1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
|
Return-Path: <martin.schwarz@gmail.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 98676C0001
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 23 Mar 2021 09:36:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 7D97060694
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 23 Mar 2021 09:36:46 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.602
X-Spam-Level:
X-Spam-Status: No, score=0.602 tagged_above=-999 required=5
tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp3.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id T9M_mp-zaH7H
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 23 Mar 2021 09:36:45 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com
[IPv6:2a00:1450:4864:20::633])
by smtp3.osuosl.org (Postfix) with ESMTPS id E045560812
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 23 Mar 2021 09:36:44 +0000 (UTC)
Received: by mail-ej1-x633.google.com with SMTP id a7so25950667ejs.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 23 Mar 2021 02:36:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=OVH0R+3J2EPofJmblxgp4lisV5uGCvYMVWBAFI+3/PU=;
b=lT01xwsUc96+xikmdCQoIgQ0n89k7CCAqEDtMhyo/aN9nU/bZJwV4RqL1nkpBo8TBw
JIf9hpdcjYC6ds4KTB1GTYVkgR+JsIKcJKvEbC0zrB0uYiadYoQXNMdG20aHwAwhn67J
fGOsz5SYhmuBrMIDju0NVeLGcbz0talUI2AyyeC9eOMBXFlCdeFzfohrmIQudkN8qSXV
YtIkh7GZ3qFRNL+na4ExVQYmjGAWxHu+41PYdj2hybav0SQq2aZ5F/txLOek/ZYV6dHl
y2qQrg5gPGiD+7Jm+Tn/yIK1elGhFhlcMhFoP1Tg6N6ABVynS7moieaZ0/XwQwi/6DDL
Gbww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=OVH0R+3J2EPofJmblxgp4lisV5uGCvYMVWBAFI+3/PU=;
b=oWhet77VrIWfzq4gIwFrZpCsKASAqZTzuXtHAJpuuUlxBEXsbtSXdjcKjMWU1ZdqXm
GkGEC5atC5+34wFYSFvogGy5koMKmVPIZoh0Ceww9hAoBcI1KI8ayPUE/YknCGtEcNpW
EaJVMkSrQ3+aL3U9/0+N+Tu0mDiXBhbaABHp6iA8yFF/F8xQQNK6VVWgJorvAMKQRjAI
vNZppANJbiWo1LPjLhkcnlMsSRrvWYu4vWC1QY0PWyDAQ31Wqh8uAlPlQNnn5iMPSG9I
ub9oOoif2HKcoz8XKukW9GnWA4nZSDU1C9DM8jhByTmLiaA1fyMcb53fGF/5+Q8TK7i6
MV1g==
X-Gm-Message-State: AOAM530TLf4ZPaTpp5DOuvvn63UzZtNHmAGZfaJvC9smSAAcDVxcJ4cp
ShmkElFKSIUBNNBUPK4LIStbl2xenuS8vfvJqlxVS3S+chbhdj5z
X-Google-Smtp-Source: ABdhPJxPoERnPDRwFEkWq17E8ai3/FXGmaOwFOP4+v5iUqMJVc8ZEdUJG7N1UAQZ3qQOqO5O2HvLCsVk2nU+usnwrl8=
X-Received: by 2002:a17:906:95d1:: with SMTP id
n17mr3947280ejy.394.1616492203116;
Tue, 23 Mar 2021 02:36:43 -0700 (PDT)
MIME-Version: 1.0
References: <202103152148.15477.luke@dashjr.org>
<CAJowKgLuWOkD=_jDaLqG=FOG02qX7p4-EZ69yvw4UqcWpz+rRg@mail.gmail.com>
In-Reply-To: <CAJowKgLuWOkD=_jDaLqG=FOG02qX7p4-EZ69yvw4UqcWpz+rRg@mail.gmail.com>
From: Martin Schwarz <martin.schwarz@gmail.com>
Date: Tue, 23 Mar 2021 10:36:32 +0100
Message-ID: <CAKhySQy3BZjPpk17DNedbobG4+VTkQQND_m2X6RhfyOrfkAiJA@mail.gmail.com>
To: Erik Aronesty <erik@q32.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000008c8cab05be30eb33"
X-Mailman-Approved-At: Tue, 23 Mar 2021 09:55:26 +0000
Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2021 09:36:46 -0000
--0000000000008c8cab05be30eb33
Content-Type: text/plain; charset="UTF-8"
Erik,
> Does anyone think it would it be useful to write up a more official,
and even partly functional plan for Bitcoin to use zero-knowledge
proofs to transition to quantum resistance?
yes, this would be appreciated very much! Andrew Chow's write-up
gives already some high-level idea, but a more detailed exposition
would be essential for further discussion.
thank you,
Martin
On Mon, Mar 22, 2021 at 3:47 PM Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> The argument that hashed public addresses provide meaningful quantum
> resistance is flawed *when considered in the context*.of Bitcoin
> itself.
