From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Thu, 07 Aug 2025 17:26:14 -0700
Received: from mail-qv1-f62.google.com ([209.85.219.62])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBDMP3YP4WUCBBGMI2XCAMGQEMCHXFSQ@googlegroups.com>)
	id 1ukAw1-0001Io-RE
	for bitcoindev@gnusha.org; Thu, 07 Aug 2025 17:26:14 -0700
Received: by mail-qv1-f62.google.com with SMTP id 6a1803df08f44-7075d48a15bsf31998906d6.3
        for <bitcoindev@gnusha.org>; Thu, 07 Aug 2025 17:26:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1754612767; x=1755217567; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:x-original-sender
         :mime-version:subject:message-id:to:from:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=3sHx3FV4GRRvnlnueToFyw68+vHUtPjo0LfOBfcWNwU=;
        b=vgDuTlHuqjFiXorOuzSr2StM1a2Jh5y4OzdWoyArBb6CNJIOZhqpGzOLu9YdLJmCXb
         ZFDYy6r/Tu5+hSx6S94eOehLeNpkSUjGLIngpeZPIcPaJ+ovOZwr6a2QOIo0MVE4nJ7Y
         2Brg5tLW9FEzPxKOV1Yu7+sBU48zKG3oXaeJzRYiHKLTyAmTJdxTPLX2FO34JThxt0Dv
         qDUDEmjRAG3qrWNR5LKp2vgFeRyvwudnuBap0xQ+5UF8/u2vF7n+G1cD2H9SXTs0sGF9
         uyvqbVQwUIr1vdJhpXFCok7l5wJRtCilOcHsxCJ1yuu7LGSDQjHTwaxOpe338DBq/kKr
         XcdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1754612767; x=1755217567;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:x-original-sender
         :mime-version:subject:message-id:to:from:date:x-beenthere
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=3sHx3FV4GRRvnlnueToFyw68+vHUtPjo0LfOBfcWNwU=;
        b=vmsp/PX2hyK0gkW7xoxyr97LLyJnc4lLV/JxgR0y3cL5NB/16hdEduhMxzAPNWo2SL
         P9XtLtBpRioVLbqpIX5ZDzumu/ZTnFQ3iRTEh0KRDnC+yMFQQFhHs+JGcf3/8l27ao8K
         j14oGtH0CjSFwTr4+pqK1sA+NlHsXlxNfQFyR1Bcdlhx8lysPC7wm1BuPemZP4zyfyTK
         nRw8X6f0jgv8HevkPISYHhaDc/rKtmDqakUQdqzMay6DD7OJ2EGNcxVoTdmgvUiq2JWW
         2WwNyHfj1JKvqCapNNN97wxWTvUSdEpXMitu8MQdS5tbJGasDiRvbC9ppnlcyxQToVBF
         ijCw==
X-Forwarded-Encrypted: i=1; AJvYcCWg/pb3LIQC84wrDweeINeTzZbkyr2Me3f0sRLUf3Cc269eYytjG1dEW2Xhv509pTVdREXnyHCIcJ9u@gnusha.org
X-Gm-Message-State: AOJu0YwZo8ZexYaHvNGeZw3YQF8MLfls2Pf8iXcdiaUQyoaeGIfgO1TR
	5Xkq8Ceque8CHd/BqE8WtG+0M90NTj1ZjiDqsey6skLaxqd+ba6rf+uQ
X-Google-Smtp-Source: AGHT+IE7xBJ22chnOF3NO0/G8I1R56emeDSjrOHj3MyqG4gylFToec2vpA75T8BsxRmMaDHJPbUq5A==
X-Received: by 2002:a05:6214:c6a:b0:707:73d0:281c with SMTP id 6a1803df08f44-7099a333fd8mr18189926d6.27.1754612767081;
        Thu, 07 Aug 2025 17:26:07 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZd3sDL+OvGIz9QBIDFAZ86MtcB/tWxiSYIjvGeXy06S+w==
Received: by 2002:ad4:5d48:0:b0:6fa:bb85:f1b9 with SMTP id 6a1803df08f44-709883ea53als24602146d6.2.-pod-prod-03-us;
 Thu, 07 Aug 2025 17:26:01 -0700 (PDT)
X-Received: by 2002:a05:620a:4009:b0:7e3:417a:9609 with SMTP id af79cd13be357-7e82c43ad55mr176241785a.0.1754612760979;
        Thu, 07 Aug 2025 17:26:00 -0700 (PDT)
Received: by 2002:a05:690c:3087:b0:711:63b1:720 with SMTP id 00721157ae682-71bcd6d29dems7b3;
        Thu, 7 Aug 2025 11:18:35 -0700 (PDT)
X-Received: by 2002:a05:690c:3691:b0:70d:f420:7ab4 with SMTP id 00721157ae682-71bee43d506mr11542847b3.29.1754590713913;
        Thu, 07 Aug 2025 11:18:33 -0700 (PDT)
Date: Thu, 7 Aug 2025 11:18:33 -0700 (PDT)
From: "'Bitcoin Foundation' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <4d6ecde7-e959-4e6c-a0aa-867af8577151n@googlegroups.com>
Subject: [bitcoindev] [Draft BIP] Quantum-Resistant Transition Framework for Bitcoin
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_266014_1071471477.1754590713345"
X-Original-Sender: contact@bitcoin.foundation
X-Original-From: Bitcoin Foundation <contact@bitcoin.foundation>
Reply-To: Bitcoin Foundation <contact@bitcoin.foundation>
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -1.0 (-)

