References: <2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a@gmail.com>
In-Reply-To: <2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a@gmail.com>
From: Nagaev Boris <bnagaev@gmail.com>
Date: Mon, 2 Jun 2025 20:11:57 -0300
Message-ID: <CAFC_Vt7z5Vj=r90J8RoH3sC5592BO4G9U3L9gdcX+D3DruC1PQ@mail.gmail.com>
Subject: Re: [bitcoindev] Pre-emptive commit/reveal for quantum-safe migration (poison-pill)
To: Leo Wandersleb <lwandersleb@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Hi Leo,
Thanks for sharing your proposal, a very interesting approach! I have
a few questions and comments:
> Users create and sign transactions moving their funds to quantum-safe addresses
> 1. **No consensus changes needed now** - Users can start protecting themselves
> immediately
How would users prepare transactions moving funds to quantum-safe
addresses now, before such address types exist? We would need to know
the structure of a quantum-safe address to create the transaction.
Either an existing address type would need to support some form of
quantum protection already (e.g., WOTS implemented via BitVM), or we
would still need a softfork to introduce a new address type.
Additionally, a future softfork (or possibly a hardfork, see below)
would still be required to enforce the new spending rules.
> - If attacked, the victim can reveal the commitment to execute the recovery
> transaction
Wouldn't such a recovery transaction require a hardfork? As far as I
understand, it wouldn't be valid under current consensus rules.
Enabling it would require relaxing existing rules, which would imply a
hardfork.
Best,
Boris
On Mon, Jun 2, 2025 at 6:12 PM Leo Wandersleb <lwandersleb@gmail.com> wrote:
>
> Hi all,
>
> I'd like to propose a variant of the commit/reveal schemes being discussed for
> quantum resistance, but with a different goal and timeline. This builds on ideas
> from the recent thread "Post-Quantum commit / reveal Fawkescoin variant as a
> soft fork" but targets a different use case.
>
> ## The Problem
>
> Current discussions focus on emergency reactive measures - what to do *after*
> quantum computers arrive. But this leaves users in a difficult position:
>
> 1. They can't prove ownership of their coins without revealing pubkeys (and thus
> becoming vulnerable)
> 2. Moving coins to quantum-safe addresses early reveals which addresses are
> active vs. abandoned
> 3. There's no way to prepare for migration without exposing yourself
>
> ## Pre-emptive Commit/Reveal
>
> What if users could commit *today* to future migration transactions, without
> revealing which UTXOs they control?
>
> The idea is simple:
> - Users create and sign transactions moving their funds to quantum-safe addresses
> - They compute a Merkle tree of all these transactions
> - They publish only the root hash (e.g., in an OP_RETURN)
> - This can be done today, with no consensus changes
>
> If/when quantum computers become a threat:
> - We soft fork to require at least n confirmations on quantum vulnerable
> transactions
> - Transactions work as always but can't be spent for n blocks
> - If attacked, the victim can reveal the commitment to execute the recovery
> transaction
>
> ## Key Advantages
>
> 1. **No consensus changes needed now** - Users can start protecting themselves
> immediately
> 2. **Privacy preserved** - The commitment reveals nothing about which UTXOs you own
> 3. **Efficient** - One hash can commit to migrations for all your UTXOs or even
> the UTXOs of several users
> 4. **Flexible** - Works whether or not a quantum computer ever actually appears
>
> ## Differences from Tadge's Proposal
>
> While Tadge's proposal solves post-quantum spending where any pubkey reveal is
> dangerous, this proposal is about preparation:
>
> - **Timing**: Pre-quantum (can start now) vs. post-quantum (activates after QC
> appears)
> - **Scope**: Migration to quantum-safe addresses for all address types in the
> worst case vs. general spending of hashed pubkeys
>
> Both use the same cryptographic primitive (commit/reveal) but for different
> phases of the quantum transition.
>
> This approach lets users protect their funds without waiting for consensus
> changes or revealing their holdings. It's a "poison pill" against quantum
> attackers - they might steal coins, but pre-committed owners can reclaim them.
>
> Would love to hear thoughts on this approach.
>
> Leo Wandersleb
>
-- 
Best regards,
Boris Nagaev
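The commit/reveal mechanics discussed in this thread (a Merkle tree over pre-signed migration transactions, only the root published in an OP_RETURN, and a later reveal of one transaction with its Merkle path) as an added Python example; it is not code from either email or from any Bitcoin project. The transaction bytes are constructed stand-ins rather than real serializations, leaf hashes are sha256d of those bytes (standing in for txids), and the tree follows Bitcoin's convention of pairing an odd last node with itself.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _next_level(level: list[bytes]) -> list[bytes]:
    """One Merkle round; an odd last node is paired with itself, as in Bitcoin block trees."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list[bytes]) -> bytes:
    """Commit step: root over the txids of all pre-signed migration transactions."""
    if not leaves:
        raise ValueError("cannot commit to an empty set of transactions")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling path for leaves[index], as (sibling_hash, sibling_is_on_the_right) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level, index = _next_level(level), index // 2
    return proof


def verify_reveal(tx_bytes: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Reveal step: recompute the leaf from the revealed transaction itself (never trust a
    claimed txid) and walk the sibling path up to the committed root."""
    node = sha256d(tx_bytes)
    for sibling, sibling_is_right in proof:
        node = sha256d(node + sibling) if sibling_is_right else sha256d(sibling + node)
    return node == root


def op_return_script(root: bytes) -> bytes:
    """scriptPubKey carrying the 32-byte root: OP_RETURN (0x6a) followed by a 32-byte push (0x20)."""
    if len(root) != 32:
        raise ValueError("root must be 32 bytes")
    return b"\x6a\x20" + root


# Constructed stand-ins for three pre-signed migration transactions (not real serializations).
SAMPLE_TXS = [b"migrate-utxo-0-to-pq-addr", b"migrate-utxo-1-to-pq-addr", b"migrate-utxo-2-to-pq-addr"]
SAMPLE_TXIDS = [sha256d(tx) for tx in SAMPLE_TXS]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXIDS)
    print("commitment script:", op_return_script(root).hex())
    print("reveal of tx 1 verifies:", verify_reveal(SAMPLE_TXS[1], merkle_proof(SAMPLE_TXIDS, 1), root))
```

The published script reveals only the root, so nothing about which UTXOs are covered leaks until a reveal; the reveal then exposes exactly one transaction and its path, not the rest of the set.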