>
> This article by Andrew Chow is easy to read and makes a strong case
> against the quantum utility of hashed public keys:
>
> https://cryptowords.github.io/why-does-hashing-public-keys-not-actually-provide-any-quantum-resistance
>
> And then, of course, one should be mindful of the case against quantum
> computing itself - it is neither inevitable nor "just around the
> corner". Mikhail Dyakonov summarized the arguments well here:
> https://t.co/cgrfrroTTT?amp=1.
>
> My current stance (at my company at least) is that planning for
> quantum computing should be limited to "a provable and written ability
> to upgrade if it becomes clear that it's necessary."
>
> Does anyone think it would it be useful to write up a more official,
> and even partly functional plan for Bitcoin to use zero-knowledge
> proofs to transition to quantum resistance?
>
> - Erik Aronesty
> CTO, Atkama
>
> On Mon, Mar 15, 2021 at 5:48 PM Luke Dashjr via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > I do not personally see this as a reason to NACK Taproot, but it has
> become
> > clear to me over the past week or so that many others are unaware of this
> > tradeoff, so I am sharing it here to ensure the wider community is aware
> of
> > it and can make their own judgements.
> >
> > Mark Friedenbach explains on his blog:
> > https://freicoin.substack.com/p/why-im-against-taproot
> >
> > In short, Taproot loses an important safety protection against quantum.
> > Note that in all circumstances, Bitcoin is endangered when QC becomes a
> > reality, but pre-Taproot, it is possible for the network to "pause"
> while a
> > full quantum-safe fix is developed, and then resume transacting. With
> Taproot
> > as-is, it could very well become an unrecoverable situation if QC go
> online
> > prior to having a full quantum-safe solution.
> >
> > Also, what I didn't know myself until today, is that we do not actually
> gain
> > anything from this: the features proposed to make use of the raw keys
> being
> > public prior to spending can be implemented with hashed keys as well.
> > It would use significantly more CPU time and bandwidth (between private
> > parties, not on-chain), but there should be no shortage of that for
> anyone
> > running a full node (indeed, CPU time is freed up by Taproot!); at
> worst, it
> > would create an incentive for more people to use their own full node,
> which
> > is a good thing!
> >
> > Despite this, I still don't think it's a reason to NACK Taproot: it
> should be
> > fairly trivial to add a hash on top in an additional softfork and fix
> this.
> >
> > In addition to the points made by Mark, I also want to add two more, in
> > response to Pieter's "you can't claim much security if 37% of the supply
> is
> > at risk" argument. This argument is based in part on the fact that many
> > people reuse Bitcoin invoice addresses.
> >
> > First, so long as we have hash-based addresses as a best practice, we can
> > continue to shrink the percentage of bitcoins affected through social
> efforts
> > discouraging address use. If the standard loses the hash, the situation
> > cannot be improved, and will indeed only get worse.
> >
> > Second, when/if quantum does compromise these coins, so long as they are
> > neglected or abandoned/lost coins (inherent in the current model), it
> can be
> > seen as equivalent to Bitcoin mining. At the end of the day, 37% of
> supply
> > minable by QCs is really no different than 37% minable by ASICs. (We've
> seen
> > far higher %s available for mining obviously.)
> >
> > To conclude, I recommend anyone using Bitcoin to read Mark's article, my
> > thoughts, and any other arguments on the topic; decide if this is a
> concern
> > to you, and make your own post(s) accordingly. Mark has conceded the
> argument
> > (AFAIK he doesn't have an interest in bitcoins anyway), and I do not
> consider
> > it a showstopper - so if anyone else out there does, please make yourself
> > known ASAP since Taproot has already moved on to the activation phase
> and it
> > is likely software will be released within the next month or two as
> things
> > stand.
