Bitcoin Honeypot Address Protocol (BHAP)
This project implements a distributed protocol for creating a Bitcoin honeypot address that is quantum-vulnerable by design. The honeypot serves as a public alert: if its funds are ever spent, it signals that a quantum computer has very likely broken the elliptic-curve discrete logarithm problem (ECDLP) on secp192r1 (roughly 96 bits of classical security) and is approaching the ability to break Bitcoin's secp256k1 (roughly 128 bits). The protocol is implemented in Python on top of several cryptographic libraries.
The Bitcoin Honeypot Address Protocol (BHAP) is a multi-phase, distributed protocol involving n participants and a coordinator. It ensures:
- Compatibility: The honeypot address is a standard Taproot address, fully compatible with Bitcoin, but its security is reduced to that of `secp192r1`.
- Correctness: Even with up to `k < n` malicious participants, a quantum computer able to break `secp192r1` can retrieve the funds. (This assumes every published ciphertext really encrypts its participant's key share; see the zero-knowledge-proof item under future work.)
- Robustness: The honeypot private key is unknown as long as at least one participant is honest.
- Verifiability: All data and steps are publicly verifiable.
Notation:
- (Pb, db): Public/private key pair on `secp256k1` (the Bitcoin curve).
- (Pw, dw): Public/private key pair on `secp192r1` (weakened so that a quantum attack becomes feasible earlier).
- Suffixes `b` and `w` stand for Bitcoin and Weak, respectively; a trailing index `i` (dbi, Pbi) denotes participant i's share.
Participants: key generation
- Each participant generates a random Bitcoin private key (dbi) and derives the corresponding public key (Pbi) on `secp256k1`.
- Outputs are saved in `../outputs/participant/keys`.
Coordinator: key aggregation and hash-to-curve
- The coordinator aggregates all Pbi into a single public key Pb by elliptic-curve point addition (Pb = Pb1 + ... + Pbn), so the matching private key is db = db1 + ... + dbn modulo the group order and no single party holds it. Plain summation preserves this only if no participant can choose Pbi after seeing the others' keys (the standard rogue-key caveat for additive key aggregation).
- Pb is hashed with SHA-256, the digest is truncated to 24 bytes (192 bits) and used as an x-coordinate on `secp192r1` to derive the point Pw. If the value is not a valid x-coordinate (it exceeds the field prime or no point has that x), the hashing step repeats; the number of hashes needed is recorded in the commitment. Because Pw is derived from a hash rather than generated from a key, nobody knows its discrete logarithm dw classically; only an attacker who can solve the ECDLP on `secp192r1` can recover it.
- Results are saved in `../outputs/coordinator/key_agg_output/aggregation_output.txt`.
Participants: verification and encryption
- Participants verify the received Pb (it must equal the sum of the published Pbi, including their own) and Pw (it must be the hash-derived point on `secp192r1`).
- Each participant encrypts their dbi to Pw using ECIES (ephemeral key on `secp192r1`, AES-CBC for the payload).
- Outputs Ei = (Pbi, ci, IVi, Pei), where ci is the ciphertext, IVi the AES-CBC IV and Pei the ephemeral ECIES public key, are saved in `../outputs/participant/ecies_output`.
Coordinator: commitment, address and funding
- The coordinator collects all Ei and builds a commitment containing Pb, Pw, the number of hashes used to derive Pw, and all Ei.
- The commitment is hashed and the hash is used as the Taproot tweak of Pb, producing the final honeypot address (HA). This binds the ciphertexts to the address: anyone can recompute HA from the published data, and a different set of ciphertexts would give a different address.
- The address is saved in `../outputs/coordinator/honeypot_address.txt`.
- A funding transaction is created with an OP_RETURN output linking to a web page hosting all protocol data.
Attacker (post-quantum): key recovery
- An attacker who has solved the ECDLP on `secp192r1` for Pw holds dw and can decrypt every ci, recovering each dbi.
- Summing all dbi modulo the group order reconstructs db, the private key for Pb.
- The tweaked private key is derived (BIP341 requires db to be negated first if Pb has an odd y-coordinate) and written as a wallet descriptor ready to be imported into Bitcoin Core to spend the funds.
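The five steps above, key generation through attacker recovery, as an added end-to-end example in dependency-free Python. This is not code from the BHAP repository: it uses its own affine curve arithmetic instead of `coincurve`/`tinyec`, replaces the project's AES-CBC payload encryption with an HMAC-SHA256 keystream (and no MAC) so that it runs on the standard library alone, assumes that an invalid x-coordinate is retried by hashing the previous digest again, and simulates the quantum attacker by letting `run_protocol` accept a known `dw` (in the real protocol Pw is hash-derived and nobody knows dw). The phase numbers in the comments follow the order of the steps above; every function name is this example's own.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class Curve:
    """y^2 = x^3 + a*x + b over GF(p), affine coordinates; demonstration arithmetic only."""
    p: int; a: int; b: int; g: tuple; n: int

    def add(self, P, Q):
        if P is None or Q is None: return P or Q             # identity element is None
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0: return None  # P + (-P)
        lam = ((3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p) if P == Q
               else (y2 - y1) * pow(x2 - x1, -1, self.p))
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k, P):                                      # double-and-add
        R = None
        while k:
            if k & 1: R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

    def lift_x(self, x):
        """Point with this x and even y, or None if x is out of range or not on the curve."""
        if not 0 <= x < self.p: return None
        rhs = (x ** 3 + self.a * x + self.b) % self.p
        y = pow(rhs, (self.p + 1) // 4, self.p)               # square root, valid as p % 4 == 3
        return (x, y if y % 2 == 0 else self.p - y) if y * y % self.p == rhs else None

    def compress(self, P):                                    # SEC1 compressed encoding
        return bytes([2 + P[1] % 2]) + P[0].to_bytes((self.p.bit_length() + 7) // 8, "big")

SECP256K1 = Curve(2**256 - 2**32 - 977, 0, 7,
    (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)
SECP192R1 = Curve(2**192 - 2**64 - 1, 2**192 - 2**64 - 4, 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1,
    (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012, 0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811),
    0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831)

def keygen(curve):                                            # Phase 1: random (d, P = d*G)
    d = secrets.randbelow(curve.n - 1) + 1
    return d, curve.mul(d, curve.g)

def weak_point(Pb):
    """Phase 2 hash-to-curve: SHA-256(Pb), first 24 bytes as x on secp192r1, re-hashing the digest
    until a point exists (the re-hash rule is this example's assumption). Returns (Pw, hashes)."""
    h, count = hashlib.sha256(SECP256K1.compress(Pb)).digest(), 1
    while True:
        Pw = SECP192R1.lift_x(int.from_bytes(h[:24], "big"))
        if Pw is not None: return Pw, count
        h, count = hashlib.sha256(h).digest(), count + 1

def keystream(shared_x, iv, length):
    """HMAC-SHA256 counter keystream keyed from the ECDH x-coordinate; stand-in for AES-CBC."""
    key = hashlib.sha256(shared_x.to_bytes(24, "big")).digest()
    blocks = range(-(-length // 32))
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)[:length]

def ecies_encrypt(Pw, msg):                                   # Phase 3: returns (c, IV, Pe)
    de, Pe = keygen(SECP192R1)
    iv = secrets.token_bytes(16)
    ks = keystream(SECP192R1.mul(de, Pw)[0], iv, len(msg))
    return bytes(a ^ b for a, b in zip(msg, ks)), iv, Pe

def ecies_decrypt(dw, c, iv, Pe):
    ks = keystream(SECP192R1.mul(dw, Pe)[0], iv, len(c))
    return bytes(a ^ b for a, b in zip(c, ks))

def tagged_hash(tag, msg):                                    # BIP340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def taproot_tweak(Pb, root):
    """Phase 4: BIP341 key-path tweak with the commitment hash as script-tree root. Returns (Q, t)."""
    P = Pb if Pb[1] % 2 == 0 else (Pb[0], SECP256K1.p - Pb[1])   # x-only internal key has even y
    t = int.from_bytes(tagged_hash("TapTweak", P[0].to_bytes(32, "big") + root), "big") % SECP256K1.n
    return SECP256K1.add(P, SECP256K1.mul(t, SECP256K1.g)), t

def run_protocol(n=3, dw=None):
    """Phases 1-4 for n participants. If dw is given, Pw = dw*G stands in for a quantum-recovered
    key so Phase 5 can be exercised; otherwise Pw is hash-derived and dw is known to nobody."""
    keys = [keygen(SECP256K1) for _ in range(n)]
    Pb = reduce(SECP256K1.add, (P for _, P in keys))                           # Pb = sum of Pb_i
    Pw, hashes = (SECP192R1.mul(dw, SECP192R1.g), 0) if dw is not None else weak_point(Pb)
    records = [(P,) + ecies_encrypt(Pw, d.to_bytes(32, "big")) for d, P in keys]   # E_i
    commit = SECP256K1.compress(Pb) + SECP192R1.compress(Pw) + hashes.to_bytes(4, "big") + b"".join(
        SECP256K1.compress(P) + c + iv + SECP192R1.compress(Pe) for P, c, iv, Pe in records)
    root = hashlib.sha256(commit).digest()
    return {"Pb": Pb, "Pw": Pw, "hashes": hashes, "records": records, "root": root,
            "HA": taproot_tweak(Pb, root)[0]}

def attacker_recover(dw, records, root):
    """Phase 5: decrypt every c_i with dw, sum the db_i, apply the tweak; returns the spending key."""
    db = sum(int.from_bytes(ecies_decrypt(dw, c, iv, Pe), "big") for _, c, iv, Pe in records) % SECP256K1.n
    Pb = SECP256K1.mul(db, SECP256K1.g)
    if Pb[1] % 2: db = SECP256K1.n - db                         # negate to match the even-y internal key
    return (db + taproot_tweak(Pb, root)[1]) % SECP256K1.n
```

To exercise the attacker path, pick any scalar `dw` below the `secp192r1` order, call `out = run_protocol(3, dw=dw)`, then `d = attacker_recover(dw, out["records"], out["root"])` and check that `SECP256K1.mul(d, SECP256K1.g) == out["HA"]`; calling `run_protocol(3)` without `dw` produces the real hash-derived Pw, for which no one can run the recovery step. Note the parity handling in `taproot_tweak` and `attacker_recover`: Taproot's internal key is x-only with an implied even y, so the summed `db` must be negated when Pb has an odd y before the tweak is added, otherwise the derived key does not control HA.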
Implementation details:
- Languages/Libraries: Python, `bitcoinutils`, `coincurve`, `cryptography`, `tinyec`, `secrets`, `hashlib`.
- Directory structure:
  - `outputs/participant/keys`: participant key pairs
  - `outputs/participant/ecies_output`: encrypted keys (Ei)
  - `outputs/coordinator/key_agg_input`: public keys for aggregation
  - `outputs/coordinator/key_agg_output`: aggregation results
  - `outputs/coordinator/honeypot_commitment`: commitment data
  - `outputs/coordinator/honeypot_address.txt`: final address
  - `outputs/attacker/bitcoin_core_import.txt`: wallet descriptor
Future work:
- Zero-Knowledge Proofs: Not yet implemented; a proof that each ciphertext ci is a valid ECIES encryption of the private key behind Pbi would let anyone verify the ciphertexts publicly. Without it, a participant can publish a ciphertext that does not decrypt to their dbi, which breaks the correctness property.
- Decentralization: Current protocol uses a coordinator; future work should remove this trust assumption.
- Data Hosting: Currently uses centralized web hosting; decentralized storage (e.g., IPFS) is recommended for future versions.
- Mainnet Deployment: Protocol is a proof-of-concept; further improvements are needed for mainnet use.
Tests:
- Extensive tests for key aggregation, hash-to-curve, and edge cases (see `/tests/`).
- All tests pass in every scenario exercised.
- Dedicated tests cover invalid points (x-coordinates that do not lie on `secp192r1`) and aggregation edge cases.