Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 7C08210D0 for ; Thu, 25 Jan 2018 00:09:34 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f47.google.com (mail-wm0-f47.google.com [74.125.82.47]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9DA92E2 for ; Thu, 25 Jan 2018 00:09:33 +0000 (UTC) Received: by mail-wm0-f47.google.com with SMTP id f3so11837166wmc.1 for ; Wed, 24 Jan 2018 16:09:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=/V6Lystpv41Qe0CXj7M8rWF69+BluajmbPgXbANybjc=; b=ate9jKz81LklH/dI7SY8l3nLCjDvTDF1FYOTNTGvRPuwNlxkBuFU1tVQAdA2OfopRJ jIcJlnDtomoEm2E8lc61AVV8bTBMO8g7shPATln0ta4Ain532tz/Wg/Pq2A3cSVjNqx7 8bBK7DthHbKUjF05/H6t6Row1hpapjPleLL9vXXkKxDDT0RkDKxIbRA9QRICRBoJnWln 3IosNpWyvZGQ1LnzrBQa6mnkLR2WnxoHhDWNIpys8n2cU/dtWn6sCzsLdLgoAT91OBjy tNPei15BVJy5PrQohwEg8ydpR2KZO3SWYIStXw/M8lu7/6qqr+R2KglXpy/qzU7Er09s ALUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=/V6Lystpv41Qe0CXj7M8rWF69+BluajmbPgXbANybjc=; b=sqywqC41d3O+nduqQ5yb1TwRjvGcb2SdkneRbDs2Irut2Hdu8u6SWJGdlyYwEUcS7L YotGx+DGcRqjsFBno0fLobiln64J6rQZ0r6SAzksY/QQTcy3kUByTEyBxLURq+uZfkTz PJQbBvc0V7Otd3GXhGsHWKUiHlDtviD7tw5oCRivNNYhmN/7sv6Ao4VmCEBxLhcrqRDb orBtCAhGlS3bwTWTP+Nj4BLxJO8w3xvjCmnIRPYco6z5bQnm1AxlLhs9dpNNJZGjEgMD J9Gt/3yGTRj+xo+arnAbxrmquH5iv0vk6lkSROC9L9Yw2or9krrcUhkXcFFu8hJjbQpK zXgQ== X-Gm-Message-State: AKwxytcH2DdrhXmL50HrzqnVDzDEPINwRzAI2/RPG2tTIsr//GjlRBU6 /jbPGTxVCo5MzSYzieKgpck6twxWdSm4mF7KJqU= X-Google-Smtp-Source: AH8x225WqZyjseic7zYUIiZKigf3eAhiQ19+JIud2kmff+vW+UVHMepCJAxuTQ6sgJWGB0kDnZFlM6Qu4jLMlE6TIuM= X-Received: by 10.80.135.8 with SMTP id i8mr26051518edb.233.1516838972235; Wed, 24 Jan 2018 16:09:32 -0800 (PST) MIME-Version: 1.0 Received: by 10.80.169.103 with HTTP; Wed, 24 Jan 2018 16:09:31 -0800 (PST) Received: by 10.80.169.103 with HTTP; Wed, 24 Jan 2018 16:09:31 -0800 (PST) In-Reply-To: <1516836125.5969.11.camel@mmci.uni-saarland.de> References: <20180123064419.GA1296@erisian.com.au> <20180123222229.GA3801@erisian.com.au> <1516808291.4277.25.camel@mmci.uni-saarland.de> <1516836125.5969.11.camel@mmci.uni-saarland.de> From: Natanael Date: Thu, 25 Jan 2018 01:09:31 +0100 Message-ID: To: Tim Ruffing , Bitcoin Dev Content-Type: multipart/alternative; boundary="94eb2c0ef2e21f23c705638e98db" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Jan 2018 00:09:34 -0000 --94eb2c0ef2e21f23c705638e98db Content-Type: text/plain; charset="UTF-8" Den 25 jan. 2018 00:22 skrev "Tim Ruffing via bitcoin-dev" < bitcoin-dev@lists.linuxfoundation.org>: I think you misread my second proposal. The first step is not only to publish the hash but to publish a *pair* consisting of the hash and the transaction. If the attacker changes the transaction on the wire, the user does not care and will try again. I guess I assumed you meant it otherwise because I didn't assume you intended a commitment to the full transaction just without the asymmetric key material. You could treat it the same way as in my suggestion, let it expire and prune it if the key material isn't published in time. However... A sufficiently powerful attacker can deploy as soon as he sees your published signature and key, delay its propagation to the miners, force expiration and then *still* repeat the attack with his own forgery. Honestly, as long as we need to allow any form of expiry + relying on publication of the vulnerable algorithms result for verification, I think the weakness will remain. No expiration hurts in multiple ways like via DoS, or by locking in potentially wrong (or straight up malicious) transactions. --- There's one way out, I believe, which is quantum safe Zero-knowledge proofs. Currently STARK:s are one variant presumed quantum safe. It would be used to completely substitute the publication of the public key and signatures, and this way we don't even need two-step commitments. It does however likely require a hardfork to apply to old transactions. (I can imagine an extension block type softfork method, in which case old UTXO:s get locked on the mainchain to create equivalent valued extension block funds.) Without practical ZKP, and presuming no powerful QC attackers with the ability to control the network (basically NSA level attackers), I do think the Fawkes signature scheme is sufficient. Quantum attacks are likely to be very expensive anyway, for the foreseeable future. --94eb2c0ef2e21f23c705638e98db Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Den 25 jan. 2018 00:22 skrev "Tim Ruffing via bitcoin-dev" = <bitcoin-dev@li= sts.linuxfoundation.org>:

I think you misread my second proposal. The first step is not only to=
publish the hash but to publish a *pair* consisting of the hash and the
transaction.

If the attacker changes the transaction on the wire, the user does not
care and will try again.

I guess I assumed you meant it otherwise beca= use I didn't assume you intended a commitment to the full transaction j= ust without the asymmetric key material.=C2=A0

<= /div>
You could treat it the same way as in my suggestion,= let it expire and prune it if the key material isn't published in time= .=C2=A0

However... A suf= ficiently powerful attacker can deploy as soon as he sees your published si= gnature and key, delay its propagation to the miners, force expiration and = then *still* repeat the attack with his own forgery.=C2=A0

Honestly, as long as we need to allow an= y form of expiry + relying on publication of the vulnerable algorithms resu= lt for verification, I think the weakness will remain.=C2=A0

No expiration hurts in multiple ways = like via DoS, or by locking in potentially wrong (or straight up malicious)= transactions.

---
=

There's one way out, I be= lieve, which is quantum safe Zero-knowledge proofs.=C2=A0Currently STARK:s are one variant presumed quantum saf= e.=C2=A0It would be used to completely substitute the publication of= the public key and signatures, and this way we don't even need two-ste= p commitments.=C2=A0

It = does however likely require a hardfork to apply to old transactions. (I can= imagine an extension block type softfork method, in which case old UTXO:s = get locked on the mainchain to create equivalent valued extension block fun= ds.)

Without practical Z= KP,=C2=A0 and presuming no powerful QC attackers with the ability to contro= l the network (basically NSA level attackers), I do think the Fawkes signat= ure scheme is sufficient. Quantum attacks are likely to be very expensive a= nyway, for the foreseeable future.=C2=A0
--94eb2c0ef2e21f23c705638e98db--