Author: Jeremy 2021-07-09 22:52:56
Published on: 2021-07-09T22:52:56+00:00
In a recent thread on the Bitcoin-dev mailing list, Ethan Heilman suggested that Winternitz one-time signatures or OP_CAT could be used to compress Lamport signatures and make Bitcoin "quantum safe". Jeremy Rubin replied that he had already explored using OP_CAT for signing EC signatures in both Segwit V0 and Tapscript. Rubin's blog post explains how this works in detail, but the basic idea is to sign a HASH160 digest of the signature, which would be resistant to quantum computers even if they can crack ECDSA keys. The script required to do this is quite long, but it fits within the program space and stack size limits for Bitcoin scripts. Rubin suggests that the protocol could be made more efficient by expanding to a ternary representation, which would reduce the cost by about 20 bytes per bit, for a savings of around 3200 bytes or 1/3 cheaper. Rubin also notes that the commitment scheme in Taproot could be used to nest this script inside a Tapscript path, making the signature binding to the approved transaction. However, there are still some questions around the security of this method against quantum computers, and more analysis is needed before relying on it for production use.
Updated on: 2023-06-15T00:15:18.792232+00:00