Of the quantum proofing schemes we've seen so far, this one seems relatively lightweight and reasonable. Stick a time-stamped proof that you know your keys in a block now and then you can demonstrate later that you controlled the keys before some dark future time when a quantum computer is wreaking havoc.
Suppose we’re in the year 2040, and Satoshi has decided to fund his retirement by finally selling some of his Bitcoin. Cryptographically relevant quantum computers arrived in 2030, and deriving Satoshi’s private keys is now a standard homework assignment for MIT freshmen. Luckily for Satoshi, the protocol sunsetted the ability to spend from ECDSA keys in an emergency soft fork in 2029.
Satoshi wants to prove, in a post-quantum and algorithmically verifiable way, that he knew his private key before CRQCs could derive it. What can he do?
If he has to generate that proof from scratch today, he is out of luck. Since everyone now knows his private keys, and since he didn’t derive them using BIP-32 or any other deterministic scheme, the keys don’t give him any asymmetric private information he can use for a cryptographic proof.
However, if he can cryptographically prove that he knew those keys before CRQCs could have derived them, then the protocol could let him take the coins. If he had the foresight back in 2026, he could have used a cryptographic timestamping service to timestamp a signature, establishing that he knew the private key before CRQCs existed.
Conveniently, he had already invented a trustless way to timestamp proofs of knowledge back in 2008. The Bitcoin whitepaper described the Bitcoin network as a “distributed timestamp server.” Developers have long recognized that while it was primarily designed for timestamping transactions, it could easily be used to timestamp any hash—and that since hashes can be aggregated efficiently, it is cheap to run a service that provides such timestamps for free. OpenTimestamps is an open-source protocol that allows anyone to timestamp arbitrary hashes on the Bitcoin blockchain, by including them in a Merkle tree within an OP_RETURN output.
If Satoshi had timestamped a salted commitment to a standardized address-control proof before CRQCs using OpenTimestamps, then he could provide a post-quantum-secure STARK proof of that timestamp to the Bitcoin protocol.
A Provable Address-Control Timestamp, or PACT, is just such a timestamped commitment.
There was also an interesting thread about the idea where @bluematt discusses the idea in a bit more detail.
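To make the quoted mechanism concrete, here is an added example (not code from the PACT write-up, OpenTimestamps, or anyone in this thread): a salted commitment to a placeholder address-control proof is aggregated into a simplified SHA-256 Merkle tree whose root stands in for the value placed in the OP_RETURN output, and a verifier later checks the opened commitment against that root. The placeholder proof string, the fixed salt and the single-SHA-256 tree are assumptions for illustration; real OpenTimestamps proofs use their own serialization, and the proposal wraps this check in a STARK rather than recomputing hashes directly.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def commit(proof: bytes, salt: bytes) -> bytes:
    # Salted commitment: the timestamped value reveals nothing about the
    # proof (or the address) until the owner chooses to open it.
    return sha256(salt + proof)

def _next_level(level):
    if len(level) % 2:
        level = level + [level[-1]]          # duplicate the odd leaf
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    # The aggregator anchors only this 32-byte root in the block.
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_path(leaves, index):
    # Sibling hashes needed to recompute the root from leaf `index`.
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append((level[index ^ 1], index % 2 == 1))  # (sibling, sibling_is_left)
        level, index = _next_level(level), index // 2
    return path

def verify_pact(root, proof, salt, path):
    # Later, the owner opens the commitment and shows it hashes up to the
    # root that was timestamped; any other proof or salt fails to match.
    node = commit(proof, salt)
    for sibling, sibling_is_left in path:
        node = sha256(sibling + node) if sibling_is_left else sha256(node + sibling)
    return node == root

# Constructed sample: placeholder control statement, fixed salt (a real
# deployment draws the salt at random), and four unrelated requests.
PROOF = b"control-proof|ADDRESS_PLACEHOLDER|SIGNATURE_PLACEHOLDER"
SALT = bytes.fromhex("00" * 16)
OTHER_LEAVES = [sha256(b"other request %d" % i) for i in range(4)]
LEAVES = OTHER_LEAVES[:2] + [commit(PROOF, SALT)] + OTHER_LEAVES[2:]
ROOT = merkle_root(LEAVES)
PATH = merkle_path(LEAVES, 2)

def demo():
    ok = verify_pact(ROOT, PROOF, SALT, PATH)
    forged = verify_pact(ROOT, b"control-proof|ATTACKER|SIG", SALT, PATH)
    return ok, forged
```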
I'm not sure why that's supposed to help. The existence of an owner is not the question. The question is how to distinguish the owner from a CRQC attacker. How does the proof tie to the later spending transaction and authenticate the owner as the legitimate spender?
And you think that this is a particularly good solution?
I'm not sure, but I think anyone who is particularly worried about a quantum future could do something like this. Maybe it helps them sleep better at night to have this thing they've embedded in a block?
I like these solutions that seem to allow those people who are most worried to take some action, without requiring consensus from people who aren't worried.
Hmm... Doesn't it say "emergency soft fork" in there? Without that, there is no use to the commitment. So this feels like procrastination. Schedule the soft fork now, for 2028, and maybe there would be some merit. Even then though, it still feels like kicking the can down the road.
Most people don't take quantum seriously because it feels like it's always 10 years away, but by the time it's actually a problem it's too late to migrate. Glad to see people working on the transition now instead of waiting until everyone's funds are already at risk.
https://twiiit.com/TheBlueMatt/status/2050296673642188950