Pages:
Author

Topic: Game theory involving Quantum Resistance protocol (Read 897 times)

legendary
Activity: 1456
Merit: 1010
Ad maiora!
Hi all guys and girls speaking in this exciting thread (finally someone speaking of QC!?!)

I will not actively step in to say more of what has been said but I would like to point you to https://faqq.info/

There you can find the Frequently Asked Quantum Questions, very informative Wink

And last but not least an XMSS signature based cryptocurrency & blockchain exists and its running smoothly on mainnet for over 1 year now: www.theqrl.org

Cheers and keep this great discussion up, I will enjoy keeping read it.  Wink

legendary
Activity: 1610
Merit: 1183
What if pools and wallet companies and devs decided (for the interests of their multi-billion business) to block terrorist wallets, e.g. because of US authorities threatening the whole community?  Huh

you are comparing apples and oranges!

your other arguments are like saying our browsers must not have stopped rejecting SHA1 SSL certificates because some people might be lazy in upgrading their certificate to a more secure hash algorithm even though there was a transition period given to everyone to move to new algorithms! instead they should have given the "lazy server" a workaround to push their SHA1 certificates as valid!!!
It is the true apples and oranges comparison, what you are doing. A digital asset, especially a cryptocurrency deposit is absolutely different artifact. I'm done rehashing the same argument over and over, it is the code, a constitutional right, for users not to be worried about developments and forks, their assets should be kept immune. period.

And it is not all about laziness (which is absolutely a right), people may be away for a long period of time from tech news, maybe they are paranoid about tracking/surveillance systems being watching them and trying to locate them, whales may feel uncomfortable with moving their strategic wallets, some may possibly lose their keys temporarily, others may have deposited their keys in a safe box to be handed to the heirs in a special occasion, ...

Plus, if missing a deadline should have a penalty it is not necessarily losing all funds. In my proposal users that you are calling them lazy have tp pay for it but in a reasonable way.


If Bitcoin wants to be digital gold, you can't be having arbitrary countdowns in which you are going to lose all of your affected funds unless you move them from A to B. That is what has been my point for a while.

However, what do you really and concisely propose? I have not seen convincing arguments, when it comes to avoiding the need for funds being moved in case of an exploit on the algorithm (QC attack or otherwise).

Perhaps it's something we can't avoid, and every generation or so, you will need to do this, at least once in your lifetime.
With gold, the analogy could be that you may need to reallocate all of your holdings... the place in which they are sitting isn't supposedly safe forever.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
What if pools and wallet companies and devs decided (for the interests of their multi-billion business) to block terrorist wallets, e.g. because of US authorities threatening the whole community?  Huh

you are comparing apples and oranges!

your other arguments are like saying our browsers must not have stopped rejecting SHA1 SSL certificates because some people might be lazy in upgrading their certificate to a more secure hash algorithm even though there was a transition period given to everyone to move to new algorithms! instead they should have given the "lazy server" a workaround to push their SHA1 certificates as valid!!!
It is the true apples and oranges comparison, what you are doing. A digital asset, especially a cryptocurrency deposit is absolutely different artifact. I'm done rehashing the same argument over and over, it is the code, a constitutional right, for users not to be worried about developments and forks, their assets should be kept immune. period.

And it is not all about laziness (which is absolutely a right), people may be away for a long period of time from tech news, maybe they are paranoid about tracking/surveillance systems being watching them and trying to locate them, whales may feel uncomfortable with moving their strategic wallets, some may possibly lose their keys temporarily, others may have deposited their keys in a safe box to be handed to the heirs in a special occasion, ...

Plus, if missing a deadline should have a penalty it is not necessarily losing all funds. In my proposal users that you are calling them lazy have tp pay for it but in a reasonable way.
legendary
Activity: 3472
Merit: 10611
What if pools and wallet companies and devs decided (for the interests of their multi-billion business) to block terrorist wallets, e.g. because of US authorities threatening the whole community?  Huh

you are comparing apples and oranges!

your other arguments are like saying our browsers must not have stopped rejecting SHA1 SSL certificates because some people might be lazy in upgrading their certificate to a more secure hash algorithm even though there was a transition period given to everyone to move to new algorithms! instead they should have given the "lazy server" a workaround to push their SHA1 certificates as valid!!!
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
The protocol I suggested above, is safe and secure and a very good compromise saving everybody without taking rough measures against people who miss deadlines. You need to take another look at and sleep on it, imo.

if something were broken it must be removed right away. you can't compromise the entire multi billion dollar worth of system just because some people might be lazy!
when people enter bitcoin world the first thing they learn is that they are now responsible and in full control of their own money. that includes keeping an eye on development of bitcoin and changing directions if needed.
Firstly, it is a good compromise, not a bad one! Being rough and harsh against people because they have missed some deadline is neither a good practice nor a part of bitcoin culture.

