sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<gmaxwell>
I've never seen one that was suitable for production use (maybe some exist that are, but I've not seen them). Usually they're a software engineering disaster, with no comprehensive tests (or no tests at all), thoughtless layering (e.g. socket calls intermixed with bignum calculations), and little to no side-channel resistance.
<gmaxwell>
(I don't hold this against them, like 99% of what I've seen was written by academics as part of their publications, and I'm thankful they published code at all... but the code is usually more or less "what was required to write a paper on the subject" and it shows.)
<gmaxwell>
If someone finds something that actually looks nice from the perspective of production use, I'd love to hear about it.
<bsm117532>
gmaxwell: Agreed on all that. I'm trying to push the state of the art, because I fundamentally believe it will be part of this ecosystem in the future.
<gmaxwell>
Arguably the field of "what cryptosystem is best for this" isn't clear enough yet right now that it's even worth the engineering effort to create something production ready.
<gmaxwell>
like... by the time you finished it, there would be some newer hotter cryptosystem, and you'd need to start over, maybe only preserving some of the API and test design.
<bsm117532>
Agreed. And I'm even confused as to how to know when a given protocol is even a candidate for being "productionalized". The papers I've read are ridiculously complex, with a bazillion assumptions and sub-protocols. I don't think I (or anyone) can reasonably evaluate whether they're secure.
<gmaxwell>
As I was mentioning for PIR before: what I found for PIR using simple ElGamal encryptions wasn't actively secure, even where it claimed to be, and the actual properties it had didn't precisely map to what would be needed in production.
<gmaxwell>
So I suspect it'll be a lot like what we found with multisig: there is a bunch of published and folklore techniques which, if you implement them the obvious way, end up materially insecure in practice.
<bsm117532>
And that's what I love about this space. Once you put real money behind it, shit becomes real, very fast. Bitcoin is advancing cryptography in a way it couldn't without it.
<gmaxwell>
a little, I dunno, careful not to read too much into that. Like plenty of stuff gets real money put behind it and remains totally insecure for a long time. It's certainly more effective at getting it fixed than not using it at all.
<gmaxwell>
but production use alone isn't a magic elixir that makes things secure.
<bsm117532>
A refrain I keep repeating to certain teams in charge of keys...
<gmaxwell>
I think really things will be secure only if they've had conscious attention from people with the right backgrounds and perspectives... and that's more likely to happen if they're used for something actually useful. But it's certainly possible for something to be a well-engineered ship in a bottle, just as it's not uncommon for people to run into full production use with barely working disasters and pull it off for years (before all the money vanishes)
<bsm117532>
Re: "Like plenty of stuff gets real money put behind it and remains totally insecure for a long time" -- there's a number of people in this space interested in active attacks. I don't think it's morally defensible and I don't want to participate, but hedge funds are mercenaries, and they're entering the game.
<bsm117532>
Let's call it Iota for instance...
<gmaxwell>
bsm117532: It doesn't look like you can really monetize attacks much.
<gmaxwell>
short of outright ripping people off.
<bsm117532>
Shorts are available on numerous platforms like BitMex...
<gmaxwell>
but like "ha ha I made your blockchain unusable for three weeks until all users abandoned it for a hardfork that works around this attack" doesn't appear to be something you can turn into profit.
<bsm117532>
But good point. As financial infrastructure develops this becomes more of a possibility...
<gmaxwell>
because it doesn't actually drop the price
<kanzure>
sometimes it increases the price!
<gmaxwell>
what kanzure said.
<kanzure>
so you can win if you capture volatility
<gmaxwell>
yes, a straddle that predicts volatility is probably a better trade but probably still not very good.
<gmaxwell>
I'm sure we can find examples of total breaks where the price just didn't change.
<gmaxwell>
Like, _maybe_ an attack combined with a concerted marketing push.
<gmaxwell>
and doing things like paying exchanges to delist it.
<bsm117532>
I *hope* institutional traders are wiser. :-/
<gmaxwell>
bsm117532: the problem is that for 99% of cryptocurrencies (to some extent including bitcoin) people aren't actually actively using it in commerce.. so "totally busted and insecure for a couple weeks" doesn't ruin the value because "it'll get fixed".
<gmaxwell>
so we saw this with iota, for example, where its centralized signer 'coordinator' was down for what.. weeks? (days at least).
<bsm117532>
That's changing, albeit slowly.
<gmaxwell>
and I don't even think that was visible on the market feeds for it.
<kanzure>
another observation is how irrational the market is (note the value of garbage trash "crypto" projects)
<gmaxwell>
kanzure: ehhh. If your hypothesis is that the market is irrational perhaps you should consider other alternatives.
<bsm117532>
Yeah I think this is mostly driven by irrational investors who don't understand.
<kanzure>
well i struggle to justify a million spinoffs
<gmaxwell>
I think the market isn't irrational in investing in obviously broken stuff like iota, in fact. But rather the market is buying something different than what we're assuming they're buying.
* bsm117532
prices hype
<gmaxwell>
For a lot of these things the market price isn't a "this is a useful/purposeful/secure cryptocurrency" the market price is "maybe something useful will be based off the ownership of this in the future" or other similar things.
<gmaxwell>
or even "a bigger fool will buy this"
<bsm117532>
Markets generally assume price is a proxy for everything else.
<gmaxwell>
And history supports these sorts of theories.
<gmaxwell>
so for example bcash (and esp bsv) you could look at as a bet that craig wright really did create bitcoin and will eventually prove it. (among other things)
<gmaxwell>
As that sort of hedge it's radically overpriced, as far as I'm concerned but considering how many people believe it's true or at least vaguely possible, it's almost surprising how low the price is...
<kanzure>
even the greater fool theory can't support a million copycats
<bsm117532>
And price is a proxy for it. Someone else did the DD, not me.
<gmaxwell>
kanzure: well it can until there is enough, like how coingen largely killed the "take bitcoin relaunch with a premine and a new name"
<kanzure>
coingen was killed because someone acquired it and killed it
<gmaxwell>
but before coingen there was still hundreds of them.
<gmaxwell>
kanzure: it served its purpose.
<gmaxwell>
and yes, someone who'd been creating worthless altcoins bought it and let it die.
<bsm117532>
With larger investors, more of them will do due diligence.
<bsm117532>
Because no one will risk a retirement fund on this shit.
<gmaxwell>
I am not sure many people aren't doing due diligence. They're just buying something they _know_ is currently worthless.
<bsm117532>
You overestimate investor's abilities...
<Varunram>
I think people want to invest in 50 scams and hope 1 succeeds
<bsm117532>
yes
<gmaxwell>
bsm117532: I'm certantly not speaking about everyone.
<gmaxwell>
There are also a lot of really unsophisticated buyers who are duped by variance... they buy 50 scams, make 10x their money on one (which wasn't enough to offset the losses on the others, surely not net of taxes, but maybe it came close) and then they think they have a viable trading strategy until they ruin themselves.
<bsm117532>
We're about to see the same pattern repeated with the balance sheet of hedge funds instead.
<gmaxwell>
but the existence of identifiable rubes is one reason why not every participant is irrational.
<bsm117532>
What's a rube?
<gmaxwell>
bsm117532: a sucker
<gmaxwell>
(freaking wikipedia cites "the office" like it's the origin of the term, lol no.)
<nsh>
so what are the BIPs for replacing the elliptic curve component of bitcoin if a break of ECDLP looks immanent/imminent?
<nsh>
can someone moot this at one of the next conferences/symposia?
<nsh>
don't wanna be chicken little but there is now a serious chance (in my mind at least) that this is going to be a problem that has to be faced within a few years
<waxwing>
just make sure the BIP specifies that the update should not be distributed over TLS (including 1.3) ;)
<real_or_random>
nsh: there are no BIPs yet :)
* nsh
nods, smiles
<real_or_random>
it's not in the focus currently. we should work on it, at some point (tm). apparently no one has taken it seriously enough to work on it.
