2021-03-16T00:18:37  <jeremyrubin> it sounds like a ~ easy fix would be to use a key derivation algorithm such that the secret key is always H("quantum proof key" || lamport_key(entropy)) or a musig combined key of the equivalent
2021-03-16T00:19:29  <jeremyrubin> that way if there is ever a full DL break, the QC attacker would have to not only compute points, but compute points with a known preimage and a valid lamport key underneath?
2021-03-16T00:20:00  <jeremyrubin> Then taproot spends can be soft-forked out
2021-03-16T00:20:24  <jeremyrubin> and reveal DL with valid hash structure + lamport key can be forked in
2021-03-16T00:21:39  <robert_spigler> luke-jr: I think that's what it is, thanks
2021-03-16T00:33:40  *** shesek` <shesek`!~shesek@164.90.217.137> has joined ##taproot-bip-review
2021-03-16T00:35:04  *** shesek <shesek!~shesek@unaffiliated/shesek> has quit IRC (Ping timeout: 245 seconds)
2021-03-16T00:57:51  *** stortz <stortz!c8b9cbcf@200.185.203.207> has quit IRC (Quit: Connection closed)
2021-03-16T01:07:03  *** maaku_ <maaku_!~quassel@ec2-54-186-10-232.us-west-2.compute.amazonaws.com> has joined ##taproot-bip-review
2021-03-16T01:08:03  *** willcl_ark <willcl_ark!~quassel@unaffiliated/willcl-ark/x-8282106> has joined ##taproot-bip-review
2021-03-16T01:12:39  *** willcl_ark_ <willcl_ark_!~quassel@unaffiliated/willcl-ark/x-8282106> has quit IRC (*.net *.split)
2021-03-16T01:12:40  *** maaku <maaku!~quassel@ec2-54-186-10-232.us-west-2.compute.amazonaws.com> has quit IRC (*.net *.split)
2021-03-16T03:39:16  <maaku_> harding: please don't strawman these issues
2021-03-16T03:45:23  *** jonatack_ <jonatack_!~jon@37.172.178.208> has quit IRC (Ping timeout: 256 seconds)
2021-03-16T03:47:38  *** pipilainen <pipilainen!pinne@bsd.douchedata.com> has quit IRC (Read error: Connection reset by peer)
2021-03-16T03:47:57  *** pipilainen <pipilainen!~g@bsd.douchedata.com> has joined ##taproot-bip-review
2021-03-16T03:54:07  <harding> maaku_: what elements of my summary did you think were strawmanned?
2021-03-16T03:58:57  <maaku_> "movie plot" threat
2021-03-16T03:59:01  *** maaku_ is now known as maaku
2021-03-16T04:03:30  <luke-jr> I think that's challenging the premise that it's a real danger, more than a strawman
2021-03-16T04:06:05  <maaku> the way it is written up is extremely implausible--some entity dumping coins in a way that maximizes loss of value--then it is called a "movie plot" threat
2021-03-16T04:06:51  <maaku> I'm not going to spell out in a logged channel or mailing list how to maximize payoff if you have a QC and are willing to steal, but there are much better strategies that seem quite straightforward to me
2021-03-16T04:07:57  <maaku> and since we're talking about around ~$100bn worth of value, it's not at all unreasonable to assume someone might do this in real life
2021-03-16T04:10:13  <harding> maaku: how come you get to frame your argument with "Devs: and we're arranging for every bitcoin to get stolen at some unpredictable date in the near future" but I can't frame my argument as a "movie plot" threat?
2021-03-16T04:16:07  <maaku> harding: that was a tongue-in-cheek lead-in joke designed to hook the audience; I believe I've faithfully represented the majority opinion within the meat of the article
2021-03-16T04:16:38  <maaku> However I got the impression that you really didn't find a sudden quantum attack to be plausible.  If that was not the case, I apologize.
2021-03-16T04:19:00  *** belcher_ <belcher_!~belcher@unaffiliated/belcher> has joined ##taproot-bip-review
2021-03-16T04:20:50  <harding> maaku: indeed, it seems unlikely to me given that current QC accomplishments appear to be publicized, allowing us to track progress.  I did suggest (and ask for help) in my post a way to help incentivize revealing private QC capacities in case your concern is well founded.
