Changes to BIP-360 - Pay to Quantum Resistant Hash (P2QRH)

The recent modifications to the Bitcoin Improvement Proposal 360 (BIP-360) introduce significant advancements aimed at enhancing Bitcoin's resilience against quantum computing threats. The primary change involves the transition of Pay to Quantum Resistant Hash (P2QRH) to a script-only version of Taproot (P2TR), effectively removing the quantum-vulnerable key-spend pathway. This modification ensures that P2QRH outputs are committed directly to the tapleaf merkle root, which is computed by taproot, thereby augmenting security against potential quantum computing attacks. The scriptPubKey for a P2QRH output has been defined as OP_PUSHNUM_3 OP_PUSHBYTES_32, reflecting these changes.

These alterations leverage the existing taproot infrastructure, allowing for seamless integration and understanding among users familiar with P2TR. Moreover, by eliminating the taptweak steps and focusing on script and tapleaf support, this approach not only simplifies the implementation but also significantly enhances protection against long-exposure attacks, which are anticipated to become feasible before short-exposure ones. Importantly, this strategy offers an alternative to disabling key-spends in P2TR on Q-Day, the point at which quantum attacks may become viable, thus providing the ecosystem ample time to adapt without the pressure of imminent threats or emergency consensus changes.

Furthermore, the proposal outlines a forward-looking plan concerning Post-Quantum (PQ) signatures, decoupling their specification from BIP-360 to allow for independent consideration and development. This strategic separation facilitates ongoing progress on P2QRH while avoiding premature commitments to specific PQ signature algorithms. An informational section within BIP-360 suggests incorporating tapscript PQ signature verification opcodes for ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) through OP_SUCCESSx opcodes. This proposed method offers a flexible framework for activating PQ signature algorithms separately if desired and establishes a blueprint for integrating new signature algorithms in the future without necessitating new tapleaf versions. A comprehensive specification for these PQ signatures is expected to be detailed in an upcoming BIP, further contributing to the robustness and quantum resistance of the Bitcoin protocol.