Pre-emptive commit/reveal for quantum-safe migration (poison-pill)

The conversation across the emails focuses on addressing the threat posed by potential quantum attacks on Bitcoin's existing cryptographic infrastructure. Boris introduces a scheme aimed at protecting against such attacks without requiring the inclusion of a full transaction in the announcement. This scheme centers around a single type of announcement, which comprises the Unspent Transaction Output (UTXO), a witness transaction identifier (wTXID), and a proof constructed from a tagged hash of the EC public key and wTXID. This information could be stored within an OP_RETURN output, suggesting that to spend an EC output under this new rule, there must be a corresponding announcement with the valid wTXID and proof published at least 'X' blocks earlier. This approach is designed to thwart attackers by allowing legitimate owners to counteract invalid announcements by publishing their own valid announcements, thereby preserving the privacy of the original transactions.

Leo responded with concerns over weak announcements, especially in scenarios where elliptic curve (EC) cryptography might be compromised before a transaction gets mined. He proposes a modified scheme whereby after a specific block height, vulnerable UTXOs cannot be spent directly but require a prior announcement involving a commitment to a wTXID that spends the vulnerable UTXO. These commitments can be stored in a hash tree within an OP_RETURN. A reveal phase allows for the presentation of the full transaction with proof of prior commitment but not as a normal transaction just yet, followed by a counter-reveal phase and ultimately the spending of the UTXO according to the strongest (oldest valid) announcement.

Boris further elaborates on the need to protect Satoshi's privacy and reduce the size of announcements without leaking the EC public key prematurely. He suggests utilizing a zero-knowledge proof mechanism to ensure that the EC public key is only revealed when absolutely necessary, thus safeguarding against preemptive attacks by quantum computers.

The emails also touch upon technical specifics related to how these announcements would be stored and interpreted by the blockchain and nodes, both upgraded and legacy. The discussion includes the implications for the blockchain's operation and user strategies for dealing with exposed public keys, suggesting periodic batching of commitments and the migration of new UTXOs to quantum-safe addresses. Both Boris and Leo highlight the importance of making these announcements prunable to manage blockchain bloat and suggest mechanisms to ensure that the legitimate owners have priority in reclaiming their UTXOs if multiple parties attempt to claim the same UTXO based on commitment age.

Finally, the dialogue underscores the necessity for a soft fork to implement these changes, ensuring backward compatibility with legacy systems while introducing measures to mitigate the risks associated with quantum computing advancements. Through these exchanges, the participants contribute to a nuanced understanding of the challenges and potential solutions in enhancing Bitcoin's resilience against quantum threats.