📅 Original date posted:2018-01-26
📝 Original message:(changing the subject... ;))
My proposal does not include any form of expiration, so I don't see how
it should be vulnerable to the described attack.
To make this a little bit more detailed:
The user has one or more single standard UTXOs all with ECDSA public
key classic_pk and thus address SHA256(RIPEMD160((classic_pk)). The
corresponding secret key is classic_sk. Let MAC be a quantum-secure
message-authentication code, e.g., MAC(k,x)=H(k||x) for a suitable hash
function, e.g, BLAKE2 or SHA3.
The idea is to (ab)use the public key classic_pk as a key for the MAC.
To spend an UTXO with a transaction tx, the user does the following:
1. Create and publish a "transaction" c that references the address
SHA256(RIPEMD160((classic_pk)) and contains the following data:
MAC(classic_pk,tx))||tx
2. Wait until c is confirmed. (If it does not confirm, send it again as
usual).
3. Create and publish a "transaction" d with the following data:
classic_pk||Sign(classic_sk, tx)
Consensus rules:
A transaction d=classic_pk||sig spends all UTXOs with
address SHA256(RIPEMD160(classic_pk)), applying the effects of tx, if
there exists a transaction c=mac||tx in the blockchain such that
1. c is the first transaction (among all referencing the address) in
the blockchain where mac is a valid MAC for message tx under correct
key classic_pk
2. sig is valid ECDSA signature over tx under public key classic_pk
c-transactions never expire.
If the user has not published classic_pk before, this should be secure
against quantum attackers:
Before step 2, the MAC key k=classic_pk is only known to the user. So
the only valid c that the attacker can produce has the real transaction
tx, because a different transaction tx' requires the attacker to forge
the MAC. Since the user waits for confirmation, the first c in the
blockchain fulfilling conditions 1 and 2 has been created by the user.
Even if classic_pk is known, this is no less secure than "classic
spending", because we require an ECDSA signature on tx.
I'm pretty confident that I'm not overlooking an obvious attack. If I'm
wrong then please describe exactly the steps of the user and the
attacker.
Best,
Tim
On Thu, 2018-01-25 at 01:09 +0100, Natanael wrote:
>
> Den 25 jan. 2018 00:22 skrev "Tim Ruffing via bitcoin-dev" <bitcoin-d
> ev at lists.linuxfoundation.org>:
> > I think you misread my second proposal. The first step is not only
> > to
> > publish the hash but to publish a *pair* consisting of the hash and
> > the
> > transaction.
> >
> > If the attacker changes the transaction on the wire, the user does
> > not
> > care and will try again.
>
> I guess I assumed you meant it otherwise because I didn't assume you
> intended a commitment to the full transaction just without the
> asymmetric key material.
>
> You could treat it the same way as in my suggestion, let it expire
> and prune it if the key material isn't published in time.
>
> However... A sufficiently powerful attacker can deploy as soon as he
> sees your published signature and key, delay its propagation to the
> miners, force expiration and then *still* repeat the attack with his
> own forgery.
>
> Honestly, as long as we need to allow any form of expiry + relying on
> publication of the vulnerable algorithms result for verification, I
> think the weakness will remain.
>
> No expiration hurts in multiple ways like via DoS, or by locking in
> potentially wrong (or straight up malicious) transactions.
>
> ---
>
> There's one way out, I believe, which is quantum safe Zero-knowledge
> proofs. Currently STARK:s are one variant presumed quantum safe. It
> would be used to completely substitute the publication of the public
> key and signatures, and this way we don't even need two-step
> commitments.
>
> It does however likely require a hardfork to apply to old
> transactions. (I can imagine an extension block type softfork method,
> in which case old UTXO:s get locked on the mainchain to create
> equivalent valued extension block funds.)
>
> Without practical ZKP, and presuming no powerful QC attackers with
> the ability to control the network (basically NSA level attackers), I
> do think the Fawkes signature scheme is sufficient. Quantum attacks
> are likely to be very expensive anyway, for the foreseeable future.
