📅 Original date posted:2018-01-24 📝 Original message:On Wed, 2018-01-24 at ...

Tim Ruffing [ARCHIVE] /

npub1cmt…wkls

2023-06-07 18:10:09

in reply to nevent1q…g7qw

📅 Original date posted:2018-01-24
📝 Original message:On Wed, 2018-01-24 at 01:52 +0000, Andrew Poelstra via bitcoin-dev
wrote:
>
> > They are. But I don't believe that is relevant; the attacker would
> > simply steal the coins on spend.
>
>
> Then the system would need to be hardforked to allow spending through
> a
> quantum-resistant ZKP of knowledge of the hashed public key. I expect
> that in a post-quantum world there will be demand for such a fork,
> especially if we came into such a world through surprise evidence of
> a discrete log break.
>

There are simpler ways using consensus / waiting instead of zero-
knowledge, e.g.,

1. Include H(classic_pk, tx) to blockchain, wait until confirmed.
2. Reveal classic_pk, tx

This is taken from my tweet [1] but now I realize that these are
basically Guy Fawkes "signatures" [2]. Joseph Bonneau and Andrew Miller
[3] had the idea to use this for cryptocurrency without asymmetric
cryptography.

Best,
Tim

[1] https://twitter.com/real_or_random/status/948226830166786048
[2] https://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf
[3] http://www.jbonneau.com/doc/BM14-SPW-fawkescoin.pdf

Author Public Key

npub1cmt6gqyfw3sdngkq0wadtpe3kmgyyeld6ad0g2h5tar3kpzcrmpqddwkls

Show more details

Published at

2023-06-07 18:10:09

Kind type

1 Short Text Note

Event JSON

{ "id": "c6162348df70feafafe31a17a3ebce9e43ce6a509afdd1a0208e8fca1ce86ce7", "pubkey": "c6d7a400897460d9a2c07bbad58731b6d04267edd75af42af45f471b04581ec2", "created_at": 1686161409, "kind": 1, "tags": [ [ "e", "3098b6cd22aeee78f0db7c45c94594dc578b6094452b2f8e3129789af2cd6fd4", "", "root" ], [ "e", "3e16d945af76e4c91f1b2854925be672729379eb053d897e066980e1fdbe353e", "", "reply" ], [ "p", "ee55eb03423bd4db01d5c92ad434d52c602d9da1de37ed37cc5bf7d2a13a4cab" ] ], "content": "📅 Original date posted:2018-01-24\n📝 Original message:On Wed, 2018-01-24 at 01:52 +0000, Andrew Poelstra via bitcoin-dev\nwrote:\n\u003e \n\u003e \u003e They are. But I don't believe that is relevant; the attacker would\n\u003e \u003e simply steal the coins on spend.\n\u003e \n\u003e \n\u003e Then the system would need to be hardforked to allow spending through\n\u003e a\n\u003e quantum-resistant ZKP of knowledge of the hashed public key. I expect\n\u003e that in a post-quantum world there will be demand for such a fork,\n\u003e especially if we came into such a world through surprise evidence of\n\u003e a discrete log break.\n\u003e \n\nThere are simpler ways using consensus / waiting instead of zero-\nknowledge, e.g., \n\n1. Include H(classic_pk, tx) to blockchain, wait until confirmed.\n2. Reveal classic_pk, tx\n\nThis is taken from my tweet [1] but now I realize that these are\nbasically Guy Fawkes \"signatures\" [2]. Joseph Bonneau and Andrew Miller\n [3] had the idea to use this for cryptocurrency without asymmetric\ncryptography.\n\nBest,\nTim\n\n[1] https://twitter.com/real_or_random/status/948226830166786048\n[2] https://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf\n[3] http://www.jbonneau.com/doc/BM14-SPW-fawkescoin.pdf", "sig": "2db522af5cbe0aa54e8113d22f7eeeda0af61f2575c259d2a3c401f6dd2606a037906148bd4f72d2f206d504acc491ea7038ad1abb0308999fd0f5b5647cf5cd" }