From: Andrew Poelstra
To: Gregory Maxwell via bitcoin-dev
Date: Wed, 24 Jan 2018 01:52:57 +0000
Subject: Re: [bitcoin-dev] Taproot: Privacy preserving switchable scripting
Message-ID: <20180124015256.GR9082@boulet.lan>
References: <20180123064419.GA1296@erisian.com.au> <20180123222229.GA3801@erisian.com.au>
List-Id: Bitcoin Protocol Discussion

On Tue, Jan 23, 2018 at 10:45:06PM +0000, Gregory Maxwell via bitcoin-dev wrote:
> On Tue, Jan 23, 2018 at 10:22 PM, Anthony Towns wrote:
> > Hmm, at least people can choose not to reuse addresses currently --
> > if everyone were using taproot and that didn't involve hashing the key,
>
> Can you show me a model of quantum computation that is conjectured to
> be able to solve the discrete log problem but which would take longer
> than fractions of a second to do so? Quantum computation has to occur
> within the coherence lifetime of the system.
>
> > way for individuals to hedge against quantum attacks in case they're ever
> > feasible, at least that I can see (well, without moving their funds out
> > of bitcoin anyway)?
>
> By using scriptpubkeys with actual security against quantum computers
> instead of snake-oil.
>
> > (It seems like using the point at infinity wouldn't work because
>
> Indeed, that doesn't work.
>
> > that when quantum attacks start approaching feasibility. If funds are
> > being held in reused addresses over the long term, that would be more
>
> They are. But I don't believe that is relevant; the attacker would
> simply steal the coins on spend.

Then the system would need to be hardforked to allow spending through
a quantum-resistant ZKP of knowledge of the hashed public key. I expect
that in a post-quantum world there will be demand for such a fork,
especially if we came into such a world through surprise evidence of a
discrete log break.
-- 
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace, whether north or south or west or east"
       --Joanna Newsom