1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
Return-Path: <earonesty@gmail.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 10788C000E
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Aug 2021 22:08:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id E1359606FF
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Aug 2021 22:08:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.496
X-Spam-Level:
X-Spam-Status: No, score=0.496 tagged_above=-999 required=5
tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001,
HEADER_FROM_DIFFERENT_DOMAINS=0.248, RCVD_IN_DNSWL_NONE=-0.0001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: smtp3.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=q32-com.20150623.gappssmtp.com
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id yoh9RMlIrVn9
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Aug 2021 22:08:53 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com
[IPv6:2607:f8b0:4864:20::1033])
by smtp3.osuosl.org (Postfix) with ESMTPS id AA4C56060F
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Aug 2021 22:08:53 +0000 (UTC)
Received: by mail-pj1-x1033.google.com with SMTP id w14so12201584pjh.5
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Aug 2021 15:08:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=q32-com.20150623.gappssmtp.com; s=20150623;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=KbAjV65SplnFN2QxvP/s2zSeBUOSE/9auavdUoeQ3lI=;
b=J8wJSBX4WoDe87tcgcG4dyZTN+KunTMLYNeiUmkn+fMyVopWIAb5CChE7z/h5zpeNs
pK9SfidRYnG5JQiY8pWWdFnmE//5tQEIFv5PP+ghj42R5hIJPbvpkKkyfmb6PsCX6RcF
Hj7/w0mpSnL0EYSghi1RU+SgQ/4oHDXAHcfWysNf0OmG34cI7qucwYgojNm4vgUDcarU
JekR3qLmwzZ80t9KdFet+Div3ox5rrzqs8CjvIeZgI0L0seBny/jgIxDitYOVV+IaWTj
InthugbgfOT3C8NaLfTR+IDFryxQMksLsMLCDOCO88k+q6tcwHQiDsjgdvhJ1FicxgaI
+Y5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=KbAjV65SplnFN2QxvP/s2zSeBUOSE/9auavdUoeQ3lI=;
b=YbEvFsoHtfSb22Az6kqxmK6JdVXYf6pwQ0cDPaP18+kce6EkHd6f0Z1w64utCuZXfP
sSNyd4YEOw+6W18QWiDBM9sG2oxku6KhCRfwHst5WQ8flmuTN+KyTyPYZiFhKvcIYJCW
gwqtJwmWqtdgk1Uc28TdymVZgKcyLkv7UY0aX8jGxIk4ca6xLzu5k9q44Xw0yRYLm1ZR
EkmtJBynbp29/UHLL9OU+W64fQPJRbhj+XmZDOAkQHE7F87r6L7huheQ0P4fjqv0DRdG
rMxxQSPqhXWg5qxo9CYA5woXXT3B5SPhff3qbxKCuYBtJ/LL5IvLVxzr8pHaEfWBDt+4
YnQA==
X-Gm-Message-State: AOAM533yrjPZL206ynyJdQnx/lgfBr3lDJC51el/rukBHQrrtvEraeCd
RSDS9CYeuLlRZgZpZhPvqNP0GXUHADbFDRoAhIrhZm/WzETs
X-Google-Smtp-Source: ABdhPJyONwqHdWMQ+xsTftqi8xtFGSV26rW0JZzEoOEgn/xVAF5FqZLWqZkj8/wXJC1WsnH/7d3DjtoX9FsDv5Qk0aE=
X-Received: by 2002:a17:90a:a389:: with SMTP id
x9mr17957711pjp.167.1628806132889;
Thu, 12 Aug 2021 15:08:52 -0700 (PDT)
MIME-Version: 1.0
References: <202103152148.15477.luke@dashjr.org>
<CAJowKgLuWOkD=_jDaLqG=FOG02qX7p4-EZ69yvw4UqcWpz+rRg@mail.gmail.com>
In-Reply-To: <CAJowKgLuWOkD=_jDaLqG=FOG02qX7p4-EZ69yvw4UqcWpz+rRg@mail.gmail.com>
From: Erik Aronesty <erik@q32.com>
Date: Thu, 12 Aug 2021 18:08:40 -0400
Message-ID: <CAJowKgJ5ko2Xac+-Mr9RQgdDKmuX__wOBgpUe_Qe6Egjavj7BQ@mail.gmail.com>
To: Luke Dashjr <luke@dashjr.org>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
X-Mailman-Approved-At: Thu, 12 Aug 2021 22:21:37 +0000
Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Aug 2021 22:08:58 -0000
Noe: for A. Chow's upgrade to work, there obviously has to be an
effort to deliberately-blacklist unupgraded coins, say after 10-20
years of opportunity to upgrade, or something like that, as long as
the transition to quantum isn't so fast that there's no way to do
this.
