- Elliptic Curve Digital Signature Algorithm - Bitcoin Wiki
- The Bitcoin Cryptography & Bitcoin Algorithm Pluralsight ...
- ASC X9 Issues New Standard for Public Key Cryptography/ECDSA
- Secp256k1 - Bitcoin Wiki
- How Does Blockchain Use Public Key Cryptography?

As requested by estradata here: https://old.reddit.com/Bitcoin/comments/iylou9/what_are_some_of_the_latest_innovations_in_the/g6heez1/

It is a general issue that crops up at the extremes of cryptography, with quantum breaks being just one of the extremes of (classical) cryptography.

## Computational vs Information-Theoretic

The dichotomy is between *computationally infeasible* vs *informationally-theoretic infeasible*. Basically:

For example, suppose you want to know what 256-bit preimages map to 256-bit hashes. In theory, you*just* need to build a table with 2^{256} entries and start from 0x0000000000000000000000000000000000000000000000000000000000000000 and so on. This is computationally infeasible, but not information-theoretic infeasible.

However, suppose you want to know what preimages, of*any* size, map to 256-bit hashes. Since the preimages can be of any size, after finishing with 256-bit preimages, you have to proceed to 257-bit preimages. And so on. And there is no size limit, so you will literally *never* finish. Even if you lived forever, you would not complete it. This is information-theoretic infeasible.

## Commitments

How does this relate to confidential transactions? Basically, every confidential transaction simply hides the value behind a homomorphic commitment. What is a homomorphic commitment? Okay, let's start with commitments. A commitment is something which lets you hide something, and later reveal what you hid. Until you reveal it, even if somebody has access to the commitment, they cannot reverse it to find out what you hid. This is called the "hiding property" of commitments. However, when you **do** reveal it (or "open the commitment"), then you cannot replace what you hid with some other thing. This is called the "binding property" of commitments.

For example, a hash of a preimage is a commitment. Suppose I want to commit to something. For example, I want to show that I can predict the future using the energy of a spare galaxy I have in my pocket. I can hide that something by hashing a description of the future. Then I can give the hash to you. You still cannot learn the future, because it's just a hash, and you can't reverse the hash ("hiding"). But suppose the future event occurs. I can reveal that I did, in fact, know the future. So I give you the description, and you hash it and compare it to the hash I gave earlier. Because of preimage resistance, I cannot retroactively change what I hid in the hash, so what I gave must have been known to me at the time that I gave you the commitment i..e. hash ("binding").

## Homomorphic Commitments

A *homomorphic* commitment simply means that if I can do certain operations on preimages of the commitment scheme, there are certain operations on the commitments that would create similar ("homo") changes ("morphic") to the commitments. For example, suppose I have a magical function h() which is a homomorphic commitment scheme. It can hide very large (near 256-bit) numbers. Then if h() is homomorphic, there may be certain operations on numbers behind the h() that have homomorphisms after the h(). For example, I might have an operation <+> that is homomorphic in h() on +, or in other words, if I have two large numbers a and b, then h(a + b) = h(a) <+> h(b). + and <+> are different operations, but they are homomorphic to each other.

For example, elliptic curve scalars and points have homomorphic operations. Scalars (private keys) are "just" very large near-256-bit numbers, while points are a scalar times a standard generator point G. Elliptic curve operations exist where there is a <+> between points that is homomorphic on standard + on scalars, and a <*> between a scalar and a point that is homomorphic on standard * multiplication on scalars.

For example, suppose I have two large scalars a and b. I can use elliptic curve points as a commitment scheme: I can take a <*> G to generate a point A. It is hiding since nobody can learn what a is unless I reveal it (a and A can be used in standard ECDSA private-public key cryptography, with the scalar a as the private key and the point A as the public key, and the a cannot be derived even if somebody else knows A). Thus, it is hiding. At the same time, for a particular point A and standard generator point G, there is only one possible scalar a which when "multiplied" with G yields A. So scalars and elliptic curve points are a commitment scheme, with both hiding and binding properties.

Now, as mentioned there is a <+> operation on points that is homomorphic to the + operation on corresponding scalars. For example, suppose there are two scalars a and b. I can compute (a + b) <*> G to generate a particular point. But even if I don't know scalars a and b, but I do know*points* A = a <*> G and B = b <*> G, then I can use A <+> B to derive (a + b) <*> G (or equivalently, (a <*> G) <+> (b <*> G) == (a + b) <*> G). This makes points a homomorphic commitment scheme on scalars.

## Confidential Transactions: A Sketch

This is useful since we can easily use the near-256-bit scalars in SECP256K1 elliptic curves to easily represent values in a monetary system, and hide those values by using a homomorphic commitment scheme. We can use the hiding property to prevent people from learning the values of the money we are sending and receiving.

Now, in a proper cryptocurrency, a normal, non-coinbase transaction does not create or destroy coins: the values of the input coins are equal to the value of the output coins. We can use a*homomorphic* commitment scheme. Suppose I have a transaction that consumes an input value a and creates two output values b and c. That is, a = b + c, i.e. the sum of all inputs a equals the sum of all outputs b and c. But remember, with a homomorphic commitment scheme like elliptic curve points, there exists a <+> operation on points that is homomorphic to the ordinary school-arithmetic + addition on large numbers. So, confidential transactions can use points a <*> G as input, and points b <*> G and c <*> G as output, and we can easily prove that a <*> G = (b <*> G) <+> (c <*> G) if a = b + c, without revealing a, b, or c to anyone.

## Pedersen Commitments

Actually, we cannot just use a <*> G as a commitment scheme in practice. Remember, Bitcoin has a cap on the number of satoshis ever to be created, and it's less than 2^{53} satoshis, which is fairly trivial. I can easily compute all values of a <*> G for all values of a from 0 to 2^{53} and know which a <*> G corresponds to which actual amount a. So in confidential transactions, we cannot naively use a <*> G commitments, we need Pedersen commitments.

If you know what a "salt" is, then Pedersen commitments are fairly obvious. A "salt" is something you add to e.g. a password so that the hash of the password is much harder to attack. Humans are idiots and when asked to generate passwords, will output a password that takes less than 2^{30} possibilities, which is fairly easy to grind. So what you do is that you "salt" a password by prepending a random string to it. You then hash the random string + password, and store the random string --- the salt --- together with the hash in your database. Then when somebody logs in, you take the password, prepend the salt, hash, and check if the hash matches with the in-database hash, and you let them log in. Now, with a hash, even if somebody copies your password database, the can't get the password. They're hashed. But with a salt, even techniques like rainbow tables make a hacker's life even harder. They can't hash a possible password and check every hash in your db for something that matches. Instead, if they get a possible password, they have to prepend *each* salt, hash, then compare. That greatly increases the computational needs of a hacker, which is why salts are good.

What a Pedersen commitment is, is a point a <*> H, where a is the actual value you commit to, plus <+> another point r <*> G. H here is a second standard generator point, different from G. The r is the salt in the Pedersen commitment. It makes it so that even if you show (a <*> H) <+> (r <*> G) to somebody, they can't grind all possible values of a and try to match it with your point --- they*also* have to grind r (just as with the password-salt example above). And r is much larger, it can be a true near-256-bit number that is the range of scalars in SECP256K1, whereas a is constrained to "reasonable" numbers of satoshi, which cannot exceed 21 million Bitcoins.

Now, in order to validate a transaction with input a and outputs b and c, you only have to prove a = b + c. Suppose we are hiding those amounts using Pedersen commitments. You have an input of amount a, and you know a and r. The blockchain has an amount (a <*> H) <+> (r <*> G). In order to create the two outputs b and c, you just have to create two new r scalars such that r = r[0] + r[1]. This is trivial, you just select a new random r[0] and then compute r[1] = r - r[0], it's just basic algebra.

Then you create a transaction consuming the input (a <*> H) <+> (r <*> G) and outputs (b <*> H) <+> (r[0] <*> G) and (c <*> H) <+> (r[1] <*> G). You know that a = b + c, and r = r[0] + r[1], while fullnodes around the world, who don't know any of the amounts or scalars involved, can just take the points (a <*> H) <+> (r <*> G) and see if it equals (b <*> H) <+> (r[0] <*> G) <+> (c <*> H) <+> (r[1] <*> G). That is all that fullnodes have to validate, they just need to perform <+> operations on points and comparison on points, and from there they validate transactions, all without knowing the actual values involved.

## Computational Binding, Information-Theoretic Hiding

Like all commitments, Pedersen Commitments are binding and hiding.

However, there are really two kinds of commitments:

*what* got hidden behind the commitment.

But why?

Now, we have been using a and a <*> G as private keys and public keys in ECDSA and Schnorr. There is an operation <*> on a scalar and a point that generates another point, but we cannot "revrese" this operation. For example, even if I know A, and know that A = a <*> G, but do not know a, I cannot derive a --- there is no operation between A G that lets me know a.

Actually there is: I "just" need to have so much time, space, and energy that I just start counting a from 0 to 2^{256} and find *which* a results in A = a <*> G. This is a computational limit: I don't have a spare universe in my back pocket I can use to do all those computations.

Now, replace a with h and A with H. Remember that Pedersen commitments use a "second" standard generator point. The generator points G and H are "not really special" --- they are just random points on the curve that we selected and standardized. There is no operation H G such that I can learn h where H = h <*> G, though if I happen to have a spare universe in my back pocket I can "just" brute force it.

Suppose I*do* have a spare universe in my back pocket, and learn h = H G such that H = h <*> G. What can I do in Pedersen commitments?

Well, I have an amount a that is committed to by (a <*> H) <+> (r <*> G). But I happen to know h! Suppose I want to double my money a without involving Elon Musk. Then:

**That** is what we mean by computationally binding: if I can compute h such that H = h <*> G, then I can find another number which opens the same commitment. And of course I'd make sure that number is much larger than what I originally had in that address!

Now, the*reason* why it is "only" computationally binding is that it is information-theoretically hiding. Suppose somebody knows h, but has no money in the cryptocurrency. All they see are points. They can try to find what the original amounts are, but because any amount can be mapped to "the same" point with knowledge of h (e.g. in the above, a and 2 * a got mapped to the same point by "just" replacing the salt r with r - a * h; this can be done for 3 * a, 4 * a etc.), they cannot learn historical amounts --- the a in historical amounts could be *anything*.

The drawback, though, is that --- as seen above --- arbitrary inflation is now introduced once somebody knows h. They can multiply their money by any arbitrary factor with knowledge of h.

It is impossible to have*both* perfect hiding (i.e. historical amounts remain hidden even after a computational break) *and* perfect binding (i.e. you can't later open the commitment to a different, much larger, amount).

Pedersen commitments just happen to have perfect hiding, but only computationally-infeasible binding. This means they allow hiding historical values, but in case of anything that allows better computational power --- including*but not limited to* quantum breaks --- they allow arbitrary inflation.

## Changing The Tradeoffs with ElGamal Commitments

An ElGamal commitment is just a Pedersen commitment, but with the point r <*> G also stored in a separate section of the transaction.

This commits the r, and fixes it to a specific value. This prevents me from opening my (a <*> H) <+> (r <*> G) as ((2 * a) <*> H) <+> ((r - a * h) <*> G), because the (r - a * h) would not match the r <*> G sitting in a separate section of the transaction. This forces me to be bound to that specific value, and no amount of computation power will let me escape --- it is information-theoretically binding i.e. perfectly binding.

But that is now computationally hiding. An evil surveillor with arbitrary time and space can focus on the r <*> G sitting in a separate section of the transaction, and grind r from 0 to 2^{256} to determine what r matches that point. Then from there, they can negate r to get (-r) <*> G and add it to the (a <*> H) <+> (r <*> G) to get a <*> H, and *then* grind that to determine the value a. With massive increases in computational ability --- including *but not limited to* quantum breaks --- an evil surveillor can see all the historical amounts of confidential transactions.

## Conclusion

This is the source of the tradeoff: either you design confidential transactions so in case of a quantum break, historical transactions continue to hide their amounts, but inflation of the money is now unavoidable, OR you make the money supply sacrosanct, but you potentially sacrifice amount hiding in case of some break, including but not limited to quantum breaks.

submitted by almkglor to Bitcoin [link] [comments]
It is a general issue that crops up at the extremes of cryptography, with quantum breaks being just one of the extremes of (classical) cryptography.

- Something is
*computationally infeasible*if it could in theory be done, but you would not be able to build a practical computer to do it within the age of the universe and using only the power available in just one galaxy or thereabouts. - Something is
*informationally-theoretic infeasible*if even if you had any arbitrarily large amount of time, space, and energy, you cannot do it.

For example, suppose you want to know what 256-bit preimages map to 256-bit hashes. In theory, you

However, suppose you want to know what preimages, of

For example, a hash of a preimage is a commitment. Suppose I want to commit to something. For example, I want to show that I can predict the future using the energy of a spare galaxy I have in my pocket. I can hide that something by hashing a description of the future. Then I can give the hash to you. You still cannot learn the future, because it's just a hash, and you can't reverse the hash ("hiding"). But suppose the future event occurs. I can reveal that I did, in fact, know the future. So I give you the description, and you hash it and compare it to the hash I gave earlier. Because of preimage resistance, I cannot retroactively change what I hid in the hash, so what I gave must have been known to me at the time that I gave you the commitment i..e. hash ("binding").

For example, elliptic curve scalars and points have homomorphic operations. Scalars (private keys) are "just" very large near-256-bit numbers, while points are a scalar times a standard generator point G. Elliptic curve operations exist where there is a <+> between points that is homomorphic on standard + on scalars, and a <*> between a scalar and a point that is homomorphic on standard * multiplication on scalars.

For example, suppose I have two large scalars a and b. I can use elliptic curve points as a commitment scheme: I can take a <*> G to generate a point A. It is hiding since nobody can learn what a is unless I reveal it (a and A can be used in standard ECDSA private-public key cryptography, with the scalar a as the private key and the point A as the public key, and the a cannot be derived even if somebody else knows A). Thus, it is hiding. At the same time, for a particular point A and standard generator point G, there is only one possible scalar a which when "multiplied" with G yields A. So scalars and elliptic curve points are a commitment scheme, with both hiding and binding properties.

Now, as mentioned there is a <+> operation on points that is homomorphic to the + operation on corresponding scalars. For example, suppose there are two scalars a and b. I can compute (a + b) <*> G to generate a particular point. But even if I don't know scalars a and b, but I do know

Now, in a proper cryptocurrency, a normal, non-coinbase transaction does not create or destroy coins: the values of the input coins are equal to the value of the output coins. We can use a

If you know what a "salt" is, then Pedersen commitments are fairly obvious. A "salt" is something you add to e.g. a password so that the hash of the password is much harder to attack. Humans are idiots and when asked to generate passwords, will output a password that takes less than 2

What a Pedersen commitment is, is a point a <*> H, where a is the actual value you commit to, plus <+> another point r <*> G. H here is a second standard generator point, different from G. The r is the salt in the Pedersen commitment. It makes it so that even if you show (a <*> H) <+> (r <*> G) to somebody, they can't grind all possible values of a and try to match it with your point --- they

Now, in order to validate a transaction with input a and outputs b and c, you only have to prove a = b + c. Suppose we are hiding those amounts using Pedersen commitments. You have an input of amount a, and you know a and r. The blockchain has an amount (a <*> H) <+> (r <*> G). In order to create the two outputs b and c, you just have to create two new r scalars such that r = r[0] + r[1]. This is trivial, you just select a new random r[0] and then compute r[1] = r - r[0], it's just basic algebra.

Then you create a transaction consuming the input (a <*> H) <+> (r <*> G) and outputs (b <*> H) <+> (r[0] <*> G) and (c <*> H) <+> (r[1] <*> G). You know that a = b + c, and r = r[0] + r[1], while fullnodes around the world, who don't know any of the amounts or scalars involved, can just take the points (a <*> H) <+> (r <*> G) and see if it equals (b <*> H) <+> (r[0] <*> G) <+> (c <*> H) <+> (r[1] <*> G). That is all that fullnodes have to validate, they just need to perform <+> operations on points and comparison on points, and from there they validate transactions, all without knowing the actual values involved.

However, there are really two kinds of commitments:

- computationally binding, information-theoretic hiding
- information-theoretic binding, computationally hiding

But why?

Now, we have been using a and a <*> G as private keys and public keys in ECDSA and Schnorr. There is an operation <*> on a scalar and a point that generates another point, but we cannot "revrese" this operation. For example, even if I know A, and know that A = a <*> G, but do not know a, I cannot derive a --- there is no operation between A G that lets me know a.

Actually there is: I "just" need to have so much time, space, and energy that I just start counting a from 0 to 2

Now, replace a with h and A with H. Remember that Pedersen commitments use a "second" standard generator point. The generator points G and H are "not really special" --- they are just random points on the curve that we selected and standardized. There is no operation H G such that I can learn h where H = h <*> G, though if I happen to have a spare universe in my back pocket I can "just" brute force it.

Suppose I

Well, I have an amount a that is committed to by (a <*> H) <+> (r <*> G). But I happen to know h! Suppose I want to double my money a without involving Elon Musk. Then:

- (a <*> H) <+> (r <*> G)
- == (a <*> (h <*> G)) <+> (r <*> G)
- == ((a * h) <*> G) <+> (r <*> G); remember, <*> is
*also*homomorphic on multiplication *. - == ((a * h + a * h - a * h) <*> G) <+> (r <*> G); just add 0.
- == ((a * h + a * h) <*> G) <+> ((-a * h) <*> G) <+> (r <*> G)
- == ((2 * a * h) <*> G) <+> ((r - a * h) <*> G)
- == ((2 * a) <*> (h <*> G)) <+> ((r - a * h) <*> G)
- == ((2 * a) <*> H) <+> ((r - a * h) <*> G); TADA!! I doubled my money!

Now, the

The drawback, though, is that --- as seen above --- arbitrary inflation is now introduced once somebody knows h. They can multiply their money by any arbitrary factor with knowledge of h.

It is impossible to have

Pedersen commitments just happen to have perfect hiding, but only computationally-infeasible binding. This means they allow hiding historical values, but in case of anything that allows better computational power --- including

This commits the r, and fixes it to a specific value. This prevents me from opening my (a <*> H) <+> (r <*> G) as ((2 * a) <*> H) <+> ((r - a * h) <*> G), because the (r - a * h) would not match the r <*> G sitting in a separate section of the transaction. This forces me to be bound to that specific value, and no amount of computation power will let me escape --- it is information-theoretically binding i.e. perfectly binding.

But that is now computationally hiding. An evil surveillor with arbitrary time and space can focus on the r <*> G sitting in a separate section of the transaction, and grind r from 0 to 2

Announcing v0.4.0 releases of these RustCrypto elliptic curve crates:

The major notable new features in these releases are:

# Elliptic Curve Diffie-Hellman

Key exchange protocol which establishes a shared secret between two parties.

# Elliptic Curve Digital Signature Algorithm

Pervasively used public-key scheme for authenticating messages.

# Notes on this release

These crates contain *experimental* pure Rust implementations of scalafield arithmetic for the respective elliptic curves (secp256k1, NIST P-256). These implementations are new, unaudited, and haven't received much public scrutiny. We have explicitly labeled them as being at a "USE AT YOUR OWN RISK" level of maturity.

That said, these implementations utilize the best modern practices for this class of elliptic curves (complete projective formulas providing constant time scalar multiplication).

In particular:

*EDIT: the version in the title is incorrect. The correct version is v0.4.0, unfortunately the title cannot be edited.*

submitted by bascule to rust [link] [comments]
- k256: secp256k1 (as used by Bitcoin, Ethereum, etc)
- GitHub: https://github.com/RustCrypto/elliptic-curves/tree/mastek256
- crates.io: https://crates.io/crates/k256
- docs.rs: https://docs.rs/k256/

- p256: NIST P-256 (as used by SSL/TLS, Bluetooth, etc)
- GitHub: https://github.com/RustCrypto/elliptic-curves/tree/mastep256
- crates.io: https://crates.io/crates/p256
- docs.rs: https://docs.rs/p256/

The major notable new features in these releases are:

- k256 docs (secp256k1)
- p256 docs (NIST P-256)
- Generic implementation

That said, these implementations utilize the best modern practices for this class of elliptic curves (complete projective formulas providing constant time scalar multiplication).

In particular:

- The k256 crate now implements optimized "lazy" field arithmetic based on the bitcoin-core/secp256k1 C library optimized for both 32-bit and 64-bit architectures.
- The p256 crate includes sidechannel-resistant scalar arithmetic optimized for creating signatures on embedded platforms and presently provides 64-bit scalafield arithmetic.

So over a lunch conversation with a nocoiner I got what i thought sounded like a far fetched conspiracy theory, went a little like this... "Mmm yeah I reckon the NSA has a backdoor code that would allow them access to any private key simply by looking at the public key" ... I'm used to the "Bitcoin will be hacked" arguement but this seems to be on a different level.

Thoughts? It's a new one for me for sure and not sure how to answer it....

submitted by hungdoge to Bitcoin [link] [comments]
Thoughts? It's a new one for me for sure and not sure how to answer it....

Good day, the price is going up to 0.3USDT.

ABCMint Second Foundation

ABCMint has been a first third-party organization that focuses on post-quantum cryptography research and technology and aims to help improve the ecology of ABCMint technology since 2018.

https://abcmintsf.com

https://abcmintsf.com/exchange

What is ABCMint?

ABCMint is a quantum resistant cryptocurrency with the Rainbow Multivariable Polynomial Signature Scheme.

Cryptocurrencies and blockchain technology have attracted a significant amount of attention since 2009. While some cryptocurrencies, including Bitcoin, are used extensively in the world, these cryptocurrencies will eventually become obsolete and be replaced when the quantum computers avail. For instance, Bitcoin uses the elliptic curved signature (ECDSA). If a bitcoin user?s public key is exposed to the public chain, the quantum computers will be able to quickly reverse-engineer the private key in a short period of time. It means that should an attacker decide to use a quantum computer to decrypt ECDSA, he/she will be able to use the bitcoin in the wallet.

The ABCMint Foundation has improved the structure of the special coin core to resist quantum computers, using the Rainbow Multivariable Polynomial Signature Scheme, which is quantum resisitant, as the core. This is a fundamental solution to the major threat to digital money posed by future quantum computers. In addition, the ABCMint Foundation has implemented a new form of proof of arithmetic (mining) "ABCardO" which is different from Bitcoin?s arbitrary mining. This algorithm is believed to be beneficial to the development of the mathematical field of multivariate.

Rainbow Signature - the quantum resistant signature based on Multivariable Polynomial Signature Scheme

Unbalanced Oil and Vinegar (UOV) is a multi-disciplinary team of experts in the field of oil and vinegar. One of the oldest and most well researched signature schemes in the field of variable cryptography. It was designed by J. Patarin in 1997 and has withstood more than two decades of cryptanalysis. The UOV scheme is a very simple, smalls and fast signature. However, the main drawback of UOV is the large public key, which will not be conducive to the development of block practice technology.

The rainbow signature is an improvement on the oil and vinegar signature which increased the efficiency of unbalanced oil and vinegar. The basic concept is a multi-layered structure and generalization of oil and vinegar.

PQC - Post Quantum Cryptography

The public key cryptosystem was a breakthrough in modern cryptography in the late 1970s. It has become an increasingly important part of our cryptography communications network over The Internet and other communication systems rely heavily on the Diffie-Hellman key exchange, RSA encryption, and the use of the DSA, ECDSA or related algorithms for numerical signatures. The security of these cryptosystems depends on the difficulty level of number theory problems such as integer decomposition and discrete logarithm problems. In 1994, Peter Shor demonstrated that quantum computers can solve all these problems in polynomial time, which made this security issue related to the cryptosystems theory irrelevant. This development is known as the "post-quantum cryptography" (PQC)

In August 2015, the U.S. National Security Agency (NSA) released an announcement regarding its plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals for quantum-resistant algorithms. The deadline was November 30, 2017, which also included the rainbow signatures used for ABCMint.

submitted by WrapBeautiful to ABCMint [link] [comments]

ABCMint Second Foundation

ABCMint has been a first third-party organization that focuses on post-quantum cryptography research and technology and aims to help improve the ecology of ABCMint technology since 2018.

https://abcmintsf.com

https://abcmintsf.com/exchange

What is ABCMint?

ABCMint is a quantum resistant cryptocurrency with the Rainbow Multivariable Polynomial Signature Scheme.

Cryptocurrencies and blockchain technology have attracted a significant amount of attention since 2009. While some cryptocurrencies, including Bitcoin, are used extensively in the world, these cryptocurrencies will eventually become obsolete and be replaced when the quantum computers avail. For instance, Bitcoin uses the elliptic curved signature (ECDSA). If a bitcoin user?s public key is exposed to the public chain, the quantum computers will be able to quickly reverse-engineer the private key in a short period of time. It means that should an attacker decide to use a quantum computer to decrypt ECDSA, he/she will be able to use the bitcoin in the wallet.

The ABCMint Foundation has improved the structure of the special coin core to resist quantum computers, using the Rainbow Multivariable Polynomial Signature Scheme, which is quantum resisitant, as the core. This is a fundamental solution to the major threat to digital money posed by future quantum computers. In addition, the ABCMint Foundation has implemented a new form of proof of arithmetic (mining) "ABCardO" which is different from Bitcoin?s arbitrary mining. This algorithm is believed to be beneficial to the development of the mathematical field of multivariate.

Rainbow Signature - the quantum resistant signature based on Multivariable Polynomial Signature Scheme

Unbalanced Oil and Vinegar (UOV) is a multi-disciplinary team of experts in the field of oil and vinegar. One of the oldest and most well researched signature schemes in the field of variable cryptography. It was designed by J. Patarin in 1997 and has withstood more than two decades of cryptanalysis. The UOV scheme is a very simple, smalls and fast signature. However, the main drawback of UOV is the large public key, which will not be conducive to the development of block practice technology.

The rainbow signature is an improvement on the oil and vinegar signature which increased the efficiency of unbalanced oil and vinegar. The basic concept is a multi-layered structure and generalization of oil and vinegar.

PQC - Post Quantum Cryptography

The public key cryptosystem was a breakthrough in modern cryptography in the late 1970s. It has become an increasingly important part of our cryptography communications network over The Internet and other communication systems rely heavily on the Diffie-Hellman key exchange, RSA encryption, and the use of the DSA, ECDSA or related algorithms for numerical signatures. The security of these cryptosystems depends on the difficulty level of number theory problems such as integer decomposition and discrete logarithm problems. In 1994, Peter Shor demonstrated that quantum computers can solve all these problems in polynomial time, which made this security issue related to the cryptosystems theory irrelevant. This development is known as the "post-quantum cryptography" (PQC)

In August 2015, the U.S. National Security Agency (NSA) released an announcement regarding its plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals for quantum-resistant algorithms. The deadline was November 30, 2017, which also included the rainbow signatures used for ABCMint.

'''

As the world’s leading regulatory compliant digital asset exchange, Coinbase sets one of the most stringent requirements for digital asset listing which includes technical evaluation of projects, legal and risk analysis, market supply and demand analysis, and crypto-economics. Coinbase holds a strong reputation in the digital asset industry, and thus the “Coinbase Standard” is considered as the industry benchmark for other digital asset projects, and the market has even seen the “Coinbase effect”.

On July 25 2020, Coinbase quietly launched the pricing chart of a decentralized oracle project, NEST Protocol (NEST), into its portal. Although Coinbase has yet to announce the inclusion of the project in its evaluation list, it represents a keen interest in the DeFi sector, and particularly in the DeFi price oracle projects.

NEST Protocol is the rising star in the decentralized price oracle sector

Decentralized financial services offered by the current mainstream DeFi platforms such as MakerDAO, Compound, dYdX, etc. rely heavily on the market data provided by the oracle projects. Oracle projects act as reliable information sources to feed these price data to other DeFi Projects, connecting the price data from the centralized world to the DeFi space. As such, the price oracle is an integral part of the decentralized financial services infrastructure.

Traditionally, the price oracle collects data from different platforms and feeds these data points to the DeFi space to create data reference points to enable them to function properly. However, many problems currently exist in the DeFi space, for example, blockchain network congestion, malicious attacks, wild market fluctuations, and other factors that may cause the data given by the price oracle to deviate from the true market data. These ultimately cause users to trade on wrong information in the DeFi space and increases such transaction costs.

Decentralized finance requires a fast, secure, and reliable price oracle. The birth of the decentralized price oracle is the embodiment of the blockchain industry’s thinking, and the current market projects offering decentralized price oracle services which includes NEST Protocol, Chainlink, Band Protocol, Tellor, Witness, Oraclize, and many others.

The innovation of NEST-Price is that every data point has been agreed upon by market validators, in line with the blockchain consensus mechanism. NEST-Price synchronizes the off-chain price in a highly decentralized manner, creating real and valid price data on-chain. This is the unique differentiator between NEST-Price and other price oracles.

Compared with other price oracle projects, NEST also has other features and advantages, such as the proposed peer-to-peer quotation matching as well as its unique verifier verification structure, making NEST more resilient to malicious attacks, resulting in a more decentralized network, and it’s on-chain prices closer to the fair market price. All of this has resulted in the NEST Protocol becoming a rising star in the DeFi price oracle sector. HBTC.com selects high-quality projects to list and partnering with NEST to promote the development of DeFi ecosystem

During the selection of quality assets, exchanges like [HBTC.com]^{1} and Coinbase adhere to the principle of a rigorous selection of assets from different projects to enable a proper range of digital assets. At the same time, in order to solve existing pain points in the digital asset industry, which currently lacks a market-making management solution, HBTC.com also has launched its own “coin listing crowdsourcing [liquidity initiative]^{2} “, redefining the exchange market making model.

HBTC.com, through its coin listing strategy, effectively reduces the problem of low liquidity in the early stages of high-quality projects, ensuring the smoothness of the user experience, and achieves a win-win situation for traders, the community, and the respective trading platform. These initiatives, coupled with reliable user protection and a responsible attitude, have earned a positive reputation among users.

Since its inception, the HBTC.com exchange has been committed to the discovery of both quality and promising digital asset projects. At a time when DeFi is growing rapidly, HBTC.com has a unique perspective for the decentralized price oracle sector and has prioritized NEST as a premium partner to debut the project alongside with its global branding upgrade. In addition, HBTC.com has [100% proof of reserves]^{3} for traders to validate the existence of assets via the Merkle tree, which brings transparency to the extreme.

In May 2020, NEST token delivered a 883.29% of return, at its peak, after its global debut on HBTC.com. At present, HBTC Exchange addresses holding NEST token accounts in a total of 141 million, ranked first in the overall network. At the same time, the HBTC Exchange network exclusively releases NEST staking mining and data show that NEST 24-hour turnover has reached $20.4 million.

Post-listing of the NEST token, HBTC.com has also listed DeFi projects such as DF, OKS, NEST, SWTH, JST, NVT, and other DeFi projects with market potential; some projects have achieved astonishing performance in the secondary market.

HBTC.com’s path to DeFi: developing public chains to prepare for the future ecosystem breakout.

In terms of the DeFi product and ecosystem infrastructure, HBTC has deployed HBTC Chain since launched in 2018, an infrastructure designed for decentralized finance and DeFi business with patented Bluehelix decentralized cross-chain clearing and custody technology.

The HBTC Chain is the DeFi ecosystem infrastructure that the team has spent a significant amount of effort to build. It is based on decentralization and community consensus and integrates cryptography and blockchain technologies to support decentralized association-based governance capabilities at the technical level. Based on decentralized key management, combining various cryptography tools including ECDSA, commitment, zero-knowledge proof, and multi-party computation, It implements the distributed private key generation and signature for cross-chain assets among all validators. On top of that, this technology can realize light-weight and non-intrusive cross-chain asset custody. On the clearing layer, HBTC Chain employs BHPOS consensus and horizontal sharding mechanisms to achieve high-performing transaction clearing, and implementation of OpenDex protocol to help the development of the DeFi ecosystem.

In addition, with the success experience of Bluehelix Cloud SaaS and white label solutions and the HBTC Brokerage system, HBTC’s public chain also innovatively supports CEX+DEX mixed matchmaking model and OpenDex protocol and proposes the three-tier node system which consists of standard node + consensus node + core node. This structure provides HBTC public chain certain advantages in terms of performance and cross-chain transactions. Users can easily establish a DEX with OpenDex protocol at nearly zero cost, and all DEX will share the liquidity and support customized user interface and trading parameters. The trading experience can be completely comparable to centralized spot exchanges.

