@btc-vision/btc-runtime

# Quantum Resistance OP_NET includes built-in quantum-resistant cryptography through ML-DSA (Module-Lattice Digital Signature Algorithm). The `Address` class provides automatic access to ML-DSA public keys without requiring any custom storage. ## Overview Quantum computers pose a threat to traditional cryptographic schemes: | Algorithm | Quantum Threat | OP_NET Status | |-----------|---------------|--------------| | ECDSA | Vulnerable (Shor's algorithm) | Supported (deprecated), transition to ML-DSA | | Schnorr | Vulnerable (Shor's algorithm) | Supported, with transition plan | | ML-DSA | Quantum-resistant | **Fully supported** | ## Quick Start ```typescript import { Blockchain, sha256 } from '@btc-vision/btc-runtime/runtime'; // Verify a signature with quantum resistance const message = new BytesWriter(32); message.writeString('Sign this message'); const messageHash = sha256(message.getBuffer()); // SignaturesMethods.MLDSA ensures quantum-resistant verification const isValid = Blockchain.verifySignature( Blockchain.tx.origin, // Signer's address signature, // Signature bytes messageHash, // Message hash SignaturesMethods.MLDSA // Force ML-DSA (quantum-resistant) ); ``` ## Why Quantum Resistance? ### The Threat - **Public keys are exposed** when addresses send transactions - Quantum computers with ~4000 qubits could derive private keys - Existing signatures remain safe (retroactive attack impossible) - Future transactions from exposed addresses are at risk ### OP_NET's Approach 1. **Dual signature support** - Both Schnorr and ML-DSA signatures 2. **Extended addresses** - Store both Schnorr (taproot) and ML-DSA key references 3. **Built-in key access** - `Address.mldsaPublicKey` property loads keys automatically 4. **Consensus-managed transition** - Automatic migration from Schnorr to ML-DSA ## ML-DSA Security Levels OP_NET supports three ML-DSA security levels, from classical Schnorr to quantum-resistant ML-DSA: ```mermaid --- config: theme: dark --- flowchart LR subgraph OP_NET["OP_NET Security Architecture"] subgraph Classical["Classical Security"] C1["Schnorr 256-bit Classical: Strong Quantum: Broken"] end subgraph PostQuantum["Post-Quantum Security Levels"] Q1["ML-DSA-44 Level2 ~AES-128 Quantum: Strong"] Q2["ML-DSA-65 Level3 ~AES-192 Quantum: Stronger"] Q3["ML-DSA-87 Level5 ~AES-256 Quantum: Strongest"] end QC["Quantum Computer 4000+ qubits"] QC -.->|"Breaks in hours"| C1 QC -.->|"Cannot break"| Q1 QC -.->|"Cannot break"| Q2 QC -.->|"Cannot break"| Q3 end ``` | Level | Name | Public Key | Signature | Private Key | NIST Category | |-------|------|------------|-----------|-------------|---------------| | Level2 | ML-DSA-44 | 1,312 bytes | 2,420 bytes | 2,560 bytes | Category 2 (~AES-128) | | Level3 | ML-DSA-65 | 1,952 bytes | 3,309 bytes | 4,032 bytes | Category 3 (~AES-192) | | Level5 | ML-DSA-87 | 2,592 bytes | 4,627 bytes | 4,896 bytes | Category 5 (~AES-256) | **OP_NET uses ML-DSA-44 (Level2) by default**, balancing security and performance. ### Level Constants ```typescript import { MLDSASecurityLevel, MLDSA44_PUBLIC_KEY_LEN, // 1312 MLDSA44_SIGNATURE_LEN, // 2420 MLDSA65_PUBLIC_KEY_LEN, // 1952 MLDSA65_SIGNATURE_LEN, // 3309 MLDSA87_PUBLIC_KEY_LEN, // 2592 MLDSA87_SIGNATURE_LEN // 4627 } from '@btc-vision/btc-runtime/runtime'; ``` ## ML-DSA Signature Structure The ML-DSA signature format follows FIPS 204: ```mermaid --- config: theme: dark --- flowchart LR subgraph OP_NET["OP_NET Quantum-Resistant Signatures"] subgraph MLDSA["ML-DSA-44 - Level2 - Default"] PK["Public Key 1,312 bytes"] SIG["Signature 2,420 bytes"] SK["Private Key 2,560 bytes"] end subgraph PKComp["Public Key Components"] PK1["rho: seed"] PK2["t1: compressed hint"] end subgraph SigComp["Signature Components"] SIG1["c_tilde: commitment hash"] SIG2["z: response vector"] SIG3["h: hint"] end end ``` ## The Address Class ### Automatic ML-DSA Key Access Every `Address` in OP_NET stores the SHA256 hash of an ML-DSA public key. The full public key is automatically loaded on demand: ```typescript import { Address, Blockchain } from '@btc-vision/btc-runtime/runtime'; // Any address can access its ML-DSA public key const sender: Address = Blockchain.tx.sender; // Get the ML-DSA public key (loaded automatically from the blockchain) const mldsaKey: Uint8Array = sender.mldsaPublicKey; // The key is cached after first access for efficiency const sameKey: Uint8Array = sender.mldsaPublicKey; // Returns cached key ``` **Key points:** - No custom storage needed - the runtime handles key storage - Keys are lazily loaded on first access and cached - The address itself is the SHA256 hash of the ML-DSA public key ### How It Works Internally ```typescript // Address stores 32-byte SHA256 hash of ML-DSA public key class Address extends Uint8Array { protected _mldsaPublicKey: Uint8Array | null = null; // Getter loads key from blockchain on demand public get mldsaPublicKey(): Uint8Array { if (!this._mldsaPublicKey) { this._mldsaPublicKey = loadMLDSAPublicKey(this, MLDSASecurityLevel.Level2); } return this._mldsaPublicKey; } } ``` ## Extended Address `ExtendedAddress` supports dual-key addresses for the quantum transition: ```typescript import { ExtendedAddress } from '@btc-vision/btc-runtime/runtime'; // Create from both key components const extAddr = ExtendedAddress.fromStringPair( '0x' + 'aa'.repeat(32), // Tweaked Schnorr key (taproot) '0x' + 'bb'.repeat(32) // ML-DSA key hash ); // Access the tweaked Schnorr key (for taproot/P2TR) const schnorrKey: Uint8Array = extAddr.tweakedPublicKey; // 32 bytes // Access the ML-DSA public key (inherited from Address) const mldsaKey: Uint8Array = extAddr.mldsaPublicKey; // 1312 bytes (ML-DSA-44) // Generate Bitcoin addresses const p2trAddress: string = extAddr.p2tr(); // "bc1p..." or "tb1p..." ``` ### Dual Key Structure ``` ExtendedAddress (64 bytes reference) +-- tweakedPublicKey: Uint8Array[32] --> Schnorr (taproot) +-- Address bytes: Uint8Array[32] --> SHA256(ML-DSA public key) +-> .mldsaPublicKey loads full key ``` ## ML-DSA Key Generation and Verification Flow The following diagram shows the complete lifecycle from key generation to signature verification: ```mermaid --- config: theme: dark --- sequenceDiagram participant User as 👤 User participant Wallet as Wallet participant Blockchain as OP_NET Runtime participant Contract as Contract Note over User,Blockchain: Key Generation (Off-chain) User->>Wallet: Generate ML-DSA keypair Wallet->>Wallet: Generate random seed Wallet->>Wallet: Expand seed to matrix A Wallet->>Wallet: Sample secret vectors s1, s2 Wallet->>Wallet: Compute t = As1 + s2 Wallet->>Wallet: Public key = (rho, t1) Wallet->>Wallet: Private key = (rho, K, tr, s1, s2, t0) Note over User,Blockchain: Address Creation Wallet->>Wallet: Hash ML-DSA public key (SHA256) Wallet->>Wallet: Store 32-byte hash as Address Wallet->>Blockchain: Register address with full public key Note over User,Contract: Signature Verification User->>Contract: call method(signature, message) Contract->>Contract: Get sender address (32-byte hash) Contract->>Blockchain: verifySignature(address, sig, hash, true) Blockchain->>Blockchain: Load cached ML-DSA public key Note over Blockchain: If not cached, load from storage Blockchain->>Blockchain: Verify ML-DSA signature Blockchain->>Blockchain: Decode signature (c_tilde, z, h) Blockchain->>Blockchain: Reconstruct commitment w' Blockchain->>Blockchain: Verify ||z|| < gamma1 - beta Blockchain->>Blockchain: Verify high-order bits match Blockchain-->>Contract: valid: bool ``` ## Signature Verification ### The Simple Way (Recommended) Just use `Blockchain.verifySignature()` - it handles everything: ```typescript import { Blockchain, sha256 } from '@btc-vision/btc-runtime/runtime'; @method(ABIDataTypes.BYTES) @returns({ name: 'valid', type: ABIDataTypes.BOOL }) public verifySignature(calldata: Calldata): BytesWriter { const signature = calldata.readBytesWithLength(); // Create message hash const message = new BytesWriter(55); message.writeString('Hello, world! This is a test message for MLDSA signing.'); const messageHash = sha256(message.getBuffer()); // Verify with quantum resistance (MLDSA) const isValid = Blockchain.verifySignature( Blockchain.tx.origin, signature, messageHash, SignaturesMethods.MLDSA // Force ML-DSA ); const writer = new BytesWriter(1); writer.writeBoolean(isValid); return writer; } ``` ### Consensus-Aware Verification Let the consensus decide which algorithm to use: ```typescript // During transition: uses Schnorr if allowed, ML-DSA otherwise // After transition: always uses ML-DSA const isValid = Blockchain.verifySignature( signer, signature, messageHash, SignaturesMethods.Schnorr // Let consensus decide (falls back to ML-DSA if Schnorr not allowed) ); ``` ### Direct ML-DSA Verification For cases where you need explicit control: ```typescript import { MLDSASecurityLevel } from '@btc-vision/btc-runtime/runtime'; const isValid = Blockchain.verifyMLDSASignature( MLDSASecurityLevel.Level2, // Security level signer.mldsaPublicKey, // Auto-loaded from address signature, // 2420-byte signature messageHash // 32-byte message hash ); ``` ## Migration Path: Schnorr to ML-DSA OP_NET manages a phased transition from classical to quantum-resistant signatures: ```mermaid --- config: theme: dark --- sequenceDiagram participant User as User/Wallet participant Network as OP_NET Network participant Consensus as Consensus Rules Note over User,Consensus: Phase 1: Transition Period (Current) User->>Network: Submit Schnorr signature Network->>Consensus: Check UNSAFE_QUANTUM_SIGNATURES_ALLOWED Consensus-->>Network: Flag = true Network-->>User: Signature accepted User->>Network: Submit ML-DSA signature Network-->>User: Signature accepted Note over Network: Both signature types valid Note over User,Consensus: Phase 2: Warning Period User->>Network: Submit Schnorr signature Network->>Consensus: Check signature type Consensus-->>Network: Log deprecation warning Network-->>User: Signature accepted (with warning) Note over User: Encouraged to migrate to ML-DSA Note over User,Consensus: Phase 3: Quantum-Safe Only User->>Network: Submit Schnorr signature Network->>Consensus: Check UNSAFE_QUANTUM_SIGNATURES_ALLOWED Consensus-->>Network: Flag = false Network-->>User: Signature REJECTED User->>Network: Submit ML-DSA signature Network-->>User: Signature accepted Note over Network: Only ML-DSA signatures valid ``` The `UNSAFE_QUANTUM_SIGNATURES_ALLOWED` consensus flag controls whether Schnorr signatures are still permitted. When disabled, only ML-DSA signatures will be valid. ## Complete Contract Example ```typescript import { OP_NET, Blockchain, Calldata, BytesWriter, Revert, sha256, ABIDataTypes } from '@btc-vision/btc-runtime/runtime'; @final class QuantumSecureContract extends OP_NET { @method( { name: 'message', type: ABIDataTypes.BYTES }, { name: 'signature', type: ABIDataTypes.BYTES }, ) @returns({ name: 'valid', type: ABIDataTypes.BOOL }) public verifyQuantum(calldata: Calldata): BytesWriter { const message = calldata.readBytesWithLength(); const signature = calldata.readBytesWithLength(); const messageHash = sha256(message); // Always use quantum-resistant verification const isValid = Blockchain.verifySignature( Blockchain.tx.origin, signature, messageHash, SignaturesMethods.MLDSA // Force ML-DSA ); const writer = new BytesWriter(1); writer.writeBoolean(isValid); return writer; } @method( { name: 'signer', type: ABIDataTypes.ADDRESS }, { name: 'message', type: ABIDataTypes.BYTES }, { name: 'signature', type: ABIDataTypes.BYTES }, ) @returns({ name: 'valid', type: ABIDataTypes.BOOL }) public verifyForAddress(calldata: Calldata): BytesWriter { const signer = calldata.readAddress(); const message = calldata.readBytesWithLength(); const signature = calldata.readBytesWithLength(); const messageHash = sha256(message); // Verify for a specific address const isValid = Blockchain.verifySignature( signer, signature, messageHash, SignaturesMethods.MLDSA ); const writer = new BytesWriter(1); writer.writeBoolean(isValid); return writer; } @method({ name: 'owner', type: ABIDataTypes.ADDRESS }) @returns({ name: 'keyLength', type: ABIDataTypes.UINT32 }) public getMLDSAKeyLength(calldata: Calldata): BytesWriter { const owner = calldata.readAddress(); // Access ML-DSA public key - automatically loaded const mldsaKey = owner.mldsaPublicKey; const writer = new BytesWriter(4); writer.writeU32(mldsaKey.length); // 1312 for Level2 return writer; } } ``` ## Solidity vs OP_NET: Quantum Resistance Comparison OP_NET is the first smart contract platform with built-in quantum-resistant