The limitations of cryptographic agility in Bitcoin

In a recent discussion on the Bitcoin Development Mailing List, the topic of integrating quantum-secure signature algorithms alongside current standards was addressed. The conversation highlighted a theoretical debate regarding the potential for competing movements both in support of and against the adoption of new, quantum-secure algorithms versus established ones. Despite acknowledging this debate, it was noted that such discussions are likely to remain confined to online platforms and not significantly impact real-world applications.

The discourse suggested a practical approach for those seeking quantum security without fully committing to unproven algorithms. A hybrid solution was proposed, allowing the use of both BIP340 signatures and those from a new algorithm dubbed "FancySig." This could be achieved through the use of a hybrid locking script requiring signatures from both algorithms or more efficiently by committing the public keys of both BIP340 and FancySig in separate tapscript leaves. Initially, BIP340 could be used exclusively, switching to FancySig only when quantum security becomes a necessity. This method offers enhanced security, particularly if there is no address reuse, as users do not have to choose between algorithms until the moment of spending. Additionally, for added safety, users have the option to reveal only a hybrid leaf if they have concerns at the time of transaction.

The conclusion drawn from this exchange was that there is no immediate need to alter existing assumptions or standards in light of potential advancements in post-quantum (PQ) cryptographic signatures. Instead, the focus should be on developing smart, secure standards for wallet implementations. These standards would provide users with a speculative, quantum-secure fallback, thereby mitigating the risks associated with the adoption of novel cryptographic systems. This perspective underscores the importance of forward-thinking in cryptographic security, emphasizing precaution and adaptability in the face of evolving quantum computing capabilities.