📅 Original date posted:2021-03-16
📝 Original message:(To reiterate: I do not intend any of this as a NACK of Taproot.)
On Monday 15 March 2021 22:05:45 Matt Corallo wrote:
> > First, so long as we have hash-based addresses as a best practice, we can
> > continue to shrink the percentage of bitcoins affected through social
> > efforts discouraging address use. If the standard loses the hash, the
> > situation cannot be improved, and will indeed only get worse.
>
> I truly wish this were the case, but we've been beating that drum for at
> least nine years and still haven't solved it.
I think we've made progress over those 9 years, don't you?
> > Second, when/if quantum does compromise these coins, so long as they are
> > neglected or abandoned/lost coins (inherent in the current model), it can
> > be seen as equivalent to Bitcoin mining. At the end of the day, 37% of
> > supply minable by QCs is really no different than 37% minable by ASICs.
> > (We've seen far higher %s available for mining obviously.)
>
> Except its not? One entity would be able to steal that entire block of
> supply rather quickly (presumably over the course of a few days, at
> maximum), instead of a slow process with significant upfront real-world
> cost in the form of electricity.
My understanding is that at least initial successes would likely be very slow.
Hopefully we would have a permanent solution before it got too out of hand.
On Monday 15 March 2021 23:01:47 Karl-Johan Alm via bitcoin-dev wrote:
> The important distinction here is that, with hashes, an attacker has
> to race against the spending transaction confirming, whereas with
> naked pubkeys, the attacker doesn't have to wait for a spend to occur,
> drastically increasing the available time to attack.
More importantly, once an attack is recognised, with hashes, people can simply
stop sending transactions and await a fix, to protect their stash. Without
hashes, there is no defense at all (other than sending bitcoins to a
non-taproot address and hoping they evade the attack in time).
On Monday 15 March 2021 23:12:18 Andrew Poelstra wrote:
> "No gain" except to save significant CPU time and bandwidth?
The CPU time is localised to involved nodes, and (correct me if I'm wrong)
trivial in comparison to what is required to run a full node in the first
place. I'm not sure how it looks with bandwidth.
> Having exposed keys also lets you do ring signatures over outputs, creating
> the ability to do private proof of funds via Provisions.
But you can also do comparable proofs behind a hash with Bulletproofs, right?
> > Despite this, I still don't think it's a reason to NACK Taproot: it
> > should be fairly trivial to add a hash on top in an additional softfork
> > and fix this.
>
> This would make Bitcoin strictly worse.
How so? People could just not use it if they don't care, right?
The alternative (if people care enough) is that those concerned about quantum
risk would be forced to forego the benefits of Taproot and stick to p2pkh or
such, which seems like an artificial punishment.
> > In addition to the points made by Mark, I also want to add two more, in
> > response to Pieter's "you can't claim much security if 37% of the supply
> > is at risk" argument. This argument is based in part on the fact that
> > many people reuse Bitcoin invoice addresses.
>
> 37% is a dramatic understatement. Every address which is derived using
> BIP32 should be assumed compromised to a QC attacker because xpubs are not
> treated like secret key material and are trivial to e.g. extract from
> hardware wallets or PSBTs. I expect the real number is close to 100%.
xpubs should be treated like secret key material IMO.
A quantum attacker would need to compromise your PC to attack a hardware
wallet, right?
> In any case, Taproot keys, when used according to the recommendation in
> BIP-0341, are already hashes of their internal keys, so (a) Taproot outputs
> actually have better quantum resistance than legacy outputs; and (b) adding
> another hash would be strictly redundant.
It not only stops the attacker from obtaining the original key, but also
prevents creating a new private key that can spend the output?
On Tuesday 16 March 2021 02:38:55 ZmnSCPxj via bitcoin-dev wrote:
> From this point-of-view, it seems to me that the amount of energy to mount
> a "fast" attack may eventually approach the energy required by mining, in
> which case someone who possesses the ability to mount such an attack may
> very well find it easier to just 51% the network (since that can be done
> today without having to pour R&D satoshis into developing practical quantum
> computers).
