bitcoin/bips
1
0
Fork 0
mirror of https://github.com/bitcoin/bips.git synced 2026-04-20 16:28:39 +00:00
Code Issues Releases Wiki Activity

Merge pull request #2146 from conduition/361/corrections

Browse Source 
Corrections to BIP-0361 on rescue protocols
This commit is contained in:
Jon Atack
2026-04-20 07:49:09 -07:00
committed by GitHub
parent 83c1fc8ed2 da7cc678d5
commit 50c6ce7636
1 changed files with 26 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
bip-0361.mediawiki
View File

@@ -23,9 +23,7 @@ This proposal follows the implementation of any post-quantum (PQ) output type an
'''Phase A''': Disallows sending of any funds to quantum-vulnerable addresses, hastening the adoption of PQ address types.
'''Phase B''': Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day five years after activation.
'''Phase C''' (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.
'''Phase B''': Restricts ECDSA/Schnorr spends by encumbering them with a quantum-safe rescue protocol, preventing theft of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day five years after activation.
=== Copyright ===
@@ -33,7 +31,7 @@ This document is licensed under the 3-clause BSD license.
=== Motivation ===
We seek to secure the value of the UTXO set and minimize incentives for quantum attacks. This proposal is radically different from any in Bitcoin's history just as the threat posed by quantum computing is radically different from any other threat in Bitcoin's history. Never before has Bitcoin faced an existential threat to its cryptographic primitives. A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem. Beyond its impact on price, the ability of miners to provide network security may be significantly impacted.
We seek to secure the value of the UTXO set and minimize incentives for quantum attacks. This proposal is radically different from any in Bitcoin's history just as the threat posed by quantum computing is radically different from any other threat in Bitcoin's history. Never before has Bitcoin faced an existential threat to its cryptographic primitives. A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem. Beyond its impact on price, the ability of miners to provide network security may be significantly impacted.
'''Accelerating quantum progress.'''
@@ -45,7 +43,7 @@ The safety envelope is shrinking by dramatic increases in algorithms even if the
'''Bitcoin's exposed public keys.'''
As of March 1, 2026, over 34% of all bitcoin have revealed a public key on-chain; those UTXOs could be stolen by an attacker with a sufficiently powerful quantum computer.
As of March 1, 2026, over 34% of all bitcoin have revealed a public key on-chain; those UTXOs could be stolen by an attacker with a sufficiently powerful quantum computer.
'''We may not know the attack is underway.'''
@@ -57,7 +55,7 @@ Assuming that quantum computers are able to maintain their current trajectories
'''Impossible to know motivations.'''
Prior to a quantum attack, it is impossible to know the motivations of the attacker. An economically motivated attacker will try to remain undetected for as long as possible, while a malicious attacker will attempt to destroy as much value as possible.
Prior to a quantum attack, it is impossible to know the motivations of the attacker. An economically motivated attacker will try to remain undetected for as long as possible, while a malicious attacker will attempt to destroy as much value as possible.
'''Upgrade inertia.'''
@@ -71,15 +69,15 @@ Coordinating distributed groups is more prone to delay, even if everyone has sim
'''Resilience''': Bitcoin protocol remains secure for the foreseeable future without waiting for a last-minute emergency.
'''Certainty''': Bitcoin users and stakeholders gain certainty that a plan is both in place and being implemented to effectively deal with the threat of quantum theft of bitcoin.
'''Certainty''': Bitcoin users and stakeholders gain certainty that a plan is both in place and being implemented to effectively deal with the threat of quantum theft of bitcoin.
'''Clarity''': A single, publicized timeline aligns the entire ecosystem (wallets, exchanges, hardware vendors).
'''Supply Discipline''': Abandoned keys that never migrate remain unspendable, reducing supply, as [https://bitcointalk.org/index.php?topic=198.msg1647#msg1647as Satoshi described].
'''Supply Discipline''': Abandoned keys that never migrate remain unspendable, reducing supply, as [https://bitcointalk.org/index.php?topic=198.msg1647#msg1647as Satoshi described].
