P2QRH / BIP-360 Update

Posted by Hunter Beast

Feb 19, 2025/15:40 UTC

The Bitcoin Development Community has been presented with significant updates and requests for feedback regarding the post-quantum roadmap, including developments on the P2QRH proposal, now known as BIP-360. The updated BIP-360 draft, accessible here, outlines major revisions since its initial publication, with a particular focus on algorithm selection. SQIsign, originally under consideration, has been deprecated because of its impractical verification time, which is substantially slower than ECC and raises concerns about potential DDoS implications.

In response to these challenges, the proposal has shifted towards prioritizing algorithms that support signature aggregation without excessively enlarging the signatures. This move aims to maintain some level of efficiency akin to Schnorr signatures. The shortlist currently favors FALCON for its signature aggregation capabilities, with SPHINCS+ and CRYSTALS-Dilithium serving as secondary options. However, there are ongoing technical hurdles such as BIP-32 compatibility issues affecting xpub generation in watch-only wallets and considerations on how multisig wallets should be managed under this new framework.

A novel approach to multisig configurations using a merkle tree has been proposed for efficiently encumbering outputs with multiple keys. Yet, this method requires further scrutiny before adoption. An alternative might involve modifying the semantics of OP_CHECKMULTISIG to work within the new system's constraints, although this could introduce additional overhead. The handling of n/m multisigs is a glaring omission in the specification, which underscores the need for more thought and community input on this matter.
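The general idea of committing an output to many keys through a merkle tree can be sketched as follows. This is an added example, not code from the BIP-360 draft or from the original post; SHA-256, the domain-separation tags, the rule for unpaired nodes and all function names are assumptions of the sketch.

```python
import hashlib

# Assumptions of this sketch (not taken from the BIP-360 draft): SHA-256,
# the 0x00/0x01 domain-separation tags, and promoting an unpaired node.

def _h(tag: bytes, data: bytes) -> bytes:
    return hashlib.sha256(tag + data).digest()

def leaf_hash(pubkey: bytes) -> bytes:
    return _h(b"\x00", pubkey)            # leaf tag: a leaf can never pass as a node

def _parent(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left + right)      # interior-node tag

def build_levels(pubkeys):
    """Return every tree level, leaves first, root last."""
    if not pubkeys:
        raise ValueError("need at least one public key")
    level = [leaf_hash(pk) for pk in pubkeys]
    levels = [level]
    while len(level) > 1:
        nxt = [_parent(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])         # promote the unpaired node, never duplicate it
        level = nxt
        levels.append(level)
    return levels

def commitment(pubkeys) -> bytes:
    """32-byte value an output would commit to, whatever the number of keys."""
    return build_levels(pubkeys)[-1][0]

def prove(pubkeys, index: int):
    """Sibling path for pubkeys[index] as (sibling_hash, sibling_is_left) pairs."""
    proof = []
    for level in build_levels(pubkeys)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # a promoted node has no sibling at this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(root: bytes, pubkey: bytes, proof) -> bool:
    """Recompute the root from one revealed key and its sibling path."""
    node = leaf_hash(pubkey)
    for sibling, sibling_is_left in proof:
        node = _parent(sibling, node) if sibling_is_left else _parent(node, sibling)
    return node == root

# Constructed placeholder keys: 897 bytes each, the FALCON-512 public key size.
SAMPLE_KEYS = [bytes([i]) * 897 for i in range(5)]
```

The commitment stays at 32 bytes however many keys are included, and revealing one key costs that key plus at most about log2(n) sibling hashes.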

Moreover, BIP-360 emphasizes restricting itself to NIST-approved algorithms to ensure FIPS compliance, noting that hardware security modules (HSMs) like those from Securosys already support these algorithms, which is crucial for the secure deployment of federated L2 treasuries.

Additionally, an interim solution named P2TRH has been drafted to address quantum security concerns for Taproot keypath spends specifically. The draft for P2TRH can be viewed here. This strategy involves hashing public keys rather than exposing them directly, benefitting various applications but introducing some trade-offs in terms of overhead and slightly reduced utility in certain scenarios.

The push towards finalizing PQC selections is accompanied by a call to action for more community feedback, particularly through review and comments on the ongoing pull request. The effort to refine and advocate for BIP-360 will continue across several conferences and events, underscoring the importance of community involvement in shaping Bitcoin's quantum-resistant future.
