Posted by jsalser
Apr 29, 2026/20:27 UTC
The proposed Commit-then-Reveal soft-fork addresses critical vulnerabilities in current post-quantum migration strategies by introducing a two-phase process that strengthens security against quantum attacks. In the first phase, termed "The Stealth Claim," the user creates a migration transaction to a quantum-resistant (QR) address but broadcasts only a hash of that transaction. The hash is then included in an on-chain "anchoring" transaction that carries specific fields for verification and for protection against abuse, such as reserved space for part of the HASH160 and the SIGHASH_ALL digest. Importantly, no public key is exposed during this phase, so a quantum attacker has nothing from which to derive the private key.
In the second phase, referred to as "The Reveal," the transaction preimage, ECDSA public key, and signature are broadcast only after the anchored hash has been buried under a sufficient number of blocks (e.g., 100 blocks for re-org protection). Even if a quantum attacker were able to derive the private key from the public key at that point, the network would reject any transaction that does not match the hash pre-committed in the first phase. This validation rule, known as the "Earliest Assertion," mandates that only the earliest valid commitment defines the spend path for a UTXO, which prevents attackers from redirecting funds even if they crack the key after the reveal.
The technical framework for this proposal builds on existing Bitcoin Improvement Proposals such as BIP 16 (P2SH) and BIP 360 (P2MR), extending their logic to the migration of legacy UTXOs. By making the transaction destination immutable well before the funds actually move, the method neutralizes front-running by quantum attackers and also reduces the panic associated with the potential emergence of quantum attacks ("Q-Day"). Additionally, it gives users substantial flexibility: they can lock in their migration path without moving the coins immediately, or choose to wait indefinitely, particularly if they have never reused an address.
Despite its advantages, the Commit-then-Reveal approach does introduce some complexities and potential drawbacks. It necessitates an additional transaction, potentially increasing the data stored in the UTXO set and requiring users to pre-commit to transaction fees for what must be a successful one-time migration attempt. These considerations highlight the trade-offs between enhanced security and operational complexity in adapting blockchain technologies to the age of quantum computing.
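The two phases and the "Earliest Assertion" rule, as an added toy simulation that is not code from the proposal or from the post: it models a ledger that records only the first anchored commitment per UTXO, enforces a maturity of 100 blocks before a reveal is accepted, and rejects any revealed preimage whose hash does not match. The commitment is simplified to a plain double-SHA-256 of the serialized transaction (the real proposal's HASH160 and SIGHASH_ALL fields and the ECDSA signature check are omitted), and the UTXO id and transaction bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash used here as the commitment (an assumption)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class Ledger:
    height: int = 0
    # utxo id -> (commitment hash, block height at which it was anchored);
    # only the EARLIEST commitment for a UTXO is ever stored (Earliest Assertion)
    commitments: dict = field(default_factory=dict)

    def mine(self, blocks: int = 1) -> None:
        self.height += blocks

    def anchor(self, utxo: str, commitment: bytes) -> bool:
        """Phase 1 (Stealth Claim): anchor a hash, never the public key."""
        if utxo in self.commitments:
            return False  # a later commitment cannot displace the earliest one
        self.commitments[utxo] = (commitment, self.height)
        return True

    def reveal(self, utxo: str, tx_preimage: bytes, maturity: int = 100) -> bool:
        """Phase 2 (Reveal): accept the spend only if it matches the buried hash."""
        if utxo not in self.commitments:
            return False
        committed_hash, anchored_at = self.commitments[utxo]
        if self.height - anchored_at < maturity:
            return False  # not yet buried deep enough for re-org protection
        return sha256d(tx_preimage) == committed_hash


def run_scenario() -> tuple:
    """Walk through both phases; returns (early, late_anchor, mismatch, ok)."""
    ledger = Ledger()
    utxo = "txid_abc:0"                                   # constructed id
    owner_tx = b"spend txid_abc:0 -> qr_addr_owner"       # stand-in serialization
    other_tx = b"spend txid_abc:0 -> qr_addr_other"       # a conflicting destination
    ledger.anchor(utxo, sha256d(owner_tx))                # Stealth Claim at height 0
    ledger.mine(50)
    early = ledger.reveal(utxo, owner_tx)                 # too early: 50 < 100 blocks
    ledger.mine(50)
    late_anchor = ledger.anchor(utxo, sha256d(other_tx))  # ignored: not the earliest
    mismatch = ledger.reveal(utxo, other_tx)              # hash does not match
    ok = ledger.reveal(utxo, owner_tx)                    # matured and matching
    return early, late_anchor, mismatch, ok
```

The scenario returns `(False, False, False, True)`: a premature reveal, a competing later commitment and a non-matching preimage are all rejected, while the original committed path is accepted once the anchor has matured.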