public inbox for bitcoindev@googlegroups.com
* [bitcoindev] Hashed keys are actually fully quantum secure
@ 2025-03-16 18:25 Martin Habovštiak
From: Martin Habovštiak @ 2025-03-16 18:25 UTC (permalink / raw)
  To: Bitcoin Development Mailing List


Hello list,

this is somewhat related to Jameson's recent post but different enough to
warrant a separate topic.

As you have probably heard many times and even think yourself, "hashed keys
are not actually secure, because a quantum attacker can just snatch them
from mempool". However, this is not strictly true.

It is possible to implement fully secure recovery if we forbid spending of
hashed keys unless done through the following scheme:
0. we assume we have *some* QR signing deployed; it can be done even after
QC becomes viable (though not without economic cost)
1. the user obtains a small amount of bitcoin sufficient to pay for fees
via external means, held on a QR script
2. the user creates a transaction that, aside from having a usual spendable
output, also commits to a signature of the QR public key. This proves that the
user knew the private key even though the public key wasn't revealed yet.
3. after a sufficient number of blocks, the user spends both the old and QR
outputs in a single transaction. Spending requires revealing the
previously-committed signature. Spending the old output alone is invalid.

This way, the attacker would have to revert the chain to steal, which is
assumed impossible.

The only weakness I see is that (x)pubs would effectively become private
keys. However, they already kinda are - one needs to protect xpubs for
privacy and to avoid the risk of getting marked as "dirty" by some
agencies, which can theoretically render them unspendable. And non-x-pubs
generally do not leak alone (there is no reason to reveal them without spending).

I think that the mere possibility of this scheme has two important
implications:
* the need to have "a QR scheme" ready now in case of a QC coming tomorrow
is much smaller than previously thought. Yes, doing it too late has the
effect of temporarily freezing coins, which is costly and we don't want that,
but it's not nearly as bad as theft.
* freezing of *these* coins would be both immoral and extremely dangerous
for the reputation of Bitcoin (no comments on freezing coins with revealed
pubkeys, I haven't made up my mind yet).

If the time comes I'd be happy to run a soft fork that implements this
sanely.

Cheers

Martin

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALkkCJY%3Ddv6cZ_HoUNQybF4-byGOjME3Jt2DRr20yZqMmdJUnQ%40mail.gmail.com.


* Re: [bitcoindev] Hashed keys are actually fully quantum secure
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2025-03-16 18:50 UTC (permalink / raw)
  To: Martin Habovštiak; +Cc: Bitcoin Development Mailing List


> This way, the attacker would have to revert the chain to steal which is assumed impossible.

Or just create its own "QR output"?

If your threat model assumes an attacker can promptly recover the private key from the public key then once the user broadcasts his transaction spending both the old output and his own QR output the attacker could simply create his own QR output and RBF the honest transaction.

I suppose you could in theory have, in addition to making spending old outputs invalid on their own, a rule which dictates they may only be spent along with a QR output at least X blocks old. This would give the honest user a headstart in this race, but meh.


* Re: [bitcoindev] Hashed keys are actually fully quantum secure
From: Agustin Cruz @ 2025-03-16 19:03 UTC (permalink / raw)
  To: Martin Habovštiak; +Cc: Bitcoin Development Mailing List


Hi Martin,

Your approach of using a committed QR signature to “anchor” the spending of
hashed keys is intriguing. If I understand correctly, the idea is:
- A user commits to a QR signature in a first transaction (Tx1), proving
ownership of the QR private key without exposing vulnerable data.
- Later, they spend both the old P2PKH output and the QR output together
(Tx2), revealing the QR signature, with rules ensuring the old output can’t
be spent independently.
- This forces an attacker to either forge a QR signature (infeasible with a
quantum-resistant scheme) or rewind the chain past Tx1’s confirmation
(infeasible with sufficient depth).

This seems to provide a solid defense against quantum theft, assuming the
QR scheme holds up and the blockchain remains secure. I also like how it
mitigates the “theft vs. freeze” dilemma. Temporary freezing is indeed less
catastrophic than permanent loss, and avoiding reputational damage is
crucial.

To better understand how this would work, I have two questions:

1. How would the QR signature commitment be encoded and verified in the
script? Would this require new opcodes or script functionality to check
the commitment when spending?

2. How would you enforce that the old P2PKH output can only be spent with
the QR output? Would this need a soft fork, and if so, what consensus
changes would be required?

Regards,
Agustín


* Re: [bitcoindev] Hashed keys are actually fully quantum secure
From: Martin Habovštiak @ 2025-03-16 20:52 UTC (permalink / raw)
  To: Agustin Cruz; +Cc: Bitcoin Development Mailing List


Antoine, "in addition to making spending old outputs invalid on their own,
a rule which dictates they may only be spent along with a QR output at
least X blocks old."

Yes, this is what I meant, but also the QR output must contain the
commitment. This rule makes it not "a race". The attacker cannot make the
commitment before knowing the private key and cannot reverse a deep chain.

Agustín, you understand it correctly. Sadly, the dilemma is only mitigated
for hashed keys, not revealed ones.

1. we would presumably bump the segwit version, so we can do whatever we like.
I assume it'd be something similar to today's Annex, but there are likely
more ways to do it with their pros and cons. I don't think these details
matter much today. But it's certainly possible.
2. of course, a soft fork would be required, but one will be needed anyway to
deploy a QR signing algo. And I don't think anything saving coins from certain
loss will be contentious. :)
The changes would need to identify inputs using secp256k1 verification and
look up the commitments in the other inputs. Also they'd need to check how
deep the spent inputs are.


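As an added illustration (not code from the thread or from any Bitcoin implementation), the Python toy below models the consensus rule Martin sketches in the original post and refines in this reply: a hashed-key input is spendable only together with a QR output that is at least X blocks deep and that carries a commitment to the old key's signature over the QR pubkey, so spending the old output alone, or with a freshly created QR output, fails. Assumptions: Lamport one-time signatures stand in for both secp256k1 and the QR scheme, X = 6, a dict-based chain in which input-less transactions mint coins (the "external means" funding), and the attacker's keys are named eve_*.

```python
import hashlib
import os

MIN_DEPTH = 6  # "at least X blocks old" from Martin's follow-up; X = 6 is an assumed value


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures stand in for BOTH secp256k1 (the pre-QC "old" key) and
# the QR scheme, so the model needs only the stdlib (assumption, not the proposal).
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)


def sign(sk, msg: bytes) -> bytes:
    d = H(msg)
    return b"".join(sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 32 * 256 or len(pk) != 64 * 256:
        return False
    d = H(msg)
    for i in range(256):
        start = 64 * i + 32 * ((d[i // 8] >> (7 - i % 8)) & 1)
        if H(sig[32 * i:32 * i + 32]) != pk[start:start + 32]:
            return False
    return True


def hashed_output(pk):             # P2PKH-style: only H(pk) is ever on chain
    return {"kind": "hashed", "pkh": H(pk)}


def qr_output(qr_pk, commitment):  # QR script carrying the commitment (annex-like)
    return {"kind": "qr", "qr_pk": qr_pk, "commit": commitment}


def sighash(tx):                   # signatures and txids cover everything but witnesses
    return H(repr(([i["prev"] for i in tx["inputs"]], tx["outputs"])).encode())


class Chain:
    def __init__(self):
        self.blocks, self.utxo = [], {}  # utxo: (txid, index) -> (output, mined height)

    def mine(self, txs):
        """Append a block; input-less txs mint coins (coinbase / "external means")."""
        for tx in txs:
            if tx["inputs"] and not self.validate(tx):
                raise ValueError("invalid tx")
            for i in tx["inputs"]:
                del self.utxo[i["prev"]]
            for n, out in enumerate(tx["outputs"]):
                self.utxo[(sighash(tx), n)] = (out, len(self.blocks))
        self.blocks.append(txs)
        return [(sighash(tx), 0) for tx in txs]  # first outpoint of each mined tx

    def validate(self, tx) -> bool:
        """A hashed-key input is valid only if the same tx spends a QR output at least
        MIN_DEPTH blocks deep whose commitment equals H(sig), sig being the hashed key's
        signature over that QR pubkey, revealed here. QR inputs need a QR signature."""
        if any(i["prev"] not in self.utxo for i in tx["inputs"]):
            return False
        spent = [(self.utxo[i["prev"]], i["witness"]) for i in tx["inputs"]]
        qr_ins = [(o, h) for (o, h), _ in spent if o["kind"] == "qr"]
        next_h, msg = len(self.blocks), sighash(tx)  # height this tx would be mined at
        for (out, _), w in spent:
            if out["kind"] == "qr":
                if not verify(out["qr_pk"], msg, w.get("qr_sig", b"")):
                    return False
            else:
                pk, csig = w.get("pk", b""), w.get("commit_sig", b"")
                if H(pk) != out["pkh"] or not any(
                        next_h - h >= MIN_DEPTH and q["commit"] == H(csig)
                        and verify(pk, q["qr_pk"], csig) for q, h in qr_ins):
                    return False
        return True


def run_scenario():
    chain = Chain()
    old_sk, old_pk = keygen()                      # Alice's pre-QC key, on chain as H(pk)
    [old_op] = chain.mine([{"inputs": [], "outputs": [hashed_output(old_pk)]}])
    # Steps 1-2: a QR output, funded externally, committing to sig_old(qr_pk)
    qr_sk, qr_pk = keygen()
    commit_sig = sign(old_sk, qr_pk)
    [qr_op] = chain.mine([{"inputs": [], "outputs": [qr_output(qr_pk, H(commit_sig))]}])
    for _ in range(MIN_DEPTH):                     # let the commitment mature
        chain.mine([])
    # Step 3: spend old + QR together, revealing pk and the committed signature
    tx2 = {"inputs": [{"prev": old_op, "witness": {}}, {"prev": qr_op, "witness": {}}],
           "outputs": [qr_output(keygen()[1], b"")]}
    tx2["inputs"][0]["witness"] = {"pk": old_pk, "commit_sig": commit_sig}
    tx2["inputs"][1]["witness"] = {"qr_sig": sign(qr_sk, sighash(tx2))}
    honest = chain.validate(tx2)
    # Attacker model: a QC yields old_sk from old_pk once tx2 is broadcast (here old_sk
    # is simply handed over) and the attacker races with a fresh QR output of its own.
    eve_sk, eve_pk = keygen()
    eve_sig = sign(old_sk, eve_pk)
    [eve_op] = chain.mine([{"inputs": [], "outputs": [qr_output(eve_pk, H(eve_sig))]}])
    eve_wit = {"pk": old_pk, "commit_sig": eve_sig}
    alone = {"inputs": [{"prev": old_op, "witness": eve_wit}], "outputs": [qr_output(eve_pk, b"")]}
    race = {"inputs": [{"prev": old_op, "witness": eve_wit}, {"prev": eve_op, "witness": {}}],
            "outputs": [qr_output(eve_pk, b"")]}
    race["inputs"][1]["witness"] = {"qr_sig": sign(eve_sk, sighash(race))}
    return {"honest": honest, "old_alone": chain.validate(alone), "race": chain.validate(race)}
```

The depth check is what turns Antoine's RBF race into a non-race: the attacker's QR output exists only after the key is learned, so it can never be MIN_DEPTH blocks old at the moment it is needed.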

* Re: [bitcoindev] Hashed keys are actually fully quantum secure
From: Lloyd Fournier @ 2025-03-17 10:44 UTC (permalink / raw)
  To: Martin Habovštiak; +Cc: Bitcoin Development Mailing List


This seems like a very clever idea. It allows us to mostly ignore the QC
question until a threat actually materializes and then soft fork to
disallow bare public key spending with minimal actions needed to be taken
by users. Nice work!

A couple of important points:
- Taproot keys are also "hashed keys" since the internal key is technically
hashed to produce the external. If you disallow key path spend you can
apply the same rule by using the internal key to produce the commitment
signature.
- Taproot keys are actually better hashed keys since you don't have to
worry about whether you've revealed your public key on-chain in the past
e.g. via address re-use if you use external key spends (since this doesn't
reveal your internal key).

If this approach gains acceptance I think the main immediate action users
can take is to move to a taproot wallet. I predict trying to advise people
to move to p2pkh addresses or that p2pkh addresses are "fine" will create
confusion since there are huge numbers of coins in p2pkh addresses whose
public key has already been revealed and people may do address reuse
without knowing it.

Also an attractive approach is to embed the QR signature scheme in a
tapleaf before activating it so that most coins already have a QR spending
path ready to go. This is more straightforward if taproot is normalized
first.

I understand that people might feel "less protected" on a taproot address
because they might get sniped by the QC attacker before the freezing fork
has been activated but I don't think this is a serious concern relative to
the millions of coins available with known public keys. We have to freeze
it before they can be taken.

So outside of cryptography, the difficult task is to come to a social
consensus mechanism about when to trigger the freezing soft fork. It should
be done *before* a secp256k1 DLOG QC can be built but *after* we know that
one can be built. Right now it is certainly not clear that one *can* be
built ever and we won't have any indication this decade and maybe the next.
It may be a matter of debate whether we've reached that point in 10 years
(it certainly isn't now) and you can imagine malicious actors trying to
subvert the process either to hold it back or to push it forward.

LL



* Re: [bitcoindev] Hashed keys are actually fully quantum secure
From: Martin Habovštiak @ 2025-03-17 11:07 UTC (permalink / raw)
  To: Lloyd Fournier; +Cc: Bitcoin Development Mailing List


Oh, great point that while the hashing in Taproot disallows spending when
null tweak is used, it's still usable to produce a proof similar to what I
suggested. Also very interesting point about address reuse being "fine"
with taproot.

I believe the QR signature scheme in tapleaf was already suggested but that
has the problem that the scheme needs to be specified in advance. IIUC it's
not currently clear which even is reasonable. My idea gives us more time to
figure that out.

However, I do not think that Taproot is generally safer than p2*pkh.
Comparing to millions of lost coins is not valid, since those at worst
decrease the price of bitcoin but economically wouldn't set it to literal
zero, thus the value of one's coins just decreases, while getting stolen
from means the value of one's coins goes to literal zero.

The difference wrt safety thus relies on how well one is able to avoid
address reuse. Some people can avoid it completely, some can't.

The social aspect is indeed messy.


