Delivery-date: Mon, 17 Mar 2025 06:49:02 -0700 Received: from mail-ot1-f64.google.com ([209.85.210.64]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1tuApx-0004KT-Sb for bitcoindev@gnusha.org; Mon, 17 Mar 2025 06:49:02 -0700 Received: by mail-ot1-f64.google.com with SMTP id 46e09a7af769-72b862d2e23sf3084442a34.2 for ; Mon, 17 Mar 2025 06:49:02 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1742219336; cv=pass; d=google.com; s=arc-20240605; b=HgBC4fq6VJzAe9YLlzAH66Ughq/gyU8F4BoAtZiVG8I5JxTyvGstp0W6gc4hfsS5+Y WIeCiEwvg30TSVoek0FZBkSFL4fG9BLc3qgrF3JaOutKbuZ8t6VH84JJVXfCyfqOyw8o kDAsNcQgd1OoE4W0ul1gTz26tO0ZZ95oGtLVFxJMV8+Ixs5SN5gE6ZDPZtPxc+WZqOez u0ZjM9m/IE6uCwGCcVY6ZqMpD0UpAcpIftYEXRi0x3lD3TJkhoWNNQM1RQqa87CEcHN3 g5gdUH28cBujnsEQQMXcXlR94WmLoB/uUDTuaCxKTJKgpDWwUIBOktpyJ190UaQge3XW jFZg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:feedback-id :references:in-reply-to:message-id:subject:cc:from:to:date :dkim-signature; bh=anbbVt5HzvpeSNJeM/jAWr44+2JuKHfveWSvU7HAl+s=; fh=W38k0TixVIRtIwAsY1FaKnYBxAGg/yMnIqkp59Q04ZY=; b=gf7M+2hqnDknixruWm8TwQaE2hsgCUR5DRRnTpsQ25+dlZqKDP2yD0bHmiacusOPju LXim0JiKP2xx+1BVF95MORCpQhwOLTjZU9Jgnce22tYfYLK66ojeCvjUj+ZpWo4KX/sS +rrJXkeZeCKtSdfyJqpCt2BznBwXfwoLD+rZ+cUXwThjBmpStQwbnPAbzlUfCbd/zThB xxvYdnp8UPr3dXhub6cDBhst4BIOgu412xo5HMoAL98NBRZnAdqYnYoGz/0Bhd1s8aEP LSXPC+gsT16dMNyYQJ/Vmjy5Zl578C8sfpNWK3raCTzm6h0opsNZ66xVXYhW0jiCDVtF 9XlA==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=DuPOg4TD; spf=pass (google.com: domain of darosior@protonmail.com designates 185.70.43.22 as permitted sender) smtp.mailfrom=darosior@protonmail.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1742219336; x=1742824136; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :feedback-id:references:in-reply-to:message-id:subject:cc:from:to :date:from:to:cc:subject:date:message-id:reply-to; bh=anbbVt5HzvpeSNJeM/jAWr44+2JuKHfveWSvU7HAl+s=; b=wQYH1n6dq1Ka1sMieHpSh2FNGlj4IJW3dMuCMppoCK57tFs/teHZBzwZUEy4bCGgag rN8n9/SPJep930XtRHza+KLH+biHLMfiuNJmPoA3b7EHXi7hi8rxviA/xwyQq7tS0RoX QwY1fTIAwQqLr5MWDNRZ1frN4OZbhWIvL4hecbnHYv8LBiNikckwacTPVust8TAV2tGc eW846gJ20zM2QOnnWx1WL1rdN8pHx6gf06uXKdSoI2GDkc05arNUz03tcM/MKHWzLDe3 n6KN3CnN8k8dXdle6Hvzg1n6C2i79+O5flNSQHVdfRQ76D/pMk22dQ2rtybC8GhgH0Fk w+Zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742219336; x=1742824136; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :feedback-id:references:in-reply-to:message-id:subject:cc:from:to :date:x-beenthere:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=anbbVt5HzvpeSNJeM/jAWr44+2JuKHfveWSvU7HAl+s=; b=DLH6tO4xFHA0/aF4jSgByRpFTnKpPxKGGEbMizumU7Pca0IVQ33mH6tDaMOBNSWX6a MPUUK7W8B0Hy/g9BO6I5lApq2i2CRAAFO9IHd+3OY4lAJjLxqh8CwD9QdUoNw/84PqpB aZM6yEHw/MlzHwWXVKxPcUksg5/5OYRGfaMEQvLxTLHxfiCi9OLh9zv0sAjgz/tYen4r 3uhYEkemQndptpUaekdJi5fxxgzbU8DTdHSNX1R5KyTqRp8tbQiSDflFQZfTmoE6K+8w duFJwViMKPjY3sGqMRwBmTsTCH+J517PSICklfSWzYHyPALWwFuEiEUXOUsK5qKm/rTv JWOQ== X-Forwarded-Encrypted: i=2; AJvYcCVCKHe5IUuufE10zxOa4pfCfvnvaJrExlH/e1hmSy2zHRAtlgQYYo9XBVYsAKRLSMRYavephB7Zn+Tv@gnusha.org X-Gm-Message-State: AOJu0YxwyBHxkca4bX7/TEpTHYtEH/KyuYcXB9pvhEQWLOS2RitMoDbd cEEzVuzyv0MuAYlId+AKccDfq0eLWeG8wcvKicBFWFUyMu9EgK4J X-Google-Smtp-Source: AGHT+IEpKxRL/O2uBO4T1dL72cWzDZldBd8fy2jWeu/0fTQnjQT8MRAgYZzbOVbGaT+hMgdG+RIUBg== X-Received: by 2002:a05:6830:43a3:b0:72b:9d8d:5881 with SMTP id 46e09a7af769-72bbc661152mr6778274a34.28.1742219336192; Mon, 17 Mar 2025 06:48:56 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=ARLLPAI2dk1TCs2egwJDnnviTUaLBHRXqfc2J7d4g9PCH8FqTw== Received: by 2002:a4a:db6f:0:b0:601:7ee2:67b2 with SMTP id 006d021491bc7-601d89ac51bls49265eaf.2.-pod-prod-08-us; Mon, 17 Mar 2025 06:48:53 -0700 (PDT) X-Received: by 2002:a05:6808:2008:b0:3fa:3a0:137b with SMTP id 5614622812f47-3fdf036469cmr5647451b6e.29.1742219333286; Mon, 17 Mar 2025 06:48:53 -0700 (PDT) Received: by 2002:a05:600c:1594:b0:43c:fe31:d01d with SMTP id 5b1f17b1804b1-43d1f0cdf3dms5e9; Sun, 16 Mar 2025 11:50:51 -0700 (PDT) X-Received: by 2002:a05:600c:3b97:b0:43b:c878:144c with SMTP id 5b1f17b1804b1-43d1ec784dbmr105678865e9.12.1742151049436; Sun, 16 Mar 2025 11:50:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1742151049; cv=none; d=google.com; s=arc-20240605; b=DyjyBVN06vWR7n5578LER38BXvzGelgN8QXJFJThCutU2oEk/iDaetvCmK5n2acnn5 60L9svm47j5GrWHHtcdnZ2udJxQLgaWRltguTBwKbgd6sFzWOo62uLONfxSfJHBoQJ+E qav9xWFkJg1bLScKO8m+d/GUWzO3UxMPi9c+JREvQSSj+Dhpm7sr7XRv4LPQy60/CM9/ strPwtODECs3p7CCoUtUnMh70kcFXn53BbiY4xvLi9IFNmAqcyRYzQ/qiyqNporqm+tS jrUJTSeQnbCpA3uG9S1WSEyycronCatdvV9DEJLg8NEqq4N7jjNwPHzRwp4OsSrFKF1L AfIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:feedback-id:references:in-reply-to:message-id:subject :cc:from:to:date:dkim-signature; bh=U9KpK7/Q+ajJb9dkXJ7juMhkzo+kH5Ck4XizjpqfeDc=; fh=e8mGzZDYdpYqnwi61Z2ZCoTjhem9sTc9RL+143NeH7A=; b=E6n2bwDF1apOze+LCTRvQmNaY8FqtSkiVD6hhQhUaIZb4friD+7v4goTzf1+BqxX++ Kr8lY+vZS7e//6FJZDFbp5qFvvYp3Xrmre93T5kfkEw4ledBU7mJu6IJCv3815ORVtWy XePWm6UyWdSD7BYWnFUtFDunFSvXtQChGHShw31Wso3sP7SwQAU4+7ILesIfJeOSFusx pnhSyh9NSfxZlMrXcyZhohYmI+TXUFmTwXkWlu6QFdqp4ELcLhwdegesdEQ02JEEM9Cf vImrnB17Zn/GWBi6qqvBCwS238nuEs/SSK/6WFaVmWu88jeSWfw8oGM9rEPyBOgp+U1j U7qw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=DuPOg4TD; spf=pass (google.com: domain of darosior@protonmail.com designates 185.70.43.22 as permitted sender) smtp.mailfrom=darosior@protonmail.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch. [185.70.43.22]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-43d1fdda2f5si2084975e9.1.2025.03.16.11.50.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 16 Mar 2025 11:50:49 -0700 (PDT) Received-SPF: pass (google.com: domain of darosior@protonmail.com designates 185.70.43.22 as permitted sender) client-ip=185.70.43.22; Date: Sun, 16 Mar 2025 18:50:45 +0000 To: =?utf-8?Q?Martin_Habov=C5=A1tiak?= From: "'Antoine Poinsot' via Bitcoin Development Mailing List" Cc: Bitcoin Development Mailing List Subject: Re: [bitcoindev] Hashed keys are actually fully quantum secure Message-ID: In-Reply-To: References: Feedback-ID: 7060259:user:proton X-Pm-Message-ID: 20a43125faf0e533a2b3ea140acdb4ba7adc0928 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1=_hClUf7Eq5SqjRpKoGPXdd2QGIwvtUK2MV2SRVpYRo" X-Original-Sender: darosior@protonmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=DuPOg4TD; spf=pass (google.com: domain of darosior@protonmail.com designates 185.70.43.22 as permitted sender) smtp.mailfrom=darosior@protonmail.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com X-Original-From: Antoine Poinsot Reply-To: Antoine Poinsot Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -1.0 (-) --b1=_hClUf7Eq5SqjRpKoGPXdd2QGIwvtUK2MV2SRVpYRo Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > This way, the attacker would have to revert the chain to steal which is a= ssumed impossible. Or just create its own "QR output"? If your threat model assumes an attacker can promptly recover the private k= ey from the public key then once the user