in the face of a quantum adversary, a commonly discussed emergency soft fork for Bitcoin would be to disable the Taproot keyspend path (eprint.iacr.org/2025/1307), effectively turning it into something that resembles BIP-360
assuming an existing precautionary soft fork to add a pq signature scheme, this would safely allow holders to maintain unilateral custody of their funds
a downside to this proposal is that any keyspend-only output (normal schnorr sig) would be locked indefinitely
inspired by eprint.iacr.org/2023/362, I set out to address the option problem in section 6, to create a variant of seed-lifting that doesn't reveal the wallet's master secret! 🤓
the end result is a zk-STARK proof that proves: "public key P was generated using a private key k, which itself was derived via BIP-32/BIP-86 with a master wallet secret S"
this generalizes beyond Taproot, and would allow the rightful owners of any BIP-32 derived wallets to move their funds in the case of a spend-disabling emergency soft fork 🛡️
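The statement above, written out as an added example so the relation being proven is concrete. This is a plain-Python reference model of what the zkVM guest has to check, not the TinyGo guest from bip32-pq-zkp: it assumes the master secret S is a BIP-39 seed, walks the BIP-32 path with CKDpriv, applies the BIP-86/BIP-341 key-path tweak, and compares the resulting x-only output key against the public key P. The secp256k1 arithmetic, the helper names (`derive_taproot`, `statement_holds`) and the use of the BIP-86 test vector as constructed input are all this example's own choices.

```python
"""Reference model of the "P was derived from S via BIP-32/BIP-86" statement.
Added example, not code from bip32-pq-zkp; pure Python so it runs offline."""
import hashlib
import hmac

# secp256k1 constants: field prime, group order, generator.
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P_FIELD == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD


def _mul(k, p):
    """Double-and-add scalar multiplication (clarity, not constant time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _compressed(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 mnemonic -> 64-byte seed; this plays the role of S here."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(),
                               b"mnemonic" + passphrase.encode(), 2048, 64)


def bip32_master(seed):
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def bip32_ckd_priv(k, chain, index):
    """BIP-32 CKDpriv: hardened children commit to k, normal ones to k*G."""
    if index >= HARDENED:
        data = b"\x00" + k.to_bytes(32, "big")
    else:
        data = _compressed(_mul(k, G))
    i = hmac.new(chain, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k) % N_ORDER
    if il >= N_ORDER or child == 0:  # BIP-32 says: invalid, skip this index
        raise ValueError("invalid child key at index %d" % index)
    return child, i[32:]


def parse_path(path):
    """'m/86'/0'/0'/0/0' -> list of child indices with the hardened bit set."""
    idxs = []
    for part in path.split("/")[1:]:
        hardened = part[-1] in "'h"
        idxs.append(int(part.rstrip("'h")) + (HARDENED if hardened else 0))
    return idxs


def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def taproot_keys(d):
    """BIP-86 key-path-only output: Q = P + H_TapTweak(P)*G, as x-only hex."""
    pt = _mul(d, G)
    if pt[1] & 1:  # BIP-340 x-only keys imply even y, so negate the secret
        d = N_ORDER - d
    internal = pt[0].to_bytes(32, "big")
    t = int.from_bytes(tagged_hash("TapTweak", internal), "big")
    q = _mul((d + t) % N_ORDER, G)
    return internal.hex(), q[0].to_bytes(32, "big").hex()


def derive_taproot(seed, path):
    k, chain = bip32_master(seed)
    for idx in parse_path(path):
        k, chain = bip32_ckd_priv(k, chain, idx)
    return taproot_keys(k)


def statement_holds(seed, path, output_key_hex):
    """The guest's check. Only path and output_key_hex are public; seed is the
    private witness that never leaves the prover."""
    return derive_taproot(seed, path)[1] == output_key_hex


# Constructed input: the BIP-86 test vector, not anything from the post.
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_PATH = "m/86'/0'/0'/0/0"
```

In a zkVM guest the seed and path are read as private input, the derived output key is committed as the public output, and the verifier only ever sees that commitment plus the proof; the prover learns nothing about S beyond the fact that it derives P. The example uses the key-path-only tweak; a wallet with a script tree would hash the tree root into `tagged_hash("TapTweak", internal + root)` instead.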
the final proof takes 50 seconds to run on my MacBook with Metal GPU acceleration, uses 12 GB of RAM during proving, with a final proof size of 1.7 MB
the proving code/statement is largely unoptimized, and it's possible to aggregate several proofs into a single smaller proof ⨻
an actual production deployment would likely use a smaller, optimized circuit for this specific statement; this demo serves to demonstrate that such a proof is well within reach w/ today's hardware and software
to generate the proof I forked TinyGo to add a risc0 RISC-V ELF compilation target for TinyGo:
github.com/Roasbeef/tinygo-z…
then I used some helper utilities and a C FFI wrapped risc0 library to create a generalized toolkit for TinyGo zk-STARK proofs:
github.com/Roasbeef/go-zkvm
the final guest and host programs live in the bip32-pq-zkp repo:
github.com/Roasbeef/bip32-pq…
such a proof scheme is yet another tool in the post quantum toolkit for Bitcoin developers to prepare for an eventual PQ world 🤠
full details in my post to the Bitcoin dev mailing list:
groups.google.com/g/bitcoind…