cryptography. Solidity and the EVM have no quantum resistance capabilities. ### Feature Comparison Table | Feature | Solidity/EVM | OP_NET | OP_NET Advantage | |---------|--------------|-------|-----------------| | **Quantum-Safe Signatures** | Not supported | ML-DSA (FIPS 204) | Future-proof security | | **Post-Quantum Algorithm** | None | ML-DSA-44/65/87 | NIST standardized | | **Dual-Key Architecture** | Not available | Schnorr + ML-DSA | Smooth transition | | **Key Loading** | Manual storage/derivation | Automatic via `Address` | Zero setup required | | **Consensus Migration** | Not applicable | Built-in transition plan | Network-coordinated | | **Security Levels** | ECDSA only | 3 ML-DSA levels | Flexible security | | **Algorithm Selection** | Fixed (ECDSA) | Consensus-aware | Automatic switching | ### Quantum Threat Analysis | Algorithm | Shor's Algorithm Impact | Grover's Algorithm Impact | Status in OP_NET | |-----------|------------------------|---------------------------|-----------------| | ECDSA (Solidity) | **Broken** (polynomial time) | Weakened | N/A | | ECDSA (OP_NET) | **Broken** (polynomial time) | Weakened | Deprecated | | Schnorr (OP_NET) | **Broken** (polynomial time) | Weakened | Transition only | | ML-DSA (OP_NET) | **Secure** | Minimal impact | **Recommended** | ### Security Level Comparison | Security Level | Solidity | OP_NET ML-DSA | NIST Category | Quantum Security | |----------------|----------|--------------|---------------|------------------| | ~AES-128 equivalent | ECDSA (broken by quantum) | ML-DSA-44 (Level2) | Category 2 | **Secure** | | ~AES-192 equivalent | Not available | ML-DSA-65 (Level3) | Category 3 | **Secure** | | ~AES-256 equivalent | Not available | ML-DSA-87 (Level5) | Category 5 | **Secure** | ### Key and Signature Size Comparison | Metric | Solidity (ECDSA) | OP_NET (Schnorr) | OP_NET (ML-DSA-44) | OP_NET (ML-DSA-87) | |--------|------------------|-----------------|-------------------|-------------------| | Public Key Size | 33/65 bytes | 32 bytes | 1,312 bytes | 2,592 bytes | | Signature Size | 65 bytes | 64 bytes | 2,420 bytes | 4,627 bytes | | Private Key Size | 32 bytes | 32 bytes | 2,560 bytes | 4,896 bytes | | Quantum Safe | **No** | **No** | **Yes** | **Yes** | ### Capability Matrix | Capability | Solidity | OP_NET | |------------|:--------:|:-----:| | ECDSA verification (Ethereum) | Yes | Yes (deprecated) | | ECDSA verification (Bitcoin) | No | Yes (deprecated) | | Schnorr verification | No | Yes | | ML-DSA-44 verification | No | Yes | | ML-DSA-65 verification | No | Yes | | ML-DSA-87 verification | No | Yes | | Automatic public key loading | No | Yes | | Quantum-resistant addresses | No | Yes | | Dual-key addresses | No | Yes | | Consensus-aware algorithm | No | Yes | | Phased migration support | No | Yes | ### Timeline: Quantum Threat vs Platform Readiness | Timeframe | Quantum Computer Status | Solidity Status | OP_NET Status | |-----------|------------------------|-----------------|--------------| | **2024-2025** | Early NISQ era (~1000 qubits) | Vulnerable (no plan) | ML-DSA ready | | **2026-2030** | Scaling (~4000+ qubits possible) | **Critical risk** | Dual-key transition | | **2030+** | Cryptographically relevant | **Funds at risk** | ML-DSA only (secure) | ### Migration Path Comparison ```mermaid --- config: theme: dark --- flowchart LR subgraph Solidity["Solidity/EVM - No Migration Path"] S1["ECDSA Only"] --> S2["No quantum option"] S2 --> S3["Fork required?"] S3 --> S4["Funds at risk"] end subgraph OP_NET["OP_NET - Built-in Migration"] O1["Schnorr (current)"] --> O2["Dual-key period"] O2 --> O3["ML-DSA only"] O3 --> O4["Quantum secure"] end ``` ### Signature Verification Comparison #### Solidity: No Quantum Protection ```solidity // Solidity - Vulnerable to quantum attacks // There is NO way to add quantum resistance to Solidity/EVM function verify(bytes32 hash, uint8 v, bytes32 r, bytes32 s) external view returns (bool) { address recovered = ecrecover(hash, v, r, s); return recovered == expectedSigner; // CRITICAL VULNERABILITIES: // - ECDSA is broken by Shor's algorithm // - No update path to quantum-safe algorithms // - All funds signed with exposed public keys at