jhhorhhssehsphhrohhvohhoshhtrdhnlhdpnhgspghrtghpthhtohepfedpmhhouggvpe hsmhhtphhouhhtpdhrtghpthhtohepsghithgtohhinhguvghvsehgohhoghhlvghgrhho uhhpshdrtghomhdprhgtphhtthhopehjrghmvghsohhnrdhlohhpphesghhmrghilhdrtg homhdprhgtphhtthhopehlfhdqlhhishhtshesmhgrthhttghorhgrlhhlohdrtghomh X-ME-Proxy: Feedback-ID: ie5e042df:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 18 Mar 2025 08:48:23 -0400 (EDT) Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.400.131.1.6\)) Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin From: Sjors Provoost In-Reply-To: <43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com> Date: Tue, 18 Mar 2025 13:48:12 +0100 Cc: Jameson Lopp , Matt Corallo Content-Transfer-Encoding: quoted-printable Message-Id: References: <43afd5bb-244e-4698-ba3d-139efa2c2058@mattcorallo.com> To: Bitcoin Development Mailing List X-Mailer: Apple Mail (2.3826.400.131.1.6) X-Original-Sender: sjors@sprovoost.nl X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@sprovoost.nl header.s=fm2 header.b=hzxImOO9; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=FMdtbrgx; spf=pass (google.com: domain of sjors@sprovoost.nl designates 202.12.124.152 as permitted sender) smtp.mailfrom=sjors@sprovoost.nl; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sprovoost.nl Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) > Op 17 mrt 2025, om 13:00 heeft Matt Corallo he= t volgende geschreven: >=20 > I think this is a strong motivation to do "simple PQC" today - while we d= on't need to decide on the tough question of seizing non-PQC coins today, w= e want to have the option to do so in the future. 
>
> In order for that option to be practical, wallets need to be embedding PQC public keys in their outputs probably at least a decade before the seizure occurs, with any additional time giving us an important safety margin.

I don't think that in practice we can deploy a PQC scheme without at the same time making a decision with regards to burn vs free-for-all. The best we can do is to have all that stuff well researched and tested long before on a signet.

Let's say the burn consensus rule is that no pk(), bare multisig, pkh()*, wpkh() output can be spent, in addition to any tr() key path.

To be triggered at some point far enough in the future that people can migrate, but not too late. Let's ignore for now that this will be very hard to agree on, because people will disagree on the nature and timing of the threat until it's undeniable.

In principle a PQC (Post-quantum cryptography) tap leaf scheme could be proposed in a BIP and activated in a soft-fork, without having to decide on the burn issue. Any time your wallet needs to generate a new address, it could add such a tap leaf just in case.

But this adds a bunch of complexity to wallets, makes descriptor backups longer, etc. So adoption might be minimal. And since no sane person spends from the PQC path, we'd have no idea how much adoption there is.

More importantly, the activation of a PQC tapleaf soft fork would not be sufficient to permanently migrate coins. That's because in a free-for-all quantum scenario it's the wrong approach. The quantum attacker would just spend from your key path.

In that scenario you'd need to use a NUMS point for the key path. Or maybe that's unsafe, in which case we'd need a new Taproot version without key path support (or BIP360). That's also not a difficult soft fork, but now again you have something that only a small set of users will want to use.
This new address type is only suitable for very long term storage since it's more expensive to use in a pre-quantum world (using a regular Schnorr signature in a script path).

So now we'd have two soft forks that ~nobody uses, because it's a bunch of extra wallet complexity and you don't know if you should use the tapleaf or the taproot-without-keypath address for your cold storage.

I doubt that soft forks which nobody intends to use will be activated anytime soon.

- Sjors

---

* See appendix B of BIP380 for notation: https://github.com/bitcoin/bips/blob/master/bip-0380.mediawiki#appendix-b-index-of-script-expressions

Since we don't know which public keys are reused, the pkh() underlying public key can be brute force guessed by trying all known keys. There is also no alternative spending path. So it should be included in the burn.

sh() and wsh() would not be frozen. Some scripts may be guessable from context, but imo that doesn't outweigh the possibility that someone designed a quantum proof script - even a bad one.

Neither would any scriptPubKey that's different from the above standard templates. This allows implementing the freeze rule in a way that doesn't require deep / complicated inspection of the script.
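
The freeze rule from the footnote above, expressed as a scriptPubKey template check. This is an added illustration, not code from the message or from any BIP. The byte templates, the `Freeze` enum and the `classify` name are assumptions of this example, and the sample scripts use constructed placeholder key and hash bytes.

```python
from enum import Enum

class Freeze(Enum):
    NONE = "not frozen"            # sh(), wsh(), any non-template script
    FULL = "frozen"                # pk(), bare multisig, pkh(), wpkh()
    KEY_PATH = "key path frozen"   # tr(): script path stays spendable

OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE
PUBKEY_LENS = (33, 65)  # compressed / uncompressed key push sizes

def _is_pk(spk: bytes) -> bool:
    # <push 33|65> <key> OP_CHECKSIG
    return (len(spk) in (35, 67) and spk[0] == len(spk) - 2
            and spk[-1] == OP_CHECKSIG)

def _is_bare_multisig(spk: bytes) -> bool:
    # OP_m <key>... OP_n OP_CHECKMULTISIG, with exactly n key pushes
    if len(spk) < 3 or spk[-1] != OP_CHECKMULTISIG:
        return False
    m, n = spk[0] - 0x50, spk[-2] - 0x50   # OP_1..OP_16 are 0x51..0x60
    if not 1 <= m <= n <= 16:
        return False
    i, keys = 1, 0
    while i < len(spk) - 2:
        if spk[i] not in PUBKEY_LENS:
            return False
        i += 1 + spk[i]
        keys += 1
    return i == len(spk) - 2 and keys == n

def classify(spk: bytes) -> Freeze:
    """Apply the freeze rule by fixed templates only, no script execution."""
    if _is_pk(spk) or _is_bare_multisig(spk):
        return Freeze.FULL
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return Freeze.FULL        # pkh()
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return Freeze.FULL        # wpkh()
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return Freeze.KEY_PATH    # tr()
    return Freeze.NONE
# Constructed sample scripts; key and hash bytes are placeholders.
K = b"\x21" + b"\x02" * 33
SAMPLES = {
    "pk": K + b"\xac",
    "multi_1of2": b"\x51" + K + K + b"\x52\xae",
    "pkh": b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac",
    "wpkh": b"\x00\x14" + b"\x11" * 20,
    "tr": b"\x51\x20" + b"\x22" * 32,
    "sh": b"\xa9\x14" + b"\x11" * 20 + b"\x87",
    "wsh": b"\x00\x20" + b"\x22" * 32,
}
```

Anything that fails every template, including a malformed multisig, falls through to `Freeze.NONE`, which matches the footnote's point that non-template scripts are left alone.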