On Mon, Mar 22, 2021 at 10:24 AM Erik Aronesty <erik@q32.com> wrote:
>
> The argument that hashed public addresses provide meaningful quantum
> resistance is flawed *when considered in the context*.of Bitcoin
> itself.
>
> This article by Andrew Chow is easy to read and makes a strong case
> against the quantum utility of hashed public keys:
> https://cryptowords.github.io/why-does-hashing-public-keys-not-actually-provide-any-quantum-resistance
>
> And then, of course, one should be mindful of the case against quantum
> computing itself - it is neither inevitable nor "just around the
> corner". Mikhail Dyakonov summarized the arguments well here:
> https://t.co/cgrfrroTTT?amp=1.
>
> My current stance (at my company at least) is that planning for
> quantum computing should be limited to "a provable and written ability
> to upgrade if it becomes clear that it's necessary."
>
> Does anyone think it would it be useful to write up a more official,
> and even partly functional plan for Bitcoin to use zero-knowledge
> proofs to transition to quantum resistance?
>
> - Erik Aronesty
> CTO, Atkama
>
> On Mon, Mar 15, 2021 at 5:48 PM Luke Dashjr via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > I do not personally see this as a reason to NACK Taproot, but it has become
> > clear to me over the past week or so that many others are unaware of this
> > tradeoff, so I am sharing it here to ensure the wider community is aware of
> > it and can make their own judgements.
> >
> > Mark Friedenbach explains on his blog:
> > https://freicoin.substack.com/p/why-im-against-taproot
> >
> > In short, Taproot loses an important safety protection against quantum.
> > Note that in all circumstances, Bitcoin is endangered when QC becomes a
> > reality, but pre-Taproot, it is possible for the network to "pause" while a
> > full quantum-safe fix is developed, and then resume transacting. With Taproot
> > as-is, it could very well become an unrecoverable situation if QC go online
> > prior to having a full quantum-safe solution.
> >
> > Also, what I didn't know myself until today, is that we do not actually gain
> > anything from this: the features proposed to make use of the raw keys being
> > public prior to spending can be implemented with hashed keys as well.
> > It would use significantly more CPU time and bandwidth (between private
> > parties, not on-chain), but there should be no shortage of that for anyone
> > running a full node (indeed, CPU time is freed up by Taproot!); at worst, it
> > would create an incentive for more people to use their own full node, which
> > is a good thing!
> >
> > Despite this, I still don't think it's a reason to NACK Taproot: it should be
> > fairly trivial to add a hash on top in an additional softfork and fix this.
> >
> > In addition to the points made by Mark, I also want to add two more, in
> > response to Pieter's "you can't claim much security if 37% of the supply is
> > at risk" argument. This argument is based in part on the fact that many
> > people reuse Bitcoin invoice addresses.
> >
> > First, so long as we have hash-based addresses as a best practice, we can
> > continue to shrink the percentage of bitcoins affected through social efforts
> > discouraging address use. If the standard loses the hash, the situation
> > cannot be improved, and will indeed only get worse.
> >
> > Second, when/if quantum does compromise these coins, so long as they are
> > neglected or abandoned/lost coins (inherent in the current model), it can be
> > seen as equivalent to Bitcoin mining. At the end of the day, 37% of supply
> > minable by QCs is really no different than 37% minable by ASICs. (We've seen
> > far higher %s available for mining obviously.)
> >
> > To conclude, I recommend anyone using Bitcoin to read Mark's article, my
> > thoughts, and any other arguments on the topic; decide if this is a concern
> > to you, and make your own post(s) accordingly. Mark has conceded the argument
> > (AFAIK he doesn't have an interest in bitcoins anyway), and I do not consider
> > it a showstopper - so if anyone else out there does, please make yourself
> > known ASAP since Taproot has already moved on to the activation phase and it
> > is likely software will be released within the next month or two as things
> > stand.
> >
> > Luke
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|
