consensus: P2DPKH 20-byte hash may undermine post-quantum security guarantees #33
Description
Summary
The current default Dilithium address type (P2DPKH) uses RIPEMD-160(SHA-256(pubkey)), producing a 20-byte (160-bit) commitment. While this matches Bitcoin's classical P2PKH security, it may undermine the post-quantum security guarantees that Dilithium is meant to provide.
The concern
Quantum algorithms reduce hash security margins:
| Attack | Classical | Quantum (Grover/BHT) |
|---|---|---|
| Preimage (find key matching address) | 2^160 | 2^80 |
| Collision (find two keys, same address) | 2^80 | 2^53 |
For a chain specifically designed to be quantum-resistant, 2^80 preimage resistance and 2^53 collision resistance are uncomfortably low. These are the same margins that motivate moving away from ECDSA in the first place.
By comparison, P2MR uses a 32-byte (256-bit) Merkle root commitment:
| Attack | Classical | Quantum |
|---|---|---|
| Preimage | 2^256 | 2^128 |
| Collision | 2^128 | 2^85 |
This provides proper post-quantum security margins (128-bit quantum security).
Why this matters
- BTQ's value proposition is quantum resistance. Using a 160-bit hash as the default address format creates a weaker link in the security chain than the Dilithium signatures themselves.
- An attacker with a quantum computer doesn't need to break Dilithium — they could target the address hash instead.
- The preimage attack (2^80 quantum) is the practical concern: given a
bc1q...P2DPKH address, find a Dilithium key that hashes to it.
Recommendation
Once P2MR wallet support lands (see #32), consider:
- Deprecating P2DPKH as the default address type in favor of P2MR
- Updating
getnewdilithiumaddressto default to P2MR output type (or adding a prominent recommendation) - Policy-level discouragement of 160-bit hash outputs long-term
This is not urgent — the classical security is fine and quantum computers capable of Grover's algorithm at scale don't exist yet — but it should be part of the roadmap for a chain that markets itself as quantum-safe.
References
- Grover's algorithm: O(2^(n/2)) preimage search on n-bit hashes
- BHT (Brassard-Hoyer-Tapp) algorithm: O(2^(n/3)) collision search on n-bit hashes
- Related: rpc: Add user-friendly RPCs for BIP-360 P2MR address creation and spending #32 (P2MR RPC support)