Date: Sun, 25 May 2025 18:22:47 +0000
From: "'conduition' via Bitcoin Development Mailing List"
To: Lloyd Fournier
Cc: Antoine Poinsot, Martin Habovštiak, Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Hashed keys are actually fully quantum secure

Hey friends,

Even if we can require a pre-quantum output to be paired with a QR output when spending in this way, and even if the QR output must be at least X blocks old... What prevents an attacker from just pre-minting a whole bunch of QR outputs, aging them for a while, and then lying in wait to steal? A well-prepared QC attacker's QR outputs may even be significantly older than an honest user's QR outputs.

An aged QR output committing to a QR signature proves nothing about the ownership of an unrelated pre-quantum UTXO. The QR output must prove historical ownership of the vulnerable EC key-hashed output.

To fix this, we must change this line in OP:

> 2. the user creates a transaction that, aside from having a usual
> spendable output also commits to a signature of QR public key.

This transaction must be fully protected by QR signing. It must commit to, but not reveal, the EC public key, while also proving ownership. I would correct this description to:

> 2. the user creates a transaction with at least one QR input which,
> aside from having a usual spendable output also commits to
> *a signature from the legacy EC pubkey.*

This TX might have an OP_RETURN output or an inscription which embeds SHA256(ec_signature). Or, like taproot, the QR output script might itself contain a hidden commitment to that hash. A few blocks after this transaction is mined, the honest user can spend the QR and legacy UTXOs together, opening the EC signature commitment. Validating nodes would have to check the QR output is old enough, but also check that it committed to the correct pubkey+signature.

A QC attacker shouldn't be able to break this unless the legacy EC pubkey has already been revealed prior to the commitment TX. Only the authentic user could've pre-committed to that signature. If we assume the QC attacker can't roll back the chain more than X blocks, they can't go back and insert an EC sig commitment retroactively.

I suspect this might've been Martin's intent, judging from the way he was writing?

regards,
conduition

On Sunday, March 23rd, 2025 at 8:24 PM, Lloyd Fournier wrote:

> On Tue, 18 Mar 2025 at 00:48, 'Antoine Poinsot' via Bitcoin Development Mailing List wrote:
>
> > I suppose you could in theory have, in addition to making spending old outputs invalid on their own, a rule which dictates they may only be spent along with a QR output at least X blocks old. This would give the honest user a head start in this race, but meh.
>
> Yes, this is how I read the OP "after sufficient number of blocks". I think this is a really nice idea. The head start can be arbitrarily large so that the attacker simply cannot compete. It's probably not too difficult to design some honest RBF mechanism either such that you can bump the fee with a new QR signature if it's taking too long.
>
> LL
>
> > On Sunday, March 16th, 2025 at 2:25 PM, Martin Habovštiak wrote:
> >
> > > Hello list,
> > > this is somewhat related to Jameson's recent post but different enough to warrant a separate topic.
> > >
> > > As you have probably heard many times and even think yourself, "hashed keys are not actually secure, because a quantum attacker can just snatch them from mempool". However, this is not strictly true.
> > >
> > > It is possible to implement fully secure recovery if we forbid spending of hashed keys unless done through the following scheme:
> > > 0. we assume we have *some* QR signing deployed, it can be done even after QC becomes viable (though not without economic cost)
> > > 1. the user obtains a small amount of bitcoin sufficient to pay for fees via external means, held on a QR script
> > > 2. the user creates a transaction that, aside from having a usual spendable output also commits to a signature of QR public key. This proves that the user knew the private key even though the public key wasn't revealed yet.
> > > 3. after sufficient number of blocks, the user spends both the old and QR output in a single transaction. Spending requires revealing the previously-committed signature. Spending the old output alone is invalid.
> > >
> > > This way, the attacker would have to revert the chain to steal, which is assumed impossible.
> > >
> > > The only weakness I see is that (x)pubs would effectively become private keys. However they already kinda are - one needs to protect xpubs for privacy and to avoid the risk of getting marked as "dirty" by some agencies, which can theoretically render them unspendable. And non-x-pubs generally do not leak alone (no reason to reveal them without spending).
> > >
> > > I think that the mere possibility of this scheme has two important implications:
> > > * the need to have "a QR scheme" ready now in case of a QC coming tomorrow is much smaller than previously thought. Yes, doing it too late has the effect of temporarily freezing coins which is costly and we don't want that, but it's not nearly as bad as theft
> > > * freezing of *these* coins would be both immoral and extremely dangerous for reputation of Bitcoin (no comments on freezing coins with revealed pubkeys, I haven't made my mind yet)
> > >
> > > If the time comes I'd be happy to run a soft fork that implements this sanely.
> > >
> > > Cheers
> > >
> > > Martin
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/Rgj4DeSKQkdEWMRTmqYYLas84WIDyRftEKqmwlw0C9-ur4Tx9_d6g7SzTU_WBspYbezLDTMpgIFXon1_cpFSjgYOMtHlQJNS_utF2dZQ4ig%3D%40proton.me.