public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: "Sjors Provoost" <sjors@sprovoost.nl>
To: "Pieter Wuille" <bitcoin-dev@wuille.net>,
	conduition <conduition@proton.me>
Cc: "Nagaev Boris" <bnagaev@gmail.com>,
	"'Bitcoin Development Mailing List'"
	<bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Giving teeth to expected EC disabling: P2XX(-T)(-ML)
Date: Sat, 04 Jul 2026 13:57:51 +0200	[thread overview]
Message-ID: <002f2395-7d5d-4cb6-852c-e991aa1f0eb3@app.fastmail.com> (raw)
In-Reply-To: <G6JS-1KFsfB7MzyRZH42MhcTp4rb_7M9Xg-1xznpwSg9MUjuI9B4ZSfVZ68S-FTaMjGBQhIpPb2E9U346X1xN1jzWoQeL5X_0Ju_j81MSAg=@wuille.net>



On Fri, Jul 3, 2026, at 23:23, Pieter Wuille wrote:

[...]

> * Just publishing the DLP in a transaction (e.g. OP_RETURN with a 
> specific marker). This is smaller than a full transaction input + 
> signature.
>
> * Similarly, but publishing in the coinbase, and requiring relay using 
> a separate message. Less places a node needs to check, but I'm 
> concerned about the difficulty of testing infrastructure that relay of 
> such a message works

[...]

>
> On Saturday, June 27th, 2026 at 12:33 AM, Anthony Towns 
> <aj@erisian.com.au> wrote:
>
>> A slight variant of this approach would be to have a 128 byte value "aRsm", such that P = N+a*G, N is the BIP-341 NUMS point, and Rs is a BIP340 signature of m by P. That would allow the victim of post-quantum theft via a key-path spend of a BIP341 NUMS IPK to trigger the tripwire, in addition to someone who has direct access to a CRQC.
>
> Indeed, I had considered something similar, but see above for why I'm 
> not convinced supporting non-cooperative CRQCs is that useful.
>
> Also, in my view the tripwire isn't really a security feature on itself 
> (it's not expected to trigger...), but more something that sets 
> expectations around the output type for prospective users.
>
> In that sense, the question is really whether supporting 
> non-cooperative CRQCs helps set that expectation more than only 
> cooperative ones, which are definitely easier to support.
>
>> I think it could make sense to have the tripwire be included in the block via the coinbase witness commitment output, rather than having it be locked to a transaction, so you only having to check the coinbase for the magic rather than every transaction. That would require a separate P2P message to relay the necessary ECDL-break proof to miners, and would probably need stratumv2 or a getblocktemplate update in order for the node to be able to tell pools to actually include that info in the coinbase.
>
> I worry this is untestable, really. You'd need things like 
> fake-tripwires to be supported through the same message which don't 
> require an ECDLP break, and still propagate. And then that needs DoS 
> protection measures, 

I whipped something up last weekend:
https://github.com/Sjors/bitcoin/pull/121

It seems straightforward, but maybe I missed something:
- for test code we use a fake NUMS point, so we can generate "proof" without a quantum computer
- a p2p message floods the proof
- nodes ignore the message if they already have *any* valid proof
- verifying p2p proof candidates might need some rate limiting, but it's as cheap as verifying a transaction signature
- mining code includes the proof in a coinbase op_return, until the freeze activates
  - with stratum v2 (and ipc mining clients in general this works out of the box, a small change is needed for getblocktemplate clients)
- since the proof is not in the header, we can't use the normal bip9 style header scan to see if the rule activated. Instead the prototype stores it in a file along with a merkle inclusion proof, which is read when the node restarts.

With this mechanism it doesn't really need to be in the coinbase transaction, but that does seem more convenient and miners can censor it anyway.

- Sjors

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/002f2395-7d5d-4cb6-852c-e991aa1f0eb3%40app.fastmail.com.


  reply	other threads:[~2026-07-04 12:47 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-25 17:42 [bitcoindev] Giving teeth to expected EC disabling: P2XX(-T)(-ML) Pieter Wuille
2026-06-26  3:40 ` Nagaev Boris
2026-06-26 11:06   ` Sjors Provoost
2026-06-26 14:10   ` Pieter Wuille
2026-06-26 18:20     ` 'conduition' via Bitcoin Development Mailing List
2026-07-03 21:23       ` Pieter Wuille
2026-07-04 11:57         ` Sjors Provoost [this message]
2026-07-05 21:55           ` Antoine Riard
2026-06-27  4:33 ` Anthony Towns
2026-06-29  2:17   ` Antoine Riard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=002f2395-7d5d-4cb6-852c-e991aa1f0eb3@app.fastmail.com \
    --to=sjors@sprovoost.nl \
    --cc=bitcoin-dev@wuille.net \
    --cc=bitcoindev@googlegroups.com \
    --cc=bnagaev@gmail.com \
    --cc=conduition@proton.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox