Hi all,
Recently I've been exploring what a post-quantum attack on Bitcoin would actually look like, and what options exist for mitigating it.
In summary:
1) None of the recommended post-quantum DSAs (XMSS, SPHINCS) are scalable
2) This is a rapidly advancing space and committment to a specific post-quantum DSA now would be premature
3) I've identified a strategy (solution 3 in the draft) that mitigates against the worst case scenario (unexpectedly early attack on ECDSA) without requiring any changes to the Bitcoin protocol or total committment to a specific post-quantum DSA that will likely be superseded in the next 3-5 years
4) This strategy also serves as a secure means of transferring balances into a post-quantum DSA address space, even in the event that ECDSA is fully compromised and the transition is reactionary
The proposal is a change to key generation only and will be implemented by wallet providers.
Feedback would be most appreciated.
Regards,
Tristan