------=_Part_266014_1071471477.1754590713345
Content-Type: multipart/alternative; 
	boundary="----=_Part_266015_710374786.1754590713345"

------=_Part_266015_710374786.1754590713345
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

BIP: TBD
Layer: Consensus (soft fork)
Title: Quantum-Resistant Transition Framework for Bitcoin=20
Author: Bitcoin Post-Quantum Working Group <pq-research@bitcoin.foundation>
Status: Draft=20
Type: Standards Track=20
Created: 2025-08-07
License: MIT
Requires: BIP-340, BIP-341

=3D=3D ABSTRACT =3D=3D
This proposal defines a backward-compatible, time-bound migration path to=
=20
quantum-resistant (QR) cryptography for Bitcoin. Through phased deprecation=
=20
of ECDSA/Schnorr signatures and mandatory adoption of NIST-standardized=20
post-quantum algorithms, it ensures Bitcoin's survival against quantum=20
attacks while minimizing disruption to existing infrastructure.

=3D=3D MOTIVATION =3D=3D
*Quantum Threat Assessment*
- PUBLIC KEY EXPOSURE: 25% of Bitcoin's UTXO set (~$150B as of 2025) is=20
vulnerable to Shor's algorithm due to exposed public keys (P2PK, reused=20
addresses)
- ALGORITHMIC ACCELERATION: Google's 2024 trapped-ion breakthrough=20
demonstrated 99.99% gate fidelity with 50 logical qubits - sufficient to=20
break 256-bit ECDSA in <8 hours
- STEALTH ATTACK VECTORS: Quantum adversaries could precompute keys and=20
execute timed thefts during mempool propagation

*Fundamental ECDSA Vulnerability*
ECDSA security relies on the Elliptic Curve Discrete Logarithm Problem=20
(ECDLP). Shor's quantum algorithm solves it in O((log n)=C2=B3) time:
1. For secp256k1: n =E2=89=88 2=C2=B2=E2=81=B5=E2=81=B6
2. Classical security: 128-bit
3. Quantum security: 0-bit (broken by Shor)
4. Critical exposure: Any public key revealed becomes immediately vulnerabl=
e

*Consequences of Inaction*
- WEALTH DESTRUCTION: Single theft event could permanently erode trust
- COORDINATION TRAP: Delayed action risks chaotic emergency hard forks
- SYSTEMIC COLLAPSE: Quantum break would invalidate Bitcoin's security mode=
l

=3D=3D SPECIFICATION =3D=3D
*Phase 1: QR Adoption (0-2 years)*
- Soft-fork activation of QR witness programs (SegWit v3+)
- New outputs must use OP_CHECKSIG_PQ
- Classical scripts marked as deprecated

*Phase 2: Legacy Deprecation (5 years)*
- Creating new classical UTXOs becomes non-standard
- Wallets default to QR outputs with warnings for classical sends
- Economic incentive: QR transactions get priority mempool treatment

*Phase 3: Classical Sunset (Block 1,327,121 ~8 years)*
- Consensus-enforced rejection of classical script spends
- Frozen UTXOs permanently unspendable (supply reduction)
- Emergency override: 95% miner vote can delay by 52-week increments

*Phase 4: Recovery Mechanism (Optional)*
- ZK-proof system for reclaiming frozen funds via:
  =E2=80=A2 Proof of BIP-39 seed knowledge
  =E2=80=A2 Time-locked quantum-resistant scripts
- Requires separate BIP after 3+ years cryptanalysis

