path: root/fe/d9f6d653c31ab0b450ef65dc4f9fdf7e88346f
blob: bda560f9826ffeb4962adfa6731fda3dc65d76ef (plain)
Return-Path: <tim.ruffing@mmci.uni-saarland.de>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 96775FC4
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 24 Jan 2018 09:36:22 +0000 (UTC)
X-Greylist: delayed 00:07:56 by SQLgrey-1.7.6
Received: from juno.mpi-klsb.mpg.de (srv-40-62.mpi-klsb.mpg.de [139.19.86.40])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7FDEAEC
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 24 Jan 2018 09:36:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=mmci.uni-saarland.de; s=mail200803; 
	h=Content-Transfer-Encoding:Mime-Version:Content-Type:References:In-Reply-To:Date:To:From:Subject:Message-ID;
	bh=9St8S4QerORE+zXhxHsdH8C+rPIjvdFS04c00p+ejoM=; 
	b=xIN0KRXOeM8aSe+D3Bb02uY0u/IjBx9DcaV3dNdYQaqOa0X+v2O1tP/PvTQx77o7gFq+YBDw7MDZ+oDFO+PWOFvBhtINZDBpUtAxMbQGdcdpv7hXnWfpqz0Cfsc+zCiKjRf9waxD4l4D4Y7Kk3rJyRbozFw4wHdrk+j5oqOA93c=;
Received: from srv-00-61.mpi-klsb.mpg.de ([139.19.86.26]:48220
	helo=sam.mpi-klsb.mpg.de) by juno.mpi-klsb.mpg.de (envelope-from
	<tim.ruffing@mmci.uni-saarland.de>) 
	with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.84_2) id 1eeHLx-0003BF-Dq
	for bitcoin-dev@lists.linuxfoundation.org;
	Wed, 24 Jan 2018 10:28:23 +0100
Received: from x4db11f21.dyn.telefonica.de ([77.177.31.33]:58484
	helo=tonno.fritz.box) by sam.mpi-klsb.mpg.de (envelope-from
	<tim.ruffing@mmci.uni-saarland.de>) 
	with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.84_2) id 1eeHLx-0005CI-5c
	for bitcoin-dev@lists.linuxfoundation.org;
	Wed, 24 Jan 2018 10:28:21 +0100
Message-ID: <1516786100.2567.18.camel@mmci.uni-saarland.de>
From: Tim Ruffing <tim.ruffing@mmci.uni-saarland.de>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Wed, 24 Jan 2018 10:28:20 +0100
In-Reply-To: <20180124015256.GR9082@boulet.lan>
References: <CAAS2fgTXg5kk6TyUM9dS=tf5N0_Z-GKVmzMLwTW1HxUgrqdo+Q@mail.gmail.com>
	<20180123064419.GA1296@erisian.com.au>
	<CAAS2fgSy8qg71M6ZOr=xj=W6y2Jbz8hwygZOUYv-Brkt0JwVaQ@mail.gmail.com>
	<20180123222229.GA3801@erisian.com.au>
	<CAAS2fgTNcCB2mfvCBhC_AhgxX=g8feYguGHN_VPWW0EoOOxMyA@mail.gmail.com>
	<20180124015256.GR9082@boulet.lan>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.4 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-MPI-Local-Sender: true
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 09:36:22 -0000

On Wed, 2018-01-24 at 01:52 +0000, Andrew Poelstra via bitcoin-dev
wrote:
> 
> > They are. But I don't believe that is relevant; the attacker would
> > simply steal the coins on spend.
> 
> 
> Then the system would need to be hardforked to allow spending through
> a quantum-resistant ZKP of knowledge of the hashed public key. I expect
> that in a post-quantum world there will be demand for such a fork,
> especially if we came into such a world through surprise evidence of
> a discrete log break.
> 

There are simpler ways using consensus / waiting instead of
zero-knowledge, e.g.,

1. Include H(classic_pk, tx) to blockchain, wait until confirmed.
2. Reveal classic_pk, tx

This is taken from my tweet [1] but now I realize that these are
basically Guy Fawkes "signatures" [2]. Joseph Bonneau and Andrew Miller
[3] had the idea to use this for cryptocurrency without asymmetric
cryptography.

Best,
Tim

[1] https://twitter.com/real_or_random/status/948226830166786048
[2] https://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf
[3] http://www.jbonneau.com/doc/BM14-SPW-fawkescoin.pdf
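The two-step commit-then-reveal scheme in the mail (publish H(classic_pk, tx), wait for confirmation, then reveal classic_pk and tx) can be simulated end to end. The following is an added example, not code from the mail or from any Bitcoin implementation: it uses a toy in-memory chain, SHA-256 as H, an assumed confirmation depth of 6, and an assumed tie-break rule that among competing confirmed commitments for the same key the earliest one wins. The point it shows is why the reveal is safe even against an attacker who can recover the secret key from classic_pk the moment it is revealed: any commitment the attacker can make is necessarily later than the honest one.

```python
import hashlib
from typing import List, Optional, Tuple

# Assumed confirmation depth for "wait until confirmed" (not fixed by the mail).
CONFIRMATIONS = 6


def commitment(classic_pk: bytes, tx: bytes) -> bytes:
    """H(classic_pk, tx): SHA-256 over length-prefixed inputs with a domain tag,
    so (pk, tx) pairs cannot be re-split ambiguously."""
    h = hashlib.sha256()
    h.update(b"fawkes-commitment/v0")  # constructed domain tag
    h.update(len(classic_pk).to_bytes(2, "big") + classic_pk)
    h.update(len(tx).to_bytes(4, "big") + tx)
    return h.digest()


class Chain:
    """Toy chain: block i holds the list of commitments included at height i."""

    def __init__(self) -> None:
        self.blocks: List[List[bytes]] = []

    def mine(self, commits: Tuple[bytes, ...] = ()) -> int:
        self.blocks.append(list(commits))
        return len(self.blocks) - 1

    @property
    def height(self) -> int:
        return len(self.blocks) - 1

    def first_inclusion(self, c: bytes) -> Optional[int]:
        for i, block in enumerate(self.blocks):
            if c in block:
                return i
        return None

    def confirmations(self, c: bytes) -> int:
        i = self.first_inclusion(c)
        return 0 if i is None else self.height - i + 1


def reveal_is_valid(chain: Chain, classic_pk: bytes, tx: bytes) -> bool:
    """Step 2: accept (classic_pk, tx) only if H(classic_pk, tx) is confirmed."""
    return chain.confirmations(commitment(classic_pk, tx)) >= CONFIRMATIONS


def resolve_spend(chain: Chain, reveals: List[Tuple[bytes, bytes]]) -> Optional[bytes]:
    """Among competing valid reveals for one key, the earliest confirmed
    commitment wins (assumed tie-break rule). Returns the winning tx or None."""
    best: Optional[Tuple[int, bytes]] = None
    for pk, tx in reveals:
        if not reveal_is_valid(chain, pk, tx):
            continue
        h = chain.first_inclusion(commitment(pk, tx))
        if best is None or h < best[0]:
            best = (h, tx)
    return None if best is None else best[1]


def demo() -> Tuple[bool, bool, bytes]:
    chain = Chain()
    chain.mine()  # genesis block
    pk = b"\x02" + b"\x11" * 32          # constructed classic public key
    honest_tx = b"spend-to-pq-address"   # constructed transaction bytes

    # Step 1: the owner publishes only H(pk, tx); pk itself stays hidden.
    chain.mine((commitment(pk, honest_tx),))
    early = reveal_is_valid(chain, pk, honest_tx)       # 1 confirmation: not yet
    for _ in range(CONFIRMATIONS - 1):
        chain.mine()
    confirmed = reveal_is_valid(chain, pk, honest_tx)   # 6 confirmations: ok

    # Step 2: the owner reveals (pk, tx). An attacker who learns pk now, even
    # one who can derive the secret key, can only commit from this height on.
    attacker_tx = b"steal-to-attacker"
    chain.mine((commitment(pk, attacker_tx),))
    for _ in range(CONFIRMATIONS):
        chain.mine()
    winner = resolve_spend(chain, [(pk, attacker_tx), (pk, honest_tx)])
    return early, confirmed, winner


if __name__ == "__main__":
    print(demo())
```

The length prefixes in `commitment` matter: without them `H(pk || tx)` would let two different (pk, tx) splits produce the same digest, which would let a reveal claim a commitment it never made. The waiting step is what gives the honest commitment an earlier height than anything the attacker can produce after the reveal.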