With the launch of its test network, it is now possible to develop various DeFi applications on the HBTC public chain, such as decentralized swap, so that private keys are not controlled by any party; no KYC, which can prevent personal information leakage; and asset security through the setting of invalidation, cancellation of transactions and other functions, cross-chain asset mappings, such as the ability to issue cross-chain cBTC or other chain tokens, fully decentralized asset mapping contracts, and 100% reserves.

Conclusion

In the past few months, the DeFi market has been extremely active, the price of DeFi tokens has been rising, and a new round of competition with the centralized exchanges has started. HBTC Chain relies on the powerful technology of Bluehelix and [HBTC.com]^{1} , giving all public chains the ability to interconnect, and put into both DeFi and SaaS levels. Undoubtedly, as one of the first exchanges to build the DeFi ecosystem, HBTC is leading the breakout in the current DeFi craze and has now become the first choice of users to engage with quality DeFi projects.

From BITCOIN news([[link]^{6} )

'''

Building the Infrastructure for the Future Decentralized Financial Market, Coinbase Included HBTC.Com Debut DeFi Project - Nest Protocol

Go1dfish undelete link

unreddit undelete link

Author: Nest_Fan

1: *btc*com/ 2: m*diu**com/hbt***ficia*/hbt*-launches-ba**liquidi*y***owd*unding-li*ti*g-plan-redefine-t*e*exch*nge-*i*tin**m*d*l***6*58f*f1d* 3: hbtc.ze**e*k*co*/hc/*n-us/a**icles/3***46287754-HBT*-10*-*ro***of*Reserve 4: hb*c.co*/ 5: n*ws.bitcoin.c*m*bu*ld*ng-t**-infr***ructur*-f*r-the*fut*re*decen**ali**d-*inanc*a*-market-coi**as*-*ncluded-h*t*-*o*-*ebut-de**-p*oject-n*st-**otocol* 6: n**s.bit*oin*com/building-th*-infrast*u*ture*for-t*e-fut****decen**a**zed**inancia*-m*rket-coinbase-**c*uded-*b*c-c***deb***defi-**oject-*est**r**ocol/]^^5

Unknown links are censored to prevent spreading illicit content.

submitted by removalbot to removalbot [link] [comments]
As the world’s leading regulatory compliant digital asset exchange, Coinbase sets one of the most stringent requirements for digital asset listing which includes technical evaluation of projects, legal and risk analysis, market supply and demand analysis, and crypto-economics. Coinbase holds a strong reputation in the digital asset industry, and thus the “Coinbase Standard” is considered as the industry benchmark for other digital asset projects, and the market has even seen the “Coinbase effect”.

On July 25 2020, Coinbase quietly launched the pricing chart of a decentralized oracle project, NEST Protocol (NEST), into its portal. Although Coinbase has yet to announce the inclusion of the project in its evaluation list, it represents a keen interest in the DeFi sector, and particularly in the DeFi price oracle projects.

NEST Protocol is the rising star in the decentralized price oracle sector

Decentralized financial services offered by the current mainstream DeFi platforms such as MakerDAO, Compound, dYdX, etc. rely heavily on the market data provided by the oracle projects. Oracle projects act as reliable information sources to feed these price data to other DeFi Projects, connecting the price data from the centralized world to the DeFi space. As such, the price oracle is an integral part of the decentralized financial services infrastructure.

Traditionally, the price oracle collects data from different platforms and feeds these data points to the DeFi space to create data reference points to enable them to function properly. However, many problems currently exist in the DeFi space, for example, blockchain network congestion, malicious attacks, wild market fluctuations, and other factors that may cause the data given by the price oracle to deviate from the true market data. These ultimately cause users to trade on wrong information in the DeFi space and increases such transaction costs.

Decentralized finance requires a fast, secure, and reliable price oracle. The birth of the decentralized price oracle is the embodiment of the blockchain industry’s thinking, and the current market projects offering decentralized price oracle services which includes NEST Protocol, Chainlink, Band Protocol, Tellor, Witness, Oraclize, and many others.

The innovation of NEST-Price is that every data point has been agreed upon by market validators, in line with the blockchain consensus mechanism. NEST-Price synchronizes the off-chain price in a highly decentralized manner, creating real and valid price data on-chain. This is the unique differentiator between NEST-Price and other price oracles.

Compared with other price oracle projects, NEST also has other features and advantages, such as the proposed peer-to-peer quotation matching as well as its unique verifier verification structure, making NEST more resilient to malicious attacks, resulting in a more decentralized network, and it’s on-chain prices closer to the fair market price. All of this has resulted in the NEST Protocol becoming a rising star in the DeFi price oracle sector. HBTC.com selects high-quality projects to list and partnering with NEST to promote the development of DeFi ecosystem

During the selection of quality assets, exchanges like [HBTC.com]

HBTC.com, through its coin listing strategy, effectively reduces the problem of low liquidity in the early stages of high-quality projects, ensuring the smoothness of the user experience, and achieves a win-win situation for traders, the community, and the respective trading platform. These initiatives, coupled with reliable user protection and a responsible attitude, have earned a positive reputation among users.

Since its inception, the HBTC.com exchange has been committed to the discovery of both quality and promising digital asset projects. At a time when DeFi is growing rapidly, HBTC.com has a unique perspective for the decentralized price oracle sector and has prioritized NEST as a premium partner to debut the project alongside with its global branding upgrade. In addition, HBTC.com has [100% proof of reserves]

In May 2020, NEST token delivered a 883.29% of return, at its peak, after its global debut on HBTC.com. At present, HBTC Exchange addresses holding NEST token accounts in a total of 141 million, ranked first in the overall network. At the same time, the HBTC Exchange network exclusively releases NEST staking mining and data show that NEST 24-hour turnover has reached $20.4 million.

Post-listing of the NEST token, HBTC.com has also listed DeFi projects such as DF, OKS, NEST, SWTH, JST, NVT, and other DeFi projects with market potential; some projects have achieved astonishing performance in the secondary market.

HBTC.com’s path to DeFi: developing public chains to prepare for the future ecosystem breakout.

In terms of the DeFi product and ecosystem infrastructure, HBTC has deployed HBTC Chain since launched in 2018, an infrastructure designed for decentralized finance and DeFi business with patented Bluehelix decentralized cross-chain clearing and custody technology.

The HBTC Chain is the DeFi ecosystem infrastructure that the team has spent a significant amount of effort to build. It is based on decentralization and community consensus and integrates cryptography and blockchain technologies to support decentralized association-based governance capabilities at the technical level. Based on decentralized key management, combining various cryptography tools including ECDSA, commitment, zero-knowledge proof, and multi-party computation, It implements the distributed private key generation and signature for cross-chain assets among all validators. On top of that, this technology can realize light-weight and non-intrusive cross-chain asset custody. On the clearing layer, HBTC Chain employs BHPOS consensus and horizontal sharding mechanisms to achieve high-performing transaction clearing, and implementation of OpenDex protocol to help the development of the DeFi ecosystem.

In addition, with the success experience of Bluehelix Cloud SaaS and white label solutions and the HBTC Brokerage system, HBTC’s public chain also innovatively supports CEX+DEX mixed matchmaking model and OpenDex protocol and proposes the three-tier node system which consists of standard node + consensus node + core node. This structure provides HBTC public chain certain advantages in terms of performance and cross-chain transactions. Users can easily establish a DEX with OpenDex protocol at nearly zero cost, and all DEX will share the liquidity and support customized user interface and trading parameters. The trading experience can be completely comparable to centralized spot exchanges.

With the launch of its test network, it is now possible to develop various DeFi applications on the HBTC public chain, such as decentralized swap, so that private keys are not controlled by any party; no KYC, which can prevent personal information leakage; and asset security through the setting of invalidation, cancellation of transactions and other functions, cross-chain asset mappings, such as the ability to issue cross-chain cBTC or other chain tokens, fully decentralized asset mapping contracts, and 100% reserves.

