Hi all,
I'd like to propose a variant of the commit/reveal schemes being discussed for
quantum resistance, but with a different goal and timeline. This builds on ideas
from the recent thread "Post-Quantum commit / reveal Fawkescoin variant as a
soft fork" but targets a different use case.
## The Problem
Current discussions focus on emergency reactive measures - what to do *after*
quantum computers arrive. But this leaves users in a difficult position:
1. They can't prove ownership of their coins without revealing pubkeys (and thus
becoming vulnerable)
2. Moving coins to quantum-safe addresses early reveals which addresses are
active vs. abandoned
3. There's no way to prepare for migration without exposing yourself
## Pre-emptive Commit/Reveal
What if users could commit *today* to future migration transactions, without
revealing which UTXOs they control?
The idea is simple:
- Users create and sign transactions moving their funds to quantum-safe
addresses
- They compute a Merkle tree of all these transactions
- They publish only the root hash (e.g., in an OP_RETURN)
- This can be done today, with no consensus changes
If/when quantum computers become a threat:
- We soft fork to require at least n confirmations on quantum vulnerable
transactions
- Transactions work as always but can't be spent for n blocks
- If attacked, the victim can reveal the commitment to execute the recovery
transaction
## Key Advantages
1. **No consensus changes needed now** - Users can start protecting themselves
immediately
2. **Privacy preserved** - The commitment reveals nothing about which UTXOs you
own
3. **Efficient** - One hash can commit to migrations for all your UTXOs or even
the UTXOs of several users
4. **Flexible** - Works whether or not a quantum computer ever actually appears
## Differences from Tadge's Proposal
While Tadge's proposal solves post-quantum spending where any pubkey reveal is
dangerous, this proposal is about preparation:
- **Timing**: Pre-quantum (can start now) vs. post-quantum (activates after QC
appears)
- **Scope**: Migration to quantum-safe addresses for all address types in the
worst case vs. general spending of hashed pubkeys
Both use the same cryptographic primitive (commit/reveal) but for different
phases of the quantum transition.
This approach lets users protect their funds without waiting for consensus
changes or revealing their holdings. It's a "poison pill" against quantum
attackers - they might steal coins, but pre-committed owners can reclaim them.
Would love to hear thoughts on this approach.
Leo Wandersleb
--
You received this message because you are subscribed to the Google Groups "Bitcoin
Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a%40gmail.com.