Removing OP_CHECKSIGHASH is too harsh. Unlike what you say, people have no obligation to keep an eye on what pool operators and devs dictate. It is not part of the code, I've bought some coins as an eternally safe asset without signing any contract to be online or keeping an eye on anything. It is basic.

I think even talking about such a hypothetical fork hurts bitcoin and should be immediately stopped! No matter who first put it this way and in what condition such nonsense ideas have been formed in his mind (or probably he has been drunk or high?) but it is not what bitcoin is.
What if pools and wallet companies and devs decided (for the interests of their multi-billion business) to block terrorist wallets, e.g. because of US authorities threatening the whole community?  Huh
legendary
Activity: 3472
Merit: 10611
The protocol I suggested above, is safe and secure and a very good compromise saving everybody without taking rough measures against people who miss deadlines. You need to take another look at and sleep on it, imo.

if something were broken it must be removed right away. you can't compromise the entire multi billion dollar worth of system just because some people might be lazy!
when people enter bitcoin world the first thing they learn is that they are now responsible and in full control of their own money. that includes keeping an eye on development of bitcoin and changing directions if needed.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
what "deal"? what are you referring to as if some scripture exists re our duty of care obligations? at what point is putting the entire bitcoin economy's well being at stake not acceptable to you?

i don't believe duty of care implies the necessity to protect specifically irresponsible and unsafe behavior that can/will harm other people. it seems like you'd rather see bitcoin burned to the ground before budging on this. is that the case?
The protocol I suggested above, is safe and secure and a very good compromise saving everybody without taking rough measures against people who miss deadlines. You need to take another look at and sleep on it, imo.

I don't believe in antagonistic conflicts of interests between users but we all need to respect the code and destroying coins is not part of the code. I understand for exposed public keys there is no choice and should put the safety of the whole ecosystem first, but for unexposed ones, I see no justification for taking rough actions just because they are easier to implement.
legendary
Activity: 1652
Merit: 1483
there is a dilemma here. firstly, this scheme of yours involves too much trust---in miners to privately mine transactions without stealing and in p2pkh holders to properly secure their coins. they are theoretically a threat to us all.
In the real world, trust works fine for many use-cases, it is one of them. It is the penalty a lazy or careless wallet owner or a paranoid one has to pay, her decision, not the community.

you're missing the point. i've emphasized the relevant sentence in bold. we---the rest of the bitcoin economy---could theoretically pay for their carelessness. i find that unacceptable.

as a bitcoin holder, their interests are directly in conflict with mine. how do you plan to reconcile this? this network operates on the basis of economic rationality. you seem to expect us to embrace irrational behavior that threatens our financial interests. why?

The coins are not lost, they are deliberately destroyed by the majority (by a UASF for instance), it is not part of the deal and reminds me of Ethereum and its centralized ecosystem.

what "deal"? what are you referring to as if some scripture exists re our duty of care obligations? at what point is putting the entire bitcoin economy's well being at stake not acceptable to you?

i don't believe duty of care implies the necessity to protect specifically irresponsible and unsafe behavior that can/will harm other people. it seems like you'd rather see bitcoin burned to the ground before budging on this. is that the case?
newbie
Activity: 5
Merit: 0
We think that the early mined coins of Satoshi are created as a prize competition (Re: Maybe Satoshi created the greatest prize competition https://bitcointalksearch.org/topic/maybe-satoshi-created-the-greatest-prize-competition-5150688) and that Satoshi is waiting this coins to be moved. We also think that he will not respond when somebody moves the first coins but it will be a message to the Bitcoin community that the private keys are somehow on the blockchain. Satoshi could move the coins (2009/2010) to P2PKH addresses but did not.

and there is also zero evidence of any of that

not sure, but maybe:

Look at these 19 public keys:

