public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Antoine Riard <antoine.riard@gmail.com>
To: Sjors Provoost <sjors@sprovoost.nl>
Cc: Pieter Wuille <bitcoin-dev@wuille.net>,
	conduition <conduition@proton.me>,
	 Nagaev Boris <bnagaev@gmail.com>,
	 Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Giving teeth to expected EC disabling: P2XX(-T)(-ML)
Date: Sun, 5 Jul 2026 22:55:06 +0100	[thread overview]
Message-ID: <CALZpt+FMHG3yoOCXPfMhS=KFF9bn+rCi9NL836GDRp1CKTBXRA@mail.gmail.com> (raw)
In-Reply-To: <002f2395-7d5d-4cb6-852c-e991aa1f0eb3@app.fastmail.com>

[-- Attachment #1: Type: text/plain, Size: 7714 bytes --]

Hi Pieter,

Thanks for the observations.

When I was saying there is a problem with the game theory,
it's that strikingly, any activation of the tripwire logic
would rely on a "flag" transaction being mined in the chain
for the network nodes starting to enforce at the block N or
N+1 or whatever the EC disabling threshold.

Any "flag" transaction can be itself re-orged out of the chain
to purely disable the effects of the EC disabling threshold,
therefore make it null and void as an effect. One might see
it as a competing race between a group of "sunsetting" users
and a (majority) coalition of miners in coordination with a
CRQC adversary, where the latter have an interest and the
hashrate capabilities to do a tx-withold [0].

In pure terms of satoshi fee denominated calculus, empirically
global miners have won an average of $20 B yearly. If we only
consider that P2PK are going to be frozen by the tripwire effect,
as for most of them it might be assumed they will never move to
a safer format, we talk already about 1.7 M of coins or as of
today valuation $107 B (the information is on the chain and can
be verified).

That's $107B can "burn" in revenue or income that a CRQC-enabled
miners coalition to constantly reorg-out the "flag" tx out of the
chain. In other terms, something like 5 years of income, and I
kindly do not count all the loss coins that are likely to amount
to a far bigger "tripwire" neutralization budget.

In the name of what a majority of miners will gracefully let on
the table an opportunity of massive income ?

Leveraging Shor the exploitation might be even done anonymously
as the mining process is done. Not even certainty, by who the
EC-protected coins could be covertly exfiltrated.

That's the most striking problem when you think about the math
with any "tripwire" approach, or even an "hourglass" one relying
on a "flag" transaction [1]. I'm ruling out "checkpoints" and
any other trust-the-dev approach, as that's even worst [2].

As you're introducing post is resounding, what the miners
are saying now, there are no guarantees on how they would use
their hashrate down the road, potentially 10 or 20 years from now.

Beyond, and to answer back your point, I still think you can
manage an escape hatch of the "tripwire" effect, it's all depends
how the script tripwire logic is implemented, but if you have
two OP_SUCCESS of different kinds before your EC CHECKSIG, you
can always have a "soft-fork" after the "tripwire" to return
true on the stack, with an EC or hashlock as a success (I agree
using undefined op_success in a script is not safe at all) [3].

Best,
Antoine
OTS hash: 4bc91d8dee1625f6e78b27c88bced8e405f25ef6d3d8fd59be8016db5b0fbe66

[0] See naumenkog's https://www.bitmex.com/blog/txwithhold-smart-contracts
[1] This is sad, as the "hourglass" depending how the parameters are chosen
was a more acceptable trade-off than pure sunsetting.
[2] Given the amounts at stake to sunset, as a group of developers you
would just paint yourself a target, there are more even funds at stake
that Satoshi herself / himself is assumed to have.
[3] There is no security proof in BIP341 on the unforgeability of the
NUMS point, if it binds in the ROM or whatever.

