I don't claim to fully understand Finney's zk method here, but - in the context of quantum resistance - I've come up with a two-transaction approach to allow us to spend from P2(W)PKH addresses, even when powerful quantum attackers already exist.
My method is probably either wrong, or unoriginal, as I'm newish to this. I studied cryptography twenty years ago in university, but have probably forgotten a lot. I'm just thinking out loud here, as I guess I might get good quality feedback on Nostr.
=== The problem, and my proposed method: ===
Let's assume that we have a balance in a P2(W)PKH address. The private key (s) and the public key (k) are known only to us, while the hash (h) is the address and is public as it's in the block chain. I want to spend my funds from that address, but an attacker wants to steal them.
Let's assume there are attackers with very fast and powerful quantum computers. To spend from that address (ideally to send it to a new - quantum-resistant - address) we need to show 'k' to the mempool along with a message signed with 's'. A fast attacker can see 'k' in the mempool, use their quantum computer to compute 's', and quickly replace my genuine transaction with one that spends to the attacker's address.
To prevent this, we can change the consensus rules to allow us to pre-register the address we want to spend to. First, we combine the public key 'k' and our target (hopefully quantum-resistant) address and then compute the hash of that pair. Call this hash 'h2'.
The pre-register transaction doesn't spend anything (apart from any fees necessary to get this pre-registration on to the chain), it just records - perhaps inside an OP_RETURN - the following two pieces of information on the chain:
- the original address, 'h', that I (claim to) own,
- this secondary hash, 'h2', computed as described in the previous paragraph.
Of course, any attacker could also make a similar claim to the same 'h'. But they don't know (yet) the true 'k' and therefore they are unable to compute the correct 'h2'.
Later, when I'm satisfied that this pre-register transaction has enough confirmations, I can broadcast the real (signed) transaction. As this exposes the public key, both hashes can now be computed by anyone, and it's easy to see that my claim - not the attacker's claim - is genuine. At this point, the quantum attacker can compute the private key. But they can't steal the funds, as my 'claim' has been proven correct and therefore the target address that I chose in the pre-registration is 'locked in'.
This is a change to consensus rules, to 'lock in' any claims that have been proven correct, and it might take a long time to agree on and implement it. But the point is that we can use a simple scheme like this to safely spend.
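To make the two-step scheme concrete, here is an added Python sketch (not part of the original post) that models the pre-registration record, the reveal, and the proposed consensus check. SHA-256 stands in for the real address hash (HASH160), the six-block confirmation depth and the "first proven claim locks the target" rule are assumptions of this sketch, and all keys and addresses are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass
MIN_DEPTH = 6  # assumed rule: a claim must be this deep before a spend may open it

def address_hash(pubkey: bytes) -> bytes:
    """h: the address. SHA-256 stands in for the HASH160 of real P2PKH."""
    return hashlib.sha256(pubkey).digest()

def commitment(pubkey: bytes, target: bytes) -> bytes:
    """h2 = H(k || target): commits to the destination without revealing k."""
    return hashlib.sha256(pubkey + target).digest()

@dataclass(frozen=True)
class Claim:
    height: int   # block the pre-registration confirmed in
    h: bytes      # address being claimed
    h2: bytes     # commitment to (k, target)

def preregister(height: int, pubkey: bytes, target: bytes) -> Claim:
    """The OP_RETURN-style record; k itself never leaves the owner's wallet."""
    return Claim(height, address_hash(pubkey), commitment(pubkey, target))

class Ledger:
    def __init__(self) -> None:
        self.claims: list[Claim] = []
        self.locked: dict[bytes, bytes] = {}   # h -> destination proven correct

    def spend(self, height: int, pubkey: bytes, destination: bytes) -> bool:
        """Consensus check for a spend that reveals k and names a destination."""
        h = address_hash(pubkey)
        if h in self.locked:                   # a proven claim already fixed the target
            return self.locked[h] == destination
        h2 = commitment(pubkey, destination)
        ok = any(c.h == h and c.h2 == h2 and c.height + MIN_DEPTH <= height
                 for c in self.claims)
        if ok:
            self.locked[h] = destination       # 'lock in' the proven claim
        return ok

def demo() -> tuple:
    """Constructed keys/addresses; returns (owner_ok, thief_race, thief_late)."""
    k, owner_addr, thief_addr = b"owner-pubkey", b"qr-safe-owner", b"thief"
    ledger = Ledger()
    ledger.claims.append(Claim(100, address_hash(k), commitment(b"guess", thief_addr)))  # wrong h2: k unknown
    ledger.claims.append(preregister(101, k, owner_addr))
    thief_race = ledger.spend(110, k, thief_addr)   # k seen in mempool; no claim opens to 'thief'
    owner_ok = ledger.spend(110, k, owner_addr)     # opens the confirmed claim and locks h
    ledger.claims.append(preregister(110, k, thief_addr))  # late claim made with the real k
    thief_late = ledger.spend(120, k, thief_addr)   # rejected: h is already locked
    return owner_ok, thief_race, thief_late
```

The `demo()` run shows the three outcomes the post describes: the genuine spend is accepted, the attacker's front-running spend fails because no confirmed claim opens to their address, and a claim made after 'k' is revealed cannot override the locked target.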
So, as long as your funds are in P2(W)PKH addresses that you have not already spent from, you don't need to panic when quantum computers become very powerful. Just wait patiently for this scheme (or something better!) to be implemented.
#Bitcoin #Quantum #QuantumResistance