
openxiv:cs.CE.2026.00001 · cs.CE

Toward Protocol-Level Quantum Safety in Bitcoin: A Formal, Adversarial, and Invariant-Driven Treatment

Explainer at the level of a researcher in an adjacent area. Read the original paper.

Assumes deep technical literacy. Bridges to the closest neighbouring fields.

**Problem Statement:** Achieving quantum-safe Bitcoin requires more than securing individual transactions; it demands a global safety property of the consensus state machine: no unauthorized state transition occurs under any quantum-capable adversary. Current approaches lack a formal protocol-level treatment, leaving gaps around mempool races, reorganizations, and the migration of legacy outputs.

**Method:** The paper specifies a rigorous execution model with explicit UTXO state, total validation predicates, and deterministic transition functions for transactions and blocks, together with a network/scheduler model that captures adversarial scheduling and reorganizations. Security goals are defined by game-based semantics against quantum polynomial-time (QPT) adversaries, separating safety from liveness and stating concrete invariants (authorization integrity, state consistency, determinism). A consensus-level post-quantum authorization construction uses commit-and-reveal witness programs; a complete game-hopping reduction proves that any unauthorized spend implies a break of the underlying PQ signatures or of hash binding, and the reduction is tight and non-rewinding. Cross-input and cross-transaction replay attacks are excluded via sighash commitment axioms, and network execution is formalized as traces to show that adversarial control of the network does not bypass PQ authorization. The migration dilemma is formalized: protocol-level quantum safety requires either freezing unmigrated legacy outputs or accepting theft under Shor's algorithm, and a migration trace model provides monotonicity guarantees.

**Main Results:** All invariants are proved preserved across valid transitions, and the game-hopping reduction establishes that any unauthorized spend contradicts the PQ assumptions. The TLA+ model exhaustively checks 492 states with zero invariant violations and produces a concrete counterexample for the migration dilemma; the Coq mechanization proves totality of the spend predicate, determinism, and parse canonicality.

**Limitations:** The security proofs rely on the quantum random oracle model and on specific PQ primitives (signatures, hash binding) whose post-quantum security remains an active research area. The formal model abstracts away certain real-world network nondeterminism and does not address liveness under adversarial delays. The migration dilemma exposes an inherent trade-off: no fully protocol-level quantum safety is possible without either freezing legacy outputs or accepting a theft window.
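As an added illustration, not the paper's model and not its TLA+ or Coq artifacts, the Python sketch below shows the shape of the construction the summary describes: a UTXO state whose outputs commit to the hash of a public key, a total spend predicate that checks hash binding and then a signature over a sighash bound to the spent outpoint, and a deterministic transition function for transactions and blocks. Everything specific to the example is assumed rather than taken from the paper: a Lamport one-time signature stands in for the paper's post-quantum signature scheme, the sighash layout (spent outpoint plus all outputs) is chosen here, and the keys and genesis state are constructed inline.

```python
# Added illustration of commit-and-reveal UTXO authorization (not the paper's model).
# Assumed stand-ins: Lamport OTS for the PQ signature; sighash = spent outpoint + outputs.
import hashlib
import secrets
from collections import namedtuple

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# --- Lamport one-time signature: hash-based stand-in for the PQ signature scheme ---
def keygen():
    sk = tuple((secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256))
    return sk, tuple((H(a), H(b)) for a, b in sk)

def commit(pk) -> bytes:
    # The "commit" half of the witness program: the output stores only H(pk).
    return H(*(a + b for a, b in pk))

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveals one preimage per digest bit; each key must sign only once.
    return tuple(sk[i][b] for i, b in enumerate(_bits(msg)))

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

# --- UTXO state: an output commits to H(pk); a spend reveals pk and a signature ---
Outpoint = namedtuple("Outpoint", "txid index")
Output = namedtuple("Output", "commitment value")   # commitment = H(pk)
Input = namedtuple("Input", "outpoint pk sig")      # pk, sig = the "reveal" half
Tx = namedtuple("Tx", "inputs outputs")

def _outputs_bytes(tx: Tx) -> bytes:
    return b"".join(o.commitment + o.value.to_bytes(8, "big") for o in tx.outputs)

def txid(tx: Tx) -> bytes:
    # Witness data (pk, sig) is excluded, so the id does not depend on it.
    ins = b"".join(i.outpoint.txid + i.outpoint.index.to_bytes(4, "big") for i in tx.inputs)
    return H(ins, _outputs_bytes(tx))

def sighash(tx: Tx, idx: int) -> bytes:
    # Commits to the spent outpoint and to all outputs, so a witness cannot be
    # replayed on another input of this transaction or on another transaction.
    op = tx.inputs[idx].outpoint
    return H(op.txid, op.index.to_bytes(4, "big"), _outputs_bytes(tx))

def valid_spend(state: dict, tx: Tx) -> bool:
    """Total predicate: returns a bool for every (state, tx) and never raises."""
    seen, in_value = set(), 0
    for idx, inp in enumerate(tx.inputs):
        if inp.outpoint in seen or inp.outpoint not in state:
            return False
        seen.add(inp.outpoint)
        utxo = state[inp.outpoint]
        if commit(inp.pk) != utxo.commitment:  # hash binding
            return False
        if not verify(inp.pk, sighash(tx, idx), inp.sig):  # PQ authorization
            return False
        in_value += utxo.value
    return in_value >= sum(o.value for o in tx.outputs)

def apply_tx(state: dict, tx: Tx) -> dict:
    # Deterministic transition: the same (state, tx) always yields the same state.
    if not valid_spend(state, tx):
        raise ValueError("unauthorized or malformed spend")
    spent = {i.outpoint for i in tx.inputs}
    new = {op: o for op, o in state.items() if op not in spent}
    new.update({Outpoint(txid(tx), i): o for i, o in enumerate(tx.outputs)})
    return new

def apply_block(state: dict, block) -> dict:
    for tx in block:
        state = apply_tx(state, tx)
    return state

def demo() -> dict:
    # Constructed scenario: an honest spend, a copied witness, and a wrong-key forgery.
    sk_a, pk_a = keygen()
    _, pk_b = keygen()
    sk_c, pk_c = keygen()
    gen = H(b"constructed genesis")
    state0 = {Outpoint(gen, i): Output(commit(pk_a), 50) for i in (0, 1)}
    outs = (Output(commit(pk_b), 50),)
    def spend(index, pk, sk=None, sig=None):
        tmpl = Tx((Input(Outpoint(gen, index), pk, ()),), outs)  # sighash ignores the witness
        sig = sig if sig is not None else sign(sk, sighash(tmpl, 0))
        return Tx((Input(Outpoint(gen, index), pk, sig),), outs)
    honest = spend(0, pk_a, sk_a)
    replay = spend(1, pk_a, sig=honest.inputs[0].sig)  # A's witness moved to A's other output
    forged = spend(1, pk_c, sk_c)                      # C signs, but cannot open A's commitment
    after = apply_block(state0, [honest])
    return {
        "honest_accepted": valid_spend(state0, honest),
        "replay_rejected": not valid_spend(state0, replay),
        "forgery_rejected": not valid_spend(state0, forged),
        "deterministic": after == apply_block(state0, [honest]),
        "utxo_count_after": len(after),  # one output spent, one created
    }
```

The `replay` case is the cross-input/cross-transaction replay that the summary says the sighash commitment axioms rule out: the witness is a valid opening of the same commitment, but the signed sighash names a different outpoint, so verification fails. The `forged` case fails one step earlier, at hash binding, which is the point of the reduction sketched in the summary: an accepted unauthorized spend would have to break either the hash commitment or the signature scheme. Nothing here models the network scheduler, reorganizations, or the migration dilemma.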

AI-generated (deepseek-v4-flash) · created 2026-05-27

Explainers are best-effort summaries — they round corners. For the authoritative claims, read the paper itself.