Weak Quantum Bounty Ceremony

Posted by Erik Aronesty

May 30, 2026/17:01 UTC

The concept of a "quantum bounty" in Bitcoin has been proposed as a novel method to test cryptographic system security under the threat of quantum computing. This involves creating Bitcoin outputs that are only recoverable by breaking a deliberately weakened cryptographic system. The central feature of this method is the use of a secp256k1 private key, which is generated with limited entropy (160 bits) during a public ceremony. This key governs the spendability of the Bitcoin output.

The generation process of the key is highly secure and involves multiple independent participants. Each participant contributes a secret share which is never fully reconstructed or disclosed during the process. These shares are used to compute a Bitcoin public key and an encrypted version of the same secret using a weaker elliptic curve system. The strength and integrity of the system rely on the secrecy of the scalar x derived from combined participant contributions.

Key to ensuring the security and verifiability of this setup are Pedersen-style commitments and ElGamal-style encryption, along with Chaum-Pedersen proofs. These elements help demonstrate that both the Bitcoin public key and the weak-curve ciphertext are derived from the same underlying secret without needing SNARKs or a trusted setup. After these procedures, participants are meant to destroy their secret shares and any temporary randomness used in the process, securing the scalar x from discovery.
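The Chaum-Pedersen equality-of-discrete-logs check named above, as an added example that is not from the original post or any ceremony code. It is simplified to a single toy prime-order group instead of secp256k1 and the weak curve; the parameters `P`, `Q`, `G`, `H` are constructed and all function names are illustrative assumptions.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G and H are squares mod P, so both have order Q.
P, Q = 2039, 1019
G, H = 4, 9


def challenge(*elements):
    """Fiat-Shamir challenge in [1, Q-1], bound to the whole statement."""
    data = b"|".join(str(e).encode() for e in elements)
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 1 + digest % (Q - 1)


def prove(x, a, b):
    """Prove knowledge of x with a = G^x and b = H^x, without revealing x."""
    k = secrets.randbelow(Q - 1) + 1       # fresh nonce, must never be reused
    t1, t2 = pow(G, k, P), pow(H, k, P)    # commitments under both bases
    c = challenge(G, H, a, b, t1, t2)
    s = (k + c * x) % Q                    # response
    return t1, t2, s


def verify(a, b, proof):
    """Accept only if one exponent links a to G and b to H."""
    t1, t2, s = proof
    for v in (a, b, t1, t2):               # reject values outside the subgroup
        if not (0 < v < P and pow(v, Q, P) == 1):
            return False
    c = challenge(G, H, a, b, t1, t2)
    return (pow(G, s, P) == t1 * pow(a, c, P) % P
            and pow(H, s, P) == t2 * pow(b, c, P) % P)


def demo():
    x = secrets.randbelow(Q - 1) + 1       # stand-in for the hidden scalar x
    a, b = pow(G, x, P), pow(H, x, P)      # two public values sharing x
    good = verify(a, b, prove(x, a, b))
    b_bad = pow(H, (x + 1) % Q, P)         # second value uses another exponent
    bad = verify(a, b_bad, prove(x, a, b_bad))
    return good, bad
```

A verifier replaying the transcript only needs `verify`; the mismatched case in `demo` shows the proof failing when the two public values do not share one secret.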

The final product of this procedure includes the Bitcoin public key, the corresponding weak-curve ciphertext, and a comprehensive public transcript. These components prove the linkage between the public key and the ciphertext back to the hidden scalar x. Any entity capable of decrypting x from the weaker system can claim the Bitcoin, effectively setting the security level of the bounty at that of the weaker system, not the full capability of secp256k1.

This approach invites scrutiny into whether simpler or cleaner methods might exist for constructing the recoverable encryption component, particularly in ways that could streamline transcript verification and avoid complex zero-knowledge systems. Such considerations are crucial for advancing cryptographic practices in the era of potential quantum computing threats.
