Giving teeth to expected EC disabling: P2XX(-T)(-ML)
169 views
Skip to first unread message
Pieter Wuille
Jun 25, 2026, 2:31:10 PM (3 days ago) Jun 25
to Bitcoin Development Mailing List
Hi all,
In parallel to the threads[1][2][3] discussing the P2TRv2 and P2MR
concepts, I'd like to talk about the possibility of codifying in the
consensus rules the (expectation of) the disabling of EC opcodes/paths
within the new output type.
The motivation for this is that while P2TRv2 has a "soft" built-in
expectation of a future softfork that will disable EC opcodes/paths (just
within the new output type itself) at the right time, its consensus rules
are identical to P2TR (with the exception of PQC opcodes, if those aren't
also added to P2TR). Plans and intent of protocol designers are one thing,
but the future ecosystem isn't beholden to those: the only certainty is the
adopted consensus rules themselves. Without confidence that the intended
disabling will happen, it becomes unclear what CRQC-resistance the P2TRv2
type offers. Meanwhile, P2MR as formulated doesn't need/have such an
expectation, but would still benefit from it, as users are otherwise
restricted to (IMO) extremely onerous restrictions on public key sharing.
To some extent, this is an unsolvable problem: we cannot codify plans that
depend on outside-world conditions like CRQCs existing. Still,
approximations exist which can be added as automatic triggers for this EC
disabling, along with the new output type itself:
* Tripwire (P2XX-T): use the presence of a NUMS point spend as trigger
(suggested by Tadge Dryja[4]).
Specifically, as part of the softfork definition, a NUMS point is
picked. Whenever a transaction is mined whose input contains a successful
"<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new
output type, as of the next block.
Note that the tripwire isn't intended as a replacement for the expected
future EC-disabling softfork; instead, it puts an upper bound on that
disabling.
* Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger
the disabling, allowing a faster reaction time to urgent CRQC threats.
Practically, this can be achieved by bundling the expected EC-disabling
softfork with the softfork that introduces the new output type, but
giving the disabling one a separate, and very long or infinite,
activation window. This means that in addition to expecting the future
ecosystem to decide when Q-day is too close, the hashrate majority is
allowed to make that call too. (suggested offline by Sjors Provoost)
* Combination (P2XX-T-ML): trigger EC disabling either through Tripwire, or
through Miner Lockdown.
I believe P2TR-T and P2MR-T are unambiguous improvements over P2TRv2 and
P2MR respectively. This is because:
* With Tripwire, anyone with a CRQC can, without permission, disable the EC
paths/opcodes in the new output type for everyone. Because of that
possibility, disabling is something all users of the new output type need
to be prepared for at all times, and thus the later EC-disabling softfork
cannot be considered confiscatory. That could otherwise be a reason to
oppose the future EC-disabling softfork.
Consider P2TR and P2TRv2. If there are no differences in consensus rules
between them, it is worth asking why the future ecosystem should be
expected to disable EC paths & opcodes in one but not the other, just
based on earlier-stated plans. With Tripwire, disabling EC in P2TR-T is
categorically non-confiscatory, making doing it there an objective
choice.
* Relatedly, for the same reason it likely convinces users and wallet
developers to test, more seriously, the usability of the expected PQC
paths, as not doing so inevitably means risking burning those coins. This
is especially important for P2MR, which has some incentives to use it
beyond CRQC-protecting coins.
* The only downside I see is some additional technical complexity. The
ability to sign with a NUMS point is an unequivocal proof that the
secp256k1 ECDLP assumption no longer holds, and is thus a clear upper
bound on when EC ought not to be used anymore. Note that this differs
from a canary (an idea which has also been discussed) that uses a weaker
curve, as the goal of those is to be predictive. The point here is
specifically to just be an upper bound.
To me, this makes both P2MR-T and P2TR-T more "Later"-style (as I've
defined it in [5] and follow-ups) than P2MR and P2TRv2 respectively, which
I consider an improvement for both. There still is an expectation of a
later softfork that disables the EC paths/opcodes within the PQC output
type, and thus the tripwire isn't actually expected to ever trigger. Still,
I believe that its presence changes the game theory and incentives around
usage of the output type, and future consensus changes.
Of course, it cannot help with deciding what the right time for the
EC-disabling softfork is, but it can help make it happen. The same is true
for the Miner Lockdown idea. I'm a bit more hesitant about that, as it may
be empowering the (collective of) miners too much. They always have the
ability to just disallow EC spends of course, but the Miner Lockdown idea
makes network nodes start enforcing the same rule too, making it
irreversible. On the other hand, it is still opt-in (users deciding to move
coins to the new output type), and this becomes them choosing to give
miners a Lockdown button, which can presumably be used on shorter notice
than the ecosystem can agree on a consensus change (even if it's
pre-planned).
