BIP-360: QuBit - Pay to Quantum Resistant Hash #1670
Conversation
There was a problem hiding this comment.
Interesting (the question of resistance to quantum computing may have resurged lately with the publication of https://scottaaronson.blog/?p=8329, see also https://x.com/n1ckler/status/1839215426091249778).
cryptoquick
force-pushed
the
p2qrh
branch
2 times, most recently
from
b6ed2c3 to
d6d15ad
Compare
cryptoquick
force-pushed
the
p2qrh
branch
2 times, most recently
from
0608cc1 to
a595bf0
Compare
cryptoquick
force-pushed
the
p2qrh
branch
2 times, most recently
from
19d4592 to
7f4456d
Compare
|
@cryptoquick Can you begin to write up the sections currently marked as TBD, along with a backwards compatibility section (to describe incompatibilities, severity, and suggest mitigations, where applicable/relevant)? We've begun to reserve a range of BIP numbers for this topic, pending continued progress here. |
jonatack
added
the
PR Author action required
|
@cryptoquick ping for an update here. Have you seen https://groups.google.com/g/bitcoindev/c/p8xz08YTvkw / https://github.com/chucrut/bips/blob/master/bip-xxxx.md? It may be interesting to review each other and possibly collaborate. |
bip-0360.mediawiki
Outdated
|
|
||
| ==== Sighash Calculation ==== | ||
|
|
||
| The sighash for P2QRH outputs follows the same procedure as defined in BIP-0143 for SegWit transactions: |
There was a problem hiding this comment.
Is there any reason why this is based on SegWit's BIP-0143 instead of Taproot which brought some reasonable changes? See https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#signature-validation-rules
There was a problem hiding this comment.
That's a good catch, I hadn't thought of that. I'll get that updated.
- [x] Add verification times - [x] 256 -> 128 (NIST V -> NIST I) - [x] Multisig threshold and bitmask bytes - [x] Bitmask for all four signature types - [x] Taproot compatibility
|
I just pushed some updates. They can be found here: I appreciate everyone's feedback so far. There have been nearly 300 comments on this pull request, which is great and I won't complain about the attention. Lots of feedback has been helpful, including about the multisig merkle tree hashing mechanism and the suggestion to use NIST I cryptography as NIST V has repeatedly been deemed overkill. Additionally, some oversights around sighash flags and Taproot compatibility were addressed. BIP-360 is not the perfect solution, and it never was supposed to be. It is, however, the best compromise between various technical requirements I can come up with, and I hope that the technical decisions made are sensible when viewed in combination. As the first BIP to address quantum security, I intend it to be the most mature and conservative solution to the problem. I hope now I've addressed all the holes present in the design. My next steps are to build the test vectors json using a fork of rust-bitcoin, which I will call rust-bitcoin-pqc. I will also be making a library called libbitcoinpqc, written in C but with Rust bindings included, and eventually I will integrate these into a fork of BDK I will call QBDK. |
|
@cryptoquick I re-read through the review feedback of the past four months, but it is difficult and laborious to try to understand what you did to concretely address each comment. Would you please indicate in response to each comment the link to the commit patch with the relevant change you made, and particular for the review feedback from @jonasnick and @vostrnad above? There is also review feedback marked as resolved, but without a reply. Please help reviewers connect the dots :) Those pointers would be very helpful, I think, in determining what was done and/or remains to be done in response, and would aid review. |
|
@jonatack Thank you for the advice! I went back and did my best to provide some links to the relevant changes. Hope that helps. Also, I've made a note to address this concern I overlooked: https://github.com/bitcoin/bips/pull/1670/files#r1994349769 I'd appreciate any thoughts you have on that. Thanks! |
…ch from merkle tree commitment to sorted vector hash commitment.
|
In the above changeset I rethought how we do the SegWit v3 scriptPubKey hash commitment... I think the merkle tree is nonsense at this point, since it cannot be sparse because all public key hashes must be known in advance in order to compute a complete commitment. Even in selective disclosure, all hashes have to be provided. @EthanHeilman originally suggested the merkle tree to me, so maybe there's something I'm missing, but for now I'm going back to concatenated hashes. Hopefully this simplifies the BIP a bit, also. I also made sure we're more declarative of keytypes and thresholds in the attestation because bytes there will be cheap, especially if there's an increased attestation discount. The reason the attestation exists is because it can be discounted separately and its functionality limited to fixed signature operations. |
|
In the above changeset I also updated the descriptor format to show a more complete example of how I expect selectively disclosed threshold multisigs to work. |
|
Is there somethin in a horizon, how can we reflect the current progression in percent. A clarfication meeting was requested to accelerate finalizing pqcBitcoin but no feedback. |
|
@QbitsCode A community call isn't a bad idea. If there is one, we'll most likely announce it in our Telegram group. |
There was a problem hiding this comment.
People appear to agree conceptually that we should be looking into PQ, but skimming the conversation on this PR, I must admit that I am a bit concerned regarding the seeming lack of approach buy-in.
