1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
Return-Path: <tristan.hoy@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id D5CA6EAF
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Feb 2018 21:32:38 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-lf0-f50.google.com (mail-lf0-f50.google.com
[209.85.215.50])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D59D7165
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Feb 2018 21:32:37 +0000 (UTC)
Received: by mail-lf0-f50.google.com with SMTP id k19so22374825lfj.1
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Feb 2018 13:32:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
bh=oD5vlXPcmLUJsWEXzKKSVPAV9aQxct7f/XhVzfY7DzI=;
b=k1+lIGqpyt8nCF6tL3si5WmP2f0MxLqJhWsvhX6RjeMRtMol7CnTLFssGvhpPXDUWa
aYpley8qWTE0OlhXb88UUtY/Ha8vOVJbQmMuhz242w55tRb2cxGJXRmpTQnGikIXESxk
/PA3nxSBExtlPrZqJVv0b5PfRyvQogdgzxCQCkhzP0kOOAAdVkM46eJjN+5XIVX1NH8Z
qKCbxJHZY1I4lvaiKAGWtgh0A22Opw8HtIWqjV2TuDaXOcz9yzOim2ZoWQa0aE8N3+8U
WWgWk17fSGYj5OvlPtyfUasyDH6OkvoaTwFP5c6gTRJsA47ShuoFvojT2SG9Ac02lv/v
KQdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to;
bh=oD5vlXPcmLUJsWEXzKKSVPAV9aQxct7f/XhVzfY7DzI=;
b=piygfXestexrd7Xw/MumLD3hbsDKcIjvCufKmwvPkKe7ipb4DcYfYiJUV7dMdmVPLu
CIp33FJyd/BD/Db9Oq+U5cHqbIRISAMDqUhQNBoXpsI2Q/eOKtnHm7E18J265NtqVABc
3tWouGXcbl265/JFWAInakJ/0zUcXtzpou/Bz/Dy3nrTFhCBzVF3pAD0SpsP5J0MVkpm
1I+BwisOz5J8vtlxONTQ3B8W7pl8ybhQbjFulAPe7tBQ8O0I2tXGcpD92pi5HepH/lLl
k3F3xxhgPotHFlBYFsC/CJs/tdmmUiQnbA8uacw+wv098B6xqSJSYiN1ksGraI9dWTR4
ClDA==
X-Gm-Message-State: APf1xPA3OJVrUrBoAHiX6Lu3Or3SFBzIFhpjhQpXzE22SRt4uhEH3YzC
jfcJXs2/PEmCc9Jtc+YRIzeh6O0EXrq6mJqEETU=
X-Google-Smtp-Source: AH8x227pUdcOZxA596y+BsfpieWApeW46KucGj3zoXcdRk+4DybHr26wNaexFoJq4my+K24YQUbizM41UymL6bU1DHg=
X-Received: by 10.25.153.213 with SMTP id b204mr206702lfe.144.1518471156007;
Mon, 12 Feb 2018 13:32:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.89.140 with HTTP; Mon, 12 Feb 2018 13:32:35 -0800 (PST)
In-Reply-To: <1518450650.7829.87.camel@mmci.uni-saarland.de>
References: <CAFEpHQHP7XXBYUP6CF1OeYoBpj0UwK+qpYG-14_zQZDX4Md7UA@mail.gmail.com>
<1518450650.7829.87.camel@mmci.uni-saarland.de>
From: Tristan Hoy <tristan.hoy@gmail.com>
Date: Tue, 13 Feb 2018 08:32:35 +1100
Message-ID: <CAFEpHQHYdE3m2GUtN=ijvtYUudwtcG52rRxzH66VFbgO1KEihw@mail.gmail.com>
To: Tim Ruffing <tim.ruffing@mmci.uni-saarland.de>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="001a11401934db0d8605650a9d95"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 12 Feb 2018 22:55:21 +0000
Subject: Re: [bitcoin-dev] Transition to post-quantum
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2018 21:32:38 -0000
--001a11401934db0d8605650a9d95
Content-Type: text/plain; charset="UTF-8"
Hi Tim,
Just read through your post, thanks for the heads up - I only just joined
this mailing list.
In a post-quantum world, your second "d" type transaction is completely
forgeable, which means it is vulnerable to front-running. An adversary
capable of breaking ECDSA needs only listen for these transactions, obtain
"classic_sk" and then use a higher fee (or relationship with a miner) to
effectively turn your original "d" transaction into a double-spend, with
the forged transaction sending all your funds to the adversary.
I'm pretty confident that a PQ DSA is required to prevent front-running,
and that no "commit-reveal" scheme will be secure without one.
The other issue with your approach is that if it is rolled out today, it
will effectively double transaction volumes - this is what I tried to solve
in solutions 2 and 3 in my article by instead modifying the address
generation process.
Regards,
Tristan
On Tue, Feb 13, 2018 at 2:50 AM, Tim Ruffing via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hi Tristan,
>
> Regarding the "Post-Quantum Address Recovery" part (I haven't read the
> other parts), you may be interested in my message to the list from last
> month and the rest of the thread:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2018-January/015659.html
>
> This is an approach which aims to avoid the issues that you've
> mentioned in your blog post.
