1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
Delivery-date: Tue, 03 Jun 2025 13:10:08 -0700
Received: from mail-ot1-f57.google.com ([209.85.210.57])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDWIFPUA4ICRBFVN7XAQMGQEARLUJ7I@googlegroups.com>)
id 1uMXxX-0006tD-PJ
for bitcoindev@gnusha.org; Tue, 03 Jun 2025 13:10:08 -0700
Received: by mail-ot1-f57.google.com with SMTP id 46e09a7af769-735ba7c8314sf2664838a34.1
for <bitcoindev@gnusha.org>; Tue, 03 Jun 2025 13:10:07 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1748981402; cv=pass;
d=google.com; s=arc-20240605;
b=eI5fOo5KGJlkkg++YPpxEj5ss+MD4An1g/SYB/NP+PbMJ3/md31OZ5STNFZjPbS/pt
f4tbU9AyserOuYrXU73y6iSdcJVm8UoLxRUVgPJopqzlk92wNbgYHDbB4ELuR3fQkg1e
tazyGSP4nkQ1jy2UUuiv0DdKOHFU3TuFUk7HOjKkhoNMZbQ5799R1DnLfD8+G6MHDwk4
K3AnzYmuAvBc+YEooSgvh0o09NqCRa4SYvnkrlqGKImqW+hhlOFjWTpumPujCUQEDqFp
R/+RS44uK33wpmyPOFbBvhQXDotNcBq6CIyCm6AcOUXWvm0zWNvGKIiH4cm7NjEvc/b4
+2mQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:mime-version:references:in-reply-to
:date:to:from:subject:message-id:sender:dkim-signature;
bh=mH24Fn+8lb2UpEx0PWRM9ePxuvi19JCjPT7y3lg4Xt8=;
fh=KrR7BFPErTu7EXZ8pCAFCZAsSWpYjUUDrpxjIAlJFME=;
b=JeGQ9cjduVFDNz/NOTvWiQAlTi0eNFbPefAaZfgTVaXSovFO+n9RVsCr8kquUYBK1O
vTyprMdPjhbfcLxoLhDcnoRFG+x++G7lGzx8MjvJSyBEWAWFbEuKFNr9Cny64uBkPC5N
Dbrfk/AJy8nqv1rQAiR6MDRsdtB7YDSl/lpmI7DULlw7KrmiUiiW1XxMxgxiIXsGpQeg
o7XZ6LcnFR+kqK6uqnCDUxcoaELLWBXANYHuMtBJ3J2m0sbo6x+fIJ4JxG+rP3qTJCgB
3qW4E4e9jNsrPiMgSDCayvqB2Ws4ctfg3W0ipMxy9OXWSMD+7OWdh10WSHRyWu42VSBG
7zag==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@timruffing.de header.s=MBO0001 header.b=FnDreWzP;
spf=pass (google.com: domain of crypto@timruffing.de designates 80.241.56.151 as permitted sender) smtp.mailfrom=crypto@timruffing.de;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=timruffing.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1748981402; x=1749586202; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:mime-version:references:in-reply-to:date:to:from
:subject:message-id:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=mH24Fn+8lb2UpEx0PWRM9ePxuvi19JCjPT7y3lg4Xt8=;
b=DF5Inff8+KcxrbSlZpBzIMtwy1nLK+j1RQUeRahbgizjKCLp25DAHQRvpPKjeUCGXS
J1NdF0d3pvND1DEX9RXHyKpjO99lkxZ/skeM/9ndr9e7OKfcw2tQ5r8+en7lDbr6zRcr
MCGWEDg0Tpir/h+BeeMMWOJ3z9Dw20ha8blAM/OvoWsKAd+69FxX3Gfn5BIvFNkvK2Sn
yLeHy0W9E5Z524gSh97hIFN9Kks+y53wKGikSTp6mUEjak1/0d+TPmp2IcYfbSSuDZsd
0Q8rszOGqwqaYlvoGSirkpLjX4GuVfrJim4Xf74axmIcRiMvv+LGj7wIwP18tizr3Sqj
d53g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1748981402; x=1749586202;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:mime-version:references:in-reply-to:date:to:from
:subject:message-id:x-beenthere:x-gm-message-state:sender:from:to:cc
:subject:date:message-id:reply-to;
bh=mH24Fn+8lb2UpEx0PWRM9ePxuvi19JCjPT7y3lg4Xt8=;
b=YkHfmodKKF5dqUhqeoAFttulnimGryyXZ0ndiWvjDpz4lVR8rl1noWpLWlazRPVT7T
j6F04Ru7SZZzaSxC9BU2wPiZfE1Fv/6MXryofxHSACyarBAQ5NMT0vloDKOxAfJ82Ah8
UkhU7+6fEeRLHeDHAZB8q1UJzow8Nq6aHK1Tj+WVto3vBCQVRWLXn3fpktoPLdn0ONzw
nTtRWZIxGzu/MutOjnBH2CNXs+7mQ3+3KdYtSCavNnP+D5ku2cnP5mPIaJsF88Zrxe17
CDD5BPFmZIyXLR1SYFVwMjPOnfyzFtud86fcVeWWYV13OYYH0f/kSstuAwXCMUYukGWY
UJMQ==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCUIsc+iQjI2jTk90EvJl/MSdFD+zet+KkGYmbFZOSXdC2QFgRMOdeFA8X60i25wc0Hb3M9pGZiZOIqG@gnusha.org
X-Gm-Message-State: AOJu0Yy1ID/eWzN2pUeg1332ijKOvV0r8KT2nkdIQ4UttlOPDqePmjFP
tK/eMeLSLy8S1iEH5/rmQ0vyJMrnV5bEzZ83KfvShaiIS+bdz8AWPRzU
