bitcoin-dev

Trivial QC signatures with clean upgrade path

Trivial QC signatures with clean upgrade path

Original Postby Matt Corallo

Posted on: December 15, 2024 21:42 UTC

The debate on quantum computing (QC) robustness in Bitcoin's signature scheme has highlighted several critical considerations and proposals.

Quantum computers capable of breaking current encryption methods like elliptic curves (EC) are anticipated to be developed within the next two decades, adhering to NSA recommendations and suggesting that we have time to upgrade Bitcoin's security protocols. However, the possibility exists that such quantum computers may never come to fruition due to potential fundamental scaling constraints. Despite this uncertainty, the development of quantum computing is expected to provide a warning period due to its immense resource requirements, signaling when an upgrade to Bitcoin's security measures becomes necessary.

The consensus within the community points towards hash-based signatures, specifically SPHINCS/SPHINCS+, as the only viable candidates for post-QC signature security within Bitcoin's consensus mechanism today. This is because other post-QC security assumptions, like Lattices and Supersingular Elliptic Curve Isogeny, are deemed insufficient for securing coins today and are considered bad candidates due to the potential for future cryptographic research to render them obsolete. The discussion also highlights the impracticality of waiting for opcode additions like OP_CAT, which are mired in complexities and uncertainties, including those surrounding miner extractable value (MEV) issues and Bitcoin's future developments.

A proposed solution involves leveraging taproot to build a scheme that provides post-QC security without requiring immediate action from wallet developers or users. Taproot script-path spends, which incorporate the internal key in their hash, offer a method for creating transactions that are secure against quantum computing threats. By adding a new opcode, similar to OP_CHECKSIG but for verifying post-QC non-one-time-use signatures, wallets could construct taproot outputs containing an alternative spending condition secure against QC attacks. This approach would allow for the soft-fork disabling of key-path taproot spends in favor of QC-secure paths once quantum computing becomes a tangible threat.

However, this proposal is not without its drawbacks, notably the potential for non-upgraded funds to be confiscated once QC becomes a reality. To mitigate this, two alternatives are suggested: requiring explicit opt-in for the scheme or allowing key-path spends for wallets that can prove their script-path is a Nothing-Up-My-Sleeve (NUMS) point. Each option has its trade-offs, including on-chain fingerprint concerns and the impact on existing wallets not committed to a NUMS point.

The discussion also touches upon the broader implications for Bitcoin's proof of work (PoW) in a post-QC world, suggesting that modifications to Bitcoin's PoW hash function might delay quantum computing's impact on mining. However, such considerations are speculative and dependent on future developments in quantum computing technology.