Matt Corallo [ARCHIVE] on Nostr: 📅 Original date posted:2021-03-15 📝 Original message:Right, totally. There was ...
📅 Original date posted:2021-03-15
📝 Original message: Right, totally. There was substantial debate on the likelihood of such a QC existing (i.e. a slow one) on the original
thread several years ago, but ignoring that, my broader point was about the address reuse issue. Given that, there's
just not much we can do with the existing hash-indirection.
Matt
On 3/15/21 19:01, Karl-Johan Alm via bitcoin-dev wrote:
> On Tue, 16 Mar 2021 at 07:48, Matt Corallo via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
>>
>> Overall, the tradeoffs here seem ludicrous, given that any QC issues in Bitcoin need to be solved in another way, and
>> can't practically be solved by just relying on the existing hash indirection.
>
> The important distinction here is that, with hashes, an attacker has
> to race against the spending transaction confirming, whereas with
> naked pubkeys, the attacker doesn't have to wait for a spend to occur,
> drastically increasing the available time to attack.
>
> It may initially take months to break a single key. In such a
> scenario, anyone with a hashed pubkey would be completely safe* (even
> at spend time), until that speeds up significantly, while Super Secure
> Exchange X with an ultra-cold 38-of-38 multisig setup using Taproot
> would have a timer ticking, since the attacker need only find a single
> privkey like with any old P2PK output.
>
> (* assuming no address reuse)
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
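The exchange above turns on one observable fact: whether an output's public key is readable from the chain before the owner spends, and whether an earlier spend from a reused key has already revealed it. The following is an added example, not code from Matt Corallo, Karl-Johan Alm or Bitcoin Core: it classifies a scriptPubKey by when its key material becomes visible, then sizes the window a slow key-breaking attacker would have against each output. The script layouts are the standard P2PK/P2PKH/P2SH/P2WPKH/P2WSH/P2TR encodings; the block heights, placeholder keys and the "three months per key" figure are constructed for illustration.

```python
# Added example (not from the thread): classify outputs by when the attacker
# learns the public key, then size the window a slow quantum attacker would
# have. Script layouts are the standard ones; the UTXO heights, placeholder
# keys and the "months per key" figure are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Exposure(Enum):
    PUBKEY_ON_CHAIN = "pubkey in scriptPubKey: attacker can start at funding"
    HASH_ONLY = "only a hash on chain: attacker must race the spend"
    UNKNOWN = "unrecognised script"


def classify_spk(spk: bytes) -> Exposure:
    """Map a scriptPubKey to where its key material first becomes visible."""
    if len(spk) < 2:
        return Exposure.UNKNOWN
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG (0xac)
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return Exposure.PUBKEY_ON_CHAIN
    # P2TR: OP_1 (0x51) <32-byte x-only output key>. A 38-of-38 aggregated or
    # script-committed key is still a single point on chain; its discrete log
    # is enough for a key-path spend.
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return Exposure.PUBKEY_ON_CHAIN
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure.HASH_ONLY
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Exposure.HASH_ONLY
    # P2WPKH / P2WSH: OP_0 <20> / OP_0 <32>
    if len(spk) in (22, 34) and spk[0] == 0x00 and spk[1] == len(spk) - 2:
        return Exposure.HASH_ONLY
    return Exposure.UNKNOWN


@dataclass
class Utxo:
    spk: bytes
    funded: int                        # block height the output was created
    spend_seen: Optional[int] = None   # height the owner's spend hit the mempool
    spend_confirmed: Optional[int] = None
    key_reused: bool = False           # same pubkey already revealed by an earlier spend


def attack_window(u: Utxo) -> Optional[int]:
    """Blocks during which the attacker knows the pubkey and the coins are
    still spendable. None means unbounded (key known, output still unspent);
    0 means the attacker has nothing to work on yet."""
    exposed = classify_spk(u.spk) is Exposure.PUBKEY_ON_CHAIN or u.key_reused
    start = u.funded if exposed else u.spend_seen
    if start is None:
        return 0
    if u.spend_confirmed is None:
        return None
    return max(u.spend_confirmed - start, 0)


def at_risk(u: Utxo, blocks_to_break_key: int) -> bool:
    """True if an attacker needing `blocks_to_break_key` blocks per key could
    finish before the owner's spend confirms."""
    w = attack_window(u)
    return w is None or w >= blocks_to_break_key


# Constructed scenario: a slow QC needs roughly three months (~144 blocks/day) per key.
MONTHS_3 = 144 * 90
P2TR = bytes.fromhex("5120") + bytes(32)       # placeholder x-only output key
P2WPKH = bytes.fromhex("0014") + bytes(20)     # placeholder key hash

cold_taproot = Utxo(P2TR, funded=700_000)      # unspent Taproot cold storage
hashed_spent = Utxo(P2WPKH, funded=700_000, spend_seen=710_000, spend_confirmed=710_001)
hashed_reused = Utxo(P2WPKH, funded=700_000, spend_seen=725_000,
                     spend_confirmed=725_001, key_reused=True)

if __name__ == "__main__":
    for name, u in [("cold_taproot", cold_taproot), ("hashed_spent", hashed_spent),
                    ("hashed_reused", hashed_reused)]:
        print(f"{name}: window={attack_window(u)} at_risk={at_risk(u, MONTHS_3)}")
```

The three constructed UTXOs reproduce the thread's two positions: the hashed output spent once has a one-block window and is safe while breaking a key takes months, the unspent Taproot output gives the attacker an unbounded head start, and the hashed output whose key was already revealed by an earlier spend behaves like a naked pubkey, which is the address-reuse case Matt is pointing at.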