Against Allowing Quantum Recovery of Bitcoin

Posted by conduition

Aug 9, 2025/19:53 UTC

In a recent discussion on the complexities of managing public keys (pubkeys) and transaction commitments in blockchain systems, an innovative approach was considered but found to have critical weaknesses. The initial idea proposed merging all pubkeys across the inputs of a transaction to streamline the process. However, this method runs into a significant challenge in maintaining the total ordering of commitments. The core issue arises when a reveal transaction (TX) is presented for validation: the validator cannot confidently determine whether the commitment being opened precedes all others. This uncertainty stems from the possibility that miners intentionally delay a reveal TX and replace it with another that has a different input set, thereby altering the HMAC key used for verification.

Further complicating the matter, the concept of "witness hashing" was also explored but ultimately deemed ineffective against quantum adversaries. Such an adversary could manipulate the witness stack after a reveal TX has been made public by swapping out one of the pubkeys, producing a new signature and thereby changing the HMAC key on which authentic commitment verification depends. Consequently, validators would be unable to verify the chronological order of commitments accurately.

To address these challenges, the correspondence suggests a refined strategy: compute the HMAC over the transaction identifier (TXID) on a per-input basis rather than merging pubkeys across all inputs. Under this design, the pubkeys within the single locking script of a specific reveal TX input are merged into one HMAC key. This adjustment ensures that the HMAC key disclosed to open any commitment remains constant, irrespective of who spends the revealed input. An exception noted is Taproot (P2TR addresses), which can present multiple potential locking scripts with differing pubkey sets. However, it is posited that a quantum attacker is unlikely to exploit this without inverting SHA256, so validators can establish a clear sequence of past commitments for a given reveal, effectively countering miner-driven censorship attacks. This dialogue underscores the delicate balance between innovation and security in the ongoing development of blockchain technologies.
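The two keying designs discussed above, as an added example that is not code from the original post or its author. It assumes a merge rule of SHA256 over the sorted pubkeys, treats the TXID being HMACed as a fixed message value, and uses constructed pubkeys and input labels; it shows that a cross-input key changes when a miner substitutes a reveal with a different input set, while a per-input key for the same input does not.

```python
import hashlib
import hmac

# Constructed sample data (not real keys or transaction ids).
PK_A1 = b"\x02" + b"\x11" * 32
PK_A2 = b"\x03" + b"\x22" * 32
PK_B1 = b"\x02" + b"\x33" * 32
PK_C1 = b"\x03" + b"\x44" * 32
MSG_TXID = hashlib.sha256(b"constructed txid used as the HMAC message").digest()

# A reveal-TX input: (outpoint label, pubkeys found in its locking script).
INPUT_A = ("A", [PK_A1, PK_A2])
INPUT_B = ("B", [PK_B1])
INPUT_C = ("C", [PK_C1])


def merge_pubkeys(pubkeys):
    """Assumed merge rule: SHA256 over the pubkeys in canonical (sorted) order."""
    return hashlib.sha256(b"".join(sorted(pubkeys))).digest()


def cross_input_key(inputs):
    """Rejected design: one HMAC key from every pubkey across all inputs."""
    return merge_pubkeys([pk for _, pks in inputs for pk in pks])


def per_input_key(tx_input):
    """Refined design: HMAC key from the pubkeys of one input's locking script."""
    return merge_pubkeys(tx_input[1])


def commit(hmac_key, txid):
    """Commitment = HMAC-SHA256(key, txid); the key is disclosed later to open it."""
    return hmac.new(hmac_key, txid, hashlib.sha256).digest()


def opens(commitment, hmac_key, txid):
    """Validator check: does the disclosed key open the commitment for this txid?"""
    return hmac.compare_digest(commit(hmac_key, txid), commitment)


def compare_designs():
    """Original reveal spends A+B; a miner-substituted reveal spends A+C instead."""
    original, substituted = [INPUT_A, INPUT_B], [INPUT_A, INPUT_C]
    # Cross-input merging: the key the validator derives depends on the input set.
    cross_commit = commit(cross_input_key(original), MSG_TXID)
    cross_ok = opens(cross_commit, cross_input_key(substituted), MSG_TXID)
    # Per-input keying: input A's key is unchanged whatever else is spent with it.
    per_commit = commit(per_input_key(INPUT_A), MSG_TXID)
    per_ok = opens(per_commit, per_input_key(substituted[0]), MSG_TXID)
    return cross_ok, per_ok  # returns (False, True)
```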
