Mehow

The authors are me and the AF team. We published the Ed25519 version of the tech referenced in the article today. The secp256k1 version we’re almost done with, we confirmed it works already and we’ll be publishing that shortly. With the secp256k1 version there are two variants of protection… 1. Any address derived with BIP-32 (which should be all the money in crypto except the oldest of old wallets that were pre BIP-32 paper wallets) is automatically quantum protected with no funds migration by the user and that has a 9 second proving time. 2. We have a new QBIP-32 for secp256k1 which is a new HD derivation standard that does the same thing as above but does it in under 100ms and also works with standard ECDSA signing. So the general deployment idea is that paper wallets move funds to BIP-32 before q-day (our expert opinion on when that is 2032) and users on their next transaction use QBIP-32 for more future speed. QBIP-32 will work today with millisecond derivation time of the address and can be traditionally signed (again milliseconds) and 100ms quantum proving time when the nodes decide it’s q-day. The nodes can decide whether to spend you need the old school ECDSA sign (BIP-32 or QBIP-32) or both or just quantum. In any case where the money is going and addresses can stay the same forever. QBIP-32 keys will be indistinguishable from regular BIP-32 keys or even just randomly generated keys except for the ability to produce ZPKs. Nobody can look at the public keys and know how they were derived.