From: Jonas Nick <jonasd.nick@gmail•com>
To: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] P2QRH / BIP-360 Update
Date: Fri, 21 Feb 2025 08:54:02 +0000 [thread overview]
Message-ID: <5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com> (raw)
In-Reply-To: <8797807d-e017-44e2-b419-803291779007n@googlegroups.com>
Hi Hunter,
Thanks for your work on BIP 360. I think now is a good time to develop and
discuss concrete PQ proposals. I have a few questions and comments regarding
some aspects of the proposal:
Selective disclosure
---
From, the output contains a root of a Merkle tree of public key hashes and
spending from this output requires revealing the public keys and their
corresponding valid signatures. More concretely, if the user creates root
R = MerkleRoot([hash(public_key_falcon_1024), hash(public_key_secp256k1)]),
they can spend from R by revealing both public keys and corresponding signatures.
The BIP also mentions that the public keys can be selectively disclosed:
> When spending, if a public key hash is provided in the attestation with an
> empty signature, that hash will be used directly in the merkle tree computation
> rather than hashing the full public key.
What prevents an quantum adversary, upon observing a spend from R, from breaking
public_key_secp256k1 and then spending from R by providing
[
hash(public_key_falcon_1024),
empty string,
public_key_secp256k1,
a secp256k1 signature forgery
]?
Attestation structure
---
The BIP proposes to an attestation structure alongside the witness which is
supposed to contain BIP 360 public keys and signatures (instead having them in
the witness). The purpose of this structure is to assign a higher weight
discount than the witness. The "Rationale" and "Output Mechanics" sections the
BIP describe that, since the attestation structure only contains public keys and
signatures, storage of arbitrary data ("inscriptions") is prevented.
Leaving aside that there may be creative ways to embed arbitrary data in public
keys and signatures as well, selective disclosure of the Merkle tree appears to
allow embedding arbitrary data. For instance, a user can create root
R = MerkleRoot(data, hash(public_key_secp256k1)]),
where data is an arbitrary 256-bit string. What prevents the user from
pretending that data is the hash of a public key and providing
[
data,
empty string,
public_key_secp256k1,
a secp256k1 signature forgery
]
in the attestation structure to spend from R?
Multi-signature 256-bit security
---
The BIP briefly discusses multi-signature scenarios in the script validation
section, but the details seem incomplete. From what I can infer, the current
specification fails to achieve the claimed 256-bit security.
The potential attack would work as follows:
1. The victim provides their public key pk to the adversary.
2. The adversary finds two public keys pk' and pk'' such that
MerkleRoot(MultiSig[pk, pk']) = MerkleRoot([pk''])
3. The adversary convinces the victim to send coins to MerkleRoot(MultiSig[pk,
pk']) and then steals the coins by opening the Merkle tree root to [pk''] and
providing a signature for pk''.
Since the Merkle root is the 256-bit output of SHA256, the adversary can find
this collision with about 2^128 operations.
If I remember correctly, this attack was discussed on the mailing list in the
context of segwit and it's the reason why P2WSH (unlike P2PKH) requires 256-bit
hashes.
General comments
---
I think one of the main questions that the BIP does not currently address is how
it affects the worst-case validation cost of a block.
Regarding your question:
> But if the intention was for 256 bits of security, should level V security be
> the default?
I don't know what Satoshi's intentions were, but the secp256k1 specification
clearly indicates 128-bit "strength" ([0], Table 1). I believe that's fairly
well known in the technical Bitcoin space.
I am not quite convinced that adding three PQ schemes to the Bitcoin consensus
protocol is a great solution to the problem of not being sure which exact scheme
to pick. Offloading this decision to users does not really solve this problem.
Moreover, this adds massive complexity and new cryptographic assumptions to the
protocol. Remember that one of the main motivations behind libsecp256k1, was
that general purpose cryptographic libraries are not well suited for consensus
systems. So all new cryptographic schemes added to the consensus protocol need
to be exceptionally well specified and implemented. That said, it makes a lot of
sense to design a hybrid scheme that also provides security against a classic
attacker through an established signature scheme (as BIP 360 proposes).
Lastly, I agree that non-interactive aggregation of PQ schemes might be
promising, as it could mitigate about signature size and verification cost if
aggregation is applied on the transaction level. Recently, there has been
progress on the security of aggregating hash-based signatures [1] and Falcon
[2].
[0] https://www.secg.org/sec2-v2.pdf
[1] https://eprint.iacr.org/2025/055
[2] https://eprint.iacr.org/2024/311 (Unfortunately, this only beats trivial
aggregation (concatenation of signatures) when the number of signatures is
greater than about 110)
Jonas
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/5667eb21-cd56-411d-a29f-81604752b7c4%40gmail.com.
next prev parent reply other threads:[~2025-02-21 10:18 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-19 15:40 Hunter Beast
2025-02-19 17:23 ` Dustin Ray
2025-02-19 22:57 ` Hunter Beast
2025-02-20 22:11 ` Matt Corallo
2025-02-23 20:33 ` Hunter Beast
2025-02-21 8:54 ` Jonas Nick [this message]
2025-02-23 20:58 ` Hunter Beast
2025-02-24 13:17 ` Jonas Nick
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com \
--to=jonasd.nick@gmail$(echo .)com \
--cc=bitcoindev@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox