From: Erik Aronesty
Date: Sat, 30 May 2026 07:01:05 -1000
Subject: [bitcoindev] Weak Quantum Bounty Ceremony
To: Bitcoin Development Mailing List

I have been thinking about a way to create publicly verifiable Bitcoin outputs whose recovery is intentionally tied to breaking a weaker cryptographic system.

The goal is to create a "quantum bounty." The output would be spendable by a valid secp256k1 private key, but the key would be generated in a public ceremony and intentionally limited to 160 bits of entropy. Recovery would additionally be facilitated by publishing an encryption of the same secret under a weaker elliptic curve system.
The basic idea is that a group of independent participants runs a distributed key generation ceremony. Each participant contributes a secret share. The shares are combined into a single 160-bit scalar x. At no point is x reconstructed on any machine or revealed to any participant.

From the same distributed shares, participants jointly derive:

1. A Bitcoin public key P = xG on secp256k1.
2. An encryption of x under a separate 160-bit elliptic curve system.

The transcript contains all commitments, public contributions, ciphertext contributions, and equality-of-discrete-log proofs needed to verify that both constructions are derived from the same hidden scalar.

The construction does not require SNARKs or any trusted setup. It appears sufficient to use Pedersen-style commitments, ElGamal-style encryption, and Chaum-Pedersen proofs showing consistency between participant contributions across the two groups.

After the transcript is finalized, participants destroy their secret shares and temporary randomness. Assuming at least one participant behaves honestly and destroys their material, the scalar x is no longer known to anyone.

The final artifact consists of:

* A Bitcoin public key P.
* A weak-curve ciphertext C.
* A complete public transcript proving that P and C were derived from the same hidden scalar.

Bitcoin can then be sent to the address corresponding to P.

Anyone who can recover x from the weak cryptosystem can spend the output. The effective security of the bounty is therefore determined by the weaker curve rather than by the full secp256k1 discrete logarithm problem.

The intended purpose is to create a publicly auditable cryptographic canary target.

One question I have not fully resolved is whether there are cleaner constructions for the recoverable encryption component than ElGamal-style encryption, while still preserving simple transcript verification and avoiding general-purpose zero-knowledge systems.
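A sketch of the secp256k1 half of the ceremony described above, as an added example that is not part of the original post: participants commit to their public contributions P_i = x_i·G, reveal them, and anyone recomputes P as the sum of the P_i without x ever being assembled. The function names, the SHA-256 hash commitment (a stand-in for the Pedersen-style commitments) and the share-size rule are assumptions; the weak-curve ciphertext and the equality proofs are not modelled.

```python
import hashlib, secrets
# secp256k1 domain parameters (standard public constants)
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None: return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return (pt[1] ** 2 - pt[0] ** 3 - 7) % FP == 0

def commit(pt, nonce):
    """Hash commitment to a contribution (stand-in for a Pedersen-style commitment)."""
    return hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big") + nonce).digest()

def verify_transcript(commitments, reveals):
    """Check every reveal opens its round-1 commitment, then return P = sum of the P_i."""
    if len(commitments) != len(reveals):
        raise ValueError("missing contribution")
    total = None
    for c, (pt, nonce) in zip(commitments, reveals):
        if not on_curve(pt) or commit(pt, nonce) != c:
            raise ValueError("reveal does not open its commitment")
        total = add(total, pt)
    return total

def run_ceremony(n=3, bits=160):
    """Constructed run. Assumption: each share is below 2**bits // n so the sum fits in `bits` bits."""
    shares = [1 + secrets.randbelow(2**bits // n - 1) for _ in range(n)]
    reveals = [(mul(x, G), secrets.token_bytes(16)) for x in shares]
    commitments = [commit(pt, nonce) for pt, nonce in reveals]  # round 1: published first
    return shares, commitments, reveals, verify_transcript(commitments, reveals)  # round 2
```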