<div dir="ltr">Hi all,<div><br></div><div>Recently I've been exploring what a post-quantum attack on Bitcoin would actually look like, and what options exist for mitigating it.</div><div><br></div><div>
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">I've put up a draft of my research here: <a href="https://medium.com/@tristanhoy/11271f430c41">https://medium.com/@tristanhoy/11271f430c41</a></span>
<br></div><div><br></div><div>In summary:</div><div>1) None of the recommended post-quantum DSAs (XMSS, SPHINCS) are scalable<br></div><div>2) This is a rapidly advancing space and committment to a specific post-quantum DSA now would be premature</div><div>3) I've identified a strategy (solution 3 in the draft) that mitigates against the worst case scenario (unexpectedly early attack on ECDSA) without requiring any changes to the Bitcoin protocol or total committment to a specific post-quantum DSA that will likely be superseded in the next 3-5 years</div><div>4) This strategy also serves as a secure means of transferring balances into a post-quantum DSA address space, even in the event that ECDSA is fully compromised and the transition is reactionary</div><div><br></div><div>The proposal is a change to key generation only and will be implemented by wallet providers.</div><div><br></div><div>Feedback would be most appreciated.</div><div><br></div><div>Regards,</div><div><br></div><div>Tristan</div></div>