep P2QRH small and simple, we have opted not to raise the stack element size limit as part of P2QRH, but instead make this change when | ||
| adding PQ signatures. That said, we are not strongly opposed to putting this increase in P2QRH. | ||
| 1) Minimize changes to the network – we should reuse existing Bitcoin code and preserve existing software behavior, workflows, user expectations and compatibility whenever possible. |
There was a problem hiding this comment.
We use mediawiki enumeration else where, why are use using "1)" here rather than "-"? Why make this change, it seems to only add inconsistency?
| **** If ''k<sub>j</sub> ≥ e<sub>j</sub>'': ''k<sub>j+1</sub> = hash<sub>TapBranch</sub>(e<sub>j</sub> || k<sub>j</sub>)''. | ||
| ** Let ''r = hash<sub>QuantumRoot</sub>(k<sub>m</sub>)''. | ||
| ** If ''q ≠ r'', fail. | ||
| ** Let ''v = c[0] & 0xfe'' be the ''leaf version'' (as defined in [https://github.com/cryptoquick/bips/blob/p2qrh/bip-0341.mediawiki BIP 341]). To maintain ''leaf version'' encoding compatibility the last bit of c[0] is unused and must be 1 [<nowiki/>[https://github.com/cryptoquick/bips/blob/p2qrh/bip-0360.mediawiki#cite_note-12 6]]. |
There was a problem hiding this comment.
If we are going to link to a BIP we shouldn't be linking to the BIP on the fork. Mediawiki has a nice way of handling this, see original.
Why
(as defined in [https://github.com/cryptoquick/bips/blob/p2qrh/bip-0341.mediawiki BIP 341])
vs.
(as defined in [[bip-0341.mediawiki|BIP 341]])
| ** Let ''r = hash<sub>QuantumRoot</sub>(k<sub>m</sub>)''. | ||
| ** If ''q ≠ r'', fail. | ||
| ** Let ''v = c[0] & 0xfe'' be the ''leaf version'' (as defined in [https://github.com/cryptoquick/bips/blob/p2qrh/bip-0341.mediawiki BIP 341]). To maintain ''leaf version'' encoding compatibility the last bit of c[0] is unused and must be 1 [<nowiki/>[https://github.com/cryptoquick/bips/blob/p2qrh/bip-0360.mediawiki#cite_note-12 6]]. | ||
| ** Let ''k0 = hashTapLeaf(v || compact_size(size of s) || s)''; also call it the ''tapleaf hash''. |
There was a problem hiding this comment.
It looks like someone went in an removed the subscript formatting. Why? How is this better?
| * 2025-01-20 - Remove SQIsign from consideration due to significant performance concerns. Refactor language from long-range attack to long-exposure so as to not be confused with the language around block re-org attacks. | ||
| * 2024-12-18 - Assigned BIP number. | ||
| * 2024-12-13 - Update to use Merkle tree for attestation commitment. Update LR & SR quantum attack scenarios. | ||
| * 2024-12-13 - Update to use Merkle tree for attestation commitment. Update LR & SR quantum attack scenarios. |
There was a problem hiding this comment.
Suggested change
| * 2024-12-13 - Update to use Merkle tree for attestation commitment. Update LR & SR quantum attack scenarios. | |
| * 2024-12-13 - Update to use Merkle tree for attestation commitment. Update LR & SR quantum attack scenarios. |
| * 2025-07-07 - P2QRH is now a P2TR with the vulnerable key-path spend removed. Number of PQ signature algorithms supported reduced from three to two. PQ signature algorithm support is now added via opcodes or tapleaf version. | ||
| * 2025-03-18 - Correct inconsistencies in commitment and attestation structure. Switch from Merkle tree commitment to sorted vector hash commitment. Update descriptor format. | ||
| * 2025-03-12 - Add verification times for each algorithm. 256 -> 128 (NIST V -> NIST I). Add key type bitmask. Clarify multisig semantics. | ||
| * 2025-03-12 - Add verification times for each algorithm. 256 -> 128 (NIST V -> NIST I). Add key type bitmask. Clarify multisig semantics. |
There was a problem hiding this comment.
Suggested change
| * 2025-03-12 - Add verification times for each algorithm. 256 -> 128 (NIST V -> NIST I). Add key type bitmask. Clarify multisig semantics. | |
| * 2025-03-12 - Add verification times for each algorithm. 256 -> 128 (NIST V -> NIST I). Add key type bitmask. Clarify multisig semantics. |
| * [https://delvingbitcoin.org/t/proposing-a-p2qrh-bip-towards-a-quantum-resistant-soft-fork/956?u=cryptoquick Delving Bitcoin discussion] | ||
| * [https://bitcoinops.org/en/newsletters/2024/06/14/ Bitcoin Optech newsletter] | ||
| * [https://bitcoinops.org/en/podcast/2024/06/18/#draft-bip-for-quantum-safe-address-format Bitcoin Optech discussion transcript] | ||
| '''Long-Exposure Attacks''' |
There was a problem hiding this comment.
I'd suggest moving Long-Exposure and Short-Exposure when we first use them outside the abstract
|
|
||
| We understand that this subject is controversial and veiled in uncertainty; and hope to offer users flexible options - tailored to their level of concern - that are relatively unobtrusive to existing network architecture. | ||
|
|
||
| This is an issue that has been discussed with some regularity in [https://bitcointalk.org/index.php?topic=133425.0 Bitcoin forums] since at least 2013 – and there is clearly user demand for increased quantum protection. |
There was a problem hiding this comment.
This should be moved to related work
Comment on lines
+381
to
+383
| In this proposal, we adopt a “prepared not scared” approach to the possible advancement of quantum computing – and offer Bitcoin users an option for increased protection if they so choose. | ||
|
|
||
| We understand that this subject is controversial and veiled in uncertainty; and hope to offer users flexible options - tailored to their level of concern - that are relatively unobtrusive to existing network architecture. |
There was a problem hiding this comment.
This should be moved to rationale. Standards typically don't have conclusions as they are mostly concerned with how, not why, with why living in rationale. Only one other BIP has a conclusion.
| P2TSH does not, by itself, protect against short-exposure quantum attacks, but such attacks can be mitigated by the future activation of post-quantum signatures in Bitcoin. | ||
|
|
||
| In comparison, the size of currently used signature algorithms are: | ||
| Combined with P2TSH, the introduction of post-quantum signature schemes would provide more comprehensive quantum resistance to P2TSH outputs – including protection from short-exposure attacks. |
There was a problem hiding this comment.
Suggested change
| Combined with P2TSH, the introduction of post-quantum signature schemes would provide more comprehensive quantum resistance to P2TSH outputs – including protection from short-exposure attacks. | |
| Combined with P2TSH, post-quantum signature schemes would provide comprehensive quantum resistance to P2TSH outputs – including protection from short-exposure attacks. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
formats bip-0360 as mediawiki and adds updated image of merkle tree/root construction