public inbox for bitcoindev@googlegroups.com
From: "Martin Habovštiak" <martin.habovstiak@gmail•com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Hashed keys are actually fully quantum secure
Date: Sun, 16 Mar 2025 19:25:00 +0100	[thread overview]
Message-ID: <CALkkCJY=dv6cZ_HoUNQybF4-byGOjME3Jt2DRr20yZqMmdJUnQ@mail.gmail.com> (raw)


Hello list,

this is somewhat related to Jameson's recent post but different enough to
warrant a separate topic.

As you have probably heard many times and may even think yourself, "hashed keys
are not actually secure, because a quantum attacker can just snatch them
from the mempool". However, this is not strictly true.

It is possible to implement fully secure recovery if we forbid spending of
hashed keys unless it is done through the following scheme:
0. we assume we have *some* QR signing deployed; it can be done even after a
QC becomes viable (though not without economic cost)
1. the user obtains a small amount of bitcoin, sufficient to pay for fees,
via external means, held on a QR script
2. the user creates a transaction that, aside from having a usual spendable
output, also commits to a signature of the QR public key. This proves that the
user knew the private key even though the public key wasn't revealed yet.
3. after a sufficient number of blocks, the user spends both the old and the QR
output in a single transaction. Spending requires revealing the
previously-committed signature. Spending the old output alone is invalid.

This way, the attacker would have to revert the chain to steal, which is
assumed impossible.

The only weakness I see is that (x)pubs would effectively become private
keys. However, they already kinda are: one needs to protect xpubs for
privacy and to avoid the risk of getting marked as "dirty" by some
agencies, which can theoretically render them unspendable. And non-x-pubs
generally do not leak alone (there is no reason to reveal them without spending).

I think that the mere possibility of this scheme has two important
implications:
* the need to have "a QR scheme" ready now, in case of a QC coming tomorrow,
is much smaller than previously thought. Yes, doing it too late has the
effect of temporarily freezing coins, which is costly and we don't want that,
but it's not nearly as bad as theft
* freezing of *these* coins would be both immoral and extremely dangerous
for the reputation of Bitcoin (no comments on freezing coins with revealed
pubkeys, I haven't made up my mind yet)

If the time comes I'd be happy to run a soft fork that implements this
sanely.

Cheers

Martin
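A toy model of the commit-then-reveal rule from steps 0 to 3 above, added here as an example; it is not part of the original post and not code from any Bitcoin implementation. To keep it standard-library only, both the legacy "hashed" key and the QR key are Lamport one-time signatures (the real legacy key would be ECDSA, but the validation logic does not depend on the signature scheme). COMMIT_DEPTH, the outpoint labels, the "spend:" message prefix and the chain model are assumptions, and the quantum attacker is modelled simply by handing it the legacy private key once the honest spend is visible in the mempool.

```python
import hashlib
import os
from dataclasses import dataclass, field

COMMIT_DEPTH = 6  # assumed: blocks a commitment must age before it can be used


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: 256 secret pairs, pubkey = hashes of both halves.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)
    return sk, pk


def lamport_sign(sk, msg: bytes) -> bytes:
    digest = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(digest >> (255 - i)) & 1] for i in range(256))


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    digest = int.from_bytes(H(msg), "big")
    for i in range(256):
        bit = (digest >> (255 - i)) & 1
        expected = pk[i * 64 + bit * 32 : i * 64 + (bit + 1) * 32]
        if H(sig[i * 32 : (i + 1) * 32]) != expected:
            return False
    return True


@dataclass
class Chain:
    """Minimal UTXO set plus the commitments confirmed so far (toy model)."""
    height: int = 0
    utxos: dict = field(default_factory=dict)    # outpoint -> ("hashed", H(pk)) | ("qr", pk)
    commits: dict = field(default_factory=dict)  # H(sig) -> height at which it confirmed

    def mine(self, n: int = 1) -> None:
        self.height += n

    def confirm_commitment(self, commitment: bytes) -> None:
        """Step 2: a mined tx carries H(sig_old(pk_qr)); pk_old itself stays hidden."""
        self.commits.setdefault(commitment, self.height)

    def spend_hashed(self, old_op, qr_op, pk_old, sig_delegate, qr_sig) -> bool:
        """Step 3: the consensus check for spending a hashed-key output."""
        old, qr = self.utxos.get(old_op), self.utxos.get(qr_op)
        if not old or old[0] != "hashed" or not qr or qr[0] != "qr":
            return False  # the old output cannot be spent without a QR output
        if H(pk_old) != old[1]:
            return False  # revealed pubkey must hash to the output's script
        pk_qr = qr[1]
        if not lamport_verify(pk_old, pk_qr, sig_delegate):
            return False  # old key must have signed *this* QR pubkey
        confirmed = self.commits.get(H(sig_delegate))
        if confirmed is None or self.height - confirmed < COMMIT_DEPTH:
            return False  # commitment missing or not yet buried deep enough
        if not lamport_verify(pk_qr, b"spend:" + old_op + qr_op, qr_sig):
            return False  # the QR key authorizes the transaction itself
        del self.utxos[old_op], self.utxos[qr_op]
        return True


def run_scenario() -> dict:
    chain = Chain()
    sk_old, pk_old = lamport_keygen()  # legacy key; only H(pk_old) is on chain
    sk_qr, pk_qr = lamport_keygen()    # steps 0-1: QR key funded for fees
    chain.utxos[b"old:0"] = ("hashed", H(pk_old))
    chain.utxos[b"qr:0"] = ("qr", pk_qr)
    sig_delegate = lamport_sign(sk_old, pk_qr)  # step 2: commit, reveal nothing
    chain.confirm_commitment(H(sig_delegate))
    qr_sig = lamport_sign(sk_qr, b"spend:old:0qr:0")
    r = {"spend_before_aging": chain.spend_hashed(b"old:0", b"qr:0", pk_old, sig_delegate, qr_sig)}
    chain.mine(COMMIT_DEPTH)  # honest spend is broadcast; attacker reads it from the mempool
    sk_atk, pk_atk = lamport_keygen()
    chain.utxos[b"qr:atk"] = ("qr", pk_atk)
    cracked_sk_old = sk_old  # assumption: a CRQC recovers sk_old from the revealed pk_old
    atk_qr_sig = lamport_sign(sk_atk, b"spend:old:0qr:atk")
    # (a) replay the revealed delegation signature towards the attacker's QR output
    r["attacker_replays_sig"] = chain.spend_hashed(b"old:0", b"qr:atk", pk_old, sig_delegate, atk_qr_sig)
    # (b) forge a fresh delegation with the cracked key and commit it right now
    atk_delegate = lamport_sign(cracked_sk_old, pk_atk)
    chain.confirm_commitment(H(atk_delegate))
    r["attacker_fresh_commit"] = chain.spend_hashed(b"old:0", b"qr:atk", pk_old, atk_delegate, atk_qr_sig)
    # the honest spend confirms while the attacker's commitment is still too young
    r["honest_spend"] = chain.spend_hashed(b"old:0", b"qr:0", pk_old, sig_delegate, qr_sig)
    chain.mine(COMMIT_DEPTH)  # attacker's commitment has aged, but the output is spent
    r["attacker_after_aging"] = chain.spend_hashed(b"old:0", b"qr:atk", pk_old, atk_delegate, atk_qr_sig)
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The two attacker attempts fail for different reasons: replaying the revealed signature fails because that signature commits to the victim's QR pubkey, and the victim's QR output cannot be co-spent without the QR key; a freshly forged delegation fails because its commitment is not COMMIT_DEPTH blocks deep until after the honest spend has confirmed and removed the output. That window is exactly the "attacker would have to revert the chain" assumption in the post, so COMMIT_DEPTH has to be chosen against the reorg depth one is willing to assume away.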

