Message-ID: <912fd35e-02f5-49b5-b373-ca02806d952f@mattcorallo.com>
Date: Mon, 24 Mar 2025 21:06:01 -0400
MIME-Version: 1.0
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
To: Sjors Provoost <sjors@sprovoost.nl>,
 Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Cc: Jameson Lopp <jameson.lopp@gmail.com>
References: <CADL_X_cF=UKVa7CitXReMq8nA_4RadCF==kU4YG+0GYN97P6hQ@mail.gmail.com>
 <43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com>
 <ED96C777-5BBD-4ACE-8821-A53FDE8FA128@sprovoost.nl>
Content-Language: en-US
From: Matt Corallo <lf-lists@mattcorallo.com>
In-Reply-To: <ED96C777-5BBD-4ACE-8821-A53FDE8FA128@sprovoost.nl>



On 3/18/25 8:48 AM, Sjors Provoost wrote:
>
>> On 17 Mar 2025, at 13:00, Matt Corallo <lf-lists@mattcorallo.com> wrote:
>>
>> I think this is a strong motivation to do "simple PQC" today - while we don't need to decide on the tough question of seizing non-PQC coins today, we want to have the option to do so in the future.
>>
>> In order for that option to be practical, wallets need to be embedding PQC public keys in their outputs probably at least a decade before the seizure occurs, with any additional time giving us an important safety margin.
>
> I don't think that in practice we can deploy a PQC scheme without at the same time making a decision with regards to burn vs free-for-all. The best we can do is to have all that stuff well researched and tested long before on a signet.

As Jameson describes, I don't think there's a decision to be made here. If, at some point, a QC becomes undeniable reality (or near-term reality), *not* doing a freeze fork is to allow Bitcoin to simply die. The only thing we can do is set ourselves up for success such that that freeze freezes the minimum possible number of coins.

> Let's say the burn consensus rule is that no pk(), bare multisig, pkh()*, wpkh() output can be spent, in addition to any tr() key path.
> To be triggered at some point far enough in the future that people can migrate, but not too late. Let's ignore for now that this will be very hard to agree on, because people will disagree on the nature and timing of the threat until it's undeniable.
>
> In principle a PQC (Post-quantum cryptography) tap leaf scheme could be proposed in a BIP and activated in a soft-fork, without having to decide on the burn issue. Any time your wallet needs to generate a new address, it could add such a tap leaf just in case.
> But this adds a bunch of complexity to wallets, makes descriptor backups longer, etc. So adoption might be minimal. And since no sane person spends from the PQC path, we'd have no idea how much adoption there is.

Indeed, adoption is a challenge. This is true for any PQ scheme, however. Still, I'm dubious that simply no wallets would actually do that - there is material dramaz over PQ Bitcoin these days, and for (somewhat) good reason. Those selecting a wallet for short-term use of course have no need to do this, but those selecting a long-term storage wallet might see PQC as a feature they want, and select a wallet accordingly.

> More importantly, the activation of a PQC tapleaf soft fork would not be sufficient to permanently migrate coins. That's because in a free-for-all quantum scenario it's the wrong approach. The quantum attacker would just spend from your key path.

As noted above I don't buy that this is a possible outcome.

> In that scenario you'd need to use a NUMS point for the key path. Or maybe that's unsafe, in which case we'd need a new Taproot version without key path support (or BIP360). That's also not a difficult soft fork, but now again you have something that only a small set of users will want to use.

A NUMS point does not suffice unless we explicitly soft-fork out spending from that NUMS point (which is, of course, doable).

> This new address type is only suitable for very long term storage since it's more expensive to use in a pre-quantum world (using a regular Schnorr signature in a script path).
>
> So now we'd have two soft forks that ~nobody uses, because it's a bunch of extra wallet complexity and you don't know if you should use the tapleaf or the taproot-without-keypath address for your cold storage.
>
> I doubt that soft forks which nobody intends to use will be activated anytime soon.

There is nontrivial demand (again, for (somewhat) good reason) for PQC on bitcoin today. Suggesting that no one intends to use such a thing I find incredibly dubious.

Matt
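
An added illustration, not part of this message or the thread, of the NUMS exchange above: with a NUMS internal key P, the taproot output key Q = P + t*G is still an ordinary curve point, so a discrete-log solver works on Q directly and the key path stays spendable unless consensus disables it. The toy curve over F_43, all function names and the leaf label are assumptions made for the example.

```python
import hashlib

# Toy curve y^2 = x^3 + 7 over F_43 (prime order 31); constructed, not secp256k1.
P_FIELD, N, G = 43, 31, (2, 31)

def add(a, b):
    """Add two points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def nums_point(label=b"toy-nums"):
    """Hash to a curve point (try-and-increment): no one picked its dlog."""
    for ctr in range(256):
        x = h(label, bytes([ctr])) % P_FIELD
        rhs = (x ** 3 + 7) % P_FIELD
        y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)
        if y * y % P_FIELD == rhs:
            return (x, y)

def taproot_output(internal, merkle_root):
    """Q = P + H(P || root) * G: the taproot tweak in miniature."""
    t = h(bytes(internal), merkle_root) % N
    return add(internal, mul(t, G))

def solve_dlog(q):
    """Brute force standing in for a dlog solver: find d with d*G == q."""
    return next(d for d in range(N) if mul(d, G) == q)

Q = taproot_output(nums_point(), b"pqc-leaf")
print("output key", Q, "key-path secret", solve_dlog(Q))
```

The solver never looks at the internal key or the script tree, only at the output key that appears on chain.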