<nsh>
strong candidate replacement primitives are yet to emerge
<nsh>
but the ground work of considering a transition can be started imho
<real_or_random>
yes, that's another issue. see for example the NIST post-quantum competition
<nsh>
right, i half watched djb and tanja's CCC presentation
<nsh>
but there's movement now at least
<real_or_random>
it's not clear if this will be a serious issue in the next years. I guess most people (including me) assume it won't
<real_or_random>
but maybe better be safe than sorry
<nsh>
well, attack evolves faster than defence and sometimes it evolves very rapidly through a punctuated equilibrium
<nsh>
and it's better to be 10 years too safe than 1 month not safe enough
<nsh>
anything else i could say to elaborate would just make me look more crazy than i already do :)
<real_or_random>
what would be groundwork? my impression is that people are at least aware of the issue
<nsh>
decoupling addresses from pubkeys further. figuring out to what extent keyholding can be migrated to a new cryptosystem primitive
<nsh>
what happens if there has to be a suspension of the network
<nsh>
worst case scenarios for a reboot
<real_or_random>
the simplest plan is 1) introduce a post-quantum secure signature scheme and 2) hope that people transform their coins to the new scheme
<nsh>
etc.
<real_or_random>
decoupling addresses from pubkeys: I assumed you're asking because you've seen sipa's tweets? have you?
<nsh>
oh no i haven't
<nsh>
this has been on my mind for the last few months
<nsh>
for reasons i won't expand on
<nsh>
so in theory there's a hash step between privkey<->pubkey to address
<nsh>
but i don't think it's the case atm that you can't derive pubkeys from most addresses from scripts
<nsh>
this could be progressively softfork enforced though
<nsh>
(in theory there's two hash steps, even?)
<nsh>
right, so i had a look
<nsh>
and it's a lot i think
<nsh>
:(
<nsh>
.tw
<yoleaux>
1) This question was clearly a bit underspecified, as some of the more creative responses showed. Despite that, my answer is (c) 5M-10M BTC. This includes all outputs with P2PK/raw multisig outputs, plus P2PKH outputs with known pubkeys, and P2SH/P2WSH with known scripts. https://twitter.com/pwuille/status/1107720144300572672 (@pwuille)
<real_or_random>
yeah but you need to read the following tweets too
<nsh>
right, thanks
<nsh>
so let's just assume for sake of argument the hypothesis that by feb 29th next year there's a way to break ecdlp that will be within the reach of a nontrivial amount of player
<nsh>
actors/entities
<nsh>
how quickly can the network (with encouragement of keyholders) move this directly ecpubkey exposed coin to behind two hashes
<nsh>
that's my thought-experiment anyway
<nsh>
even a small but nonvanishing percentage of observed expropriation would have potentially devastating confidence consequences
<nsh>
(but conversely would spur development of transition solutions)
<nsh>
anyway i'm glad sipa picked up on the, ehm, notion
<nsh>
that's very heartening to me :)
<andytoshi>
nsh: the ecosystem is not going to move to "EC behind hashes", as sipa's analysis shows an unbelievable proportion of all EC keys have been exposed despite years of people being encouraged not to do that. and even if they did, that will not help if the timeline is 1 year because there is no way to spend those without revealing EC keys
* nsh
nods
<andytoshi>
if there were a "EC break in a year" situation there would be a softfork to add some giant hash-based signature followed by a softfork to freeze all EC keys, and it'd be a real shitshow
<nsh>
right
<nsh>
i mean this is just me throwing dates at random more or less
<andytoshi>
but there is no non-shitshow alternative right now, which is why there are no BIPs
* nsh
nods
<andytoshi>
it might be worthwhile to write a shitshow bip :) but i certainly don't feel like doing it..
