From: Natanael <natanael.l@gmail•com>
To: Gregory Maxwell <greg@xiph•org>,
Bitcoin Dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting
Date: Wed, 24 Jan 2018 13:51:45 +0100 [thread overview]
Message-ID: <CAAt2M1-oh=_Ro6+Srit0XYburK_abQgJiW0Jx=nmNyeToA2rSA@mail.gmail.com> (raw)
In-Reply-To: <CAAS2fgTNcCB2mfvCBhC_AhgxX=g8feYguGHN_VPWW0EoOOxMyA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 5418 bytes --]
Den 23 jan. 2018 23:45 skrev "Gregory Maxwell via bitcoin-dev" <
bitcoin-dev@lists•linuxfoundation.org>:
On Tue, Jan 23, 2018 at 10:22 PM, Anthony Towns <aj@erisian•com.au> wrote:
> Hmm, at least people can choose not to reuse addresses currently --
> if everyone were using taproot and that didn't involve hashing the key,
Can you show me a model of quantum computation that is conjectured to
be able to solve the discrete log problem but which would take longer
than fractions of a second to do so? Quantum computation has to occur
within the coherence lifetime of the system.
Quantum computers works like randomized black boxes, you run them in many
cycles with a certain probability of getting the right answer.
The trick to them is that they bias the probabilities of their qubits to
read out the correct answer *more often than at random*, for many classes
of problems. You (likely) won't get the correct answer immediately.
https://en.wikipedia.org/wiki/Quantum_computing
Quoting Wikipedia:
> An algorithm is composed of a fixed sequence of quantum logic gates and a
problem is encoded by setting the initial values of the qubits, similar to
how a classical computer works. The calculation usually ends with a
measurement, collapsing the system of qubits into one of the 2 n
{\displaystyle 2^{n}} 2^{n} pure states, where each qubit is zero or one,
decomposing into a classical state. The outcome can therefore be at most n
{\displaystyle n} n classical bits of information (or, if the algorithm did
not end with a measurement, the result is an unobserved quantum state).
Quantum algorithms are often probabilistic, in that they provide the
correct solution only with a certain known probability.
A non programmed QC is essentially an RNG driven by quantum effects. You
just get random bits.
A programmed one will need to run the and program over and over until you
can derive the correct answer from one of its outputs. How fast this goes
depends on the problem and the algorithm.
Most people here have heard of Grover's algorithm, it would crack a
symmetric 256 bit key in approximately 2^128 QC cycles - completely
impractical. Shor's algorithm is the dangerous one for ECC since it cracks
current keys at "practical" speeds.
https://eprint.iacr.org/2017/598 - resource estimates, in terms of size of
the QC. Does not address implementation speed.
I can't seem to find specific details, but I remember having seen estimates
of around 2^40 cycles in practical implementations for 256 bit ECC (this
assumes use error correction schemes, QC machines with small some
imperfections, and more). Unfortunately I can't find a source for this
estimate. I've seen lower estimates too, but they seem entirely
theoretical.
Read-out time for QC:s is indeed insignificant, in terms of measuring the
state of the qubits after a complete cycle.
Programming time, time to prepared for readout, reset, reprogramming, etc,
that will all take a little longer. In particular with more qubits
involved, since they all need to be in superposition and be coherent at
some point. Also, you still have to parse all the different outputs (on a
classical computer) to find your answer among them.
Very very optimistic cycle speeds are in the GHz range, and then that's
still on the order of ~15 minutes for 2^40 cycles. Since we don't even have
a proper general purpose QC yet, nor one with usable amounts of qubits, we
don't even know if we can make them run at a cycle per second, or per
minute...
However if somebody *does* build a fast QC that's nearly ideal, then
Bitcoin's typical use of ECC would be in immediate danger. The most
optimistic QC plausible would indeed be able to crack keys in under a
minute. But my own wild guess is that for the next few decades none will be
faster than a runtime measured in weeks for cracking keys.
---
Sidenote, I'm strongly in favor of implementing early support for the
Fawkes scheme mentioned previously.
We could even patch it on top of classical transactions - you can only
break ECC with a known public key, so just commit to the signed transaction
into the blockchain before publishing it. Then afterwards you publish the
transaction itself, with a reference to the commitment. That transaction
can then be assumed legit simply because there was no room to crack the key
before the commitment, and the transaction matches the commitment.
Never reuse keys, and you're safe against QC:s.
Sidenote: There's a risk here with interception, insertion of a new
commitment and getting the new transaction into the blockchain first.
However, I would suggest a mining policy here were two known conflicting
transactions with commitments are resolved such that the one with the
oldest commitment wins. How to address detection of conflicting
transactions with commitments older than confirmed transactions isn't
obvious. Some of these may be fully intentional by the original owner, such
as a regretted transaction.
Another sidenote: HD wallets with hash based hardened derivation should
also be safe in various circumstances, near completely safe in the case
where they're defined such that knowing an individual private key, which is
not the root key, is not enough to derive any other in your wallet.
HD schemes that only prevent derivation of parent keypairs in the tree
would require that you never use a key derived from another already used or
published public key.
[-- Attachment #2: Type: text/html, Size: 7301 bytes --]
next prev parent reply other threads:[~2018-01-24 12:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-23 0:30 Gregory Maxwell
2018-01-23 1:55 ` Chris Belcher
2018-01-23 2:51 ` Matt Corallo
2018-01-23 14:39 ` Mark Friedenbach
2018-01-23 21:23 ` Matt Corallo
2018-01-23 21:38 ` Gregory Maxwell
2018-01-23 6:44 ` Anthony Towns
2018-01-23 13:15 ` Gregory Maxwell
2018-01-23 22:22 ` Anthony Towns
2018-01-23 22:45 ` Gregory Maxwell
2018-01-24 1:52 ` Andrew Poelstra
2018-01-24 9:28 ` Tim Ruffing
2018-01-24 12:51 ` Natanael [this message]
2018-01-24 15:38 ` Tim Ruffing
2018-01-24 18:51 ` Natanael
2018-01-24 23:22 ` Tim Ruffing
2018-01-25 0:09 ` Natanael
2018-01-26 13:14 ` [bitcoin-dev] Recovery of old UTXOs in a post-quantum world Tim Ruffing
2018-01-27 17:07 ` [bitcoin-dev] Taproot: Privacy preserving switchable scripting Russell O'Connor
2018-01-27 17:23 ` Matt Corallo
2018-01-23 15:43 ` Greg Sanders
2018-01-26 21:34 ` Gregory Maxwell
2018-07-13 1:51 ` [bitcoin-dev] Generalised taproot Anthony Towns
2018-10-24 2:22 ` Pieter Wuille
2018-02-05 9:27 ` [bitcoin-dev] Taproot: Privacy preserving switchable scripting ZmnSCPxj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAt2M1-oh=_Ro6+Srit0XYburK_abQgJiW0Jx=nmNyeToA2rSA@mail.gmail.com' \
--to=natanael.l@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=greg@xiph$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox