BIP-360: QuBit - Pay to Quantum Resistant Hash

[cryptoquick]

This spent several months gathering feedback from the mailing list and from other advisors. This is hopefully polished enough to submit upstream.

Let me know if you have any questions or feedback, and of course feel free to submit suggestions.

Thank you for your time.

[jonatack]

Interesting (the question of resistance to quantum computing may have resurged lately with the publication of https://scottaaronson.blog/?p=8329, see also https://x.com/n1ckler/status/1839215426091249778).

[jonatack]

@cryptoquick Can you begin to write up the sections currently marked as TBD, along with a backwards compatibility section (to describe incompatibilities, severity, and suggest mitigations, where applicable/relevant)? We've begun to reserve a range of BIP numbers for this topic, pending continued progress here.

[jonatack]

@cryptoquick ping for an update here. Have you seen https://groups.google.com/g/bitcoindev/c/p8xz08YTvkw / https://github.com/chucrut/bips/blob/master/bip-xxxx.md? It may be interesting to review each other and possibly collaborate.

[kayabaNerve]

Sorry for being late, but was any thought been given to the feasibility of cryptographic multisig for the algorithms named?

Raccoon has a few threshold signature protocols which can drop in with the originally defined Raccoon (so long as parameters are mutual).

https://eprint.iacr.org/2024/1291
https://eprint.iacr.org/2024/184
https://eprint.iacr.org/2024/496

This would avoid the on-chain cost of several signatures and provide indistinguishability.

[cryptoquick]

@kayabaNerve This BIP supports multisig. Maybe threshold signatures can be added once they're more mature.

[kayabaNerve]

I'm aware of the on-chain multisig possible with this proposal, which would have non-trivial scalability limits.

Raccoon was one of the PQ signature algorithms submitted to the NIST competition for additional schemes, alongside SQIsign. It isn't explicitly/inherently a threshold signature and just has threshold signature schemes available. I'd question if it is too immature given the (currently rather) unique benefits provided.

[vostrnad]

It seems intuitive that a short range attack would require a more powerful QC than a long range attack, but is this just intuition or is it rooted in actual science? In the former case this text needs more "may"s and "it is believed"s, and in the latter case a link to relevant research.

[cryptoquick]

Yes, I will add this section:

<ref name="short-range">
In the paper
[https://arxiv.org/pdf/2306.08585 How to compute a 256-bit elliptic curve private key with only 50 million Toffoli gates]
the authors estimate that CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a
256-bit key, while a CRQC with 6.9 million physical qubits would take 58 seconds. This implies that a CRQC with 4x as
many qubits would be roughly 7 times faster.
</ref>

[murchandamus]

Sorry for the many comments. I’m glad that someone is looking into this topic, but it seems to me that there are still many unknowns with the topic, and I’m not sure the proposal is already at a level where it provides sufficient information for anyone to fashion an implementation.

[murchandamus]

I’m fairly lost here. The multiple public keys and tree construction seems to be mentioned for the first time here. If there was rationale for this tree construction, I missed it. It’s not clear to me what this tree construction achieves. How many of the public keys can be provided directly in the form of their hashes? When you mention MAST, I assume you mean "Merklized Alternative Script Trees", so one would spend by revealing only a single key from the tree and satisfy its spending conditions? Altogether, this section is hard to follow for me.

[cryptoquick]

I've tried to add more supporting information. Let me know if that's better.

[murchandamus]

I think I’m slowly getting the gist of it, but it might help to cover the abstract idea briefly at a higher level before getting into all the details.

[jonatack]

BIP114 is also named "MAST" (Merkelized Abstract Syntax Trees), so perhaps write out the MAST you are referring to here.

[murchandamus]

Should the flag not be considered a boolean array? 0x01 for witness, 0x02 for attestation, 0x03 for witness and attestation? Is it possible for an attestation to appear without a witness section?

[cryptoquick]

I've considered this, and yes, it might make sense if we've completely transitioned away from classical cryptography. I'll be sure to factor that in.

