[Cryptography] Post-quantum confidential transactions: open problem with the commitment layer

Communitycoins Communitycoins at proton.me
Mon Jun 22 20:03:24 EDT 2026


Thanks Howard, that's a fair correction and I appreciate it.

You're right that FCMP++ supersedes ring signatures, and I should be citing the current design rather than the one it replaces. The full-chain anonymity set is a real step up from a fixed ring.

The reason it doesn't quite resolve what I'm after is that FCMP++ is built on curve trees and Eagen's divisor work, both over an elliptic curve cycle, so the construction is still discrete-log-based. As I understand it, the forward-secrecy property means a future adversary with a discrete-log oracle can't retroactively deanonymize past spends, since the membership proof is zero-knowledge and leaks nothing about which output was spent. That's genuinely stronger than what rings offered. But it protects the privacy of past transactions, not the integrity of funds going forward, since the spend authorization and the Pedersen commitments are still ECC, so a quantum adversary could still forge spends or open commitments. Monero's roadmap seems to treat full PQ as a later, separate step.

For a design that has to be post-quantum on every layer from genesis, that leaves what I think is the actual open question. Is there a post-quantum analog of a full-chain membership proof? Something lattice- or hash-based that proves membership in a set of millions of outputs with proof sizes in the low kilobytes. Curve trees lean on the curve cycle for the recursive proofs, and I haven't found a lattice equivalent that's practical at that scale. If that's genuinely open, the sender-privacy layer may be harder than the commitment layer I started with.

If you know of work pointing that way I'd be glad to read it. Either way, thanks for the steer, it's already changing how I write that section.
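Added example, not part of the message above and not code from Monero or any other project: a toy Pedersen commitment scheme over a small prime-order group, illustrating the commitment-layer point the message makes. It shows the additive homomorphism a confidential-transaction balance check relies on, that hiding is information-theoretic (so a later discrete-log-capable adversary learns nothing about the amounts in old commitments from the commitments alone), and that binding collapses as soon as anyone knows log_g(h), which is exactly what a quantum discrete-log oracle would supply. The group (safe prime p = 1019, subgroup order q = 509), the hash label, the function names and the brute-force `dl_oracle` standing in for Shor's algorithm are all constructed assumptions for illustration; a real scheme uses a roughly 256-bit group, where the brute-force loop is infeasible and only a quantum adversary could recover the trapdoor.

```python
"""Toy Pedersen commitments: homomorphism, perfect hiding, and trapdoor-broken binding.

Constructed toy parameters: safe prime P = 2Q + 1 with Q = 509, so a brute-force
loop can stand in for the quantum discrete-log oracle the thread is discussing.
"""
import hashlib
import secrets

P = 1019            # safe prime (toy size; real schemes use ~256-bit groups)
Q = (P - 1) // 2    # 509, prime order of the quadratic-residue subgroup
G = pow(2, 2, P)    # 4: any square other than 1 generates the order-Q subgroup


def hash_to_group(label: bytes) -> int:
    """Second generator H whose discrete log base G nobody chose."""
    ctr = 0
    while True:
        digest = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if h not in (0, 1):
            return h
        ctr += 1


H = hash_to_group(b"pedersen-second-generator")  # constructed label


def commit(value: int, blinding: int) -> int:
    """C = G^value * H^blinding, the multiplicative form of v*G + r*H."""
    return pow(G, value % Q, P) * pow(H, blinding % Q, P) % P


def opens_to(c: int, value: int, blinding: int) -> bool:
    return commit(value, blinding) == c


def fresh_blinding() -> int:
    return secrets.randbelow(Q - 1) + 1


def balances(in_commits, out_commits, excess_blinding: int) -> bool:
    """Verifier-side balance check. prod(C_in) / prod(C_out) = G^(sum v_in - sum v_out) * H^excess,
    so it equals a pure H^excess exactly when the amounts balance. The prover reveals
    (or, in a real design, signs with) excess = sum r_in - sum r_out; amounts stay hidden."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = 1
    for c in out_commits:
        rhs = rhs * c % P
    return lhs * pow(rhs, -1, P) % P == pow(H, excess_blinding % Q, P)


def dl_oracle(base: int, target: int) -> int:
    """Stand-in for a quantum DL oracle: exhaustive search, feasible only at toy size."""
    acc = 1
    for k in range(Q):
        if acc == target:
            return k
        acc = acc * base % P
    raise ValueError("target is not in the subgroup generated by base")


def forge_opening(c: int, new_value: int, trapdoor: int) -> int:
    """With t = log_G(H) and a DL oracle, open *any* on-chain commitment to any amount.
    C = G^e with e = log_G(C), and G^v' * H^r' = G^(v' + t*r'), so r' = (e - v') / t mod Q.
    Forwards, this is the binding failure (a forged amount with a valid opening).
    Read backwards, it shows every amount has a valid opening for every C, so
    hiding never depended on discrete logs being hard in the first place."""
    e = dl_oracle(G, c)
    return (e - new_value) * pow(trapdoor, -1, Q) % Q


if __name__ == "__main__":
    # Constructed toy transaction: inputs 7 + 5, outputs 10 + 2.
    ins = [(7, fresh_blinding()), (5, fresh_blinding())]
    outs = [(10, fresh_blinding()), (2, fresh_blinding())]
    excess = sum(r for _, r in ins) - sum(r for _, r in outs)
    print("balances:", balances([commit(v, r) for v, r in ins],
                                [commit(v, r) for v, r in outs], excess))

    t = dl_oracle(G, H)                 # what Shor's algorithm hands the adversary
    c = commit(7, ins[0][1])
    r_forged = forge_opening(c, 400, t)
    print("commitment to 7 also opens to 400:", opens_to(c, 400, r_forged))
```

The two halves of `forge_opening` are the practical content of the message's distinction: the same trapdoor that lets an adversary re-open an old commitment to a different amount (so a still-ECC commitment layer cannot protect funds against a future quantum adversary) gives it no information about which amount was originally committed, because every amount has an equally valid opening. Binding is the computational property; hiding is not.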