Conclusion

In the past few months, the DeFi market has been extremely active, the price of DeFi tokens has been rising, and a new round of competition with the centralized exchanges has started. HBTC Chain relies on the powerful technology of Bluehelix and [HBTC.com]

From BITCOIN news([[link]

'''

Building the Infrastructure for the Future Decentralized Financial Market, Coinbase Included HBTC.Com Debut DeFi Project - Nest Protocol

Go1dfish undelete link

unreddit undelete link

Author: Nest_Fan

1: *btc*com/ 2: m*diu**com/hbt***ficia*/hbt*-launches-ba**liquidi*y***owd*unding-li*ti*g-plan-redefine-t*e*exch*nge-*i*tin**m*d*l***6*58f*f1d* 3: hbtc.ze**e*k*co*/hc/*n-us/a**icles/3***46287754-HBT*-10*-*ro***of*Reserve 4: hb*c.co*/ 5: n*ws.bitcoin.c*m*bu*ld*ng-t**-infr***ructur*-f*r-the*fut*re*decen**ali**d-*inanc*a*-market-coi**as*-*ncluded-h*t*-*o*-*ebut-de**-p*oject-n*st-**otocol* 6: n**s.bit*oin*com/building-th*-infrast*u*ture*for-t*e-fut****decen**a**zed**inancia*-m*rket-coinbase-**c*uded-*b*c-c***deb***defi-**oject-*est**r**ocol/]^^5

Unknown links are censored to prevent spreading illicit content.

Of all the options available at that time, he chose the one that met these criteria: Elliptic Curve Digital Signature Algorithm, or ECDSA.

At that time, native support for ECDSA was provided in OpenSSL, an open set of encryption tools developed by experienced cipher banks in order to increase the confidentiality of online communications. Compared to other popular schemes, ECDSA had such advantages as:

- Low demand for computing resources;
- Short key lengths.

ECDSA has two separate procedures for signing and verifying. Each procedure is an algorithm consisting of several arithmetic operations. The signature algorithm uses the private key, and the verification algorithm uses only the public key.

To use ECDSA, such protocol as Bitcoin must fix a set of parameters for the elliptic curve and its finite field, so that all users of the protocol know and apply these parameters. Otherwise, everyone will solve their own equations, which will not converge with each other, and they will never agree on anything.

For all these parameters, Bitcoin uses very, very large (well, awesomely incredibly huge) numbers. It is important. In fact, all practical applications of ECDSA use huge numbers. After all, the security of this algorithm relies on the fact that these values are too large to pick up a key with a simple brute force. The 384-bit ECDSA key is considered safe enough for the NSA's most secretive government service (USA).

Schnorr's signature takes the process of using “keys” to a new level. It takes only 64 bytes when it gets into the block, which reduces the space occupied by transactions by 4%. Since transactions with the Schnorr signature are the same size, this makes it possible to pre-calculate the total size of the part of the block that contains such signatures. A preliminary calculation of the block size is the key to its safe increase in the future.

Keep up with the news of the crypto world at CoinJoy.io Follow us on Twitter and Medium. Subscribe to our YouTube channel. Join our Telegram channel. For any inquiries mail us at [[email protected]](mailto:[email protected]).

Of all the options available at that time, he chose the one that met these criteria: Elliptic Curve Digital Signature Algorithm, or ECDSA.

At that time, native support for ECDSA was provided in OpenSSL, an open set of encryption tools developed by experienced cipher banks in order to increase the confidentiality of online communications. Compared to other popular schemes, ECDSA had such advantages as:

- Low demand for computing resources;
- Short key lengths.

ECDSA has two separate procedures for signing and verifying. Each procedure is an algorithm consisting of several arithmetic operations. The signature algorithm uses the private key, and the verification algorithm uses only the public key.

To use ECDSA, such protocol as Bitcoin must fix a set of parameters for the elliptic curve and its finite field, so that all users of the protocol know and apply these parameters. Otherwise, everyone will solve their own equations, which will not converge with each other, and they will never agree on anything.

For all these parameters, Bitcoin uses very, very large (well, awesomely incredibly huge) numbers. It is important. In fact, all practical applications of ECDSA use huge numbers. After all, the security of this algorithm relies on the fact that these values are too large to pick up a key with a simple brute force. The 384-bit ECDSA key is considered safe enough for the NSA's most secretive government service (USA).

Schnorr's signature takes the process of using “keys” to a new level. It takes only 64 bytes when it gets into the block, which reduces the space occupied by transactions by 4%. Since transactions with the Schnorr signature are the same size, this makes it possible to pre-calculate the total size of the part of the block that contains such signatures. A preliminary calculation of the block size is the key to its safe increase in the future.

Keep up with the news of the crypto world at CoinJoy.io Follow us on Twitter and Medium. Subscribe to our YouTube channel. Join our Telegram channel. For any inquiries mail us at [[email protected]](mailto:[email protected]).

As can be read in this article. Although quantum supremacy simply means that at least 1 specific problem has been proven to be solved by a quantum computer that can't be solved (in a realistic timeframe) by any existing classical computer, it is a very important milestone. Many have been skeptical on crossing this milestone at all.

Supremacy does not mean that current cryptography is at risk tomorrow. It does however prove quantum computing is real, and has advantage over classical computers in certain tasks as has always been thought. For blockchain this means that in the future, Shor's algorithm could be used to break ECDSA, the signature scheme that is used in most blockchain. This signature scheme can be upgraded to a quantum resistant signature scheme. It does come with specific challenges though. As opposed to banks, websites, government systems, email services etc, blockchain is decentralized. That makes the following challenges exclusive blockchain challenges:

Blockchains that implement quantum resistance from the very beginning, from genesis block, will not face these challenges. See for example QRL which has launched over a year ago.

submitted by QRCollector to CryptoCurrency [link] [comments]
Supremacy does not mean that current cryptography is at risk tomorrow. It does however prove quantum computing is real, and has advantage over classical computers in certain tasks as has always been thought. For blockchain this means that in the future, Shor's algorithm could be used to break ECDSA, the signature scheme that is used in most blockchain. This signature scheme can be upgraded to a quantum resistant signature scheme. It does come with specific challenges though. As opposed to banks, websites, government systems, email services etc, blockchain is decentralized. That makes the following challenges exclusive blockchain challenges:

- QR crypto will influence performance of current blockchains
- There is no drop in replacement.
- Consensus will be needed. However consensus on the result (quantum resistance) will be a given, the consensus on how to reach this and when to implement is not going to be a smooth process due to the fact different schemes and ways of implementation are possible.
- User migration. All users need to migrate their coins to new QR addresses. If this is not done by the full 100% of all users, a certain % of the circulating supply will stay vulnerable to hacks. Such a hack will influence the value of all coins, including the ones on QR addresses.
- Lost addresses. These are addresses nobody has access to. Like the Satoshi addresses (which have full published public keys) and all addresses of which people have lost their private keys. These will stay vulnerable for ever.
- Time factor. More on the timeframe on upgrading existing cryptocurrencies here. (To make a complete and realistic estimate of the expected timeline for upgrading and migration we use Mosca’s theorem of risk determination.)

Blockchains that implement quantum resistance from the very beginning, from genesis block, will not face these challenges. See for example QRL which has launched over a year ago.