Le sam. 4 juil. 2026 à 13:47, Sjors Provoost <sjors@sprovoost.nl> a écrit :

>
>
> On Fri, Jul 3, 2026, at 23:23, Pieter Wuille wrote:
>
> [...]
>
> > * Just publishing the DLP in a transaction (e.g. OP_RETURN with a
> > specific marker). This is smaller than a full transaction input +
> > signature.
> >
> > * Similarly, but publishing in the coinbase, and requiring relay using
> > a separate message. Less places a node needs to check, but I'm
> > concerned about the difficulty of testing infrastructure that relay of
> > such a message works
>
> [...]
>
> >
> > On Saturday, June 27th, 2026 at 12:33 AM, Anthony Towns
> > <aj@erisian.com.au> wrote:
> >
> >> A slight variant of this approach would be to have a 128 byte value
> "aRsm", such that P = N+a*G, N is the BIP-341 NUMS point, and Rs is a
> BIP340 signature of m by P. That would allow the victim of post-quantum
> theft via a key-path spend of a BIP341 NUMS IPK to trigger the tripwire, in
> addition to someone who has direct access to a CRQC.
> >
> > Indeed, I had considered something similar, but see above for why I'm
> > not convinced supporting non-cooperative CRQCs is that useful.
> >
> > Also, in my view the tripwire isn't really a security feature on itself
> > (it's not expected to trigger...), but more something that sets
> > expectations around the output type for prospective users.
> >
> > In that sense, the question is really whether supporting
> > non-cooperative CRQCs helps set that expectation more than only
> > cooperative ones, which are definitely easier to support.
> >
> >> I think it could make sense to have the tripwire be included in the
> block via the coinbase witness commitment output, rather than having it be
> locked to a transaction, so you only having to check the coinbase for the
> magic rather than every transaction. That would require a separate P2P
> message to relay the necessary ECDL-break proof to miners, and would
> probably need stratumv2 or a getblocktemplate update in order for the node
> to be able to tell pools to actually include that info in the coinbase.
> >
> > I worry this is untestable, really. You'd need things like
> > fake-tripwires to be supported through the same message which don't
> > require an ECDLP break, and still propagate. And then that needs DoS
> > protection measures,
>
> I whipped something up last weekend:
> https://github.com/Sjors/bitcoin/pull/121
>
> It seems straightforward, but maybe I missed something:
> - for test code we use a fake NUMS point, so we can generate "proof"
> without a quantum computer
> - a p2p message floods the proof
> - nodes ignore the message if they already have *any* valid proof
> - verifying p2p proof candidates might need some rate limiting, but it's
> as cheap as verifying a transaction signature
> - mining code includes the proof in a coinbase op_return, until the freeze
> activates
>   - with stratum v2 (and ipc mining clients in general this works out of
> the box, a small change is needed for getblocktemplate clients)
> - since the proof is not in the header, we can't use the normal bip9 style
> header scan to see if the rule activated. Instead the prototype stores it
> in a file along with a merkle inclusion proof, which is read when the node
> restarts.
>
> With this mechanism it doesn't really need to be in the coinbase
> transaction, but that does seem more convenient and miners can censor it
> anyway.
>
> - Sjors
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/bitcoindev/aWYtPLVPZ3U/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/002f2395-7d5d-4cb6-852c-e991aa1f0eb3%40app.fastmail.com
> .
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALZpt%2BFMHG3yoOCXPfMhS%3DKFF9bn%2BrCi9NL836GDRp1CKTBXRA%40mail.gmail.com.

[-- Attachment #2: Type: text/html, Size: 9401 bytes --]

  reply	other threads:[~2026-07-05 22:07 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-25 17:42 [bitcoindev] Giving teeth to expected EC disabling: P2XX(-T)(-ML) Pieter Wuille
2026-06-26  3:40 ` Nagaev Boris
2026-06-26 11:06   ` Sjors Provoost
2026-06-26 14:10   ` Pieter Wuille
2026-06-26 18:20     ` 'conduition' via Bitcoin Development Mailing List
2026-07-03 21:23       ` Pieter Wuille
2026-07-04 11:57         ` Sjors Provoost
2026-07-05 21:55           ` Antoine Riard [this message]
2026-06-27  4:33 ` Anthony Towns
2026-06-29  2:17   ` Antoine Riard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALZpt+FMHG3yoOCXPfMhS=KFF9bn+rCi9NL836GDRp1CKTBXRA@mail.gmail.com' \
    --to=antoine.riard@gmail.com \
    --cc=bitcoin-dev@wuille.net \
    --cc=bitcoindev@googlegroups.com \
    --cc=bnagaev@gmail.com \
    --cc=conduition@proton.me \
    --cc=sjors@sprovoost.nl \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox