
Commit-Delay-Reveal (CDR) Protocol (Part 3)

This is Part 3 of our visual series on quantum threats to Bitcoin and how we can defend against them.
📚 In case you missed the earlier posts:

🧠 The Threat: Quantum Computers

Quantum computers can break ECDSA.
Once your public key is exposed, your funds can be stolen.

🎯 The Goal

We want to move coins from vulnerable UTXOs (e.g., P2PKH) to a quantum-safe address without revealing the old key.

๐Ÿ›ก๏ธ The Solution: Commit-Delay-Reveal

A protocol with 3 phases:
Commit → Delay → Reveal

🧩 CDR Phases Overview

Commit (C): You commit to your keys
Delay (D): You wait for a security window
Reveal (R): You prove ownership and migrate safely

🔶 1. Commit Phase

Bob creates a commitment of two keys:
  • pk: old (ECDSA)
  • pkQR: new (quantum-safe)
โžก๏ธ H(pk || pkQR)

Bob includes this hash in a transaction T_commit using OP_RETURN.
This hides the keys, while anchoring the commitment on-chain.

🟡 2. Delay Phase

Bob waits a period t_sec without touching the UTXO.
This pause lets the commitment sink deep enough into the chain that an attacker cannot reorg it away and replace it with one of their own.

โณ Suggested delay: 6 months
Makes even quantum-powered reorgs too costly.

🟢 3. Reveal Phase

After the delay, Bob creates T_reveal to move the funds using his quantum-safe key skQR.

T_reveal must include:
  1. pk: the old key
  2. pkQR: the new key
  3. H(pk || pkQR): proof that it was in T_commit
  4. A signature with skQR

🧾 Detailed Breakdown

✅ Step 1: Reveal Old Key

This proves you control the originally locked UTXO.

✅ Step 2: Reveal New Key

This is your quantum-resistant key.

✅ Step 3: Prove the Commitment

Show that H(pk || pkQR) was committed earlier in T_commit.

✅ Step 4: Sign with Quantum Key

Only someone with the secret key of pkQR can authorize the spend.
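As an added example (not code from the original post), this Python models the checks a verifier would apply to T_reveal across the four steps above: the revealed pk must be the key locked in the old P2PKH output, H(pk || pkQR) must already be on-chain and at least t_sec deep, and the spend must be signed by skQR. A Lamport one-time signature stands in for the quantum-safe scheme, a dict stands in for the chain, and the signed message and the 26,280-block delay are all assumptions, since the post names none of them.

```python
import hashlib
import secrets

DELAY_BLOCKS = 26_280  # ~6 months at 144 blocks/day: the post's suggested t_sec (assumed)

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def commitment(pk: bytes, pk_qr: bytes) -> bytes:
    return sha256(pk + pk_qr)   # H(pk || pkQR): the value Bob anchors in T_commit via OP_RETURN

# Lamport one-time signatures stand in for the quantum-safe key (the post names no scheme).
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(sha256(a) + sha256(b) for a, b in sk)
    return sk, pk

def lamport_sign(sk, msg: bytes) -> bytes:
    d = int.from_bytes(sha256(msg), "big")
    return b"".join(sk[i][(d >> (255 - i)) & 1] for i in range(256))

def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    d = int.from_bytes(sha256(msg), "big")
    for i in range(256):
        bit = (d >> (255 - i)) & 1
        if sha256(sig[32*i:32*i+32]) != pk[64*i+32*bit:64*i+32*bit+32]:
            return False
    return True

def verify_reveal(reveal: dict, commits: dict, utxo_pkh: bytes, height: int) -> bool:
    """Checks a node applies to T_reveal; commits maps H(pk||pkQR) -> height of its T_commit."""
    pk, pk_qr, h, sig = reveal["pk"], reveal["pkQR"], reveal["commit"], reveal["sig"]
    if sha256(pk) != utxo_pkh:                # 1. pk is the key locked in the old P2PKH output
        return False                          #    (hash160 modelled as plain sha256 here)
    if h != commitment(pk, pk_qr) or h not in commits:  # 2+3. hash matches and was committed
        return False
    if height - commits[h] < DELAY_BLOCKS:    # delay not served: a fresh commitment is rejected
        return False
    return lamport_verify(pk_qr, pk + pk_qr + h, sig)   # 4. authorised by skQR, not the old key

def demo():
    """Bob commits at height 800_000 and reveals; returns (too-early result, on-time result)."""
    pk = b"\x02" + secrets.token_bytes(32)    # constructed stand-in for Bob's ECDSA pubkey
    sk_qr, pk_qr = lamport_keygen()
    h = commitment(pk, pk_qr)
    commits = {h: 800_000}                    # T_commit mined at this height
    reveal = {"pk": pk, "pkQR": pk_qr, "commit": h,
              "sig": lamport_sign(sk_qr, pk + pk_qr + h)}  # assumed signed message
    early = verify_reveal(reveal, commits, sha256(pk), 800_000 + 1_000)
    return early, verify_reveal(reveal, commits, sha256(pk), 800_000 + DELAY_BLOCKS)  # (False, True)
```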

🎯 Final Result

The network is convinced:
The person who controls pkQR also controlled pk.
The migration is secure.

🚨 Limitation

To begin the process, users need access to some quantum-safe UTXOs.

✅ Solution

The FawkesCoin protocol solves this by helping bootstrap quantum-safe UTXOs.

👀 Next Post

We'll dive deeper into FawkesCoin next.

🤖 Follow for more

Follow @Bitcoin_Devs for more visual explainers on Bitcoin's quantum future.
One question I have about CDR is how we would distinguish between a quantum vulnerable address whose public key is still hidden and those addresses with public keys that have been revealed?
Could an attacker who knows your public key "race" you to get their commitment tx in a block, committing your coins to their QR address?
Perhaps we say p2pk and p2tr are not eligible for CDR, but what about reused addresses or leaked xpubs? How do we know the CDR commitment transaction is actually being made by the true owner of the coins rather than someone who managed to gain access to their pubkey?
Wouldn't this kind of turn public keys into private keys? (I feel like I must be getting something wrong here).
May this be fruitful!