BIP-360: QuBit - Pay to Quantum Resistant Hash

bip-0360.mediawiki

@@ -40,11 +40,11 @@ relies on post-quantum cryptographic (PQC) signature algorithms. By adopting PQC
 resistance without requiring a hard fork or block size increase.
 
 The vulnerability of existing Bitcoin addresses is investigated in
-[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
-Bitcoin supply is held within addresses vulnerable to quantum attack. As of the time of writing, that number is now
-closer to 20%. Independently, Bitcoin developer Pieter Wuille [https://x.com/pwuille/status/1108085284862713856 reasons]
-even more addresses might be vulnerable, representing 5M to 10M bitcoin.
+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report].
+The report estimates that in 2020 approximately 25% of the Bitcoin supply is held within addresses vulnerable to
+quantum attack. As of the time of writing, that number is now closer to 20%. Independently, Bitcoin developer Pieter
+Wuille [https://x.com/pwuille/status/1108085284862713856 reasons] even more addresses might be vulnerable, representing
+5M to 10M bitcoin.
 
 Ordinarily, when a transaction is signed, the public key is explicitly stated in the input script. This means that the
 public key is exposed on the blockchain when the transaction is spent, making it vulnerable to quantum attack until
@@ -79,7 +79,7 @@ The following table is intended to inform the average Bitcoin user whether their
 quantum attack:
 
 {| class="wikitable"
-|+ Vulnerable output types
+|+ Output types vulnerable to long-range attacks on unspent addresses
 |-
 ! Type !! Vulnerable !! Prefix !! Example
 |-
@@ -129,13 +129,11 @@ before a transaction is mined. Long-range attacks can be executed over a longer
 exposed on the blockchain indefinitely.
 
 Coinbase outputs to P2PK keys go as far as block 200,000, so there are, at the time of writing, 1,723,848 coins that
-are vulnerable from the first epoch at the time of writing in P2PK outputs alone. The majority of these have a
-block reward of 50 coins each, and there are roughly 34,000 distinct P2PK scripts that are vulnerable. These coins
-can be
-considered "Satoshi's Shield." Any addresses with a balance of less than the original block subsidy of 50 coins can be
-considered cryptoeconomically incentive incompatible to capture until all of these are mined, and these addresses serve
-to provide time to
-transition Bitcoin to implement post-quantum security.
+are vulnerable from the first epoch in P2PK outputs alone. The majority of these have a block reward of 50 coins each,
+and there are roughly 34,000 distinct P2PK scripts that are vulnerable. These coins can be considered
+"Satoshi's Shield." Any addresses with a balance of less than the original block subsidy of 50 coins can be considered
+cryptoeconomically incentive incompatible to capture until all of these are mined, and these addresses serve to provide
+time to transition Bitcoin to implement post-quantum security.
 
 It's for the above reason that, for those who wish to be prepared for quantum emergency, it is recommended that no more
 than 50 bitcoin are kept under a single, distinct, unused Native SegWit (P2WPKH, "bc1q") address at a time. This is
@@ -148,12 +146,12 @@ upgraded by 2030, with browsers and operating systems fully upgraded by 2033. Ac
 Cryptography is planned to be disallowed within the US federal government after 2035. An exception is made for hybrid
 cryptography, which is the use of ECC and post-quantum algorithms together.
 
-Although the main threat posed by CRQCs is to the signatures used in Bitcoin, a smaller threat is to Bitcoin's hash algorithms.
-In particular, while a CRQC could use [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm] to gain a
-quadratic speedup on brute-force attacks on the hash functions used in Bitcoin, a significantly more powerful CRQC is
-needed for these attacks to meaningfully impact Bitcoin. For instance, a preimage attack on HASH160 <ref name="hash160">
-Used by P2PKH, P2SH, and P2WPKH addresses, though not P2WSH because it uses 256-bit hashes.</ref> using Grover's
-algorithm would require at least 10^24 quantum operations. As for Grover's application to mining, see
+Although the main threat posed by CRQCs is to the signatures used in Bitcoin, a smaller threat is to Bitcoin's hash
+algorithms. In particular, while a CRQC could use [https://en.wikipedia.org/wiki/Grover's_algorithm Grover's algorithm]
+to gain a quadratic speedup on brute-force attacks on the hash functions used in Bitcoin, a significantly more powerful
+CRQC is needed for these attacks to meaningfully impact Bitcoin. For instance, a preimage attack on
+HASH160 <ref name="hash160">Used by P2PKH, P2SH, and P2WPKH addresses, though not P2WSH because it uses 256-bit hashes.</ref>
+using Grover's algorithm would require at least 10^24 quantum operations. As for Grover's application to mining, see
 [https://quantumcomputing.stackexchange.com/a/12847 Sam Jaques’ post on this].
 
 === Rationale ===
@@ -315,8 +313,9 @@ keys from the transaction while still proving they were part of the original com
 This merkle tree construction creates an efficient cryptographic commitment to multiple public keys while enabling
 selective disclosure.
 
-This allows for inclusion of a Taproot MAST merkle root in the attestation, which makes P2QRH a quantum-resistant
-version of Taproot.
+This allows for inclusion of a [https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki BIP-114] Taproot
+Merkelized Abstract Syntax Tree (MAST) merkle root in the attestation, which makes P2QRH a quantum-resistant
+version of Taproot transactions.
 
 === Transaction Serialization ===
 
@@ -513,7 +512,9 @@ Hash-based cryptography
 |-
 | [https://eprint.iacr.org/2011/191.pdf Winternitz signature] || 1982 || 2,368 bytes<ref name="winternitz">Winternitz
 signatures are much smaller than Lamport signatures due to efficient chunking, but computation is much higher,
-especially with high values for w. Winternitz values are for w of 4.</ref> || 2,368 bytes || Hash-based cryptography
+especially with high values for w. Winternitz values are for w of 4. It's worth noting that Winternitz signatures can
+only safely be used one time per public key. If addresses are reused, private key information might be leaked, allowing
+attackers to spend future outputs assigned to the same address.</ref> || 2,368 bytes || Hash-based cryptography
 |-
 | [https://sphincs.org/data/sphincs+-r3.1-specification.pdf SPHINCS+ Rd. 3.1 (FIPS 205 - SLH-DSA)] || 2015 || 29,792
 bytes || 64 bytes || Hash-based cryptography