From: Matt Corallo
To: Sjors Provoost, Bitcoin Development Mailing List
Cc: Jameson Lopp
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
Date: Mon, 24 Mar 2025 21:06:01 -0400
Message-ID: <912fd35e-02f5-49b5-b373-ca02806d952f@mattcorallo.com>
References: <43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com>

On 3/18/25 8:48 AM, Sjors Provoost wrote:
>
>> On 17 Mar 2025, at 13:00, Matt Corallo wrote the following:
>>
>> I think this is a strong motivation to do "simple PQC" today - while we don't need to decide on the tough question of seizing non-PQC coins today, we want to have the option to do so in the future.
>>
>> In order for that option to be practical, wallets need to be embedding PQC public keys in their outputs probably at least a decade before the seizure occurs, with any additional time giving us an important safety margin.
>
> I don't think that in practice we can deploy a PQC scheme without at the same time making a decision with regards to burn vs free-for-all. The best we can do is to have all that stuff well researched and tested long before on a signet.

As Jameson describes, I don't think there's a decision to be made here. If, at some point, a QC becomes undeniable reality (or near-term reality), *not* doing a freeze fork is to allow Bitcoin to simply die. The only thing we can do is set ourselves up for success such that that freeze freezes the minimum possible number of coins.

> Let's say the burn consensus rule is that no pk(), bare multisig, pkh()*, wpkh() output can be spent, in addition to any tr() key path.
> To be triggered at some point far enough in the future that people can migrate, but not too late. Let's ignore for now that this will be very hard to agree on, because people will disagree on the nature and timing of the threat until it's undeniable.
>
> In principle a PQC (Post-quantum cryptography) tap leaf scheme could be proposed in a BIP and activated in a soft-fork, without having to decide on the burn issue. Any time your wallet needs to generate a new address, it could add such a tap leaf just in case.
> But this adds a bunch of complexity to wallets, makes descriptor backups longer, etc. So adoption might be minimal. And since no sane person spends from the PQC path, we'd have no idea how much adoption there is.

Indeed, adoption is a challenge. This is true for any PQ scheme, however. Still, I'm dubious that simply no wallets would actually do that - there is material dramaz over PQ Bitcoin these days, and for (somewhat) good reason. Those selecting a wallet for short-term use of course have no need to do this, but those selecting a long-term storage wallet might see PQC as a feature they want, and select a wallet accordingly.

> More importantly, the activation of a PQC tapleaf soft fork would not be sufficient to permanently migrate coins. That's because in a free-for-all quantum scenario it's the wrong approach. The quantum attacker would just spend from your key path.

As noted above I don't buy that this is a possible outcome.

> In that scenario you'd need to use a NUMS point for the key path. Or maybe that's unsafe, in which case we'd need a new Taproot version without key path support (or BIP360). That's also not a difficult soft fork, but now again you have something that only a small set of users will want to use.

A NUMS point does not suffice unless we explicitly soft-fork out spending from that NUMS point (which is, of course, doable).

> This new address type is only suitable for very long term storage since it's more expensive to use in a pre-quantum world (using a regular Schnorr signature in a script path).
>
> So now we'd have two soft forks that ~nobody uses, because it's a bunch of extra wallet complexity and you don't know if you should use the tapleaf or the taproot-without-keypath address for your cold storage.
>
> I doubt that soft forks which nobody intends to use will be activated anytime soon.

There is nontrivial demand (again, for (somewhat) good reason) for PQC on bitcoin today. Suggesting that no one intends to use such a thing I find incredibly dubious.

Matt
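
Added example (not part of the original message or of any proposal): a sketch of how a wallet audit could sort scriptPubKeys under the hypothetical burn rule quoted in the thread, where pk(), bare multisig, pkh() and wpkh() outputs are frozen and tr() outputs lose only their key path. The function names, labels and sample scripts are constructed for illustration.

```python
FROZEN = "frozen"              # output unspendable under the quoted rule
KEYPATH = "key-path-frozen"    # tr(): only the key path is named by the rule
UNAFFECTED = "unaffected"      # output type not named by the rule as quoted

def _is_pubkey(b: bytes) -> bool:
    # Compressed (02/03 + 32 bytes) or uncompressed (04 + 64 bytes) encoding.
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def _bare_multisig(s: bytes) -> bool:
    # OP_m <pubkey>... OP_n OP_CHECKMULTISIG; OP_1..OP_16 are 0x51..0x60.
    if len(s) < 3 or s[-1] != 0xAE:
        return False
    if not (0x51 <= s[0] <= 0x60 and 0x51 <= s[-2] <= 0x60):
        return False
    m, n, i, keys = s[0] - 0x50, s[-2] - 0x50, 1, 0
    while i < len(s) - 2:
        ln = s[i]
        key = s[i + 1:i + 1 + ln]
        if len(key) != ln or not _is_pubkey(key):
            return False
        i, keys = i + 1 + ln, keys + 1
    return i == len(s) - 2 and keys == n and 1 <= m <= n

def classify(spk_hex: str):
    """Return (descriptor type, status) for one scriptPubKey given as hex."""
    s = bytes.fromhex(spk_hex)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC \
            and _is_pubkey(s[1:-1]):
        return ("pk", FROZEN)
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("pkh", FROZEN)
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return ("wpkh", FROZEN)
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return ("tr", KEYPATH)
    if _bare_multisig(s):
        return ("multi", FROZEN)
    return ("other", UNAFFECTED)   # e.g. sh(), wsh(): not listed in the rule

KEY = "02" + "11" * 32             # constructed placeholder, not a real key
SAMPLES = {                        # constructed scriptPubKeys
    "pk": "21" + KEY + "ac",
    "pkh": "76a914" + "22" * 20 + "88ac",
    "wpkh": "0014" + "22" * 20,
    "tr": "5120" + "33" * 32,
    "multi": "51" + ("21" + KEY) * 2 + "52ae",
    "wsh": "0020" + "44" * 32,
}

def audit(samples=SAMPLES):
    return {name: classify(h) for name, h in samples.items()}
```
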