Author’s note: This take is written from the perspective that quantum threats to elliptic curve cryptography could be closer than publicly acknowledged. Perhaps I will publish a follow-up that presents the reasons.
Bitcoin began as a social experiment in cryptography
In the pre-2014 days, builders on Bitcoin didn't wait around for Core signature standards. Code was shipped and real-world battle-tested with fingers crossed. The Core devs had in effect taken a paradoxically cautious yet bold approach: There is a better chance to reach proper standards if they emerge from actual usage than if attempts are made to guess and impose them upfront.
After years of chaos, broken wallets, ownership-impacting incidents, and hard-earned lessons, the dust finally settled into some solid standards we rely on today. Given all that transpired, the relatively scant adoption during that early time turned out to be a blessing.
Now, fifteen years into Bitcoin’s life, with wider adoption, higher valuation, and a positive global reputation, we have interestingly spiraled 360 degrees back towards the bleeding edge of chaos. This time it takes the form of accommodating post-quantum cryptography (PQC). The question isn’t if quantum computing can become a threat, but how Bitcoin can adapt in time while leaving room for proper standards to emerge. Devs must account for the fact that these newer cryptographic algorithms have arguably not reached sufficient battle-tested status at the hands of academia, much less the real world.
Enter BIP-360. The “break-glass” plan for Bitcoin’s early-phase post-quantum era, an ongoing effort to strike a happy medium between rigidity and flexibility.
What BIP-360 is (and isn’t)
Instead of a new signature standard, BIP-360 is a framework. The “concrete scaffolding” that developers hope will be ready at least before that inevitable great and potentially terrible day when the public becomes aware that ECDSA got popped by quantum. Think of this BIP currently as a proposed set of hooks in consensus that will help future-proof the protocol to loosely support PQC without forcing builders to use a particular post-quantum algorithm.
The current draft splits it into two:
- P2QRH – Pay-to-Quantum-Resistant-Hash. Basically, script glue that lets you move coins behind a hash commitment compatible with PQC.
- A future companion BIP will describe the actual post-quantum signatures once the dust settles between FALCON (currently in the lead), SPHINCS+, CRYSTALS-Dilithium, and whatever else survives the cryptanalytic battle.
BIP-360’s P2QRH is a fire escape. A hatch nobody wants to use out of necessity, but when the smoke comes, if it’s there, you’ll be glad if you’re able to use it correctly.
History rhymes
But now with fame, AI, better hardware, and higher stakes.
From 2010 to 2014, Bitcoin was running wild. Fewer standards, more trial and error. It was a time rife with Android wallet bugs (e.g. bad SecureRandom), reused nonces, and deterministic-signing wars. Many wallets were signing ECDSA with PRNGs so pathetically weak (or non-existent) that host environments could be cloned or simple formulas used to pull private keys like loose threads. In all, many wallet owners became victims, including some exchanges. Blood-letting was how today’s standards and best practices were earned.
Now let’s shift to a realistic near future. Let’s say oncoming quantum circumstances dictate break-glass implementations. Builders roll their own PQC stacks through a framework before standards solidify. We get creativity and real battle-testing at the cost of fragmentation that fosters a potentially prolific garden bed of vulnerabilities, but with some very important differences from before. A new environment and threat surface.
And with Bitcoin’s adoption, valuation and reputation much greater than before, so are the stakes.
Deliberately loose
BIP-360 is both genius and cursed, and whatever state it’s in, it may end up being the only sane option we have. Lock in standards prematurely and the whole thing could break before China bans Bitcoin again. On the other hand, stay too loose and you get something akin to – and potentially more impactful than – the original signature-malleability mess.
Some engineers in academia call the loose approach future-proofing and avoiding premature optimization, but relative old-timers like me call doing this with heavily adopted systems “lighting a match in a fireworks factory.” Don’t get me wrong. I feel positive about achieving and maintaining anti-fragility through social experimentation, cost acknowledged. I’m up for it. If I stand back far enough the fireworks make for a good show. When it comes down to it, the event stream might determine there isn’t a choice anyway.
Past lessons to always drag forward
- Novelty is sacred. Bad “randomness” can kill faster than bad math.
- Consensus dies by inconsistency. Two clients disagreeing on serial layout is all it takes.
- Standards are written postmortem. The beginnings of BIP-62 and SegWit can be likened to autopsies of a mutant life-form that had an accident.
Keep that wisdom close, but also understand that PQC and the zeitgeist bring a new class of demons.
The new threat surface
PQC isn’t exactly elegant. For Bitcoin it means a soup of algorithms variously involving lattices, polynomials, and rejection sampling loops that will displace ECDSA.
- Algorithmic fragility: one bright grad student cracks a lattice and that entire keyspace collapses.
- Signature bloat: each signature can swell many times larger than current ones (potentially many kilobytes vs. a mere 71 bytes). Ballooning mempools and the chain footprint can significantly increase the burden that nodes and the network must shoulder. This translates to more friction and higher cost for decentralization.
- Hybrid downgrade traps: wallets that try to support both classical and quantum signatures risk getting tricked into the weaker path.
- Consensus landmines: flexible formats can mean misalignment bugs, parsing edge cases, and a redux of the old signature-malleability days.
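To make the hash-commitment idea behind P2QRH and the signature-bloat point concrete, here is an added toy example (my own code, not BIP-360’s script, not any proposed signature BIP): a Lamport hash-based one-time signature whose public key is hidden behind a 32-byte hash commitment, revealed and checked only at spend time. Every name here is illustrative; `witness_bytes` shows how far the on-chain footprint is from a 71-byte ECDSA signature, and `secrets_exposed` shows why a one-time key must never sign twice, echoing the novelty lesson above.

```python
import hashlib
import os

H = lambda b: hashlib.sha256(b).digest()
N = 256  # digest bits: one secret pair per message bit

def keygen():
    """Lamport one-time key: 256 pairs of 32-byte secrets; public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def commit(pk):
    """Hash commitment to the full PQ public key; only this 32-byte value sits in the output
    (illustrative stand-in for a P2QRH-style commitment, not the BIP's actual encoding)."""
    return H(b"".join(a + b for a, b in pk))

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, msg):
    """Reveal one secret per message bit. Signing twice with one key leaks the other halves."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(commitment, pk, msg, sig):
    """Spend-time check: the revealed pk must match the on-chain commitment, then every
    revealed secret must hash to the pk half selected by the corresponding message bit."""
    if len(pk) != N or len(sig) != N or commit(pk) != commitment:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def witness_bytes(pk, sig):
    """Bytes a spender must reveal on chain (pk + sig); compare with ~71 bytes for ECDSA."""
    return sum(len(a) + len(b) for a, b in pk) + sum(len(s) for s in sig)

def secrets_exposed(sig_a, sig_b):
    """Positions where two signatures from one key reveal both halves of a secret pair,
    i.e. the number of message bits an adversary could now forge at will."""
    return sum(1 for a, b in zip(sig_a, sig_b) if a != b)
```

Here pk plus signature is 24,576 bytes for a single spend, which is the bloat the list above warns about; real PQ candidates differ in size, but none are anywhere near 71 bytes.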
Where things stand
“🌞 Good morning. The threat clock doesn’t care if the code isn’t ready. Have a nice day. 🙂”
- BIP-360 is still a draft. No merge or activation, still solidifying.
- SQIsign axed for performance and DoS risk. Moved on to hash-based scaffolding.
- ~25% of all BTC already sits behind pubkeys that are particularly ripe for “harvest now, decrypt later”; low-hanging fruit for a shadow-institutional quantum adversary.
- My take on community mood: a minority with the express smarts for urgency, many in disbelief, and shills who flippantly deny the seriousness who probably want to dump on oblivious bystanders.
The storage nightmare
Bitcoin’s ideal post-quantum future probably should look more modular than monolithic.
This is a bit of an aside, but worth a brief mention. A few kilobytes per PQC signature doesn’t sound bad until you multiply by any reasonable demand projection. 20 KB? Fuhgeddaboudit.
Even if there is some grand breakthrough in cost-effective storage technology in the near future, it shouldn’t be an excuse to neglect good architecture and code. Approaching the next era, expect a lot more discussion around ZK, off-chain proof stores and Merkle-aggregated commitments. Validation math on-chain and bytes pushed elsewhere.
Last call
BIP-360 gives the Bitcoin community a blueprint for post-quantum survival.
Whether it gets developed, adopted and used properly before it’s too late is the social layer’s problem.
Centralized solutions can adapt and move comparatively fast. Can Bitcoin’s open network make it in time?
Quantum computing doesn’t care about ideologies. Perhaps we’d do well to think about how to prepare for Bitcoin’s next big social experiment: the PQC wild west.
Support the Author
BTC: bc1qsmlpjg8n24m4ufnvd2tsgutuc0cpy4a04jrwml