I'd prefer to keep the discussion here just about adding the Tripwire
and/or Miner Lockdown ideas, rather than MR vs TR, as I think this is
orthogonal to the distinction between those.
Thoughts?
--
Pieter
[1]: https://groups.google.com/g/bitcoindev/c/Qy4gwAGTK2w/m/_CjQ8xvdAAAJ
[2]: https://groups.google.com/g/bitcoindev/c/p8AVEmAtWdA/m/T7UWqgnvAAAJ
[3]: https://delvingbitcoin.org/t/public-key-recovery-for-ec-leaves-in-p2mr-bip-360/2603
[4]: https://groups.google.com/g/bitcoindev/c/8O857bRSVV8/m/8nr6I5NIAwAJ
[5]: https://groups.google.com/g/bitcoindev/c/p8AVEmAtWdA/m/Gona1fr3AgAJ
In parallel to the threads[1][2][3] discussing the P2TRv2 and P2MR
concepts, I'd like to talk about the possibility of codifying in the
consensus rules the (expectation of) the disabling of EC opcodes/paths
within the new output type.
The motivation for this is that while P2TRv2 has a "soft" built-in
expectation of a future softfork that will disable EC opcodes/paths (just
within the new output type itself) at the right time, its consensus rules
are identical to P2TR (with the exception of PQC opcodes, if those aren't
also added to P2TR). Plans and intent of protocol designers are one thing,
but the future ecosystem isn't beholden to those: the only certainty is the
adopted consensus rules themselves. Without confidence that the intended
disabling will happen, it becomes unclear what CRQC-resistance the P2TRv2
type offers. Meanwhile, P2MR as formulated doesn't need/have such an
expectation, but would still benefit from it, as users are otherwise
restricted to (IMO) extremely onerous restrictions on public key sharing.
To some extent, this is an unsolvable problem: we cannot codify plans that
depend on outside-world conditions like CRQCs existing. Still,
approximations exist which can be added as automatic triggers for this EC
disabling, along with the new output type itself:
* Tripwire (P2XX-T): use the presence of a NUMS point spend as trigger
(suggested by Tadge Dryja[4]).
Specifically, as part of the softfork definition, a NUMS point is
picked. Whenever a transaction is mined whose input contains a successful
"<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new
output type, as of the next block.
Note that the tripwire isn't intended as a replacement for the expected
future EC-disabling softfork; instead, it puts an upper bound on that
disabling.
* Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger
the disabling, allowing a faster reaction time to urgent CRQC threats.
Practically, this can be achieved by bundling the expected EC-disabling
softfork with the softfork that introduces the new output type, but
giving the disabling one a separate, and very long or infinite,
activation window. This means that in addition to expecting the future
ecosystem to decide when Q-day is too close, the hashrate majority is
allowed to make that call too. (suggested offline by Sjors Provoost)
* Combination (P2XX-T-ML): trigger EC disabling either through Tripwire, or
through Miner Lockdown.
I believe P2TR-T and P2MR-T are unambiguous improvements over P2TRv2 and
P2MR respectively. This is because:
* With Tripwire, anyone with a CRQC can, without permission, disable the EC
paths/opcodes in the new output type for everyone. Because of that
possibility, disabling is something all users of the new output type need
to be prepared for at all times, and thus the later EC-disabling softfork
cannot be considered confiscatory. That could otherwise be a reason to
oppose the future EC-disabling softfork.
Consider P2TR and P2TRv2. If there are no differences in consensus rules
between them, it is worth asking why the future ecosystem should be
expected to disable EC paths & opcodes in one but not the other, just
based on earlier-stated plans. With Tripwire, disabling EC in P2TR-T is
categorically non-confiscatory, making doing it there an objective
choice.
* Relatedly, for the same reason it likely convinces users and wallet
developers to test, more seriously, the usability of the expected PQC
paths, as not doing so inevitably means risking burning those coins. This
is especially important for P2MR, which has some incentives to use it
beyond CRQC-protecting coins.
* The only downside I see is some additional technical complexity. The
ability to sign with a NUMS point is an unequivocal proof that the
secp256k1 ECDLP assumption no longer holds, and is thus a clear upper
bound on when EC ought not to be used anymore. Note that this differs
from a canary (an idea which has also been discussed) that uses a weaker
curve, as the goal of those is to be predictive. The point here is
specifically to just be an upper bound.
To me, this makes both P2MR-T and P2TR-T more "Later"-style (as I've
defined it in [5] and follow-ups) than P2MR and P2TRv2 respectively, which
I consider an improvement for both. There still is an expectation of a
later softfork that disables the EC paths/opcodes within the PQC output
type, and thus the tripwire isn't actually expected to ever trigger. Still,
I believe that its presence changes the game theory and incentives around
usage of the output type, and future consensus changes.
Of course, it cannot help with deciding what the right time for the
EC-disabling softfork is, but it can help make it happen. The same is true
for the Miner Lockdown idea. I'm a bit more hesitant about that, as it may
be empowering the (collective of) miners too much. They always have the
ability to just disallow EC spends of course, but the Miner Lockdown idea
makes network nodes start enforcing the same rule too, making it
irreversible. On the other hand, it is still opt-in (users deciding to move
coins to the new output type), and this becomes them choosing to give
miners a Lockdown button, which can presumably be used on shorter notice
than the ecosystem can agree on a consensus change (even if it's
pre-planned).
I'd prefer to keep the discussion here just about adding the Tripwire
and/or Miner Lockdown ideas, rather than MR vs TR, as I think this is
orthogonal to the distinction between those.
Thoughts?
--
Pieter
[1]: https://groups.google.com/g/bitcoindev/c/Qy4gwAGTK2w/m/_CjQ8xvdAAAJ
[2]: https://groups.google.com/g/bitcoindev/c/p8AVEmAtWdA/m/T7UWqgnvAAAJ
[3]: https://delvingbitcoin.org/t/public-key-recovery-for-ec-leaves-in-p2mr-bip-360/2603
[4]: https://groups.google.com/g/bitcoindev/c/8O857bRSVV8/m/8nr6I5NIAwAJ
[5]: https://groups.google.com/g/bitcoindev/c/p8AVEmAtWdA/m/Gona1fr3AgAJ
Nagaev Boris
Jun 26, 2026, 5:41:46 AM (2 days ago) Jun 26
to Pieter Wuille, Bitcoin Development Mailing List
Hi Pieter,
I think Tripwire is an improvement to all "Later" versions of P2MR,
P2TRv2, and P2TRH. Given coin owners have pre-agreed to later
lockdown, having an upper bound does not harm.
For Miner Lockdown, I see a potential false-positive activation. A
large classical theft may happen, be misinterpreted as a CRQC event,
and miners may lock the EC path with the best intentions, but it turns
out to be a false alarm. Shouldn't there be a mechanism for
reactivation in this case? We have historical examples of bugs causing
large-scale or initially mysterious thefts: Milk Sad, Android
SecureRandom 2013, and the LuBian 2020 theft. A similar event in the
future could be confused with Q-day, and miners could push the button.
Can you elaborate on the scope of EC disabling, please? Does it
disable only the main EC path (e.g. key spend in the case of Taproot
v2) or all EC involving paths? What will happen to scripts using
something else in addition to EC? Some useful constructions may
include an EC opcode, e.g. hybrid EC-PQ signatures or HTLCs. Maybe it
makes sense to disable the main spending path and keep hash-protected
supplementary paths available?
Best,
Boris
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/yHRpA2LEJ2AugT4W2KiWO3ggSims4GuHBkr6rWtE-e1uVC2wh3ZqD4bUDyxXq1iEuPrezhZZeqDoG7uBLNvjbW0sk_UTorI1Pkz6LcKhXRA%3D%40wuille.net.
--
Best regards,
Boris Nagaev
I think Tripwire is an improvement to all "Later" versions of P2MR,
P2TRv2, and P2TRH. Given coin owners have pre-agreed to later
lockdown, having an upper bound does not harm.
For Miner Lockdown, I see a potential false-positive activation. A
large classical theft may happen, be misinterpreted as a CRQC event,
and miners may lock the EC path with the best intentions, but it turns
out to be a false alarm. Shouldn't there be a mechanism for
reactivation in this case? We have historical examples of bugs causing
large-scale or initially mysterious thefts: Milk Sad, Android
SecureRandom 2013, and the LuBian 2020 theft. A similar event in the
future could be confused with Q-day, and miners could push the button.
Can you elaborate on the scope of EC disabling, please? Does it
disable only the main EC path (e.g. key spend in the case of Taproot
v2) or all EC involving paths? What will happen to scripts using
something else in addition to EC? Some useful constructions may
include an EC opcode, e.g. hybrid EC-PQ signatures or HTLCs. Maybe it
makes sense to disable the main spending path and keep hash-protected
supplementary paths available?
Best,
Boris
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/yHRpA2LEJ2AugT4W2KiWO3ggSims4GuHBkr6rWtE-e1uVC2wh3ZqD4bUDyxXq1iEuPrezhZZeqDoG7uBLNvjbW0sk_UTorI1Pkz6LcKhXRA%3D%40wuille.net.
--
Best regards,
Boris Nagaev
Sjors Provoost
Jun 26, 2026, 7:18:36 AM (2 days ago) Jun 26
to Nagaev Boris, Pieter Wuille, Bitcoin Development Mailing List
Hi Boris and Pieter,
I agree that the potential for premature activation is a downside of Miner Lockdown. It could come with a very long window (years) between signalling and activation. That way users who consider it premature can mass migrate back to P2TR, only to return to P2TRv2 / P2TMR at a moment of their choosing.