2021-03-16T04:22:13  *** belcher <belcher!~belcher@unaffiliated/belcher> has quit IRC (Ping timeout: 256 seconds)
2021-03-16T04:31:37  <midnight> That's some odd QC fud..
2021-03-16T04:35:52  <maaku> midnight: ?
2021-03-16T04:40:31  <midnight> It's illogical.
2021-03-16T04:55:08  <maaku> midnight: I don't know to which thing you are referring
2021-03-16T08:22:15  *** jeremyrubin <jeremyrubin!~jr@024-176-247-182.res.spectrum.com> has quit IRC (Ping timeout: 240 seconds)
2021-03-16T09:00:08  *** amptwo <amptwo!segwitmatr@gateway/shell/matrix.org/x-qkvyvxbkyxdsaiae> has quit IRC (Quit: Idle for 30+ days)
2021-03-16T09:51:37  <michaelfolkson> robert_spigler luke-jr: Same here, seems like luck of the draw whether a response makes it to the mailing list or not. Who are the moderators on the mailing list?
2021-03-16T11:38:05  *** belcher_ is now known as belcher
2021-03-16T11:48:04  *** queip <queip!~queip@unaffiliated/rezurus> has quit IRC (Remote host closed the connection)
2021-03-16T11:50:33  *** queip <queip!~queip@unaffiliated/rezurus> has joined ##taproot-bip-review
2021-03-16T12:40:21  *** stortz <stortz!c8b9cbcf@200.185.203.207> has joined ##taproot-bip-review
2021-03-16T12:47:25  *** ghost43_ <ghost43_!~daer@gateway/tor-sasl/daer> has joined ##taproot-bip-review
2021-03-16T12:48:04  *** ghost43 <ghost43!~daer@gateway/tor-sasl/daer> has quit IRC (Ping timeout: 268 seconds)
2021-03-16T12:51:01  *** gnusha <gnusha!~gnusha@unaffiliated/kanzure/bot/gnusha> has joined ##taproot-bip-review
2021-03-16T13:28:21  *** jonatack_ <jonatack_!~jon@37.165.122.66> has joined ##taproot-bip-review
2021-03-16T14:12:22  *** jonatack_ <jonatack_!~jon@37.165.122.66> has quit IRC (Quit: jonatack_)
2021-03-16T14:12:46  *** jonatack <jonatack!~jon@37.165.122.66> has joined ##taproot-bip-review
2021-03-16T14:24:21  *** luke-jr <luke-jr!~luke-jr@unaffiliated/luke-jr> has quit IRC (Read error: Connection reset by peer)
2021-03-16T14:29:19  *** luke-jr <luke-jr!~luke-jr@unaffiliated/luke-jr> has joined ##taproot-bip-review
2021-03-16T15:01:04  *** DeanGuss <DeanGuss!~dean@gateway/tor-sasl/deanguss> has joined ##taproot-bip-review
2021-03-16T15:01:52  *** luke-jr <luke-jr!~luke-jr@unaffiliated/luke-jr> has quit IRC (Excess Flood)
2021-03-16T15:02:26  *** luke-jr <luke-jr!~luke-jr@unaffiliated/luke-jr> has joined ##taproot-bip-review
2021-03-16T15:03:07  *** DeanWeen <DeanWeen!~dean@gateway/tor-sasl/deanguss> has quit IRC (Ping timeout: 268 seconds)
2021-03-16T16:12:06  *** Teleportando <Teleportando!8eb30758@d142-179-7-88.bchsia.telus.net> has joined ##taproot-bip-review
2021-03-16T16:20:26  <michaelfolkson> robert_spigler: I think both of our emails have showed up on the mailing list now
2021-03-16T16:38:12  *** jeremyrubin <jeremyrubin!~jr@024-176-247-182.res.spectrum.com> has joined ##taproot-bip-review
2021-03-16T17:20:44  *** rgrant <rgrant!~rgrant@unaffiliated/rgrant> has joined ##taproot-bip-review
2021-03-16T17:50:00  *** stortz <stortz!c8b9cbcf@200.185.203.207> has quit IRC (Quit: Connection closed)
2021-03-16T18:04:02  *** lucasmoten <lucasmoten!~lucasmote@136.144.35.169> has joined ##taproot-bip-review
2021-03-16T18:59:12  *** r251d <r251d!~r251d@50.121.84.2> has joined ##taproot-bip-review
2021-03-16T19:08:26  *** shesek` is now known as shesek
2021-03-16T19:21:16  *** luke-jr <luke-jr!~luke-jr@unaffiliated/luke-jr> has quit IRC (Read error: Connection reset by peer)
2021-03-16T19:23:02  *** luke-jr <luke-jr!~luke-jr@unaffiliated/luke-jr> has joined ##taproot-bip-review
