From: Ian Quantum <ianquantum2027@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Date: Wed, 1 Jan 2025 16:43:46 -0800 (PST)
Subject: Re: [bitcoindev] Trivial QC signatures with clean upgrade path
In-Reply-To: <56e0005eb75e4f1720a5aabbcdb0535c@dtrt.org>

FALCON failed the NIST vetting. Since 2022 they have said they will fix it next year. Same answer in 2024 when they formalized CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+. At the end they again say, "NIST is also developing a FIPS that specifies a digital signature algorithm derived from FALCON as an additional alternative to these standards."
https://csrc.nist.gov/News/2024/postquantum-cryptography-fips-approved

If it takes 1.5-3 years to get the entire ecosystem of software updated, tested, implemented and then to allow users to migrate to quantum safety, then Bitcoin code is future-proofed. It will still require months (if BTC blocks normal transactions) to years (as a supported address type but not required) in order to migrate the wallets to safety.
The longer the quantum resistant upgrade is delayed, the harsher the migration will need to become.

Alice and Bob recently announced a new algorithm that breaks ECC-256 in 9 hours with 127k qubits.
https://alice-bob.com/blog/computing-256-bit-elliptic-curve-logarithm-in-9-hours-with-126133-cat-qubits/
The algorithms will continue to improve and the costs will continue to go down. While some people are very confident about what the quantum hardware will look like in 3 years, can they be so confident about the algorithms? We have switched from a supercomputer to a network-node method of growing quantum calculations. Parallel instead of serial. Fault-tolerant algorithms that prefetch results. Can we really be as confident about the algorithms as people seem to be about the hardware not being ready? Most people in quantum computing aren't aware of how much their competition has progressed; how can devs who don't read 10 or 50 new quantum computing papers per week be more confident than the people who do?

On Wednesday, January 1, 2025 at 1:25:24 PM UTC+1 David A. Harding wrote:
> On 2024-12-16 12:20, Tadge Dryja wrote:
> > An on-chain proof of quantum computer (PoQC I guess :) ) would be a
> > way to reduce the damage of activation forks. One way to build it:
> > Create a NUMS point pubkey - something like described in BIP341. Send
> > some coins to that address, then watch if it gets spent. [...]
> > Nodes can then have code which
> > watches for such a proof and changes consensus rules based on it.
>
> I think this could be even more useful if combined with a previous idea
> for creating a NUMS[1][3] (or trust minimized[2]) pubkey compatible with
> Bitcoin but with a security strength less than 128 bits.
> That way
> someone might claim the bounty of the key with (say) 96 bits security
> potentially months or years before QC advances made regular keys
> insecure and tempted operators of QCs into stealing from regular user
> addresses.
>
> -Dave
>
> [1]
> https://gnusha.org/pi/bitcoindev/CAH5Bsr20n2T7KRTYqycSUx0i...@mail.gmail.com/
> [2]
> https://gnusha.org/pi/bitcoindev/aRiFFJKz5wyHFDi2dXcGbNEHZD2nIwDRk7gaXIte-N1BoOEOQ-ySYRnk0P70S5igANSr2iqF2ZKV1dWvipaQHK4fJSv9A61-uH7w4pzxKRE=@protonmail.com/
> [3]
> https://gnusha.org/pi/bitcoindev/CAH5Bsr39kw08ki76aezJ1EM9...@mail.gmail.com/

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/eaca24fe-b1ee-4309-ae88-ae8e4c82c003n%40googlegroups.com.
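The NUMS-point canary that Tadge Dryja and David Harding discuss in the quoted text, worked through as an added example that is not part of the original thread or of any Bitcoin project code. It follows the construction BIP341 documents for its own NUMS point H (SHA-256 of the standard uncompressed encoding of the secp256k1 base point G, used as an x coordinate via lift_x) and then applies the key-path-only TapTweak to obtain the output key Q and the P2TR scriptPubKey one would fund. Because nobody knows a discrete log for H, and the tweak is public, the output can only move if secp256k1 itself is broken, which is exactly the on-chain signal the quoted messages propose. The assumption of no script tree and the function names are this example's own; the reduced-strength variant Harding mentions is not attempted here.

```python
"""BIP341-style NUMS taproot key as a quantum-computer canary (added example).

Pure Python, no dependencies. The curve arithmetic is textbook affine
secp256k1 and is fine for a demonstration; production code would use libsecp256k1.
"""
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 * pow(2 * y1, P - 2, P)) % P
    else:
        lam = ((y2 - y1) * pow(x2 - x1, P - 2, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(pt, k):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def is_on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def lift_x(x):
    """BIP340 lift_x: the curve point with this x and even y, or None if none exists."""
    if x >= P:
        return None
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)  # sqrt works this way because P % 4 == 3
    if pow(y, 2, P) != c:
        return None
    return (x, y if y % 2 == 0 else P - y)


def tagged_hash(tag, msg):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def nums_internal_key():
    """H as in BIP341: x = SHA256(0x04 || Gx || Gy), lifted to a point.

    The derivation is public and fixed, so no party can hold a private key for H.
    """
    g_uncompressed = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    x = int.from_bytes(hashlib.sha256(g_uncompressed).digest(), "big")
    return lift_x(x)


def taproot_output_key(internal):
    """Key-path-only tweak (no script tree, an assumption of this example):
    Q = P + H_TapTweak(x(P)) * G, with P the x-only internal key lifted to even y."""
    px = internal[0].to_bytes(32, "big")
    t = int.from_bytes(tagged_hash("TapTweak", px), "big")
    if t >= N:
        raise ValueError("tweak out of range")  # astronomically unlikely
    return point_add(internal, point_mul(G, t))


def canary_script_pubkey():
    """OP_1 <32-byte x(Q)>: the P2TR scriptPubKey a canary output would carry.

    Funding this output and watching for a spend is the 'proof of quantum
    computer' signal described in the thread: the tweak t is public, so a
    spender must know the discrete log of H, which classically nobody does.
    """
    q = taproot_output_key(nums_internal_key())
    return bytes([0x51, 0x20]) + q[0].to_bytes(32, "big")


if __name__ == "__main__":
    h = nums_internal_key()
    print("NUMS internal key x:", hex(h[0]))
    print("canary scriptPubKey :", canary_script_pubkey().hex())
```

A watcher would index this scriptPubKey and treat any transaction spending an output that carries it as the trigger the quoted messages describe; the same code path, with a different internal-key derivation, would serve a reduced-strength bounty key if one were ever specified.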