In the other direction, there's a a positive incentive to not wait too long: the 100 block coinbase maturity makes them more vulnerable to short-range attacks (for P2TRv2, but not P2TMR).
I think it's important that a proposal involving the eventual trimming of its own spending paths, includes the activation mechanism(s) for such trimming. At least some of the mechanisms.
I'm also worried that miners don't want to carry such heavy burden of responsibility, and deal with political pressure (in both directions). In that case they would oppose inclusion of ML in the two-stage proposal, and that would be very useful to learn early on.
- Sjors
> Op 26 jun 2026, om 05:40 heeft Nagaev Boris <bna...@gmail.com> het volgende geschreven:
>
> Hi Pieter,
>
> I think Tripwire is an improvement to all "Later" versions of P2MR,
> P2TRv2, and P2TRH. Given coin owners have pre-agreed to later
> lockdown, having an upper bound does not harm.
>
> For Miner Lockdown, I see a potential false-positive activation. A
> large classical theft may happen, be misinterpreted as a CRQC event,
> and miners may lock the EC path with the best intentions, but it turns
> out to be a false alarm. Shouldn't there be a mechanism for
> reactivation in this case? We have historical examples of bugs causing
> large-scale or initially mysterious thefts: Milk Sad, Android
> SecureRandom 2013, and the LuBian 2020 theft. A similar event in the
> future could be confused with Q-day, and miners could push the button.
> [...]
> Best,
> Boris
>
>
> On Thu, Jun 25, 2026 at 1:31 PM Pieter Wuille <bitco...@wuille.net> wrote:
>>
>> Hi all,
>>
>> In parallel to the threads[1][2][3] discussing the P2TRv2 and P2MR
>> concepts, I'd like to talk about the possibility of codifying in the
>> consensus rules the (expectation of) the disabling of EC opcodes/paths
>> within the new output type.
[...]
>> Specifically, as part of the softfork definition, a NUMS point is
>> picked. Whenever a transaction is mined whose input contains a successful
>> "<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new
>> output type, as of the next block.
>>
>> Note that the tripwire isn't intended as a replacement for the expected
>> future EC-disabling softfork; instead, it puts an upper bound on that
>> disabling.
>>
>> * Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger
>> the disabling, allowing a faster reaction time to urgent CRQC threats.
>>
>> Practically, this can be achieved by bundling the expected EC-disabling
>> softfork with the softfork that introduces the new output type, but
>> giving the disabling one a separate, and very long or infinite,
>> activation window. This means that in addition to expecting the future
>> ecosystem to decide when Q-day is too close, the hashrate majority is
>> allowed to make that call too. (suggested offline by Sjors Provoost)
>>
[...]
I agree that the potential for premature activation is a downside of Miner Lockdown. It could come with a very long window (years) between signalling and activation. That way users who consider it premature can mass migrate back to P2TR, only to return to P2TRv2 / P2TMR at a moment of their choosing.
In the other direction, there's a a positive incentive to not wait too long: the 100 block coinbase maturity makes them more vulnerable to short-range attacks (for P2TRv2, but not P2TMR).
I think it's important that a proposal involving the eventual trimming of its own spending paths, includes the activation mechanism(s) for such trimming. At least some of the mechanisms.
I'm also worried that miners don't want to carry such heavy burden of responsibility, and deal with political pressure (in both directions). In that case they would oppose inclusion of ML in the two-stage proposal, and that would be very useful to learn early on.
- Sjors
> Op 26 jun 2026, om 05:40 heeft Nagaev Boris <bna...@gmail.com> het volgende geschreven:
>
> Hi Pieter,
>
> I think Tripwire is an improvement to all "Later" versions of P2MR,
> P2TRv2, and P2TRH. Given coin owners have pre-agreed to later
> lockdown, having an upper bound does not harm.
>
> For Miner Lockdown, I see a potential false-positive activation. A
> large classical theft may happen, be misinterpreted as a CRQC event,
> and miners may lock the EC path with the best intentions, but it turns
> out to be a false alarm. Shouldn't there be a mechanism for
> reactivation in this case? We have historical examples of bugs causing
> large-scale or initially mysterious thefts: Milk Sad, Android
> SecureRandom 2013, and the LuBian 2020 theft. A similar event in the
> future could be confused with Q-day, and miners could push the button.
> Best,
> Boris
>
>
> On Thu, Jun 25, 2026 at 1:31 PM Pieter Wuille <bitco...@wuille.net> wrote:
>>
>> Hi all,
>>
>> In parallel to the threads[1][2][3] discussing the P2TRv2 and P2MR
>> concepts, I'd like to talk about the possibility of codifying in the
>> consensus rules the (expectation of) the disabling of EC opcodes/paths
>> within the new output type.
>> Specifically, as part of the softfork definition, a NUMS point is
>> picked. Whenever a transaction is mined whose input contains a successful
>> "<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new
>> output type, as of the next block.