broadcasts his transaction spendi= ng both the old output and his own QR output the attacker could simply crea= te his own QR output and RBF the honest transaction. I suppose you could in theory have, in addition to making spending old outp= uts invalid on their own, a rule which dictates they may only be spent alon= g with a QR output at least X blocks old. This would give the honest user a= headstart in this race, but meh. On Sunday, March 16th, 2025 at 2:25 PM, Martin Habov=C5=A1tiak wrote: > Hello list, > > this is somewhat related to Jameson's recent post but different enough to= warrant a separate topic. > > As you have probably heard many times and even think yourself, "hashed ke= ys are not actually secure, because a quantum attacker can just snatch them= from mempool". However this is not strictly true. > > It is possible to implement fully secure recovery if we forbid spending o= f hashed keys unless done through the following scheme: > 0. we assume we have *some* QR signing deployed, it can be done even afte= r QC becomes viable (though not without economic cost) > 1. the user obtains a small amount of bitcoin sufficient to pay for fees = via external means, held on a QR script > 2. the user creates a transaction that, aside from having a usual spendab= le output also commits to a signature of QR public key. This proves that th= e user knew the private key even though the public key wasn't revealed yet. > 3. after sufficient number of blocks, the user spends both the old and QR= output in a single transaction. Spending requires revealing the previously= -committed sigature. Spending the old output alone is invalid. > > This way, the attacker would have to revert the chain to steal which is a= ssumed impossible. > > The only weakness I see is that (x)pubs would effectively become private = keys. However they already kinda are - one needs to protect xpubs for priva= cy and to avoid the risk of getting marked as "dirty" by some agencies, whi= ch can theoretically render them unspendable. And non-x-pubs generally do n= ot leak alone (no reason to reveal them without spending). > > I think that the mere possibility of this scheme has two important implic= ations: > * the need to have "a QR scheme" ready now in case of a QC coming tomorro= w is much smaller than previously thought. Yes, doing it too late has the e= ffect of temporarily freezing coins which is costly and we don't want that = but it's not nearly as bad as theft > * freezing of *these* coins would be both immoral and extremely dangerous= for reputation of Bitcoin (no comments on freezing coins with revealed pub= keys, I haven't made my mind yet) > > If the time comes I'd be happy to run a soft fork that implements this sa= nely. > > Cheers > > Martin > > -- > You received this message because you are subscribed to the Google Groups= "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an= email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit https://groups.google.com/d/msgid/bitcoinde= v/CALkkCJY%3Ddv6cZ_HoUNQybF4-byGOjME3Jt2DRr20yZqMmdJUnQ%40mail.gmail.com. --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= XHIL8Z4i4hji8LhbJ0AiKQ4eago2evXwjTGUOqqyAye_2nM3QicDpHo6KkcznBAHPUrIWSLj_Gu= iTQ_97KPjxcOrG8pE0rgcXucK2-4txKE%3D%40protonmail.com. --b1=_hClUf7Eq5SqjRpKoGPXdd2QGIwvtUK2MV2SRVpYRo Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
This way, the attacker would have to revert t= he chain to steal which is assumed impossible.
=20
=20
=20