As the Bitcoin hash rate reaches new all-time highs, there’s never been a better time to discuss blockchain security and its relation to the hashing power and the Proof of Work (PoW) that feed the network. The Bitcoin system is based on a form of decentralized trust, heavily relying on cryptography. This makes its blockchain highly secure and able to be used for financial transactions and other operations requiring a trustless ledger. submitted by BlockDotCo to u/BlockDotCo [link] [comments] Far from popular belief, cryptography dates back to thousands of years ago. The same root of the word encryption — crypt — comes from the Greek word ‘kryptos’, meaning hidden or secret. Indeed, humans have always wanted to keep some information private. The Assyrians, the Chinese, the Romans, and the Greeks, they all tried over the centuries to conceal some information like trade deals or manufacturing secrets by using symbols or ciphers carved in stone or leather. In 1900 BC, Egyptians used hieroglyphics and experts often refer to them as the first example of cryptography.Back to our days, Bitcoin uses cryptographic technologies such as: - Cryptographic hash functions (i.e. SHA-256 and RIPEMD-160)
- Public Key Cryptography (i.e. ECDSA — the Elliptic Curve Digital Signature Algorithm)
hash function is a mathematical function that verifies the integrity of data by transforming it into a unique unidentifiable code.Here is a graphic example to make things more clear: – Extract from the MOOC (Massive Open Online Course) in Digital Currencies at the University of Nicosia. Furthermore, hash functions are used as part of the PoW algorithm, which is a prominent part of the Bitcoin mining algorithm and this is what is of more interest to understand the security of the network. Mining creates new bitcoins in each block, almost like a central bank printing new money and creates trust by ensuring that transactions are confirmed only when enough computational power is devoted to the block that contains them. More blocks mean more computation, which means more trust.With PoW, miners compete against each other to complete transactions on the network and get rewarded. Basically they need to solve a complicated mathematical puzzle and a possibility to easily prove the solution. The more hashing power, the higher the chance to resolve the puzzle and therefore perform the proof of work. In more simple words, bitcoins exist thanks to a peer to peer network that helps validate transactions in the ledger and provides enough trust to avoid that a third party is involved in the process. It also exists because miners give it life by resolving that computational puzzle, through the mining reward incentive they are receiving. For more info, contact Block.co directly or email at [email protected].Tel +357 70007828Get the latest from Block.co, like and follow us on social media:✔️YouTube ✔️Medium ✔️Telegram ✔️GitHub |

The family of public-key cryptosystems, a fundamental breakthrough in modern cryptography in the late 1970s, has increasingly become a part of our communication networks over the last three decades. The Internet and other communication systems rely principally on the Diffie-Hellman key exchange, RSA encryption, and digital signatures using DSA, ECDSA, or related algorithms. The security of these cryptosystems depends on the difficulty of number theory problems such as Integer Factorization and the Discrete Log Problem. In 1994, Peter Shor showed that quantum computers could solve each of these problems in polynomial time, thus rendering the security of all cryptosystems based on such assumptions impotent. In the academic world, this new science bears the moniker Post-Quantum Cryptography (PQC).

In August 2015, the National Security Agency (NSA) published an online announcement stating a plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals of quantum resistant algorithms with a deadline of November 30th 2017.

In light of the threat that quantum computers pose to cryptosystems such as RSA and ECC, the once-distant need to develop and deploy quantum-resistant technologies is quickly becoming a reality. Cryptocurrencies like Bitcoin are new financial instruments which are created to make financial transactions more efficient, cheaper, and decentralized. Their fundamental building blocks are cryptographic algorithms such as ECC digital signatures which are used to perform various functions to ensure the integrity and security of the whole system. However, the use of ECC signatures and other similar cryptographic algorithms means that quantum computing could pose a fatal threat to the security of existing cryptocurrencies, which deploy number theory-based public key cryptosystems extensively.

The mission of the ABCMint Foundation is to successfully develop quantum-resistant blockchain technology. We also look to promote and support fundamental research for quantum computing technology and post-quantum algorithms.

submitted by prelude406 to ABCardO_PQC [link] [comments]
In August 2015, the National Security Agency (NSA) published an online announcement stating a plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals of quantum resistant algorithms with a deadline of November 30th 2017.

In light of the threat that quantum computers pose to cryptosystems such as RSA and ECC, the once-distant need to develop and deploy quantum-resistant technologies is quickly becoming a reality. Cryptocurrencies like Bitcoin are new financial instruments which are created to make financial transactions more efficient, cheaper, and decentralized. Their fundamental building blocks are cryptographic algorithms such as ECC digital signatures which are used to perform various functions to ensure the integrity and security of the whole system. However, the use of ECC signatures and other similar cryptographic algorithms means that quantum computing could pose a fatal threat to the security of existing cryptocurrencies, which deploy number theory-based public key cryptosystems extensively.

The mission of the ABCMint Foundation is to successfully develop quantum-resistant blockchain technology. We also look to promote and support fundamental research for quantum computing technology and post-quantum algorithms.

OK, I keep reading about people worried that being able to break encryption really well, an ability that will get easier and easier as time passes, will destroy and put an end to Bitcoin.

So how exactly does this happen? Is it because people will easily be able to break passwords and get into peoples accounts? because it seems that the entire internet economy would be screwed if there really wasn't a solution to this.

Or is it that their ability to mine on the network or reverse transactions and split the chain etc would be easier to accomplish? It seems that even if you had a lot of power its only relative to the rest of the network, because they would, as I see it, simply be fighting other computers for the validity of any transactions. That makes me think that no matter how powerful the computers get, as long as most of the processing is put toward the correct chain it doesn't really change anything.

My problem is that a lot of people act as if there is some master Bitcoin code that, if cracked, could just make it not function anymore... but it doesn't really seem that way to me. Could anyone clarify exactly how and why being able to break encryption is bad specifically for Bitcoin, and/or if its just bad for everything?

My Theoretical solution for Super Secure passwords: So thinking about this got me brainstorming... couldn't you use an entire image as a "password." Simply use all the information stored in the image as the encryption key. Then you could have 1,000 or 10,000 bit keys without even thinking about it. And then you just need the image or whatever file you use as your "key" on you when you log in.

Anyway, just thought that might be neat.

submitted by FreeToEvolve to Bitcoin [link] [comments]
So how exactly does this happen? Is it because people will easily be able to break passwords and get into peoples accounts? because it seems that the entire internet economy would be screwed if there really wasn't a solution to this.

Or is it that their ability to mine on the network or reverse transactions and split the chain etc would be easier to accomplish? It seems that even if you had a lot of power its only relative to the rest of the network, because they would, as I see it, simply be fighting other computers for the validity of any transactions. That makes me think that no matter how powerful the computers get, as long as most of the processing is put toward the correct chain it doesn't really change anything.

My problem is that a lot of people act as if there is some master Bitcoin code that, if cracked, could just make it not function anymore... but it doesn't really seem that way to me. Could anyone clarify exactly how and why being able to break encryption is bad specifically for Bitcoin, and/or if its just bad for everything?

My Theoretical solution for Super Secure passwords: So thinking about this got me brainstorming... couldn't you use an entire image as a "password." Simply use all the information stored in the image as the encryption key. Then you could have 1,000 or 10,000 bit keys without even thinking about it. And then you just need the image or whatever file you use as your "key" on you when you log in.

Anyway, just thought that might be neat.

Is this possible?

Would it break bitcoin?

submitted by AintNoFortunateSon to Bitcoin [link] [comments]
Would it break bitcoin?

The previous parts will give you usefull basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.

Part 1, what makes blockchain reliable?

Part 2, The mathematical concepts Hashing and Public key cryptography.

Part 3, Quantum resistant blockchain vs Quantum computing.

Part 4A, The advantages of quantum resistance from genesis block, A

Part 4B, The advantages of quantum resistance from genesis block, A

**Why BTC is vulnerable for quantum attacks sooner than you would think.**

Content:

**The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”**

**Already exposed public keys.**

**Hijacking transactions.**

**Hijacks during blocktime**

**Hijacks pre-blocktime.**

**MITM attacks**

**- Why BTC is vulnerable for quantum attacks sooner than you would think. -**

Blockchain transactions are secured by public-private key cryptography. The keypairs used today will be at risk when quantum computers reach a certain critical level: Quantum computers can at a certain point of development, derive private keys from public keys. See for more sourced info on this subject in part 3. So if a public key can be obtained by an attacker, he can then use a quantum computer to find the private key. And as he has both the public key and the private key, he can control and send the funds to an address he owns.

Just to make sure there will be no misconceptions: When public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, this will be an issue for all blockchains who don't use quantum resistant cryptography. The reason this article is about BTC is because I take this paper as a reference point: https://arxiv.org/pdf/1710.10377.pdf Here they calculate an estimate when BTC will be at risk while taking the BTC blocktime as the window of opportunity.

**The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”**

In pretty much every discussion I've read and had on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as a send-to address. So in theory, all funds are registered on the chain on hashed public keys instead of to the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, therefore there is no risk that a quantum computer can derive the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from will be registered in full form in the blockchain. So if you were to only send part of your funds, leaving the rest on the old address, your remaining funds would be on a published public key, and therefore vulnerable to quantum attacks. So the workaround would be to transfer the remaining funds, within the same transaction, to a new address. In that way, your funds would be once again registered on the blockchain on a hashed public key instead of a full, original public key.

