
openxiv:cs.CE.2026.00001 · cs.CE

Toward Protocol-Level Quantum Safety in Bitcoin: A Formal, Adversarial, and Invariant-Driven Treatment

Explainer at the level of an undergraduate in the field. Read the original paper.

Assumes 1–2 courses of background. Domain terms may appear without definition.

This paper provides a rigorous framework for ensuring that Bitcoin remains secure against quantum computers at the protocol level, not just for individual transactions. The authors first build a formal model of Bitcoin’s core state machine, explicitly defining the UTXO set, transactions, and deterministic transition functions for both transactions and blocks. They then state three critical safety invariants—no double-spend, state consistency, and determinism—and prove that every valid transaction preserves these invariants, assuming collision-resistant transaction IDs.

To capture quantum threats, they model a quantum polynomial-time adversary equipped with Shor’s algorithm and control of the network, and define the security goal through an authorization game in which the adversary tries to create an unauthorized spend. Their key construction for post-quantum authorization is a commit-and-reveal witness program that replaces ECDSA/Schnorr signatures with a post-quantum signature scheme that is existentially unforgeable under chosen-message attacks (EUF-CMA). Through a tight game-hopping reduction, they prove that any successful unauthorized spend of a post-quantum output would break either the signature scheme or the hash-binding assumption. They also show that the sighash commitment axiom rules out cross-input and cross-transaction witness replay, and that adversarial network control (mempool races, reorgs) cannot bypass the post-quantum authorization.

Finally, they formalize the migration dilemma: it is impossible to migrate all legacy outputs to post-quantum authorization without either freezing unmigrated outputs or accepting theft under Shor’s algorithm, and they give a formal migration trace model. All results are backed by exhaustive TLA+ model checking (zero invariant violations across 492 states) and Coq-mechanized proofs of spend-predicate totality, determinism, and parsing canonicality.
The method is essentially: model the protocol as a state machine, define invariants and security games, construct a post-quantum authorization scheme, prove security reductions under explicit axioms, and verify the model with formal tools.
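As an added illustration of the state machine and commit-and-reveal authorization the paper formalizes (example code written for this explainer, not the paper's model or its TLA+/Coq artifacts), the following Python models a UTXO set, a deterministic transition function, and a sighash that binds each witness to exactly one input of exactly one transaction. It assumes a Lamport one-time signature as a stand-in for the paper's abstract EUF-CMA post-quantum scheme; the byte layouts, field names and error strings are constructed here.

```python
import hashlib, os
from typing import NamedTuple

H = lambda b: hashlib.sha256(b).digest()
bit = lambda d, i: (d[i // 8] >> (7 - i % 8)) & 1   # i-th bit of a 32-byte digest

# Lamport OTS (hash-based) stands in for the paper's abstract EUF-CMA PQ scheme: an
# assumption of this example. One-time: each key must sign exactly one sighash.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, digest: bytes):
    return [sk[i][bit(digest, i)] for i in range(256)]

def lamport_verify(pk, digest: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bit(digest, i)] for i in range(256))

def pk_commitment(pk) -> bytes:  # a PQ output commits to H(pk); the witness reveals pk
    return H(b"".join(a + b for a, b in pk))

class Tx(NamedTuple):
    inputs: tuple     # outpoints (txid, index)
    outputs: tuple    # (value, pk_commitment)
    witnesses: tuple  # (pk, signature) per input; not covered by txid or sighash

    def body(self) -> bytes:
        return (b"".join(t + n.to_bytes(4, "big") for t, n in self.inputs)
                + b"".join(v.to_bytes(8, "big") + c for v, c in self.outputs))
    def txid(self) -> bytes:
        return H(b"txid" + self.body())
    def sighash(self, index: int) -> bytes:
        # Commits to every outpoint, every output and the input index: the witness
        # is bound to one input of one transaction and cannot be replayed elsewhere.
        return H(b"sighash" + self.body() + index.to_bytes(4, "big"))

def apply_tx(utxos: dict, tx: Tx) -> dict:
    """Deterministic transition: returns the new UTXO set, or raises ValueError."""
    if len(set(tx.inputs)) != len(tx.inputs):
        raise ValueError("same outpoint spent twice in one transaction")
    for i, op in enumerate(tx.inputs):
        if op not in utxos:
            raise ValueError("outpoint not unspent")  # blocks cross-transaction double-spend
        pk, sig = tx.witnesses[i]
        if pk_commitment(pk) != utxos[op][1] or not lamport_verify(pk, tx.sighash(i), sig):
            raise ValueError("unauthorized spend")
    if sum(v for v, _ in tx.outputs) > sum(utxos[op][0] for op in tx.inputs):
        raise ValueError("outputs exceed inputs")
    new = {op: o for op, o in utxos.items() if op not in tx.inputs}
    new.update({(tx.txid(), n): o for n, o in enumerate(tx.outputs)})
    return new
```

Because the witness is excluded from the sighash, a transaction is built first, its sighash signed, and the witness attached afterwards; a witness copied onto a transaction with different outputs, or a second spend of the same outpoint, is rejected by `apply_tx`.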

AI-generated (deepseek-v4-flash) · created 2026-05-28

Explainers are best-effort summaries — they round corners. For the authoritative claims, read the paper itself.