On Tue, Jan 23, 2018 at 10:45:06PM +0000, Gregory Maxwell via bitcoin-dev wrote:
> On Tue, Jan 23, 2018 at 10:22 PM, Anthony Towns wrote:
> > Hmm, at least people can choose not to reuse addresses currently --
> > if everyone were using taproot and that didn't involve hashing the key,
>
> Can you show me a model of quantum computation that is conjectured to
> be able to solve the discrete log problem but which would take longer
> than fractions of a second to do so? Quantum computation has to occur
> within the coherence lifetime of the system.
>
> > way for individuals to hedge against quantum attacks in case they're
> > ever feasible, at least that I can see (well, without moving their
> > funds out of bitcoin anyway)?
>
> By using scriptpubkeys with actual security against quantum computers
> instead of snake-oil.
>
> > (It seems like using the point at infinity wouldn't work because
>
> Indeed, that doesn't work.
>
> > that when quantum attacks start approaching feasibility. If funds are
> > being held in reused addresses over the long term, that would be more
>
> They are. But I don't believe that is relevant; the attacker would
> simply steal the coins on spend.

Then the system would need to be hardforked to allow spending through a
quantum-resistant ZKP of knowledge of the hashed public key. I expect
that in a post-quantum world there will be demand for such a fork,
especially if we came into such a world through surprise evidence of a
discrete log break.

--
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom