From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Sun, 31 May 2026 00:40:29 -0700 Received: from mail-ot1-f56.google.com ([209.85.210.56]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1wTamb-0001EV-73 for bitcoindev@gnusha.org; Sun, 31 May 2026 00:40:29 -0700 Received: by mail-ot1-f56.google.com with SMTP id 46e09a7af769-7e6b5976d74sf671323a34.3 for ; Sun, 31 May 2026 00:40:28 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1780213223; cv=pass; d=google.com; s=arc-20240605; b=OcovAi2r4Ov63o9PhOPTN4kHIhxtS/ABxsB1urZgYQ5UkILwaJroLz1xzHiBSFWmIX a+K1z7ezPSjz2+zmzU3yjegEwhaCbG+P5Zz/IbDkWr4Wa9jxSaqsOm4XSFqaiPDPd2Bo RAvk764I+wVtfLW3p3AdKmJruIHC7oVNBbkysfwLnR7Q5RFHFGq1wDOXwequS+FadtFH 1m6Oq0ouWAGGOBnToYU2/AWtlvd2IoNn62wD1xI1nKjr7LRGBDqTBvWetpkZBM6ZB1y0 McKnj82fmPBMRvStVB14Q2ZryyYDhkzMkKS8VhH7e215ZMMlLiIbYKBCC249LcbGCe2D e0pQ== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-transfer-encoding:cc:to :subject:message-id:date:from:in-reply-to:references:mime-version :sender:dkim-signature:dkim-signature; bh=Mz6mhHnqdfhDcSl9Z8Inx5x0Ok8u6ro96KcQEdvdZhY=; fh=jhYacDopiBgwQIeQ1cXbvDctYYrW7ey+FZCUEP0vLxU=; b=M31rxBrqe0Rf1yKDK1lfQFo3xzJhJgHon8VKmzK+U/AYa3MBfFxRprckIYLnsoR5Jf 52r3sFdc1jmQ2nOzP/zoHuipW8F0sjSFdgeN6jUc/Pyqcwt2JtAi39IYdL+wvHdOjYpt 183Krb1JyyYwNMC35jZ3Lij2XBmxnHX0XqPxFgxyDuO3g4MVR+XrAqUWZhh9/XN63+js xYDsjuWvLokO+dyOTcB6cxLsoYFcy7s9BN5l3OTWL3Sqx7X+zOw74ZNMgE21IClB+PQv oPwUbyTcz7jaqsoGc2ZzhOVWysuWiC8lNI3Wyd62aYQjMBrhUkNdCHevzYdDrvYZL7Oe ONYQ==; darn=gnusha.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=dZOrCfiU; arc=pass (i=1); spf=pass (google.com: domain of bnagaev@gmail.com designates 2607:f8b0:4864:20::132e as permitted sender) smtp.mailfrom=bnagaev@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1780213223; x=1780818023; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version:sender :from:to:cc:subject:date:message-id:reply-to; bh=Mz6mhHnqdfhDcSl9Z8Inx5x0Ok8u6ro96KcQEdvdZhY=; b=r5hPdTuna7NhO4gDAwFB8+1B40gj59SiyHXFlT067r9svO+ViddIhESmdPfc8BjGUd Lv/LmQjanimXT4Gvc/YE12tS7Ws9H/2BJ3LhmMxnsDdv1UbadZ+SFT7UR9XvFJFuoBD6 5v7sbfhFFisDGUkwL/EuUtaou2zdPzfLjKuPuUWXC9zRgPB6tXZ1Lav3T+9Ge1OYzjCI /dWBK7XsLLbGiorgT9Av6+e6xslAgKya2uEEuhl6rpfvssjsS/8zrRErkemfGZ5oGJCT Wi71Mp1FECL5L6x/30pqp9HPxvemIrfdX9qvNdr9dRR/LUdTHNAwLjgU6CxD4vkFbtjN c+ag== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780213223; x=1780818023; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version:from:to:cc :subject:date:message-id:reply-to; bh=Mz6mhHnqdfhDcSl9Z8Inx5x0Ok8u6ro96KcQEdvdZhY=; b=HThs6F0Hu41qgloI0snPuikXkeNKBbqPbFea/98JSzI2+JdhOsTSZFLzHr1Rvh4ptu LF9ci29zJlmHYz/wPCe+OHq8wmU8xaUxcprostRddANa3mwuty5CgH661oh4ShQtg/C0 OqeieEKzkF2+CdaS5biSYlLTdLir/YGeFjX+MGSoMEE1rdAiDKA8waJDa7t1eBJGoJTi CuAV9lSWNmoZkxRt0o0yxvKbI1C48l2hPEBM/lJA97rdck3up8XnZh6E+ckLu4zi6xaN JZZJWlh4H7b77smbM0wpXb7jKh6mkgyvTuITSUplO1LZw390hYWceqWE6kxPLH9BIoBe oEcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780213223; x=1780818023; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version:x-gm-gg :x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date :message-id:reply-to; bh=Mz6mhHnqdfhDcSl9Z8Inx5x0Ok8u6ro96KcQEdvdZhY=; b=HpjPw9+DPMtT1/B/XOEo1ku/rBDd8cSj/YE0xJZbDdgn0qN356cbgWSt3MhrKJ79vZ VaQ0wMXVz9tdEav8FDYr4HcbIY8nBTXuCdc9Aas5WwMdWPsVpDD/W8IQQTfFtuX/QMZB JuGC+krIwmW1ibpmVEno+nUZR5H6oLtynyuzZcYyOcCnNk7qf52Zm/1WbxPxpyvg7Ywb dTqWFk9E1teojAb0yQYbmTRILgFm1aA2SQKHhGjviUw0yIKkGYBhxZCEhSn+9Mn0oXjg 6EIBPqKCBkKg2/8KvvHQaslu2Wxb8PmPQWtvbXx7OO86RJcm2Bw/c58tlpKdXKHtAHc5 hbUw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=3; AFNElJ9dR/FUbFLUaoj5mC48auRG/de8vMAT7XGFQxEu3M6n0ZE2TeI/zWS+Go1TtZBkW6Qni/4Wb53Fau0h@gnusha.org X-Gm-Message-State: AOJu0YxcUtTe+NRPS+q9xag+uQ30fIYR850FnGfbB4dxrrJCNj6Bnjfi ypjKv3DlDk79koBfopHl+THiyuYy80shysAY79z29o5hSLuufrbH7N79 X-Received: by 2002:a05:6870:304d:b0:43b:ccff:3557 with SMTP id 586e51a60fabf-43ca42a18f5mr3419620fac.26.1780213222602; Sun, 31 May 2026 00:40:22 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AUV6zMMI1h1mjpqgV0VpLdUD5BvA9uXY8EFkscqNqoUTSGT0zA==" Received: by 2002:a05:6871:61c7:b0:430:2c03:d0f5 with SMTP id 586e51a60fabf-43c5149e810ls2231737fac.0.-pod-prod-05-us; Sun, 31 May 2026 00:40:17 -0700 (PDT) X-Received: by 2002:a05:6808:4707:b0:480:42da:e125 with SMTP id 5614622812f47-485fb4c772fmr3033326b6e.36.1780213217704; Sun, 31 May 2026 00:40:17 -0700 (PDT) Received: by 2002:a05:620a:1669:b0:8f9:4d19:af67 with SMTP id af79cd13be357-9151578e0fbms85a; Sat, 30 May 2026 23:23:05 -0700 (PDT) X-Received: by 2002:a05:6102:9d0:b0:66b:a0d7:abc4 with SMTP id ada2fe7eead31-6c6772b5220mr1993845137.0.1780208585311; Sat, 30 May 2026 23:23:05 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1780208585; cv=pass; d=google.com; s=arc-20240605; b=aYZZb0+byuXS9osaucxSLEdx0IgVps2HFUtHxsiH57oflYLSvcYg2UOCBja4QyAAHR jVk72pOe5K8qNFgwOgjZZsq097oO43KZD8E2L1pIw58kyuJHwM0xBOcK39XiUC1Sx1H2 5nFvAwBDnEbJyX0qaBwAcewZYsGUYMZeLSZk6Oi3BIZA9jxbJW+L+to4bwR4/PIrR4C8 ZqFrTFzrpjaIcTCsFEFansedQSc+h2hgYnCw3QiWLGm63uTwzVJiMZpvbMisiykAU3tw VgU4OJcq9+9FNxy8whdDxRA8EReZYLfAxF9oFDy+d6Ld8esyMXHEUZdy/4wcWDcJd1LG cFBw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=QKrsETpgSDEXeUhvIXlsZ6fpXX6aSmC5u3Ug29jFnBg=; fh=t0xe4s6OwK/nag7dWixgc9y26E3m78ldPpNpzh4RGuU=; b=DUNNoz0B2uDWjiw2WhqHamwaMpIINSfx0c8lC2ayY2rS/2qdLzkU0BSxYEAwk/qCnz TICEaZkkwPNP+JfyGdJWnz+2d0PAB3d3BxyR2ObBYNkYh9u0kkNiVI/FCur5b6kcQbvK VSjar5PFGtIa97KZr6Uz0vt4eAuQO0Vc72S1lwSSGEfB1XLXso1BLZMqG3mMua78F9l5 2cx0gm5wrREVxFn7B9cMnh5NvlE5xTlTe3sTKXGV1iH20OF5nRULehF6SOcr23Ic8TJP fwV83FMVTcs0tGQce3ijuYIMVlpujD8NaZBFIxbzznuWQiymV1RjgtwaMZq5SB9e6z+V kxRQ==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=dZOrCfiU; arc=pass (i=1); spf=pass (google.com: domain of bnagaev@gmail.com designates 2607:f8b0:4864:20::132e as permitted sender) smtp.mailfrom=bnagaev@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-dy1-x132e.google.com (mail-dy1-x132e.google.com. [2607:f8b0:4864:20::132e]) by gmr-mx.google.com with ESMTPS id ada2fe7eead31-6bfb965f8a2si214764137.1.2026.05.30.23.23.05 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 30 May 2026 23:23:05 -0700 (PDT) Received-SPF: pass (google.com: domain of bnagaev@gmail.com designates 2607:f8b0:4864:20::132e as permitted sender) client-ip=2607:f8b0:4864:20::132e; Received: by mail-dy1-x132e.google.com with SMTP id 5a478bee46e88-304ffa40c5dso2905597eec.1 for ; Sat, 30 May 2026 23:23:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780208585; cv=none; d=google.com; s=arc-20240605; b=TG05zF6o7WZ4rlPWnvZcFhFq0GsZtim1Mn7IduJdbr4xIVw2k9s/DB9dMJncWa3J8G b3WLwJPUgrHJxK/i3BmKl6d1ReInHSwHyv9KKqfz5jR4ueRXvY0e8lvDev8BM+YWs2MY nMbHIoOj+REzJpjeFllMn5560WjLc5I5YZsXLCqfc5QzTFt7/Gtb6MFx7JiqcOm0+p+T CS/x2cvGtg3wXu2E3A3PVLFnB2ITNGI3TqKwrRyeCBIieMhZm3SPItSoAC3qCvAAqkv3 Czd1STs4TLMointNVWsHW4gGBaRCtJ5QpSb9nut6MkeL1oZeGPVtEURzpSfwnk4DRuXQ K6LQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=QKrsETpgSDEXeUhvIXlsZ6fpXX6aSmC5u3Ug29jFnBg=; fh=t0xe4s6OwK/nag7dWixgc9y26E3m78ldPpNpzh4RGuU=; b=lbhufd/LHbQKgY9dXWX7D8PMCfvhJwy+l9WqWdlCl2JEhrvcSX5OLDQVFud64itYbq VgnwBFLEXxMLQqob6MIw4CzkSXjn8lf8Cay4aB8d6HZDzq4pa6f9FJjuF1rzEdEeBYdr xhkWEL6E8OCuP5KWD6tBvPbIFBolk+XX0pggODEX/GB9LfRMAD0+TmIAtMiL50t+2rra PLBazAeLqEIbCJ/v5AUlL66Og4ap2IftaQH3Y3AiLQ93R6/7yXSEh8SMAxKeXGWvUeqz x85cuUeGiANVngJnY9/ucUTGlJwNshEbnfGVgo2V0UuRwcA1q1OzoJDVbz9S0urVR+lr k4XQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; arc=none X-Gm-Gg: Acq92OE+P4jjKBHwPIce80iAwLOSVAfHvmNlVKvtn9chvdvIkV7aAWTg9hx+BZfdWoS 92NjlKtM9gs4/7+RuH+BhgR2degMwOowhGuw9nQJFnjxhEzWZWlLWmwfWqad0qha/cn9PnLmb5K B4yqfBhHti8DhwPqsNp0vB3onDf4WH0gZgj2XCXspuOiTPRto2j9X549fMvoCTrKkzgx5QuuFDj 4wJZYc471DirIOWhBN5pFsLIEaydiF8StLsUfyIq9/Qp1ILztzfXSpcGrpMRFoPYlpuD2QfQoda qQ7Ti6DKesPs+zuT X-Received: by 2002:a05:7300:a191:b0:2f1:6252:f8fe with SMTP id 5a478bee46e88-304fa49edfcmr2514613eec.3.1780208584661; Sat, 30 May 2026 23:23:04 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Nagaev Boris Date: Sun, 31 May 2026 01:22:27 -0500 X-Gm-Features: AVHnY4LGl8P5MDielLSGw-m5qJClQI0qqoZH3w_pq2CDcr2oZmfAEuRbytaQnuM Message-ID: Subject: Re: [bitcoindev] Weak Quantum Bounty Ceremony To: Erik Aronesty Cc: Bitcoin Development Mailing List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Original-Sender: bnagaev@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20251104 header.b=dZOrCfiU; arc=pass (i=1); spf=pass (google.com: domain of bnagaev@gmail.com designates 2607:f8b0:4864:20::132e as permitted sender) smtp.mailfrom=bnagaev@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) Hey Erik, The scheme is interesting! I want to add my two cents. Those not motivated by funds could publish a zero knowledge proof instead of moving the funds. This means real funds are not even needed in this case. Or the whole scheme can be deployed to testnet or signet not to waste (or burn?) real coins. Also I would like to propose some properties which the publishing scheme should have to maximize the effect: - anonymous for the publisher - plausible deniable for the publisher - uncensorable For the plausible deniability thing, imagine a researcher who has access to a particular signature made by quantum computer and can prove it, but then it will be clear who leaked it, because the signature has a unique nonce. This is where ZK can help. But how to do ZK onchain to get censorship resistance? Maybe some BitVM construction may help. Using mainnet provides better censorship resistance than testnet or signet - that is actually a good reason