[bitcoindev] Weak Quantum Bounty Ceremony

[Erik Aronesty <erik@q32.com>]

[-- Attachment #1: Type: text/plain, Size: 2844 bytes --]

I have been thinking about a way to create publicly verifiable Bitcoin
outputs whose recovery is intentionally tied to breaking a weaker
cryptographic system.

The goal is to create a "quantum bounty." The output would be spendable by
a valid secp256k1 private key, but the key would be generated in a public
ceremony and intentionally limited to 160 bits of entropy. Recovery would
additionally be facilitated by publishing an encryption of the same secret
under a weaker elliptic curve system.

The basic idea is that a group of independent participants runs a
distributed key generation ceremony. Each participant contributes a secret
share. The shares are combined into a single 160-bit scalar x. At no point
is x reconstructed on any machine or revealed to any participant.

From the same distributed shares, participants jointly derive:

1. A Bitcoin public key P = xG on secp256k1.
2. An encryption of x under a separate 160-bit elliptic curve system.

The transcript contains all commitments, public contributions, ciphertext
contributions, and equality-of-discrete-log proofs needed to verify that
both constructions are derived from the same hidden scalar.

The construction does not require SNARKs or any trusted setup. It appears
sufficient to use Pedersen-style commitments, ElGamal-style encryption, and
Chaum-Pedersen proofs showing consistency between participant contributions
across the two groups.

After the transcript is finalized, participants destroy their secret shares
and temporary randomness. Assuming at least one participant behaves
honestly and destroys their material, the scalar x is no longer known to
anyone.

The final artifact consists of:

* A Bitcoin public key P.
* A weak-curve ciphertext C.
* A complete public transcript proving that P and C were derived from the
same hidden scalar.

Bitcoin can then be sent to the address corresponding to P.

Anyone who can recover x from the weak cryptosystem can spend the output.
The effective security of the bounty is therefore determined by the weaker
curve rather than by the full secp256k1 discrete logarithm problem.

The intended purpose is to create a publicly auditable cryptographic canary
target.

One question I have not fully resolved is whether there are cleaner
constructions for the recoverable encryption component than ElGamal-style
encryption, while still preserving simple transcript verification and
avoiding general-purpose zero-knowledge systems.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJowKgJVwmm%3Dh6AsO4zeGTmfdK-RUQiDsMJkMRd6WZSo5FjeZg%40mail.gmail.com.

[-- Attachment #2: Type: text/html, Size: 3840 bytes --]