Code:
0434f3e8e75ec56591490b558a6f31211f0f5c92345addee268418af70e8c4b38e69843aa0139d3a393b7353388dcb3e809f28d2f61f998c0299abd5ed3eb3165b
041fb2bee6523163f21f6f7f2918b3c674f5ea1d68abb753537d1eb2d4256bfa632f175e47bf0cea7bc0ad9d4caf158ae7a8a82de70587535922ed7fe94f131459
048743aa38b310b19a9fb5066d82df970c1925503b9e0e8c71099c4a6ec95959de6edf701c94df1e92b04959426fd7b9e5f1875b574400a6778e898a4ae1e09e4d
045015405eb7650997d571ccdf5d9667b6452af2446aa6f39443d6631ccde8cf2f817d3e8713f22fa4f0c066275608db54e1ae2e4b85b9ce0e33fc7de72176d917
041c34b55dbe9793aa023733fddfb0caefbae5b0fdf44dfb28505794ee2e30640a880da077f97733a164ec248bffef94d2104579a989e64c4fa9962807fdf5013c
048583734a32ed0f19c8fb4ef1d53f907eae51b051c946d92160be837dcd8d33dccdbb5d25c9008b8244fc6031b28140520dcc6e34a0aacbd73ab89c38e8aa0c85
044ed97015499143d2945601dcb1539c00fd143c9880fd8086dd609f27d7e6ee720f5557eb1c1104b2d7cf6257221bd332f452a1874475946aaf22a860f1f90960
04cd0e16ec7aabea7c35bf230a59631e38a15c7a491c62f3d9e2d0398bbd48e13c1bfabe822458f8d45cc90c4e06b9c3f220f0c0744f25b81d213c1a28e6d42215
040d38158d879b1da30951cf39f2b31f105601a5c7fdf30442573e9a84b8c00c8ca95f712e76647b54a87db08489c7f76a958dc87278e8311f4c04ae0ac6613ca2
04b61c2d88ad4b579bb4b2193e0e6ec4b9c3b393a34545a0eb7686b02205385133f2179e450da372f9f810b6415835b5121a2ea822820c31ab1f5dc6655f1ae97a
0431ed84b6a2615c121eee1837da2353a4b39c7e176f32d2792d8384e0a7f658871d9d2c2e955b5f9f83d35ecac6c4bec52d02e76d14f85ad74536ac51e38df986
046a54d74528db63cd2164dc7483a7a479bb82dc62aa4e40cf5bcff7871ba839025a0476aa9a1258b657019a4f281a78eb56b6f841c6a363c98ac8713109bdcc7c
04b18527cf6f53ad751f90faad335b094fe5129ca6133a24b901af545bb1b067189574c52a5c8ce0be292e1304a96b77cde70ccf16324717c218c89ef7bc03e5c9
04ac115090af184a8463f16e09bb8225e8c5c9e420646aa3e5327c1bc44d325cd7d180157f02e9d50a056d2d2b84356f9cc7398f0c95e25b6ba68f04f0172166de
04ef7dfdb71a90cf896642c498a7fe702e3d87b3600b4b57c632d2d28cd0ae4b66ca668dc0eb8d1f66cb9ed56167d311953eefb5ed511bba78627eca697cb935ca
046ea9c3ad7b850b085f2c96b5fc8774086514dd297cf2765ad4930a63c0d860cd21302b93cf991d0b711435d0c6ec62ce863450abe6492ead7fd145045daf827f
049d6993e6a9a312f16db0f0b60781472ec5ff9e4a343e2a6a1b2008db9bb5aea018dd838ff572b0bcaf2ada7661b8172960b6846b1e366bb9e9a8f04614608be3
04e76b0e053769e7b213d067f3b5f82b428cec48d3a217a7623d56b69ad4428618185f2d59c3263a50a7887364dbc3dfc60b5f461cbeb57af3cd0121c0e59617da
048b74872254d33cf08cd695c29580b541c4732d30730fa541078ef2d9d0e542132ce0963cb765eb94320d2a2c704b52e41f65536ef53acd8e09c886fd808fd2f0

They correspond to uncompressed addresses with the first transactions in 2011 year, and fund release only in September 2019. The amounts for every address are 100-500BTC. For example the first 3 addresses (released 147BTC, 122BTC and 147BTC) are:
13GUJutC6GKgJQTcGzCtznDDYFQKVJFVwp
13Sa73PU9Ar5sE4SdFcBdbg9ntbNcMQhaA
14k4GhqA1svNZPbssdAjgdnfzWTpAigZVH

Is this Satoshi releasing his early mined funds? This could not be a luck, so huge luck.

