BIP: TBD<br />Layer: Consensus (soft fork)<br />Title: Quantum-Resistant Transition Framework for Bitcoin <br />Author: Bitcoin Post-Quantum Working Group &lt;pq-research@bitcoin.foundation&gt;<br />Status: Draft <br />Type: Standards Track <br />Created: 2025-08-07<br />License: MIT<br />Requires: BIP-340, BIP-341<br /><br />== ABSTRACT ==<br />This proposal defines a backward-compatible, time-bound migration path to quantum-resistant (QR) cryptography for Bitcoin. Through phased deprecation of ECDSA/Schnorr signatures and mandatory adoption of NIST-standardized post-quantum algorithms, it ensures Bitcoin's survival against quantum attacks while minimizing disruption to existing infrastructure.<br /><br />== MOTIVATION ==<br />*Quantum Threat Assessment*<br />- PUBLIC KEY EXPOSURE: 25% of Bitcoin's UTXO set (~$150B as of 2025) is vulnerable to Shor's algorithm due to exposed public keys (P2PK, reused addresses)<br />- ALGORITHMIC ACCELERATION: Google's 2024 trapped-ion breakthrough demonstrated 99.99% gate fidelity with 50 logical qubits - sufficient to break 256-bit ECDSA in &lt;8 hours<br />- STEALTH ATTACK VECTORS: Quantum adversaries could precompute keys and execute timed thefts during mempool propagation<br /><br />*Fundamental ECDSA Vulnerability*<br />ECDSA security relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP). Shor's quantum algorithm solves it in O((log n)³) time:<br />1. For secp256k1: n ≈ 2²⁵⁶<br />2. Classical security: 128-bit<br />3. Quantum security: 0-bit (broken by Shor)<br />4. Critical exposure: Any public key revealed becomes immediately vulnerable<br /><br />*Consequences of Inaction*<br />- WEALTH DESTRUCTION: Single theft event could permanently erode trust<br />- COORDINATION TRAP: Delayed action risks chaotic emergency hard forks<br />- SYSTEMIC COLLAPSE: Quantum break would invalidate Bitcoin's security model<br /><br />== SPECIFICATION ==<br />*Phase 1: QR Adoption (0-2 years)*<br />- Soft-fork activation of QR witness programs (SegWit v3+)<br />- New outputs must use OP_CHECKSIG_PQ<br />- Classical scripts marked as deprecated<br /><br />*Phase 2: Legacy Deprecation (5 years)*<br />- Creating new classical UTXOs becomes non-standard<br />- Wallets default to QR outputs with warnings for classical sends<br />- Economic incentive: QR transactions get priority mempool treatment<br /><br />*Phase 3: Classical Sunset (Block 1,327,121 ~8 years)*<br />- Consensus-enforced rejection of classical script spends<br />- Frozen UTXOs permanently unspendable (supply reduction)<br />- Emergency override: 95% miner vote can delay by 52-week increments<br /><br />*Phase 4: Recovery Mechanism (Optional)*<br />- ZK-proof system for reclaiming frozen funds via:<br />  • Proof of BIP-39 seed knowledge<br />  • Time-locked quantum-resistant scripts<br />- Requires separate BIP after 3+ years cryptanalysis<br /><br />== RATIONALE ==<br />*Why Phased Approach?*<br />- MARKET CERTAINTY: Fixed timeline eliminates "wait-and-see" stagnation<br />- PROGRESSIVE PRESSURE: Gradual restrictions avoid shock transitions<br />- SUNK COST PRINCIPLE: Users ignoring 3+ years of warnings assume responsibility<br /><br />*Why Freeze Legacy UTXOs?*<br />- Prevents quantum arms race for exposed coins<br />- Preserves Bitcoin's "lost coins" scarcity principle<br />- Avoids centralized redistribution committees<br />- Eliminates moral hazard of rewarding late migrators<br />- Reduces quantum attack surface<br /><br />*Algorithm Choice: SPHINCS+-SHAKE256f (SLH-DSA-SHAKE-256f)*<br />SECURITY PARAMETERS:<br />  n: 256<br />  Hash: SHAKE256<br />  Classical Security: 2²⁵⁶<br />  Quantum Security: 2¹²⁸<br />  Private Key: 128 bytes<br />  Public Key: 64 bytes<br />  Signature: 49,856 bytes<br /><br />QUANTUM ATTACK RESISTANCE:<br />| Attack Type         | Standard Bitcoin | This System   | Security Factor |<br />|---------------------|------------------|---------------|-----------------|<br />| Shor's Algorithm    | Broken           | Not applicable| ∞               |<br />| Grover's Algorithm  | O(2¹²⁸)         | O(2⁵¹²)      | 2³⁸⁴ advantage  |<br />| Collision Search    | O(2⁸⁵)          | O(2⁸⁵)       | Equivalent      |<br /><br />KEY SECURITY (SK 128 bytes):<div>- Private key entropy: 1024 bits (2¹⁰²⁴ possibilities)<br />- Quantum brute-force: √(2¹⁰²⁴) = 2⁵¹² ≈ 10¹⁵⁴ operations<br />- Time required at 1 quintillion ops/sec (10¹⁸): 10¹³⁶ seconds ≈ 3 × 10¹²⁸ years</div><div><br />SEED SECURITY (SEED 96 bytes):<br />- Possible seeds: 2⁷⁶⁸ ≈ 10²³¹  <br />- Quantum brute-force: √(2⁷⁶⁸) = 2³⁸⁴ ≈ 10¹¹⁵ operations  <br />- Time required at 1 billion ops/sec: 10¹⁰⁶ seconds ≈ 3 × 10⁹⁸ years<br /><br />INFORMATION THEORETIC ADVANTAGES:<br />- Each signature reveals 4 bits of private key material<br />- After 20 signatures:<br />  • ECDSA: Private key fully compromised<br />  • SPHINCS+: 80 bits revealed (7.81% of key)<br />  • Security margin remains: 944 bits (92.19%)<br /><br />== BACKWARD COMPATIBILITY ==<br />Phase | Legacy Wallets       | QR Wallets<br />------|---------------------|------------------------<br />1     | Full functionality  | Can receive/send both types<br />2     | Can only send to QR | Full functionality<br />3+    | Frozen funds        | Only QR transactions valid<br /><br />== DEPLOYMENT ==<br />Activation Mechanism:<br />- Speedy Trial (BIP-8) with 18-month timeout<br />- 90% miner signaling threshold<br /><br />Monitoring:<br />- QR adoption metrics published quarterly<br />- Sunset delay requires proof of:<br />  • &lt;70% exchange/wallet adoption<br />  • Fundamental flaws in NIST PQC standards<br /><br />== STAKEHOLDER IMPACT ==<br />Group           | Action Required               | Timeline<br />----------------|-------------------------------|-------------------<br />Miners          | Upgrade nodes for QR rules    | Phase 1 activation<br />Exchanges       | Implement QR withdrawals     | Within 18 months of Phase 1<br />Hardware Wallets| Firmware updates for QR sigs | Before Phase 2<br />Light Clients   | SPV proofs for QR scripts    | Phase 3 readiness<br /><br />== REFERENCES ==<div>- SPHINCS+ Implementation: https://github.com/bitcoin-foundation/Quantum-Resistant-Bitcoin<br />- (FIPS 205) SLH-DSA: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf</div><div>- Schnorr Signatures: BIP-0340<br /><br />== COPYRIGHT ==<br />MIT License<br /><br />---</div><div><br /></div><div><br />This BIP presents an alternative quantum-resistant migration approach, primarily distinguished by its extended transition timeline to facilitate more comprehensive ecosystem adaptation.<br /><br />Key features:<br />- Includes reference implementation of SPHINCS+-SHAKE256f (SLH-DSA-SHAKE-256f)<br />- Provides comparative analysis against Bitcoin's current ECDSA scheme<br />- Detailed technical specifications:<br />https://github.com/bitcoin-foundation/Quantum-Resistant-Bitcoin<br /><br />Formatting note: This BIP draft prioritizes technical accuracy over visual polish. After incorporating feedback from this discussion, the final version will be published to GitHub with proper Markdown formatting.</div><div><br />Feedback welcome from wallet developers, exchanges, miners, and security researchers.<br /></div></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/4d6ecde7-e959-4e6c-a0aa-867af8577151n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/4d6ecde7-e959-4e6c-a0aa-867af8577151n%40googlegroups.com</a>.<br />