Posted by conduition
Jul 15, 2025/13:53 UTC
The email responds to Or's approach, which resembles the folklore BIP39 zk-STARK method: it uses Picnic to prove in zero-knowledge a property of a UTXO, either knowledge of a BIP39 seed from which an EC secret key is derived whose public key matches a given hash, or, more simply, knowledge of a public key that hashes to that value. Innovative as it is, the technique hits a significant barrier inside the Bitcoin protocol: replacing EC signatures outright with Picnic signatures would require a hard fork, because existing clients insist on an EC signature to validate a spend, and that EC signature is precisely the component a quantum attacker could forge.
The email outlines how backward compatibility could instead be preserved with a soft fork: add a new transaction data field that carries the proof of seed derivation, much as segwit added witness data. Upgraded clients would accept an EC signature only when it is accompanied by such a proof. Because that rule only tightens validity, old clients still regard every post-fork transaction as valid, and no hard fork is needed. The proposed "Lifted FawkesCoin" commit/reveal protocol is harder to fit in: its novel consensus rules and incentive structure, which could upset the current mining equilibrium, may require a hard fork. The "Restrictive FawkesCoin" variant addresses those incentive problems but adds further complexity to consensus.
The email stresses how hard it would be to get protocol changes of this size into Bitcoin consensus, given how contentious the surrounding debates already are. A more pragmatic path, it suggests, is a soft fork that simply requires a proof of seed knowledge to spend any EC-signature-locked UTXO: costlier in proof size and throughput, but far simpler and more feasible than the full Fawkescoin protocols.
Finally, the email compares seed-lifted Picnic signatures with zk-STARKs as the proof system for proof of seed knowledge. zk-STARKs look attractive in a post-quantum setting: they are flexible, verify quickly, and an optimized circuit could shrink both proof size and proving time. The email calls for further research and benchmarking of the two, and credits Or's paper as a thorough resource on post-quantum commit/reveal protocols, even though getting such designs into Bitcoin's consensus rules remains the practical hurdle.