risk // - No way to add ML-DSA or other PQC algorithms } // Even with precompiles, no quantum-safe option exists // EIP proposals for PQC have not been implemented ``` #### OP_NET: Built-in Quantum Resistance ```typescript // OP_NET - Quantum-resistant @method( { name: 'hash', type: ABIDataTypes.BYTES32 }, { name: 'signature', type: ABIDataTypes.BYTES }, ) @returns({ name: 'valid', type: ABIDataTypes.BOOL }) public verify(calldata: Calldata): BytesWriter { const hash = calldata.readBytes(32); const signature = calldata.readBytesWithLength(); // ML-DSA provides quantum resistance // FIPS 204 standardized algorithm // Public key loaded automatically from address const valid = Blockchain.verifySignature( this.expectedSigner.value, signature, hash, SignaturesMethods.MLDSA // Force quantum-resistant ML-DSA ); const writer = new BytesWriter(1); writer.writeBoolean(valid); return writer; } // Advantages: // - ML-DSA is quantum-resistant (lattice-based) // - NIST standardized (FIPS 204) // - Automatic key loading from address // - Consensus-managed transition // - No code changes needed for migration ``` ### Public Key Access Comparison ```solidity // Solidity - Must store or derive public key contract SolidityContract { // Must manually store public keys mapping(address => bytes) public publicKeys; function registerKey(bytes calldata pubkey) external { // Verify key matches address require(address(uint160(uint256(keccak256(pubkey)))) == msg.sender); publicKeys[msg.sender] = pubkey; } // No way to store/use ML-DSA keys (1,312+ bytes each!) // Storage costs would be prohibitive } ``` ```typescript // OP_NET - Automatic key access @final class OPNetContract extends OP_NET { public getPublicKey(calldata: Calldata): BytesWriter { const user = calldata.readAddress(); // ML-DSA public key loaded automatically! // No storage needed - runtime handles it const mldsaKey = user.mldsaPublicKey; // 1,312 bytes // Key is cached after first access const writer = new BytesWriter(4); writer.writeU32(mldsaKey.length); return writer; } } ``` ### Why OP_NET for Quantum Security? | Solidity Limitation | OP_NET Solution | |---------------------|----------------| | ECDSA only (quantum vulnerable) | ML-DSA (quantum resistant) | | No update path | Built-in consensus migration | | Must store large keys manually | Automatic key loading | | No NIST PQC algorithms | FIPS 204 ML-DSA | | Single key per address | Dual-key architecture | | Fixed algorithm forever | Consensus-aware selection | | Fork required for PQC | Smooth transition built-in | | All funds at risk | Protected from day one | ### Cost Comparison | Operation | Solidity | OP_NET Cost | Notes | |-----------|----------|------------|-------| | Store ML-DSA public key | Not practical (1,312 bytes) | 0 | OP_NET loads automatically | | Store ML-DSA signature | Not practical (2,420 bytes) | N/A | Not stored, verified | | Quantum-safe verification | Not possible | Standard | No additional cost | | Key migration | Contract redeploy | Consensus-managed | No user action needed | ## Best Practices 1. **Use `Address.mldsaPublicKey`** - Don't store ML-DSA keys manually; the Address class handles key loading and caching automatically (see [The Address Class](#the-address-class)) 2. **Force ML-DSA for high-security operations** - Pass `SignaturesMethods.MLDSA` to `Blockchain.verifySignature()` for critical operations (see [Signature Verification](#signature-verification)) 3. **Use consensus-aware verification for general use** - Pass `SignaturesMethods.Schnorr` (the default) to let the network decide which algorithm to use during the transition period. When Schnorr is no longer allowed by consensus, it automatically falls back to ML-DSA 4. **Document security level** - When using quantum-resistant signatures, document the ML-DSA level in your contract comments: ```typescript /** * Security Note: This contract uses ML-DSA-44 for quantum resistance. * ML-DSA-44 provides NIST Category 2 security (~AES-128 equivalent). * For higher security requirements, ML-DSA-65 or ML-DSA-87 may be used. */ ``` --- **Navigation:** - Previous: [Signature Verification](./signature-verification.md) - Next: [Bitcoin Scripts](./bitcoin-scripts.md)