Pre-emptive commit/reveal for quantum-safe migration (poison-pill)

Posted by conduition

Jun 3, 2025/15:15 UTC

In an intriguing discussion on the vulnerability of current cryptographic schemes to quantum attacks, a significant concern was raised regarding the protection of unspent transaction outputs (UTXOs) in blockchain technology. The conversation highlighted a potential flaw in a proposed scheme aimed at safeguarding against quantum attackers. These attackers could potentially enumerate the entire UTXO set and create transactions to steal P2WPKH/P2TR UTXOs by committing to all those transaction IDs in one big merkle root using the OP_RETURN function. This approach is feasible because creating a valid unsigned transaction for a segwit UTXO does not require knowledge of the public key, given that segwit inputs exclude witness data such as public keys and signatures from the transaction ID.

To mitigate this risk, an alternative suggestion was made to commit to the witness transaction IDs (wTXID) of recovery transactions instead. The wTXID encompasses witness data, including public keys and signatures, which a quantum computer attacker would be unable to predict, thus adding a layer of security against such futuristic threats.

Another point of discussion revolved around the method of publishing pre-emptive commitments to protect against quantum attacks. The original proposal's approach of continuously updating and publishing a new merkle root for every added UTXO was critiqued for its inefficiency and potential scalability issues. A more viable solution suggested was to utilize platforms like OpenTimestamps for publishing these commitments. This would allow for aggregation of commitments by multiple users, conserving block space and enhancing the scalability of the protective mechanism.

Lastly, the discourse sought clarification on the necessity of imposing a minimum number of confirmations on quantum-vulnerable transactions. The rationale behind requiring transactions to have at least "n" confirmations before being considered secure was questioned, particularly in how it contributes to thwarting quantum attackers. The focus was on understanding the importance of time-delaying the opening of commitment merkle roots to ensure their age and validity, thereby preventing quantum attackers from forging after acquiring a victim's public key. This part of the conversation underscores the complexity of designing security measures capable of withstanding quantum decryption capabilities while maintaining efficiency and user convenience in the blockchain ecosystem.

Link to Raw Post
Bitcoin Logo

TLDR

Join Our Newsletter

We’ll email you summaries of the latest discussions from authoritative bitcoin sources, like bitcoin-dev, lightning-dev, and Delving Bitcoin.

Explore all Products

ChatBTC imageBitcoin searchBitcoin TranscriptsSaving SatoshiBitcoin Transcripts Review
Built with 🧡 by the Bitcoin Dev Project
View our public visitor count

We'd love to hear your feedback on this project?

Give Feedback