Commit-Delay-Reveal (CDR) Protocol (Part 3)
This is Part 3 of our visual series on quantum threats to Bitcoin and how we can defend against them.
In case you missed the earlier posts:
The Threat: Quantum Computers
A sufficiently large quantum computer could break ECDSA by recovering a private key from its public key.
Once your public key is exposed on-chain, your funds can be stolen.
The Goal
We want to move coins from vulnerable UTXOs (e.g., P2PKH) to a quantum-safe address without revealing the old key.
The Solution: Commit-Delay-Reveal
A protocol with 3 phases:
Commit → Delay → Reveal
CDR Phases Overview
Commit (C): You commit to your keys
Delay (D): You wait for a security window
Reveal (R): You prove ownership and migrate safely
1. Commit Phase
Bob creates a commitment to two keys:
pk: old (ECDSA)
pkQR: new (quantum-safe)
Commitment: H(pk || pkQR)
Bob includes this hash in a transaction T_commit using OP_RETURN.
This hides the keys while anchoring the commitment on-chain.
2. Delay Phase
Bob waits a period t_sec without touching the UTXO.
This pause protects the commitment: to displace it, an attacker would have to reorg the chain back past T_commit.
Suggested delay: 6 months
This makes even quantum-powered reorgs too costly.
3. Reveal Phase
After the delay, Bob creates T_reveal to move the funds using his quantum-safe key skQR.
T_reveal must include:
pk → old key
pkQR → new key
H(pk || pkQR) → prove it was in T_commit
Signature with skQR
Detailed Breakdown
Step 1: Reveal Old Key
This proves you control the originally locked UTXO.
Step 2: Reveal New Key
This is your quantum-resistant key.
Step 3: Prove the Commitment
Show that H(pk || pkQR) was committed earlier in T_commit.
Step 4: Sign with Quantum Key
Only someone with the secret key of pkQR can authorize the spend.
Final Result
The network is convinced:
The person who controls pkQR also controlled pk.
The migration is secure.
Limitation
To begin the process, users need access to some quantum-safe UTXOs.
Solution
The FawkesCoin protocol solves this by helping bootstrap quantum-safe UTXOs.
Next Post
We'll dive deeper into FawkesCoin next.
Follow for more
Follow @Bitcoin_Devs for more visual explainers on Bitcoin's quantum future.
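As an added example (not part of the post or of any CDR implementation), here is a small Python model of the three phases: the OP_RETURN commitment placed in T_commit, the delay check measured in block heights, and the checks a verifier runs on T_reveal. Assumptions: SHA-256 as H, a Lamport one-time signature standing in for the quantum-safe scheme the post leaves unnamed, and a fixed byte string standing in for the signed spending transaction.

```python
import hashlib
import secrets

# About six months of blocks at one block per ten minutes (the post's suggested delay).
DELAY_BLOCKS = 6 * 30 * 144

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts: the post's H(pk || pkQR)."""
    return hashlib.sha256(b"".join(parts)).digest()

# Stand-in quantum-safe scheme: a Lamport one-time signature over SHA-256.
# Assumption: the post names no scheme; Lamport is used because it is hash-based
# and short, not because CDR prescribes it. Each key signs exactly one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pkQR = b"".join(H(a) + H(b) for a, b in sk)   # 256 pairs of hashes, 16 KiB
    return sk, pkQR

def lamport_sign(sk, msg: bytes) -> bytes:
    d = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(d >> (255 - i)) & 1] for i in range(256))

def lamport_verify(pkQR: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pkQR) != 256 * 64 or len(sig) != 256 * 32:
        return False
    d = int.from_bytes(H(msg), "big")
    for i in range(256):
        bit = (d >> (255 - i)) & 1
        expected = pkQR[i * 64 + bit * 32 : i * 64 + bit * 32 + 32]
        if H(sig[i * 32 : i * 32 + 32]) != expected:
            return False
    return True

# Commit phase: the OP_RETURN output script Bob places in T_commit.
def build_commit_script(pk: bytes, pkQR: bytes) -> bytes:
    return b"\x6a\x20" + H(pk, pkQR)   # OP_RETURN, push 32 bytes, the commitment

# Reveal phase: the checks a verifier runs on T_reveal. Step 1 (pk matches the
# spent P2PKH output) is the ordinary script check and is not modelled here.
def verify_reveal(commit_script: bytes, commit_height: int, reveal_height: int,
                  pk: bytes, pkQR: bytes, sig: bytes) -> bool:
    if commit_script != build_commit_script(pk, pkQR):
        return False                                # Step 3: not what T_commit committed to
    if reveal_height - commit_height < DELAY_BLOCKS:
        return False                                # Delay window not yet elapsed
    msg = pk + pkQR + commit_script                 # stands in for the signed transaction
    return lamport_verify(pkQR, msg, sig)           # Step 4: only skQR can authorize
```

The three rejections in `verify_reveal` correspond to the post's checks: a commitment that does not match, a reveal that comes too early, and a spend not authorized by skQR.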
One question I have about CDR is how we would distinguish between a quantum vulnerable address whose public key is still hidden and those addresses with public keys that have been revealed?
Could an attacker who knows your public key "race" you to get their commitment tx in a block, committing your coins to their QR address?
Perhaps we say p2pk and p2tr are not eligible for CDR, but what about reused addresses or leaked xpubs? How do we know the CDR commitment transaction is actually being made by the true owner of the coins rather than someone who managed to gain access to their pubkey?
Wouldn't this kind of turn public keys into private keys? (I feel like I must be getting something wrong here).
May this be fruitful!