Message-ID: <33f67e84-5d1c-4c14-80b9-90a3fec3cb36@gmail.com>
Date: Tue, 3 Jun 2025 13:51:02 +0200
Subject: Re: [bitcoindev] Pre-emptive commit/reveal for quantum-safe migration (poison-pill)
From: Leo Wandersleb
To: Nagaev Boris
Cc: Bitcoin Development Mailing List
References: <2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a@gmail.com>

Hi Boris,

Actually, I think the poison pill approach could be implemented as a soft fork after all, with a cleaner mechanism:

After activation at block height X:

1. **Vulnerable UTXOs cannot be spent directly** - they require a prior announcement
2. **Weak announcement** with no private key needed: "I intend to spend UTXO A with transaction X after block B+144"
3. **Strong announcement** with a commitment proof: References a potentially old, pre-fork commitment and provides proof that this UTXO was included
4. **After 144 blocks**: The UTXO can be spent according to the strongest announcement (oldest commitment wins)

This is a soft fork because:
- We're not "undoing" transactions
- We're adding new rules about *when* certain UTXOs can be spent
- Old nodes still see valid transactions, just with different timing

The key insight is that the "weak announcement" doesn't require private keys - it just declares intent. This preserves the validity of pre-signed transactions (they can still be announced and executed, just with a delay).

Meanwhile, anyone who created commitments before the fork can use "strong announcements" to override potential quantum attackers during the window.

This gives us poison pill protection while maintaining backward compatibility. No transaction reversal needed - just a new spending process for vulnerable UTXOs.

Does this address your hard fork concern?

---

This formulation avoids implementation details while focusing on the conceptual mechanism that makes it a soft fork rather than a hard fork.

On 6/3/25 01:11, Nagaev Boris wrote:
> Hi Leo,
>
> Thanks for sharing your proposal, a very interesting approach! I have
> a few questions and comments:
>
>> Users create and sign transactions moving their funds to quantum-safe addresses
>> 1. **No consensus changes needed now** - Users can start protecting themselves
>> immediately
> How would users prepare transactions moving funds to quantum-safe
> addresses now, before such address types exist? We would need to know
> the structure of a quantum-safe address to create the transaction.
> Either an existing address type would need to support some form of
> quantum protection already (e.g., WOTS implemented via BitVM), or we
> would still need a softfork to introduce a new address type.
>
> Additionally, a future softfork (or possibly a hardfork, see below)
> would still be required to enforce the new spending rules.
>
>> - If attacked, the victim can reveal the commitment to execute the recovery
>> transaction
> Wouldn't such a recovery transaction require a hardfork? As far as I
> understand, it wouldn't be valid under current consensus rules.
> Enabling it would require relaxing existing rules, which would imply a
> hardfork.
>
> Best,
> Boris
>
> On Mon, Jun 2, 2025 at 6:12 PM Leo Wandersleb wrote:
>> Hi all,
>>
>> I'd like to propose a variant of the commit/reveal schemes being discussed for
>> quantum resistance, but with a different goal and timeline. This builds on ideas
>> from the recent thread "Post-Quantum commit / reveal Fawkescoin variant as a
>> soft fork" but targets a different use case.
>>
>> ## The Problem
>>
>> Current discussions focus on emergency reactive measures - what to do *after*
>> quantum computers arrive. But this leaves users in a difficult position:
>>
>> 1. They can't prove ownership of their coins without revealing pubkeys (and thus
>> becoming vulnerable)
>> 2. Moving coins to quantum-safe addresses early reveals which addresses are
>> active vs. abandoned
>> 3. There's no way to prepare for migration without exposing yourself
>>
>> ## Pre-emptive Commit/Reveal
>>
>> What if users could commit *today* to future migration transactions, without
>> revealing which UTXOs they control?
>>
>> The idea is simple:
>> - Users create and sign transactions moving their funds to quantum-safe addresses
>> - They compute a Merkle tree of all these transactions
>> - They publish only the root hash (e.g., in an OP_RETURN)
>> - This can be done today, with no consensus changes
>>
>> If/when quantum computers become a threat:
>> - We soft fork to require at least n confirmations on quantum vulnerable
>> transactions
>> - Transactions work as always but can't be spent for n blocks
>> - If attacked, the victim can reveal the commitment to execute the recovery
>> transaction
>>
>> ## Key Advantages
>>
>> 1. **No consensus changes needed now** - Users can start protecting themselves
>> immediately
>> 2. **Privacy preserved** - The commitment reveals nothing about which UTXOs you own
>> 3. **Efficient** - One hash can commit to migrations for all your UTXOs or even
>> the UTXOs of several users
>> 4. **Flexible** - Works whether or not a quantum computer ever actually appears
>>
>> ## Differences from Tadge's Proposal
>>
>> While Tadge's proposal solves post-quantum spending where any pubkey reveal is
>> dangerous, this proposal is about preparation:
>>
>> - **Timing**: Pre-quantum (can start now) vs. post-quantum (activates after QC
>> appears)
>> - **Scope**: Migration to quantum-safe addresses for all address types in the
>> worst case vs. general spending of hashed pubkeys
>>
>> Both use the same cryptographic primitive (commit/reveal) but for different
>> phases of the quantum transition.
>>
>> This approach lets users protect their funds without waiting for consensus
>> changes or revealing their holdings. It's a "poison pill" against quantum
>> attackers - they might steal coins, but pre-committed owners can reclaim them.
>>
>> Would love to hear thoughts on this approach.
>>
>> Leo Wandersleb
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a%40gmail.com.
>

-- 
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/33f67e84-5d1c-4c14-80b9-90a3fec3cb36%40gmail.com.
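The mechanism the thread sketches (a Merkle commitment to pre-signed migration transactions published in an OP_RETURN, later a reveal with an inclusion proof, and weak vs. strong announcements resolved after a 144-block window with the oldest commitment winning) as an added, runnable toy model. This is the editor's example, not code from Leo, Boris, or Bitcoin Core. Everything beyond the thread's own description is an assumption: transactions are opaque byte strings rather than real Bitcoin transactions, the OP_RETURN commitment is a dict entry keyed by block height, leaves are hashed with Bitcoin-style double SHA-256, a strong announcement must cite a commitment made before the fork height, the window is counted from the first announcement for a UTXO, and when only weak announcements exist the first one announced wins. The sample UTXOs and transaction strings are constructed for the example.

```python
"""Toy model of the pre-emptive commit/reveal scheme discussed in this thread.
Editor's added example, not code from the thread or Bitcoin Core; see lead-in for assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

WINDOW = 144  # blocks between an announcement and the earliest spend, as in the reply

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()  # assumption: Bitcoin-style hash

def _pad(level: list[bytes]) -> list[bytes]:
    return level + [level[-1]] if len(level) % 2 else level  # duplicate last node on odd levels

def _next_level(level: list[bytes]) -> list[bytes]:
    level = _pad(level)
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list[bytes]) -> bytes:
    """Root over all pre-signed migration transactions; this is what gets published."""
    level = [sha256d(x) for x in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the bool marks a sibling that sits on the left."""
    level, proof = [sha256d(x) for x in leaves], []
    while len(level) > 1:
        level = _pad(level)
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        level, index = _next_level(level), index // 2
    return proof

def verify_proof(leaf: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Reveal step: one transaction plus its path proves inclusion without exposing the rest."""
    h = sha256d(leaf)
    for sib, sib_is_left in proof:
        h = sha256d(sib + h) if sib_is_left else sha256d(h + sib)
    return h == root

@dataclass
class Announcement:
    utxo: str
    tx: bytes                            # transaction the announcer intends to broadcast
    height: int = 0                      # filled in by Chain.announce
    commit_height: Optional[int] = None  # strong announcements cite an earlier published root
    proof: Optional[list] = None

@dataclass
class Chain:
    fork_height: int
    height: int = 0
    commitments: dict = field(default_factory=dict)    # height -> [root, ...]
    announcements: dict = field(default_factory=dict)  # utxo -> [Announcement, ...]

    def mine(self, n: int = 1) -> None:
        self.height += n

    def publish_commitment(self, root: bytes) -> int:
        """Stand-in for an OP_RETURN output carrying the root; returns its block height."""
        self.commitments.setdefault(self.height, []).append(root)
        return self.height

    def announce(self, ann: Announcement) -> None:
        if self.height < self.fork_height:
            raise ValueError("announcements only exist after activation")
        ann.height = self.height
        self.announcements.setdefault(ann.utxo, []).append(ann)

    def is_strong(self, ann: Announcement) -> bool:
        """Strong = cites a pre-fork commitment whose root provably includes ann.tx."""
        if ann.commit_height is None or ann.commit_height >= self.fork_height:
            return False
        return any(verify_proof(ann.tx, ann.proof or [], r)
                   for r in self.commitments.get(ann.commit_height, []))

    def spendable_by(self, utxo: str) -> Optional[bytes]:
        """Transaction allowed to spend `utxo`, or None while the window is still open."""
        anns = self.announcements.get(utxo, [])
        if not anns or self.height < anns[0].height + WINDOW:
            return None
        strong = [a for a in anns if self.is_strong(a)]
        if strong:  # oldest commitment wins
            return min(strong, key=lambda a: a.commit_height).tx
        return anns[0].tx  # only weak announcements: first announced wins (assumption)

def scenario() -> dict:
    """Attacker weak-announces utxo-A post-fork; victim overrides with a strong one; utxo-B is uncontested."""
    chain = Chain(fork_height=100)
    migrations = [b"migrate:utxo-A->pq-addr-1", b"migrate:utxo-C->pq-addr-3"]  # constructed
    chain.mine(10)
    commit_height = chain.publish_commitment(merkle_root(migrations))  # height 10, pre-fork
    chain.mine(200)  # fork activated at 100; attacker now holds a quantum computer
    attacker_tx, presigned_b = b"steal:utxo-A->attacker", b"presigned:utxo-B->cold-storage"
    chain.announce(Announcement("utxo-A", attacker_tx))  # weak: no key, no proof needed
    chain.announce(Announcement("utxo-B", presigned_b))  # weak, and nobody contests it
    chain.mine(5)
    chain.announce(Announcement("utxo-A", migrations[0], commit_height=commit_height,
                                proof=merkle_proof(migrations, 0)))  # strong
    before_window = chain.spendable_by("utxo-A")
    chain.mine(WINDOW)
    return {"before_window": before_window, "winner_a": chain.spendable_by("utxo-A"),
            "victim_tx": migrations[0], "attacker_tx": attacker_tx,
            "winner_b": chain.spendable_by("utxo-B"), "presigned_b": presigned_b}
```

Two things the model makes visible that the prose only asserts: the attacker's weak announcement is genuinely accepted (nothing about it is invalid, it simply loses to an older commitment once the window closes), and the reveal for utxo-A discloses only that one transaction and its sibling hashes, so utxo-C's migration stays hidden. The soft-fork property rests on `spendable_by` returning None during the window; an old node would see nothing wrong with either spend, only a delay.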