Published on: 2021-07-09T23:25:06+00:00
The implementation of Winternitz signatures in Bitcoin is not straightforward due to the lack of a limited-repeat construct in SCRIPT. However, it can be emulated using `OP_IF` and brute force, although this would result in a more complex and longer SCRIPT. Winternitz signatures offer smaller signature sizes but require more instructions in SCRIPT. Merkle signatures, on the other hand, trade shorter pubkeys for longer signatures, which is not advantageous in the post-SegWit Bitcoin context where both pubkeys and signatures are stored in the witness area.Jeremy Rubin proposed using OP_CAT or a similar operation to make Bitcoin "quantum safe" by signing an EC signature. This scheme uses Lamport signatures, which are quantum secure but require at least 20 contiguous bytes. To implement Winternitz, a limited-repeat construct is needed, but it is not available in SCRIPT. The commitment scheme in Taproot allows secure opening of the commitment to a message even with a quantum computer. Additionally, Schnorr signatures have a stronger non-malleability property than ECDSA, making them binding to the approved transaction. Once Lamport signed in Schnorr, even a quantum computer cannot steal the funds.Ethan Heilman suggested using Winternitz one-time signatures or OP_CAT to compress Lamport signatures and make Bitcoin "quantum safe". Jeremy Rubin explored using OP_CAT for signing EC signatures in Segwit V0 and Tapscript. Rubin's proposal involves signing a HASH160 digest of the signature, which is resistant to quantum computers even if they crack ECDSA keys. The script required for this approach is long but fits within the program space and stack size limits for Bitcoin scripts. Rubin suggests that expanding to a ternary representation could further reduce the cost.ZmnSCPxj responded to Rubin's proposal, noting that while Lamport signatures are resistant to quantum computing, they are large in size. ZmnSCPxj suggested using Winternitz OTS instead, but it requires a limited-repeat construct not available in SCRIPT. Merkle signatures trade shorter pubkeys for longer signatures, which is a loss compared to Lamport in the post-SegWit Bitcoin context. ZmnSCPxj also pointed out that OP_CAT cannot be directly soft-forked to Segwit V0 because it modifies the stack, requiring a new opcode. Taproot and Schnorr signatures are mentioned as potential options for making Bitcoin quantum-proof.A proposal has been made to use Lamport signatures to sign longer messages in Bitcoin script arithmetic and make it quantum-proof. However, Lamport signatures are too large for the current block size limit. It may be possible to compress them using Winternitz OTS or OP_CAT to build a merkle tree and derive the full signature during script execution from shorter seed values. Rubin's construction uses an OP_CAT-like operation to sign up to 20 bytes, combined with the HASH160 digest, to create a "quantum safe" signature algorithm. The commitment scheme in Taproot can nest this script inside a Tapscript path, adding more security. More analysis is needed to ensure the security against quantum computers before using it in production.Jeremy Rubin proposed using an OP_CAT operation to sign an EC signature and make Bitcoin "quantum safe". The construction uses Lamport signatures, which are quantum secure but require at least 20 contiguous bytes. The commitment scheme can nest inside a Tapscript path, providing additional security. Schnorr signatures are mentioned as having a stronger non-malleability property than ECDSA. The large size of Lamport signatures raises questions about their implementation.In his blog post, Jeremy Rubin explains how OP_CAT or a similar operation can be used to make Bitcoin "quantum safe" by signing an EC signature. This approach works in both Segwit V0 and Tapscript. By signing the HASH160 digest of the signature, even if a quantum computer cracks ECDSA, it cannot malleate the content of what was signed. Lamport signatures are mentioned as a 5-byte signing scheme that is quantum secure but requires at least 20 contiguous bytes. Rubin suggests using a new opcode, OP_SUBSTRINGEQUALVERIFY, to check a splice of a string for equality. The script fits within the limits, and expanding to a ternary representation could make it more efficient. The commitment scheme in Taproot can be securely opened to a message even with a quantum computer. Additionally, Schnorr signatures have a stronger non-malleability property than ECDSA, making them binding to the approved transaction. Many Lamport keys can be committed inside a taproot tree to make keys reusable.In summary, there have been proposals to use Winternitz signatures, OP_CAT, and other methods to make Bitcoin quantum-proof. These approaches aim to enhance security against quantum computers by using quantum-secure signatures and alternative operations. However, there are challenges such as limited-repeat constructs, size limitations, and the need for further analysis.
Updated on: 2023-08-02T04:22:34.747297+00:00