>>
>> Note that the tripwire isn't intended as a replacement for the expected
>> future EC-disabling softfork; instead, it puts an upper bound on that
>> disabling.
>>
>> * Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger
>> the disabling, allowing a faster reaction time to urgent CRQC threats.
>>
>> Practically, this can be achieved by bundling the expected EC-disabling
>> softfork with the softfork that introduces the new output type, but
>> giving the disabling one a separate, and very long or infinite,
>> activation window. This means that in addition to expecting the future
>> ecosystem to decide when Q-day is too close, the hashrate majority is
>> allowed to make that call too. (suggested offline by Sjors Provoost)
>>
Pieter Wuille
Jun 26, 2026, 10:14:29 AM (2 days ago) Jun 26
to Nagaev Boris, Bitcoin Development Mailing List
Hi Boris,
See responses inline below.
On Friday, June 26th, 2026 at 5:41 AM, Nagaev Boris wrote:
> For Miner Lockdown, I see a potential false-positive activation. A large
> classical theft may happen, be misinterpreted as a CRQC event, and miners
> may lock the EC path with the best intentions, but it turns out to be a
> false alarm. Shouldn't there be a mechanism for reactivation in this case?
> We have historical examples of bugs causing large-scale or initially
> mysterious thefts: Milk Sad, Android SecureRandom 2013, and the LuBian
> 2020 theft. A similar event in the future could be confused with Q-day,
> and miners could push the button.
I agree that's a concern, but of course, if this happens, no coins are
lost, just inefficient to access. As Sjors mentions, it's possible for
users to move back to P2TR temporarily, but that of course goes counter to
the CRQC-protection goal, and if it happens at scale, chain capacity
problems may cause chaos.
Adding the ability to revert is a possibility, but I'm not sure it's all
that much better than realizing there is also the possibility of adding a
new P2TRv3 / P2MRv2 / ... that is in a pre-lockdown state?
> Can you elaborate on the scope of EC disabling, please? Does it disable
> only the main EC path (e.g. key spend in the case of Taproot v2) or all EC
> involving paths?
I agree with Antoine that it necessarily must disable all usage of EC
inside the new output type, so that includes taproot key path spending (if
present), and making any execution of an OP_CHECK* opcode with a non-empty
signature for an EC pubkey cause the transaction to be invalid. Anything
else falls short of the goal of making it possible for users to keep
sharing public keys. This should be the case for all disabling, whether
through Tripwire, Miner Lockdown, or a future softfork.
> What will happen to scripts using something else in addition to EC? Some
> useful constructions may include an EC opcode, e.g. hybrid EC-PQ
> signatures or HTLCs. Maybe it makes sense to disable the main spending path
> and keep hash-protected supplementary paths available?
My thinking is that hybrid signature schemes, if desired, should be dealt
with at the opcode level, and not the script level. That is, there would be
(only) an OP_CHECKHYBRIDECSQISIGN opcode, not an expectation to use both
OP_CHECKSIG and OP_CHECKSQISIGN. My reason for this is that I think the
question of what level of security is appropriate (i.e., whether schemes
should be protected with a layer of EC hybridity) should be a consensus
decision, not an individual one.
Thinking about it, maybe that means it makes sense to completely separate
PQC scripts and (pure-)EC scripts at the script leaf level, by having
separate script leaf versions for them. That rules out some potentially
useful ways of using conditionals that have PQC and pure-EC branches, but
those do seem pretty error prone (as mixing the two within one execution
trace would be unusable post EC-disabling).
Practically, my thinking is that due to the low cryptographic assumptions
needed for hash-based schemes, those wouldn't need hybridization with EC
(though the statefulness of some variants is worrying). I don't think
schemes relying on other assumptions feel ready in terms of confidence for
adding to Bitcoin to me, but that can change.
Cheers,
--
Pieter
See responses inline below.
On Friday, June 26th, 2026 at 5:41 AM, Nagaev Boris wrote:
> For Miner Lockdown, I see a potential false-positive activation. A large
> classical theft may happen, be misinterpreted as a CRQC event, and miners
> may lock the EC path with the best intentions, but it turns out to be a
> false alarm. Shouldn't there be a mechanism for reactivation in this case?
> We have historical examples of bugs causing large-scale or initially
> mysterious thefts: Milk Sad, Android SecureRandom 2013, and the LuBian
> 2020 theft. A similar event in the future could be confused with Q-day,
> and miners could push the button.
lost, just inefficient to access. As Sjors mentions, it's possible for
users to move back to P2TR temporarily, but that of course goes counter to
the CRQC-protection goal, and if it happens at scale, chain capacity
problems may cause chaos.
Adding the ability to revert is a possibility, but I'm not sure it's all
that much better than realizing there is also the possibility of adding a
new P2TRv3 / P2MRv2 / ... that is in a pre-lockdown state?