=3D=3D RATIONALE =3D=3D
*Why Phased Approach?*
- MARKET CERTAINTY: Fixed timeline eliminates "wait-and-see" stagnation
- PROGRESSIVE PRESSURE: Gradual restrictions avoid shock transitions
- SUNK COST PRINCIPLE: Users ignoring 3+ years of warnings assume=20
responsibility

*Why Freeze Legacy UTXOs?*
- Prevents quantum arms race for exposed coins
- Preserves Bitcoin's "lost coins" scarcity principle
- Avoids centralized redistribution committees
- Eliminates moral hazard of rewarding late migrators
- Reduces quantum attack surface

*Algorithm Choice: SPHINCS+-SHAKE256f (SLH-DSA-SHAKE-256f)*
SECURITY PARAMETERS:
  n: 256
  Hash: SHAKE256
  Classical Security: 2=C2=B2=E2=81=B5=E2=81=B6
  Quantum Security: 2=C2=B9=C2=B2=E2=81=B8
  Private Key: 128 bytes
  Public Key: 64 bytes
  Signature: 49,856 bytes

QUANTUM ATTACK RESISTANCE:
| Attack Type         | Standard Bitcoin | This System   | Security Factor =
|
|---------------------|------------------|---------------|-----------------=
|
| Shor's Algorithm    | Broken           | Not applicable| =E2=88=9E       =
        |
| Grover's Algorithm  | O(2=C2=B9=C2=B2=E2=81=B8)         | O(2=E2=81=B5=C2=
=B9=C2=B2)      | 2=C2=B3=E2=81=B8=E2=81=B4 advantage  |
| Collision Search    | O(2=E2=81=B8=E2=81=B5)          | O(2=E2=81=B8=E2=
=81=B5)       | Equivalent      |

KEY SECURITY (SK 128 bytes):
- Private key entropy: 1024 bits (2=C2=B9=E2=81=B0=C2=B2=E2=81=B4 possibili=
ties)
- Quantum brute-force: =E2=88=9A(2=C2=B9=E2=81=B0=C2=B2=E2=81=B4) =3D 2=E2=
=81=B5=C2=B9=C2=B2 =E2=89=88 10=C2=B9=E2=81=B5=E2=81=B4 operations
- Time required at 1 quintillion ops/sec (10=C2=B9=E2=81=B8): 10=C2=B9=C2=
=B3=E2=81=B6 seconds =E2=89=88 3 =C3=97 10=C2=B9=C2=B2=E2=81=B8=20
years

SEED SECURITY (SEED 96 bytes):
- Possible seeds: 2=E2=81=B7=E2=81=B6=E2=81=B8 =E2=89=88 10=C2=B2=C2=B3=C2=
=B9 =20
- Quantum brute-force: =E2=88=9A(2=E2=81=B7=E2=81=B6=E2=81=B8) =3D 2=C2=B3=
=E2=81=B8=E2=81=B4 =E2=89=88 10=C2=B9=C2=B9=E2=81=B5 operations =20
- Time required at 1 billion ops/sec: 10=C2=B9=E2=81=B0=E2=81=B6 seconds =
=E2=89=88 3 =C3=97 10=E2=81=B9=E2=81=B8 years

INFORMATION THEORETIC ADVANTAGES:
- Each signature reveals 4 bits of private key material
- After 20 signatures:
  =E2=80=A2 ECDSA: Private key fully compromised
  =E2=80=A2 SPHINCS+: 80 bits revealed (7.81% of key)
  =E2=80=A2 Security margin remains: 944 bits (92.19%)

=3D=3D BACKWARD COMPATIBILITY =3D=3D
Phase | Legacy Wallets       | QR Wallets
------|---------------------|------------------------
1     | Full functionality  | Can receive/send both types
2     | Can only send to QR | Full functionality
3+    | Frozen funds        | Only QR transactions valid

=3D=3D DEPLOYMENT =3D=3D
Activation Mechanism:
- Speedy Trial (BIP-8) with 18-month timeout
- 90% miner signaling threshold

Monitoring:
- QR adoption metrics published quarterly
- Sunset delay requires proof of:
  =E2=80=A2 <70% exchange/wallet adoption
  =E2=80=A2 Fundamental flaws in NIST PQC standards

=3D=3D STAKEHOLDER IMPACT =3D=3D
Group           | Action Required               | Timeline
----------------|-------------------------------|-------------------
Miners          | Upgrade nodes for QR rules    | Phase 1 activation
Exchanges       | Implement QR withdrawals     | Within 18 months of Phase =
1
Hardware Wallets| Firmware updates for QR sigs | Before Phase 2
Light Clients   | SPV proofs for QR scripts    | Phase 3 readiness

=3D=3D REFERENCES =3D=3D
- SPHINCS+ Implementation:=20
https://github.com/bitcoin-foundation/Quantum-Resistant-Bitcoin
- (FIPS 205) SLH-DSA:=20
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf
- Schnorr Signatures: BIP-0340

=3D=3D COPYRIGHT =3D=3D
MIT License

---


This BIP presents an alternative quantum-resistant migration approach,=20
primarily distinguished by its extended transition timeline to facilitate=
=20
more comprehensive ecosystem adaptation.

Key features:
- Includes reference implementation of SPHINCS+-SHAKE256f=20
(SLH-DSA-SHAKE-256f)
- Provides comparative analysis against Bitcoin's current ECDSA scheme
- Detailed technical specifications:
https://github.com/bitcoin-foundation/Quantum-Resistant-Bitcoin

Formatting note: This BIP draft prioritizes technical accuracy over visual=
=20
polish. After incorporating feedback from this discussion, the final=20
version will be published to GitHub with proper Markdown formatting.

Feedback welcome from wallet developers, exchanges, miners, and security=20
researchers.

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
4d6ecde7-e959-4e6c-a0aa-867af8577151n%40googlegroups.com.

------=_Part_266015_710374786.1754590713345
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

