Re: [bitcoin-dev] PSA: Taproot loss of quantum protections

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Andrew Poelstra <apoelstra@wpsoftware•net>
To: Luke Dashjr <luke@dashjr•org>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections
Date: Mon, 15 Mar 2021 23:12:18 +0000	[thread overview]
Message-ID: <YE/p0u3gp4UYNS7R@camus> (raw)
In-Reply-To: <202103152148.15477.luke@dashjr.org>

[-- Attachment #1: Type: text/plain, Size: 2362 bytes --]

On Mon, Mar 15, 2021 at 09:48:15PM +0000, Luke Dashjr via bitcoin-dev wrote:
> Also, what I didn't know myself until today, is that we do not actually gain 
> anything from this: the features proposed to make use of the raw keys being 
> public prior to spending can be implemented with hashed keys as well.
> It would use significantly more CPU time and bandwidth (between private 
> parties, not on-chain), but there should be no shortage of that for anyone 
> running a full node (indeed, CPU time is freed up by Taproot!); at worst, it 
> would create an incentive for more people to use their own full node, which 
> is a good thing!
> 

"No gain" except to save significant CPU time and bandwidth? As Matt points
out there is also a storage hit (unless you want to _really_ waste CPU time
by using pubkey recovery, eliminating any hope of batch validation while
introducing a new dependency on an algorithm with a very unclear patent
story).

Having exposed keys also lets you do ring signatures over outputs, creating the
ability to do private proof of funds via Provisions.

> Despite this, I still don't think it's a reason to NACK Taproot: it should be 
> fairly trivial to add a hash on top in an additional softfork and fix this.
> 

This would make Bitcoin strictly worse.

> In addition to the points made by Mark, I also want to add two more, in 
> response to Pieter's "you can't claim much security if 37% of the supply is 
> at risk" argument. This argument is based in part on the fact that many 
> people reuse Bitcoin invoice addresses.
> 

37% is a dramatic understatement. Every address which is derived using BIP32
should be assumed compromised to a QC attacker because xpubs are not treated
like secret key material and are trivial to e.g. extract from hardware wallets
or PSBTs. I expect the real number is close to 100%.

In any case, Taproot keys, when used according to the recommendation in
BIP-0341, are already hashes of their internal keys, so (a) Taproot outputs
actually have better quantum resistance than legacy outputs; and (b) adding
another hash would be strictly redundant.

-- 
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

next prev parent reply	other threads:[~2021-03-15 23:18 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-15 21:48 Luke Dashjr
2021-03-15 22:05 ` Matt Corallo
2021-03-15 22:30   ` Robert Spigler
2021-03-15 22:40   ` Jeremy
2021-03-15 22:48     ` Matt Corallo
2021-03-15 23:01       ` Karl-Johan Alm
2021-03-15 23:19         ` Matt Corallo
2021-03-15 23:46         ` Lloyd Fournier
2021-03-16  0:50         ` Anthony Towns
2021-03-16  2:38           ` ZmnSCPxj
2021-03-16  3:44   ` Luke Dashjr
2021-03-16 13:28     ` Andrew Poelstra
2021-03-16 17:25     ` Matt Corallo
2021-03-17  1:23       ` Ryan Grant
2021-03-17 11:56         ` Eoin McQuinn
2021-03-15 23:12 ` Andrew Poelstra [this message]
2021-03-16 14:10   ` Andrea
2021-03-16 15:15     ` [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections) Andrew Poelstra
2021-03-17  4:24       ` ZmnSCPxj
2021-03-17  8:29         ` Andrea
2021-03-20 16:31           ` Andrea Barontini
2021-03-16  0:24 ` [bitcoin-dev] PSA: Taproot loss of quantum protections David A. Harding
2021-04-05  0:27   ` Lloyd Fournier
2021-04-16  3:47     ` ZmnSCPxj
2021-04-16  5:00       ` Lloyd Fournier
2021-03-22 14:24 ` Erik Aronesty
2021-03-23  9:36   ` Martin Schwarz
2021-03-23 10:50   ` Tim Ruffing
2021-08-12 22:08   ` Erik Aronesty

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YE/p0u3gp4UYNS7R@camus \
    --to=apoelstra@wpsoftware$(echo .)net \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=luke@dashjr$(echo .)org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox