Seeking feedback on a simple secret-reveal scheme for a quantum-secure vault. There may be some missing details, but in general this shows that covenant-protected vaults with appropriate depth-locks are quantum-resistant.

The whole idea is a two-phase reveal: you must first clear one tx that pins the destination, then inspect what has been mined, and then, based on that inspection, submit either an escape or a final reveal. It uses linear state as a cleaner form of quantum security and doesn't require new signature schemes or cryptography libraries.

Assumptions:

- OP_CHECKTEMPLATEVERIFY (OP_CTV) is available per BIP119.
- OP_TXHASH / OP_CHECKTXHASHVERIFY is available per the current draft proposal, allowing scripts to hash and verify selected fields of the *spending transaction*.
- Relative timelocks exist (BIP68 / BIP112).
- SHA256 preimage resistance holds, even if ECDSA/Schnorr signatures become forgeable.

------------------------------

Threat model:

An attacker may:

- Forge signatures.
- Intercept, delay, reorder, or fee-bump transactions.
- Front-run in the mempool.
- Exploit shallow reorgs.

An attacker may not:

- Break SHA256 preimage resistance.
- Violate miner-enforced OP_CTV semantics.
- Violate miner-enforced OP_TXHASH semantics.
- Violate relative timelock rules.
- Rewrite deep chain history.

------------------------------

High-level idea:

This construction creates a multi-phase envelope that separates:

- *who can trigger execution* from
- *where value is allowed to go*.

Even if signatures are forgeable, funds can only move into a protected Anchor envelope, and from there only along template-bound paths.

- Phase 0 funnels all value into a predetermined Anchor envelope (which commits to a secret-reveal scheme, but no destination, using TXHASH).
- Phase 1 instantiates that envelope on-chain (an attacker could do this... but why?).
- Phase 2 either:
  - reveals a one-time secret to complete a template-bound spend (because the spender sees their good tx was mined), or
  - uses an escape hatch without revealing the secret (because the spender sees a bad tx was mined).

Phase 0 locking policy:

The Phase 0 UTXO enforces the following:

1. Anchor pinning: Any spend MUST create exactly one value-bearing output whose scriptPubKey equals P_anchor.
2. No value leakage: No other value-bearing outputs are permitted. Transaction fees are paid by reducing the Anchor output amount.
3. Fee bound: The Phase 0 script MUST enforce a bound on fee extraction, e.g.:

These conditions are enforced using OP_TXHASH, selecting and verifying:

- the number of outputs,
- the scriptPubKey of the Anchor output,
- and sufficient value information to enforce the fee bound.

Phase 1: AnchorPublishTx

Properties:

- Spends the Phase 0 UTXO.
- Creates exactly one output: the Anchor UTXO, locked to P_anchor.

The Anchor envelope is now instantiated on-chain. An attacker may have triggered this spend... that's ok.

------------------------------

Anchor UTXO locking script shape

A Taproot script tree with two spending paths.

Path 1: Reveal spend (normal)

Conditions:

1. Relative depth gate: The Anchor UTXO must have aged by at least k blocks (CSV).
2. Reveal check: SHA256(x) == C.
3. Template enforcement: The spending transaction MUST match template T via OP_CTV.

------------------------------

Path 2: Escape hatch

Conditions:

1. Template enforcement: The spending transaction MUST match template E via OP_CTV.
2. No secret revealed: The value x is not disclosed on this path.

The escape path may be immediately available or time-delayed.

------------------------------

Phase 2: SpendAnchorTx

- Reveal path witness: x plus any required non-cryptographic data.
- Escape path witness: no x.

------------------------------

Security properties

- Quantum signature safety: Forged signatures do not enable theft. All value is confined to the Anchor envelope before any secret is revealed.
- No redirect-after-reveal: Once x is revealed, OP_CTV pins the outputs.
- Observation is sufficient: If an attacker publishes Phase 0 or Phase 1 spends, the Anchor script still contains a usable escape hatch.
- Reorg resistance: The relative timelock k mitigates shallow reorg games.
- Graceful degradation: A quantum attacker can force execution or cause delay or fee grief, but cannot steal value.

Some more information and discussion is on Delving Bitcoin: https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168/5
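To make the Phase 0 policy and the two Anchor paths concrete, here is an added Python model; it is not the poster's code and not Bitcoin Script. OP_TXHASH and OP_CTV are replaced by ordinary checks over a toy transaction type, the template hash commits only to the ordered outputs (BIP119 commits to more fields), and the fee bound, depth k, destinations and the secret x are constructed values. It walks the threat-model cases the post lists: a forged-signature drain at Phase 0, fee grief beyond the bound, redirect-after-reveal, a reveal before k confirmations, and the escape path that never discloses x.

```python
"""Added model of the Phase 0 policy and the two Anchor spending paths.

Not Bitcoin Script and not the poster's code: OP_TXHASH / OP_CTV become plain
Python checks over a toy Tx type, and the template hash commits only to the
ordered outputs (BIP119 commits to more fields). Every value below is
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    script_pubkey: bytes  # destination script
    value: int            # satoshis


@dataclass(frozen=True)
class Tx:
    input_value: int             # value of the single UTXO being spent
    outputs: tuple               # ordered Output objects
    confirmations_of_input: int  # depth of the spent UTXO (for CSV)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def template_hash(outputs) -> bytes:
    """Toy stand-in for the OP_CTV template: commits to all outputs in order."""
    h = hashlib.sha256()
    for o in outputs:
        h.update(len(o.script_pubkey).to_bytes(2, "big") + o.script_pubkey)
        h.update(o.value.to_bytes(8, "big"))
    return h.digest()


def phase0_policy_ok(tx, p_anchor, max_fee):
    """Stand-in for the OP_TXHASH checks: exactly one value-bearing output,
    it pays P_anchor, and the fee (input minus outputs) stays within the bound."""
    valued = [o for o in tx.outputs if o.value > 0]
    if len(valued) != 1 or valued[0].script_pubkey != p_anchor:
        return False
    fee = tx.input_value - sum(o.value for o in tx.outputs)
    return 0 <= fee <= max_fee


def reveal_path_ok(tx, x, c, k, template_t):
    """Anchor Path 1: CSV depth gate, SHA256(x) == C, outputs match template T."""
    if tx.confirmations_of_input < k or sha256(x) != c:
        return False
    return template_hash(tx.outputs) == template_t


def escape_path_ok(tx, template_e):
    """Anchor Path 2: outputs match template E; x is never disclosed."""
    return template_hash(tx.outputs) == template_e


def run_scenarios() -> dict:
    """Runs the threat-model cases; every entry should be True."""
    p_anchor, owner_dest = b"anchor-script", b"owner-cold"       # constructed
    recovery, attacker = b"owner-recovery", b"attacker-addr"     # constructed
    x = b"one-time-secret"                                       # constructed preimage
    c, k, max_fee, vault = sha256(x), 6, 2_000, 1_000_000
    # T and E are fixed when the Anchor script is built; only they can receive funds.
    template_t = template_hash((Output(owner_dest, vault - 3_000),))
    template_e = template_hash((Output(recovery, vault - 3_000),))
    r = {}
    # 1. Forged signature, but outputs not P_anchor: Phase 0 refuses.
    r["phase0_theft_rejected"] = not phase0_policy_ok(
        Tx(vault, (Output(attacker, vault - 1_000),), 0), p_anchor, max_fee)
    # 2. Honest AnchorPublishTx (whoever broadcasts it): accepted.
    r["phase1_accepted"] = phase0_policy_ok(
        Tx(vault, (Output(p_anchor, vault - 1_000),), 0), p_anchor, max_fee)
    # 3. Fee grief beyond the bound: refused.
    r["fee_bound_enforced"] = not phase0_policy_ok(
        Tx(vault, (Output(p_anchor, vault - 50_000),), 0), p_anchor, max_fee)
    # 4. Owner reveals x after k confirmations with the T outputs: accepted.
    r["reveal_accepted"] = reveal_path_ok(
        Tx(vault - 1_000, (Output(owner_dest, vault - 3_000),), k), x, c, k, template_t)
    # 5. x copied from the mempool and redirected to the attacker: CTV refuses.
    r["redirect_after_reveal_rejected"] = not reveal_path_ok(
        Tx(vault - 1_000, (Output(attacker, vault - 3_000),), k), x, c, k, template_t)
    # 6. Reveal before k confirmations: CSV gate refuses.
    r["early_reveal_rejected"] = not reveal_path_ok(
        Tx(vault - 1_000, (Output(owner_dest, vault - 3_000),), k - 1), x, c, k, template_t)
    # 7. Escape to the recovery template without disclosing x: accepted.
    r["escape_accepted"] = escape_path_ok(
        Tx(vault - 1_000, (Output(recovery, vault - 3_000),), 0), template_e)
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The point the model makes visible is the separation the post describes: `phase0_policy_ok` never looks at who signed, only at where value goes, so a forged signature buys the attacker nothing beyond triggering the honest AnchorPublishTx; and once x is in the mempool, `reveal_path_ok` still rejects any output set other than template T, so the reveal cannot be redirected.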