public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Lloyd Fournier <lloyd.fourn@gmail•com>
To: Karl-Johan Alm <karljohan-alm@garage•co.jp>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections
Date: Tue, 16 Mar 2021 10:46:05 +1100	[thread overview]
Message-ID: <CAH5Bsr2Rs=WGAVVjrDdtsYBGARNeeM210ubWacwJLJogMinm+w@mail.gmail.com> (raw)
In-Reply-To: <CALJw2w4hBk1pZrV7E6FNDPDCWH=T_S6qAHGKvRC6JsT9iZevfg@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4254 bytes --]

On Tue, 16 Mar 2021 at 09:05, Matt Corallo via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> There have been many threads on this before, I'm not sure anything new has
> been brought up here.
>
> Matt
>
> On 3/15/21 17:48, Luke Dashjr via bitcoin-dev wrote:
> > I do not personally see this as a reason to NACK Taproot, but it has
> become
> > clear to me over the past week or so that many others are unaware of this
> > tradeoff, so I am sharing it here to ensure the wider community is aware
> of
> > it and can make their own judgements.
>
> Note that this is most definitely *not* news to this list, eg, Anthony
> brought it up in "Schnorr and taproot (etc)
> upgrade" and there was a whole thread on it in "Taproot: Privacy
> preserving switchable scripting". This issue has been
> beaten to death, I'm not sure why we need to keep hitting the poor horse
> corpse.
>
>
I read through this thread just now. The QC discussion starts roughly here:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015620.html

My own (very possibly wrong) interpretation of the situation is:

1. Current addresses are very vulnerable to QC and would require hardfork
to fix (and not fix particularly well).
2. Once a QC resistant spending procedure has been developed it could be
added as a backup spending policy as a new tapleaf version (wallets would
have to opt into it).
3. If QC does get to the point where it can break ECC then we can disable
key-path spends via softfork
4. If everyone has moved their coins to Taproot addresses with a QC
resistant tapleaf backup then we're ok.
5. Since the above is almost certainly not going to happen we can simply
congratulate the new QC owners on the Bitcoin they take from old addresses
(specter of QC encourages moving to taproot which could be thought of as a
good thing).
6. Otherwise we have to hard fork to stop old addresses being spent without
a quantum resistant ZKP (oof!).
7. Once we know what we're up against a new quantum resistant segwit
version can be introduced (if it hasn't already).
8. If QC develop far enough to degrade SHA256 sufficiently (ECC probably
breaks first) then that's a whole other ball game since it affects PoW and
txids and so on and will likely require a hard fork.

The ordering of the above events is not predictable. IMO Mark's post is on
the wildly optimistic side of projected rate of progress from my limited
understanding. Either way it is strictly better to enter a QC world with
Taproot enabled and most people are using it so we can introduce QC
resistant backup spend paths without hardforks before they become
practical. Depending on what happens they may not be needed but it's good
to have the option.

On Tue, 16 Mar 2021 at 10:11, Karl-Johan Alm via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> On Tue, 16 Mar 2021 at 07:48, Matt Corallo via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org> wrote:
> >
> > Overall, the tradeoffs here seem ludicrous, given that any QC issues in
> Bitcoin need to be solved in another way, and
> > can't practically be solved by just relying on the existing hash
> indirection.
>
> The important distinction here is that, with hashes, an attacker has
> to race against the spending transaction confirming, whereas with
> naked pubkeys, the attacker doesn't have to wait for a spend to occur,
> drastically increasing the available time to attack.
>
>
First note that I am enthusiastically ignorant of QC technology so please
take the following with a bowl of salt.
The premise of Mark's post is that QC progress is currently exponential
(debatable) and will continue to be (unknowable) so "months" will turn into
days and into minutes in short time period. Since QC progress is
exponential and the speedup that ECC quantum algorithms offer is
exponential you're not dealing with the typical "Moore's law" progress in
terms of time to solve a particular problem; It's like exponential
exponential (math person help me now). You could easily go from ten
thousand years to break ECC to a few seconds within a year with that rate
of progress so I don't think "slow quantum" is an adversary worth
protecting against. I would love to know if I am wrong on this point.

Cheers,

LL

[-- Attachment #2: Type: text/html, Size: 5661 bytes --]

  parent reply	other threads:[~2021-03-15 23:46 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-15 21:48 Luke Dashjr
2021-03-15 22:05 ` Matt Corallo
2021-03-15 22:30   ` Robert Spigler
2021-03-15 22:40   ` Jeremy
2021-03-15 22:48     ` Matt Corallo
2021-03-15 23:01       ` Karl-Johan Alm
2021-03-15 23:19         ` Matt Corallo
2021-03-15 23:46         ` Lloyd Fournier [this message]
2021-03-16  0:50         ` Anthony Towns
2021-03-16  2:38           ` ZmnSCPxj
2021-03-16  3:44   ` Luke Dashjr
2021-03-16 13:28     ` Andrew Poelstra
2021-03-16 17:25     ` Matt Corallo
2021-03-17  1:23       ` Ryan Grant
2021-03-17 11:56         ` Eoin McQuinn
2021-03-15 23:12 ` Andrew Poelstra
2021-03-16 14:10   ` Andrea
2021-03-16 15:15     ` [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections) Andrew Poelstra
2021-03-17  4:24       ` ZmnSCPxj
2021-03-17  8:29         ` Andrea
2021-03-20 16:31           ` Andrea Barontini
2021-03-16  0:24 ` [bitcoin-dev] PSA: Taproot loss of quantum protections David A. Harding
2021-04-05  0:27   ` Lloyd Fournier
2021-04-16  3:47     ` ZmnSCPxj
2021-04-16  5:00       ` Lloyd Fournier
2021-03-22 14:24 ` Erik Aronesty
2021-03-23  9:36   ` Martin Schwarz
2021-03-23 10:50   ` Tim Ruffing
2021-08-12 22:08   ` Erik Aronesty

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAH5Bsr2Rs=WGAVVjrDdtsYBGARNeeM210ubWacwJLJogMinm+w@mail.gmail.com' \
    --to=lloyd.fourn@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=karljohan-alm@garage$(echo .)co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox