From: Ethan Heilman
Date: Mon, 7 Jul 2025 11:22:49 -0400
Subject: [bitcoindev] Changes to BIP-360 - Pay to Quantum Resistant Hash (P2QRH)
To: Bitcoin Development Mailing List

We made the following changes to BIP-360 (Pay to Quantum Resistant Hash) PR:


  • P2QRH (Pay to Quantum Resistant Hash) is now taproot (P2TR) but with the quantum vulnerable key-spend path removed.

  • PQ signatures have been moved to a future BIP (coming soon).

  • The plan for PQ signatures is to redefine OP_SUCCESSx opcodes: OP_CHECKMLSIG


Below we go into these changes one by one; see BIP-360 PR for full details (BIP-360 mediawiki render as of 7/7/2025).

P2QRH is now script-spend only P2TR (taproot), i.e. no quantum vulnerable key-spend. P2QRH outputs commit directly to the tapleaf merkle root computed by taproot.

The scriptPubKey for a P2QRH output is:

OP_PUSHNUM_3 OP_PUSHBYTES_32 <tapleaf merkle root>


Advantages of this approach


  1. We can reuse taproot code, but just skip taptweak steps.

  2. Everyone who understands P2TR, already understands P2QRH.

  3. By supporting tapscript and tapleaf, it supports everything that supports tapscript.

  4. P2QRH protects tapscript outputs against long-exposure attacks. This is a big win because long-exposure attacks will be practical before short-exposure attacks. Note: protecting against short-exposure attacks requires PQ signatures.

  5. P2QRH gives us similar functionality as the much discussed option of disabling key-spends in P2TR on Q-Day (when quantum attacks become practical), but with the added benefit that the ecosystem can upgrade well before Q-Day. This removes the risks of attempting a consensus change during an emergency or acting too late.


We moved PQ signatures specification out of BIP-360 so that P2QRH can be debated independently of the debate over PQ signature algorithms. This allows us to move forward on P2QRH without forcing a commitment to any particular algorithm.

BIP-360 includes a purely informational plan for adding PQ signature algorithms to tapscript. This plan is to add tapscript PQ signature verification opcodes for ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) via OP_SUCCESSx. This allows separate activation of PQ signature algorithms if desired and provides a pattern for adding new signature algorithms in the future. No new tapleaf version needed. The full specification will be given in a new BIP.

See BIP-360 for details.

Thanks,
Ethan and Hunter
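
The scriptPubKey layout described in the message, as an added example that is not part of the original email or of BIP-360 itself. It assumes the BIP-341 "TapLeaf" and "TapBranch" tagged hashes are reused unchanged (the message says the root is "computed by taproot"); the tree shape, helper names and sample leaf scripts are constructed for illustration, and the BIP-360 PR remains authoritative.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    # BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def compact_size(n: int) -> bytes:
    # Bitcoin CompactSize length prefix; this range covers any script length
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")

def tapleaf_hash(script: bytes, leaf_version: int = 0xc0) -> bytes:
    # BIP-341 leaf hash; 0xc0 is the tapscript leaf version
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)

def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    # BIP-341 branch hash: the two child hashes are sorted before hashing
    return tagged_hash("TapBranch", min(a, b) + max(a, b))

def merkle_root(leaf_hashes: list) -> bytes:
    # Tree shape is the wallet's choice (assumption here: pair left to right, carry an odd node up)
    if not leaf_hashes:
        raise ValueError("no leaves: nothing to commit to")
    level = list(leaf_hashes)
    while len(level) > 1:
        nxt = [tapbranch_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

def p2qrh_script_pubkey(root: bytes) -> bytes:
    # OP_PUSHNUM_3 (0x53) OP_PUSHBYTES_32 (0x20) <tapleaf merkle root>; no taptweak, no output key
    if len(root) != 32:
        raise ValueError("merkle root must be 32 bytes")
    return b"\x53\x20" + root

def parse_p2qrh(spk: bytes):
    # Returns the committed merkle root, or None if spk does not match the P2QRH template
    return spk[2:] if len(spk) == 34 and spk[:2] == b"\x53\x20" else None

# Constructed sample leaf scripts: a placeholder 32-byte push followed by OP_CHECKSIG
LEAVES = [b"\x20" + bytes([i]) * 32 + b"\xac" for i in (1, 2, 3)]
ROOT = merkle_root([tapleaf_hash(s) for s in LEAVES])
SPK = p2qrh_script_pubkey(ROOT)
print(SPK.hex())
```

A P2TR output uses the same 34-byte shape with OP_PUSHNUM_1 (0x51) and a tweaked public key in place of the root, which is why `parse_p2qrh` checks the leading opcode as well as the length.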