>
> Best,
> Tim
>
> On Tue, 2018-02-13 at 01:13 +1100, Tristan Hoy via bitcoin-dev wrote:
> > Hi all,
> >
> > Recently I've been exploring what a post-quantum attack on Bitcoin
> > would actually look like, and what options exist for mitigating it.
> >
> > I've put up a draft of my research here: https://medium.com/@tristanh
> > oy/11271f430c41
> >
> > In summary:
> > 1) None of the recommended post-quantum DSAs (XMSS, SPHINCS) are
> > scalable
> > 2) This is a rapidly advancing space and committment to a specific
> > post-quantum DSA now would be premature
> > 3) I've identified a strategy (solution 3 in the draft) that
> > mitigates against the worst case scenario (unexpectedly early attack
> > on ECDSA) without requiring any changes to the Bitcoin protocol or
> > total committment to a specific post-quantum DSA that will likely be
> > superseded in the next 3-5 years
> > 4) This strategy also serves as a secure means of transferring
> > balances into a post-quantum DSA address space, even in the event
> > that ECDSA is fully compromised and the transition is reactionary
> >
> > The proposal is a change to key generation only and will be
> > implemented by wallet providers.
> >
> > Feedback would be most appreciated.
> >
> > Regards,
> >
> > Tristan
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--001a11401934db0d8605650a9d95
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Tim,<div><br></div><div>Just read through your post, th=
anks for the heads up - I only just joined this mailing list.</div><div><br=
></div><div>In a post-quantum world, your second "d" type transac=
tion is completely forgeable, which means it is vulnerable to front-running=
. An adversary capable of breaking ECDSA needs only listen for these transa=
ctions, obtain "classic_sk" and then use a higher fee (or relatio=
nship with a miner) to effectively turn your original "d" transac=
tion into a double-spend, with the forged transaction sending all your fund=
s to the adversary.</div><div><br></div><div>I'm pretty confident that =
a PQ DSA is required to prevent front-running, and that no "commit-rev=
eal" scheme will be secure without one.</div><div><br></div><div>The o=
ther issue with your approach is that if it is rolled out today, it will ef=
fectively double transaction volumes - this is what I tried to solve in sol=
utions 2 and 3 in my article by instead modifying the address generation pr=
ocess.</div><div><div><br></div><div>Regards,</div><div><br></div><div>Tris=
tan</div></div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Tue, Feb 13, 2018 at 2:50 AM, Tim Ruffing via bitcoin-dev <span dir=
=3D"ltr"><<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" targe=
t=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>></span> wrote:<br=
><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex">Hi Tristan,<br>
<br>
Regarding the "Post-Quantum Address Recovery" part (I haven't=
read the<br>
other parts), you may be interested in my message to the list from last<br>
month and the rest of the thread:<br>
<a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-Jan=
uary/015659.html" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxf=
oundation.<wbr>org/pipermail/bitcoin-dev/<wbr>2018-January/015659.html</a><=
br>
<br>
This is an approach which aims to avoid the issues that you've<br>
mentioned in your blog post.<br>
<br>
Best,<br>
Tim<br>
<div><div class=3D"h5"><br>
On Tue, 2018-02-13 at 01:13 +1100, Tristan Hoy via bitcoin-dev wrote:<br>
> Hi all,<br>
><br>
> Recently I've been exploring what a post-quantum attack on Bitcoin=
<br>
> would actually look like, and what options exist for mitigating it.<br=
>
><br>
> I've put up a draft of my research here: <a href=3D"https://medium=
.com/@tristanh" rel=3D"noreferrer" target=3D"_blank">https://medium.com/@tr=
istanh</a><br>
> oy/11271f430c41<br>
><br>
> In summary:<br>
> 1) None of the recommended post-quantum DSAs (XMSS, SPHINCS) are<br>
> scalable<br>
> 2) This is a rapidly advancing space and committment to a specific<br>
> post-quantum DSA now would be premature<br>
> 3) I've identified a strategy (solution 3 in the draft) that<br>
> mitigates against the worst case scenario (unexpectedly early attack<b=
r>
> on ECDSA) without requiring any changes to the Bitcoin protocol or<br>
> total committment to a specific post-quantum DSA that will likely be<b=
r>
> superseded in the next 3-5 years<br>
> 4) This strategy also serves as a secure means of transferring<br>
> balances into a post-quantum DSA address space, even in the event<br>
> that ECDSA is fully compromised and the transition is reactionary<br>
><br>
> The proposal is a change to key generation only and will be<br>
> implemented by wallet providers.<br>
><br>
> Feedback would be most appreciated.<br>
><br>
> Regards,<br>
><br>
> Tristan<br>
</div></div>> ______________________________<wbr>_________________<br>
> bitcoin-dev mailing list<br>
> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@l=
ists.<wbr>linuxfoundation.org</a><br>
> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wb=
r>org/mailman/listinfo/bitcoin-<wbr>dev</a><br>
______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.=
<wbr>linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-<wbr>dev</a><br>
</blockquote></div><br></div>
--001a11401934db0d8605650a9d95--
|
