Delivery-date: Wed, 12 Mar 2025 05:41:16 -0700
Sender: bitcoindev@googlegroups.com
Date: Wed, 12 Mar 2025 04:14:06 -0700 (PDT)
From: Jose Storopoli <jose@storopoli.io>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <77dbf51a-93aa-4d4a-87c0-b1303d83d5ccn@googlegroups.com>
In-Reply-To: <fac67bec-cbf3-4e49-b73d-f8057adca0aan@googlegroups.com>
References: <8797807d-e017-44e2-b419-803291779007n@googlegroups.com>
 <5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com>
 <16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>
 <5550807e-0655-4895-bc66-1b67bfde8c3e@gmail.com>
 <8e1cf1b5-27d1-4510-afec-52fb28959189n@googlegroups.com>
 <69ab395f-acba-4d11-87ee-9da6327509c6@gmail.com>
 <fac67bec-cbf3-4e49-b73d-f8057adca0aan@googlegroups.com>
Subject: Re: [bitcoindev] P2QRH / BIP-360 Update
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_46988_1905702069.1741778046769"
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com

------=_Part_46988_1905702069.1741778046769
Content-Type: multipart/alternative; 
	boundary="----=_Part_46989_1945388750.1741778046769"

------=_Part_46989_1945388750.1741778046769
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I think that ECDSA was a mistake in Bitcoin (Schnorr patent expired in=20
2008; but I do understand its motives).
My fear is that this BIP will become a mistake in Bitcoin in 15 years or=20
less.

It adds orders of magnitude to public keys sizes and/or signature sizes;=20
and verification computation cost.
About the whole QR cryptography hype:
one thing is to do have key encapsulation QR schemes in symmetric-key=20
cryptography where we don't have tight constrains around storage,
like with TLS, or E2EE messaging apps.
Another thing is to add these huge public key and signature schemes to a=20
storage-restricted blockchain like Bitcoin.
QR lattice-based asymmetric-key cryptography is still in its infancy both=
=20
in standards and research; and we should wait.

If we are worried about quantum menaces, a much better approach would be=20
the P2TRH (Pay To Taproot Hash),
even with the loss of batch verification, combined with advising users to=
=20
not re-use address.
Address reuse should be treated the same as nonce reuse: you get pwned!
Or Matt Corallo's emergency disable of key path spends in P2TR;

Jose Storopoli

On Monday, March 3, 2025 at 6:55:19=E2=80=AFPM UTC-3 Hunter Beast wrote:

> Hi, Jonas
>
> In order to spend the coins, a valid signature will need to be present in=
=20
> the attestation. Even if it's a 1/1024 multisig, a valid public key=20
> signature pair will need to be provided. The merkle path would then be ho=
w=20
> the arbitrary data could be encoded. In my mind this is a highly=20
> impractical scenario that gets exponentially more complex, and only works=
=20
> 32 bytes at a time.
>
> Does that make sense?
>
> Hunter
>
> On Wednesday, February 26, 2025 at 3:00:36=E2=80=AFAM UTC-7 Jonas Nick wr=
ote:
>
>> > it would require an extraordinary amount of computation to wind up wit=
h=20
>> enough=20
>> > to store arbitrary data.=20
>>
>> I have no idea why this would require extraordinary amount of=20
>> computation. In=20
>> the example I provided, arbitrary data can be included in the attestatio=
n=20
>> structure with zero additional computational cost, no elliptic curve=20
>> grinding or=20
>> hash collisions required.=20
>>
>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
77dbf51a-93aa-4d4a-87c0-b1303d83d5ccn%40googlegroups.com.

------=_Part_46989_1945388750.1741778046769
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I think that ECDSA was a mistake in Bitcoin (Schnorr patent expired in 2008=
; but I do understand its motives).<div>My fear is that this BIP will becom=
e a mistake in Bitcoin in 15 years or less.</div><div><br /></div><div>It a=
dds orders of magnitude to public keys sizes and/or signature sizes; and ve=
rification computation cost.</div><div>About the whole QR cryptography hype=
:</div><div>one thing is to do have key encapsulation QR schemes in symmetr=
ic-key cryptography where we don't have tight constrains around storage,</d=
iv><div>like with TLS, or E2EE messaging apps.</div><div>Another thing is t=
o add these huge public key and signature schemes to a storage-restricted b=
lockchain like Bitcoin.</div><div>QR lattice-based asymmetric-key cryptogra=
phy is still in its infancy both in standards and research; and we should w=
ait.</div><div><br /></div><div>If we are worried about quantum menaces, a =
much better approach would be the P2TRH (Pay To Taproot Hash),</div><div>ev=
en with the loss of batch verification, combined with advising users to not=
 re-use address.</div><div>Address reuse should be treated the same as nonc=
e reuse: you get pwned!</div><div>Or Matt Corallo's emergency disable of ke=
y path spends in P2TR;<br /></div><div><br /></div><div>Jose Storopoli</div=
><br /><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On=
 Monday, March 3, 2025 at 6:55:19=E2=80=AFPM UTC-3 Hunter Beast wrote:<br/>=
</div><blockquote class=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; borde=
r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi, Jonas<div><br=
></div><div>In order to spend the coins, a valid signature will need to be =
present in the attestation. Even if it&#39;s a 1/1024 multisig, a valid pub=
lic key signature pair will need to be provided. The merkle path would then=
 be how the arbitrary data could be encoded. In my mind this is a highly im=
practical scenario that gets exponentially more complex, and only works 32 =
bytes at a time.</div><div><br></div><div>Does that make sense?</div><div><=
br></div><div>Hunter<br><br></div><div class=3D"gmail_quote"><div dir=3D"au=
to" class=3D"gmail_attr">On Wednesday, February 26, 2025 at 3:00:36=E2=80=
=AFAM UTC-7 Jonas Nick wrote:<br></div><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0 0 0 0.8ex;border-left:1px solid rgb(204,204,204);padding-le=
ft:1ex"> &gt; it would require an extraordinary amount of computation to wi=
nd up with enough
<br> &gt; to store arbitrary data.
<br>
<br>I have no idea why this would require extraordinary amount of computati=
on. In
<br>the example I provided, arbitrary data can be included in the attestati=
on
<br>structure with zero additional computational cost, no elliptic curve gr=
inding or
<br>hash collisions required.
<br></blockquote></div></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/77dbf51a-93aa-4d4a-87c0-b1303d83d5ccn%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/77dbf51a-93aa-4d4a-87c0-b1303d83d5ccn%40googlegroups.com</a>.<br />

------=_Part_46989_1945388750.1741778046769--

------=_Part_46988_1905702069.1741778046769--