Simple quantum security, at the expense of slower tx time

Erik Aronesty

Feb 2, 2026, 6:37:06 PM
to Bitcoin Development Mailing List
Seeking feedback on a simple secret-reveal scheme for a quantum-secure vault. There may be some missing details, but in general this shows that covenant-protected vaults, with appropriate depth-locks, are quantum-resistant. The whole idea involves a two-phase reveal: you must clear one tx to pin the destination, then you can inspect what's been mined, and then, based on that inspection, submit an escape or a final reveal. It uses linear state as a more robust form of quantum security and doesn't require new signature schemes or cryptography libraries.

Assumptions:

  • OP_CHECKTEMPLATEVERIFY (OP_CTV) is available per BIP119. 

  • OP_TXHASH / OP_CHECKTXHASHVERIFY is available per the current draft proposal, allowing scripts to hash and verify selected fields of the spending transaction.

  • Relative timelocks exist (BIP68 / BIP112).

  • SHA256 preimage resistance holds, even if ECDSA/Schnorr signatures become forgeable.


Threat model:

An attacker may:

  • Forge signatures.
  • Intercept, delay, reorder, or fee-bump transactions.
  • Front-run in the mempool.
  • Exploit shallow reorgs.

An attacker may not:

  • Break SHA256 preimage resistance.
  • Violate miner-enforced OP_CTV semantics.
  • Violate miner-enforced OP_TXHASH semantics.
  • Violate relative timelock rules.
  • Rewrite deep chain history.

High-level idea:

This construction creates a multi-phase envelope that separates:

  • who can trigger execution from
  • where value is allowed to go.

Even if signatures are forgeable, funds can only move into a protected Anchor envelope, and from there only along template-bound paths.

  • Phase 0 funnels all value into a predetermined Anchor envelope (which commits to a secret-reveal scheme, but no destination, using TXHASH).
  • Phase 1 instantiates that envelope on-chain (an attacker could do this... but why?).
  • Phase 2 either:
    • reveals a one-time secret to complete a template-bound spend (because the spender sees that their good tx was mined), or
    • uses an escape hatch without revealing the secret (because the spender sees that a bad tx was mined).

Phase 0 locking policy:

The Phase 0 UTXO enforces the following:

  1. Anchor pinning: Any spend MUST create exactly one value-bearing output whose scriptPubKey equals P_anchor.

  2. No value leakage: No other value-bearing outputs are permitted. Transaction fees are paid by reducing the Anchor output amount.

  3. Fee bound: The Phase 0 script MUST enforce a bound on fee extraction, e.g.:

These conditions are enforced using OP_TXHASH, selecting and verifying:

  • the number of outputs,
  • the scriptPubKey of the Anchor output,
  • and sufficient value information to enforce the fee bound.

Phase 1: AnchorPublishTx

Properties:

  • Spends the Phase 0 UTXO.
  • Creates exactly one output: the Anchor UTXO, locked to P_anchor.

The Anchor envelope is now instantiated on-chain. An attacker may have triggered this spend... that's ok.


Anchor UTXO locking script shape

A Taproot script tree with two spending paths.

Path 1: Reveal spend (normal)

Conditions:

  1. Relative depth gate: The Anchor UTXO must have aged by at least k blocks (CSV).

  2. Reveal check: SHA256(x) == C.

  3. Template enforcement: The spending transaction MUST match template T via OP_CTV.


Path 2: Escape hatch

Conditions:

  1. Template enforcement: The spending transaction MUST match template E via OP_CTV.

  2. No secret revealed: The value x is not disclosed on this path.

The escape path may be immediately available or time-delayed.


Phase 2: SpendAnchorTx

  • Reveal path witness: x plus any required non-cryptographic data.
  • Escape path witness: no x.

Security properties

  • Quantum signature safety: Forged signatures do not enable theft. All value is confined to the Anchor envelope before any secret is revealed.

  • No redirect-after-reveal: Once x is revealed, OP_CTV pins the outputs.

  • Observation is sufficient: If an attacker publishes Phase 0 or Phase 1 spends, the Anchor script still contains a usable escape hatch.

  • Reorg resistance: The relative timelock k mitigates shallow reorg games.

  • Graceful degradation: A quantum attacker can force execution or cause delay or fee grief, but cannot steal value.

Some more information and discussion is on Delving Bitcoin:

https://delvingbitcoin.org/t/a-quantum-resistance-script-only-using-op-ctv-op-txhash-and-no-new-signatures/2168/5

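The following is an added example, not code from the post above or from any Bitcoin implementation: a toy Python simulation of the two-phase vault as described (Phase 0 policy, Anchor reveal path, Anchor escape path), walked through with a signature-forging attacker who front-runs Phase 1. The OP_TXHASH field selection and the OP_CTV template hash are simplified stand-ins (they commit to outputs and nSequence only), scriptPubKeys are opaque labels, and all values, fee bounds, the depth k and the secret x are constructed for the example. Note that no signature is ever checked, which is the point: under the stated threat model a signature would add nothing.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


@dataclass
class Output:
    value: int   # satoshis
    spk: bytes   # scriptPubKey, modelled as an opaque label


@dataclass
class Tx:
    outputs: list
    nsequence: int = 0                           # BIP68 relative lock on the single input
    witness: dict = field(default_factory=dict)


def ctv_hash(tx: Tx) -> bytes:
    """Stand-in for the OP_CTV template hash: commits to outputs and nSequence.
    (Assumption: real BIP119 covers more fields; this is enough for the model.)"""
    ser = b"".join(o.value.to_bytes(8, "little") + o.spk for o in tx.outputs)
    return sha256(ser + tx.nsequence.to_bytes(4, "little"))


# Vault parameters (constructed for the example).
P_ANCHOR, P_OWNER, P_ESCAPE, P_ATTACKER = b"anchor", b"owner-cold", b"owner-escape", b"attacker"
VAULT_VALUE = 1_000_000
MAX_FEE = 2_000            # Phase 0 fee bound
K = 6                      # depth gate (CSV blocks) on the reveal path
X = b"one-time-secret"     # owner's secret; stays offline until Phase 2
C = sha256(X)

# Templates T and E are fixed when the vault is created and bake in the destinations.
T_TX = Tx([Output(VAULT_VALUE - 2 * MAX_FEE, P_OWNER)], nsequence=K)
E_TX = Tx([Output(VAULT_VALUE - 2 * MAX_FEE, P_ESCAPE)], nsequence=0)
T, E = ctv_hash(T_TX), ctv_hash(E_TX)


def phase0_check(tx: Tx, prev_value: int) -> bool:
    """Phase 0 policy as OP_TXHASH would enforce it: exactly one output, pinned
    to P_anchor, fee bounded. Deliberately no signature check: the threat model
    lets the attacker forge signatures, so one would add nothing."""
    if len(tx.outputs) != 1 or tx.outputs[0].spk != P_ANCHOR:
        return False
    return 0 <= prev_value - tx.outputs[0].value <= MAX_FEE


def anchor_reveal_check(tx: Tx, anchor_age: int) -> bool:
    """Path 1: OP_CSV depth gate (script demands nSequence >= K, consensus
    demands the anchor be at least that old), SHA256(x) == C, CTV == T."""
    x = tx.witness.get("x", b"")
    return (tx.nsequence >= K and anchor_age >= tx.nsequence
            and sha256(x) == C and ctv_hash(tx) == T)


def anchor_escape_check(tx: Tx) -> bool:
    """Path 2: CTV == E only. No secret is required, so none is revealed."""
    return ctv_hash(tx) == E


def attacker_phase0_attempts(prev_value: int = VAULT_VALUE) -> dict:
    """What a signature-forging attacker can do with the Phase 0 UTXO."""
    steal = Tx([Output(prev_value - 1_000, P_ATTACKER)])
    leak = Tx([Output(prev_value - 10_000, P_ANCHOR), Output(9_000, P_ATTACKER)])
    grief = Tx([Output(prev_value - 500_000, P_ANCHOR)])   # fee far above the bound
    publish = Tx([Output(prev_value - 1_000, P_ANCHOR)])   # the only admissible shape
    return {"steal": phase0_check(steal, prev_value),
            "leak": phase0_check(leak, prev_value),
            "grief": phase0_check(grief, prev_value),
            "publish": phase0_check(publish, prev_value)}


def run_scenario() -> dict:
    """Walk the two-phase reveal with an attacker front-running Phase 1."""
    r = {}
    anchor_tx = Tx([Output(VAULT_VALUE - MAX_FEE, P_ANCHOR)])
    r["attacker_publishes_anchor"] = phase0_check(anchor_tx, VAULT_VALUE)   # allowed, harmless
    anchor_value = anchor_tx.outputs[0].value
    # Attacker holds forged signatures but not x, and E only ever pays P_ESCAPE.
    grab = Tx([Output(anchor_value - MAX_FEE, P_ATTACKER)], nsequence=K, witness={"x": b"guess"})
    r["attacker_reveal_without_x"] = anchor_reveal_check(grab, anchor_age=K)
    r["attacker_escape_redirect"] = anchor_escape_check(grab)
    # Owner inspects the mined anchor, finds it correct, and reveals after K blocks.
    reveal = Tx(list(T_TX.outputs), nsequence=K, witness={"x": X})
    r["owner_reveal_too_early"] = anchor_reveal_check(reveal, anchor_age=K - 1)
    r["owner_reveal"] = anchor_reveal_check(reveal, anchor_age=K)
    # x is now public; replaying it toward another destination fails the template.
    replay = Tx([Output(anchor_value - MAX_FEE, P_ATTACKER)], nsequence=K, witness={"x": X})
    r["attacker_replay_after_reveal"] = anchor_reveal_check(replay, anchor_age=K)
    # Alternative branch: owner dislikes what was mined and leaves via E; x is never disclosed.
    escape = Tx(list(E_TX.outputs), nsequence=0)
    r["owner_escape"] = anchor_escape_check(escape)
    return r


if __name__ == "__main__":
    print(attacker_phase0_attempts())
    print(run_scenario())
```

One thing the model makes visible that the prose only implies: because T and E fix output amounts, whatever fee a third party pays (or underpays) when publishing Phase 1 lands in the Phase 2 fee, which is why the Phase 0 fee bound matters for the owner's ability to get the final spend mined.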