X-Google-Smtp-Source: AGHT+IGrPJvivM4soG51//1XRmOWoHTwibj9DxkeATcH0tOllAXXY1+i5N0alnLomsEJMKfx+4WeeA==
X-Received: by 2002:a05:6830:6682:b0:735:b9db:5939 with SMTP id 46e09a7af769-73869c3dee0mr416471a34.10.1748981401916;
Tue, 03 Jun 2025 13:10:01 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZffnSYMgXy80uVPSZyXYkoFvmAUXb04zPypOL5WeLPM+Q==
Received: by 2002:a4a:be13:0:b0:60b:d479:10fe with SMTP id 006d021491bc7-60be5477cfdls2250811eaf.2.-pod-prod-05-us;
Tue, 03 Jun 2025 13:09:58 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCWasqygOMzxQfJkDerEBbsY2vTt+/kziC1t+89CKhPR6nX4YbScnfLIwHoDqc0xXIkqmPuXHU0b/Hau@googlegroups.com
X-Received: by 2002:a05:6808:338b:b0:406:71fd:b5ff with SMTP id 5614622812f47-408f0fee43amr347737b6e.38.1748981398431;
Tue, 03 Jun 2025 13:09:58 -0700 (PDT)
Received: by 2002:a05:6402:128e:b0:606:d93b:da57 with SMTP id 4fb4d7f45d1cf-606e2f501d2msa12;
Tue, 3 Jun 2025 12:50:03 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCWf4EOwD/fM6YzR3ECd4NQKfik9Em5VpQAkRkMVK1pApTH+QHogqNjxyJjbZkJjXz9hOlrbkzMHlC+a@googlegroups.com
X-Received: by 2002:a05:6402:84d:b0:604:e99e:b78f with SMTP id 4fb4d7f45d1cf-606ea3b00f1mr214238a12.16.1748980201091;
Tue, 03 Jun 2025 12:50:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1748980201; cv=none;
d=google.com; s=arc-20240605;
b=g39F2SkXt1fH6rmDywbACixjniQcj1dgc+NDfw2I7AoiAOq+37FFhXFRSlQdRWWA3o
3S0chlmKcrc3pXTOTNc8syhdNF5+i2JNY4Lm169DTBzYuWGDZkj2iD9UeAPMUOHRnSHp
ZuE5xf3VTHWYPjR/ToTgfES83+QwMNkRzCS5/pDCtzAjFmkfFWELUbqzmwclo6TkSPqh
utKtCRDsf7WBAmG7u8+2oTCKb26W5G9VnclXtXtJtyzYJ/VYEXjPtnbq//Xp5/j/FxZs
GEHB0FlDbYMk7nZnTrVuPOSbGdm1ellXvQDz7WLoV39gj/WYz6qJG3ZdYmubbNKnkfZU
34zg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=mime-version:content-transfer-encoding:references:in-reply-to:date
:to:from:subject:message-id:dkim-signature;
bh=MxO08MgGWrMB+HVTVHCt1nAOdDqWIma12Un7ExLhCSE=;
fh=UQZep03AQj+U987aYARnvaeKeuWGYg3Fz7wGaUf1Xxw=;
b=FvaiefdL1oNpo0gb3PI3mDbFtYKZOQNzfFM80YF3sYTmFZL7JvsYnY6v5V7ShvLybv
9obwIqTkh1ImCOuHuBKP3D4hF88BgeCiF+kF1i2M9nhrTD4HZ+8s/NrWdXUsFRyvt9Lv
3BezuE1y2W87lWOoVoNTqt0OlO3FUpKjL3K3al7M2vdjy5DwSxTCjSDmOWOsNjqAB7MB
IQ1dgPsCQ0Jt9mZoVHuURkgHC5vb1cYBJyUjK+jzrTvkzyPrIxOjJyj7oLVjzoo/nGXp
mo9jeKhAwX38X/ItJrA5bwXQLuTbpcDpkFvuY/+W/tVCaiYdd/JRkQ+/rPoN+Z2x0Pg7
HaXQ==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@timruffing.de header.s=MBO0001 header.b=FnDreWzP;
spf=pass (google.com: domain of crypto@timruffing.de designates 80.241.56.151 as permitted sender) smtp.mailfrom=crypto@timruffing.de;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=timruffing.de
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org. [80.241.56.151])
by gmr-mx.google.com with ESMTPS id 4fb4d7f45d1cf-605671776ddsi417001a12.5.2025.06.03.12.50.01
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 03 Jun 2025 12:50:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of crypto@timruffing.de designates 80.241.56.151 as permitted sender) client-ip=80.241.56.151;
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4bBhBZ3XRPz9spx;
Tue, 3 Jun 2025 21:49:58 +0200 (CEST)
Message-ID: <bb0cb7ad140e0960b55a6f18c48f047cb42d6b0a.camel@timruffing.de>
Subject: Re: [bitcoindev] Pre-emptive commit/reveal for quantum-safe migration (poison-pill)
From: Tim Ruffing <crypto@timruffing.de>
To: Leo Wandersleb <lwandersleb@gmail.com>, Bitcoin Development Mailing List
<bitcoindev@googlegroups.com>
Date: Tue, 03 Jun 2025 21:49:53 +0200