== Specification ==
{| class="wikitable"
{| class="wikitable"
|- style="text-align:center;"
! Phase
! What Happens
@@ -92,25 +90,20 @@ Coordinating distributed groups is more prone to delay, even if everyone has sim
| 160,000 blocks (~3 years) after BIP-361 activation.
|-
| B
| At a predetermined block height, nodes reject transactions that rely on ECDSA/Schnorr keys.
| At a predetermined block height, nodes tighten requirements on verification of ECDSA/Schnorr.
| Everyone holding or accepting BTC.
| 2 years after Phase A activation.
|-
| C
| Users with frozen quantum vulnerable funds and a HD wallet seed phrase can construct a quantum safe proof to recover funds.
| Users who failed to migrate funds before Phase B.
| TBD pending research, demand, and consensus.
|}
=== Rationale ===
Even if Bitcoin is not a primary initial target of a cryptographically relevant quantum computer, widespread knowledge that such a computer exists and is capable of breaking Bitcoins cryptography will damage faith in the network .
Even if Bitcoin is not a primary initial target of a cryptographically relevant quantum computer, widespread knowledge that such a computer exists and is capable of breaking Bitcoins cryptography will damage faith in the network.
An attack on Bitcoin may not be economically motivated - an attacker may be politically or maliciously motivated and may attempt to destroy value and trust in Bitcoin rather than extract value. There is no way to know in advance how, when, or why an attack may occur. A defensive position must be taken well in advance of any attack.
An attack on Bitcoin may not be economically motivated - an attacker may be politically or maliciously motivated and may attempt to destroy value and trust in Bitcoin rather than extract value. There is no way to know in advance how, when, or why an attack may occur. A defensive position must be taken well in advance of any attack.
Bitcoin's current signatures (ECDSA/Schnorr) will be a tantalizing target: any UTXO that has ever exposed its public key on-chain could be stolen by a cryptographically relevant quantum computer.
'''Existing Proposals (as of March 2026) are Insufficient. '''
'''Existing Proposals (as of March 2026) are Insufficient. '''
To date, no quantum related proposal provides protection against:
@@ -122,7 +115,7 @@ To date, no quantum related proposal provides protection against:
Any proposal that allows for the quantum theft of "lost" bitcoin is creating a redistribution dilemma. There are 3 types of proposals:
1. Allow anyone to steal vulnerable coins, benefitting those who reach quantum capability earliest.
1. Allow anyone to steal vulnerable coins, benefiting those who reach quantum capability earliest.
2. Allow throttled theft of coins, which leads to RBF battles and ultimately miners subsidizing their revenue from quantum recovered coins.
@@ -130,17 +123,21 @@ Any proposal that allows for the quantum theft of "lost" bitcoin is creating a r
'''Minimizes attack surface'''
By disallowing new spends to quantum vulnerable script types, we minimize the attack surface with each new UTXO.
By disallowing new spends to quantum vulnerable script types, we minimize the attack surface with each new UTXO.
Upgrades to Bitcoin have historically taken many years; this will hasten and speed up the adoption of new quantum resistant script types.
Upgrades to Bitcoin have historically taken many years; this will hasten and speed up the adoption of new quantum resistant script types.
With a clear deadline, industry stakeholders will more readily upgrade existing infrastructure to ensure continuity of services.
With a clear deadline, industry stakeholders will more readily upgrade existing infrastructure to ensure continuity of services.
'''Minimizes loss of access to funds '''
Submitting a zero knowledge proof of possession of a BIP-39 seed phrase corresponding to a public key hash or script hash would provide a trustless means for legacy outputs to be spent in a quantum resistant manner, even after the sunset.
The new tighter verification conditions for using ECDSA and Schnorr to spend coins will be designed to rule out quantum attackers, but to permit spends from the authentic coin-holders. Such rescue protocols rely on asymmetry of knowledge between a quantum attacker and the authentic coin-holder. Any context where an asymmetry exists in favor of the authentic holder can theoretically be turned into a rescue protocol.
