bip-0361.mediawiki: 15 additions & 43 deletions
@@ -19,13 +19,13 @@
19
19
20
20
=== Abstract ===
21
21
22
-
This proposal follows the implementation of a post-quantum (PQ) output type and introduces a pre-announced sunset of legacy ECDSA/Schnorr signatures. It turns quantum security into a private incentive: fail to upgrade and you will certainly lose access to your funds, creating a certainty where none previously existed.
22
+
This proposal follows the implementation of any post-quantum (PQ) output type and introduces a pre-announced sunset of legacy ECDSA/Schnorr signatures. It turns quantum security into a private incentive: fail to upgrade and you will encounter additional friction to access your funds, creating a certainty where none previously existed.
23
23
24
24
'''Phase A''': Disallows sending of any funds to quantum-vulnerable addresses, hastening the adoption of PQ address types.
25
25
26
-
'''Phase B''': Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day roughly five years after activation.
26
+
'''Phase B''': Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day five years after activation.
27
27
28
-
'''Phase C''' (optional): Pending further research and demand, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, potentially via ZK proof of possession of a corresponding BIP-39 seed phrase.
28
+
'''Phase C''' (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.
29
29
30
30
=== Copyright ===
31
31
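Review bot: The softened Abstract sentence ("you will encounter additional friction to access your funds") contradicts the unchanged Phase B line in this same hunk, which still "renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs", while the Phase C recovery path is now marked "(TBD)" and "pending further research". Until a Phase C mechanism is adopted, the consequence of not upgrading is loss of access rather than friction, and the trailing clause "creating a certainty where none previously existed" no longer describes anything certain. Suggest either restoring a plain statement that legacy UTXOs become unspendable at Phase B, or making the dependency explicit, e.g. "you will be unable to spend your funds unless and until a Phase C recovery mechanism is adopted". Separately, dropping "roughly" from "five years after activation" commits the BIP to an exact interval that should be tied to a concrete parameter (block height or median-time-past) somewhere in the document.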
@@ -45,7 +45,7 @@ The safety envelope is shrinking by dramatic increases in algorithms even if the
45
45
46
46
'''Bitcoin's exposed public keys.'''
47
47
48
-
Roughly 25% of all bitcoin have revealed a public key on-chain; those UTXOs could be stolen with sufficient quantum power.
48
+
As of March 1, 2026, over 34% of all bitcoin have revealed a public key on-chain; those UTXOs could be stolen by an attacker with a sufficiently powerful quantum computer.
49
49
50
50
'''We may not know the attack is underway.'''
51
51
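Review bot: The new figure "over 34% of all bitcoin", dated "As of March 1, 2026", replaces an uncited "Roughly 25%" with another uncited number, and the motivation section rests on it. The line should cite the measurement source and state what was counted (P2PK outputs, reused P2PKH/P2WPKH addresses, P2TR outputs with keys on-chain) so that readers can reproduce the number and update it as the UTXO set changes. The datestamp is a good addition and should stay.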
@@ -108,9 +108,17 @@ Even if Bitcoin is not a primary initial target of a cryptographically relevant
108
108
109
109
An attack on Bitcoin may not be economically motivated - an attacker may be politically or maliciously motivated and may attempt to destroy value and trust in Bitcoin rather than extract value. There is no way to know in advance how, when, or why an attack may occur. A defensive position must be taken well in advance of any attack.
110
110
111
-
Bitcoin's current signatures (ECDSA/Schnorr) will be a tantalizing target: any UTXO that has ever exposed its public key on-chain (roughly 25 % of all bitcoin) could be stolen by a cryptographically relevant quantum computer.
111
+
Bitcoin's current signatures (ECDSA/Schnorr) will be a tantalizing target: any UTXO that has ever exposed its public key on-chain could be stolen by a cryptographically relevant quantum computer.
112
112
113
-
'''Existing Proposals are Insufficient. '''
113
+
'''Existing Proposals (as of March 2026) are Insufficient. '''
114
+
115
+
To date, no quantum related proposal provides protection against:
116
+
117
+
1. Short-range attacks.
118
+
119
+
2. Long-range attacks due to address re-use.
120
+
121
+
3. Long-range attacks against already exposed public keys in P2PK or P2TR outputs.
114
122
115
123
Any proposal that allows for the quantum theft of "lost" bitcoin is creating a redistribution dilemma. There are 3 types of proposals:
116
124
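Review bot: The added enumerated list uses literal "1.", "2.", "3." prefixes, which MediaWiki renders as plain paragraphs rather than a list; use "#" list syntax as elsewhere in the BIP repository. More substantively, "Short-range attacks" and "Long-range attacks" are used here without a definition in the visible text; a one-line definition (attacks on a key exposed only while a spending transaction is unconfirmed, versus attacks on keys already recorded on-chain) would let readers evaluate the claim that "no quantum related proposal provides protection against" them, and that blanket claim should name or cite the proposals surveyed "as of March 2026" so it can be checked. Minor: the bold heading keeps a trailing space inside the ''' markers ("Insufficient. ''').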
@@ -130,7 +138,7 @@ With a clear deadline, industry stakeholders will more readily upgrade existing
130
138
131
139
'''Minimizes loss of access to funds '''
132
140
133
-
If there is sufficient demand and research proves possible, submitting a ZK proof of knowledge of a BIP-39 seed phrase corresponding to a public key hash or script hash would provide a trustless means for legacy outputs to be spent in a quantum resistant manner, even after the sunset.
141
+
Submitting a zero knowledge proof of possession of a BIP-39 seed phrase corresponding to a public key hash or script hash would provide a trustless means for legacy outputs to be spent in a quantum resistant manner, even after the sunset.
134
142
135
143
{| class="wikitable"
136
144
|- style="text-align:center;"
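Review bot: Dropping the qualifier "If there is sufficient demand and research proves possible" turns a research hypothesis into an unconditional claim ("would provide a trustless means ... even after the sunset"), which conflicts with the Abstract in this same diff, where Phase C is "(TBD)" and "pending further research". Keep the conditional here, and scope the claim: a proof of possession of a BIP-39 seed phrase only helps outputs whose keys were derived from such a seed, so the "Minimizes loss of access to funds" section should say which legacy outputs it does and does not cover.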
@@ -165,42 +173,6 @@ If true, the corollary is:
165
173
166
174
The timelines that we are proposing are meant to find the best balance between giving ample ability for account owners to migrate while maintaining the integrity of the overall ecosystem to avoid catastrophic attacks.
167
175
168
-
== Deployment ==
169
-
170
-
For Bitcoin mainnet, testnet4, and signet, this BIP is deployed by "version bits" with the name "postquantum" and bit 5, using [[bip-0009.mediawiki|BIP9]] modified to use a lower threshold, with an additional ''min_activation_height'' parameter and replacing the state transition logic for the DEFINED, STARTED and LOCKED_IN states as follows:
171
-
172
-
case DEFINED:
173
-
if (GetMedianTimePast(block.parent) >= starttime) {
For Bitcoin mainnet, the starttime is epoch timestamp 1798761600 (midnight 1 January 2027 UTC), the threshold is 1815 blocks (90%) instead of 1916 blocks (95%), and the min_activation_height is block 709632.
199
-
200
-
For Bitcoin testnet4, the starttime is epoch timestamp 1798761600 (midnight 1 January 2027 UTC), the threshold is 1512 blocks (75%), and the min_activation_height is block 0.
201
-
202
-
For Bitcoin signet, the starttime is epoch timestamp 1798761600 (midnight 1 January 2027 UTC), the threshold is 1512 blocks (75%), and the min_activation_height is block 0.
203
-
204
176
=== Backward Compatibility ===
205
177
206
178
As a series of soft forks, older nodes will continue to operate without modification. Non-upgraded nodes, however, will consider all post-quantum witness programs as anyone-can-spend scripts. They are strongly encouraged to upgrade in order to fully validate the new programs.
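Review bot: Deleting the entire Deployment section (version bits name "postquantum", bit 5, the modified BIP9 threshold of 1815 blocks instead of 1916, min_activation_height, and the 1798761600 start times for mainnet, testnet4 and signet) leaves the BIP with no activation mechanism, while the kept context immediately above still refers to "The timelines that we are proposing" and Phase B is defined as "five years after activation". Either replace the section with an explicit placeholder ("== Deployment == To be determined") so the omission is visible to readers, or leave the parameters in place and mark them provisional. The retained Backward Compatibility paragraph also calls this "a series of soft forks", which only holds if the activation logic removed here is specified somewhere.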