[murchandamus]

I haven’t thought a lot about this, but given the goal of extensibility, it might be good to add a byte to indicate a signature type for more flexibility?

[cryptoquick]

As I go into in the Signature Algorithm Identification section, we just use the length of the key and signature to indicate signature type. If there's overlap, an extra byte is added.

[murchandamus]

For a multisignature scheme, would you need to reveal multiple leafs from the pubkey tree? From what I understood the tree can only hold public keys, not scripts. How then is the threshold communicated? Wouldn’t a spender be able to reveal only their own key and provide a signature for that?

[cryptoquick]

That's a good point. Does that need to be committed to in the output or just expressed in the attestation?

[murchandamus]

If it’s not committed to in advance, you are building either a 1-of-n or a 0-of-n scheme, depending on the minimum value for the threshold.

[cryptoquick]

That makes sense. So, we essentially need to commit to a script hash. I'm thinking we just do a bunch of consecutive data pushes of PKHs and they correspond to leaves on a binary tree. This is then included in the witness. Keys in the attestation are hashed and compared to the PKHs in the v3 witness. Like this:

OP_3
OP_PUSHBYTES_32
d81fd577272bbe73308c93009eec5dc9fc319fc1ee2e7066e17220a5d47a1a5
OP_PUSHBYTES_32
8314578be2faea34b9f1f8ca078f8621acd4bc22897b03daa422b9bf56646b3
OP_PUSHBYTES_32
ec3afff0b2b66e8152e9018fe3be3fc92b30bf886b3487a525997d00fd9dae1
OP_PUSHBYTES_32
2d012dce5d5275854adc3106572a5d1e12d4211b228429f5a7b2f7ba92eb047
OP_PUSHBYTES_32
b49b496684b02855bc32f5daefa2e2e406db4418f3b86bca5195600951c7db9
OP_5
OP_CHECKMULTISIG

Notice, all 5 PKHs need to be committed to in advance in the script hash. Maybe we need to introduce a concept like QPKH? QuBit public key hash? And QSH for script hashes? Or would APKH / ASH be better, for attestation?

What do you think? This I think will obviate the necessity for a merkle tree, as recommended by @EthanHeilman. If 3 public keys aren't included and don't hash to any of the public keys in the script hash, then the transaction fails.

[murchandamus]

After going over the editor checklist, I’m not sure why the term "QuBit" is introduced.

Altogether, it feels like Motivation and Rationale are giving a very broad overview of the topic, straying maybe a bit too far for a document describing "Spending Rules". Perhaps the document could be more concise in several sections, and the corresponding information could be provided outside of the BIP and just linked, or moved to the footnotes.

[murchandamus]

Is the intention to make a group of several BIPs that are intended to be activated together like SegWit? Otherwise I’m not sure whether I get the purpose of introducing the term "QuBit" here.

[cryptoquick]

That is the idea, yes. QuBit is the name of the soft fork, similar to SegWit and Taproot.

[cryptoquick]

@murchandamus @vostrnad Thank you for taking the time to review. I realize this is a long BIP and there's a lot to go over, but I think it's important as the first quantum BIP to go into the problem in detail. In that way it's similar to BIP-52.

Regardless, I've made updates to satisfy your recommendations the best I can, here's a diff for your convenience:
0fdd8c3

For context, I also intend to introduce a QuBit activation BIP, and a P2TRH BIP separate from QuBit. Additionally, I realize that there's some sections here that are underspecified. That will come with test vectors and an implementation, which I'm working towards.

[murchandamus]

Just a few quick responses to the edits

[murchandamus]

Have you considered making this tagged hashes to mitigate some of the general issues with Satoshi-style merkle trees?

[cryptoquick]

I have not. I'm not familiar with the problem with Satoshi-style merkle trees. Wouldn't tagged hashes require additional data?

[murchandamus]

No, they’re the same cost, you just prefix the hashing process with the tag. The advantage is that it prevents any collisions or hashing the same things at different levels of the tree in different contexts. They could for example be used to disambiguate the different types of cryptographic schemes on the public key commitment level for free, or for distinguishing public key hashes from inner node hashes. I’m not sure they’re necessary here, but they clean-up a whole category of issues, so they might be useful.

