Posted by Tadge Dryja
May 28, 2025/17:14 UTC
The discussion centers around the challenge of fortifying Bitcoin against potential threats posed by quantum computers, specifically focusing on the viability and necessity of implementing post-quantum (PQ) cryptography within the Bitcoin protocol. The primary concern is whether quantum computers capable of breaking the current secp256k1 cryptographic keys will materialize and, if so, when this might occur. This uncertainty makes it difficult to reach a consensus on integrating significant changes into Bitcoin, especially those that could alter its existing features and security guarantees.
A proposed solution involves a soft fork that introduces a PQ signature scheme while simultaneously disallowing new outputs based on secp256k1. However, this approach carries the risk of being premature or unnecessary if quantum computing does not advance as feared. An alternative strategy mentioned is a commit/reveal scheme that would allow Bitcoin to continue operating securely even after the advent of quantum computing, without preemptively defining a PQ signature scheme. This method draws inspiration from a proposal by Tim Ruffing, but differs in its use of a smaller, hash-based commitment rather than encryption, and it describes activation through a soft fork.
The proposed commit/reveal scheme is particularly aimed at protecting keys that are hashes of public keys or scripts, with unknown public keys to the network. It is compatible with taproot, provided there's a script-path in the key, as direct keypath spends would become insecure under quantum attack scenarios. The scheme assumes a quantum-capable attacker can derive private keys from public keys and has some level of mining power to influence transactions.
Two types of attacks are outlined: one where an attacker could steal coins by preempting a user's transaction with a fraudulent commitment and spending transaction, and another involving a bit flipping attack that could permanently freeze outputs. To combat these, the scheme includes a unique commitment structure comprising three elements: a hash of the pubkey, a proof of knowledge of the pubkey that commits to a transaction, and the transaction ID itself. This structure allows for verification of commitments by nodes and provides a mechanism to protect against unauthorized spending by ensuring only the first valid commitment for a given address ID can be spent.
The implementation of this scheme requires maintaining a new database of commitments alongside the existing UTXO set, with considerations for storage space and the prevention of pubkey reuse. Activation of the commit/reveal requirement could be triggered by evidence of quantum computation capabilities, functioning as a soft fork to ensure backward compatibility with transactions that conform to the new rules.
In conclusion, the suggested PQ commit/reveal scheme offers a potential path forward for Bitcoin to enhance its resilience against quantum computing threats without immediate, drastic changes to its underlying infrastructure. This approach advocates for preparedness and adaptability, emphasizing the importance of not reusing addresses and incorporating script paths in taproot outputs as preventive measures. The hope is to provide peace of mind to Bitcoin holders and suggest best practices for users and wallets in anticipation of future developments in quantum computing.
TLDR
We’ll email you summaries of the latest discussions from authoritative bitcoin sources, like bitcoin-dev, lightning-dev, and Delving Bitcoin.
We'd love to hear your feedback on this project?
Give Feedback