Author: Tristan Hoy 2018-02-13 10:06:31
Published on: 2018-02-13T10:06:31+00:00
In a post-quantum world, the second "d" type transaction in Bitcoin is forgeable and vulnerable to front-running: an adversary capable of breaking ECDSA listens for these transactions, obtains "classic_sk," and then uses a higher fee or a relationship with a miner to effectively turn the original "d" transaction into a double-spend, with the forged transaction sending all the funds to the adversary. However, Tim Ruffing clarifies that the decommit step of a two-step transaction does not specify the effects (output script); the commit step fixes this by specifying it. The worst-case outcome is that ECDSA is broken before PQ addresses are rolled out, which calls for a proactive measure deployed sooner rather than later. Any two-step approach adopted now as a proactive measure will bloat the blockchain and also double the effective confirmation time for all transactions between now and when PQ addresses are rolled out, which is not likely to happen in the next 5 years. The solution proposed by Tristan Hoy changes key generation only and will be implemented by wallet providers, but he also acknowledges that no recommended post-quantum DSAs are scalable and that committing to a specific post-quantum DSA now would be premature. Feedback on his proposal is appreciated.
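As an added illustration, not code from the thread and a deliberate simplification of any actual proposal, the following Python models why fixing the output script in the commit step (Ruffing's point) defeats the front-running described above, while a commit that binds only the key does not. The keys, scripts and hash-based commitment are constructed placeholders.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample values; not real Bitcoin keys or scripts.
OWNER_PK = bytes.fromhex("02" + "11" * 32)   # placeholder "classic" public key
OWNER_SCRIPT = b"OP_DUP OP_HASH160 <owner_pkh> OP_EQUALVERIFY OP_CHECKSIG"
ADV_SCRIPT = b"OP_DUP OP_HASH160 <adversary_pkh> OP_EQUALVERIFY OP_CHECKSIG"


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so concatenation is unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


@dataclass(frozen=True)
class Decommit:
    classic_pk: bytes
    output_script: bytes
    nonce: bytes


def commit_unbound(classic_pk: bytes, nonce: bytes) -> bytes:
    """Weak commit: binds only the key, not the effects (output script)."""
    return h(classic_pk, nonce)


def commit_bound(classic_pk: bytes, output_script: bytes, nonce: bytes) -> bytes:
    """Commit with the effects fixed: the output script is part of the digest."""
    return h(classic_pk, output_script, nonce)


def verify_unbound(commitment: bytes, d: Decommit) -> bool:
    return commit_unbound(d.classic_pk, d.nonce) == commitment


def verify_bound(commitment: bytes, d: Decommit) -> bool:
    return commit_bound(d.classic_pk, d.output_script, d.nonce) == commitment


def front_run(d: Decommit, adversary_script: bytes) -> Decommit:
    """Model an ECDSA-breaking adversary: having seen the broadcast decommit it
    knows classic_pk and nonce (and could sign with a recovered classic_sk), so
    the only thing it needs to change is the output script."""
    return Decommit(d.classic_pk, adversary_script, d.nonce)


def demo() -> tuple:
    """Returns (forgery accepted under weak commit, forgery accepted under bound commit)."""
    nonce = secrets.token_bytes(32)
    honest = Decommit(OWNER_PK, OWNER_SCRIPT, nonce)
    forged = front_run(honest, ADV_SCRIPT)
    weak_ok = verify_unbound(commit_unbound(OWNER_PK, nonce), forged)      # True: redirectable
    bound_ok = verify_bound(commit_bound(OWNER_PK, OWNER_SCRIPT, nonce), forged)  # False: rejected
    return weak_ok, bound_ok
```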
Updated on: 2023-06-13T00:29:19.036382+00:00