<nsh>
convince some prof to set it as a class project :)
<andytoshi>
haha i can't even imagine the bikeshedding and conspiracy theories and insanely-wrong media coverage and personal attacks the proposer would get..
* nsh
nods
<nsh>
the problem is that the possibility is undeniable and (let me volunteer to be the person who looks crazy and worthy of personal attacks for a second) once the mathematics is nearly crystallised in the collective unconsciousness of humanity - ie once the 'time is ripe' for the breakthrough - then it can't be kept under wraps for very long
<nsh>
the one advantage is that the bits that might self-organise into the breakthrough are split and diffracted into a whole bunch of different partial results
<andytoshi>
sure, but it doesn't seem like a mathematical problem, but an engineering one, to get efficient QCs. and it would be really shocking and unprecedented if such an engineering challenge were surprise-solved
<nsh>
and there isn't necessarily cross talk between the people
<nsh>
oh well
<nsh>
imagine it isn't
<nsh>
just for hypothesis :)
<andytoshi>
like, imagine a classical EC break?
<nsh>
if there's something like a way to efficiently extend finite fields such that you have complex analyticity and a way to translate back efficiently onto the unextended field
<nsh>
ah it's catch-22 because i should just keep my mouth shut and everyone should just assume i have no idea what i'm rambling about
<nsh>
but do things about it anyway
<nsh>
the assumption that we need to solve very hard engineering problems may not be safe
<nsh>
is a reasonable summary
<andytoshi>
well, if there is a mathematical breakthrough and we have hours or days to react then it's game over. probably we softfork to unilaterally freeze all coins then hardfork to allow STARK-proving bip32 paths (thanks adam3us for the observation that BIP32 hardened derivation is quantum secure) or something, after multiple years of engineering work to make this possible. assuming anyone is motivated to do this
* nsh
nods
<nsh>
there could be hedging with a kind of sidechain peg that allows people to bail out of the secp256k1 at the drop of a hat / script precondition
<nsh>
so a fork-to-PQ
<nsh>
that can run alongside bitcoin and backs up the spend-authority state
<nsh>
(but would have to be voluntary participation probably)
<RubenSomsen>
Afaik p2c is quantum secure, so taproot keys could be made STARK spendable.
<sipa>
RubenSomsen: it's not :)
<sipa>
oh, it is if you disable key spending, and only allow script spending
<adiabat>
I think that's a nice transition though; have a taproot key which commits to a PQ hash based pubkey
<adiabat>
everyone keeps using the EC signing, but if there's a QC that comes out, can soft-fork to disable EC spending, and everyone's already got hash based pubkeys on their outputs
<adiabat>
(for very weak definitions of "everyone")
<RubenSomsen>
sipa: yeah I'm assuming a soft fork coin freeze to disallow key spending
<adiabat>
having a PQ pubkey in your taproot address seems like a nice thing to have as a backup, and costs nothing for verifiers, and very little for wallets / signers
<RubenSomsen>
adiabat: I believe you'd have to reveal it if you want to script spend in taproot, so maybe not ideal
<RubenSomsen>
Maybe you can add the PQ pubkey as the final spending condition in g'root... that seems to be quantum secure at first glance
<RubenSomsen>
But what I initially meant is that no special PQ pubkey would be required. The knowledge required to open the taproot commitment would be the secret that is used to spend the coins via a STARK. Ideally you'd also get the STARK to evaluate the taproot script.
<adiabat>
RubenSomsen: for taproot keys, you can spend from them with an EC signature without revealing the script, and without revealing that there even is a script
<adiabat>
so having a PQ pubkey as the whole script in a taproot key carries no additional verification cost, as long as you don't need it
<sipa>
if you need a general ZKP anyway, the signature scheme can just be the preimage of a hash
<RubenSomsen>
adiabat: agreed, it doesn't matter when you don't need the script
<RubenSomsen>
sipa: what about multisig, though? You don't want a 2-of-2 to turn into a 1-of-2.