> Can you elaborate on the scope of EC disabling, please? Does it disable
> only the main EC path (e.g. key spend in the case of Taproot v2) or all EC
> involving paths?
inside the new output type, so that includes taproot key path spending (if
present), and making any execution of an OP_CHECK* opcode with a non-empty
signature for an EC pubkey cause the transaction to be invalid. Anything
else falls short of the goal of making it possible for users to keep
sharing public keys. This should be the case for all disabling, whether
through Tripwire, Miner Lockdown, or a future softfork.
> What will happen to scripts using something else in addition to EC? Some
> useful constructions may include an EC opcode, e.g. hybrid EC-PQ
> signatures or HTLCs. Maybe it makes sense to disable the main spending path
> and keep hash-protected supplementary paths available?
with at the opcode level, and not the script level. That is, there would be
(only) an OP_CHECKHYBRIDECSQISIGN opcode, not an expectation to use both
OP_CHECKSIG and OP_CHECKSQISIGN. My reason for this is that I think the
question of what level of security is appropriate (i.e., whether schemes
should be protected with a layer of EC hybridity) should be a consensus
decision, not an individual one.
Thinking about it, maybe that means it makes sense to completely separate
PQC scripts and (pure-)EC scripts at the script leaf level, by having
separate script leaf versions for them. That rules out some potentially
useful ways of using conditionals that have PQC and pure-EC branches, but
those do seem pretty error prone (as mixing the two within one execution
trace would be unusable post EC-disabling).
Practically, my thinking is that due to the low cryptographic assumptions
needed for hash-based schemes, those wouldn't need hybridization with EC
(though the statefulness of some variants is worrying). I don't think
schemes relying on other assumptions feel ready in terms of confidence for
adding to Bitcoin to me, but that can change.
Cheers,
--
Pieter
conduition
Jun 26, 2026, 2:22:57 PM (2 days ago) Jun 26
to Pieter Wuille, Nagaev Boris, Bitcoin Development Mailing List
Hi Pieter,
Thanks for voicing this, I'm generally very supporting of the tripwire idea. It's an easy win for any PQ output type.
I have a few comments on the specifics.
> Specifically, as part of the softfork definition, a NUMS point is picked. Whenever a transaction is mined whose input contains a successful "<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new output type, as of the next block.
Mining an on-chain spend isn't the only option. The signature by (or discrete log of) the NUMS point is itself a sufficient and succinct proof that EC spending ought to be disabled. We don't need a trustless "honeypot"/"reward"/"bounty" for the CRQC, since we're already assuming the CRQC is cooperative. We don't need the "tripwire proof" to be included on-chain except for posterity (i.e. nodes bootstrapping after Q-day, to know when to enact the new consensus rules retroactively). All a validator node today needs is to see the signature/discrete log of the NUMS point, anywhere, at any time, to know that EC spending ought to be disabled immediately.
It could be in an OP_RETURN, it could be a new field in a block, it could be a simple P2P message or just seeing a TX containing the tripwire proof appear in the mempool. Maybe requiring the tripwire proof to be mined is simple to implement for validators, but relying on that alone runs the risk of miners censoring or purposefully delaying the inclusion of the tripwire proof in a block. So it might be worth the extra complexity engineering of a more highly reactive solution.
I'm not sure what the best option here is yet, but I just wanted to point out the tripwire doesn't have to be a UTXO spend, and we should discuss more options and their trade-offs.
> Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger the disabling, allowing a faster reaction time to urgent CRQC threats.
I'll echo the others' concerns here about early activation, and add that miners may actually be incentivized to trigger this activation early if given the chance, since doing so will massively pump their fee revenue (though perhaps at a cost to the price of Bitcoin itself). This could be more of a concern as the subsidy drops lower and miners with sunk cost seek to recoup their up-front hardware investment.
Generally I think this is a good idea though, and might be worth the risk especially because, as you stated, early activation will not confiscate any meaningful amount of coins. But it should also be possible for nodes to reject a bad-faith early activation.
The more important question is, how do you propose to technically achieve this? How does "majority hashpower" enact the disabling? My fear is that the reaction time will actually be very slow, because for us to measure "majority hashpower" we typically measure this over an epoch of many blocks. Otherwise a random minority miner could luck their way into a few blocks that signal for EC disabling, and so trigger the fork early.
The activation window would need to be spread out, and the further it is spread out the less time miners have to react, if they even react at all.
> I agree with Antoine that it necessarily must disable all usage of EC inside the new output type, so that includes taproot key path spending (if present), and making any execution of an OP_CHECK* opcode with a non-empty signature for an EC pubkey cause the transaction to be invalid. Anything else falls short of the goal of making it possible for users to keep sharing public keys. This should be the case for all disabling, whether through Tripwire, Miner Lockdown, or a future softfork.
This will confiscate coins held in hybrid scripts and in multisigs whose parties use different sig-schemes, e.g. <ec_pubkey> CHECKSIG <pq_pubkey> CHECKSIG.
