Delivery-date: Thu, 13 Mar 2025 20:33:27 -0700
Sender: bitcoindev@googlegroups.com
Date: Wed, 12 Mar 2025 14:05:22 -0700 (PDT)
From: Hunter Beast <hunter@surmount.systems>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <ae919b55-cd35-40a1-95a3-96551eadec9an@googlegroups.com>
In-Reply-To: <77dbf51a-93aa-4d4a-87c0-b1303d83d5ccn@googlegroups.com>
References: <8797807d-e017-44e2-b419-803291779007n@googlegroups.com>
 <5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com>
 <16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>
 <5550807e-0655-4895-bc66-1b67bfde8c3e@gmail.com>
 <8e1cf1b5-27d1-4510-afec-52fb28959189n@googlegroups.com>
 <69ab395f-acba-4d11-87ee-9da6327509c6@gmail.com>
 <fac67bec-cbf3-4e49-b73d-f8057adca0aan@googlegroups.com>
 <77dbf51a-93aa-4d4a-87c0-b1303d83d5ccn@googlegroups.com>
Subject: Re: [bitcoindev] P2QRH / BIP-360 Update
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_91146_890765621.1741813522055"
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com

------=_Part_91146_890765621.1741813522055
Content-Type: multipart/alternative; 
	boundary="----=_Part_91147_1693723470.1741813522055"

------=_Part_91147_1693723470.1741813522055
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

P2TRH doesn't protect against short exposure attacks.
Matt Corallo's approach basically breaks the entire existing Taproot=20
ecosystem because nobody is using PQC opcodes.
Anyway, I guess the alternative is to wait for the Binance cold wallet to=
=20
get hacked and then everyone rushes to move their funds using private=20
mempools that have limited capacity.
Either that or we wait until a perfect algorithm that does not yet exist=20
gets FIPS-certified within the next 5 years.
Not sure what else to say other than I guess we just let perfect be the=20
enemy of the good until it's too late.
Anyway, I'll keep working on this in the meantime until it's needed.
Thanks for all the support, guys.

On Wednesday, March 12, 2025 at 6:41:09=E2=80=AFAM UTC-6 Jose Storopoli wro=
te:

> I think that ECDSA was a mistake in Bitcoin (Schnorr patent expired in=20
> 2008; but I do understand its motives).
> My fear is that this BIP will become a mistake in Bitcoin in 15 years or=
=20
> less.
>
> It adds orders of magnitude to public keys sizes and/or signature sizes;=
=20
> and verification computation cost.
> About the whole QR cryptography hype:
> one thing is to do have key encapsulation QR schemes in symmetric-key=20
> cryptography where we don't have tight constrains around storage,
> like with TLS, or E2EE messaging apps.
> Another thing is to add these huge public key and signature schemes to a=
=20
> storage-restricted blockchain like Bitcoin.
> QR lattice-based asymmetric-key cryptography is still in its infancy both=
=20
> in standards and research; and we should wait.
>
> If we are worried about quantum menaces, a much better approach would be=
=20
> the P2TRH (Pay To Taproot Hash),
> even with the loss of batch verification, combined with advising users to=
=20
> not re-use address.
> Address reuse should be treated the same as nonce reuse: you get pwned!
> Or Matt Corallo's emergency disable of key path spends in P2TR;
>
> Jose Storopoli
>
> On Monday, March 3, 2025 at 6:55:19=E2=80=AFPM UTC-3 Hunter Beast wrote:
>
>> Hi, Jonas
>>
>> In order to spend the coins, a valid signature will need to be present i=
n=20
>> the attestation. Even if it's a 1/1024 multisig, a valid public key=20
>> signature pair will need to be provided. The merkle path would then be h=
ow=20
>> the arbitrary data could be encoded. In my mind this is a highly=20
>> impractical scenario that gets exponentially more complex, and only work=
s=20
>> 32 bytes at a time.
>>
>> Does that make sense?
>>
>> Hunter
>>
>> On Wednesday, February 26, 2025 at 3:00:36=E2=80=AFAM UTC-7 Jonas Nick w=
rote:
>>
>>> > it would require an extraordinary amount of computation to wind up=20
>>> with enough=20
>>> > to store arbitrary data.=20
>>>
>>> I have no idea why this would require extraordinary amount of=20
>>> computation. In=20
>>> the example I provided, arbitrary data can be included in the=20
>>> attestation=20
>>> structure with zero additional computational cost, no elliptic curve=20
>>> grinding or=20
>>> hash collisions required.=20
>>>
>>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
ae919b55-cd35-40a1-95a3-96551eadec9an%40googlegroups.com.

