📅 Original date posted:2018-05-08
📝 Original message:
Benjamin,
I don't agree that quantum resistance should be a blocker to deployment of
scriptless scripts on lightning because 1) it is a layer-2 solution and 2)
it already critically depends on the security of DL.
There are arguments against making certain protocol changes to the base
Bitcoin blockchain for the reason that they may not be quantum resistant.
The most notable is Confidential Transactions. There reason is that the
worst case attack is much worse: an attacker could print money freely and
without detection. In Bitcoin today, a DL break would compromise funds in
any addresses for which the pubkey has been revealed and it's not even
clear what to do about the remaining funds on chain. Compromising the
fundamental security of the blockchain is a valid cause for concern.
In the case of Lightning, the attack scenario on scriptless scripts is that
a peer is going to use a quantum computer to steal all live payments routed
through them from their senders before they get to the recipient. This
would be bad, but not catastrophic, and once it is recognized that the
attack is possible, insecure channels could be closed.
But furthermore, an attacker with a quantum computer could just steal the
multisig funding output directly instead of attacking scriptless scripts.
So additional protocol changes relying on the DL assumption don't bother me
in the least.
On Tue, May 8, 2018, 6:32 AM Benjamin Mord <ben at mord.io> wrote:
>
> Sorry, I do not wish to spam the list, but I need to correct a rather
> serious error in my last email. We must never call something
> "post-quantum", absent mathematical proof. (And good luck with that.) I
> apologise for my mistake in doing so myself.
>
> I should not even refer to lattice based cryptography as a post-quantum
> algorithm, I should at best call it a Shor's algorithm-resistant scheme. At
> least, it is not (yet) known how Shor's algorithm could be used to break
> it. Not in public circles, anyhow.
>
> A cursory glance at the history of cryptanalysis shows that primitives
> generally have finite life, which makes it odd that systems seldom use
> redundant primitives, and seldom provide for their rapid and safe swap. A
> system whose entire security rests on nothing but cryptography, ought to
> take particular care! The spectre of quantum computers may render the
> finite life of certain primitives more salient than others, but we must not
> suppose that, absent Shor's algorithm, there would be no need to plan for
> cryptographic failures. The question is not if, but when, Bitcoin and
> lightning will contend with broken primitives, whether due to classical or
> quantum cryptanalysis. Likely, both will come into play at various times,
> and one must plan accordingly.
>
> On Tue, May 8, 2018, 9:09 AM Benjamin Mord <ben at mord.io> wrote:
>
>>
>> That would be awesome. Do you have a reference?
>>
>> As pertains to the whole of asymmetric cryptography, I believe there are
>> not a variety of post quantum schemes, there is only one*: lattice-based
>> cryptography. (Which scares me, because it is not all that different from
>> the others.)
>>
>> (* Actually, in contexts where time can be used for asymmetry, as in
>> TESLA, we can then use hash functions to create something like asymmetric
>> signatures as well. But the functional context has to be compatible with
>> delayed verification.)
>>
>> (But I do not mean to focus exclusively on Schor's algorithm, the history
>> of even pre-quantum cryptanalysis shows that primitives tend to have finite
>> lifespan. Redundancy of any sort of good, even when not focused
>> specifically on quantum risks.)
>>
>> On Tue, May 8, 2018, 8:58 AM Greg Sanders <gsanders87 at gmail.com> wrote:
>>
>>> From what I understand talking to folks, the linear properties of these
>>> signature tricks are maintained under a number of post-quantum schemes.
>>>
>>> On Tue, May 8, 2018 at 8:44 AM, Benjamin Mord <ben at mord.family> wrote:
>>>
>>>>
>>>> If I'm not mistaken, the scriptless scripts concept (as currently
>>>> formulated) falls to Schor's algorithm, and at present there is no
>>>> alternative implementation of the concept to fall back on. Correct? Lest we
>>>> build a house of cards, I'd strongly urge everyone to not depend on
>>>> functional concepts whose underlying cryptographic primitives cannot be
>>>> swapped in an emergency.
>>>>
>>>> Sure, we use ecdsa for example (which is also vulnerable to Schor's
>>>> algorithm), but in contrast to scriptless scripts we have a variety of
>>>> backup primitives at our disposal that fulfill the same functional
>>>> objective.
>>>>
>>>> If scriptless scripts are found possible under lattice-based
>>>> cryptography for example, that would be something I suppose. The functional
>>>> concept of scriptless scripts is indeed very awesome - we just need to add
>>>> some cryptographic conservatism before we build on it.
>>>>
>>>>
>>>> _______________________________________________
>>>> Lightning-dev mailing list
>>>> Lightning-dev at lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>>>
>>>>
>>> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180508/f3ebdf1a/attachment.html>