I'm not the author of these pubkeys collection. I found it here: https://bitcointalksearch.org/topic/m.52879592

This puzzle is very strange. If it's for measuring the world's brute forcing capacity, 161-256 are just a waste (RIPEMD160 entropy is filled by 160, and by all of P2PKH Bitcoin). The puzzle creator could improve the puzzle's utility without bringing in any extra funds from outside - just spend 161-256 across to the unsolved portion 51-160, and roughly treble the puzzle's content density.

If on the other hand there's a pattern to find... well... that's awfully open-ended... can we have a hint or two? Cheesy

I am the creator.

You are quite right, 161-256 are silly.  I honestly just did not think of this.  What is especially embarrassing, is this did not occur to me once, in two years.  By way of excuse, I was not really thinking much about the puzzle at all.

I will make up for two years of stupidity.  I will spend from 161-256 to the unsolved parts, as you suggest.  In addition, I intend to add further funds.  My aim is to boost the density by a factor of 10, from 0.001*length(key) to 0.01*length(key).  Probably in the next few weeks.  At any rate, when I next have an extended period of quiet and calm, to construct the new transaction carefully.

A few words about the puzzle.  There is no pattern.  It is just consecutive keys from a deterministic wallet (masked with leading 000...0001 to set difficulty).  It is simply a crude measuring instrument, of the cracking strength of the community.

Finally, I wish to express appreciation of the efforts of all developers of new cracking tools and technology.  The "large bitcoin collider" is especially innovative and interesting!

saatoshi_rising, are you satoshi? If you don't want to tell something, we respect your privacy! Maybe you could support us here:

Maybe Satoshi created the greatest prize competition https://bitcointalksearch.org/topic/maybe-satoshi-created-the-greatest-prize-competition-5150688
Open letter/question to Satoshi https://bitcointalksearch.org/topic/open-letterquestion-to-satoshi-5159185

legendary
Activity: 1456
Merit: 1176
Always remember the cause!
Keeping bitcoin promise as far as it is possible and pushing to the limits, it is the point.
Disabling OP_CHECKSIG means destroying wallets that do not follow our orders, It wasn't part of the code, the contract bitcoin has "signed" with the user. You can't just show up with a new address scheme ordering people to migrate. They have a right not to follow, it is constitutional.

there is a dilemma here. firstly, this scheme of yours involves too much trust---in miners to privately mine transactions without stealing and in p2pkh holders to properly secure their coins. they are theoretically a threat to us all.
In the real world, trust works fine for many use-cases, it is one of them. It is the penalty a lazy or careless wallet owner or a paranoid one has to pay, her decision, not the community. We have already provided her with a free alternative approach (migrating to the new scheme) and she has refused or missed it and now she should pay costs to secure her funds but the good news is that she has not lost everything.

Quote
secondly, bitcoin's economic design implies what satoshi said explicitly---"Lost coins only make everyone else's coins worth slightly more.  Think of it as a donation to everyone."

so it becomes a point of contention. whose interests are more important---
a. people who want to keep their outputs in vulnerable format for eternity (despite safe alternatives) and who will require trusted/centralized solutions to spend them, or
b. the rest of the bitcoin economy?

even if we table the discussion about needless complexity, bitcoin holders will not be interested in your way. they will prefer a predictable outcome that more reliably ensures that bitcoin's value remains intact.
The way you formulate it is not fair  Cheesy

The coins are not lost, they are deliberately destroyed by the majority (by a UASF for instance), it is not part of the deal and reminds me of Ethereum and its centralized ecosystem. Bitcoin is not about majorities neither whales nor celebrities, on the contrary, its strength is in the maximum protection of minorities.
legendary
Activity: 1652
Merit: 1483
Keeping bitcoin promise as far as it is possible and pushing to the limits, it is the point.
Disabling OP_CHECKSIG means destroying wallets that do not follow our orders, It wasn't part of the code, the contract bitcoin has "signed" with the user. You can't just show up with a new address scheme ordering people to migrate. They have a right not to follow, it is constitutional.

there is a dilemma here. firstly, this scheme of yours involves too much trust---in miners to privately mine transactions without stealing and in p2pkh holders to properly secure their coins. they are theoretically a threat to us all.

secondly, bitcoin's economic design implies what satoshi said explicitly---"Lost coins only make everyone else's coins worth slightly more.  Think of it as a donation to everyone."

so it becomes a point of contention. whose interests are more important---
a. people who want to keep their outputs in vulnerable format for eternity (despite safe alternatives) and who will require trusted/centralized solutions to spend them, or
b. the rest of the bitcoin economy?

even if we table the discussion about needless complexity, bitcoin holders will not be interested in your way. they will prefer a predictable outcome that more reliably ensures that bitcoin's value remains intact.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
What is the point of that?
Keeping bitcoin promise as far as it is possible and pushing to the limits, it is the point.
Disabling OP_CHECKSIG means destroying wallets that do not follow our orders, It wasn't part of the code, the contract bitcoin has "signed" with the user. You can't just show up with a new address scheme ordering people to migrate. They have a right not to follow, it is constitutional.

What is the point of burning the coins?
As of 2018 June 4, 19% of p2pkh addresses (4,204,148 of 22,275,753) holding 25% bitcoins (4,319,806 of 17,072,361) were revealing their public keys because of address-reuse.

Such addresses are in the most vulnerable state just like their p2pk counterparts and are indistinguishable from more secure p2pkh addresses with unexposed public keys. They should be blocked too but we want safer p2pkh addresses to be kept valid, burning such addresses by miners through an incentive mechanism is what I've recommended.

Why would anyone even want to reveal their pubkeys to a miner just to gain nothing? Only the miners benefit from that, it's completely pointless to anyone else. it's the equivalent of just having a fork that completely disallows OP_CHECKSIG.
It can be a service with a very low fee, centralized and based on trust. The owners of abandoned, expired p2pkh give both their public and private keys to a trusted solo-miner/pool to include it directly in the blocks. lease note that mining is permissionless in bitcoin and there is always a possibility for paranoid minted owners of very fat wallets to lease power and mine their transactions privately.

but we are dealing with a mess, aren't we?
I disagree. It isn't a mess until QCs actually show up. Migration to PQC is pretty straightforward and non-messy, just needs a lot of time and warning.
Forcing people to move their funds and threatening to announce those funds void otherwise? Believe me it is a mess.


Noways to minimize the damage unless you get hands dirty, no choice. And yet it is not too much, implementing both forks is easier than what they look like in the first glance
The two forks are just so much more complex than a single fork which disallows OP_CHECKSIG and OP_CHECKMULTISIG after a deadline. And I don't think they're any easier than they seem, consensus and the script interpreter and far more complicated than you think, especially with anything that requires storing state or remembering previously executed scripts.
Disagree.
Storing state in a single thread of execution of a single script is required and it is nothing more than playing around with one or two booleans and I've explicitly described the rules. This is not dark magic.
staff
Activity: 3458
Merit: 6793
Just writing some code
Fork #2: Up to a deadline, simulate an advanced zero-cost QC attack by letting any miner who has access to the corresponding public key of the address is authorized to spend it into a null address deducting a fixed fee. After the deadline, we are back to the normal situation.
...
Fork #2: Before the second deadline OP_CHECKSIG  always pushes 1 (true) if a special flag is set. This flag is set if the transaction follows a defined format which guarantees that after deducting a predefined amount it is burning its (single) input to a specific (void) address. This behavior is reset to default after the deadline.

Interestingly, unlike what happens with your, rough approach, p2pkh legacy wallets that are not been moved for any reason are expendable for eternity as long as they are privately mined (not being relayed in the public network before being confirmed) in the presence of QC equipped thieves. 

What is the point of that? Instead of having two forks, why not just have the one fork have the deadline be farther away so that people have more time to migrate. The point is that during the migration period, ECDLP is still not broken yet.

What is the point of burning the coins? Why would anyone even want to reveal their pubkeys to a miner just to gain nothing? Only the miners benefit from that, it's completely pointless to anyone else. it's the equivalent of just having a fork that completely disallows OP_CHECKSIG.

but we are dealing with a mess, aren't we?
I disagree. It isn't a mess until QCs actually show up. Migration to PQC is pretty straightforward and non-messy, just needs a lot of time and warning.

Noways to minimize the damage unless you get hands dirty, no choice. And yet it is not too much, implementing both forks is easier than what they look like in the first glance
The two forks are just so much more complex than a single fork which disallows OP_CHECKSIG and OP_CHECKMULTISIG after a deadline. And I don't think they're any easier than they seem, consensus and the script interpreter and far more complicated than you think, especially with anything that requires storing state or remembering previously executed scripts.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
@achow101,
Above thread, I've suggested a strategy for different stages of the QC evolution it includes measures and actions to be taken:

1- Implement a new QC resistant signature and install/promote it in bitcoin.

