Hardforking Bitcoin to SLH-DSA Bitcoin's transition to a post-quantum cryptographic algorithm like SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) would be a significant and complex undertaking. Here's an analysis of the potential process and implications: Motivation for the Transition The primary reason for considering a transition to SLH-DSA would be to protect Bitcoin against potential threats from quantum computers. While quantum computers capable of breaking Bitcoin's current elliptic curve cryptography are not yet a reality, the cryptocurrency community is increasingly aware of the need to prepare for this eventuality. Technical Aspects of the Transition Signature Scheme Replacement The current Bitcoin protocol uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction signatures. Replacing this with SLH-DSA would require substantial changes to the core protocol[1]. Key and Signature Sizes One of the main challenges in implementing SLH-DSA for Bitcoin would be dealing with the increased key and signature sizes: Algorithm Public Key Size Signature Size ECDSA 33 bytes 71-73 bytes SLH-DSA 32-64 bytes 7,856-49,216 bytes The significantly larger signature sizes of SLH-DSA would have implications for block size, transaction throughput, and network bandwidth requirements[1]. Performance Considerations SLH-DSA is known for its strong security properties but comes with performance costs. It has longer signing times compared to ECDSA, which could affect transaction processing speeds[1]. Implementation ChallengesConsensus Changes Implementing SLH-DSA would require a hard fork of the Bitcoin network, as it involves fundamental changes to the consensus rules. This would need widespread agreement among miners, node operators, and users. Backward Compatibility The transition would need to address backward compatibility issues, potentially requiring a period where both ECDSA and SLH-DSA signatures are supported to allow users time to migrate their funds to new addresses. Wallet Software Updates All Bitcoin wallet software would need to be updated to support the new signature scheme, including key generation, signing, and verification processes. Potential BenefitsQuantum Resistance The primary benefit would be Bitcoin's resistance to attacks from quantum computers, ensuring the long-term security of the network[1]. Conservative Security Approach SLH-DSA is considered a conservative choice for post-quantum cryptography, as it relies on the well-studied security of hash functions rather than newer mathematical problems like lattices[1]. Potential DrawbacksIncreased Resource Requirements The larger signature sizes would increase the storage and bandwidth requirements for running Bitcoin nodes, potentially leading to increased centralization. Transaction Costs Larger signatures could result in higher transaction fees, as more blockchain space would be required for each transaction. Complexity The transition process itself would be complex and risky, potentially introducing vulnerabilities if not executed correctly. Conclusion While transitioning Bitcoin to SLH-DSA is technically possible, it would be a monumental undertaking requiring extensive planning, testing, and community consensus. The cryptocurrency community would need to carefully weigh the long-term security benefits against the short-term disruption and increased resource requirements. As quantum computing advances, this topic is likely to become increasingly relevant in discussions about Bitcoin's future. Citations: [1] We wrote the code, and the code won | Trail of Bits Blog https://blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/ [2] SLotH -- An SLH-DSA/SPHINCS+ Hash-Based Signature Accelerator https://github.com/slh-dsa/sloth [3] Cryptographic Right Answers: Post Quantum Edition - Latacora https://www.latacora.com/blog/2024/07/29/crypto-right-answers-pq/ Is your feature related to a problem, if so please describe it. https://www.csoonline.com/article/3562701/chinese-researchers-break-rsa-encryption-with-a-quantum-computer.html/amp/ -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/0e40068e-6840-49a2-a800-a1f34a0ad9ccn%40googlegroups.com.