From: Lloyd Fournier
Date: Mon, 24 Mar 2025 11:24:38 +1100
Subject: Re: [bitcoindev] Hashed keys are actually fully quantum secure
To: Antoine Poinsot
Cc: Martin Habovštiak, Bitcoin Development Mailing List
On Tue, 18 Mar 2025 at 00:48, 'Antoine Poinsot' via Bitcoin Development Mailing List wrote:

> I suppose you could in theory have, in addition to making spending old
> outputs invalid on their own, a rule which dictates they may only be spent
> along with a QR output at least X blocks old. This would give the honest
> user a headstart in this race, but meh.

Yes, this is how I read the OP "after sufficient number of blocks". I think this is a really nice idea. The head start can be arbitrarily large so that the attacker simply cannot compete. It's probably not too difficult to design some honest RBF mechanism either such that you can bump the fee with a new QR signature if it's taking too long.

LL

> On Sunday, March 16th, 2025 at 2:25 PM, Martin Habovštiak <martin.habovstiak@gmail.com> wrote:
>
> Hello list,
>
> this is somewhat related to Jameson's recent post but different enough to warrant a separate topic.
>
> As you have probably heard many times and even think yourself, "hashed keys are not actually secure, because a quantum attacker can just snatch them from mempool". However this is not strictly true.
>
> It is possible to implement fully secure recovery if we forbid spending of hashed keys unless done through the following scheme:
> 0. we assume we have *some* QR signing deployed, it can be done even after QC becomes viable (though not without economic cost)
> 1. the user obtains a small amount of bitcoin sufficient to pay for fees via external means, held on a QR script
> 2. the user creates a transaction that, aside from having a usual spendable output also commits to a signature of QR public key. This proves that the user knew the private key even though the public key wasn't revealed yet.
> 3. after sufficient number of blocks, the user spends both the old and QR output in a single transaction. Spending requires revealing the previously-committed signature. Spending the old output alone is invalid.
>
> This way, the attacker would have to revert the chain to steal which is assumed impossible.
>
> The only weakness I see is that (x)pubs would effectively become private keys. However they already kinda are - one needs to protect xpubs for privacy and to avoid the risk of getting marked as "dirty" by some agencies, which can theoretically render them unspendable. And non-x-pubs generally do not leak alone (no reason to reveal them without spending).
>
> I think that the mere possibility of this scheme has two important implications:
> * the need to have "a QR scheme" ready now in case of a QC coming tomorrow is much smaller than previously thought. Yes, doing it too late has the effect of temporarily freezing coins which is costly and we don't want that but it's not nearly as bad as theft
> * freezing of *these* coins would be both immoral and extremely dangerous for reputation of Bitcoin (no comments on freezing coins with revealed pubkeys, I haven't made my mind yet)
>
> If the time comes I'd be happy to run a soft fork that implements this sanely.
>
> Cheers
>
> Martin
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALkkCJY%3Ddv6cZ_HoUNQybF4-byGOjME3Jt2DRr20yZqMmdJUnQ%40mail.gmail.com.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAH5Bsr0muoF27besnoQh32vL-keujeR%2Bd-_JurE0%2ByXY5gPKQg%40mail.gmail.com.
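The commit-then-reveal rules from Martin's post (steps 0 to 3) and Antoine's "at least X blocks old" variant, simulated as an added example that is not code from anyone in the thread. It assumes a minimum commitment age X of 6 blocks and replaces ECDSA with a stand-in that anyone holding the public key can forge, which is exactly what a quantum attacker watching the mempool can do; QR signatures and real transaction encoding are abstracted away.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()
# Stand-in for the old, quantum-breakable key: pub = H(priv), "signature" = H(pub, msg).
# The owner signs because priv yields pub; an attacker signs once pub is public.
def old_pubkey(priv): return H(b"pub", priv)
def old_sign(pub, msg): return H(b"sig", pub, msg)
def address(pub): return H(b"addr", pub)  # hashed key: all the chain sees until spend
X = 6  # assumed minimum commitment age in blocks (the honest user's head start)

class Chain:
    def __init__(self):
        self.height = 0
        self.qr_outputs = {}  # txid -> (qr_pubkey, commitment, created_at)
    def mine(self, n=1):
        self.height += n
    def commit(self, qr_pubkey, commitment):
        # Step 2: QR-funded coins move into a new QR output that also carries H(sig).
        txid = H(b"qr", qr_pubkey, commitment, bytes([self.height]))
        self.qr_outputs[txid] = (qr_pubkey, commitment, self.height)
        return txid
    def spend_old(self, old_addr, old_pub, sig, qr_txid):
        # Step 3: spend the hashed-key output together with the QR output, revealing
        # sig. These are consensus rules, so seeing old_pub here does not skip the wait.
        if qr_txid not in self.qr_outputs:
            return "rejected: old output cannot be spent on its own"
        qr_pubkey, commitment, created_at = self.qr_outputs[qr_txid]
        if address(old_pub) != old_addr:
            return "rejected: pubkey does not hash to the output's address"
        if sig != old_sign(old_pub, qr_pubkey):
            return "rejected: signature is not over this QR output's key"
        if H(sig) != commitment:
            return "rejected: revealed signature was not the committed one"
        if self.height - created_at < X:
            return "rejected: commitment is younger than X blocks"
        del self.qr_outputs[qr_txid]
        return "accepted"

def race():
    # Constructed scenario: honest commit at height 0; attacker first sees pub at X.
    chain = Chain()
    pub = old_pubkey(b"honest secret"); addr = address(pub)
    honest_qr, attacker_qr = b"honest QR pubkey", b"attacker QR pubkey"
    sig = old_sign(pub, honest_qr)
    honest_tx = chain.commit(honest_qr, H(sig))         # pub still hidden
    chain.mine(X)                                       # honest reveal broadcast
    forged = old_sign(pub, attacker_qr)                 # attacker forges from pub
    attacker_tx = chain.commit(attacker_qr, H(forged))  # earliest possible: height X
    return {"alone": chain.spend_old(addr, pub, forged, b"\0" * 32),
            "hijack": chain.spend_old(addr, pub, forged, honest_tx),
            "too_young": chain.spend_old(addr, pub, forged, attacker_tx),
            "honest": chain.spend_old(addr, pub, sig, honest_tx)}
```

The attacker's only valid path is to wait out X blocks on a commitment that is by construction younger than the honest one, which is the head start the reply above says can be made arbitrarily large.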