2021-03-16T20:06:22  *** rgrant <rgrant!~rgrant@unaffiliated/rgrant> has left ##taproot-bip-review
2021-03-16T20:10:36  *** r251d <r251d!~r251d@50.121.84.2> has quit IRC (Quit: r251d)
2021-03-16T20:25:56  *** lucasmoten_ <lucasmoten_!~lucasmote@136.144.35.169> has joined ##taproot-bip-review
2021-03-16T20:28:29  *** lucasmoten <lucasmoten!~lucasmote@136.144.35.169> has quit IRC (Ping timeout: 265 seconds)
2021-03-16T20:59:37  <real_or_random> jeremyrubin: I think ideas in that direction do exist, and they may or may not be clever. the point is that doing this is not visible now, so we don't need to introduce this with taproot
2021-03-16T21:01:31  <real_or_random> it's certainly a discussion we could have but it seems independent of the proposed Taproot fork (because it's not relevant for current consensus)
2021-03-16T21:01:53  <real_or_random> maybe I should post a longer explanation of this to the ML
2021-03-16T21:47:37  <midnight> I'm referring to the absurdity of objecting to taproot as a result of a future attack which makes us all totally screwed anyway without a concrete QC-ready overall plan.
2021-03-16T21:47:57  <luke-jr> midnight: it wouldn't make us all screwed anyway, pre-Taproot
2021-03-16T21:52:37  *** jonatack_ <jonatack_!~jon@37.171.42.2> has joined ##taproot-bip-review
2021-03-16T21:56:57  *** jonatack <jonatack!~jon@37.165.122.66> has quit IRC (Ping timeout: 264 seconds)
2021-03-16T22:12:52  <michaelfolkson> Internet banking would be screwed. A desperate run from fiat to Bitcoin to be protected by that impregnable hash
2021-03-16T22:14:54  <michaelfolkson> And in that attempt to move from fiat to Bitcoin you'd probably lose the Bitcoin you were trying to swap into as pubkeys are leaked in the process of spending from the previous address
2021-03-16T22:15:23  <luke-jr> michaelfolkson: no, you wouldn't be able to buy bitcoins in this situation
2021-03-16T22:15:50  <michaelfolkson> So everyone without Bitcoin would lose all their money in their internet banking
2021-03-16T22:15:53  <luke-jr> and banks would probably just undo everything online
2021-03-16T22:16:14  <luke-jr> actually, online banking could freeze for the same safety level
2021-03-16T22:16:24  <luke-jr> QC won't get you passwords after all
2021-03-16T22:17:46  <michaelfolkson> No internet banking until quantum crypto rolled out. I think we go back to barter and stones
2021-03-16T22:18:04  <michaelfolkson> HODLing my stash of stones
2021-03-16T22:20:21  <luke-jr> yep, same as Bitcoin today
2021-03-16T22:20:57  <maaku> michaelfolkson: by 2025 there will be a NIST standard for post-quantum symmetric key agreement, which will be a drop-in replacement for TLS, SSH, etc.
2021-03-16T22:22:33  <maaku> the earliest reasonable date for a QC that can break 2048-bit RSA or secp256k1 is 2030-ish, so with a proactive Y2K-level of effort it is likely that we can avoid the whole world collapsing
2021-03-16T22:23:11  <luke-jr> maaku: that's reassuring. maybe worth pointing out more often.
2021-03-16T22:23:14  <michaelfolkson> 2025 an estimate obviously. You'd expect that to be pushed back (as everything does)
2021-03-16T22:23:22  <maaku> but Bitcoin needs to take its own steps to transition to post-quantum cryptography, and has challenges which make it more difficult than TLS or SSH
2021-03-16T22:24:01  <maaku> michaelfolkson: I'm talking about the PQC competition, which is operating on a fixed timeline : https://csrc.nist.gov/projects/post-quantum-cryptography
2021-03-16T22:24:11  <maaku> there are already multiple acceptable finalists
2021-03-16T22:24:39  <michaelfolkson> Interesting...
