Pre-emptive commit/reveal for quantum-safe migration (poison-pill)

Jun 2 - Jun 9, 2025

  • The discussion across various emails among Bitcoin developers focuses on the development and refinement of quantum-resistant strategies for Bitcoin transactions.

The conversation delves into several key proposals and technical clarifications aimed at ensuring the security of Bitcoin in a post-quantum computing era. One significant proposal is the commit/reveal scheme, which has been analyzed and critiqued for its potential effectiveness against quantum attacks.

One aspect of the debate centers around the idea of making pre-emptive commitments to future transactions that would migrate funds to quantum-safe addresses without revealing which UTXOs (Unspent Transaction Outputs) are controlled by the user. This method involves creating and signing transactions ahead of time, then publishing only the root hash of a Merkle tree of these transactions in an OP_RETURN transaction. Such an approach could be implemented immediately, without requiring consensus changes, preserving privacy, and offering flexibility depending on whether quantum threats materialize as anticipated.
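As an added illustration (not code from the discussion or from any referenced implementation), the following Python builds the Merkle commitment described above over constructed, witness-inclusive transaction ids (wTXIDs), encodes the root as an OP_RETURN scriptPubKey, and checks a later reveal with a Merkle proof. The double-SHA256 leaf hashing and the odd-layer duplication rule are assumptions, since the emails do not fix a tree format.

```python
import hashlib
from typing import List, Tuple

def sha256d(data: bytes) -> bytes:
    """Bitcoin's double-SHA256; assumed here for both leaves and internal nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_layers(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree layers, bottom to root; an odd layer duplicates its last node (assumed convention)."""
    layers = [list(leaves)]
    while len(layers[-1]) > 1:
        cur = layers[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        layers.append([sha256d(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers

def merkle_root(leaves: List[bytes]) -> bytes:
    """The single 32-byte value the user publishes in OP_RETURN ahead of time."""
    return merkle_layers(leaves)[-1][0]

def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; the flag says the sibling sits on the right."""
    proof = []
    for layer in merkle_layers(leaves)[:-1]:
        if len(layer) % 2:
            layer = layer + [layer[-1]]
        sibling = index ^ 1
        proof.append((layer[sibling], sibling > index))
        index //= 2
    return proof

def verify_reveal(wtxid: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Reveal check: the revealed wTXID (witness included) must hash up to the committed root."""
    node = wtxid
    for sibling, sibling_is_right in proof:
        node = sha256d(node + sibling) if sibling_is_right else sha256d(sibling + node)
    return node == root

def op_return_commitment(root: bytes) -> bytes:
    """scriptPubKey carrying the root: OP_RETURN (0x6a) followed by a 32-byte push (0x20)."""
    return b"\x6a\x20" + root

# Constructed sample: wTXIDs of four pre-signed migration transactions (placeholder values).
SAMPLE_WTXIDS = [sha256d(b"migration-tx-%d" % i) for i in range(4)]
```

A commitment that only covered the unsigned transaction (a TXID, which excludes witness data) would not pass this check, which is the point raised in the discussion about including witness data.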

Critics of the initial commit/reveal proposal raised concerns regarding the duplication of transaction data on-chain and the complexity of implementing such a system without substantial modifications to existing node operations. There's a preference for a solution that doesn't necessitate nodes to independently track commitments, reveals, and counter-reveals, advocating instead for a more space-efficient method that avoids convoluted stages in transaction verification.

Another proposal elaborated during the discussions introduces a variant of the commit/reveal approach, aiming to protect both unrevealed and bare pubkeys. It suggests using announcements containing the necessary information, namely the UTXO, the wTXID, and a proof, stored in an OP_RETURN output. The rule for this hypothetical soft fork would require, in order to spend an EC (elliptic-curve signature) output, that an announcement with the corresponding wTXID and a valid proof was published a certain number of blocks earlier. This design aims to prevent attackers from maliciously blocking coins; it does not institute an "earliest announcement wins" rule but instead lets any valid announcement that meets the time requirement win once it is sufficiently buried.

Further dialogue touches on the importance of ensuring any commitment mechanism includes complete transaction data, including witness data, to prevent attackers from preemptively committing to unsigned transactions. There's also a discussion about how frequently users would need to update their commitments as their UTXO sets change and the implications for scalability and privacy.

Overall, the conversation highlights the community's ongoing efforts to proactively address the potential threat posed by quantum computing to the Bitcoin network's security. Developers are exploring innovative solutions that balance security, efficiency, and backward compatibility, acknowledging the challenges of implementing such measures without disrupting the existing blockchain ecosystem.