<= div style=3D"font-family: Arial, sans-serif; font-size: 14px;">Or just crea= te its own "QR output"?

If your threat model assumes an attacker can promptly reco= ver the private key from the public key then once the user broadcasts his t= ransaction spending both the old output and his own QR output the attacker = could simply create his own QR output and RBF the honest transaction.
=

<= div style=3D"font-family: Arial, sans-serif; font-size: 14px;">I suppose yo= u could in theory have, in addition to making spending old outputs invalid = on their own, a rule which dictates they may only be spent along with a QR = output at least X blocks old. This would give the honest user a headstart i= n this race, but meh.
On Sunday, March 16th, 2025 at 2:25 PM, Martin Habov=C5=A1tiak <= martin.habovstiak@gmail.com> wrote:
Hello list,

this is somewhat related to Jameson's recent post but different= enough to warrant a separate topic.

As you have probably heard many times and even think yourself,= "hashed keys are not actually secure, because a quantum attacker can just = snatch them from mempool". However this is not strictly true.

It is possible to implement fully sec= ure recovery if we forbid spending of hashed keys unless done through the f= ollowing scheme:
0. we assume we have *some* QR sign= ing deployed, it can be done even after QC becomes viable (though not witho= ut economic cost)
1. the user obtains a small amount= of bitcoin sufficient to pay for fees via external means, held on a QR scr= ipt
2. the user creates a transaction that, aside fr= om having a usual spendable output also commits to a signature of QR public= key. This proves that the user knew the private key even though the public= key wasn't revealed yet.
3. after sufficient number= of blocks, the user spends both the old and QR output in a single transact= ion. Spending requires revealing the previously-committed sigature. Spendin= g the old output alone is invalid.

This way, the attacker would have to revert the chain to steal w= hich is assumed impossible.

The only weakness I see is that (x)pubs would effectively become privat= e keys. However they already kinda are - one needs to protect xpubs for pri= vacy and to avoid the risk of getting marked as "dirty" by some agencies, w= hich can theoretically render them unspendable. And non-x-pubs generally do= not leak alone (no reason to reveal them without spending).

I think that the mere possibility of = this scheme has two important implications:
* the ne= ed to have "a QR scheme" ready now in case of a QC coming tomorrow is much = smaller than previously thought. Yes, doing it too late has the effect of t= emporarily freezing coins which is costly and we don't want that but it's n= ot nearly as bad as theft
* freezing of *these* coin= s would be both immoral and extremely dangerous for reputation of Bitcoin (= no comments on freezing coins with revealed pubkeys, I haven't made my mind= yet)

If the time comes = I'd be happy to run a soft fork that implements this sanely.

Cheers

Martin

--
You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://grou= ps.google.com/d/msgid/bitcoindev/CALkkCJY%3Ddv6cZ_HoUNQybF4-byGOjME3Jt2DRr2= 0yZqMmdJUnQ%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= XHIL8Z4i4hji8LhbJ0AiKQ4eago2evXwjTGUOqqyAye_2nM3QicDpHo6KkcznBAHPUrIWSLj_Gu= iTQ_97KPjxcOrG8pE0rgcXucK2-4txKE%3D%40protonmail.com.
--b1=_hClUf7Eq5SqjRpKoGPXdd2QGIwvtUK2MV2SRVpYRo--