Hi Jonas,

On Selective Disclosure,

I think we're going to need to add simple multisig semantics to the attestation due to its lack of script capability. Would that help? Separate multisig semantics like quorum and total would be needed for each class of key, so that even if Schnorr signatures can be broken (or one or two of the other PQC signatures even), they don't count towards the quorum of the other signature types.

On Attestation structure,

What prevents arbitrary data being hashed and then included in the attestation is, each signature public key pair must be able to verify the transaction message in order to be considered a valid transaction. In other words, each public key and signature pair is validated against the transaction message upon transaction verification.

On Multisignature 256-bit security,

To be honest, I've read this a couple of times and I will admit I don't understand this attack. Can you provide more details on how it works, and how it might be possible to mitigate?

On General comments,

I agree with the worst-case transaction verification concern. I'll need to put some work into detailing NIST I variants and their signature verification times, and then computing worst-case scenarios for different discount constants.

On 128-bit security... Yes, I'm coming to realize that too. It's been a common point of feedback.

On adding three schemes, there are a couple of advantages of this. First, wallets can automatically decide how many signatures to add based on the amount being spent. This then acts as a sort of MEV opportunity for miners, because the higher the value of the transaction, the more signatures might be included, which increases fee revenue. Also, it addresses Matt's concern about security assumptions. There's a strong desire for SLH-DSA support, even though it's so large. However, from a practicality standpoint (thinking of plebs), it will make sense to include the smaller ML-DSA and FN-DSA also. While it does increase complexity, I believe that a libbitcoinpqc library, as mentioned in the BIP, will serve as a useful analogue to libsecp256k1. It's also worth noting that in my position at Anduro, I have resources to put into building such a library. Hopefully this can help meet the expectation of a well specified and implemented consensus level library.

On signature aggregation, yes, I'm excited to see those developments in FN-DSA, and maybe we can see that filter into SLH-DSA as well. Hopefully those improvements will be ready once the time comes to activate.



On Friday, February 21, 2025 at 3:18:35 AM UTC-7 Jonas Nick wrote:
Hi Hunter,

Thanks for your work on BIP 360. I think now is a good time to develop and
discuss concrete PQ proposals. I have a few questions and comments regarding
some aspects of the proposal:

Selective disclosure
---

From, the output contains a root of a Merkle tree of public key hashes and
spending from this output requires revealing the public keys and their
corresponding valid signatures. More concretely, if the user creates root

R = MerkleRoot([hash(public_key_falcon_1024), hash(public_key_secp256k1)]),

they can spend from R by revealing both public keys and corresponding signatures.

The BIP also mentions that the public keys can be selectively disclosed:

> When spending, if a public key hash is provided in the attestation with an
> empty signature, that hash will be used directly in the merkle tree computation
> rather than hashing the full public key.

What prevents an quantum adversary, upon observing a spend from R, from breaking
public_key_secp256k1 and then spending from R by providing

[
hash(public_key_falcon_1024),
empty string,
public_key_secp256k1,
a secp256k1 signature forgery
]?


Attestation structure
---

The BIP proposes to an attestation structure alongside the witness which is
supposed to contain BIP 360 public keys and signatures (instead having them in
the witness). The purpose of this structure is to assign a higher weight
discount than the witness. The "Rationale" and "Output Mechanics" sections the
BIP describe that, since the attestation structure only contains public keys and
signatures, storage of arbitrary data ("inscriptions") is prevented.

Leaving aside that there may be creative ways to embed arbitrary data in public
keys and signatures as well, selective disclosure of the Merkle tree appears to
allow embedding arbitrary data. For instance, a user can create root

R = MerkleRoot(data, hash(public_key_secp256k1)]),

where data is an arbitrary 256-bit string. What prevents the user from
pretending that data is the hash of a public key and providing

[
data,
empty string,
public_key_secp256k1,
a secp256k1 signature forgery
]

in the attestation structure to spend from R?


Multi-signature 256-bit security
---

The BIP briefly discusses multi-signature scenarios in the script validation
section, but the details seem incomplete. From what I can infer, the current
specification fails to achieve the claimed 256-bit security.

The potential attack would work as follows:
1. The victim provides their public key pk to the adversary.
2. The adversary finds two public keys pk' and pk'' such that
MerkleRoot(MultiSig[pk, pk']) = MerkleRoot([pk''])
3. The adversary convinces the victim to send coins to MerkleRoot(MultiSig[pk,
pk']) and then steals the coins by opening the Merkle tree root to [pk''] and
providing a signature for pk''.

Since the Merkle root is the 256-bit output of SHA256, the adversary can find
this collision with about 2^128 operations.

If I remember correctly, this attack was discussed on the mailing list in the
context of segwit and it's the reason why P2WSH (unlike P2PKH) requires 256-bit
hashes.


General comments
---

I think one of the main questions that the BIP does not currently address is how
it affects the worst-case validation cost of a block.

Regarding your question:
> But if the intention was for 256 bits of security, should level V security be
> the default?

I don't know what Satoshi's intentions were, but the secp256k1 specification
clearly indicates 128-bit "strength" ([0], Table 1). I believe that's fairly
well known in the technical Bitcoin space.

I am not quite convinced that adding three PQ schemes to the Bitcoin consensus
protocol is a great solution to the problem of not being sure which exact scheme
to pick. Offloading this decision to users does not really solve this problem.
Moreover, this adds massive complexity and new cryptographic assumptions to the
protocol. Remember that one of the main motivations behind libsecp256k1, was
that general purpose cryptographic libraries are not well suited for consensus
systems. So all new cryptographic schemes added to the consensus protocol need
to be exceptionally well specified and implemented. That said, it makes a lot of
sense to design a hybrid scheme that also provides security against a classic
attacker through an established signature scheme (as BIP 360 proposes).

Lastly, I agree that non-interactive aggregation of PQ schemes might be
promising, as it could mitigate about signature size and verification cost if
aggregation is applied on the transaction level. Recently, there has been
progress on the security of aggregating hash-based signatures [1] and Falcon
[2].

[0] https://www.secg.org/sec2-v2.pdf
[1] https://eprint.iacr.org/2025/055
[2] https://eprint.iacr.org/2024/311 (Unfortunately, this only beats trivial
aggregation (concatenation of signatures) when the number of signatures is
greater than about 110)

Jonas

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/16d7adca-a01e-40c5-9570-31967ee339ecn%40googlegroups.com.