{| class="wikitable"
For instance, most wallets built since its introduction in 2012 have used [[bip-0032.mediawiki|BIP-32]] to construct deterministic HD wallets which derive Bitcoin keypairs from a seed. Any BIP-32 wallet which uses a hardened derivation step in its key-paths can thus satisfy a rescue protocol which uses BIP-32 hardened key derivation to prove knowledge of a parent XPriv which a quantum attacker would be very unlikely to know. [https://groups.google.com/g/bitcoindev/c/Q06piCEJhkI Current research on ZK-STARK-based rescue protocols] suggest proofs could be efficiently scaled, and [https://groups.google.com/g/bitcoindev/c/uUK6py0Yjq0/m/57bQJ3VSCQAJ commit/reveal protocols can likely do so even more efficiently] at the expense of a more challenging multi-step security model.
It remains to be seen how much of the legacy Bitcoin supply can be theoretically covered by such rescue protocols. If one or more rescue protocols can be designed to cover the majority of the Bitcoin supply, then restricting ECDSA/Schnorr verification will be at most mildly confiscatory, and will come at little expense to the overall integrity of the Bitcoin network.
{| class="wikitable"
|- style="text-align:center;"
! Stakeholder
! Incentive to Upgrade
@@ -161,9 +158,9 @@ Submitting a zero knowledge proof of possession of a BIP-39 seed phrase correspo
| Economic incentive diminishes as sunset nears, stolen coins cannot be spent after Q-day.
|}
'''Key Insight''': As mentioned earlier, the proposal turns quantum security into a private incentive to upgrade.
'''Key Insight''': As mentioned earlier, the proposal turns quantum security into a private incentive to upgrade.
This is not an offensive attack, rather, it is defensive: our thesis is that the Bitcoin ecosystem wishes to defend itself and its interests against those who would prefer to do nothing and allow a malicious actor to destroy both value and trust.
This is not an offensive attack, rather, it is defensive: our thesis is that the Bitcoin ecosystem wishes to defend itself and its interests against those who would prefer to do nothing and allow a malicious actor to destroy both value and trust.
"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto
@@ -171,12 +168,12 @@ If true, the corollary is:
"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."
The timelines that we are proposing are meant to find the best balance between giving ample ability for account owners to migrate while maintaining the integrity of the overall ecosystem to avoid catastrophic attacks.
The timelines that we are proposing are meant to find the best balance between giving ample ability for account owners to migrate while maintaining the integrity of the overall ecosystem to avoid catastrophic attacks.
=== Backward Compatibility ===
As a series of soft forks, older nodes will continue to operate without modification. Non-upgraded nodes, however, will consider all post-quantum witness programs as anyone-can-spend scripts. They are strongly encouraged to upgrade in order to fully validate the new programs.
Non-upgraded wallets can receive and send bitcoin from non-upgraded and upgraded wallets until Phase A. After Phase A, they can no longer receive from any other wallets and can only send to upgraded wallets. After Phase B, both senders and receivers will require upgraded wallets. Phase C, if activated in conjunction with Phase B, may be soft forkable, otherwise it would likely require a loosening of consensus rules (a hard fork) to allow vulnerable funds to be recovered.
Non-upgraded wallets can receive and send bitcoin from non-upgraded and upgraded wallets until Phase A. After Phase A, they can no longer receive from any other wallets and can only send to upgraded wallets. After Phase B, both senders and receivers will require upgraded wallets.
Phase C is also compatible with an "Hourglass" style BIP for spending P2PK encumbered funds, provided such a BIP has activated by the time Phase C activates. BIP-361 authors support Hourglass for P2PK because it's not possible to construct a proof of HD wallet ownership for UTXOs created before BIP-32 existed.
This BIP is also compatible with an "Hourglass" style BIP for spending P2PK encumbered funds, provided such a BIP has activated by the time Phase B activates. BIP-361 authors support Hourglass for P2PK because it's not currently believed possible to construct a rescue protocol for P2PK UTXOs, as no knowledge asymmetry is known.