New Post-Quantum Bitcoin Proposal using Winternitz + Lamport auth chains

Posted by opus-lux

May 24, 2026/00:36 UTC

The discussion of the growth of the nullifier set in blockchain transactions highlights a significant issue with the current design and proposes a potential solution. The nullifier set grows monotonically by 32 bytes per WOTS-39 transaction and cannot be pruned the way the UTXO set is, where spent outputs are simply removed. This growth is presented as an engineering tradeoff rather than a design flaw, with the set increasing by approximately 350 MB/year at 10% adoption of today's transaction volume. A proposed optimization lets nodes prune all entries belonging to a Lamport chain once the chain's final slot is spent, making the nullifier set self-pruning per chain and significantly reducing live state.
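To make the per-chain pruning rule concrete, here is a small Python model of such a nullifier set, added here as an illustration and not code from the post or the BIP; the chain identifier, the fixed slot count known per chain, and the tagged-hash nullifier are assumptions of the model, while the 32-byte entry size is the figure the post gives.

```python
import hashlib

NULLIFIER_BYTES = 32  # the post: each WOTS-39 spend adds 32 bytes to the set


def nullifier(chain_id: bytes, slot: int) -> bytes:
    # Constructed stand-in: a tagged hash of (chain, slot); only its size matters here.
    return hashlib.sha256(b"nullifier" + chain_id + slot.to_bytes(4, "big")).digest()


class NullifierSet:
    """Nullifier set whose entries are pruned per Lamport chain (model)."""
    def __init__(self) -> None:
        self.n_slots: dict[bytes, int] = {}        # chain id -> slots in chain
        self.entries: dict[bytes, set[bytes]] = {}  # chain id -> live nullifiers

    def register_chain(self, chain_id: bytes, n_slots: int) -> None:
        # Assumption: a chain's total slot count is known when it first appears.
        self.n_slots[chain_id] = n_slots
        self.entries[chain_id] = set()

    def spend(self, chain_id: bytes, slot: int) -> bool:
        """Record one spend; False means reject (bad slot, pruned chain, replay)."""
        n = self.n_slots.get(chain_id)
        if n is None or not 0 <= slot < n:
            return False  # unknown chain (never seen, or fully spent and pruned)
        nf = nullifier(chain_id, slot)
        if nf in self.entries[chain_id]:
            return False  # slot already consumed: this is a double spend
        self.entries[chain_id].add(nf)
        if len(self.entries[chain_id]) == n:
            # Final slot spent: every entry of this chain leaves the live state.
            del self.entries[chain_id]
            del self.n_slots[chain_id]
        return True

    def live_bytes(self) -> int:
        return sum(len(s) for s in self.entries.values()) * NULLIFIER_BYTES


def demo() -> tuple[int, int, bool]:
    """Fully spend a 4-slot chain; return live bytes before/after pruning and a replay result."""
    ns = NullifierSet()
    chain = b"chain-A"  # constructed identifier
    ns.register_chain(chain, 4)
    for slot in range(3):
        ns.spend(chain, slot)
    before = ns.live_bytes()      # 3 entries * 32 bytes = 96
    ns.spend(chain, 3)            # final slot: chain pruned as a unit
    after = ns.live_bytes()       # 0
    replay = ns.spend(chain, 1)   # rejected: the chain no longer exists
    return before, after, replay
```

The model shows the tradeoff in miniature: live state is bounded by the number of partially spent chains rather than by the total number of spends, and a replay against a pruned chain is still rejected because the chain itself is gone.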

Regarding transaction methods and user participation, the WOTS-39 implementation provides quantum security without compromising existing Bitcoin functionality such as Replace-by-Fee (RBF), CoinJoin, or Lightning Network transactions. Standard Taproot outputs offer two independent spending paths: a key path using a direct Schnorr signature, and a script path that includes the OP_WOTS_VERIFY opcode. This design lets users participate in multi-party transactions via the Schnorr key path without revealing the WOTS structure, preserving both flexibility and privacy.

Privacy and linkability issues arise when a WOTS-39 UTXO is spent via the script path, because the spend reveals identifiable information that can link it to other spends by the same entity. This is comparable to the risks of Bitcoin address reuse. The proposed remedy is to decouple key derivation from the UTXO outpoint by using a pre-computable per-UTXO nonce, so that no visible mathematical relationship between different UTXOs appears on-chain. This approach mirrors the privacy model of other post-quantum cryptographic proposals such as SPHINCS+ and XMSS, which keep independent key material for each UTXO.

In summary, these discussions and proposed changes aim to refine Bitcoin's approach to incorporating quantum-resistant mechanisms, addressing state growth, privacy, and usability concerns. The ongoing revisions to the BIP will seek to align more closely with Bitcoin's native privacy standards while retaining the core innovations intended to strengthen security against quantum threats.