2- starting from the p2pk group of the UTXOs, because they are the most vulnerable segment. It is mandatory for this group to migrate, If they wouldn't, their coins will be announced void after a deadline. More propaganda for convincing p2pkh owners to take actions, no obligations tho.

3- When we are closer to the doomsday, we give anybody with access to the public key behind a hashed address, a right to claim a very tiny and fixed portion of the UTXO just like a txn fee, destroying the remainder. Practically it may be just miners who take advantage of this feature, we don't care.

4- After the QC apocalyptus, we will have a percentage of untouched p2pkh addresses that their public keys are not exposed to the public. For the owners of such UTXOs, there will be still a chance to privately mine their transactions or buying such a service from a trusted pool or mining farm.
There's no reason to take so many steps and add even more special cases to the scripting system. To allow P2PKH but not P2PK requires adding special cases to OP_CHECKSIG which then needs to inspect the script to check whether it was P2PKH. And then you aren't covering things like multisigs or any complex script that uses OP_CHECKSIG. What about if the P2PK was nested inside of P2SH (because that's allowed)? Or people using bare multisig? So now we need to have tons more logic to handle all the weird things people can do with scripts? That's completely unnecessary.

The simpler and easier, and just as safe solution is to soft fork in a hard deadline (that can be several years in the future) where OP_CHECKSIG and OP_CHECKMULTISIG both become immediate script failures thus outlawing ECDSA. People can move their coins to whatever PQC signature scheme is introduced up until that deadline, regardless of script type, and then after the deadline, any usage of OP_CHECKSIG and OP_CHECKMULTISIG is disallowed.

I don't see why it is necessary at all to roll out such a migration so slowly with different script types getting different treatment. And it really doesn't generalize at all.
Oh, thank you for being so specific, it is what I always expected from you.  Smiley

unlike what it looks like the strategy is not that complicated, it is about two deadlines instead of just one, this is it!

We need two deadlines because we should deal with three radically different cases:

Case #1: P2PK UTXOs (including multisigs); they are exposed to the first wave of commercially available QCs that are able to break ECDSA in feasible time.

Case #2: Compromised P2PKH and P2SH UTXO; they are compromised in the sense that their corresponding raw counterparts are leaked either because of address re-use or other reasons like transaction generation process, wallets being implemented with loose security considerations, ...

Case #3: Abandoned P2PKH and p2SH UTXos; they are wallets that do not follow the recommended practice of migrating to the new PQC scheme and are vulnerable to hijacking by scalable and commercialized QCs capable of breaking secp256k1 keys on the fly.  

In the big picture, each of the above cases is radically different and deserves special treatment. My proposed strategy covers this situation by 2 soft forks or a two-phase fork.

Fork #1: Implement a PQC scheme, set a deadline for P2PK and multisigs to migrate, announce them void thereafter (kick them out of the UTXO set practically)

Fork #2: Up to a deadline, simulate an advanced zero-cost QC attack by letting any miner who has access to the corresponding public key of the address is authorized to spend it into a null address deducting a fixed fee. After the deadline, we are back to the normal situation.


As of implementation considerations:

I understand the second fork is messy but we are dealing with a mess, aren't we? Noways to minimize the damage unless you get hands dirty, no choice. And yet it is not too much, implementing both forks is easier than what they look like in the first glance:

Fork #1: besides the PQC scheme, the script processing engine should fail OP_CHECKSIG after the deadline whenever an OP_HASH160 or OP_HASH256 is not executed freshly and followed by an OP_EQUALVERIFY. Script processing engine can take care of this by maintaining a flag that is set with OP_HASHxxx and reset after the execution of any OP_CODE other than OP_EQUALVERIFY while OP_CHECKSIG checks whether this is flag is set before doing anything, easy.

Fork #2: Before the second deadline OP_CHECKSIG  always pushes 1 (true) if a special flag is set. This flag is set if the transaction follows a defined format which guarantees that after deducting a predefined amount it is burning its (single) input to a specific (void) address. This behavior is reset to default after the deadline.