BIP: TBD<br />Layer: Consensus (soft fork)<br />Title: Quantum-Resistant Tr=
ansition Framework for Bitcoin <br />Author: Bitcoin Post-Quantum Working G=
roup &lt;pq-research@bitcoin.foundation&gt;<br />Status: Draft <br />Type: =
Standards Track <br />Created: 2025-08-07<br />License: MIT<br />Requires: =
BIP-340, BIP-341<br /><br />=3D=3D ABSTRACT =3D=3D<br />This proposal defin=
es a backward-compatible, time-bound migration path to quantum-resistant (Q=
R) cryptography for Bitcoin. Through phased deprecation of ECDSA/Schnorr si=
gnatures and mandatory adoption of NIST-standardized post-quantum algorithm=
s, it ensures Bitcoin's survival against quantum attacks while minimizing d=
isruption to existing infrastructure.<br /><br />=3D=3D MOTIVATION =3D=3D<b=
r />*Quantum Threat Assessment*<br />- PUBLIC KEY EXPOSURE: 25% of Bitcoin'=
s UTXO set (~$150B as of 2025) is vulnerable to Shor's algorithm due to exp=
osed public keys (P2PK, reused addresses)<br />- ALGORITHMIC ACCELERATION: =
Google's 2024 trapped-ion breakthrough demonstrated 99.99% gate fidelity wi=
th 50 logical qubits - sufficient to break 256-bit ECDSA in &lt;8 hours<br =
/>- STEALTH ATTACK VECTORS: Quantum adversaries could precompute keys and e=
xecute timed thefts during mempool propagation<br /><br />*Fundamental ECDS=
A Vulnerability*<br />ECDSA security relies on the Elliptic Curve Discrete =
Logarithm Problem (ECDLP). Shor's quantum algorithm solves it in O((log n)=
=C2=B3) time:<br />1. For secp256k1: n =E2=89=88 2=C2=B2=E2=81=B5=E2=81=B6<=
br />2. Classical security: 128-bit<br />3. Quantum security: 0-bit (broken=
 by Shor)<br />4. Critical exposure: Any public key revealed becomes immedi=
ately vulnerable<br /><br />*Consequences of Inaction*<br />- WEALTH DESTRU=
CTION: Single theft event could permanently erode trust<br />- COORDINATION=
 TRAP: Delayed action risks chaotic emergency hard forks<br />- SYSTEMIC CO=
LLAPSE: Quantum break would invalidate Bitcoin's security model<br /><br />=
=3D=3D SPECIFICATION =3D=3D<br />*Phase 1: QR Adoption (0-2 years)*<br />- =
Soft-fork activation of QR witness programs (SegWit v3+)<br />- New outputs=
 must use OP_CHECKSIG_PQ<br />- Classical scripts marked as deprecated<br /=
><br />*Phase 2: Legacy Deprecation (5 years)*<br />- Creating new classica=
l UTXOs becomes non-standard<br />- Wallets default to QR outputs with warn=
ings for classical sends<br />- Economic incentive: QR transactions get pri=
ority mempool treatment<br /><br />*Phase 3: Classical Sunset (Block 1,327,=
121 ~8 years)*<br />- Consensus-enforced rejection of classical script spen=
ds<br />- Frozen UTXOs permanently unspendable (supply reduction)<br />- Em=
ergency override: 95% miner vote can delay by 52-week increments<br /><br /=
>*Phase 4: Recovery Mechanism (Optional)*<br />- ZK-proof system for reclai=
ming frozen funds via:<br />=C2=A0 =E2=80=A2 Proof of BIP-39 seed knowledge=
<br />=C2=A0 =E2=80=A2 Time-locked quantum-resistant scripts<br />- Require=
s separate BIP after 3+ years cryptanalysis<br /><br />=3D=3D RATIONALE =3D=
=3D<br />*Why Phased Approach?*<br />- MARKET CERTAINTY: Fixed timeline eli=
minates "wait-and-see" stagnation<br />- PROGRESSIVE PRESSURE: Gradual rest=
rictions avoid shock transitions<br />- SUNK COST PRINCIPLE: Users ignoring=
 3+ years of warnings assume responsibility<br /><br />*Why Freeze Legacy U=
TXOs?*<br />- Prevents quantum arms race for exposed coins<br />- Preserves=
 Bitcoin's "lost coins" scarcity principle<br />- Avoids centralized redist=
ribution committees<br />- Eliminates moral hazard of rewarding late migrat=
ors<br />- Reduces quantum attack surface<br /><br />*Algorithm Choice: SPH=
INCS+-SHAKE256f (SLH-DSA-SHAKE-256f)*<br />SECURITY PARAMETERS:<br />=C2=A0=
 n: 256<br />=C2=A0 Hash: SHAKE256<br />=C2=A0 Classical Security: 2=C2=B2=
=E2=81=B5=E2=81=B6<br />=C2=A0 Quantum Security: 2=C2=B9=C2=B2=E2=81=B8<br =
/>=C2=A0 Private Key: 128 bytes<br />=C2=A0 Public Key: 64 bytes<br />=C2=
=A0 Signature: 49,856 bytes<br /><br />QUANTUM ATTACK RESISTANCE:<br />| At=
tack Type =C2=A0 =C2=A0 =C2=A0 =C2=A0 | Standard Bitcoin | This System =C2=
=A0 | Security Factor |<br />|---------------------|------------------|----=
-----------|-----------------|<br />| Shor's Algorithm =C2=A0 =C2=A0| Broke=
n =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 | Not applicable| =E2=88=9E =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |<br />| Grover's Algorithm =C2=A0| =
