Bitcoin Forum
Author Topic: Is the proposed BIP 360 the correct way to achieve quantum attack resistance?  (Read 495 times)
d5000 (OP)
Legendary
Activity: 4564
Merit: 10324
Decentralization Maximalist
February 21, 2026, 08:29:59 PM
Merited by stwenhao (1)
#21

Quote
So basically your freakout is similar to miners about next halving?
Freakout? Lol no. I'm only in the camp that "we should plan a bit ahead, but no rush". And BIP 360, in its new iteration, seems a good way forward to me.

Quote
What I don't understand is how adding new type of addresses is going to give quantum protection to bitcoin, unless all bitcoin is moved from old to new addresses?
Only re-used addresses (where the public key was published on chain, i.e. people have spent money from that address) and some special kinds of addresses which are barely used (P2PK, and some P2TR) are vulnerable currently.

So it's not that everybody must move. Most people can relax and wait.

Once the new addresses arrive, it may be an option for those who hodl large amounts of coins and thus wouldn't be worried about the fees.

It has of course to be said that the current BIP-360 does not include quantum-secure cryptography yet (this is a second step and probably years ahead). But it allows creating Taproot scripts without the P2TR vulnerability more easily.

stwenhao
Hero Member
Activity: 628
Merit: 1586
February 21, 2026, 09:17:36 PM
#22

Quote
and some P2TR
Not some. All P2TR. If you can spend by key, then you can completely ignore all TapScript behind it. And even if someone used some NUMS point, then still: when secp256k1 is broken, private keys for these points will be known, too.

The only unaffected P2TR or P2PK are those with invalid public keys, but they cannot be moved by anyone.

Proof of Work puzzle in mainnet, testnet4 and signet.
hmbdofficial
Member
Activity: 112
Merit: 25
Today at 09:18:07 AM
Merited by stwenhao (1)
#23

Quote
The only unaffected P2TR or P2PK are those with invalid public keys, but they cannot be moved by anyone.
If a P2PK with an invalid public key is accepted into the blockchain and it is not spendable, is that not following the modern consensus? I was thinking it shouldn't be accepted because of the checksig, because I read that this might only occur due to errors from wallet software or malicious crafting.
stwenhao
Hero Member
Activity: 628
Merit: 1586
Today at 09:52:36 AM
#24

If you use "020000000000000000000000000000000000000000000000000000000000000004 OP_CHECKSIG", then it is difficult to move, but it is mathematically spendable. But if you use "020000000000000000000000000000000000000000000000000000000000000005 OP_CHECKSIG", then it is unspendable, and will never be moved by anyone.

For Taproot equivalents, bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzqln7y9h is difficult to move, but potentially spendable. However, bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzs2jkusy is unspendable.

Quote
I was thinking it shouldn’t be accepted because of the checksig.
Scripts are validated when coins are spent, not when they are created. Also, rejecting invalid public keys would slow down validation.

There are around 0x80000000000000000000000000000000a2a8918ca85bafe22016d0b997e4df60 unspendable public keys in the 256-bit range. And a lot more ways to make unspendable scripts, like "OP_2 OP_2 OP_ADD OP_5 OP_EQUAL".

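As an added example (not code from anyone in this thread), a small Python check of the distinction stwenhao draws above: it lifts an x coordinate to a secp256k1 point the way a signature verifier must, classifies the two keys quoted in the post (x = 4 and x = 5), and reproduces the count of unspendable x-only keys given there from the curve order. The constants are the public secp256k1 parameters; no other inputs are assumed.

```python
# secp256k1 field prime and group order (public curve parameters).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def lift_x(x: int):
    """Return a y with y^2 = x^3 + 7 (mod P) if x is a valid coordinate, else None.

    This is the step a verifier performs when it decodes a compressed or
    x-only key; if it fails, no signature can ever verify for that key.
    """
    if not 0 <= x < P:
        return None
    rhs = (pow(x, 3, P) + 7) % P
    # P % 4 == 3, so if rhs is a square its root is rhs^((P+1)/4); check it.
    y = pow(rhs, (P + 1) // 4, P)
    return y if (y * y) % P == rhs else None


def classify_pubkey(pubkey_hex: str) -> str:
    """Classify a 33-byte compressed key (P2PK) or a 32-byte x-only key (P2TR).

    'valid'   -> a real curve point: spendable in principle, even if nobody
                 currently knows the private key (x = 4 in the post)
    'invalid' -> not on the curve: an output paying to it is provably
                 unspendable by anyone (x = 5 in the post)
    """
    raw = bytes.fromhex(pubkey_hex)
    if len(raw) == 33:
        if raw[0] not in (2, 3):  # compressed keys start with 02 or 03
            return "invalid"
        x = int.from_bytes(raw[1:], "big")
    elif len(raw) == 32:  # BIP340 x-only key as used in P2TR outputs
        x = int.from_bytes(raw, "big")
    else:
        return "invalid"
    return "valid" if lift_x(x) is not None else "invalid"


def count_unspendable_xonly() -> int:
    """Number of the 2^256 possible 32-byte x-only keys that are not on the curve.

    The group has N elements including infinity. The N-1 affine points pair up
    as (x, y) and (x, P-y), so exactly (N-1)/2 distinct x values are valid and
    everything else in the 256-bit range is unspendable.
    """
    return 2**256 - (N - 1) // 2
```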