Interestingly, unlike what happens with your, rough approach, p2pkh legacy wallets that are not been moved for any reason are expendable for eternity as long as they are privately mined (not being relayed in the public network before being confirmed) in the presence of QC equipped thieves.  
staff
Activity: 3458
Merit: 6793
Just writing some code
@achow101,
Above thread, I've suggested a strategy for different stages of the QC evolution it includes measures and actions to be taken:

1- Implement a new QC resistant signature and install/promote it in bitcoin.

2- starting from the p2pk group of the UTXOs, because they are the most vulnerable segment. It is mandatory for this group to migrate, If they wouldn't, their coins will be announced void after a deadline. More propaganda for convincing p2pkh owners to take actions, no obligations tho.

3- When we are closer to the doomsday, we give anybody with access to the public key behind a hashed address, a right to claim a very tiny and fixed portion of the UTXO just like a txn fee, destroying the remainder. Practically it may be just miners who take advantage of this feature, we don't care.

4- After the QC apocalyptus, we will have a percentage of untouched p2pkh addresses that their public keys are not exposed to the public. For the owners of such UTXOs, there will be still a chance to privately mine their transactions or buying such a service from a trusted pool or mining farm.
There's no reason to take so many steps and add even more special cases to the scripting system. To allow P2PKH but not P2PK requires adding special cases to OP_CHECKSIG which then needs to inspect the script to check whether it was P2PKH. And then you aren't covering things like multisigs or any complex script that uses OP_CHECKSIG. What about if the P2PK was nested inside of P2SH (because that's allowed)? Or people using bare multisig? So now we need to have tons more logic to handle all the weird things people can do with scripts? That's completely unnecessary.

The simpler and easier, and just as safe solution is to soft fork in a hard deadline (that can be several years in the future) where OP_CHECKSIG and OP_CHECKMULTISIG both become immediate script failures thus outlawing ECDSA. People can move their coins to whatever PQC signature scheme is introduced up until that deadline, regardless of script type, and then after the deadline, any usage of OP_CHECKSIG and OP_CHECKMULTISIG is disallowed.

I don't see why it is necessary at all to roll out such a migration so slowly with different script types getting different treatment. And it really doesn't generalize at all.
legendary
Activity: 3430
Merit: 3080
assuming satoshi can still move their/his coins
He can

there is zero evidence of that


but he will not.

and there is also zero evidence of that


We think that the early mined coins of Satoshi are created as a prize competition (Re: Maybe Satoshi created the greatest prize competition https://bitcointalksearch.org/topic/maybe-satoshi-created-the-greatest-prize-competition-5150688) and that Satoshi is waiting this coins to be moved. We also think that he will not respond when somebody moves the first coins but it will be a message to the Bitcoin community that the private keys are somehow on the blockchain. Satoshi could move the coins (2009/2010) to P2PKH addresses but did not.

and there is also zero evidence of any of that

in particular, all of the above would be crazy (assuming that satoshi is/was not crazy) if the intention was for Bitcoin to ever succeed. The uncertainty could potentially cause alot of chaos in the Bitcoin economy, it makes little sense to store up such a problem just so Bitcoin might one day catch on fire, for what reason? To enjoy watching it burn? Huh (<--- rhetorical question, although I have this funny feeling some joker in the pack is going to try answering it anyway Roll Eyes )
newbie
Activity: 9
Merit: 0
assuming satoshi can still move their/his coins

He can but he will not. We think that the early mined coins of Satoshi are created as a prize competition (Re: Maybe Satoshi created the greatest prize competition https://bitcointalksearch.org/topic/maybe-satoshi-created-the-greatest-prize-competition-5150688) and that Satoshi is waiting this coins to be moved. We also think that he will not respond when somebody moves the first coins but it will be a message to the Bitcoin community that the private keys are somehow on the blockchain. Satoshi could move the coins (2009/2010) to P2PKH addresses but did not.
legendary
Activity: 3430
Merit: 3080
In particular, all coins suspected to be Satoshi's are in P2PK outputs. If those moved ever, even to a different sig algo, it would cause enormous chaos.

assuming satoshi can still move their/his coins, this is a likely reason why it's not happening. Although we shouldn't discount the most conservative thing that all 2009 era mined BTC key holders could do; start by moving their BTC with the highest block number, and do it very very slowly. Satoshi could potentially do so too (we have zero clue what's going on with satoshi in so many ways), so assuming that chaos was not the intention, I expect that if those coins ever did move, that's what would happen; starting at block ~50,000, then working backwards from there.

