Return-Path: <luke@dashjr.org>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 9C28EC0001
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 15 Mar 2021 21:48:30 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 895AB43144
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 15 Mar 2021 21:48:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.202
X-Spam-Level: 
X-Spam-Status: No, score=-0.202 tagged_above=-999 required=5
 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp2.osuosl.org (amavisd-new);
 dkim=pass (1024-bit key) header.d=dashjr.org
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id j7ry9kdkY4U5
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 15 Mar 2021 21:48:29 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from zinan.dashjr.org (zinan.dashjr.org [192.3.11.21])
 by smtp2.osuosl.org (Postfix) with ESMTP id 4E3DC4000B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 15 Mar 2021 21:48:29 +0000 (UTC)
Received: from ishibashi.lan (unknown [12.190.236.209])
 (Authenticated sender: luke-jr)
 by zinan.dashjr.org (Postfix) with ESMTPSA id 6965238A009E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 15 Mar 2021 21:48:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dashjr.org; s=zinan;
 t=1615844908; bh=YerwjjIZG6WUFg8EYDHdazr9qu9MyXzzihWQyozSz3E=;
 h=From:To:Subject:Date;
 b=LwaxAJMXX0WfHLZ+Pk+n1/n70BH/1DIiPjySjvf6y5+cuWrptmVE1NruwKZmaLhy5
 DTBrVoR8YeGNEEPylRBr74hcQ+gG70gxSbXtBvoXnMSOKF3E1iqMlbbVDolJPdnpWY
 0hAkE4mh7BOd5fpq54JPHMbClFzsJEpQbJGyAAfQ=
X-Hashcash: 1:25:210315:bitcoin-dev@lists.linuxfoundation.org::=hqcgzBkQV2Nt/++:a5EzX
From: Luke Dashjr <luke@dashjr.org>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Mon, 15 Mar 2021 21:48:15 +0000
User-Agent: KMail/1.9.10
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <202103152148.15477.luke@dashjr.org>
Subject: [bitcoin-dev] PSA: Taproot loss of quantum protections
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2021 21:48:30 -0000

I do not personally see this as a reason to NACK Taproot, but it has become 
clear to me over the past week or so that many others are unaware of this 
tradeoff, so I am sharing it here to ensure the wider community is aware of 
it and can make their own judgements.

Mark Friedenbach explains on his blog:
    https://freicoin.substack.com/p/why-im-against-taproot

In short, Taproot loses an important safety protection against quantum.
Note that in all circumstances, Bitcoin is endangered when QC becomes a 
reality, but pre-Taproot, it is possible for the network to "pause" while a 
full quantum-safe fix is developed, and then resume transacting. With Taproot 
as-is, it could very well become an unrecoverable situation if QC go online 
prior to having a full quantum-safe solution.

Also, what I didn't know myself until today, is that we do not actually gain 
anything from this: the features proposed to make use of the raw keys being 
public prior to spending can be implemented with hashed keys as well.
It would use significantly more CPU time and bandwidth (between private 
parties, not on-chain), but there should be no shortage of that for anyone 
running a full node (indeed, CPU time is freed up by Taproot!); at worst, it 
would create an incentive for more people to use their own full node, which 
is a good thing!

Despite this, I still don't think it's a reason to NACK Taproot: it should be 
fairly trivial to add a hash on top in an additional softfork and fix this.

In addition to the points made by Mark, I also want to add two more, in 
response to Pieter's "you can't claim much security if 37% of the supply is 
at risk" argument. This argument is based in part on the fact that many 
people reuse Bitcoin invoice addresses.

First, so long as we have hash-based addresses as a best practice, we can 
continue to shrink the percentage of bitcoins affected through social efforts 
discouraging address use. If the standard loses the hash, the situation 
cannot be improved, and will indeed only get worse.

Second, when/if quantum does compromise these coins, so long as they are 
neglected or abandoned/lost coins (inherent in the current model), it can be 
seen as equivalent to Bitcoin mining. At the end of the day, 37% of supply 
minable by QCs is really no different than 37% minable by ASICs. (We've seen 
far higher %s available for mining obviously.)

To conclude, I recommend anyone using Bitcoin to read Mark's article, my 
thoughts, and any other arguments on the topic; decide if this is a concern 
to you, and make your own post(s) accordingly. Mark has conceded the argument 
(AFAIK he doesn't have an interest in bitcoins anyway), and I do not consider 
it a showstopper - so if anyone else out there does, please make yourself 
known ASAP since Taproot has already moved on to the activation phase and it 
is likely software will be released within the next month or two as things 
stand.

Luke