Re: [bitcoindev] Pre-emptive commit/reveal for quantum-safe migration (poison-pill)

[Nagaev Boris <bnagaev@gmail.com>]

Hi Leo,

Thanks for sharing your proposal, a very interesting approach! I have
a few questions and comments:

> Users create and sign transactions moving their funds to quantum-safe addresses
> 1. **No consensus changes needed now** - Users can start protecting themselves
> immediately

How would users prepare transactions moving funds to quantum-safe
addresses now, before such address types exist? We would need to know
the structure of a quantum-safe address to create the transaction.
Either an existing address type would need to support some form of
quantum protection already (e.g., WOTS implemented via BitVM), or we
would still need a softfork to introduce a new address type.

Additionally, a future softfork (or possibly a hardfork, see below)
would still be required to enforce the new spending rules.

> - If attacked, the victim can reveal the commitment to execute the recovery
> transaction

Wouldn't such a recovery transaction require a hardfork? As far as I
understand, it wouldn't be valid under current consensus rules.
Enabling it would require relaxing existing rules, which would imply a
hardfork.

Best,
Boris

On Mon, Jun 2, 2025 at 6:12 PM Leo Wandersleb <lwandersleb@gmail.com> wrote:
>
> Hi all,
>
> I'd like to propose a variant of the commit/reveal schemes being discussed for
> quantum resistance, but with a different goal and timeline. This builds on ideas
> from the recent thread "Post-Quantum commit / reveal Fawkescoin variant as a
> soft fork" but targets a different use case.
>
> ## The Problem
>
> Current discussions focus on emergency reactive measures - what to do *after*
> quantum computers arrive. But this leaves users in a difficult position:
>
> 1. They can't prove ownership of their coins without revealing pubkeys (and thus
> becoming vulnerable)
> 2. Moving coins to quantum-safe addresses early reveals which addresses are
> active vs. abandoned
> 3. There's no way to prepare for migration without exposing yourself
>
> ## Pre-emptive Commit/Reveal
>
> What if users could commit *today* to future migration transactions, without
> revealing which UTXOs they control?
>
> The idea is simple:
> - Users create and sign transactions moving their funds to quantum-safe addresses
> - They compute a Merkle tree of all these transactions
> - They publish only the root hash (e.g., in an OP_RETURN)
> - This can be done today, with no consensus changes
>
> If/when quantum computers become a threat:
> - We soft fork to require at least n confirmations on quantum vulnerable
> transactions
> - Transactions work as always but can't be spent for n blocks
> - If attacked, the victim can reveal the commitment to execute the recovery
> transaction
>
> ## Key Advantages
>
> 1. **No consensus changes needed now** - Users can start protecting themselves
> immediately
> 2. **Privacy preserved** - The commitment reveals nothing about which UTXOs you own
> 3. **Efficient** - One hash can commit to migrations for all your UTXOs or even
> the UTXOs of several users
> 4. **Flexible** - Works whether or not a quantum computer ever actually appears
>
> ## Differences from Tadge's Proposal
>
> While Tadge's proposal solves post-quantum spending where any pubkey reveal is
> dangerous, this proposal is about preparation:
>
> - **Timing**: Pre-quantum (can start now) vs. post-quantum (activates after QC
> appears)
> - **Scope**: Migration to quantum-safe addresses for all address types in the
> worst case vs. general spending of hashed pubkeys
>
> Both use the same cryptographic primitive (commit/reveal) but for different
> phases of the quantum transition.
>
> This approach lets users protect their funds without waiting for consensus
> changes or revealing their holdings. It's a "poison pill" against quantum
> attackers - they might steal coins, but pre-committed owners can reclaim them.
>
> Would love to hear thoughts on this approach.
>
> Leo Wandersleb
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a%40gmail.com.



-- 
Best regards,
Boris Nagaev

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAFC_Vt7z5Vj%3Dr90J8RoH3sC5592BO4G9U3L9gdcX%2BD3DruC1PQ%40mail.gmail.com.