1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
Return-Path: <apoelstra@wpsoftware.net>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id E262EC000A
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 16 Mar 2021 13:28:36 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id BCCA342D1D
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 16 Mar 2021 13:28:36 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level:
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RDNS_NONE=0.793] autolearn=no autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id pi3SsDSgKW3C
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 16 Mar 2021 13:28:35 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from mail.wpsoftware.net (unknown [66.183.0.205])
by smtp2.osuosl.org (Postfix) with ESMTP id C4B32414E0
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 16 Mar 2021 13:28:35 +0000 (UTC)
Received: from camus (camus-andrew.lan [192.168.0.190])
by mail.wpsoftware.net (Postfix) with ESMTPSA id 8ACD7400F9;
Tue, 16 Mar 2021 13:23:28 +0000 (UTC)
Date: Tue, 16 Mar 2021 13:28:34 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Luke Dashjr <luke@dashjr.org>
Message-ID: <YFCygncy/hyxFRWz@camus>
References: <202103152148.15477.luke@dashjr.org>
<a88cd471-fdc9-de35-86cd-595b387249c8@mattcorallo.com>
<202103160344.26299.luke@dashjr.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature"; boundary="0EwcQkygrej2ZUHa"
Content-Disposition: inline
In-Reply-To: <202103160344.26299.luke@dashjr.org>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2021 13:28:37 -0000
--0EwcQkygrej2ZUHa
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Mar 16, 2021 at 03:44:25AM +0000, Luke Dashjr wrote:
> (To reiterate: I do not intend any of this as a NACK of Taproot.)
>
Thanks, although it's still somewhat frustrating to be rehashing this
discussion again after so many years.
=20
> On Monday 15 March 2021 23:12:18 Andrew Poelstra wrote:
> > "No gain" except to save significant CPU time and bandwidth?
>=20
> The CPU time is localised to involved nodes, and (correct me if I'm wrong=
)=20
> trivial in comparison to what is required to run a full node in the first=
=20
> place. I'm not sure how it looks with bandwidth.
>
I really can't parse what "localized to involved nodes" means. All Bitcoin
nodes will be affected. Right now for nodes with sufficient bandwidth, sign=
ature
validation is the slowest part of validating transactions, which is why it
is disabled for the bulk of the chain during IBD. Taproot, by virtue of
enabling batch verification, would give a 2-3x speedup when validating the
same number of signatures.
=20
> > Having exposed keys also lets you do ring signatures over outputs, crea=
ting
> > the ability to do private proof of funds via Provisions.
>=20
> But you can also do comparable proofs behind a hash with Bulletproofs, ri=
ght?
>
Yes, if you are willing to accept independent >100000x slowdowns on proving,
verification and code review.
=20
> > > Despite this, I still don't think it's a reason to NACK Taproot: it
> > > should be fairly trivial to add a hash on top in an additional softfo=
rk
> > > and fix this.
> >
> > This would make Bitcoin strictly worse.
>=20
> How so? People could just not use it if they don't care, right?
> The alternative (if people care enough) is that those concerned about qua=
ntum=20
> risk would be forced to forego the benefits of Taproot and stick to p2pkh=
or=20
> such, which seems like an artificial punishment.
>
People who do use it will reduce their privacy set, reduce the privacy set =
of
people who aren't using it, create confusion and delays for people implemen=
ting
Taproot, and slow down Bitcoin nodes who would have to validate the extra
material.
=20
> > > In addition to the points made by Mark, I also want to add two more, =
in
> > > response to Pieter's "you can't claim much security if 37% of the sup=
ply
> > > is at risk" argument. This argument is based in part on the fact that
> > > many people reuse Bitcoin invoice addresses.
> >
> > 37% is a dramatic understatement. Every address which is derived using
> > BIP32 should be assumed compromised to a QC attacker because xpubs are =
not
> > treated like secret key material and are trivial to e.g. extract from
> > hardware wallets or PSBTs. I expect the real number is close to 100%.
>=20
> xpubs should be treated like secret key material IMO.
>=20
Your opinion is noted. This is not how xpubs are, in reality, treated. And
it would make them significantly less useful if you could no longer share
descriptors with people you would like to do multiparty transactions with.
> A quantum attacker would need to compromise your PC to attack a hardware=
=20
> wallet, right?
>=20
No, I expect you could get xpubs out of hardware wallets using any of the
web endpoints provided by hardware wallet vendors, or by asking it to update
a PSBT with any of its scriptpubkeys.
> > In any case, Taproot keys, when used according to the recommendation in
> > BIP-0341, are already hashes of their internal keys, so (a) Taproot out=
puts
> > actually have better quantum resistance than legacy outputs; and (b) ad=
ding
> > another hash would be strictly redundant.
>=20
> It not only stops the attacker from obtaining the original key, but also=
=20
> prevents creating a new private key that can spend the output?
>=20
I don't know what you mean by this. If the original key is usable, i.e. a QC
has appeared overnight, then Bitcoin is screwed. (For that matter, the same=
is
true if there is an overnight break in SHA2, or ECDSA, or any other major
component of Bitcoin. Fortunately this is not how cryptographic breaks have
historically appeared.) There is no new private key that could be created.
If there is a QC where we have some warning, then we need to disable all EC
operations in Script, including keypath spends of Taproot outputs, and this
would be true with or without the redundant extra hash.
Taproot, with or without the redundant hash, has a few distinct benefits ov=
er
legacy outputs in this scenario:
* Taproot keys are hashes of semi-secret data (at least as secret as xpub=
s)
in a well-defined and simple way, by virtue of committing to an internal
key and some script (usually unspendable)
* By adding secret data to the script, users can provide extra data to pr=
ove
in a QC-hard way, even if their internal key is compromised
* Taproot keys can be chosen to be provably unspendable except by a DL br=
eak,
as David Harding points out, by using a NUMS point as an internal key.
None of these factors are improved by adding an extra hash.
--=20
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew
The sun is always shining in space
-Justin Lewis-Webster
--0EwcQkygrej2ZUHa
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEkPnKPD7Je+ki35VexYjWPOQbl8EFAmBQsn4ACgkQxYjWPOQb
l8F03Qf+PYw80K0gYPOK0QfHLTIaXBfO4F2D5ufP8qU2vvOsvHsqlHgrMStaXvQ9
r//RW5AAT7mnqNv7TFXW8xXCtpJ2qOkHqGZL84R6BO4sFf6YcrUBMdMctCHE3L6u
JuBowXwWSBBxDSXyxGUIVZ5EBYHmZc/y1jLWTtsz3PdlEKm+wueLrl3OGOLR465A
4kPIxSV07y7QW4jhKtaacnozPcJgGeANCn/jQ31ZqECRgdaTFn8yAwyQvE/k9mAY
QFcnW2uKFMVXxKsigY0ecO7OAZaO8cAnIYteG3WGd3AxGxm0NqlRVyEsfmjtwzhM
K1UkacmBxrGQC6Caiaz5fMwbPgcCog==
=HQDI
-----END PGP SIGNATURE-----
--0EwcQkygrej2ZUHa--
|