------=_Part_91147_1693723470.1741813522055
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div>P2TRH doesn't protect against short exposure attacks.</div><div>Matt C=
orallo's approach basically breaks the entire existing Taproot ecosystem be=
cause nobody is using PQC opcodes.</div><div>Anyway, I guess the alternativ=
e is to wait for the Binance cold wallet to get hacked and then everyone ru=
shes to move their funds using private mempools that have limited capacity.=
</div><div>Either that or we wait until a perfect algorithm that does not y=
et exist gets FIPS-certified within the next 5 years.</div><div>Not sure wh=
at else to say other than I guess we just let perfect be the enemy of the g=
ood until it's too late.</div><div>Anyway, I'll keep working on this in the=
 meantime until it's needed.</div><div>Thanks for all the support, guys.<br=
 /><br /></div><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_=
attr">On Wednesday, March 12, 2025 at 6:41:09=E2=80=AFAM UTC-6 Jose Storopo=
li wrote:<br/></div><blockquote class=3D"gmail_quote" style=3D"margin: 0 0 =
0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">I t=
hink that ECDSA was a mistake in Bitcoin (Schnorr patent expired in 2008; b=
ut I do understand its motives).<div>My fear is that this BIP will become a=
 mistake in Bitcoin in 15 years or less.</div><div><br></div><div>It adds o=
rders of magnitude to public keys sizes and/or signature sizes; and verific=
ation computation cost.</div><div>About the whole QR cryptography hype:</di=
v><div>one thing is to do have key encapsulation QR schemes in symmetric-ke=
y cryptography where we don&#39;t have tight constrains around storage,</di=
v><div>like with TLS, or E2EE messaging apps.</div><div>Another thing is to=
 add these huge public key and signature schemes to a storage-restricted bl=
ockchain like Bitcoin.</div><div>QR lattice-based asymmetric-key cryptograp=
hy is still in its infancy both in standards and research; and we should wa=
it.</div><div><br></div><div>If we are worried about quantum menaces, a muc=
h better approach would be the P2TRH (Pay To Taproot Hash),</div><div>even =
with the loss of batch verification, combined with advising users to not re=
-use address.</div><div>Address reuse should be treated the same as nonce r=
euse: you get pwned!</div><div>Or Matt Corallo&#39;s emergency disable of k=
ey path spends in P2TR;<br></div><div><br></div><div>Jose Storopoli</div><b=
r><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Mond=
ay, March 3, 2025 at 6:55:19=E2=80=AFPM UTC-3 Hunter Beast wrote:<br></div>=
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 0.8ex;border-left:1=
px solid rgb(204,204,204);padding-left:1ex">Hi, Jonas<div><br></div><div>In=
 order to spend the coins, a valid signature will need to be present in the=
 attestation. Even if it&#39;s a 1/1024 multisig, a valid public key signat=
ure pair will need to be provided. The merkle path would then be how the ar=
bitrary data could be encoded. In my mind this is a highly impractical scen=
ario that gets exponentially more complex, and only works 32 bytes at a tim=
e.</div><div><br></div><div>Does that make sense?</div><div><br></div><div>=
Hunter<br><br></div><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"g=
mail_attr">On Wednesday, February 26, 2025 at 3:00:36=E2=80=AFAM UTC-7 Jona=
s Nick wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 =
0 0 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> &gt; it=
 would require an extraordinary amount of computation to wind up with enoug=
h
<br> &gt; to store arbitrary data.
<br>
<br>I have no idea why this would require extraordinary amount of computati=
on. In
<br>the example I provided, arbitrary data can be included in the attestati=
on
<br>structure with zero additional computational cost, no elliptic curve gr=
inding or
<br>hash collisions required.
<br></blockquote></div></blockquote></div></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/ae919b55-cd35-40a1-95a3-96551eadec9an%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/ae919b55-cd35-40a1-95a3-96551eadec9an%40googlegroups.com</a>.<br />

------=_Part_91147_1693723470.1741813522055--

------=_Part_91146_890765621.1741813522055--