Bitcoin Forum
Author Topic: J. Lopp's Post-Quantum Migration BIP  (Read 1177 times)
stwenhao
July 30, 2025, 03:11:17 AM
Merited by d5000 (10), Pmalek (2)
 #61

Quote
Could it be possible to introduce a post-quantum option based on optional verification?
Possible? Of course. It is rather a question of how many users are willing to accept a simplified version. Also, if some new algorithm is expensive to verify, but it allows combining many signatures into one, then it can still be good enough. For example: if the cost of verification is 830 times higher, but you can combine the signatures of 830 people into one, then that cost could be similar to ECDSA or Schnorr (assuming that people can handle a 135k times higher signing cost, and produce the joined signature fast enough).

Because, in general, it is a cost per signature, not per transaction, or per user. A single transaction can contain a single signature, many signatures, or no signatures at all (or could contain weak keys, and signatures could expose private keys, and rely on Proof of Work to be safe from double-spends).

Also note that the current stack elements can take up to 520 bytes. If this limit is left as it is, then bigger keys or signatures can be split between many stack elements, and handled in chunks. I can also imagine re-wiring new opcodes as a combination of OP_CHECKSIG and other things (by using OP_CHECKSIG just as some 256-bit calculator), which could mean that, for example, some new quantum-safe signature could cost 256 OP_CHECKSIG calls. In the current system, the r-value, s-value and sighash are combined into a single element on the stack. But it doesn't have to be that way. In practice, OP_CHECKSIGFROMSTACK or OP_CAT could be avoided in some cases, if signatures could be split into separate stack elements, instead of being handled as a single stack push. Maybe just splitting quantum signatures into chunks will make it easier to deploy things like batched verification, covenants or vaults.

Another way to rely on optional verification is to make a decentralized sidechain, and lock coins on just Proof of Work in output scripts. Then, old nodes will only check whether the size of the DER signature is below N bytes, and everyone else can download all the data behind a given signature, and validate it. Then, it could be fully optional, and as long as the majority of quantum nodes is honest, they can produce valid signatures faster than any attacker can double-spend them. If you have some DER signature below N bytes, and it gets confirmed in 10 minutes, but re-mining it takes a few days or months, then no attacker will be strong enough to do that in practice. As I said earlier: Proof of Work in output scripts allows us to peg decentralized sidechains to Bitcoin. And they can have any rules, including any new quantum-resistant algorithms.

And later, if some optional paths are in use on test networks, then it is only a matter of making them mandatory. Because forcing everyone to verify everything from the start may fail, if people don't want to upgrade. But if the danger is there, and if people have a choice to switch to something which is standardized and deployed, then making it mandatory would be much easier. Because today, even if someone wanted to force people to switch, there is nothing deployed to switch to. And I think starting with some optional paths is a good starting point for quantum proposal enthusiasts.

Proof of Work puzzle in mainnet and testnet4.
d5000
July 30, 2025, 05:05:06 PM
Merited by stwenhao (1)
 #62

Quote
Possible? Of course. It is rather a question, how many users are willing to accept simplified version.
I'd argue that could be related to how the "newstyle Bitcoin transactions" are presented in the software - if Bitcoin Core recognizes them as "official" Bitcoins, then it should be acceptable by most users. They're not traditional UTXOs, so there may be additional challenges in the case of reorgs, but Ethereum has these problems too and seems to work fine.

Quote
Also note, that the current stack elements can take up to 520 bytes. If this limit will be left as it is, then bigger keys or signatures can be splitted between many stack elements, and handled in chunks. I can also imagine re-wiring new opcodes as a combination of OP_CHECKSIG and other things (by using OP_CHECKSIG just as some 256-bit calculator),
Very interesting! I think the advantage (apart from "evading" the stack size limit) in this case is that there is less DoS attack potential if the individual calculation steps are smaller. But isn't the complete verification cost (number of operations in a full node per signature) higher in this case?

Quote
Another way to rely on optional verification, is to make a decentralized sidechain,
That's of course an option too, but here the acceptance problem would probably be bigger, because the sidechain security will always be at least a bit inferior to the mainchain security. And I think a "post-quantum vault" should be especially interesting for cold storage (hodling for many years/decades), and that use case would be more appropriate for the mainchain.

stwenhao
July 31, 2025, 02:45:30 AM
Merited by d5000 (2), Pmalek (2), vapourminer (1)
 #63

Quote
They're not traditional UTXOs
Well, they are very similar. For each OP_CHECKSIG call anywhere, you have a signature, and quantum-safe data around it, which are committed into the r-value of the signature. It is not that much different from having the Segwit commitment in the coinbase transaction, but here, instead of taking additional on-chain bytes, things are simply committed to existing fields, and you replace one 256-bit r-value with another number, and everything else stays the same, from the perspective of today's node.

Quote
so there may be additional challenges in the case of reorgs
Proof of Work can solve them. As long as the majority of computing power is in honest hands, it should work. And if that isn't the case, then we are doomed anyway.

Quote
but Ethereum has these problems too and seems to work fine
They have a weaker security model, because they rely only on signatures, which means that no Proof of Work is used to protect their cryptographic primitives, if they are ever broken.

Quote
But isn't the complete verification cost (number of operations in a full node per signature) higher in this case?
It is, but it should be negligible if you compare it with the cost of executing a single OP_CHECKSIG opcode. And also, that kind of flexibility may be needed anyway, if the community wants to have covenants or vaults, or even batch verification and packing multiple signatures into one. Which means that if future soft-forks are going to introduce that kind of change anyway, then quantum versions can simply have a different format, and avoid the need to explicitly introduce new opcodes for new features later, because to get them, different parts can be moved from output scripts to input scripts, and it could be enough to have "sign any message from the stack" as a working feature, without OP_CAT or other new opcodes, which could open more unwanted use cases.

Quote
the sidechain security will always be at least a bit inferior to the mainchain security
It currently is, because there is no Merged Mining. But if it were possible to mine the sidechain and the mainchain with the same power, then it would work better.

Also, Proof of Work can be used in many places, not only to validate sidechains. It is also possible to form Lightning Network channels with new opcodes and features (for example related to quantum signatures), and use Proof of Work in output scripts, to protect on-chain interactions from being double-spent. Then, if attacking the network would require some resources, it would be much harder to close some channel with some old state (because it would have less Proof of Work and less fees, so it could be easily detected, and ignored by mainchain nodes, without going into all details behind second layers).

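The posts above (#61 and #63) describe committing quantum-safe data into the r-value of an ordinary signature, so that a non-upgraded node sees a normal OP_CHECKSIG while an upgraded one can check the extra data. The post does not specify the mechanism; the added example below, which is not code from the thread or from any Bitcoin implementation, uses the standard "sign-to-contract" technique to realise that idea: the signer tweaks its ECDSA nonce by a hash of the data, so the published r-value is a commitment that can be opened with the untweaked nonce point. The key, message hash and committed blob are constructed for the demo, and the pure-Python secp256k1 arithmetic is not constant-time (illustration only). The s-value is low-s normalised, which keeps the commitment intact because negating s does not change r.

```python
"""Sign-to-contract: committing extra data into the r-value of an ordinary ECDSA
signature over secp256k1. A legacy verifier runs plain ECDSA; an upgraded one
additionally checks that r commits to the data.

Added example, pure Python, no external libraries. Not code from the thread or
from any Bitcoin implementation. Key, message hash and data are constructed.
"""
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def sha256_int(*parts):
    """SHA-256 over the concatenated parts, as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def compress(pt):
    """33-byte SEC1 compressed encoding of a point."""
    return (b"\x02" if pt[1] % 2 == 0 else b"\x03") + pt[0].to_bytes(32, "big")


def decompress(data):
    """Inverse of compress(); recovers y via sqrt, valid since P = 3 mod 4."""
    x = int.from_bytes(data[1:], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)
    if (y % 2 == 0) != (data[0] == 2):
        y = P - y
    return (x, y)


def sign_with_commitment(priv, z, data):
    """ECDSA-sign message hash z with the nonce tweaked so that r commits to data.

    Returns ((r, s), opening), where opening is the compressed untweaked nonce
    point R0. Publishing (opening, data) lets anyone re-check the commitment.
    """
    # Deterministic untweaked nonce from key and message (simplified RFC 6979 stand-in).
    k0 = sha256_int(priv.to_bytes(32, "big"), z.to_bytes(32, "big")) % N
    assert k0 != 0
    R0 = point_mul(k0, G)
    # Tweak t binds data to R0; the final nonce point is R = R0 + t*G.
    t = sha256_int(compress(R0), data) % N
    k = (k0 + t) % N
    R = point_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:  # low-s normalisation; r, and hence the commitment, is unaffected
        s = N - s
    return (r, s), compress(R0)


def ecdsa_verify(pub, z, sig):
    """Plain ECDSA verification, i.e. what a non-upgraded node checks."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return X is not None and X[0] % N == r


def verify_commitment(sig, opening, data):
    """Upgraded verifier: check that the signature's r-value commits to data."""
    R0 = decompress(opening)
    t = sha256_int(opening, data) % N
    R = point_add(R0, point_mul(t, G))
    return R is not None and R[0] % N == sig[0]


if __name__ == "__main__":
    priv = sha256_int(b"constructed demo key") % N
    pub = point_mul(priv, G)
    z = sha256_int(b"constructed sighash of a transaction")
    data = b"constructed post-quantum key/signature blob"
    sig, opening = sign_with_commitment(priv, z, data)
    print("legacy ECDSA valid :", ecdsa_verify(pub, z, sig))
    print("commitment valid   :", verify_commitment(sig, opening, data))
    print("tampered data      :", verify_commitment(sig, opening, b"other"))
```

The on-chain footprint is unchanged: the transaction carries a standard (r, s) pair, and only the 33-byte opening plus the committed blob must be distributed out of band (or in a sidechain, as the post suggests) to nodes that want to verify the extra data.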
QuantumPenisJamesonLopp
August 07, 2025, 03:35:26 PM
Last edit: August 08, 2025, 11:29:37 AM by hilariousandco
 #64

This is from the #bitcoin IRC channel on Libera Chat:

Hi, I'm looking for someone to talk about this: https://github.com/bitcoin/bips/pull/1895

The header in the BIP at https://github.com/bitcoin/bips/pull/1895/files clearly shows that Jameson Lopp has a very strong conflict of interest and the proposal may not be as independent as it pretends to be.

Example: there is in the header as "AUTHOR" the "Pauli Group" along with the so-called "Quantum Security and Defence" and "QB.TC". Pauli Group is nothing more than a company that is SELLING Bitcoin wallets that it claims to be "Quantum-Safe". "Quantum Security and Defence" is a very generic description title that doesn't sound too promising or, for that matter, legit; their domain's Creation Date is 2024-05-31T13:25:02Z. "QB.TC"'s domain Creation Date is 2025-04-03T16:23:20.682Z. On the other hand, "Pauli Group"'s domain was registered earlier, but apparently they don't know what DNSSEC is while claiming to be super cryptographers. I see a pattern here. I think the BIP proposal is nothing more than an attack on Bitcoin itself to serve the interests of a very few corporations that sell Bitcoin wallets and claim to be amazing cryptographers etc.

Another interesting person who is an "AUTHOR" in that BIP proposal is none other than this guy: https://kitcaster.com/ian-smith/ who worked for "NASA, Oracle, VISA, and Boeing". I wouldn't be proud if I were him for working for VISA and Boeing. Anyway, he also doesn't look to be someone whose interest is improving Bitcoin without filling his pocket.

The last "AUTHOR" on that BIP is "Joe Ross", who also works for QB.TC but apparently was too shy to use his company email address (just like the above-mentioned Ian Smith, who definitely only created that gmail address to use it on this BIP in order to hide who he is and what company he runs).

Here on Libera more than 300+ people are sitting in the #bitcoin channel and I wonder if anyone else cares about this or it doesn't matter? Or just fck Bitcoin and we merge that PR with Jameson Lopp's and the other corporate fuckers' BIP proposal? On BitcoinTalk I saw a topic about this BIP proposal and many people are clearly against it.

NOTE: Jameson Lopp's WikiPedia page (https://en.wikipedia.org/wiki/Jameson_Lopp) is under the process of deletion that is endorsed by a WikiPedia Admin and another user.

Also worth noting that the user murchandamus on GitHub banned a user for 7 days for criticizing Jameson Lopp's BIP proposal. Well, the user murchandamus is working for bitgo.com, and Jameson Lopp, who also worked for bitgo.com, and he are best buddies. There is a strong conflict of interest regarding the BIP and I have the feeling that it is going to be forced on us, like it or not. If you dare to criticize it in any way you will be banned like that user on GitHub.
highalch
August 07, 2025, 08:03:26 PM
 #65

Quote
In a way satoshi's stash and other old "lost coins" will serve as a canary given that they will likely be the first target.

I'm pretty sure that if there's any malicious actor with quantum power,
that canary will be in tradfi as there are much weaker links there.
Satofan44
August 08, 2025, 01:08:04 PM
 #66

Quote
Also worth noting that the user murchandamus on GitHub banned a user for 7 days for criticizing Jameson Lopp's BIP proposal. Well, the user murchandamus is working for bitgo.com, and Jameson Lopp, who also worked for bitgo.com, and he are best buddies.
Good information. While people sometimes tend to jump to calling out logical fallacies when they are not, information like this can be very helpful. The proposal is very radical and if it is fueled by conflicted interests it can be quickly dismissed.

Quote
There is a strong conflict of interest regarding the BIP and I have the feeling that it is going to be forced on us, like it or not. If you dare to criticize it in any way you will be banned like that user on GitHub.
I've said it before: how a rejection of quantum proposals is handled is going to determine the future of Bitcoin more than any hacks relating to old coins ever could. However, as of now I do not know what is going to happen. I have tried to contact gmaxwell to give input on this topic, but sadly he has not said anything about it.

Quote
In a way satoshi's stash and other old "lost coins" will serve as a canary given that they will likely be the first target.
I'm pretty sure that if there's any malicious actor with quantum power,
that canary will be in tradfi as there are much weaker links there.
Where this amount of value is involved there is no place for gut feelings. You feeling pretty sure is pretty useless and it won't save the network from damage if you end up being wrong.

nameisnotknown
August 09, 2025, 04:07:17 PM
 #67

This topic is related: https://bitcointalk.org/index.php?topic=5553484.0
WhyFhy
August 17, 2025, 06:00:49 PM
 #68


That proposal's a no-go from me.

BayAreaCoins
August 25, 2025, 03:41:28 PM
 #69


Quote
NOTE: Jameson Lopp's WikiPedia page (https://en.wikipedia.org/wiki/Jameson_Lopp) is under the process of deletion that is endorsed by a WikiPedia Admin and another user.

Quote
Also worth noting that the user murchandamus on GitHub banned a user for 7 days for criticizing Jameson Lopp's BIP proposal. Well, the user murchandamus is working for bitgo.com, and Jameson Lopp, who also worked for bitgo.com, and he are best buddies. There is a strong conflict of interest regarding the BIP and I have the feeling that it is going to be forced on us, like it or not. If you dare to criticize it in any way you will be banned like that user on GitHub.

Fuck Jameson Lopp, he's a scrub and sketchy af.

Any proposal of his that is aimed at scrubbing old timers Bitcoins should be basically disregarded IMO.

He did a shit job with Testnet 4, too. He's a half-ass ADHD thinker, coder, and funded by others. He's a satellite investor/coder for hire. Trash.

Basically a sock puppet.

No-go.
