Post 9jJN9VIbcSPyK6bGts by laurentmt@mamot.fr
(DIR) Post #9jJN9UFNWyF53o5BEO by kallewoof@mastodon.social
2019-05-29T16:13:05Z
0 likes, 0 repeats
RT @kallewoof@twitter.com @jb55@twitter.com @manfred_karrer@twitter.com @pwuille@twitter.com @Mario_Gibney@twitter.com @AaronvanW@twitter.com Only if you get the tx fees right... and only if the attacker doesn't have enough power to out-beat your confirmation time. I don't think these are solid assumptions to make. 🐦🔗: https://twitter.com/kallewoof/status/1133765561987477504
(DIR) Post #9jJN9URQo9spfBio1A by kallewoof@mastodon.social
2019-05-29T16:13:07Z
0 likes, 0 repeats
There is a more down-to-earth scenario related to this: say I create a transaction that does "CSV 2 weeks & pubkey X". I.e. in order to spend the output I have to wait 2 weeks. The reason I do this is to "freeze" some funds up, by destroying the original private key.
(DIR) Post #9jJN9UbiBw6gB4X12e by kallewoof@mastodon.social
2019-05-29T16:13:08Z
0 likes, 0 repeats
The idea here is, if someone came up to me on the street and put a gun to my head saying "send me all your bitcoins", I would actually not be able to do so without waiting 2 weeks. If everyone did this, robbers would eventually figure that out, and stop trying to rob bitcoiners.
(DIR) Post #9jJN9UsNBzQz0kKK0m by kallewoof@mastodon.social
2019-05-29T16:13:08Z
0 likes, 0 repeats
The way this works is, yes, I can broadcast that transaction, but I can't touch the output until 2 weeks later. The problem with this is obviously that they can simply ask me to hand them the private key for X, and after 2 weeks, it's a race (and they have less to lose).
(DIR) Post #9jJN9V6uJx3njp7vfM by kallewoof@mastodon.social
2019-05-29T16:13:09Z
0 likes, 0 repeats
If I manage to spend X first, I win. If they do it, they win. That's the sum of my security in this case. Not very convincing. The same goes for pubkey hashes in a QC world. They're only marginally helpful, and shouldn't be counted on for security. At all.
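The "CSV 2 weeks & pubkey X" output kallewoof describes is a script of the form `<nSequence> OP_CHECKSEQUENCEVERIFY OP_DROP <pubkey X> OP_CHECKSIG`; the relative lock-time lives in the spending input's nSequence field (BIP68) and OP_CHECKSEQUENCEVERIFY (BIP112) refuses the spend until that field is large enough. The following is an added example, not code from the thread: it encodes a two-week lock both in blocks and in 512-second units, serialises the script, and implements the BIP112 comparison the interpreter performs. The pubkey is a constructed placeholder (the secp256k1 generator) and "two weeks" is an assumed parameter.

```python
"""Added example: a CSV-locked output script and the nSequence rule that
enforces it. Illustrative code, not kallewoof's; the pubkey is constructed
(the secp256k1 generator) and 'two weeks' is an assumed parameter."""

OP_CHECKSEQUENCEVERIFY, OP_DROP, OP_CHECKSIG = 0xB2, 0x75, 0xAC

# BIP68 nSequence layout
SEQUENCE_DISABLE_FLAG = 1 << 31     # set: relative lock-time not enforced
SEQUENCE_TYPE_FLAG = 1 << 22        # set: value is in units of 512 seconds
SEQUENCE_MASK = 0xFFFF              # low 16 bits carry the value

# Constructed "pubkey X" for the example: the compressed secp256k1 generator.
PUBKEY_X = bytes.fromhex(
    "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")


def script_num(n: int) -> bytes:
    """Minimal CScriptNum encoding: little-endian, sign in the top bit."""
    if n == 0:
        return b""
    neg, n = n < 0, abs(n)
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:              # top bit already used: add a sign byte
        out.append(0x80 if neg else 0x00)
    elif neg:
        out[-1] |= 0x80
    return bytes(out)


def push(data: bytes) -> bytes:
    """Direct push opcode (1..75 bytes), enough for numbers and keys."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def relative_locktime_blocks(blocks: int) -> int:
    """nSequence value for a lock of `blocks` blocks (2016 ~ two weeks)."""
    assert 1 <= blocks <= SEQUENCE_MASK
    return blocks


def relative_locktime_seconds(seconds: int) -> int:
    """nSequence value for a time-based lock, rounded up to 512 s units."""
    units = -(-seconds // 512)
    assert 1 <= units <= SEQUENCE_MASK
    return SEQUENCE_TYPE_FLAG | units


def csv_script(nsequence: int, pubkey: bytes) -> bytes:
    """Serialise: <nSequence> CSV DROP <pubkey> CHECKSIG"""
    return (push(script_num(nsequence))
            + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP])
            + push(pubkey)
            + bytes([OP_CHECKSIG]))


def decode_nsequence(nsequence: int):
    """Human-readable view of a BIP68 value."""
    if nsequence & SEQUENCE_TYPE_FLAG:
        return "seconds", (nsequence & SEQUENCE_MASK) * 512
    return "blocks", nsequence & SEQUENCE_MASK


def csv_satisfied(script_value: int, tx_version: int, input_nsequence: int) -> bool:
    """The BIP112 check OP_CHECKSEQUENCEVERIFY applies to the spending input."""
    if script_value & SEQUENCE_DISABLE_FLAG:
        return True                 # disable flag in the script: CSV is a no-op
    if tx_version < 2:
        return False                # BIP68 semantics need tx version >= 2
    if input_nsequence & SEQUENCE_DISABLE_FLAG:
        return False                # input opted out of relative lock-time
    if (script_value & SEQUENCE_TYPE_FLAG) != (input_nsequence & SEQUENCE_TYPE_FLAG):
        return False                # blocks vs seconds must match
    return (input_nsequence & SEQUENCE_MASK) >= (script_value & SEQUENCE_MASK)


if __name__ == "__main__":
    two_weeks = relative_locktime_seconds(14 * 24 * 3600)
    print(csv_script(two_weeks, PUBKEY_X).hex())
    print(decode_nsequence(two_weeks))
    print(csv_satisfied(two_weeks, 2, two_weeks), csv_satisfied(two_weeks, 2, two_weeks - 1))
```

Note that the lock is relative to the confirmation of the funding transaction, which is exactly what makes the scheme weak against coercion: once the attacker has the key for X, both parties wait out the same two weeks and then race.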
(DIR) Post #9jJN9VIbcSPyK6bGts by laurentmt@mamot.fr
2019-05-29T16:46:39Z
0 likes, 0 repeats
@kallewoof If I'm correct, the rationale here is that the first action of an evil actor with a QC would be to destroy Bitcoin. IMHO, this hypothesis is questionable. I would even say that a smart evil actor with a QC would first try to enjoy the benefits of his new tool while staying under the radar. For example, it would be smarter to start with the hack of exchanges which frequently reuse addresses. And who is surprised by the hack of a cryptoexchange?
(DIR) Post #9jJN9VSt0EdopzPTvM by laurentmt@mamot.fr
2019-05-29T16:50:29Z
0 likes, 0 repeats
@kallewoof Let's take the example of an evil state. For sure, this evil state would be fine with a world without Bitcoin but it would be far smarter for this state to keep bitcoin running and enjoy some free money (for black ops, payment of ransoms, etc.) by hacking services or wallets which reuse addresses. It just requires some basic blockchain analysis... and a QC.
(DIR) Post #9jJN9VgMC9PtVliEvA by laurentmt@mamot.fr
2019-05-29T17:08:20Z
0 likes, 0 repeats
@kallewoof Let's also note that this strategy is a double win for an evil state. Beyond enjoying some free money, it also damages the reputation of Bitcoin ("See, this Bitcoin thing is insecure, people are always hacked", etc.). A nice way to control its spreading and to shill fiat money.
(DIR) Post #9jJN9VyR6vsWPqAg6K by htimsxela@bitcoinhackers.org
2019-05-29T18:55:56Z
1 likes, 0 repeats
@laurentmt @kallewoof I think an argument could be made that a nation capable of breaking the related encryption mechanisms using a QC might be more interested in breaking other encryption systems quietly, rather than just attacking Bitcoin. Being able to decipher all of your rival nation's communications might be worth more than siphoning some value from / destroying Bitcoin. If Bitcoin is the canary in the coal mine, the attacker would be prudent to let it live as long as possible.
(DIR) Post #9jJdkHr4ALJsblHR3I by harding@hash.social
2019-05-29T22:01:54.154491Z
0 likes, 0 repeats
@laurentmt @kallewoof I'm not an expert, but I think that, if someone is willing to sacrifice their funds, it's possible to detect theft because of a broken protocol (e.g. QC, fast classical computers, DL prob broken, etc). The trick is to create a pubkey for which it's provable that nobody should know the corresponding priv key. If funds secured by that key move, you can trustlessly prove a break. This makes it dangerous to try theft if you want to keep your QC secret.
(DIR) Post #9jJu3pMNPxWLI5GUNc by waxwing@mastodon.social
2019-05-29T23:42:21Z
1 likes, 0 repeats
@harding @laurentmt @kallewoof Well, but you'd have to luck out that the attacker happened to go after that specific output. But this nicely illustrates how badly Confidential Transactions interacts with the QC threat - if the attacker was resource constrained and only could go after one pubkey, going after H in xG + aH would yield infinite BTC from that one crack, and do so invisibly ...
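The "pubkey nobody should know the private key for" that harding proposes, and the CT generator H that waxwing points at, are both nothing-up-my-sleeve (NUMS) points: an x-coordinate is derived from a public hash and lifted onto the curve, so anyone can check that the point was not chosen by picking a secret scalar first. The block below is an added example, not code from the thread or from any CT implementation. It builds such a point on secp256k1 by try-and-increment hashing and gives the auditor-side check; the tag string is an assumed constant, and the canary itself (sending funds to the point and watching whether they move) is outside the code.

```python
"""Added example: a nothing-up-my-sleeve (NUMS) secp256k1 point, as a
QC canary key or a CT-style second generator. Illustrative code, not the
thread's; the tag string is an assumed constant."""
import hashlib

# secp256k1 field prime and curve equation y^2 = x^3 + 7
P = 2**256 - 2**32 - 977
B = 7


def _hash_x(tag: bytes, counter: int) -> int:
    return int.from_bytes(
        hashlib.sha256(tag + counter.to_bytes(4, "big")).digest(), "big")


def lift_x(x: int):
    """Return the point with this x and even y, or None if x is not on the curve."""
    if not 0 < x < P:
        return None
    rhs = (pow(x, 3, P) + B) % P
    y = pow(rhs, (P + 1) // 4, P)       # square root works because P ≡ 3 (mod 4)
    if y * y % P != rhs:
        return None                     # rhs is a non-residue: no such point
    if y & 1:
        y = P - y                       # canonical choice: even y
    return x, y


def nums_point(tag: bytes):
    """Try-and-increment hash-to-curve: x = SHA256(tag || counter).
    About half of all x values are on the curve, so few tries are needed."""
    for counter in range(256):
        pt = lift_x(_hash_x(tag, counter))
        if pt is not None:
            return pt, counter
    raise RuntimeError("no point found for tag")


def compressed(pt) -> bytes:
    """33-byte SEC encoding usable as a Bitcoin pubkey."""
    x, y = pt
    return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")


def verify_nums(pubkey: bytes, tag: bytes, counter: int) -> bool:
    """Auditor side: the x-coordinate must equal SHA256(tag || counter), the
    point must be on the curve, and every earlier counter must have failed,
    so the publisher had no freedom to pick the key."""
    if len(pubkey) != 33 or pubkey[0] not in (0x02, 0x03):
        return False
    expected = hashlib.sha256(tag + counter.to_bytes(4, "big")).digest()
    if pubkey[1:] != expected:
        return False
    if lift_x(int.from_bytes(expected, "big")) is None:
        return False
    return all(lift_x(_hash_x(tag, c)) is None for c in range(counter))


if __name__ == "__main__":
    TAG = b"qc-canary-example"          # assumed constant
    pt, counter = nums_point(TAG)
    print(compressed(pt).hex(), counter, verify_nums(compressed(pt), TAG, counter))
```

Because the discrete log of such a point is unknown to everyone, a valid signature spending from it is itself the proof of a break that harding describes. It is also why waxwing's worry about H is sharp: the same construction that makes H trustworthy against its designer makes it a single, fixed, publicly known target.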
(DIR) Post #9jJuz69NfE4Ds5Ukcq by harding@hash.social
2019-05-30T01:15:03.497968Z
0 likes, 0 repeats
@waxwing @kallewoof @laurentmt I actually wonder whether it's possible to create a public key that's valid with Bitcoin checksig but which requires much less than the normal work for someone with a QC to crack. You could then use that as an early warning system similar to Peter Todd's hash collision rewards.
(DIR) Post #9jKNkZHnx7XGYsrJuj by waxwing@mastodon.social
2019-05-30T06:12:37Z
1 likes, 0 repeats
@harding @kallewoof @laurentmt I was about to say "I doubt it because ECDLP has random self-reducibility" (crudely, if one instance of the problem is hard then it's basically always hard), but that doesn't apply if we're crafting the instance. So ... I think you could probably create a ZKP that the discrete log was constrained somehow (obvious example: range proof); what I don't know is how that impacts quantum algos (Shor specifically, I guess).
(DIR) Post #9jKNkZawnwqdWFobke by waxwing@mastodon.social
2019-05-30T06:23:37Z
1 likes, 0 repeats
@harding @kallewoof @laurentmt But even if it were possible, a publicised bounty scenario is not quite the same as "a bunch of money in a weak key set as a trap", similar to a honeypot concept. If the attacker wanted to keep it secret, he'd just leave it alone.
(DIR) Post #9jKNkZolyXuID8HeIi by harding@hash.social
2019-05-30T06:37:22.421732Z
0 likes, 0 repeats
@waxwing @laurentmt @kallewoof sure, my thinking is that, before an attacking organization can compromise 128 bit keys, they'd probably have the ability to compromise 80 bit keys for years, meaning each member of the team would need to resist the personal payout for years.
(DIR) Post #9jLaMWFP5lVIkWYhk0 by waxwing@mastodon.social
2019-05-30T07:39:09Z
1 likes, 0 repeats
@harding @laurentmt @kallewoof Understood. This looks relevant: https://twitter.com/BobMcElrath/status/1133849001881681921?s=19