[cryptoquick]

That makes sense. That might be a good idea, if we are using Merkle trees.

[murchandamus]

I think I’m slowly getting the gist of it, but it might help to cover the abstract idea briefly at a higher level before getting into all the details.

[murchandamus]

This is all that I have at this time from an editorial standpoint.It would be good if this proposal got more feedback and/or endorsements from domain experts in the next steps.

[murchandamus]

No, they’re the same cost, you just prefix the hashing process with the tag. The advantage is that it prevents any collisions or hashing the same things at different levels of the tree in different contexts. They could for example be used to disambiguate the different types of cryptographic schemes on the public key commitment level for free, or for distinguishing public key hashes from inner node hashes. I’m not sure they’re necessary here, but they clean-up a whole category of issues, so they might be useful.

[mraksoll4]

the main problem that I see is decryptor wallets, as well as a master private key and a master public key, curves allow us to use something like this, but post-quantum algorithms do not provide such an opportunity (in current implementations)

if use clasic logic with key pool , we simple get key pairs and use them

but how are we going to associate a key obtained from master keys with post quantum keys?

[cryptoquick]

@mraksoll4 All PQC algos will of course need to be compatible with BIP-32 HD wallet-style key derivation. There are definitely PQC libraries out there that just assume you'll never want to bring your own entropy, and so they don't provide a field or argument to provide that, but the intention behind the implementation of this BIP is that there will be a custom PQC library for bitcoin specifically that will implement things like this. So, your concern, while valid, is an implementation detail, and doesn't really have much bearing on the BIP itself.

[mraksoll4]

@mraksoll4 All PQC algos will of course need to be compatible with BIP-32 HD wallet-style key derivation. There are definitely PQC libraries out there that just assume you'll never want to bring your own entropy, and so they don't provide a field or argument to provide that, but the intention behind the implementation of this BIP is that there will be a custom PQC library for bitcoin specifically that will implement things like this. So, your concern, while valid, is an implementation detail, and doesn't really have much bearing on the BIP itself.

Well, we have no problems with private keys, and also with generating from a seed, I have already implemented for experiments on the liboqs library the use of my own seed for falcon and dilithium to obtain a pair of keys, as well as obtaining a public key from a private one.

There are also no problems with multi-signature, the signature itself can be merged.

but we have a problem with obtaining public keys from the master public key ; due to the design of post quantum algorithms, we do not have the ability to obtain public keys from other public keys through predictable mathematical operations as in ecdsa.

although perhaps I don’t fully understand how we get the master public key.

how start you can see at base examle .

open-quantum-safe/liboqs#2031

first we need to solve the problem of key hierarchy, or we will have to forget about generating public keys without cration the private key, although for example in Falcon you don't need the entire private key but only part of it to reconstruct the public key

/*
 * This function reconstructs the public key from a given private key.
 * It decodes the private key components (f and g) from the secret key
 * and uses them to regenerate the corresponding public key (h).
 * The generated public key is then encoded into the provided pk array.
 * 
 * public (pk):  The output buffer where the public key will be stored (must be at least PQCLEAN_FALCON512_CLEAN_CRYPTO_PUBLICKEYBYTES in size).
 * private (sk):  The input secret key (private key) in byte array format (must be PQCLEAN_FALCON512_CLEAN_CRYPTO_SECRETKEYBYTES in size).
 * Return value: 0 on success, -1 on error.
 */
int 
PQCLEAN_FALCON1024_CLEAN_crypto_sign_pubkey_from_privkey(
    uint8_t *pk, const uint8_t *sk) {
    union {
        uint8_t b[FALCON_KEYGEN_TEMP_10];
        uint64_t dummy_u64;
        fpr dummy_fpr;
    } tmp;
    int8_t f[1024], g[1024], F[1024];
    uint16_t h[1024];
    size_t u, v;

    /*
     * Decode the private key.
     */
    if (sk[0] != 0x50 + 10) {
        return -1;
    }
    u = 1;
    v = PQCLEAN_FALCON1024_CLEAN_trim_i8_decode(
            f, 10, PQCLEAN_FALCON1024_CLEAN_max_fg_bits[10],
            sk + u, PQCLEAN_FALCON1024_CLEAN_CRYPTO_SECRETKEYBYTES - u);
    if (v == 0) {
        return -1;
    }
    u += v;
    v = PQCLEAN_FALCON1024_CLEAN_trim_i8_decode(
            g, 10, PQCLEAN_FALCON1024_CLEAN_max_fg_bits[10],
            sk + u, PQCLEAN_FALCON1024_CLEAN_CRYPTO_SECRETKEYBYTES - u);
    if (v == 0) {
        return -1;
    }

    /*
     * Reconstruct the public key using f and g by calling the compute_public function.
     */
    if (!PQCLEAN_FALCON1024_CLEAN_compute_public(h, f, g, 10, tmp.b)) {
        return -1;
    }

    /*
     * Encode public key.
     */
    pk[0] = 0x00 + 10;
    v = PQCLEAN_FALCON1024_CLEAN_modq_encode(
            pk + 1, PQCLEAN_FALCON1024_CLEAN_CRYPTO_PUBLICKEYBYTES - 1,
            h, 10);
    if (v != PQCLEAN_FALCON1024_CLEAN_CRYPTO_PUBLICKEYBYTES - 1) {
        return -1;
    }

    return 0;
}

[jonatack]

Did another review pass. Updated the PR title, as it looks like the BIP is now named "Pay to Quantum Resistant Hash."

Have you read the mail list discussion at https://groups.google.com/g/bitcoindev/c/8O857bRSVV8? It might be good to weigh in there if you're inclined.

Most important of the comments below: #1670 (comment) and #1670 (comment).

[jonatack]

nit, let's avoid a line break in the url here, and s/estimates/estimated/

-[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-
-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimates that in 2020 approximately 25% of the
+[https://web.archive.org/web/20240715101040/https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html this Deloitte report]. The report estimated that in 2020 approximately 25% of the

[jonatack]

Suggested change

	even more might be vulnerable.
	even more addresses might be vulnerable, representing 5M to 10M bitcoin.

[jonatack]

Suggested change

	the authors estimate that CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a
	the authors estimate that a CRQC with 28 million superconducting physical qubits would take 8.3 seconds to calculate a

[jonatack]

ISTM all of the No¹ entries ought to be Yes¹ or If revealed¹...

[jonatack]

Suggested change

	If an extended public key’s (xPub’s) parent private key of is recovered by CRQC, the attacker also recovers
	If the parent private key of an extended public key (xpub) is recovered by a CRQC, the attacker also recovers

[jonatack]

BIP114 is also named "MAST" (Merkelized Abstract Syntax Trees), so perhaps write out the MAST you are referring to here.

[jonatack]

Suggested change

	If there a new algorithm is added, and one of the byte sizes overlaps, then an additional byte should be prepended to the
	If a new algorithm is added, and one of the byte sizes overlaps, then an additional byte should be prepended to the

[jonatack]

Suggested change

	for performance comparison. Fortunately, SQIsign signatures are substantially faster to verify than it is to generate
	for performance comparison. Fortunately, SQIsign signatures are substantially faster to verify than they are to generate

[jonatack]

Should the caveat and consequences be mentioned here that Winternitz signatures are one-time?

[jonatack]

Any timeline for adding these?

[mraksoll4]

First, it is necessary to solve a rather simple and complex problem: key structure tree of priv and pub keys. Since in post-quantum algorithms there are not even approximate solutions, possible it will be universal since almost all of them are built on lattices

Well, what’s important is that we only have a problem with generating public keys from a master public key or xpub, there are no problems with private keys, in almost any algorithm you can feed a seed to get a pair of keys and, as in the example above, reconstruct the public key from part of the private one.