You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: bip-0360.mediawiki
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -113,7 +113,7 @@ The following output types are fundamentally vulnerable to long exposure attacks
113
113
* Reused outputs*
114
114
* Tapscript outputs (starts with bc1p)
115
115
116
-
\*Funds in P2PKH, P2SH, P2WPKH, P2WSH, and P2TSH outputs can become vulnerable to long exposure quantum attacks anytime their script reveals a public key.
116
+
<nowiki>*</nowiki> Funds in P2PKH, P2SH, P2WPKH, P2WSH, and P2TSH outputs can become vulnerable to long exposure quantum attacks anytime their script reveals a public key.
117
117
118
118
Note: Extended public keys, commonly known as "xpubs," and wallet descriptors also reveal quantum vulnerable public key information. For further clarification on quantum attack vectors, please refer to the [[#Glossary|Glossary of Terms]].
119
119
@@ -231,7 +231,7 @@ A P2TSH output is a native SegWit output (see [[bip-0141.mediawiki|BIP 141]]) wi
231
231
** If ''q ≠ r'', fail.
232
232
** Execute the script, according to the applicable script rules, using the witness stack elements excluding the script ''s'', the control block ''c'', and the annex ''a'' if present, as initial stack. This implies that for the future leaf versions (non-''0xC0'') the execution must succeed.
233
233
234
-
The steps above follow the script-path spend logic from [[bip-0341.mediawiki|BIP 341]] with the following changes:
234
+
The steps above follow the scriptpath spend logic from [[bip-0341.mediawiki|BIP 341]] with the following changes:
235
235
236
236
* The witness program is the taptree Merkle root and not a tweaked public key. This means that we skip directly to the BIP 341 spend path taptree Merkle tree validation.
237
237
* We compute the taptree Merkle root ''r'' and compare it directly to the witness program ''q''.
Thus, the P2TSH input would be 103 - 66 = 37 bytes larger than a P2TR key path spend input.
273
273
274
-
If the Merkle tree has more than a single leaf, then the Merkle path must be included in the control block, increasing the size by ''32 * m'' bytes. This would make such input 37 + 32 * m bytes larger than a P2TR key path spend input.<ref>If ''m >= 8'', then the compact size will use 3 bytes rather than 1 byte</ref>
274
+
If the Merkle tree has more than a single leaf, then the Merkle path must be included in the control block, increasing the size by ''32 * m'' bytes, where m is the depth of the Merkle tree. This would make such input 37 + 32 * m bytes larger than a P2TR key path spend input.<ref>If ''m >= 8'', then the compact size will use 3 bytes rather than 1 byte</ref>
275
275
276
276
P2TSH witness ''(103 + 32*m bytes)'':
277
277
@@ -322,7 +322,7 @@ Test vector data for creation of P2TSH UTXOs can be found [https://github.com/bi
322
322
323
323
These test vectors build off of the test vectors for [[bip-0341.mediawiki|BIP 341]] (Taproot). One important distinction is that the P2TSH test vectors do not include keypath spend scenarios.
324
324
325
-
Also included are test vectors in [https://github.com/bitcoin/bips/tree/master/bip-0360/ref-impl/rust rust implementation] and [https://github.com/bitcoin/bips/tree/master/bip-0360/ref-impl/python python implementation]. One of these tests demonstrates a tapleaf tapscript that requires a secp256k1 signature to spend the P2TSH UTXO (modeled after one of the extremely valuable examples provided by [https://learnmeabitcoin.com/technical/upgrades/taproot/#example-3-script-path-spend-signature this Taproot script-path spend example]. Similar to BIP 341 test vectors, all signatures are created with an all-zero (0x0000...0000) [[bip-0340.mediawiki|BIP 340]] auxiliary randomness array.
325
+
Also included are test vectors in [https://github.com/bitcoin/bips/tree/master/bip-0360/ref-impl/rust rust implementation] and [https://github.com/bitcoin/bips/tree/master/bip-0360/ref-impl/python python implementation]. One of these tests demonstrates a tapleaf tapscript that requires a secp256k1 signature to spend the P2TSH UTXO (modeled after one of the extremely valuable examples provided by [https://learnmeabitcoin.com/technical/upgrades/taproot/#example-3-script-path-spend-signature this Taproot scriptpath spend example]. Similar to BIP 341 test vectors, all signatures are created with an all-zero (0x0000...0000) [[bip-0340.mediawiki|BIP 340]] auxiliary randomness array.
326
326
327
327
==Related Work==
328
328
@@ -382,7 +382,7 @@ Tapscript-native output types are the category of output types that support taps
382
382
383
383
'''Pay-to-Tapscript-Hash (P2TSH)'''
384
384
385
-
A tapscript-native output type with nearly identical formatting to Pay-to-Taproot (P2TR), with the quantum-vulnerable key path spend removed.
385
+
A tapscript-native output type, similar to to Pay-to-Taproot (P2TR), but with the quantum-vulnerable key path spend removed.
386
386
387
387
==Footnotes==
388
388
@@ -394,11 +394,11 @@ To help implementers understand updates to this BIP, we keep a list of substanti
394
394
395
395
* 2025-09-17 - Rewrote BIP for clarity and renamed from P2QRH to P2TSH
396
396
* 2025-07-20 - Changed the Witness Version from 3 to 2.
397
-
* 2025-07-07 - P2QRH is now a P2TR with the vulnerable key-path spend removed. Number of PQ signature algorithms supported reduced from three to two. PQ signature algorithm support is now added via opcodes or tapleaf version.
397
+
* 2025-07-07 - P2QRH is now a P2TR with the vulnerable keypath spend removed. Number of PQ signature algorithms supported reduced from three to two. PQ signature algorithm support is now added via opcodes or tapleaf version.
398
398
* 2025-03-18 - Correct inconsistencies in commitment and attestation structure. Switch from Merkle tree commitment to sorted vector hash commitment. Update descriptor format.
399
399
* 2025-03-12 - Add verification times for each algorithm. 256 to 128 (NIST V to NIST I). Add key type bitmask. Clarify multisig semantics.
400
400
* 2025-02-23 - More points of clarification from review. Update dead link.
401
-
* 2025-01-20 - Remove SQIsign from consideration due to significant performance concerns. Refactor language from long-range attack to long exposure so as to not be confused with the language around block re-org attacks.
401
+
* 2025-01-20 - Remove SQIsign from consideration due to significant performance concerns. Refactor language from longrange attack to long exposure so as to not be confused with the language around block re-org attacks.
402
402
* 2024-12-18 - Assigned BIP number.
403
403
* 2024-12-13 - Update to use Merkle tree for attestation commitment. Update LR & SR quantum attack scenarios.
404
404
* 2024-12-01 - Add details on attestation structure and parsing.
0 commit comments