I was wondering if using one address per transaction would mitigate this problem
No, because the public key is revealed at spending time anyway, even if you never reuse addresses. The time between broadcasting the spending transaction and it being sufficiently buried on-chain still exposes the user to risk if hypothetical machines that can compute the discrete logarithm exist. Since we're talking about hypothetical hardware, you can't make any assumptions about how fast it could work.
Furthermore, many use cases of Bitcoin involve sharing public keys with other not-fully-trusted parties. For example, multisig wallets require public keys to be shared between the participants. Lightweight clients reveal public keys to the servers that help them track their balance. Lightning channels involve shared node public keys and channel public keys on the network. In the presence of hypothetical hardware that can compute private keys, Bitcoin as it's used today would pretty much cease to exist, as all these use cases disappear.
Finally, even if you yourself manage to carefully avoid all these scenarios that involve sharing of public keys, and we somehow assume that transactions in flight don't pose a risk, you have to consider that a vast amount of BTC is currently held in addresses for which the public keys are known, even if not your funds. In the presence of a hypothetical EC-breaking machine, so many funds would become exposed that I can't imagine BTC maintaining much value.
I was wondering if using one address per transaction would mitigate this problem, since apparently key-derivation functions (bcrypt, Scrypt, Argon2) are basically quantum-safe. My reasoning is that from your "master" private key, you'd derive a new one and from this one you'd generate the public key which finally generates the address, and then when this address spends any UTXO and consequently tells its public key to the network, an attacker would only be able to get the derived private key, but never the "master" one, meaning in the end the user is relatively safe as long as they don't reuse the same address and keep on generating one address every time they want to receive a UTXO.
Yes and no.
- Master private keys that deterministically generate the actual address keys are used ubiquitously in Bitcoin, precisely because it allows using a new address for every transaction without needing a backup of every individual key. The reason is not security, but privacy, however; reuse of addresses gratuitously reveals information about shared ownership of UTXOs on chain.
- In theory, key derivation mechanisms do exist which are quantum-safe (or could be), in the sense that an attacker who learns (through whatever means) the private key to an address cannot learn the master key it was generated from. The common key derivation mechanism used in Bitcoin (BIP32) doesn't use such techniques, however, because it is incompatible with xpubs. The (unhardened) BIP32 scheme supports sharing a master public key with another party (corresponding to your master private key, which isn't revealed), in such a way that these other parties can derive the public keys corresponding to the private keys you'd derive. This enables watch-only wallets that can track funds on an online machine, while the private keys remain protected on an offline one.
- All the arguments above still apply: even if attackers are prevented from computing the master private key from an address private key, it doesn't stop them from computing address private keys from public keys.
ECDSA, and other forms of EC-based cryptography, are inherently not quantum-safe. It is tempting to think of ways to cover up this property or somehow reduce its impact, but it doesn't change the fact that the cryptography inherently just isn't designed for that. If we want post-quantum secure Bitcoin, we need to switch to actual cryptography designed for that, which is very actively being researched. I personally believe it's too early to push for that practically, as existing schemes today are very novel, are frequently broken still, and come with huge downsides (mostly size of keys or signatures), but given how rapidly the field is progressing I am confident these problems will diminish over time.
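The trade-off the second bullet describes, as an added Python example that is not part of the original answer: a from-scratch secp256k1 and BIP32 CKDpriv/CKDpub implementation (function names and the sample seed are my own, not a library's) showing that with unhardened derivation the xpub holder can derive child public keys for watch-only use, but that the same xpub plus a single leaked child private key also yields the parent private key, while a hardened child gives the xpub holder nothing. BIP32's negligible-probability I_L >= n failure case is not handled.

```python
import hashlib, hmac
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
HARDENED = 2**31  # BIP32 index offset for hardened children (written i')

def ec_add(a, b):  # affine point addition on secp256k1; None is infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, q):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, q)
        q, k = ec_add(q, q), k >> 1
    return r

ser_p = lambda q: bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")  # compressed pubkey

def hmac512(key, data):  # BIP32 split: (I_L as scalar, I_R as chain code)
    i = hmac.new(key, data, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k_par, c_par, index):
    # CKDpriv: hardened children hash the parent PRIVATE key, unhardened its PUBLIC key
    data = (b"\x00" + k_par.to_bytes(32, "big") if index >= HARDENED
            else ser_p(ec_mul(k_par, G))) + index.to_bytes(4, "big")
    t, c_child = hmac512(c_par, data)
    return (t + k_par) % N, c_child

def ckd_pub(pub_par, c_par, index):
    # CKDpub: a watch-only wallet holding only the xpub (parent pubkey + chain
    # code) derives unhardened child pubkeys; this is why wallets use them.
    assert index < HARDENED, "hardened children cannot be derived from an xpub"
    t, c_child = hmac512(c_par, ser_p(pub_par) + index.to_bytes(4, "big"))
    return ec_add(ec_mul(t, G), pub_par), c_child

def parent_priv_from_xpub(pub_par, c_par, k_child, index):
    # The trade-off: that same xpub holder, on learning ONE unhardened child
    # private key, knows t and so the parent private key; hardened: None.
    if index >= HARDENED: return None
    t, _ = hmac512(c_par, ser_p(pub_par) + index.to_bytes(4, "big"))
    return (k_child - t) % N

m, c = hmac512(b"Bitcoin seed", bytes(range(16)))  # constructed sample seed, not a real wallet
```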
