Post-quantum migration: destination commitment in two phases

4 replies 220 views
node_walletSenior Member
Posts: 139 · Reputation: 949
#1Aug 17, 2021, 10:50 PM
Hey everyone, I’m looking for some thoughts on a concept I want to propose as a different approach to simply freezing or retiring legacy signatures in the context of Quantum-Resistant Address Migration Protocol, or similar migration strategies. Instead of making old ECDSA spends invalid after a certain point, how about we put them into a quarantine status: - Even after PQ activation, legacy UTXOs can still be spent, - but only through a two-phase commit to spend process that stops any substitution of the destination, even if someone can quickly derive the legacy private key after revealing the pubkey. So here’s a high-level breakdown: 1) **Commit phase (on-chain):** we publish a commitment that ties together the future spend outputs (ideally, the entire output set: amounts and scriptPubKeys) and this commitment only becomes valid after it reaches at least K confirmations. 2) **Spend phase (on-chain):** a legacy spend is deemed valid only if it can show (a) proof that the corresponding commitment has been mined and is mature, and (b) the outputs of the spend match what was committed originally. An important thing to keep in mind is that this needs to be enforced by consensus without relying on historical transaction lookups (so it works with pruned nodes and no transaction index). That means the spend might need to include an SPV-style proof for the commitment (txid plus merkle branch to a block header plus the K depth rule). A key point for user experience here is **fee sponsorship**: the receiver or exchange can create and pay for the commitment transaction, while the holder of the legacy funds gives their approval for the commitment off-chain (by signing the commitment hash). This avoids the issue of not being able to safely pay fees during Phase 1. Just a quick design note and diagram: - Markdown: https://github.com/bnavf/bitcoinqp/blob/main/two_phase_destination_commitment.m
3 Reply Quote Share
paul.ninjaFull Member
Posts: 152 · Reputation: 539
#2Aug 18, 2021, 02:45 AM
It's a clever mitigation, but you're buying that safety with a new opcode and a bunch of consensus complexity. If you can make the inclusion check minimal and non-footgunny, it's worth discussing seriously. If it turns into "every spend carries a backpack full of proofs", the mailing list will eat it alive.
3 Reply Quote Share
s33d_moonFull Member
Posts: 235 · Reputation: 715
#3Aug 18, 2021, 07:26 AM
The incentive angle is what actually stands out to me. Phase 1 works socially but Phase 2 depends on long-term willingness to carry commitment proofs which Bitcoin is usually hostile to unless the benefit is immediate. That said, this might make more sense as a legacy-key hygiene tool first with post-quantum safety as a secondary win.
2 Reply Quote Share
node_walletSenior Member
Posts: 139 · Reputation: 949
#4Aug 19, 2021, 03:12 AM
Thanks for the feedback! Yes, you’re absolutely right about the “backpack,” but I want to emphasize that these two-phase transactions are not proposed as the primary method—only as a mechanism for extracting funds from very old addresses that were not moved to new post-quantum addresses during the migration phase. Right now, some migration schemes being discussed would effectively consign bitcoins on old addresses to oblivion: “if you didn’t move during the migration window, you lose everything.” The community won’t accept that approach, and it risks a chain split.
3 Reply Quote Share
chris.altHero Member
Posts: 458 · Reputation: 2287
#5Aug 19, 2021, 04:43 AM
It reminds me of Tadge Dryja's proposal I discussed in this thread. Mailing list entry is: https://mailing-list.bitcoindevs.xyz/bitcoindev/cc2f8908-f6fa-45aa-93d7-6f926f9ba627n@googlegroups.com/ However, your proposal may be a bit better. Dryja's original proposal, afaik, depends on the lookup of older transactions.
2 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics