[BIP] P2WOTS: 64 Slot Winternitz UTXO's (witness version three)
46 views
Skip to first unread message
opus lux
Jun 8, 2026, 6:12:48 PM (yesterday) Jun 8
to bitco...@googlegroups.com
Hi all,
I's like to officially propose P2WOTS (Pay-to-Winternitz-One-Time-Signature), a new native Bitcoin output type using witness version three. It provides post quantum security using only SHA-256 and contains no elliptic curve key material anywhere.
The 34 byte scriptPubKey commits to a Merkle Key Tree over 64 independent WOTS+ one time key pairs.
This construction directly solves the WOTS+ one time signing limitation, each spend consumes a fresh independent slot key, making address reuse safe without ever violating the one time property.
BIP draft PR:
Looking forward to technical feedback from the community.
Regards,
Opus Lux
Nagaev Boris
Jun 8, 2026, 6:35:02 PM (yesterday) Jun 8
to opus lux, bitco...@googlegroups.com
Hi Opus Lux,
Thanks for working on this!
What do you think about SHRINCS signature scheme?
https://github.com/BlockstreamResearch/shrincs-specification
https://github.com/BlockstreamResearch/shrincs-cpp/ - C++ implementation
https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatures-with-static-backups/2158/
It uses an asymmetric tree, saving signature size for lower indices,
putting the leaves closer to the Merkle root. Also it includes a
stateless fallback to SPHINCS+ in case a signer lost the state (the
slot counter). Also it utilizes a constant sum optimization in WOTS to
save some space on shrinking the sum digest.
Best,
Boris
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/LB_O7FqGG5kTYN96-MClXIl7retn-UyDlPQbVhVOnxlMO5i-h1Oq1NDhAkaZUqx--yeNW38X8p90IulPeSDLJzhJd5UwHYvFEzc8YhVWvtU%3D%40proton.me.
--
Best regards,
Boris Nagaev
Thanks for working on this!
What do you think about SHRINCS signature scheme?
https://github.com/BlockstreamResearch/shrincs-specification
https://github.com/BlockstreamResearch/shrincs-cpp/ - C++ implementation
https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-quantum-signatures-with-static-backups/2158/
It uses an asymmetric tree, saving signature size for lower indices,
putting the leaves closer to the Merkle root. Also it includes a
stateless fallback to SPHINCS+ in case a signer lost the state (the
slot counter). Also it utilizes a constant sum optimization in WOTS to
save some space on shrinking the sum digest.
Best,
Boris
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/LB_O7FqGG5kTYN96-MClXIl7retn-UyDlPQbVhVOnxlMO5i-h1Oq1NDhAkaZUqx--yeNW38X8p90IulPeSDLJzhJd5UwHYvFEzc8YhVWvtU%3D%40proton.me.
--
Best regards,
Boris Nagaev
opus lux
Jun 8, 2026, 7:21:05 PM (24 hours ago) Jun 8
to bitco...@googlegroups.com
To clarify, this proposal has been under active discussion on Delving Bitcoin for several weeks prior to this mailing list post. Including replies from Murch:
A live signet with full P2WOTS support is live for testing and a wallet demo can be interacted with from my website. I will resubmit the BIP pull request once sufficient mailing list discussion has taken place here as well.
Happy to answer any technical questions!
Regards,
Opus Lux
conduition
Jun 8, 2026, 8:58:30 PM (22 hours ago) Jun 8
to opus lux, bitco...@googlegroups.com
Including replies from Murch
...where he dipped out after accusing you of being a bot. Your delving thread OP even seems to include your LLM's thinking output 😂
In any case, this proposal is strictly worse than BIP360:
- It doesn't offer any flexibility with respect to gradual migration. The complete absence of usable EC spending paths would ensure absolutely nobody will migrate to it before Q-day, which is the whole goal of introduce a PQ address format today.
- The lack of scripting capability means Bitcoin would lose all the benefits of script after Q-day: no more lightning, no ARK, no DLCs, timelocks, covenants, etc.
- Where did the number 64 came from? What makes you think 64 signatures is enough? Or not too much?
- The proposal uses 256-bit hash functions, which is drastically overkill and results in signatures over 1 kilobyte. They could be much smaller if you use modern hash-based cryptography with tweaked hash functions as in SPHINCS.
- The proposal offers no solution for signers who need to create more than 64 signatures, or signers who cannot reliably track state.
- The "specification" is full of off-by-one typos, especially in security-critical array-indexing operators.
- You represent the 6-bit key index with a 32-byte witness element??
- The hash functions in the signing and verification algorithms appear to be different, so the scheme is probably not even correct, let alone sound.
- Many variables are not defined or explained.
- "Nobody watching the UTXO set knows: How many slots the tree contains..." Really? nobody knows how many slots there are? Even though the number of slots is a fixed constant?
If there is a human reading this reply, I recommend you first start by exploring the literature on hash-based cryptography before attempting to create a BIP for it. If you want to use AI to generate stuff cool, you do you, but make sure you can at least verify its output is reasonable.
regards,
conduition
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages