Bitcoin Development Mailinglist
* [bitcoindev] Simple quantum security, at the expense of slower tx time
@ 2026-01-28 18:36 Erik Aronesty
  0 siblings, 0 replies; only message in thread
From: Erik Aronesty @ 2026-01-28 18:36 UTC (permalink / raw)
  To: Bitcoin Development Mailing List


Seeking feedback on a simple secret-reveal scheme for a quantum-secure
vault. There may be some missing details, but in general, this shows that
covenant-protected vaults, with appropriate depth-locks, are
quantum-resistant. The whole idea involves a two-phase reveal: you must
clear one tx to pin the destination, then you can inspect what's been
mined, and then, based on that inspection, submit an escape or a final
reveal. It relies on linear state for its quantum security and
doesn't require new signature schemes or cryptography libraries.

Assumptions:

   - OP_CHECKTEMPLATEVERIFY (OP_CTV) is available per BIP119.
   - OP_TXHASH / OP_CHECKTXHASHVERIFY is available per the current draft
     proposal, allowing scripts to hash and verify selected fields of the
     *spending transaction*.
   - Relative timelocks exist (BIP68 / BIP112).
   - SHA256 preimage resistance holds, even if ECDSA/Schnorr signatures
     become forgeable.

------------------------------
Threat model:

An attacker may:

   - Forge signatures.
   - Intercept, delay, reorder, or fee-bump transactions.
   - Front-run in the mempool.
   - Exploit shallow reorgs.

An attacker may not:

   - Break SHA256 preimage resistance.
   - Violate miner-enforced OP_CTV semantics.
   - Violate miner-enforced OP_TXHASH semantics.
   - Violate relative timelock rules.
   - Rewrite deep chain history.

------------------------------
High-level idea:

This construction creates a multi-phase envelope that separates:

   - *who can trigger execution* from
   - *where value is allowed to go*.

Even if signatures are forgeable, funds can only move into a protected
Anchor envelope, and from there only along template-bound paths.

   - Phase 0 funnels all value into a predetermined Anchor envelope (that
   commits to a secret-reveal scheme, but no destination, using TXHASH).
   - Phase 1 instantiates that envelope on-chain (an attacker could do this...
   but why?).
   - Phase 2 either:
      - reveals a one-time secret to complete a template-bound spend
      (because spender sees their good TX was mined), or
      - uses an escape hatch without revealing the secret (because spender
      sees a bad TX was mined)

Phase 0 locking policy:

The Phase 0 UTXO enforces the following:

   1. Anchor pinning: Any spend MUST create exactly one value-bearing output
      whose scriptPubKey equals P_anchor.
   2. No value leakage: No other value-bearing outputs are permitted.
      Transaction fees are paid by reducing the Anchor output amount.
   3. Fee bound: The Phase 0 script MUST enforce a bound on fee extraction,
      e.g.:

These conditions are enforced using OP_TXHASH, selecting and verifying:

   - the number of outputs,
   - the scriptPubKey of the Anchor output,
   - and sufficient value information to enforce the fee bound.

Phase 1: AnchorPublishTx

Properties:

   - Spends the Phase 0 UTXO.
   - Creates exactly one output: the Anchor UTXO, locked to P_anchor.

The Anchor envelope is now instantiated on-chain. An attacker may have
triggered this spend... that's ok.
------------------------------
Anchor UTXO locking script shape

A Taproot script tree with two spending paths.

Path 1: Reveal spend (normal)

Conditions:

   1. Relative depth gate: The Anchor UTXO must have aged by at least k blocks
      (CSV).
   2. Reveal check: SHA256(x) == C.
   3. Template enforcement: The spending transaction MUST match template T via
      OP_CTV.

------------------------------
Path 2: Escape hatch

Conditions:

   1. Template enforcement: The spending transaction MUST match template E via
      OP_CTV.
   2. No secret revealed: The value x is not disclosed on this path.

The escape path may be immediately available or time-delayed.
------------------------------
Phase 2: SpendAnchorTx

   - Reveal path witness: x plus any required non-cryptographic data.
   - Escape path witness: no x.

------------------------------
Security properties

   - Quantum signature safety: Forged signatures do not enable theft. All
     value is confined to the Anchor envelope before any secret is revealed.
   - No redirect-after-reveal: Once x is revealed, OP_CTV pins the outputs.
   - Observation is sufficient: If an attacker publishes Phase 0 or Phase 1
     spends, the Anchor script still contains a usable escape hatch.
   - Reorg resistance: The relative timelock k mitigates shallow reorg games.
   - Graceful degradation: A quantum attacker can force execution or cause
     delay or fee grief, but cannot steal value.
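To make the Phase 0 policy and the two Anchor paths concrete, here is a small Python model of the validation rules (added here as an illustration; it is not code from the post or from any Bitcoin implementation). The transaction structure, the template-hash stand-in for OP_CTV, the secret x, the templates T and E and the depth k are all constructed toy values; note that no signature is checked anywhere, which is the point of the construction.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy values (not from the post): the one-time secret x, its
# commitment C, the two CTV templates and the depth gate k.
SECRET_X = b"constructed one-time secret"
C = hashlib.sha256(SECRET_X).hexdigest()
P_ANCHOR = "anchor_spk"
T_OUTPUTS = [("cold_destination_spk", 97_000)]    # template T (reveal path)
E_OUTPUTS = [("escape_destination_spk", 97_000)]  # template E (escape path)
K = 6

@dataclass
class Tx:
    outputs: list        # [(scriptPubKey, value_sats), ...]
    input_value: int     # value of the UTXO being spent
    input_age: int = 0   # blocks since that UTXO confirmed (what CSV sees)

def ctv_hash(outputs):
    """Stand-in for the BIP119 template hash: commits to the whole output list."""
    data = b"".join(spk.encode() + v.to_bytes(8, "little") for spk, v in outputs)
    return hashlib.sha256(data).hexdigest()

TEMPLATE_T, TEMPLATE_E = ctv_hash(T_OUTPUTS), ctv_hash(E_OUTPUTS)

def phase0_ok(tx, max_fee):
    """Phase 0 policy, as OP_TXHASH would check it: exactly one value-bearing
    output, locked to P_anchor, and the fee (input minus output) is bounded."""
    bearing = [(spk, v) for spk, v in tx.outputs if v > 0]
    if len(bearing) != 1 or bearing[0][0] != P_ANCHOR:
        return False
    return tx.input_value - bearing[0][1] <= max_fee

def anchor_ok(tx, witness):
    """Anchor UTXO paths. No signature is ever checked, so forging one buys
    the attacker nothing: the outputs are pinned by the template either way."""
    if witness.get("path") == 1:                      # reveal spend
        return (tx.input_age >= K                         # depth gate (CSV)
                and hashlib.sha256(witness.get("x", b"")).hexdigest() == C
                and ctv_hash(tx.outputs) == TEMPLATE_T)   # OP_CTV template T
    if witness.get("path") == 2:                      # escape hatch, no x
        return ctv_hash(tx.outputs) == TEMPLATE_E
    return False
```

Running the checks against a redirect attempt (outputs changed after x is known), a value-leaking Phase 0 spend, or an over-large fee shows each rejected, while the template-matching reveal and escape spends pass.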

Some more information and discussion is on Delving Bitcoin:

https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168/5