Tim Ruffing [ARCHIVE] /
npub1cm…dwkls
2023-06-07 18:10:12
in reply to nevent1q…m5uv
Author Public Key
npub1cmt6gqyfw3sdngkq0wadtpe3kmgyyeld6ad0g2h5tar3kpzcrmpqddwklsPublished at
2023-06-07 18:10:12Event JSON
{
"id": "c5b1eae4e9f94ba75444b83d13ff2f661f96e25428ae27fd2da34108a461db77",
"pubkey": "c6d7a400897460d9a2c07bbad58731b6d04267edd75af42af45f471b04581ec2",
"created_at": 1686161412,
"kind": 1,
"tags": [
[
"e",
"4c3e6ea3583d0a49d6b0ee693dcdcf3525ceca178c415ed90ee44e95a3754590",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2018-01-26\n📝 Original message:(changing the subject... ;))\n\nMy proposal does not include any form of expiration, so I don't see how\nit should be vulnerable to the described attack.\n\nTo make this a little bit more detailed:\n\nThe user has one or more single standard UTXOs all with ECDSA public\nkey classic_pk and thus address SHA256(RIPEMD160((classic_pk)). The\ncorresponding secret key is classic_sk. Let MAC be a quantum-secure\nmessage-authentication code, e.g., MAC(k,x)=H(k||x) for a suitable hash\nfunction, e.g, BLAKE2 or SHA3.\n\nThe idea is to (ab)use the public key classic_pk as a key for the MAC. \n\nTo spend an UTXO with a transaction tx, the user does the following:\n 1. Create and publish a \"transaction\" c that references the address\n SHA256(RIPEMD160((classic_pk)) and contains the following data: \n MAC(classic_pk,tx))||tx\n 2. Wait until c is confirmed. (If it does not confirm, send it again as\n usual).\n 3. Create and publish a \"transaction\" d with the following data:\n classic_pk||Sign(classic_sk, tx)\n\nConsensus rules:\nA transaction d=classic_pk||sig spends all UTXOs with\naddress SHA256(RIPEMD160(classic_pk)), applying the effects of tx, if\nthere exists a transaction c=mac||tx in the blockchain such that \n 1. c is the first transaction (among all referencing the address) in\n the blockchain where mac is a valid MAC for message tx under correct\n key classic_pk\n 2. sig is valid ECDSA signature over tx under public key classic_pk\n\nc-transactions never expire. \n\nIf the user has not published classic_pk before, this should be secure\nagainst quantum attackers:\nBefore step 2, the MAC key k=classic_pk is only known to the user. So\nthe only valid c that the attacker can produce has the real transaction\ntx, because a different transaction tx' requires the attacker to forge\nthe MAC. Since the user waits for confirmation, the first c in the\nblockchain fulfilling conditions 1 and 2 has been created by the user.\n\nEven if classic_pk is known, this is no less secure than \"classic\nspending\", because we require an ECDSA signature on tx.\n\nI'm pretty confident that I'm not overlooking an obvious attack. If I'm\nwrong then please describe exactly the steps of the user and the\nattacker. \n\nBest,\nTim \n\n\nOn Thu, 2018-01-25 at 01:09 +0100, Natanael wrote:\n\u003e \n\u003e Den 25 jan. 2018 00:22 skrev \"Tim Ruffing via bitcoin-dev\" \u003cbitcoin-d\n\u003e ev at lists.linuxfoundation.org\u003e:\n\u003e \u003e I think you misread my second proposal. The first step is not only\n\u003e \u003e to\n\u003e \u003e publish the hash but to publish a *pair* consisting of the hash and\n\u003e \u003e the\n\u003e \u003e transaction.\n\u003e \u003e \n\u003e \u003e If the attacker changes the transaction on the wire, the user does\n\u003e \u003e not\n\u003e \u003e care and will try again.\n\u003e \n\u003e I guess I assumed you meant it otherwise because I didn't assume you\n\u003e intended a commitment to the full transaction just without the\n\u003e asymmetric key material. \n\u003e \n\u003e You could treat it the same way as in my suggestion, let it expire\n\u003e and prune it if the key material isn't published in time. \n\u003e \n\u003e However... A sufficiently powerful attacker can deploy as soon as he\n\u003e sees your published signature and key, delay its propagation to the\n\u003e miners, force expiration and then *still* repeat the attack with his\n\u003e own forgery. \n\u003e \n\u003e Honestly, as long as we need to allow any form of expiry + relying on\n\u003e publication of the vulnerable algorithms result for verification, I\n\u003e think the weakness will remain. \n\u003e \n\u003e No expiration hurts in multiple ways like via DoS, or by locking in\n\u003e potentially wrong (or straight up malicious) transactions.\n\u003e \n\u003e ---\n\u003e \n\u003e There's one way out, I believe, which is quantum safe Zero-knowledge\n\u003e proofs. Currently STARK:s are one variant presumed quantum safe. It\n\u003e would be used to completely substitute the publication of the public\n\u003e key and signatures, and this way we don't even need two-step\n\u003e commitments. \n\u003e \n\u003e It does however likely require a hardfork to apply to old\n\u003e transactions. (I can imagine an extension block type softfork method,\n\u003e in which case old UTXO:s get locked on the mainchain to create\n\u003e equivalent valued extension block funds.)\n\u003e \n\u003e Without practical ZKP, and presuming no powerful QC attackers with\n\u003e the ability to control the network (basically NSA level attackers), I\n\u003e do think the Fawkes signature scheme is sufficient. Quantum attacks\n\u003e are likely to be very expensive anyway, for the foreseeable future.",
"sig": "3cad4253d57162ec9aad9b3ec61ba52c165a742ceb63d1c72369cbe88951ece8d000bb2c76724343bdce2eebe62d2d92bca14ddab19899f71f3d80c0c1747649"
}