When we considered this option, an idea was to create a kind of registry with the following relation:
addr(P2PKH) :: PQ_PK :: proof
In this scenario, the user:
- Generates the set of new PQ keys $\{\mathsf{pk}_i, \mathsf{sk}_i\}_{i\in \mathsf{SLH\text{-}DSA, ML\text{-}DSA, etc}}$ for the different PQ signature algorithms $i$
- Forms a message $m = \mathcal{H}_{sha256}(\mathsf{tagPQ}, \{\mathsf{pk}_i, \mathsf{sk}_i\}, tx\_id, index)$
- Signs the message with the ECDSA key behind a P2PKH address: $\sigma \gets \mathsf{SigGen}(m, sk_{\mathsf{ECDSA}})$
- Generates the proof $\pi_{\mathsf{p2pkh}}$ for the relation:
If we have a secure timestamping service (like OpenTimestamps), the user can commit $(m, \pi_{\mathsf{p2pkh}})$ before day Q (to be able to prove in the future the connection between the P2PKH address and the PQ keys).
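An added sketch (not part of the original post) of forming $m$ so that a verifier can later recompute it byte for byte from the revealed registry entry. The post does not specify a serialization, so the length-prefixed encoding, the byte value of the tag, the algorithm labels, and committing to the public keys only are all assumptions made here.

```python
import hashlib
import hmac
import struct

TAG = b"tagPQ"  # tag name from the post; its byte value is an assumption

def _lp(field: bytes) -> bytes:
    """Length-prefix a field (u32 LE) so field boundaries are unambiguous."""
    return struct.pack("<I", len(field)) + field

def commitment(pq_pks: dict, txid: bytes, index: int) -> bytes:
    """m = SHA256(tag, {pk_i}, tx_id, index) under an assumed canonical encoding."""
    if len(txid) != 32 or not pq_pks:
        raise ValueError("need a 32-byte txid and at least one PQ public key")
    buf = _lp(TAG) + struct.pack("<I", len(pq_pks))
    for alg in sorted(pq_pks):  # sorted: the same key set always gives the same m
        buf += _lp(alg.encode()) + _lp(pq_pks[alg])
    buf += txid + struct.pack("<I", index)
    return hashlib.sha256(buf).digest()

def naive_commitment(pq_pks: dict, txid: bytes, index: int) -> bytes:
    """Plain concatenation, shown only to expose the ambiguity it creates."""
    keys = b"".join(pq_pks[a] for a in sorted(pq_pks))
    return hashlib.sha256(TAG + keys + txid + struct.pack("<I", index)).digest()

def entry_matches(timestamped_m: bytes, pq_pks: dict, txid: bytes, index: int) -> bool:
    """Verifier side: recompute m from the revealed registry entry and compare."""
    return hmac.compare_digest(timestamped_m, commitment(pq_pks, txid, index))

# Constructed sample data (not real keys or a real transaction).
TXID = bytes(range(32))
KEYS = {"ML-DSA": b"\x01\x02", "SLH-DSA": b"\x03"}
SHIFTED = {"ML-DSA": b"\x01", "SLH-DSA": b"\x02\x03"}  # same bytes, moved boundary

if __name__ == "__main__":
    m = commitment(KEYS, TXID, 0)
    print("m =", m.hex())
    print("entry verifies:      ", entry_matches(m, KEYS, TXID, 0))
    print("different index:     ", entry_matches(m, KEYS, TXID, 1))
    print("naive encoding clash:",
          naive_commitment(KEYS, TXID, 0) == naive_commitment(SHIFTED, TXID, 0))
    print("canonical clash:     ", entry_matches(m, SHIFTED, TXID, 0))
```

With plain concatenation, two different key sets hash to the same $m$, so a timestamp over it would not pin down which PQ keys were registered; the length-prefixed form binds each key to its algorithm label.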