P2QRH / BIP-360 Update

Posted by Jonas Nick

Feb 21, 2025/08:54 UTC

The discussion initiated by Matt Corallo focuses on several concerns surrounding the BIP 360 proposal, particularly its treatment of post-quantum (PQ) cryptographic schemes within the Bitcoin protocol. The conversation examines the selective-disclosure mechanism described in BIP 360: the proposal commits to a Merkle root built from public key hashes, and an output can be spent from that root by revealing the relevant public keys together with valid signatures for them. Corallo raises a critical issue about this mechanism's security against a quantum adversary, specifically questioning how it holds up against an attacker who can break secp256k1 and then attempts to spend from the root by exploiting the selective-disclosure feature.

Further, Corallo critiques the proposed attestation structure intended to accompany the witness, pointing out a potential loophole that could allow the embedding of arbitrary data via selective disclosure, despite the original intention to prevent such actions. This critique extends to question the overall design and its implications on the integrity and security of the protocol.

Regarding multi-signature scenarios, there is concern that the specification fails to achieve the claimed 256-bit security; a hypothetical attack scenario is provided to illustrate how the intended security level could be bypassed through Merkle root collisions. This points to a significant oversight in the current specification that could undermine the security of multi-signature spends within the protocol.
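To make the selective-disclosure mechanism of the two paragraphs above concrete, here is an added example (not code from the original post, BIP 360, or any Bitcoin implementation) that builds a Merkle root over public key hashes, produces an inclusion proof for one key, and verifies that proof. The tag strings, the sorted-children branch rule, the odd-node carry-up rule, and the 33-byte "public keys" are all constructed for this example and are not BIP 360's actual encoding; signature checking is deliberately left to a caller-supplied predicate so the Merkle logic stands on its own.

```python
import hashlib
from typing import Callable, List


def tagged_hash(tag: bytes, data: bytes) -> bytes:
    """Domain-separated SHA-256 in the style of BIP-340 tagged hashes.
    The tag strings used below are assumptions for this example."""
    tag_digest = hashlib.sha256(tag).digest()
    return hashlib.sha256(tag_digest + tag_digest + data).digest()


def leaf_hash(pubkey: bytes) -> bytes:
    """Commit to a single public key (leaf of the disclosure tree)."""
    return tagged_hash(b"ExampleLeaf", pubkey)


def node_hash(left: bytes, right: bytes) -> bytes:
    """Combine two children. Children are sorted so a proof does not need
    left/right position flags (the same trick BIP-341 uses for TapBranch)."""
    a, b = sorted((left, right))
    return tagged_hash(b"ExampleBranch", a + b)


def _next_level(level: List[bytes]) -> List[bytes]:
    """Hash pairs; an unpaired last node is carried up unchanged rather than
    duplicated, avoiding the classic duplicate-leaf ambiguity."""
    nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2 == 1:
        nxt.append(level[-1])
    return nxt


def merkle_root(leaves: List[bytes]) -> bytes:
    """Root of the tree over already-hashed leaves."""
    if not leaves:
        raise ValueError("need at least one leaf")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes needed to recompute the root from leaves[index]."""
    proof: List[bytes] = []
    level = list(leaves)
    idx = index
    while len(level) > 1:
        if idx % 2 == 1:
            proof.append(level[idx - 1])
        elif idx + 1 < len(level):
            proof.append(level[idx + 1])
        # else: unpaired last node, carried up with no sibling at this level
        idx //= 2
        level = _next_level(level)
    return proof


def verify_disclosure(root: bytes, pubkey: bytes, proof: List[bytes]) -> bool:
    """Check that `pubkey` is committed to by `root` via `proof`."""
    h = leaf_hash(pubkey)
    for sibling in proof:
        h = node_hash(h, sibling)
    return h == root


def check_spend(root: bytes, pubkey: bytes, proof: List[bytes],
                signature_ok: Callable[[bytes], bool]) -> bool:
    """A spend must disclose a committed key AND carry a valid signature for it.
    `signature_ok` is a hypothetical verifier supplied by the caller."""
    return verify_disclosure(root, pubkey, proof) and signature_ok(pubkey)


# Constructed sample keys: 33-byte strings shaped like compressed points, not real keys.
SAMPLE_KEYS = [b"\x02" + bytes([i]) * 32 for i in (1, 2, 3)]
SAMPLE_LEAVES = [leaf_hash(k) for k in SAMPLE_KEYS]
SAMPLE_ROOT = merkle_root(SAMPLE_LEAVES)

if __name__ == "__main__":
    proof = merkle_proof(SAMPLE_LEAVES, 1)
    print("root:", SAMPLE_ROOT.hex())
    print("key 1 disclosed:", verify_disclosure(SAMPLE_ROOT, SAMPLE_KEYS[1], proof))
    print("foreign key rejected:", verify_disclosure(SAMPLE_ROOT, b"\x02" + b"\x09" * 32, proof))
```

Two properties of this construction bear on the concerns in the summary. First, revealing one key discloses nothing about the other committed keys beyond their hashes, which is the selective-disclosure property; second, the root is only as collision-resistant as the hash it is built from, and the generic birthday bound gives an n-bit digest roughly n/2 bits of collision resistance, so a design that claims 256-bit security for a root must account for how an attacker who controls some of the committed leaves could search for colliding roots.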

Corallo also reflects on the broader implications of introducing multiple PQ schemes to the Bitcoin consensus protocol, suggesting that this approach complicates the protocol without necessarily resolving the core issue of selecting the most appropriate PQ scheme. He emphasizes the importance of careful specification and implementation of new cryptographic schemes to maintain the integrity and security of the protocol, drawing on the motivation behind the creation of libsecp256k1 to argue for a cautious approach to incorporating new cryptographic assumptions.

The email closes with considerations on designing hybrid schemes that protect against both classical and quantum attacks, and highlights recent progress in signature aggregation as a promising way to reduce signature size and verification cost, particularly for hash-based signatures and Falcon aggregation. This perspective underscores the ongoing exploration and development of more secure and efficient cryptographic protocols within the Bitcoin ecosystem.
