From: Nagaev Boris
Date: Mon, 2 Jun 2025 20:11:57 -0300
Subject: Re: [bitcoindev] Pre-emptive commit/reveal for quantum-safe migration (poison-pill)
To: Leo Wandersleb
Cc: Bitcoin Development Mailing List
In-Reply-To: <2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a@gmail.com>

Hi Leo,

Thanks for sharing your proposal, a very interesting approach!

I have a few questions and comments:

> Users create and sign transactions moving their funds to quantum-safe addresses

> 1. **No consensus changes needed now** - Users can start protecting themselves
> immediately

How would users prepare transactions moving funds to quantum-safe
addresses now, before such address types exist? We would need to know
the structure of a quantum-safe address to create the transaction.
Either an existing address type would need to support some form of
quantum protection already (e.g., WOTS implemented via BitVM), or we
would still need a softfork to introduce a new address type.

Additionally, a future softfork (or possibly a hardfork, see below)
would still be required to enforce the new spending rules.

> - If attacked, the victim can reveal the commitment to execute the recovery
> transaction

Wouldn't such a recovery transaction require a hardfork? As far as I
understand, it wouldn't be valid under current consensus rules.
Enabling it would require relaxing existing rules, which would imply a
hardfork.

Best,
Boris

On Mon, Jun 2, 2025 at 6:12 PM Leo Wandersleb wrote:
>
> Hi all,
>
> I'd like to propose a variant of the commit/reveal schemes being discussed for
> quantum resistance, but with a different goal and timeline. This builds on ideas
> from the recent thread "Post-Quantum commit / reveal Fawkescoin variant as a
> soft fork" but targets a different use case.
>
> ## The Problem
>
> Current discussions focus on emergency reactive measures - what to do *after*
> quantum computers arrive. But this leaves users in a difficult position:
>
> 1. They can't prove ownership of their coins without revealing pubkeys (and thus
> becoming vulnerable)
> 2. Moving coins to quantum-safe addresses early reveals which addresses are
> active vs. abandoned
> 3. There's no way to prepare for migration without exposing yourself
>
> ## Pre-emptive Commit/Reveal
>
> What if users could commit *today* to future migration transactions, without
> revealing which UTXOs they control?
>
> The idea is simple:
> - Users create and sign transactions moving their funds to quantum-safe addresses
> - They compute a Merkle tree of all these transactions
> - They publish only the root hash (e.g., in an OP_RETURN)
> - This can be done today, with no consensus changes
>
> If/when quantum computers become a threat:
> - We soft fork to require at least n confirmations on quantum vulnerable
> transactions
> - Transactions work as always but can't be spent for n blocks
> - If attacked, the victim can reveal the commitment to execute the recovery
> transaction
>
> ## Key Advantages
>
> 1. **No consensus changes needed now** - Users can start protecting themselves
> immediately
> 2. **Privacy preserved** - The commitment reveals nothing about which UTXOs you own
> 3. **Efficient** - One hash can commit to migrations for all your UTXOs or even
> the UTXOs of several users
> 4. **Flexible** - Works whether or not a quantum computer ever actually appears
>
> ## Differences from Tadge's Proposal
>
> While Tadge's proposal solves post-quantum spending where any pubkey reveal is
> dangerous, this proposal is about preparation:
>
> - **Timing**: Pre-quantum (can start now) vs. post-quantum (activates after QC
> appears)
> - **Scope**: Migration to quantum-safe addresses for all address types in the
> worst case vs. general spending of hashed pubkeys
>
> Both use the same cryptographic primitive (commit/reveal) but for different
> phases of the quantum transition.
>
> This approach lets users protect their funds without waiting for consensus
> changes or revealing their holdings. It's a "poison pill" against quantum
> attackers - they might steal coins, but pre-committed owners can reclaim them.
>
> Would love to hear thoughts on this approach.
>
> Leo Wandersleb

-- 
Best regards,
Boris Nagaev
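Added example, not part of the original email or of the proposal's own code: a sketch of the commitment step described in the quoted proposal (hash each pre-signed migration transaction, publish only the Merkle root, later reveal one transaction together with its path). The tree construction (SHA-256, 0x00/0x01 leaf/node prefixes, promoting an odd node instead of duplicating it), the function names, and the sample transaction bytes are assumptions; the proposal does not specify them.

```python
import hashlib

# Constructed placeholders standing in for serialized, signed migration transactions.
SAMPLE_TXS = [b"constructed-signed-migration-tx-%d" % i for i in range(5)]

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(tx: bytes) -> bytes:
    # Assumption: 0x00/0x01 prefixes keep leaves and interior nodes in separate domains.
    return _h(b"\x00" + tx)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(txs):
    """Return every tree level, leaves first. An unpaired node is promoted
    unchanged rather than duplicated, so padding cannot alias two tx lists."""
    if not txs:
        raise ValueError("nothing to commit to")
    levels = [[leaf_hash(t) for t in txs]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def commit(txs) -> bytes:
    """32-byte root: the only value that is published at commit time."""
    return build_levels(txs)[-1][0]

def prove(txs, index):
    """Sibling path for txs[index] as (sibling_hash, sibling_is_left) pairs."""
    path = []
    for level in build_levels(txs)[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling on this level
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(root: bytes, tx: bytes, path) -> bool:
    """Recompute the root from one revealed tx and its path; other leaves stay hidden."""
    acc = leaf_hash(tx)
    for sibling, is_left in path:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root

if __name__ == "__main__":
    print(commit(SAMPLE_TXS).hex())
```

A reveal discloses one transaction plus the sibling hashes on its path, not the other committed transactions.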