Post-Quantum commit / reveal Fawkescoin variant as a soft fork

In a recent discussion among developers, a critical analysis was presented regarding Tadge's commit/reveal approach in the context of blockchain technology and its potential scalability issues. The primary concern raised involves the necessity for verifying nodes to maintain an order over all commitments, including those not yet revealed. This requirement stems from the need to ascertain whether a commitment for a specific public key (pubkey) was made prior to others, necessitating each commitment to be visible on-chain. Consequently, this visibility would prevent the aggregation of commitments, leading to a scenario where every legacy Unspent Transaction Output (UTXO) rescued by the protocol would require its own OP_RETURN output for publishing a commitment.

To illustrate the scalability challenges of Tadge's proposal when attempting to implement aggregated commitments, the discussion explores an alternative method involving the publication of a merkle tree root derived from a list of commitments instead of directly publishing individual commitments in an OP_RETURN. Nodes would store these merkle roots in a database, and upon spending an EC UTXO, the spender would reveal their pubkey along with a merkle proof for the commitment. The node would then compute the merkle root from the provided proof, pubkey, and transaction ID to verify the age of the commitment. However, this method introduces a security flaw as verifying nodes cannot determine whether the revealed commitment was indeed the first valid commitment for the given pubkey/AID, raising concerns about the presence of other commitments within the same or earlier merkle trees.

The conversation also references Martin's idea, which is viewed as having greater potential for scaling the commit/reveal protocol. Martin's concept allows for rescuing multiple EC outputs simultaneously using a single quantum-resistant UTXO. This approach, however, requires further definition, particularly in deciding between a post-quantum taproot-like construction or an inscription-like envelope with Pay to Script Hash (P2SH) and a post-quantum checksig opcode. The discussion suggests shifting deeper conversations regarding this idea to another thread dedicated to it.

Despite recognizing the advantage of Tadge's proposal in eliminating the immediate need for quantum-resistant signing algorithms (which may not be available on Bitcoin for an extended period), the dialogue underscores the importance of assuming the eventual availability of such algorithms. This anticipation stems from the argument that without a pathway towards quantum resistance, efforts to secure coins against future quantum threats may be futile. The discourse concludes by echoing sentiments regarding the premature fixation on a specific post-quantum signing algorithm, advocating for a flexible approach in preparing for quantum-resilient cryptographic solutions.