bitcoin-dev
Trivial QC signatures with clean upgrade path
Posted on: December 16, 2024 01:30 UTC
Matt Corallo proposes the activation of OP_CAT in Bitcoin to facilitate experimentation with post-quantum (PQ) signature algorithms, offering a more flexible approach than OP_CTV for implementing general-purpose covenants.
This suggestion stems from the belief that selecting a definitive PQ signature algorithm for Bitcoin may take considerable time, and allowing for diverse experimental solutions could be beneficial. The idea is to permit various parties to test their own PQ solutions while the community works toward consensus on a long-term standard.
Corallo outlines that starting with a less efficient but provably secure post-quantum algorithm, such as Winternitz signatures within BitVM, could serve as an interim solution. He explains that using OP_CAT, a public key could be reduced to a single 32-byte hash, with signatures maintaining a size of 1KB. Although verifying these signatures would require about 4KB in Bitcoin script—deemed expensive—this method would temporarily accommodate institutions and individuals transitioning to PQ wallets, thereby buying time for a more permanent resolution within the Bitcoin core.
However, he highlights a significant limitation of current PQ proposals: only Pay-to-Witness-Script-Hash (P2WSH) addresses can achieve post-quantum security, not Pay-to-Taproot (P2TR) addresses. To address this, Corallo suggests the development of a new version of P2TR that either eliminates the key path (making it script-only) or incorporates a PQ signature mechanism. This adaptation aims to ensure broader post-quantum security across Bitcoin's transaction types, preparing the network for future cryptographic standards and threats.