> >
> > Luke
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--0000000000008c8cab05be30eb33
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>Erik,</div><div><br></div>>
Does anyone think it would it be useful to write up a more official,<br>and=
even partly functional plan for Bitcoin to use=C2=A0<span class=3D"gmail-i=
l">zero</span>-<span class=3D"gmail-il">knowledge</span><br>proofs to trans=
ition to=C2=A0<span class=3D"gmail-il">quantum</span>=C2=A0resistance?<div>=
<br></div><div>yes, this would be appreciated very much! Andrew Chow's =
write-up=C2=A0</div><div>gives already some high-level idea, but a more det=
ailed exposition</div><div>would be essential for further discussion.</div>=
<div><br></div><div>thank you,</div><div>Martin</div></div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Mar 22, 2021=
at 3:47 PM Erik Aronesty via bitcoin-dev <<a href=3D"mailto:bitcoin-dev=
@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>> w=
rote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The argume=
nt that hashed public addresses provide meaningful quantum<br>
resistance is flawed *when considered in the context*.of Bitcoin<br>
itself.<br>
<br>
This article by Andrew Chow is easy to read and makes a strong case<br>
against the quantum utility of hashed public keys:<br>
<a href=3D"https://cryptowords.github.io/why-does-hashing-public-keys-not-a=
ctually-provide-any-quantum-resistance" rel=3D"noreferrer" target=3D"_blank=
">https://cryptowords.github.io/why-does-hashing-public-keys-not-actually-p=
rovide-any-quantum-resistance</a><br>
<br>
And then, of course, one should be mindful of the case against quantum<br>
computing itself - it is neither inevitable nor "just around the<br>
corner".=C2=A0 =C2=A0Mikhail Dyakonov summarized the arguments well he=
re:<br>
<a href=3D"https://t.co/cgrfrroTTT?amp=3D1" rel=3D"noreferrer" target=3D"_b=
lank">https://t.co/cgrfrroTTT?amp=3D1</a>.<br>
<br>
My current stance (at my company at least) is that planning for<br>
quantum computing should be limited to "a provable and written ability=
<br>
to upgrade if it becomes clear that it's necessary."<br>
<br>
Does anyone think it would it be useful to write up a more official,<br>
and even partly functional plan for Bitcoin to use zero-knowledge<br>
proofs to transition to quantum resistance?<br>
<br>
- Erik Aronesty<br>
=C2=A0 CTO, Atkama<br>
<br>
On Mon, Mar 15, 2021 at 5:48 PM Luke Dashjr via bitcoin-dev<br>
<<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bla=
nk">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br>
><br>
> I do not personally see this as a reason to NACK Taproot, but it has b=
ecome<br>
> clear to me over the past week or so that many others are unaware of t=
his<br>
> tradeoff, so I am sharing it here to ensure the wider community is awa=
re of<br>
> it and can make their own judgements.<br>
><br>
> Mark Friedenbach explains on his blog:<br>
>=C2=A0 =C2=A0 =C2=A0<a href=3D"https://freicoin.substack.com/p/why-im-a=
gainst-taproot" rel=3D"noreferrer" target=3D"_blank">https://freicoin.subst=
ack.com/p/why-im-against-taproot</a><br>
><br>
> In short, Taproot loses an important safety protection against quantum=
.<br>
> Note that in all circumstances, Bitcoin is endangered when QC becomes =
a<br>
> reality, but pre-Taproot, it is possible for the network to "paus=
e" while a<br>
> full quantum-safe fix is developed, and then resume transacting. With =
Taproot<br>
> as-is, it could very well become an unrecoverable situation if QC go o=
nline<br>
> prior to having a full quantum-safe solution.<br>
><br>
> Also, what I didn't know myself until today, is that we do not act=
ually gain<br>
> anything from this: the features proposed to make use of the raw keys =
being<br>
> public prior to spending can be implemented with hashed keys as well.<=
br>
> It would use significantly more CPU time and bandwidth (between privat=
e<br>
> parties, not on-chain), but there should be no shortage of that for an=
yone<br>
> running a full node (indeed, CPU time is freed up by Taproot!); at wor=
st, it<br>
> would create an incentive for more people to use their own full node, =
which<br>
> is a good thing!<br>
><br>
> Despite this, I still don't think it's a reason to NACK Taproo=
t: it should be<br>
> fairly trivial to add a hash on top in an additional softfork and fix =
this.<br>
><br>
> In addition to the points made by Mark, I also want to add two more, i=
n<br>
> response to Pieter's "you can't claim much security if 37=
% of the supply is<br>
> at risk" argument. This argument is based in part on the fact tha=
t many<br>
> people reuse Bitcoin invoice addresses.<br>
><br>
> First, so long as we have hash-based addresses as a best practice, we =
can<br>
> continue to shrink the percentage of bitcoins affected through social =
efforts<br>
> discouraging address use. If the standard loses the hash, the situatio=
n<br>
> cannot be improved, and will indeed only get worse.<br>
><br>
> Second, when/if quantum does compromise these coins, so long as they a=
re<br>
> neglected or abandoned/lost coins (inherent in the current model), it =
can be<br>
> seen as equivalent to Bitcoin mining. At the end of the day, 37% of su=
pply<br>
> minable by QCs is really no different than 37% minable by ASICs. (We&#=
39;ve seen<br>
> far higher %s available for mining obviously.)<br>
><br>
> To conclude, I recommend anyone using Bitcoin to read Mark's artic=
le, my<br>
> thoughts, and any other arguments on the topic; decide if this is a co=
ncern<br>
> to you, and make your own post(s) accordingly. Mark has conceded the a=
rgument<br>
> (AFAIK he doesn't have an interest in bitcoins anyway), and I do n=
ot consider<br>
> it a showstopper - so if anyone else out there does, please make yours=
elf<br>
> known ASAP since Taproot has already moved on to the activation phase =
and it<br>
> is likely software will be released within the next month or two as th=
ings<br>
> stand.<br>
><br>
> Luke<br>
> _______________________________________________<br>
> bitcoin-dev mailing list<br>
> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl=
ank">bitcoin-dev@lists.linuxfoundation.org</a><br>
> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org=
/mailman/listinfo/bitcoin-dev</a><br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--0000000000008c8cab05be30eb33--
|
