One of the things that gets people really worked up about the quantum threat to Bitcoin is that a lot of the mitigations require everyone to move all their coins...and the coins that don't move become vulnerable to theft.

Roasbeef proposed a new method for Bitcoiners to adopt a quantum resistant scheme without requiring everyone to move their coins before the threat arrives, but which doesn't expose people who don't move their coins to loss of coins. It requires a soft fork.

In some ways it reminds me of Casey Rodarmor's proposal (#1445101), although they are pretty different from each other.

Here's a bit of a refresher on Taproot addresses, skip down to the section about Roasbeef's method if you already know this.

Two different ways of spending coins in Taproot addressesTwo different ways of spending coins in Taproot addresses

One of the cool things about Taproot addresses is that you don't have to reveal all the different ways your coins can be spent. You might have coins that can be spent with any 2 of five different signatures, or just 1 signature after 16 months. You can have a lot of possible ways to spend your coins, but none of this is directly stored in the output's locking script on chain.

What does get stored is a single public key. Using cryptographic magic this public key is created by taking a standard public key and "tweaking" it with the Merkle root of all your different locking scripts.

Any of the locking scripts can be satisfied to move your coins...or you can use the private key that corresponds to your address's tweaked public key.

The two ways to spend from a Taproot addressThe two ways to spend from a Taproot address

Use the script path by satisfying a script that is a leaf in Merkle tree who's root is hashed and tweaked to become your public key, or
Use the key path by providing a signature from the specific private key that matches this public key

Taproot and quantum vulnerabilityTaproot and quantum vulnerability

You've probably heard by now that Taproot addresses are vulnerable to quantum computers (should such computers ever become large enough and stable enough to derive private keys from bitcoin public keys). The reason for this is because of that second way you can spend coins in Taproot addresses: the tweaked hash that merkle root for all your spending paths is also a real public key and it's stored on chain for all to see.

Roasbeef's method for quantum-proofing Taproot addressesRoasbeef's method for quantum-proofing Taproot addresses

Given that the Taproot commitment scheme is post-quantum secure, in the future we can deploy a soft fork to disable the keyspend path, and force all Taproot spends to instead flow through the script path (not my idea, commonly discussed amongst developers, not sure who proposed it first). At that point, Taproot starts to resemble BIP-360.

That works for script path spends, but then leaves all the BIP-86 wallets in a bad position, as they generated outputs that provably don't commit to a script path at all.

A 2023 paper (Protecting Quantum Procrastinators with Signature Lifting: A Case Study in Cryptocurrencies) proposed a solution to this, namely seed lifting (use BIP-32 as the one-way function to the Picnic PQ Signature scheme) to provide a post-quantum proof of secret information a quantum attacker wouldn't be able to easily obtain.

The downside of that is that it reveals the secret BIP 32 seed, exposing other non migrated UTXOs of a user.

With this project I've cobbled together a series of projects to be able to generate a zk-STARK proof that a Taproot output public key was generated via BIP-32 invocation of a BIP-86 derivation path.

In the future a variant of this scheme can be used to enable wallets that generated the private keys via BIP-86, to have a post quantum safe exit path in case they don't bother moving their coins in time to the yet-to-be-decided post quantum signature scheme.

Read his whole proposal on the mailing list. I do like these proposals that don't involve abandoning people who don't migrate (although, I guess since this only applies to Taproot addresses, it wouldn't help with addresses that have exposed public keys for other reasons and yet are unwilling or unable to migrate).

1 sat \ 2 replies \ @BallLightning 8 Apr

I have always wondered why isnt there a pay to taproot hash type address.

1 sat \ 1 reply \ @Filiprogrammer 8 Apr

Why is the public key directly included in the output? While typical earlier constructions store a hash of a script or a public key in the output, this is rather wasteful when a public key is always involved. To guarantee batch verifiability, the public key must be known to every verifier, and thus only revealing its hash as an output would imply adding an additional 32 bytes to the witness. Furthermore, to maintain 128-bit collision security for outputs, a 256-bit hash would be required anyway, which is comparable in size (and thus in cost for senders) to revealing the public key directly. While the usage of public key hashes is often said to protect against ECDLP breaks or quantum computers, this protection is very weak at best: transactions are not protected while being confirmed, and a very large portion of the currency's supply is not under such protection regardless. Actual resistance to such systems can be introduced by relying on different cryptographic assumptions, but this proposal focuses on improvements that do not change the security model.

https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#cite_note-2

1 sat \ 0 replies \ @nitter 8 Apr

https://twiiit.com/pwuille/status/1108085284862713856

0 sats \ 0 replies \ @b4b12dfbc3 9 Apr freebie

The thing most people miss: BIP-86 wallets have no script commitment at all. The tweaked pubkey just sits on-chain. Hashing wouldn't buy you much since 256-bit hash is the same size as the key anyway. What the zk-STARK angle buys you is proving BIP-32 derivation without touching your seed, so your other unmigrated UTXOs stay cold. That's the part worth thinking through.