This function allows wallets to manage P2QRH addresses and outputs while accommodating multiple public keys of varying
267
-
lengths, such as in multisig schemes, while keeping the public keys hidden until the time of spending. At a minimum,
268
-
there should be two public keys in a P2QRH output: one key that makes use of classical cryptography, and one that makes use
269
-
of a PQC algorithm chosen within the wallet.
265
+
Where:
266
+
267
+
* <code>threshold</code> is an integer specifying the minimum number of signatures required
268
+
* <code>keytype</code> is the hex value representing the key type (0x01 for secp256k1, 0x02 for FALCON-512, 0x04 for CRYSTALS-Dilithium Level I, 0x08 for SPHINCS+-128s)
269
+
* <code>[hash1, hash2, ...]</code> is an array of HASH256 hashes of public keys for the corresponding algorithm type
This represents a 3-of-5 multisig for each key type, with a total of 20 keys: 5 keys per type (3 full public keys and 2
279
+
hashes) across 4 different key types.
280
+
281
+
Internally, the descriptor computes the HASH256 of the concatenated HASH256 of all the quantum-resistant public keys,
282
+
with the threshold and key type bitmask prepended. For each key in the descriptor:
283
+
284
+
- If it is already a hash (indicated in the descriptor), it is used directly
285
+
- If it is a public key, HASH256 is applied to it first
286
+
287
+
This approach ensures that all items in the vector are HASH256 values, whether they originated from raw public keys or
288
+
were provided as hashes. During spending, this allows for selective disclosure of public keys, where some keys can
289
+
remain hidden (represented only by their hashes) while others are fully revealed with their corresponding public keys.
290
+
This flexibility is particularly valuable in multisig schemes where not all keys need to be revealed to satisfy the
291
+
threshold requirement. At a minimum, there should be two different key types in a P2QRH output: one key that makes use
292
+
of classical cryptography, and one that makes use of a PQC algorithm chosen within the wallet.
293
+
294
+
Also, it's important to note that order of keys and hashes in the descriptor matters and is based on the original
295
+
public key values, in addition to the key type. Additionally, qrh() does not compile to script, but instead, describes
296
+
what's needed to compute the scriptPubKey hash commitment and also to reveal the attestation needed to spend the
297
+
output.
270
298
271
299
=== Address Format ===
272
300
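Review bot: The added ordering paragraph ("order of keys and hashes in the descriptor matters and is based on the original public key values, in addition to the key type") does not define a sort that every wallet can reproduce. Entries may be supplied as hashes only, and a wallet holding just the HASH256 cannot place that entry by its original public key value. Either define the order over the HASH256 values, or state that the descriptor must list entries already in commitment order and that parsers must not re-sort them. The commitment sentence also needs tightening: it hashes "all the quantum-resistant public keys", yet keytype 0x01 is secp256k1 and the same text asks for a classical key type in every output, so say explicitly whether classical keys are part of the vector. The byte width and encoding of the prepended threshold and key type bitmask are not given, and with the example described as 3-of-5 for each key type it is unclear whether one threshold or one per type is committed.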
@@ -686,7 +714,7 @@ seeds to act as the authoritative secret when signing. These measures are deemed
686
714
687
715
To help implementors understand updates to this BIP, we keep a list of substantial changes.
688
716
689
-
* 2025-03-18 - Correct inconsistencies in commitment and attestation structure. Switch from merkle tree commitment to sorted vector hash commitment.
717
+
* 2025-03-18 - Correct inconsistencies in commitment and attestation structure. Switch from merkle tree commitment to sorted vector hash commitment. Update descriptor format.
690
718
* 2025-03-12 - Add verification times for each algorithm. 256 -> 128 (NIST V -> NIST I). Add key type bitmask. Clarify multisig semantics.
691
719
* 2025-02-23 - More points of clarification from review. Update dead link.
692
720
* 2025-01-20 - Remove SQIsign from consideration due to significant performance concerns. Refactor language from long-range attack to long-exposure so as to not be confused with the language around block re-org attacks.
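Review bot: "Update descriptor format." appended to the 2025-03-18 entry does not tell an implementor what changed in the descriptor. Name the affected elements, such as the threshold, keytype and hash-array fields listed in the qrh() section of this same commit, so that someone who implemented the earlier descriptor text can tell whether their parser needs updating.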