In such a sequence of events, it could be interpreted as a signal that those early miners are losing confidence in the safety of ECDLP protected coins. Of course, those people may have other reasons to not publicly announce why they're moving to different keys (which are not necessarily anything to do with the safety of the public key cryptography), so you are indeed correct; the lack of information will cause uncertainty, and the uncertainty will rock the Bitcoin ecosystem.

I hope such people (whether satoshi or not, there are others) are reading some of these discussions (it would surely be prudent to do so). If so, I also hope they will consider a slow and orderly move to new key types, and act sooner rather than later.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
We are not expecting large QCs showing up out of nowhere, breaking sec256k1 keys in few seconds.

That's not a reasonable expectation, when you consider the range of adversaries
Yes, it is. It is how we do our job in technology fields: We study trends and speculate developments then decide. We don't take fiction about a monster that suddenly shows up with super-power, as being serious.

Hashed public keys are safe in such a transient phase and what I absolutely don't understand is why we should include a proposal about public keys being exposed for an eternity waiting for their turn to be destroyed by any innovation or technology that shows up?
That depends massively on how long this transient phase lasts.
It will be long enough: When a technology is in its infancy, i.e. it is not scalable, doubling the speed needs quadratic or higher costs, QC is in such a phase, it is definitively not scalable right now.
If a breakthrough happens in the future and scalable QC technology becomes available, it won't be commercialized for a long time because of governments and military and corporates who need it for their devious plans. It would be very unlikely to be used against the day to day bitcoin transactions. It is also worth mentioning that scalable technology needs time to mature. We are talking about a few years for the least, to be very paranoid.

The safest thing to do is as suggested in the stackexchange article: soft fork to prevent ECDSA transfers, but invoke zero knowledge proofs of BIP32 seeds to indirectly spend them to QC resistant keys.
You need a non-Interactive zero-knowledge proof protocol which is not a piece of cake, it is complicated and both time and space consuming. I don't think it will be ever used in a performance-hungry system like bitcoin. Forget about it.

maybe if you find this so compelling, you could start working on the zero-knowledge proofs to spend ECDSA outputs to QC resistant keys? Like, today for instance? (you'll be busy a while hopefully Smiley ) Won't your super coin (or is it a Bitcoin fork, I forget) need it, or will you stick with hashed public keys? We don't want to hold you back, off you go...
Why should you show your trolling face once a week to me?  Cheesy

For my line of research, the main challenge, regarding this issue, is a time&space efficient QC resistant signature algorithm which is an open problem for the whole cryptography community. Although I don't think it would be a wise decision for me to focus on such an algorithm, I wouldn't hesitate to take part and implement it in my proposal, at any point that we might have become close enough to a consensus about a superior algorithm.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
@achow101,
Above thread, I've suggested a strategy for different stages of the QC evolution it includes measures and actions to be taken:

1- Implement a new QC resistant signature and install/promote it in bitcoin.

2- starting from the p2pk group of the UTXOs, because they are the most vulnerable segment. It is mandatory for this group to migrate, If they wouldn't, their coins will be announced void after a deadline. More propaganda for convincing p2pkh owners to take actions, no obligations tho.

3- When we are closer to the doomsday, we give anybody with access to the public key behind a hashed address, a right to claim a very tiny and fixed portion of the UTXO just like a txn fee, destroying the remainder. Practically it may be just miners who take advantage of this feature, we don't care.

4- After the QC apocalyptus, we will have a percentage of untouched p2pkh addresses that their public keys are not exposed to the public. For the owners of such UTXOs, there will be still a chance to privately mine their transactions or buying such a service from a trusted pool or mining farm.

The only argument against this strategy, from your side, would be the chaos thing:
It's not even just the high proportion, it's also the visibility of some of the coins. In particular, all coins suspected to be Satoshi's are in P2PK outputs. If those moved ever, even to a different sig algo, it would cause enormous chaos. If those are stolen, there would be even more chaos. And those coins are just ~4% of the final money supply. So even if everyone else moved to non-ECDLP keys, the fact that those high profile coins are still secured by ECDLP poses a huge problem.
While I agree there will be some turbulence but I think it is too much to consider it as chaos. Prices will fluctuate but game theory will work eventually and there will be no catastrophe.

Back to taproot proposal, how do you put it in the context of such a strategy? I'm assuring you right here, right now: this is a must-go strategy.







Pages:
Jump to: