A new quantum-safe transaction scheme for Bitcoin achieves approximately 118-bit second pre-image resistance against attacks leveraging Shor’s algorithm, despite relying on the pre-image resistance of the RIPEMD-160 hash function. Developed by Avihu Mordechai Levy of StarkWare, the QSB scheme modifies an existing construction, replacing its non-quantum-safe component, a signature-size-based proof-of-work puzzle, with a hash-to-sig puzzle. Remarkably, implementation of this quantum-resistant layer is estimated to cost only a few hundred dollars in off-chain GPU resources. The scheme fits within Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes, meaning it can be deployed without requiring a network-altering soft fork.
Quantum-Safe Bitcoin: QSB Scheme Introduction
A scheme promises to shield Bitcoin transactions from quantum computing threats without requiring a network-altering soft fork. StarkWare’s QSB scheme, detailed by Avihu Mordechai Levy, addresses the vulnerability of Bitcoin’s signature schemes, ECDSA and Schnorr, to attacks from sufficiently powerful quantum computers. This is notable because RIPEMD-160 is considered a relatively weak hash, yet QSB achieves approximately 118-bit second pre-image resistance under the Shor threat model, roughly half under Grover’s algorithm. Levy explains that the scheme fits within Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes, avoiding the complexities of a network upgrade. The implementation cost is surprisingly low; estimates suggest an off-chain GPU cost of a few hundred dollars to implement the quantum resistance, a figure that dramatically undercuts expectations for the expense of post-quantum cryptography. QSB derives a cryptographically strong identifier of the spending transaction and verifies a Lamport signature over that identifier.
However, the scheme isn’t without limitations. Levy cautions that it should be considered a last-resort measure due to scaling issues and a more complex user experience for transaction generation, and it does not yet fully cover all Bitcoin use cases, such as Lightning Network channels. He states that improvements can be made on all three fronts, emphasizing the need for continued research toward a more efficient and user-friendly solution through protocol-level changes.
Binohash Foundation & Transaction Identifiers
The pursuit of quantum-resistant cryptography for Bitcoin has yielded several approaches, but many require substantial protocol changes or introduce significant performance overhead. QSB takes a different route: it modifies the earlier Binohash construction, addressing that construction’s vulnerabilities related to signature size checks and sighash flag uncertainty. QSB replaces a potentially exploitable proof-of-work puzzle, reliant on signature size, with a “hash-to-sig puzzle” that relies on the pre-image resistance of the RIPEMD-160 hash function. “We replace the signature-size-based PoW puzzle with a hash-to-sig puzzle,” explains Levy, describing the core change. The scheme fits within Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes.
StarkWare’s Avihu Mordechai Levy is addressing a critical vulnerability in Bitcoin’s fundamental transaction structure, focusing on the quantum threat to ECDSA and Schnorr signatures. While existing constructions like Binohash offer partial solutions, Levy’s Quantum Safe Bitcoin (QSB) scheme represents a refinement designed to operate within the stringent limitations of Bitcoin’s legacy script constraints. A key innovation lies in replacing the non-quantum-safe component, the signature-size-based proof-of-work puzzle, with a hash-to-sig puzzle.
We present QSB, a Quantum Safe Bitcoin transaction scheme that requires no changes to the Bitcoin protocol and remains secure even in the presence of Shor’s algorithm.
Developed by StarkWare, this approach, dubbed QSB, sidesteps the need for a Bitcoin soft fork by operating within Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes. Neither Binohash nor QSB can use Taproot or SegWit, which restricts both to legacy script execution, yet QSB still functions within these limits. The scheme also incorporates “bonus keys” to make the most of the tight opcode budget, further improving its practicality.
Signature Size PoW Puzzle Weaknesses
It is often assumed that hardening Bitcoin against quantum attackers requires complex, future-proof solutions. The QSB write-up, however, points out a surprising vulnerability within existing proof-of-work puzzles, a weakness exploitable even with relatively modest computational resources. The core issue lies in reliance on signature size checks, specifically the assumption of a minimum r value within ECDSA signatures. An adversary with quantum computing capabilities could circumvent this check by computing a signature with the smallest possible r value, equal to one, effectively breaking the puzzle for all transactions created with the current minimum. This vulnerability, detailed by Avihu Mordechai Levy of StarkWare, isn’t merely theoretical; it highlights a critical flaw in schemes like Binohash that depend on signature size rather than on specific ECDSA characteristics. “Once r = 1 is found, it could be used going forward to strengthen these schemes,” Levy notes, “But all transactions created before that point, using the current rmin, would be vulnerable.” Addressing this requires a shift away from signature-size-based puzzles, which QSB achieves by using a hash-to-sig puzzle that depends solely on the pre-image resistance of RIPEMD-160.
We believe improvements can be made on all three fronts, though it would not be the most straightforward path. To the extent that the quantum threat is believed to be real, it remains necessary to continue the ongoing effort to research and implement the best possible solution for Bitcoin, one that is maximally efficient, user-friendly, and answers Bitcoin’s needs, through protocol-level changes.
RIPEMD-160 Hash-to-Sig Puzzle Implementation
This isn’t simply about repurposing an existing hash; the construction fundamentally alters how transaction identifiers are created and verified on the Bitcoin network. The scheme hashes a transaction-bound public key via RIPEMD-160 and checks whether the output is a valid DER signature, an event with probability of approximately 2^-46. The estimated off-chain GPU cost of a few hundred dollars contrasts sharply with the often-prohibitive expenses associated with other proposed quantum-resistant solutions. Avihu Mordechai Levy explains that the modification addresses issues present in earlier schemes, specifically replacing a signature-size-based proof-of-work puzzle with this hash-to-sig approach, and eliminating uncertainty around the sighash flag.
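The puzzle predicate described above, as an added illustration rather than code from Levy’s QSB write-up: it assumes that “valid DER signature” means Bitcoin’s BIP66 strict encoding with a trailing sighash byte pinned to SIGHASH_ALL, and the 20-byte digest used in the test is constructed by hand, not a real hash output.

```python
import hashlib

# Added illustration, not code from the QSB write-up. The page describes the
# hash-to-sig puzzle as: hash a transaction-bound public key with RIPEMD-160 and
# check whether the 20-byte digest is a valid DER signature. Assumed here:
# "valid DER" is Bitcoin's BIP66 strict encoding (0x30 SEQUENCE holding two
# minimally encoded positive INTEGERs) plus a sighash byte fixed to SIGHASH_ALL.
# The exact rule set QSB enforces in script may differ.

SIGHASH_ALL = 0x01


def is_strict_der(sig: bytes) -> bool:
    """BIP66 IsValidSignatureEncoding, plus a SIGHASH_ALL check on the last byte."""
    n = len(sig)
    if n < 9 or n > 73:                       # 30 len 02 lenR R 02 lenS S sighash
        return False
    if sig[0] != 0x30 or sig[1] != n - 3:     # SEQUENCE length excludes 3 bytes
        return False
    len_r = sig[3]
    if 5 + len_r >= n:                        # lenS byte must lie inside sig
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != n:                # R and S must fill the buffer exactly
        return False
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:
        return False                          # R: INTEGER tag, non-empty, non-negative
    if len_r > 1 and sig[4] == 0x00 and not (sig[5] & 0x80):
        return False                          # R: no superfluous leading zero
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:
        return False                          # S: INTEGER tag, non-empty, non-negative
    if len_s > 1 and sig[len_r + 6] == 0x00 and not (sig[len_r + 7] & 0x80):
        return False                          # S: no superfluous leading zero
    return sig[-1] == SIGHASH_ALL


def ripemd160(data: bytes) -> bytes:
    # Requires an OpenSSL build that still exposes RIPEMD-160 through hashlib.
    return hashlib.new("ripemd160", data).digest()


def puzzle_hit(pubkey: bytes) -> bool:
    """One off-chain trial: does RIPEMD-160(pubkey) parse as a valid signature?"""
    return is_strict_der(ripemd160(pubkey))


# Constructed 20-byte digest shaped as a hit (hypothetical, not a real hash):
# 30 11 | 02 06 <6-byte R> | 02 07 <7-byte S> | 01 (SIGHASH_ALL)
HIT_DIGEST = bytes.fromhex("3011" "0206" "7f0102030405" "0207" "7e060504030201" "01")

if __name__ == "__main__":
    print("constructed digest passes:", is_strict_der(HIT_DIGEST))
    print("sample pubkey hits:", puzzle_hit(b"\x02" + bytes(32)))
```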
Addressing Sighash Flag Uncertainties
Beyond the immediate threat to Bitcoin’s signature schemes, vulnerabilities surrounding the sighash flag present a subtle but significant challenge to quantum-resistant transaction designs. Existing quantum-safe proposals, including those building on Linus’ Binohash construction, initially grappled with uncertainties stemming from the sighash flag’s limited visibility within Bitcoin Script. These flags dictate which parts of a transaction are signed, and ambiguity could allow an attacker to manipulate the transaction details even with a quantum-resistant signature in place. Specifically, earlier iterations identified “ANYONECANPAY|NONE” as a potential attack vector, capable of undermining the security guarantees of the scheme. The scheme eliminates the sighash flag uncertainty because the puzzle’s signature is hardcoded with SIGHASH_ALL. This modification ensures a consistent and verifiable transaction identifier, preventing malicious alterations. The team’s approach doesn’t simply patch a vulnerability; it fundamentally alters the security profile by removing a degree of freedom for attackers.
This is achieved without increasing the computational burden or exceeding Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes. The resulting scheme achieves approximately 118-bit second pre-image resistance, at an estimated off-chain GPU cost of a few hundred dollars. This targeted solution demonstrates a pragmatic approach to fortifying Bitcoin against future cryptographic challenges.
StarkWare’s Avihu Mordechai Levy is tackling the challenge of quantum-resistant Bitcoin transactions with a scheme designed to function within the network’s existing limitations. Its estimated off-chain cost of a few hundred dollars contrasts sharply with the often-assumed high costs of implementing post-quantum cryptography. The current implementation provides a functional pathway toward mitigating the quantum threat without necessitating a disruptive soft fork.
The viability of quantum-safe Bitcoin transactions without a network-wide upgrade hinges on practical considerations beyond cryptographic strength, as demonstrated by the QSB scheme. “The user experience for generating the transaction is more complex than standard Bitcoin usage,” explains Avihu Mordechai Levy of StarkWare, highlighting a potential impediment to widespread adoption. The scheme does not yet cover all Bitcoin use cases; integration with the Lightning Network, for example, remains an open problem.