[Draft BIP] Quantum-Resistant Transition Framework for Bitcoin

Posted by conduition

Aug 9, 2025, 01:04 UTC

conduition's critique of the Bitcoin Foundation's proposal for enhancing Bitcoin's quantum resilience highlights several key misunderstandings and areas for improvement. First, the proposal's assertion that 50 logical qubits suffice to break the 256-bit elliptic-curve discrete logarithm is a severe underestimate. The critique puts the requirement at roughly 1536 logical qubits, which error correction inflates into millions of physical qubits, so the true cost of the attack is thousands of logical qubits at the very least. The discrepancy points to a fundamental misunderstanding of the computational resources such an attack requires.

The critique is equally skeptical of the proposal's notion of "0-bit security" and of its reading of Shor's algorithm's big-O complexity. It also points out an oversight: naive birthday attacks on SHA256 or secp256k1 already cap Bitcoin addresses at a theoretical maximum of 128 bits of security, so pursuing the 256-bit parameter sets of SLH-DSA adds nothing in practice while disproportionately increasing signature sizes.

The proposal also neglects alternative signing algorithms suited to specific contexts, such as ML-DSA and SQISign, which hold promise for low-latency, resource-constrained environments like Lightning Network nodes. In addition, the suggestion to freeze UTXOs without a predefined unlocking mechanism is criticized for its potential to necessitate a hard fork, a scenario that earlier community discussions have cautioned against.

Misconceptions about how SLH-DSA operates are also addressed, in particular the incorrect claim that each signature exposes part of the private key material. In reality, the values revealed in a signature are hash-chain preimages derived deterministically from a secret seed, and the one-time signature (OTS) keys that produce them are certified through a chain of OTS signatures; the scheme keeps the probability of a successful forgery bounded over a defined number of signed messages.
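
The mechanism behind that rebuttal is easiest to see on a toy hash-based one-time signature. The block below is an added example written for this summary, not code from conduition's post, the draft BIP, or any SLH-DSA implementation; it is a deliberately tiny Winternitz-style OTS (base-4 digits, a 12-bit toy digest, plain SHA-256 instead of SLH-DSA's tweakable hashes, no FORS layer and no hypertree), with constructed seed and messages. It shows three things the paragraph states: the chain starts are derived from the seed with a PRF, so a signature reveals hash-chain intermediates rather than seed material; the checksum chains make forgery from a single signature impossible; and reusing the same OTS key for two messages lets an attacker forge a third, which is why SLH-DSA certifies a fresh OTS key per leaf and bounds the number of signatures per key.

```python
import hashlib

# Toy WOTS-style one-time signature (OTS).  This is NOT SLH-DSA: the real
# scheme uses tweakable hashes with per-position keys and bitmasks, a FORS
# few-time layer and a hypertree of XMSS trees that certifies each OTS key.
# Parameters are deliberately tiny so the key-reuse forgery below is found
# by brute force in well under a second.
W = 4                               # Winternitz parameter: W-1 = 3 hash steps per chain
DIGIT_BITS = (W - 1).bit_length()   # 2 bits per base-4 digit
MSG_DIGITS = 6                      # toy 12-bit message digest -> 6 digits
CS_DIGITS = 3                       # checksum <= MSG_DIGITS*(W-1) = 18 < W**3 = 64
CHAINS = MSG_DIGITS + CS_DIGITS


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(node: bytes, steps: int) -> bytes:
    """Walk a hash chain `steps` positions forward."""
    for _ in range(steps):
        node = H(node)
    return node


def digits(message: bytes) -> list:
    """Base-W digits of the (toy) message digest, followed by the WOTS
    checksum digits.  The checksum is what stops a forger from simply
    walking every chain forward to a message with larger digits."""
    digest = int.from_bytes(H(message), "big") >> (256 - MSG_DIGITS * DIGIT_BITS)
    msg = [(digest >> (DIGIT_BITS * (MSG_DIGITS - 1 - i))) & (W - 1) for i in range(MSG_DIGITS)]
    checksum = sum((W - 1) - d for d in msg)
    cs = [(checksum >> (DIGIT_BITS * (CS_DIGITS - 1 - i))) & (W - 1) for i in range(CS_DIGITS)]
    return msg + cs


def keygen(seed: bytes):
    """Chain starts are derived from the seed with a PRF (here H(seed || i)),
    so the seed itself never appears in any signature."""
    sk = [H(seed + bytes([i])) for i in range(CHAINS)]
    pk = H(b"".join(chain(s, W - 1) for s in sk))   # hash of all chain ends
    return sk, pk


def sign(sk: list, message: bytes) -> list:
    """Reveal the node at position d_i of chain i for every digit d_i."""
    return [chain(sk[i], d) for i, d in enumerate(digits(message))]


def verify(pk: bytes, message: bytes, sig: list) -> bool:
    """Finish every chain from the revealed node and compare with pk."""
    if len(sig) != CHAINS:
        return False
    ends = b"".join(chain(node, (W - 1) - d) for node, d in zip(sig, digits(message)))
    return H(ends) == pk


def forge(pk: bytes, signed: list, max_tries: int = 40000):
    """Attacker view: `signed` holds (message, signature) pairs made with the
    SAME OTS key.  A node at position p lets the attacker reach any position
    >= p on that chain, so a new message is forgeable iff each of its digits
    is at least the lowest revealed position on the corresponding chain.
    With one signature the checksum digits rule this out (raising a message
    digit lowers the checksum); with two, the per-chain minima leave room."""
    lowest = [None] * CHAINS                 # (position, node) per chain
    known = set()
    for message, sig in signed:
        d = digits(message)
        known.add(tuple(d))
        for i in range(CHAINS):
            if lowest[i] is None or d[i] < lowest[i][0]:
                lowest[i] = (d[i], sig[i])
    for n in range(max_tries):
        target = b"forged message %d" % n     # constructed candidate messages
        td = digits(target)
        if tuple(td) in known:               # digest collision, not an OTS forgery
            continue
        if all(td[i] >= lowest[i][0] for i in range(CHAINS)):
            sig = [chain(node, td[i] - pos) for i, (pos, node) in enumerate(lowest)]
            return target, sig
    return None


if __name__ == "__main__":
    seed = b"\x42" * 32                                  # constructed demo seed
    sk, pk = keygen(seed)
    m1, m2 = b"pay alice 1 BTC", b"pay bob 2 BTC"        # constructed messages
    s1, s2 = sign(sk, m1), sign(sk, m2)
    print("signature valid:", verify(pk, m1, s1), "| seed leaked:", seed in s1)
    print("forgery from one signature:", forge(pk, [(m1, s1)]))
    forged = forge(pk, [(m1, s1), (m2, s2)])
    print("forgery from two signatures verifies:", forged is not None and verify(pk, *forged))
```

The single-signature search always comes back empty: any message whose digits are all at least the revealed positions has a checksum no larger than the original, yet digit-wise the checksum must be at least the original, so the two digit vectors coincide. The moment a second message is signed with the same chains, the attacker holds the deeper node on every chain and a short brute-force search over candidate messages yields a signature that verifies under the honest public key. SLH-DSA avoids this by never reusing a WOTS+ key: each one is a leaf certified by the tree above it, and the overall signature budget (2^64 messages in the standard parameter sets) is what keeps the forgery probability bounded.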

Lastly, the draft BIP's reliance on the outdated pyspx Python module as its SPHINCS+ implementation is criticized because that module does not comply with the finalized SLH-DSA standard (FIPS 205). The critique concludes by advising the proposer to engage more collaboratively with the ongoing efforts to make Bitcoin quantum-resistant, specifically by reviewing existing proposals and discussions such as BIP360, in order to contribute to a secure, future-proofed Bitcoin protocol.
