Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
From: Sjors Provoost <sjors@sprovoost.nl>
In-Reply-To: <43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com>
Date: Tue, 18 Mar 2025 13:48:12 +0100
Cc: Jameson Lopp <jameson.lopp@gmail.com>,
Matt Corallo <lf-lists@mattcorallo.com>
Message-Id: <ED96C777-5BBD-4ACE-8821-A53FDE8FA128@sprovoost.nl>
References: <CADL_X_cF=UKVa7CitXReMq8nA_4RadCF==kU4YG+0GYN97P6hQ@mail.gmail.com>
<43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>

> On 17 Mar 2025, at 13:00, Matt Corallo <lf-lists@mattcorallo.com> wrote:
>
> I think this is a strong motivation to do "simple PQC" today - while we don't need to decide on the tough question of seizing non-PQC coins today, we want to have the option to do so in the future.
>
> In order for that option to be practical, wallets need to be embedding PQC public keys in their outputs probably at least a decade before the seizure occurs, with any additional time giving us an important safety margin.

I don't think that in practice we can deploy a PQC scheme without at the same time making a decision with regards to burn vs free-for-all. The best we can do is to have all that stuff well researched and tested long before on a signet.

Let's say the burn consensus rule is that no pk(), bare multisig, pkh()*, wpkh() output can be spent, in addition to any tr() key path.

To be triggered at some point far enough in the future that people can migrate, but not too late. Let's ignore for now that this will be very hard to agree on, because people will disagree on the nature and timing of the threat until it's undeniable.

In principle a PQC (Post-quantum cryptography) tap leaf scheme could be proposed in a BIP and activated in a soft-fork, without having to decide on the burn issue. Any time your wallet needs to generate a new address, it could add such a tap leaf just in case.

But this adds a bunch of complexity to wallets, makes descriptor backups longer, etc. So adoption might be minimal. And since no sane person spends from the PQC path, we'd have no idea how much adoption there is.

More importantly, the activation of a PQC tapleaf soft fork would not be sufficient to permanently migrate coins. That's because in a free-for-all quantum scenario it's the wrong approach. The quantum attacker would just spend from your key path.

In that scenario you'd need to use a NUMS point for the key path. Or maybe that's unsafe, in which case we'd need a new Taproot version without key path support (or BIP360). That's also not a difficult soft fork, but now again you have something that only a small set of users will want to use.

This new address type is only suitable for very long term storage since it's more expensive to use in a pre-quantum world (using a regular Schnorr signature in a script path).

So now we'd have two soft forks that ~nobody uses, because it's a bunch of extra wallet complexity and you don't know if you should use the tapleaf or the taproot-without-keypath address for your cold storage.

I doubt that soft forks which nobody intends to use will be activated anytime soon.

- Sjors

---

* See appendix B of BIP380 for notation: https://github.com/bitcoin/bips/blob/master/bip-0380.mediawiki#appendix-b-index-of-script-expressions

Since we don't know which public keys are reused, the pkh() underlying public key can be brute force guessed by trying all known keys. There is also no alternative spending path. So it should be included in the burn.

sh() and wsh() would not be frozen. Some scripts may be guessable from context, but imo that doesn't outweigh the possibility that someone designed a quantum proof script - even a bad one.

Neither would any scriptPubKey that's different from the above standard templates. This allows implementing the freeze rule in a way that doesn't require deep / complicated inspection of the script.
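
The footnote's point that the freeze can be decided by template matching alone, shown as an added example (not part of the message above and not code from any Bitcoin implementation). The function names and the three result labels are hypothetical, the sample scripts are constructed, and a public key is assumed to be recognisable by its push length.

```python
# Added example, not code from the message or any Bitcoin implementation.
# Classifies a scriptPubKey by byte template only (no script execution).
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0xA9, 0x87, 0x88
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE


def key_push_len(spk: bytes, i: int) -> int:
    """Bytes used by a 33/65-byte key push at offset i, else 0.
    Assumption: a key is recognised by its push length alone."""
    if i < len(spk) and spk[i] in (33, 65) and i + 1 + spk[i] <= len(spk):
        return 1 + spk[i]
    return 0


def is_bare_multisig(spk: bytes) -> bool:
    """<m> <key>... <n> OP_CHECKMULTISIG with 1 <= m <= n <= 16."""
    if len(spk) < 3 or spk[-1] != OP_CHECKMULTISIG:
        return False
    if not OP_1 <= spk[0] <= spk[-2] <= OP_16:
        return False
    i, keys = 1, 0
    while (step := key_push_len(spk, i)) and i + step <= len(spk) - 2:
        i, keys = i + step, keys + 1
    return i == len(spk) - 2 and keys == spk[-2] - 0x50


def classify(spk: bytes) -> str:
    """'frozen', 'key-path-frozen' (tr(): script path stays) or 'unaffected'."""
    n = len(spk)
    if n in (35, 67) and key_push_len(spk, 0) == n - 1 and spk[-1] == OP_CHECKSIG:
        return "frozen"  # pk()
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "frozen"  # pkh()
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "frozen"  # wpkh()
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "key-path-frozen"  # tr()
    if is_bare_multisig(spk):
        return "frozen"  # bare multi()
    return "unaffected"  # sh(), wsh(), any other scriptPubKey


# Constructed samples (dummy key and hash bytes, not real outputs).
KEY, H20, H32 = b"\x02" + b"\x11" * 32, b"\x22" * 20, b"\x33" * 32
P2PK = bytes([33]) + KEY + bytes([OP_CHECKSIG])
MULTI = bytes([OP_1, 33]) + KEY + bytes([33]) + KEY + bytes([0x52, OP_CHECKMULTISIG])
P2SH = bytes([OP_HASH160, 20]) + H20 + bytes([OP_EQUAL])
P2WSH = bytes([OP_0, 32]) + H32
```

Anything that falls through every template, including a multisig-shaped script with a mismatched key count, is reported as unaffected, which matches the message's choice to leave non-template scripts alone.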