I would suggest to enforce the disabling by running spend validation as normal, but failing at the end if EC-checksig operations have occurred without any PQ-checksig ops. This also implicitly disables P2TR-style key-spending and Boris' EC recovery scheme in P2TRH and P2MR, because such spends wouldn't involve a PQ signature.
> My thinking is that hybrid signature schemes, if desired, should be dealt with at the opcode level, and not the script level. That is, there would be (only) an OP_CHECKHYBRIDECSQISIGN opcode, not an expectation to use both OP_CHECKSIG and OP_CHECKSQISIGN.
>
- Complexity & fragility. A hybrid scheme necessitates a brand new Schnorr signature scheme because combiners like Bird-of-Prey don't use Schnorr as a black-box. Expands the scope of implementation a lot.
- Lack of value. Strong unforgability (one of the main selling points of hybridization) is not security-critical because witnesses don't affect TXIDs anymore. At best a hybrid scheme would provide a minor ~5%-10% improvement in witness size over a naive scripting approach, and this is still less efficient than keeping keys compartmentalized in isolated spending paths.
- Redundancy. Deploying SHRINCS as a standalone opcode is already needed for post-Q-day spending, so taking that opcode as a-given, users will already have access to hybridization techniques by using hybrid scripts.
- Security. Standalone SHRINCS uses fewer cryptographic assumptions than BIP340. Adding Schnorr hybridization thus hedges only against implementation flaws or state reuse, both of which can be effectively mitigated against.
We thus concluded that deploying a hybrid scheme doesn't seem to offer much unique value, and comes at the expense of great risk and effort in adding a new checksig algorithm, which very few people will use anyway since they have much cheaper options (separate leaf scripts).
I suspect hybrid script users will exist, but will likely be limited to major custodians, high-security vaults, and other such address-reusers. Dedicated hybrid signature algorithms may be desirable in the future with other signature schemes, but I doubt we'll be doing this with SHRINCS anytime soon.
regards,
conduition
>
Thanks for voicing this, I'm generally very supporting of the tripwire idea. It's an easy win for any PQ output type.
I have a few comments on the specifics.
> Specifically, as part of the softfork definition, a NUMS point is picked. Whenever a transaction is mined whose input contains a successful "<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new output type, as of the next block.
It could be in an OP_RETURN, it could be a new field in a block, it could be a simple P2P message or just seeing a TX containing the tripwire proof appear in the mempool. Maybe requiring the tripwire proof to be mined is simple to implement for validators, but relying on that alone runs the risk of miners censoring or purposefully delaying the inclusion of the tripwire proof in a block. So it might be worth the extra complexity engineering of a more highly reactive solution.
I'm not sure what the best option here is yet, but I just wanted to point out the tripwire doesn't have to be a UTXO spend, and we should discuss more options and their trade-offs.
> Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger the disabling, allowing a faster reaction time to urgent CRQC threats.
Generally I think this is a good idea though, and might be worth the risk especially because, as you stated, early activation will not confiscate any meaningful amount of coins. But it should also be possible for nodes to reject a bad-faith early activation.
The more important question is, how do you propose to technically achieve this? How does "majority hashpower" enact the disabling? My fear is that the reaction time will actually be very slow, because for us to measure "majority hashpower" we typically measure this over an epoch of many blocks. Otherwise a random minority miner could luck their way into a few blocks that signal for EC disabling, and so trigger the fork early.
The activation window would need to be spread out, and the further it is spread out the less time miners have to react, if they even react at all.
> I agree with Antoine that it necessarily must disable all usage of EC inside the new output type, so that includes taproot key path spending (if present), and making any execution of an OP_CHECK* opcode with a non-empty signature for an EC pubkey cause the transaction to be invalid. Anything else falls short of the goal of making it possible for users to keep sharing public keys. This should be the case for all disabling, whether through Tripwire, Miner Lockdown, or a future softfork.
I would suggest to enforce the disabling by running spend validation as normal, but failing at the end if EC-checksig operations have occurred without any PQ-checksig ops. This also implicitly disables P2TR-style key-spending and Boris' EC recovery scheme in P2TRH and P2MR, because such spends wouldn't involve a PQ signature.
> My thinking is that hybrid signature schemes, if desired, should be dealt with at the opcode level, and not the script level. That is, there would be (only) an OP_CHECKHYBRIDECSQISIGN opcode, not an expectation to use both OP_CHECKSIG and OP_CHECKSQISIGN.
>
> Practically, my thinking is that due to the low cryptographic assumptions needed for hash-based schemes, those wouldn't need hybridization with EC (though the statefulness of some variants is worrying).
In the SHRINCS proposal we elect not to introduce a hybrid EC+PQ signature scheme, for a few reasons:
- Complexity & fragility. A hybrid scheme necessitates a brand new Schnorr signature scheme because combiners like Bird-of-Prey don't use Schnorr as a black-box. Expands the scope of implementation a lot.
