From: Tim Ruffing
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Wed, 24 Jan 2018 10:28:20 +0100
Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting
Message-ID: <1516786100.2567.18.camel@mmci.uni-saarland.de>
In-Reply-To: <20180124015256.GR9082@boulet.lan>
References: <20180123064419.GA1296@erisian.com.au> <20180123222229.GA3801@erisian.com.au> <20180124015256.GR9082@boulet.lan>

On Wed, 2018-01-24 at 01:52 +0000, Andrew Poelstra via bitcoin-dev wrote:
> > They are. But I don't believe that is relevant; the attacker would
> > simply steal the coins on spend.
> >
> Then the system would need to be hardforked to allow spending through a
> quantum-resistant ZKP of knowledge of the hashed public key. I expect
> that in a post-quantum world there will be demand for such a fork,
> especially if we came into such a world through surprise evidence of
> a discrete log break.

There are simpler ways using consensus / waiting instead of zero-knowledge, e.g.,

1. Include H(classic_pk, tx) in the blockchain, wait until confirmed.
2. Reveal classic_pk, tx

This is taken from my tweet [1] but now I realize that these are basically Guy Fawkes "signatures" [2]. Joseph Bonneau and Andrew Miller [3] had the idea to use this for cryptocurrency without asymmetric cryptography.

Best,
Tim

[1] https://twitter.com/real_or_random/status/948226830166786048
[2] https://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf
[3] http://www.jbonneau.com/doc/BM14-SPW-fawkescoin.pdf
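The commit-then-reveal spend sketched in steps 1 and 2 above, as an added Python example that is not part of Tim's mail or of any Bitcoin implementation. It models the consensus rule a node would need: a reveal of (classic_pk, tx) is accepted only if H(classic_pk, tx) was already buried deep enough in the chain, and when several reveals compete for the same key, the one whose commitment was confirmed first wins, so an attacker who learns the key from the reveal cannot back-date a commitment. The names (Chain, commit, reveal_is_valid, earliest_reveal), the toy chain, the sample key and transactions, and the confirmation depth are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

def commit(classic_pk: bytes, tx: bytes) -> bytes:
    """H(classic_pk, tx) from step 1. Each field is length-prefixed so that
    different (pk, tx) pairs cannot produce the same preimage bytes."""
    data = (len(classic_pk).to_bytes(4, "big") + classic_pk
            + len(tx).to_bytes(4, "big") + tx)
    return hashlib.sha256(data).digest()

@dataclass
class Chain:
    """Toy chain that only records commitment hashes, one set per block."""
    blocks: list = field(default_factory=list)

    def height(self) -> int:
        return len(self.blocks)

    def mine(self, commitments=()) -> int:
        """Append a block holding the given commitments; return its index."""
        self.blocks.append(set(commitments))
        return self.height() - 1

    def first_seen(self, c: bytes):
        """Block index in which commitment c was first confirmed, else None."""
        for h, blk in enumerate(self.blocks):
            if c in blk:
                return h
        return None

def reveal_is_valid(chain: Chain, classic_pk: bytes, tx: bytes, min_conf: int) -> bool:
    """Step 2 check: the reveal is only accepted if its commitment is already
    min_conf blocks deep. A fresh commitment made after seeing the reveal
    (the front-running case) has too few confirmations and is rejected."""
    h = chain.first_seen(commit(classic_pk, tx))
    return h is not None and chain.height() - h >= min_conf

def earliest_reveal(chain: Chain, reveals, min_conf: int):
    """Among competing (classic_pk, tx) reveals, return the tx whose commitment
    was confirmed earliest (constructed tie-break rule); None if none is valid."""
    best = None
    for pk, tx in reveals:
        if not reveal_is_valid(chain, pk, tx, min_conf):
            continue
        h = chain.first_seen(commit(pk, tx))
        if best is None or h < best[0]:
            best = (h, tx)
    return None if best is None else best[1]
```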