References: <2c3b7e1c-95dd-4773-a88f-f2cdb37acf4a@gmail.com>
<CAFC_Vt7z5Vj=r90J8RoH3sC5592BO4G9U3L9gdcX+D3DruC1PQ@mail.gmail.com>
<33f67e84-5d1c-4c14-80b9-90a3fec3cb36@gmail.com> <ZmYpRwmVDoJBUhiCRb909Lgwws_dT9d_CNUjfddVt128pyjdH0UcYfXgA_uguwRu44ZC8_x_SwlrooqKhyvdwJjnO1h3BvzQxVRbdCpVfjg=@proton.me>
<5e393f57-ac87-40fd-93ef-e1006accdb55n@googlegroups.com>
In-Reply-To: <5e393f57-ac87-40fd-93ef-e1006accdb55n@googlegroups.com>
From: Nagaev Boris <bnagaev@gmail.com>
Date: Tue, 3 Jun 2025 18:49:04 -0300
Message-ID: <CAFC_Vt5X2qrH9EaZNoMMx8367V7iYfXiCcAfT3ED86DtM7UH6A@mail.gmail.com>
Subject: Re: [bitcoindev] Pre-emptive commit/reveal for quantum-safe migration (poison-pill)
To: Leo Wandersleb <lwandersleb@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>

Hi Leo,

Thanks for the clarifications, much appreciated!

I have a couple of questions:

1. How is a weak announcement stored in the blockchain and in the UTXO set?
I assume it must be a transaction, correct? And it should somehow mark
the UTXO as planned to be spent for 144 blocks?

How would older (non-upgraded) nodes interpret a transaction
containing a weak announcement? Would they just skip over it without
any special processing?

If so, is there a problem for nodes that upgrade after the fork: would
they have to reprocess all blocks since the fork to find and index all
missed weak announcements?

2. In the case of reclaiming a UTXO after a weak announcement by an
attacker: why would the legitimate owner wait for a weak announcement
at all?

If the EC public key was already leaked, it seems they should publish
a strong announcement themselves rather than wait. If the EC public
key wasn't leaked, there's nothing to worry about even if someone
publishes a weak announcement: they are most likely bluffing, since
they wouldn't have the actual public key.

Best,
Boris
On Tue, Jun 3, 2025 at 3:29 PM Leo Wandersleb <lwandersleb@gmail.com> wrote:
>
> Hi conduition,
>
> Thanks for your careful analysis - excellent catches.
>
> You're absolutely right about the txid vulnerability. The commitment must
> be to the complete transaction including witness data (wTXID or equivalent)
> to prevent an attacker from pre-committing to unsigned transactions. This
> is essential - otherwise an attacker could indeed enumerate the UTXO set
> and create commitments without knowing the private keys.
>
> Regarding updates: You're correct that frequent updates would be needed
> as wallets receive new UTXOs. However, I don't see this as a major issue -
> users could batch their commitments periodically (say, monthly) rather than
> after every transaction. The scheme is particularly important for existing
> UTXOs that already have exposed pubkeys (old P2PK, reused addresses, etc.).
> For new UTXOs, wallets should ideally migrate to quantum-safe addresses
> once available. OpenTimestamps aggregation would indeed help with scaling
> and provide plausible deniability about the number of UTXOs being protected.
>
> The time delay serves a different purpose than you might expect. It's not
> about preventing commitment forgery after pubkey exposure, but rather
> about allowing priority based on commitment age when multiple parties claim
> the same UTXO:
>
> 1. Weak announcement starts the 144-block window
> 2. During this window, anyone with a strong commitment can reveal it
> 3. The oldest valid commitment wins
>
> This creates the "poison pill" effect: an attacker might crack a key and
> try to spend a UTXO, but if the original owner has an older commitment,
> they can reclaim it during the window. The uncertainty about which UTXOs
> have poison pills makes attacking large "lost" UTXOs risky - hence less
> disruptive to the network.
>
> The delay essentially allows a "commitment priority contest" where age
> determines the winner, protecting users who prepared early while still
> allowing these users to not move their funds.
>
> Best,
>
> Leo
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/5e393f57-ac87-40fd-93ef-e1006accdb55n%40googlegroups.com.

-- 
Best regards,
Boris Nagaev

-- 
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAFC_Vt5X2qrH9EaZNoMMx8367V7iYfXiCcAfT3ED86DtM7UH6A%40mail.gmail.com.
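The priority contest Leo describes in the quoted message (a weak announcement opens a 144-block window, strong commitments are revealed inside it, the oldest valid commitment wins) and the txid-versus-wTXID point from his first paragraph, as an added toy model. This is not code from the thread or from any Bitcoin implementation. The transaction encoding, the salted SHA-256 commitment, the `Ledger` bookkeeping, the address labels and every block height are assumptions made for the example; how an announcement is actually stored on chain (Boris's first question) is left open here, as it is in the thread.

```python
"""Toy model of the commit/reveal priority contest discussed in the thread.

Constructed illustration only. The Tx encoding, the salted commitment hash,
the Ledger bookkeeping and every height used below are assumptions made for
this example; they are not the proposal's actual consensus rules.
"""
import hashlib
from dataclasses import dataclass, field

WINDOW_BLOCKS = 144  # reveal window length, as stated in the thread


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Tx:
    """Minimal spend: which outpoint it consumes, where it pays, and a witness."""
    spends: str      # outpoint "txid:vout" being spent (hypothetical value below)
    pays_to: str     # destination address (hypothetical labels below)
    witness: bytes   # signature data; only the key holder can produce a valid one

    def txid(self) -> str:
        # txid excludes the witness: anyone scanning the UTXO set can compute it
        return sha256_hex(f"{self.spends}|{self.pays_to}".encode())

    def wtxid(self) -> str:
        # wtxid also covers the witness, so a valid one requires the signing key
        return sha256_hex(f"{self.spends}|{self.pays_to}|".encode() + self.witness)


def commitment(wtxid: str, salt: bytes) -> str:
    """Salted hash published in advance; the salt hides which UTXO is protected."""
    return sha256_hex(salt + bytes.fromhex(wtxid))


@dataclass
class Ledger:
    commitments: dict = field(default_factory=dict)  # digest -> height first seen
    windows: dict = field(default_factory=dict)      # outpoint -> weak-announcement height
    candidates: dict = field(default_factory=dict)   # outpoint -> [(commit_height, wtxid)]

    def commit(self, digest: str, height: int) -> None:
        # Earliest appearance counts; republishing a digest cannot improve its age.
        self.commitments.setdefault(digest, height)

    def weak_announce(self, outpoint: str, height: int) -> None:
        self.windows.setdefault(outpoint, height)

    def strong_reveal(self, tx: Tx, salt: bytes, height: int) -> bool:
        """Reveal inside the window; accepted only if an earlier commitment matches."""
        start = self.windows.get(tx.spends)
        if start is None or not start <= height <= start + WINDOW_BLOCKS:
            return False
        committed_at = self.commitments.get(commitment(tx.wtxid(), salt))
        if committed_at is None or committed_at >= height:
            return False
        self.candidates.setdefault(tx.spends, []).append((committed_at, tx.wtxid()))
        return True

    def resolve(self, outpoint: str, height: int):
        """Once the window has closed, the oldest valid commitment wins."""
        start = self.windows.get(outpoint)
        if start is None or height <= start + WINDOW_BLOCKS:
            return None  # no contest, or window still open
        cands = self.candidates.get(outpoint)
        return min(cands)[1] if cands else None


def txid_ignores_witness() -> tuple:
    """Why the commitment must cover the witness (the txid point quoted above)."""
    unsigned = Tx("ab12:0", "attacker-addr", witness=b"")
    signed = Tx("ab12:0", "attacker-addr", witness=b"sig-made-with-the-key")
    return (unsigned.txid() == signed.txid(), unsigned.wtxid() == signed.wtxid())


def scenario() -> dict:
    """Owner commits early; attacker cracks the key much later and loses the contest."""
    ledger = Ledger()
    utxo = "ab12:0"  # constructed outpoint
    owner_tx = Tx(utxo, "owner-quantum-safe-addr", witness=b"sig-by-owner-key")
    owner_salt = b"owner-secret-salt"
    ledger.commit(commitment(owner_tx.wtxid(), owner_salt), height=100)

    attacker_tx = Tx(utxo, "attacker-addr", witness=b"sig-by-cracked-key")
    attacker_salt = b"attacker-salt"
    ledger.commit(commitment(attacker_tx.wtxid(), attacker_salt), height=5000)

    ledger.weak_announce(utxo, height=5100)  # attacker opens the window
    return {
        "attacker_reveal_ok": ledger.strong_reveal(attacker_tx, attacker_salt, 5120),
        "owner_reveal_ok": ledger.strong_reveal(owner_tx, owner_salt, 5150),
        "late_reveal_ok": ledger.strong_reveal(owner_tx, owner_salt, 5300),
        "resolved_while_open": ledger.resolve(utxo, 5200),
        "winner": ledger.resolve(utxo, 5245),
        "owner_wtxid": owner_tx.wtxid(),
        "attacker_wtxid": attacker_tx.wtxid(),
    }


if __name__ == "__main__":
    r = scenario()
    print("winner is owner:", r["winner"] == r["owner_wtxid"])
    print("txid ignores witness, wtxid does not:", txid_ignores_witness())
```

Two details of the model are worth noting. `txid_ignores_witness()` shows why a commitment to the txid alone would be forgeable: an attacker can compute it from the UTXO set without ever signing, whereas the wTXID changes with the witness. The salt in `commitment()` keeps the published digest from revealing which outpoint it protects until the reveal, which is where the "uncertainty about which UTXOs have poison pills" comes from; the thread does not specify tie-breaking or how the ledger indexes announcements, so `Ledger` simply orders candidates by commitment height.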