Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id CAE9DC0001 for ; Tue, 23 Mar 2021 10:56:36 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id A45A060820 for ; Tue, 23 Mar 2021 10:56:36 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.901 X-Spam-Level: X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp3.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=timruffing.de Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwR9mwzXKPJs for ; Tue, 23 Mar 2021 10:56:34 +0000 (UTC) X-Greylist: delayed 00:06:07 by SQLgrey-1.8.0 Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [80.241.56.151]) by smtp3.osuosl.org (Postfix) with ESMTPS id 36FF26081E for ; Tue, 23 Mar 2021 10:56:34 +0000 (UTC) Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4F4SnX1q9TzQjww for ; Tue, 23 Mar 2021 11:50:24 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timruffing.de; s=MBO0001; t=1616496622; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wZwT5QD/BP17xU3ZnFv1ooDQNGTS9MmKl53Tp9MvvNU=; b=EGD1VfqJ8U8w0fxPazM2tKVRaiGzWwS3aCWVJNXHrvQKGYHSLkNrCJVLS78ohOJsieb8SY TrLt0keFI+AEEbMhOtEVTkaMjhtMFH380WqXqpfG/DdSR4m46pYmRKCAB8q8QMsBOphwyw EoElGBj6+niNm68MtdmZ8YBrMEF/ZWB392ZtNIpzVjbLayEEyyhI1ZcZxJo3ckY2Qf5KQS 0qIN1f5sqBpgzb4IumrmtC+qNdn9V+QXEA6xE+lkR7z/JArQ9F4uI+0ucpVOSSj0v9aKM0 f6mv6FqLHv58K/iWdHziAzw5LmwnaGIe4Ms96zLtiXEZh/+wkZbWWKdSln+J9Q== Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id 6YckQqVI9Zjp for ; Tue, 23 Mar 2021 11:50:21 +0100 (CET) Message-ID: From: Tim Ruffing To: Bitcoin Protocol Discussion Date: Tue, 23 Mar 2021 11:50:20 +0100 In-Reply-To: References: <202103152148.15477.luke@dashjr.org> Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-MBO-SPAM-Probability: X-Rspamd-Score: -4.84 / 15.00 / 15.00 X-Rspamd-Queue-Id: 4B3EC1806 X-Rspamd-UID: d544a7 X-Mailman-Approved-At: Tue, 23 Mar 2021 10:59:47 +0000 Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Mar 2021 10:56:36 -0000 On Mon, 2021-03-22 at 10:24 -0400, Erik Aronesty via bitcoin-dev wrote: > > Does anyone think it would it be useful to write up a more official, > and even partly functional plan for Bitcoin to use zero-knowledge > proofs to transition to quantum resistance? Yes, for sure. This is certainly something that the community should discuss. Looking into this problem is also on my (too long) list of research problems. I think IF we arrive at the conclusion that this is a good idea (which is possible but not at all clear to me at this point), then one of the questions is whether it's desirable to use something more efficient than a zero-knowledge proof, at the potential cost of committing to a real public key of a simple post-quantum signature scheme. This could for example be a hash-based one-time signature scheme (but something more efficient than the often mentioned Lamport signatures, e.g., Winternitz or W-OTS+ signatures).