There seem to be concerns about e.g., introducing too many different PQ Signature schemes introducing unnecessary complexity, the resulting scheme dropping support for existing features, and uncertainty about the properties of the attestation structure's properties. It also seems to me that it is not clear to me what the priority is:
If this is developing an emergency PQ-response that might be deployed on short notice, it would seem that going for less complexity would be fruiltful. If we are going for a fully-fledged, comprehensive response to PQ, it should e.g., not gratuitously drop support for scripting in outputs—don’t we still want HTLCs in a PQ future?
While you are reconsidering the structure of the attestation, perhaps it would be good to take another step back and collect more input on the big picture design goals before jumping back into the tweaking details of another variant of the same approach.
|
Thanks for chiming in once more, Murch.
You have good timing with this, since I just published libbitcoinpqc, which should be a one-stop shop focal point for PQC needed for BIP-360, similar to how libsecp256k1 was for BIP-340. You can check out that work here: The algorithmic complexity shouldn't be so bad now that it's abstracted in a useful way.
I'm not dropping support for witness scripts. The attestation is just like putting additional locks on coins in an address, in addition to whatever is expected to happen in the witness. I expect this to be compatible with a lot that's already been developed for Lightning and Taproot. I would like to verify that in practice however. A good start to that would be post quantum-flavored versions of rust-bitcoin, BDK, and LDK.
Perhaps, but another alternative is to put the work needed into proving out this design. There's too many variables to consider without something concrete to work from and think about. I'm definitely willing to do that in order to prove that BIP-360 works in various scenarios. |
bip-0360.mediawiki
Outdated
| This design maintains compatibility for [https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki BIP-114] | ||
| Taproot Merkelized Alternative Script Tree (MAST) merkle root in the commitment, which makes P2QRH a | ||
| quantum-resistant version of Taproot transactions. The TapScript itself must however be provided in the witness, |
There was a problem hiding this comment.
Did you mean to refer to BIP 341 here?
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
|
the idea itself is quite simple, we have a separate address, a separate storage of keys, a double signature. In the case of old wallets ignore the new pq signature when verify, new ones read both. but we will most likely have to forgot about derevation logic in new address type atleast for now, yes it will make the wallet file thicker, and the blockchain will become thicker. But it will provide additional security, also do not forget that unlike the same ETH, Bitcoin blockchain can be kept on HDD without problems and pruned, when ETH only requires super fast SSD.. and there pq signatures will be real problem. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
@cryptoquick any update here? |
|
@jonatack I'm waiting for Ethan to finish his rewrite before adding new changes. Please bear with us, the wait will be worth it! |
This comment has been minimized.
This comment has been minimized.
This comment was marked as duplicate.
This comment was marked as duplicate.
|
@EthanHeilman has joined the chat. |
* Rewrote rationale * Fix bolded principles * Actually fix bold * Updates to talk about signature + public key size rather than just signature size * Took a pass over rationale * Started work on specification * Adds example tapscript hybrid signatures * More work on the specification * Cleans up TODO * Fixing grammar, other minor changes * SHL --> SLH * Apply suggestions from code review Co-authored-by: Hunter Beast <[email protected]> * Adds discussion of SQIsign * Fixes broken llink to libbitcoinpqc Co-authored-by: Hunter Beast <[email protected]> * Fixes writing in SQIsign section Co-authored-by: Hunter Beast <[email protected]> * Add rational section on big signatures and public keys * Fixes typos * Adds script validation from BIP 341 * Add commas * Add design section, stack element size increase now in PQ sigs * Fixes typo * Fixes typos and formatting Co-authored-by: Hunter Beast <[email protected]> * Add authorship to readme * Add diagram of P2QRH merke tree, scriptPubKey and Witness * Remove completed todo * Add security section * Clean up wording, moves some things around * Minor rewording * Review suggestions Co-authored-by: Hunter Beast <[email protected]> * Clarified size differences * Changed header size and order * does --> doUpdate bip-0360.mediawiki Co-authored-by: Hunter Beast <[email protected]> * Add related work section * Better scale figure * Respond to review comments * remove double space Co-authored-by: Armin Sabouri <[email protected]> * Address review comments * Addressing Ademan comments * Sync source svg * Address review * Addresses review * Apply suggestions from code review Co-authored-by: Joey Yandle <[email protected]> * Update bip-0360.mediawiki Co-authored-by: Joey Yandle <[email protected]> * Update bip-0360.mediawiki Co-authored-by: Joey Yandle <[email protected]> * Addressing review comments * Addressing reviews --------- Co-authored-by: Hunter Beast <[email protected]> Co-authored-by: Armin Sabouri <[email protected]> Co-authored-by: Joey Yandle <[email protected]>
|
The latest has been merged. This is a very different BIP now and took a lot of time and effort. We'll be making an announcement to the mailing list soon. Thanks everyone to who reviewed, and thanks @EthanHeilman for all the help as co-author. |
This spent several months gathering feedback from the mailing list and from other advisors. This is hopefully polished enough to submit upstream.
Let me know if you have any questions or feedback, and of course feel free to submit suggestions.
Thank you for your time.