From: "'conduition' via Bitcoin Development Mailing List"
To: Nagaev Boris
Cc: Erik Aronesty, Bitcoin Development Mailing List
Date: Fri, 05 Jun 2026 23:46:48 +0000
Subject: Re: [bitcoindev] Weak Quantum Bounty Ceremony

Hey guys,

> Those not motivated by funds could publish a zero knowledge proof instead of moving the funds. This means real funds are not even needed in this case.

Why stop there? If the quantum adversary is willing to cooperate in convincing people of their capabilities, just ask them to find the discrete log of a NUMS point on some curve. Then we don't even need ZK machinery.

Informally: Given scalar k and preimage x, the verifier checks K = k*G = HashToCurve(x).

As stated this would permit a classical prover who finds a collision over all (x, k) pairs, which would be feasible for a 160-bit curve. To rule out collision attacks, we fix x as a constant as a part of the proof system.

This would all be off-chain, no BIPs or UTXOs needed.

If the quantum adversary demands payment to provide this proof, then one can use ZKCPs [1] [2]. But personally I think this would be an implausible scenario. A self-interested QC would bide their time and steal coins once they can factor secp256k1 keys.

regards,
conduition

[1]: https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment
[2]: https://conduition.io/bitcoin/zkpreimage/

On Sunday, May 31st, 2026 at 3:40 AM, Nagaev Boris wrote:

> Hey Erik,
>
> The scheme is interesting! I want to add my two cents.
>
> Those not motivated by funds could publish a zero knowledge proof
> instead of moving the funds.
> This means real funds are not even needed
> in this case. Or the whole scheme can be deployed to testnet or signet
> not to waste (or burn?) real coins.
>
> Also I would like to propose some properties which the publishing
> scheme should have to maximize the effect:
>
> - anonymous for the publisher
> - plausibly deniable for the publisher
> - uncensorable
>
> For the plausible deniability thing, imagine a researcher who has
> access to a particular signature made by a quantum computer and can
> prove it, but then it will be clear who leaked it, because the
> signature has a unique nonce. This is where ZK can help. But how to do
> ZK onchain to get censorship resistance? Maybe some BitVM construction
> may help.
>
> Using mainnet provides better censorship resistance than testnet or
> signet - that is actually a good reason to use mainnet unless we come
> up with a better approach.
>
> Best,
> Boris
>
> On Sat, May 30, 2026 at 12:58 PM Erik Aronesty wrote:
> >
> > I have been thinking about a way to create publicly verifiable Bitcoin outputs whose recovery is intentionally tied to breaking a weaker cryptographic system.
> >
> > The goal is to create a "quantum bounty." The output would be spendable by a valid secp256k1 private key, but the key would be generated in a public ceremony and intentionally limited to 160 bits of entropy. Recovery would additionally be facilitated by publishing an encryption of the same secret under a weaker elliptic curve system.
> >
> > The basic idea is that a group of independent participants runs a distributed key generation ceremony. Each participant contributes a secret share. The shares are combined into a single 160-bit scalar x. At no point is x reconstructed on any machine or revealed to any participant.
> >
> > From the same distributed shares, participants jointly derive:
> >
> > 1. A Bitcoin public key P = xG on secp256k1.
> > 2. An encryption of x under a separate 160-bit elliptic curve system.
> >
> > The transcript contains all commitments, public contributions, ciphertext contributions, and equality-of-discrete-log proofs needed to verify that both constructions are derived from the same hidden scalar.
> >
> > The construction does not require SNARKs or any trusted setup. It appears sufficient to use Pedersen-style commitments, ElGamal-style encryption, and Chaum-Pedersen proofs showing consistency between participant contributions across the two groups.
> >
> > After the transcript is finalized, participants destroy their secret shares and temporary randomness. Assuming at least one participant behaves honestly and destroys their material, the scalar x is no longer known to anyone.
> >
> > The final artifact consists of:
> >
> > * A Bitcoin public key P.
> > * A weak-curve ciphertext C.
> > * A complete public transcript proving that P and C were derived from the same hidden scalar.
> >
> > Bitcoin can then be sent to the address corresponding to P.
> >
> > Anyone who can recover x from the weak cryptosystem can spend the output. The effective security of the bounty is therefore determined by the weaker curve rather than by the full secp256k1 discrete logarithm problem.
> >
> > The intended purpose is to create a publicly auditable cryptographic canary target.
> >
> > One question I have not fully resolved is whether there are cleaner constructions for the recoverable encryption component than ElGamal-style encryption, while still preserving simple transcript verification and avoiding general-purpose zero-knowledge systems.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> > To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJowKgJVwmm%3Dh6AsO4zeGTmfdK-RUQiDsMJkMRd6WZSo5FjeZg%40mail.gmail.com.
>
> --
> Best regards,
> Boris Nagaev
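The check conduition describes at the top of this message (K = k*G = HashToCurve(x), with x fixed by the proof system), as an added example that is not part of the original email. The 19-point textbook curve, the try-and-increment HashToCurve, the FIXED_X value and all function names are assumptions made for illustration; exhaustive search stands in for the prover only because the group is tiny.

```python
import hashlib

# Toy curve y^2 = x^3 + 2x + 2 over F_17: prime group order 19, generator G.
# Assumed textbook parameters; a real challenge would use a curve of the size under test.
P, A, B, N, G = 17, 2, 2, 19, (5, 1)
FIXED_X = b"NUMS challenge v1"  # constructed constant, fixed by the proof system

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_curve(x):
    """Try-and-increment: the output's discrete log is unknown to everyone."""
    ctr = 0
    while True:
        h = hashlib.sha256(x + ctr.to_bytes(4, "big")).digest()
        xc = int.from_bytes(h, "big") % P
        rhs = (xc ** 3 + A * xc + B) % P
        ys = [y for y in range(P) if y * y % P == rhs]
        if ys:  # odd group order: no y == 0 points, so two roots exist
            return (xc, ys[h[-1] & 1])
        ctr += 1

def verify(x, k):
    """Accept only k*G == HashToCurve(x) for the fixed x, never a prover-chosen x."""
    return x == FIXED_X and mul(k % N, G) == hash_to_curve(x)

def solve_dlog_by_search(target):
    """Stand-in for the prover: exhaustive search, possible only at toy size."""
    return next(k for k in range(1, N) if mul(k, G) == target)
```

Rejecting any x other than FIXED_X is what removes the collision search over (x, k) pairs: the prover has to hit one target point instead of any matching pair.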