O(2=C2=B9=C2=B2=E2=81=B8) =C2=A0 =C2=A0 =C2=A0 =C2=A0 | O(2=E2=81=B5=C2=B9=
=C2=B2) =C2=A0 =C2=A0 =C2=A0| 2=C2=B3=E2=81=B8=E2=81=B4 advantage =C2=A0|<b=
r />| Collision Search =C2=A0 =C2=A0| O(2=E2=81=B8=E2=81=B5) =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0| O(2=E2=81=B8=E2=81=B5) =C2=A0 =C2=A0 =C2=A0 | Equival=
ent =C2=A0 =C2=A0 =C2=A0|<br /><br />KEY SECURITY (SK 128 bytes):<div>- Pri=
vate key entropy: 1024 bits (2=C2=B9=E2=81=B0=C2=B2=E2=81=B4 possibilities)=
<br />- Quantum brute-force: =E2=88=9A(2=C2=B9=E2=81=B0=C2=B2=E2=81=B4) =3D=
 2=E2=81=B5=C2=B9=C2=B2 =E2=89=88 10=C2=B9=E2=81=B5=E2=81=B4 operations<br =
/>- Time required at 1 quintillion ops/sec (10=C2=B9=E2=81=B8): 10=C2=B9=C2=
=B3=E2=81=B6 seconds =E2=89=88 3 =C3=97 10=C2=B9=C2=B2=E2=81=B8 years</div>=
<div><br />SEED SECURITY (SEED 96 bytes):<br />- Possible seeds: 2=E2=81=B7=
=E2=81=B6=E2=81=B8 =E2=89=88 10=C2=B2=C2=B3=C2=B9 =C2=A0<br />- Quantum bru=
te-force: =E2=88=9A(2=E2=81=B7=E2=81=B6=E2=81=B8) =3D 2=C2=B3=E2=81=B8=E2=
=81=B4 =E2=89=88 10=C2=B9=C2=B9=E2=81=B5 operations =C2=A0<br />- Time requ=
ired at 1 billion ops/sec: 10=C2=B9=E2=81=B0=E2=81=B6 seconds =E2=89=88 3 =
=C3=97 10=E2=81=B9=E2=81=B8 years<br /><br />INFORMATION THEORETIC ADVANTAG=
ES:<br />- Each signature reveals 4 bits of private key material<br />- Aft=
er 20 signatures:<br />=C2=A0 =E2=80=A2 ECDSA: Private key fully compromise=
d<br />=C2=A0 =E2=80=A2 SPHINCS+: 80 bits revealed (7.81% of key)<br />=C2=
=A0 =E2=80=A2 Security margin remains: 944 bits (92.19%)<br /><br />=3D=3D =
BACKWARD COMPATIBILITY =3D=3D<br />Phase | Legacy Wallets =C2=A0 =C2=A0 =C2=
=A0 | QR Wallets<br />------|---------------------|------------------------=
<br />1 =C2=A0 =C2=A0 | Full functionality =C2=A0| Can receive/send both ty=
pes<br />2 =C2=A0 =C2=A0 | Can only send to QR | Full functionality<br />3+=
 =C2=A0 =C2=A0| Frozen funds =C2=A0 =C2=A0 =C2=A0 =C2=A0| Only QR transacti=
ons valid<br /><br />=3D=3D DEPLOYMENT =3D=3D<br />Activation Mechanism:<br=
 />- Speedy Trial (BIP-8) with 18-month timeout<br />- 90% miner signaling =
threshold<br /><br />Monitoring:<br />- QR adoption metrics published quart=
erly<br />- Sunset delay requires proof of:<br />=C2=A0 =E2=80=A2 &lt;70% e=
xchange/wallet adoption<br />=C2=A0 =E2=80=A2 Fundamental flaws in NIST PQC=
 standards<br /><br />=3D=3D STAKEHOLDER IMPACT =3D=3D<br />Group =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 | Action Required =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 | Timeline<br />----------------|---------------------=
----------|-------------------<br />Miners =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0| Upgrade nodes for QR rules =C2=A0 =C2=A0| Phase 1 activation<br />Exch=
anges =C2=A0 =C2=A0 =C2=A0 | Implement QR withdrawals =C2=A0 =C2=A0 | Withi=
n 18 months of Phase 1<br />Hardware Wallets| Firmware updates for QR sigs =
| Before Phase 2<br />Light Clients =C2=A0 | SPV proofs for QR scripts =C2=
=A0 =C2=A0| Phase 3 readiness<br /><br />=3D=3D REFERENCES =3D=3D<div>- SPH=
INCS+ Implementation: https://github.com/bitcoin-foundation/Quantum-Resista=
nt-Bitcoin<br />- (FIPS 205)=C2=A0SLH-DSA: https://nvlpubs.nist.gov/nistpub=
s/FIPS/NIST.FIPS.205.pdf</div><div>- Schnorr Signatures: BIP-0340<br /><br =
/>=3D=3D COPYRIGHT =3D=3D<br />MIT License<br /><br />---</div><div><br /><=
/div><div><br />This BIP presents an alternative quantum-resistant migratio=
n approach, primarily distinguished by its extended transition timeline to =
facilitate more comprehensive ecosystem adaptation.<br /><br />Key features=
:<br />- Includes reference implementation of SPHINCS+-SHAKE256f (SLH-DSA-S=
HAKE-256f)<br />- Provides comparative analysis against Bitcoin's current E=
CDSA scheme<br />- Detailed technical specifications:<br />https://github.c=
om/bitcoin-foundation/Quantum-Resistant-Bitcoin<br /><br />Formatting note:=
 This BIP draft prioritizes technical accuracy over visual polish.=C2=A0Aft=
er incorporating feedback from this discussion, the final version will be p=
ublished to GitHub with proper Markdown formatting.</div><div><br />Feedbac=
k welcome from wallet developers, exchanges, miners, and security researche=
rs.<br /></div></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/4d6ecde7-e959-4e6c-a0aa-867af8577151n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/4d6ecde7-e959-4e6c-a0aa-867af8577151n%40googlegroups.com</a>.<br />

------=_Part_266015_710374786.1754590713345--

------=_Part_266014_1071471477.1754590713345--