Quick clarification on what this DOES and DOESN'T do:
DOES NOT: Make Bitcoin consensus quantum-secure
- On-chain, your TX is still 100% BIP-340 Schnorr
- A quantum attacker who breaks secp256k1 could still spend on-chain
- This is NOT a consensus change proposal
DOES: Provide quantum resistance at the wallet/custody layer
- Defence-in-depth: Attacker needs BOTH your Schnorr key AND your PQ key
- Quantum insurance: If Bitcoin soft-forks to PQ, your PQ attestations prove ownership
- "Harvest now" resistance: Recording your transactions today doesn't help future decryption
- Policy enforcement: Custody can require dual-sig validation before broadcast
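Added example, not code from the post or its project: a minimal wallet-layer dual-signature gate in Python. The on-chain half is a pure-Python BIP-340 Schnorr sign/verify over secp256k1; the post-quantum half is a Lamport one-time hash-based signature, used here as a stand-in for ML-DSA/Falcon so the block runs with the standard library alone (an assumption). The `custody_gate` function, the attestation dict layout and the 32-byte "sighash" are also assumptions, not the project's PSBT format or a real BIP-341 sighash.

```python
"""Wallet/custody gate: release a transaction only if BOTH a BIP-340 Schnorr
signature and a post-quantum signature verify over the same sighash.
Assumptions: Lamport OTS stands in for ML-DSA/Falcon; the sighash is constructed."""
import hashlib
import secrets

# --- BIP-340 Schnorr over secp256k1, pure-Python reference arithmetic ---
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    if p1[0] == p2[0] and p1[1] != p2[1]: return None
    if p1 == p2: lam = 3 * p1[0] * p1[0] * pow(2 * p1[1], -1, P) % P
    else: lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], -1, P) % P
    x3 = (lam * lam - p1[0] - p2[0]) % P
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P)

def _mul(pt, k):  # double-and-add scalar multiplication (not constant-time)
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _tagged(tag, data):  # BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def _lift_x(x):  # x-only pubkey -> point with even y, or None if not on the curve
    if x >= P: return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if pow(y, 2, P) != y_sq: return None
    return (x, y if y % 2 == 0 else P - y)

def schnorr_pubkey(seckey):  # 32-byte x-only public key
    return _mul(G, int.from_bytes(seckey, "big"))[0].to_bytes(32, "big")

def schnorr_sign(msg32, seckey, aux32):
    d0 = int.from_bytes(seckey, "big")
    pt = _mul(G, d0)
    d = d0 if pt[1] % 2 == 0 else N - d0  # negate so the pubkey has even y
    pk = pt[0].to_bytes(32, "big")
    t = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), _tagged("BIP0340/aux", aux32)))
    k0 = int.from_bytes(_tagged("BIP0340/nonce", t + pk + msg32), "big") % N
    r_pt = _mul(G, k0)
    k = k0 if r_pt[1] % 2 == 0 else N - k0
    r = r_pt[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged("BIP0340/challenge", r + pk + msg32), "big") % N
    return r + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(msg32, pubkey, sig):
    if len(sig) != 64: return False
    pt = _lift_x(int.from_bytes(pubkey, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N: return False
    e = int.from_bytes(_tagged("BIP0340/challenge", sig[:32] + pubkey + msg32), "big") % N
    rp = _add(_mul(G, s), _mul(pt, N - e))  # R = s*G - e*P
    return rp is not None and rp[1] % 2 == 0 and rp[0] == r

# --- Lamport one-time signature over SHA-256 (hash-based, quantum-resistant) ---
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg32):
    v = int.from_bytes(hashlib.sha256(msg32).digest(), "big")
    return [(v >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(msg32, sk):  # reveals one preimage per bit: never reuse the key
    return [sk[i][b] for i, b in enumerate(_bits(msg32))]

def lamport_verify(msg32, pk, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg32))))

# --- Custody policy: refuse broadcast unless BOTH signatures verify ---
def custody_gate(sighash, att):
    """att is a hypothetical attestation dict; returns (ok, reason)."""
    if not schnorr_verify(sighash, att["schnorr_pk"], att["schnorr_sig"]):
        return False, "Schnorr signature invalid"
    if not lamport_verify(sighash, att["pq_pk"], att["pq_sig"]):
        return False, "PQ attestation invalid"
    return True, "broadcast permitted"

def demo():
    sighash = hashlib.sha256(b"constructed sighash stand-in").digest()  # constructed input
    sk = (secrets.randbelow(N - 1) + 1).to_bytes(32, "big")
    lsk, lpk = lamport_keygen()
    good = {"schnorr_pk": schnorr_pubkey(sk),
            "schnorr_sig": schnorr_sign(sighash, sk, secrets.token_bytes(32)),
            "pq_pk": lpk, "pq_sig": lamport_sign(sighash, lsk)}
    shor_only = dict(good, pq_sig=[bytes(32)] * 256)  # attacker has the EC key, no PQ key
    other = hashlib.sha256(b"a different transaction").digest()  # replay target
    return {"honest": custody_gate(sighash, good)[0],
            "schnorr_only": custody_gate(sighash, shor_only)[0],
            "pq_only": custody_gate(sighash, dict(good, schnorr_sig=bytes(64)))[0],
            "replayed": custody_gate(other, good)[0]}
```

Running `demo()` shows the policy the DOES list describes: the honest attestation passes, an attacker who recovered the secp256k1 key (the Shor case) but holds no PQ key is refused, a PQ-only attestation is refused, and a harvested attestation replayed against another transaction's sighash fails because both signatures are bound to the original sighash. Note what stays unchanged: the transaction that eventually reaches the network still carries only the Schnorr signature, so the gate is wallet-layer policy, not consensus. Lamport keys are strictly one-time (a fresh PQ keypair per sighash), which is a usability cost ML-DSA and Falcon do not have.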
The security gap this addresses:
Standard Taproot:
- Quantum security: ~0 bits (Shor's algorithm breaks ECDLP)
- Current estimates: 2330 logical qubits needed, achievable 2030-2040+
PQ-PSBT Hybrid (wallet layer):
- ML-DSA-65: ~128-bit post-quantum (NIST Level III)
- ML-DSA-87: ~192-bit post-quantum (NIST Level V)
- Falcon-512: ~103-bit post-quantum (NIST Level I)
- Falcon-1024: ~230-bit post-quantum (NIST Level V)
Threat model improvement:
- Classical attacker today: 0× (secp256k1 already secure)
- Quantum attacker (on-chain): 0× (consensus still Schnorr)
- Quantum attacker (wallet/custody): ∞ (goes from ~0-bit to 128-230-bit)
- Soft-fork migration: Priceless (cryptographic ownership proof)
Technical achievements:
- 136/136 tests passing
- BIP-341 compliance, 4 PQ algorithms, security
- Real crypto: coincurve (libsecp256k1), bech32, pqcrypto (NIST C)
- Zero mocks, full BIP-341 sighash implementation
Performance:
- ML-DSA-65: 0.5ms sign, 3,309B sigs
- Falcon-512: 3.2ms sign, 657B sigs
Built this to answer:
1. What's the real integration cost? (Answer: ~0.5-3ms overhead)
2. Is wallet-level PQ enforcement viable? (Answer: Yes, today)
3. Could this inform future Bitcoin soft-forks? (Answer: Reference impl)
Not seeking funding. Looking for:
- Cryptographic review
- Academic collaboration
- Performance feedback
The "harvest now, decrypt later" threat is real - this is one approach to quantum insurance while Bitcoin consensus evolves.
Happy to answer questions.