to use mainnet unless we come up with a better approach. Best, Boris On Sat, May 30, 2026 at 12:58=E2=80=AFPM Erik Aronesty wrote= : > > I have been thinking about a way to create publicly verifiable Bitcoin ou= tputs whose recovery is intentionally tied to breaking a weaker cryptograph= ic system. > > The goal is to create a "quantum bounty." The output would be spendable b= y a valid secp256k1 private key, but the key would be generated in a public= ceremony and intentionally limited to 160 bits of entropy. Recovery would = additionally be facilitated by publishing an encryption of the same secret = under a weaker elliptic curve system. > > The basic idea is that a group of independent participants runs a distrib= uted key generation ceremony. Each participant contributes a secret share. = The shares are combined into a single 160-bit scalar x. At no point is x re= constructed on any machine or revealed to any participant. > > From the same distributed shares, participants jointly derive: > > 1. A Bitcoin public key P =3D xG on secp256k1. > 2. An encryption of x under a separate 160-bit elliptic curve system. > > The transcript contains all commitments, public contributions, ciphertext= contributions, and equality-of-discrete-log proofs needed to verify that b= oth constructions are derived from the same hidden scalar. > > The construction does not require SNARKs or any trusted setup. It appears= sufficient to use Pedersen-style commitments, ElGamal-style encryption, an= d Chaum-Pedersen proofs showing consistency between participant contributio= ns across the two groups. > > After the transcript is finalized, participants destroy their secret shar= es and temporary randomness. Assuming at least one participant behaves hone= stly and destroys their material, the scalar x is no longer known to anyone= . > > The final artifact consists of: > > * A Bitcoin public key P. > * A weak-curve ciphertext C. > * A complete public transcript proving that P and C were derived from the= same hidden scalar. > > Bitcoin can then be sent to the address corresponding to P. > > Anyone who can recover x from the weak cryptosystem can spend the output.= The effective security of the bounty is therefore determined by the weaker= curve rather than by the full secp256k1 discrete logarithm problem. > > The intended purpose is to create a publicly auditable cryptographic cana= ry target. > > One question I have not fully resolved is whether there are cleaner const= ructions for the recoverable encryption component than ElGamal-style encryp= tion, while still preserving simple transcript verification and avoiding ge= neral-purpose zero-knowledge systems. > > -- > You received this message because you are subscribed to the Google Groups= "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an= email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit https://groups.google.com/d/msgid/bitcoinde= v/CAJowKgJVwmm%3Dh6AsO4zeGTmfdK-RUQiDsMJkMRd6WZSo5FjeZg%40mail.gmail.com. --=20 Best regards, Boris Nagaev --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CAFC_Vt7DLZEytF72Q0EVPeg6iED3qztMXs7aX6zBNBQ5%2B-ceXA%40mail.gmail.com.