Against Allowing Quantum Recovery of Bitcoin

In the ongoing discourse about quantum resilience within the Bitcoin community, a novel approach has been introduced that aims to mitigate the vulnerabilities posed by quantum attacks on digital signatures. This method, developed in collaboration between Nadav Ivgi and Shai Wyborski, diverges from the conventional binary dilemma of freezing or not freezing potentially compromised assets by leveraging the asymmetry between the quantum attacker and the asset owner. The core insight here is that while a quantum attacker might obtain the private key of a digital signature, they do not possess the seed (master secret key) known to the owner. This distinction forms the basis of their proposed solution.

The technique, termed "signature lifting," essentially transforms an existing quantum-insecure signature scheme into one that is quantum-secure without changing the original keys. This transformation relies on a quantum-secure one-way function that maps the seed to the public key, ensuring the continued applicability of old keys under new, quantum-resistant protocols. However, this strategy is not applicable to wallets created before 2013, which are incompatible with BIP-38 due to the nature of their key-public key mapping functions.

The implementation of signature lifting utilizes Picnic, a cryptographic primitive recognized for its potential in post-quantum security contexts. Despite its promise, a notable limitation of signature lifting is the significant lengthening of signatures, which could complicate transactions. To counterbalance this, the researchers have also developed "Lifted FawkesCoin," an interactive transaction methodology based on a commit-wait-reveal mechanism. This adaptation of the original FawkesCoin concept ensures that transactions remain efficiently sized under honest conditions, resorting to the elongated signatures only when deceit is detected, thus penalizing dishonest parties through transaction fees.

An essential aspect of Lifted FawkesCoin is the requirement for users to periodically verify their accounts for fraudulent activities, a precaution aimed at those yet to transition to quantum-secure signatures. Despite the apparent inconvenience, this model is presented as a Pareto improvement over existing strategies to handle quantum threats, balancing security needs with operational practicality. Further details and the theoretical framework supporting these innovations are documented extensively in their peer-reviewed work available at IACR and presented at the PQC-SM workshop 2023.