Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin

[waxwing/ AdamISZ <ekaggata@gmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 2149 bytes --]

Sorry looks like I forgot to crosspost this reply to list:

Hi Sjors, list:

> I brought this up [0], but it was later pointed out to me that it doesn't 
work
 

Oh yes, doh. That's most unfortunate. While this is getting silly, I can't 
help wondering what happens, in the presence of an ECDLP breaker, to a 
botched version of taproot that requires script-path spending and doesn't 
allow key-path.

It's interesting, imagine: honest keyholder creates Q = P_N + H(P_N||S)G 
where P_N means NUMS internal key. ECDLP breaker can just find DL of Q but 
if we disallow key-path spend they have to open a hash commitment to a 
tweak as per usual taproot rules.

So they need: Q = P_2 +H(P_2||S_2)G now, they know the full private key x_N 
+ H(P_N||S) for Q (and they may or may not know S, or be able to guess it, 
to get all the variables in that expression), but it seems to not help them 
given the commitment to P_2 in the hash, requiring them to choose P_2 
before the hash.

They could of course do it with P_N itself, if that were allowed, hence the 
"disable NUMS" might make sense, in this scenario. Can't say I'm 100% sure 
of myself here, but it looks like that works.

Even if I'm right, it's not so interesting; we already are assuming that a 
quantum attacker can't break hashes, that's behind a lot of the discussion 
here, so of course it would make sense if we broke taproot to require it 
only to use hashes (script path only), then it might come back to the same 
security situation (which of course, is not actual security, since keys are 
always revealed in spending). Or maybe we should start to think of really, 
really worst case scenarios: what if a new quantum algorithm actually does 
efficiently find SHA2 preimages? :)

Thanks, AdamISZ/waxwing


-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/84ae7e2c-eb71-44fa-b3da-27731802f47an%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 2509 bytes --]