Mining adapts its difficulty to the block rate, so it will slow you down up to
4x each retarget. An attack on public keys would probably scale better. :)
Luke
Luke Dashjr [ARCHIVE] /
npub1tf…rfq0n
2023-06-07 18:30:54
in reply to nevent1q…3w8n
Author Public Key
npub1tfk373zg9dnmtvxnpnq7s2dkdgj37rwfj3yrwld7830qltmv8qps8rfq0nPublished at
2023-06-07 18:30:54Event JSON
{
"id": "02d298f12f121ae2a380dd60d64002d27ac8e1e17b11b3ddd8ce6a40281650ca",
"pubkey": "5a6d1f44482b67b5b0d30cc1e829b66a251f0dc99448377dbe3c5e0faf6c3803",
"created_at": 1686162654,
"kind": 1,
"tags": [
[
"e",
"a234deec8deaa4b2f960309b1c4b9227805148596a77c14f96fdcb654e31f3ba",
"",
"root"
],
[
"e",
"4ed1c1ad0f02264d60cf54609d577c3e522c622c70af5657fafd3167d04972d9",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2021-03-16\n📝 Original message:(To reiterate: I do not intend any of this as a NACK of Taproot.)\n\nOn Monday 15 March 2021 22:05:45 Matt Corallo wrote:\n\u003e \u003e First, so long as we have hash-based addresses as a best practice, we can\n\u003e \u003e continue to shrink the percentage of bitcoins affected through social\n\u003e \u003e efforts discouraging address use. If the standard loses the hash, the\n\u003e \u003e situation cannot be improved, and will indeed only get worse.\n\u003e\n\u003e I truly wish this were the case, but we've been beating that drum for at\n\u003e least nine years and still haven't solved it.\n\nI think we've made progress over those 9 years, don't you?\n\n\u003e \u003e Second, when/if quantum does compromise these coins, so long as they are\n\u003e \u003e neglected or abandoned/lost coins (inherent in the current model), it can\n\u003e \u003e be seen as equivalent to Bitcoin mining. At the end of the day, 37% of\n\u003e \u003e supply minable by QCs is really no different than 37% minable by ASICs.\n\u003e \u003e (We've seen far higher %s available for mining obviously.)\n\u003e\n\u003e Except its not? One entity would be able to steal that entire block of\n\u003e supply rather quickly (presumably over the course of a few days, at\n\u003e maximum), instead of a slow process with significant upfront real-world\n\u003e cost in the form of electricity.\n\nMy understanding is that at least initial successes would likely be very slow.\nHopefully we would have a permanent solution before it got too out of hand.\n\n\nOn Monday 15 March 2021 23:01:47 Karl-Johan Alm via bitcoin-dev wrote:\n\u003e The important distinction here is that, with hashes, an attacker has\n\u003e to race against the spending transaction confirming, whereas with\n\u003e naked pubkeys, the attacker doesn't have to wait for a spend to occur,\n\u003e drastically increasing the available time to attack.\n\nMore importantly, once an attack is recognised, with hashes, people can simply \nstop sending transactions and await a fix, to protect their stash. Without \nhashes, there is no defense at all (other than sending bitcoins to a \nnon-taproot address and hoping they evade the attack in time).\n\n\nOn Monday 15 March 2021 23:12:18 Andrew Poelstra wrote:\n\u003e \"No gain\" except to save significant CPU time and bandwidth?\n\nThe CPU time is localised to involved nodes, and (correct me if I'm wrong) \ntrivial in comparison to what is required to run a full node in the first \nplace. I'm not sure how it looks with bandwidth.\n\n\u003e Having exposed keys also lets you do ring signatures over outputs, creating\n\u003e the ability to do private proof of funds via Provisions.\n\nBut you can also do comparable proofs behind a hash with Bulletproofs, right?\n\n\u003e \u003e Despite this, I still don't think it's a reason to NACK Taproot: it\n\u003e \u003e should be fairly trivial to add a hash on top in an additional softfork\n\u003e \u003e and fix this.\n\u003e\n\u003e This would make Bitcoin strictly worse.\n\nHow so? People could just not use it if they don't care, right?\nThe alternative (if people care enough) is that those concerned about quantum \nrisk would be forced to forego the benefits of Taproot and stick to p2pkh or \nsuch, which seems like an artificial punishment.\n\n\u003e \u003e In addition to the points made by Mark, I also want to add two more, in\n\u003e \u003e response to Pieter's \"you can't claim much security if 37% of the supply\n\u003e \u003e is at risk\" argument. This argument is based in part on the fact that\n\u003e \u003e many people reuse Bitcoin invoice addresses.\n\u003e\n\u003e 37% is a dramatic understatement. Every address which is derived using\n\u003e BIP32 should be assumed compromised to a QC attacker because xpubs are not\n\u003e treated like secret key material and are trivial to e.g. extract from\n\u003e hardware wallets or PSBTs. I expect the real number is close to 100%.\n\nxpubs should be treated like secret key material IMO.\n\nA quantum attacker would need to compromise your PC to attack a hardware \nwallet, right?\n\n\u003e In any case, Taproot keys, when used according to the recommendation in\n\u003e BIP-0341, are already hashes of their internal keys, so (a) Taproot outputs\n\u003e actually have better quantum resistance than legacy outputs; and (b) adding\n\u003e another hash would be strictly redundant.\n\nIt not only stops the attacker from obtaining the original key, but also \nprevents creating a new private key that can spend the output?\n\n\nOn Tuesday 16 March 2021 02:38:55 ZmnSCPxj via bitcoin-dev wrote:\n\u003e From this point-of-view, it seems to me that the amount of energy to mount\n\u003e a \"fast\" attack may eventually approach the energy required by mining, in\n\u003e which case someone who possesses the ability to mount such an attack may\n\u003e very well find it easier to just 51% the network (since that can be done\n\u003e today without having to pour R\u0026D satoshis into developing practical quantum\n\u003e computers).\n\nMining adapts its difficulty to the block rate, so it will slow you down up to \n4x each retarget. An attack on public keys would probably scale better. :)\n\nLuke",
"sig": "8b4f8e3681354ab6e86baec567f69a79deb07368219db3fb1e3ae3f9b51521d87a380afd36a5e412710f9aa824db5373a707936a9f56af7297bc4e128ea766d8"
}