Pre-emptive commit/reveal for quantum-safe migration (poison-pill)

In an insightful exchange between Boris and Leo, the discussion revolves around enhancing Bitcoin's security in the face of potential quantum computing threats by introducing a novel concept of weak and strong announcements. Boris initiates the conversation by proposing a method to ensure privacy for Satoshi and simultaneously reduce the size of what he terms as a weak announcement. He emphasizes that including a complete signed transaction within a weak announcement could inadvertently reveal the EC public key, thereby compromising security. To circumvent this issue, Boris suggests the implementation of a zero-knowledge proof mechanism that would allow the verification of the ownership of the EC public key without disclosing it until necessary.

Boris outlines a specific structure for the weak announcement, incorporating elements such as the UTXO (Unspent Transaction Output), future spending wTXID (witness transaction ID), and a proof component derived from a tagged hash function applied to the EC public key and the wTXID. This design is intended to bind the proof to a particular transaction, thus preventing unauthorized substitutions of the wTXID. The conversation also touches on Satoshi's ability to monitor these weak announcements related to his UTXOs, enabling him to act swiftly should there be any indication of a quantum attack.

Leo responds by clarifying the operational compatibility of these announcements with legacy nodes to maintain a soft-fork upgrade path. He suggests embedding the transactions within OP_RETURN data and discusses the implications for nodes upgrading after the fork, including the necessity to re-index the blockchain to detect past announcements. Leo also proposes a timeframe within which announcements must be utilized post-upgrade to streamline the process for nodes catching up.

Further, Leo introduces considerations for making all UTXOs quantum safe discreetly, allowing for proactive measures against quantum threats without immediate public knowledge of such actions. However, he acknowledges potential challenges, such as the absence of a requirement for key ownership in weak announcements, which might provoke unnecessary responses from Satoshi or other keyholders.

Boris seeks additional clarity on how weak announcements would be incorporated into the blockchain and their interaction with the UTXO set, questioning the rationale behind waiting for a weak announcement before making a strong one, especially if the EC public key had been compromised. He suggests that the approach should prioritize preemptive action to secure exposed UTXOs against quantum vulnerabilities.

The dialogue culminates in a broader discussion on strategies to mitigate risks associated with pubkey exposure and the concept of using commitment age as a criterion to resolve disputes over UTXO ownership. This approach aims to deter attacks on large UTXOs perceived as lost and protect users who have taken early steps to secure their assets against quantum computing threats.