In-Reply-To: <5e393f57-ac87-40fd-93ef-e1006accdb55n@googlegroups.com>
References: <2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a@gmail.com>
<CAFC_Vt7z5Vj=r90J8RoH3sC5592BO4G9U3L9gdcX+D3DruC1PQ@mail.gmail.com>
<33f67e84-5d1c-4c14-80b9-90a3fec3cb36@gmail.com>
<ZmYpRwmVDoJBUhiCRb909Lgwws_dT9d_CNUjfddVt128pyjdH0UcYfXgA_uguwRu44ZC8_x_SwlrooqKhyvdwJjnO1h3BvzQxVRbdCpVfjg=@proton.me>
<5e393f57-ac87-40fd-93ef-e1006accdb55n@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
X-Rspamd-Queue-Id: 4bBhBZ3XRPz9spx
X-Original-Sender: crypto@timruffing.de
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@timruffing.de header.s=MBO0001 header.b=FnDreWzP; spf=pass
(google.com: domain of crypto@timruffing.de designates 80.241.56.151 as
permitted sender) smtp.mailfrom=crypto@timruffing.de; dmarc=pass
(p=NONE sp=NONE dis=NONE) header.from=timruffing.de
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)
What about this attack?
1. (Honestly) own some UTXO
2. Commit the UTXO
3. Wait for the fork
4. Spend the UTXO to some recipient
5. Double-spend using the pre-fork commitment
On Tue, 2025-06-03 at 10:26 -0700, Leo Wandersleb wrote:
> Hi conduition,
>
> Thanks for your careful analysis - excellent catches.
>
> You're absolutely right about the txid vulnerability. The commitment
> must be to the complete transaction including witness data (wTXID or
> equivalent) to prevent an attacker from pre-committing to unsigned
> transactions. This is essential - otherwise an attacker could indeed
> enumerate the UTXO set and create commitments without knowing the
> private keys.
>
> Regarding updates: You're correct that frequent updates would be
> needed as wallets receive new UTXOs. However, I don't see this as a
> major issue - users could batch their commitments periodically (say,
> monthly) rather than after every transaction. The scheme is
> particularly important for existing UTXOs that already have exposed
> pubkeys (old P2PK, reused addresses, etc.). For new UTXOs, wallets
> should ideally migrate to quantum-safe addresses once available.
> OpenTimestamps aggregation would indeed help with scaling and provide
> plausible deniability about the number of UTXOs being protected.
>
> The time delay serves a different purpose than you might expect. It's
> not about preventing commitment forgery after pubkey exposure, but
> rather about allowing priority based on commitment age when multiple
> parties claim the same UTXO:
>
> 1. Weak announcement starts the 144-block window
> 2. During this window, anyone with a strong commitment can reveal it
> 3. The oldest valid commitment wins
>
> This creates the "poison pill" effect: an attacker might crack a key
> and try to spend a UTXO, but if the original owner has an older
> commitment, they can reclaim it during the window. The uncertainty
> about which UTXOs have poison pills makes attacking large "lost"
> UTXOs risky - hence less disruptive to the network.
>
> The delay essentially allows a "commitment priority contest" where
> age determines the winner, protecting users who prepared early while
> still allowing these users to not move their funds.
>
> Best,
>
> Leo
> --
> You received this message because you are subscribed to the Google
> Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/5e393f57-ac87-40fd-93ef-e1006accdb55n%40googlegroups.com
> .
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/bb0cb7ad140e0960b55a6f18c48f047cb42d6b0a.camel%40timruffing.de.
|