- Lack of value. Strong unforgability (one of the main selling points of hybridization) is not security-critical because witnesses don't affect TXIDs anymore. At best a hybrid scheme would provide a minor ~5%-10% improvement in witness size over a naive scripting approach, and this is still less efficient than keeping keys compartmentalized in isolated spending paths.
- Redundancy. Deploying SHRINCS as a standalone opcode is already needed for post-Q-day spending, so taking that opcode as a-given, users will already have access to hybridization techniques by using hybrid scripts.
- Security. Standalone SHRINCS uses fewer cryptographic assumptions than BIP340. Adding Schnorr hybridization thus hedges only against implementation flaws or state reuse, both of which can be effectively mitigated against.
We thus concluded that deploying a hybrid scheme doesn't seem to offer much unique value, and comes at the expense of great risk and effort in adding a new checksig algorithm, which very few people will use anyway since they have much cheaper options (separate leaf scripts).
I suspect hybrid script users will exist, but will likely be limited to major custodians, high-security vaults, and other such address-reusers. Dedicated hybrid signature algorithms may be desirable in the future with other signature schemes, but I doubt we'll be doing this with SHRINCS anytime soon.
regards,
conduition
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/A54QKCjvV0Tnk26mHFZrbAKPHdYh6Ol1XWTetB3y1skuSaoLtBZnvNlYD2hSqQtp6oYt85rqvK4w-JMsDJOm3nPrYgkN94E9jlxxCPZsKZw%3D%40wuille.net.
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
>
Anthony Towns
Jun 27, 2026, 5:58:42 AM (yesterday) Jun 27
to Pieter Wuille, Bitcoin Development Mailing List
On Thu, Jun 25, 2026 at 05:42:35PM +0000, Pieter Wuille wrote:
> * Tripwire (P2XX-T): use the presence of a NUMS point spend as trigger
> (suggested by Tadge Dryja[4]).
>
> Specifically, as part of the softfork definition, a NUMS point is
> picked. Whenever a transaction is mined whose input contains a successful
> "<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new
> output type, as of the next block.
A slight variant of this approach would be to have a 128 byte value
> * Tripwire (P2XX-T): use the presence of a NUMS point spend as trigger
> (suggested by Tadge Dryja[4]).
>
> Specifically, as part of the softfork definition, a NUMS point is
> picked. Whenever a transaction is mined whose input contains a successful
> "<NUMS> OP_CHECKSIG", EC opcodes/paths are disabled within the new
> output type, as of the next block.
"aRsm", such that P = N+a*G, N is the BIP-341 NUMS point, and Rs is a
BIP340 signature of m by P. That would allow the victim of post-quantum
theft via a key-path spend of a BIP341 NUMS IPK to trigger the tripwire,
in addition to someone who has direct access to a CRQC.
I think it could make sense to have the tripwire be included in the
block via the coinbase witness commitment output, rather than having it
be locked to a transaction, so you only having to check the coinbase for
the magic rather than every transaction. That would require a separate
P2P message to relay the necessary ECDL-break proof to miners, and would
probably need stratumv2 or a getblocktemplate update in order for the node
to be able to tell pools to actually include that info in the coinbase.
> * Miner Lockdown (P2XX-ML): allow a hashrate majority/threshold to trigger
> the disabling, allowing a faster reaction time to urgent CRQC threats.
> The same is true
> for the Miner Lockdown idea. I'm a bit more hesitant about that, as it may
> be empowering the (collective of) miners too much. They always have the
> ability to just disallow EC spends of course, but the Miner Lockdown idea
> makes network nodes start enforcing the same rule too, making it
> irreversible.
Some potential ways of making that less dangerous:
> for the Miner Lockdown idea. I'm a bit more hesitant about that, as it may
> be empowering the (collective of) miners too much. They always have the
> ability to just disallow EC spends of course, but the Miner Lockdown idea
> makes network nodes start enforcing the same rule too, making it
> irreversible.
* Have it require a 100% signalling threshold, instead of 90%/95%
* Have it have a longer signalling period (4032 blocks?)
* Have it be continually soft-forked out (URSF-style):
a) 100% signalling activates it, at any time
b) as at 2026-07-01, 100% signalling is invalid prior to 2026-12-31
c) as at 2026-10-01, 100% signalling is invalid prior to 2026-03-31
d) as at 2027-01-01, 100% signalling is invalid prior to 2026-06-30
e) as at 2027-04-01, danger signs! 100% signalling remains valid after
2026-06-30
f) as at 2027-07-01, signalling actually starts
(alternatively, if three to six months lead time was too long,
a secondary soft-fork could be done on as soon as the danger
signs appear that indepdently disables EC spends immediately,
and also forces 100% signalling from 2027-07-01 for backwards
compatibility)
Cheers,
aj
Reply all
Reply to author
Forward
0 new messages