2021-03-16T22:24:52  <luke-jr> why do we need to wait for a winner to be chosen?
2021-03-16T22:25:09  <luke-jr> and why does NIST refuse to show anything unless I let them run JS code
2021-03-16T22:25:13  <luke-jr> not sure I want to do that
2021-03-16T22:25:36  * michaelfolkson closes browser tab quickly
2021-03-16T22:25:40  <michaelfolkson> Haha
2021-03-16T22:25:42  <maaku> so I don't think it is alarmist or out of line to be insisting that we also be proactive towards fixing Bitcoin on a similar timeline
2021-03-16T22:27:04  <maaku> luke-jr: we don't need to wait for NIST. it's just what with respect to TLS, SSH, etc. it's easier when there is an obvious Schelling point
2021-03-16T22:27:20  <michaelfolkson> Are you a cryptographer maaku? Amateur or professional? I don't know if any of the small number of cryptographers in Bitcoin have looked into quantum crypto in great depth
2021-03-16T22:28:03  <maaku> however for Bitcoin specifically, it is unlikely that the chosen standard will be suitable for our use. IIRC there's only one finalist that operates as a digital signature (and it is not as good for us as one of the non-finalists which has a better zkp system)
2021-03-16T22:30:12  <maaku> michaelfolkson: my credentials are only at the undergraduate level--my degree is in physics with a QC advisor
2021-03-16T22:30:35  <michaelfolkson> maaku: Fair enough
2021-03-16T22:31:04  <maaku> but if you took credentials as a filter you'd have to ignore half of the developers who write cryptographic code for Bitcoin
2021-03-16T22:31:46  <michaelfolkson> Oh sure, please don't take that as a criticism. Just wondered if this was going to be a research topic for you or something you were going to focus on
2021-03-16T22:33:19  <luke-jr> michaelfolkson: maaku is an altcoin developer; just friendly and cooperative with Bitcoin
2021-03-16T22:33:20  <maaku> It's just something I learned a bit about my senior year in college, then kept an eye on ever since.
2021-03-16T22:33:47  <luke-jr> (his altcoin is also not competing against Bitcoin, to be clear)
2021-03-16T22:33:52  <maaku> I have an interest in QC for solving ab-initio quantum simulations of atomic systems
2021-03-16T22:35:26  *** queip <queip!~queip@unaffiliated/rezurus> has quit IRC (*.net *.split)
2021-03-16T22:37:08  *** queip <queip!~queip@unaffiliated/rezurus> has joined ##taproot-bip-review
2021-03-16T22:44:03  *** stortz <stortz!c8b9cbcf@200.185.203.207> has joined ##taproot-bip-review
2021-03-16T22:53:31  <jeremyrubin> real_or_random: yep that can be added after, that was my point (e.g., at the key derivation level)
2021-03-16T22:55:21  <maaku> I would be more acquiescent to taproot activating if I thought there was a concerted effort to actually transition to post-quantum crypto
2021-03-16T22:55:58  <maaku> But instead there just seems to be hand waving over the issue and kicking the can down the road
2021-03-16T22:57:38  <maaku> this medium post does a decent writeup of why there needs to be many-years-long transition effort rather than waiting to act when QC is finally near : https://medium.com/the-capital/going-quantum-resistant-in-blockchain-a-plausible-timeframe-afc174a0da5c
2021-03-16T22:58:21  <jeremyrubin> maaku: does ability to slip a commitment into the key and fork in a new spending path not work for you?
2021-03-16T22:58:30  <jeremyrubin> do you want the code ready & written?
2021-03-16T22:59:12  <maaku> jeremyrubin: yes someone should actually be writing code, and operating a testnet, etc.
2021-03-16T22:59:54  <maaku> you can't even assess whether the idea will work until there is a concrete proposal with code. could be issues we're not seeing
2021-03-16T23:00:02  <jeremyrubin> sounds like you just volunteered?
2021-03-16T23:04:31  <maaku> not my project...
2021-03-16T23:04:51  <maaku> which is why I also haven't NACK'd anything
2021-03-16T23:05:05  <maaku> but it is a conversation we all benefit from participating in
2021-03-16T23:07:32  <luke-jr> FYI there were some errors in my GDocs link earlier; I have corrected them