Message-ID: <912fd35e-02f5-49b5-b373-ca02806d952f@mattcorallo.com>
Date: Mon, 24 Mar 2025 21:06:01 -0400
MIME-Version: 1.0
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
To: Sjors Provoost <sjors@sprovoost.nl>,
 Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Cc: Jameson Lopp <jameson.lopp@gmail.com>
References: <CADL_X_cF=UKVa7CitXReMq8nA_4RadCF==kU4YG+0GYN97P6hQ@mail.gmail.com>
 <43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com>
 <ED96C777-5BBD-4ACE-8821-A53FDE8FA128@sprovoost.nl>
Content-Language: en-US
From: Matt Corallo <lf-lists@mattcorallo.com>
In-Reply-To: <ED96C777-5BBD-4ACE-8821-A53FDE8FA128@sprovoost.nl>

On 3/18/25 8:48 AM, Sjors Provoost wrote:
>
>> On 17 Mar 2025, at 13:00, Matt Corallo <lf-lists@mattcorallo.com> wrote:
>>
>> I think this is a strong motivation to do "simple PQC" today - while we don't need to decide on the tough question of seizing non-PQC coins today, we want to have the option to do so in the future.
>>
>> In order for that option to be practical, wallets need to be embedding PQC public keys in their outputs probably at least a decade before the seizure occurs, with any additional time giving us an important safety margin.
>
> I don't think that in practice we can deploy a PQC scheme without at the same time making a decision with regards to burn vs free-for-all. The best we can do is to have all that stuff well researched and tested long before on a signet.

As Jameson describes, I don't think there's a decision to be made here. If, at some point, a QC
becomes undeniable reality (or near-term reality), *not* doing a freeze fork is to allow Bitcoin to
simply die. The only thing we can do is set ourselves up for success such that that freeze freezes
the minimum possible number of coins.

> Let's say the burn consensus rule is that no pk(), bare multisig, pkh()*, wpkh() output can be spent, in addition to any tr() key path.
> To be triggered at some point far enough in the future that people can migrate, but not too late. Let's ignore for now that this will be very hard to agree on, because people will disagree on the nature and timing of the threat until it's undeniable.
>
> In principle a PQC (Post-quantum cryptography) tap leaf scheme could be proposed in a BIP and activated in a soft-fork, without having to decide on the burn issue. Any time your wallet needs to generate a new address, it could add such a tap leaf just in case.
> But this adds a bunch of complexity to wallets, makes descriptor backups longer, etc. So adoption might be minimal. And since no sane person spends from the PQC path, we'd have no idea how much adoption there is.

Indeed, adoption is a challenge. This is true for any PQ scheme, however. Still, I'm dubious that
simply no wallets would actually do that - there is material dramaz over PQ Bitcoin these days, and
for (somewhat) good reason. Those selecting a wallet for short-term use of course have no need to do
this, but those selecting a long-term storage wallet might see PQC as a feature they want, and
select a wallet accordingly.

> More importantly, the activation of a PQC tapleaf soft fork would not be sufficient to permanently migrate coins. That's because in a free-for-all quantum scenario it's the wrong approach. The quantum attacker would just spend from your key path.

As noted above I don't buy that this is a possible outcome.

> In that scenario you'd need to use a NUMS point for the key path. Or maybe that's unsafe, in which case we'd need a new Taproot version without key path support (or BIP360). That's also not a difficult soft fork, but now again you have something that only a small set of users will want to use.

A NUMS point does not suffice unless we explicitly soft-fork out spending from that NUMS point
(which is, of course, doable).

> This new address type is only suitable for very long term storage since it's more expensive to use in a pre-quantum world (using a regular Schnorr signature in a script path).
>
> So now we'd have two soft forks that ~nobody uses, because it's a bunch of extra wallet complexity and you don't know if you should use the tapleaf or the taproot-without-keypath address for your cold storage.
>
> I doubt that soft forks which nobody intends to use will be activated anytime soon.

There is nontrivial demand (again, for (somewhat) good reason) for PQC on bitcoin today. Suggesting
that no one intends to use such a thing I find incredibly dubious.

Matt