If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way:

You control your funds through your public- private key pair. Your funds are registered on your public key. And you can create transactions, which you need to sign to be valid. You can only create a signature if you have your private key. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. So the analogy is, that if you got your address and your password, then you can access your mail and send emails (Transactions). If the right quantum computer would be available, people could use that to calculate your password (private key), if they have your email address (public key).

Now, because BTC doesn’t show your full public key anywhere until you make a transaction. That sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. Here is a short explanation of what a hash is: a hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output; but every time you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain, they are registered on "G".

So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to.

As said before: since it is, even for a quantum computer, impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as the public key is only registered in hashed form. The obvious safe method would be, never to reuse an address, and always make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant, if used correctly. This, however, is not as simple as it seems. Even though the above is correct, there is a way to get to your funds.

**Already exposed public keys.**

But before we get to that, there is another point that is often overlooked: Not only is the security of your personal BTC is important, but also the security of funds of other users. If others got hacked, the news of the hack itself and the reaction of the market to that news, would influence the marketprice. Or, if a big account like the Satoshi account were to be hacked and dumped, the dump itself, combined with the news of the hack, could be even worse. An individual does not have the control of other people’s actions. So even though one might make sure his public key is only registered in hashed form, others might not do so, or might no know their public key is exposed. There are several reasons why a substantial amount of addresses actually have exposed full public keys:

**Hijacking transactions.**

But even if you consider the above an acceptable risk, just because you yourself will make sure you never reuse an address, then still, the fact that only the hashed public key is published until you make a transaction is a false sense of security. It only works, if you never make a transaction. Why? Public keys are revealed while making a transaction, so transactions can be hijacked while being made.

Here it is important to understand two things:

**1.) How is a transaction sent?**

The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address.

When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender.

That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the address the funds will be transferred to (depending on the blockchain this could be the hashed public key, or the original public key of the address the funds will be transferred to). This package also carries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightful owner and you can send funds from that public key.

Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity”, because the sender proofs he is the rightful owner by adding the signature that corresponds with the public key. And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.

**2.) How is a transaction confirmed/ fulfilled and registered on the blockchain?**

After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.

If we process the information written above, we will see that there are two moments where you can actually see the public key, while the transaction is not fulfilled and registered on the blockchain yet.

1: during the time the transaction is sent from the sender to the nodes

2: during the time the nodes verify the transaction. (The blocktime)

**Hijacks during blocktime**

This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else’s address and send his coins to an address you own during moment 2: the time the nodes verify the transaction:

https://arxiv.org/pdf/1710.10377.pdf

"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." (Page 8, point 3.)

So this means that BTC obviously is not a quantum secure blockchain. Because as soon as you will touch your funds and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.

**Hijacks pre-blocktime.**

The story doesn't end here. The paper doesn't describe the posibility of a pre-blocktime hijack.

So back to the paper: as explained, while making a transaction your public key is exposed for at least the transaction time. This transaction time is 10 minutes where your transaction is being confirmed during the 10 minute block time. That is the period where your public key is visible and where, as described in the paper, a transaction can be hijacked, and by using quantum computers, a forged transaction can be made. So the critical point is determined to be the moment where quantum computers can derive private keys from public keys within 10 minutes. Based on that 10 minute period, they calculate (estimate) how long it will take before QC's start forming a threat to BTC. (“ By our most optimistic estimates, as early as 2027 a quantum computer could exist that can break the elliptic curve signature scheme in less than 10 minutes, the block time used in Bitcoin.“ This is also shown in figure 4 on page 10 and later more in depth calculated in appendix C, where the pessimistic estimate is around 2037.) But you could extend that 10 minutes through network based attacks like DDoS, BGP routing attacks, NSA Quantum Insert, Eclipse attacks, MITM attacks or anything like that. (And I don’t mean you extend the block time by using a network based attack, but you extend the time you have access to the public key before the transaction is confirmed.) Bitcoin would be earlier at risk than calculated in this paper.

Also other Blockchains with way shorter block times imagine themselves safe for a longer period than BTC, but with this extension of the timeframe within which you can derive the private key, they too will be vulnerable way sooner.

Not so long ago an eclipse attack demonstrated it could have done the trick. and here Causing the blockchain to work over max capacity, means the transactions will be waiting to be added to a block for a longer time. This time needs to be added on the blocktime, expanding the period one would have time to derive the private key from the public key.

That seems to be fixed now, but it shows there are always new attacks possible and when the incentive is right (Like a few billion $ kind of right) these could be specifically designed for certain blockchains.

**MITM attacks**

An MITM attack could find the public key in the first moment the public key is exposed. (During the time the transaction is sent from the sender to the nodes) So these transactions that are sent to the network, contain public keys that you could intercept. So that means that if you intercept transactions (and with that the private keys) and simultaneously delay their arrival to the blockchain network, you create extra time to derive the private key from the public key using a quantum computer. When you done that, you send a transaction of your own before the original transaction has arrived and is confirmed and send funds from that stolen address to an address of your choosing. The result would be that you have an extra 10, 20, 30 minutes (or however long you can delay the original transactions), to derive the public key. This can be done without ever needing to mess with a blockchain network, because the attack happens outside the network. Therefore, slower quantum computers form a threat. Meaning that earlier models of quantum computers can form a threat than they assume now.

When MITM attacks and hijacking transactions will form a threat to BTC, other blockchains will be vulnerable to the same attacks, especially MITM attacks. There are ways to prevent hijacking after arrival at the nodes. I will elaborate on that in the next article. At this point of time, the pub key would be useless to an attacker due to the fact there is no quantum computer available now. Once a quantum computer of the right size is available, it becomes a problem. For quantum resistant blockchains this is differetn. MITM attacks and hijacking is useless to quantum resistant blockchains like QRL and Mochimo because these projects use quantum resistant keys.

submitted by QRCollector to CryptoTechnology [link] [comments]
Part 1, what makes blockchain reliable?

Part 2, The mathematical concepts Hashing and Public key cryptography.

Part 3, Quantum resistant blockchain vs Quantum computing.

Part 4A, The advantages of quantum resistance from genesis block, A

Part 4B, The advantages of quantum resistance from genesis block, A

Content:

Blockchain transactions are secured by public-private key cryptography. The keypairs used today will be at risk when quantum computers reach a certain critical level: Quantum computers can at a certain point of development, derive private keys from public keys. See for more sourced info on this subject in part 3. So if a public key can be obtained by an attacker, he can then use a quantum computer to find the private key. And as he has both the public key and the private key, he can control and send the funds to an address he owns.

Just to make sure there will be no misconceptions: When public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, this will be an issue for all blockchains who don't use quantum resistant cryptography. The reason this article is about BTC is because I take this paper as a reference point: https://arxiv.org/pdf/1710.10377.pdf Here they calculate an estimate when BTC will be at risk while taking the BTC blocktime as the window of opportunity.

In pretty much every discussion I've read and had on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as a send-to address. So in theory, all funds are registered on the chain on hashed public keys instead of to the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, therefore there is no risk that a quantum computer can derive the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from will be registered in full form in the blockchain. So if you were to only send part of your funds, leaving the rest on the old address, your remaining funds would be on a published public key, and therefore vulnerable to quantum attacks. So the workaround would be to transfer the remaining funds, within the same transaction, to a new address. In that way, your funds would be once again registered on the blockchain on a hashed public key instead of a full, original public key.

If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way:

You control your funds through your public- private key pair. Your funds are registered on your public key. And you can create transactions, which you need to sign to be valid. You can only create a signature if you have your private key. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. So the analogy is, that if you got your address and your password, then you can access your mail and send emails (Transactions). If the right quantum computer would be available, people could use that to calculate your password (private key), if they have your email address (public key).

Now, because BTC doesn’t show your full public key anywhere until you make a transaction. That sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. Here is a short explanation of what a hash is: a hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output; but every time you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain, they are registered on "G".

So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to.

As said before: since it is, even for a quantum computer, impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as the public key is only registered in hashed form. The obvious safe method would be, never to reuse an address, and always make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant, if used correctly. This, however, is not as simple as it seems. Even though the above is correct, there is a way to get to your funds.

But before we get to that, there is another point that is often overlooked: Not only is the security of your personal BTC is important, but also the security of funds of other users. If others got hacked, the news of the hack itself and the reaction of the market to that news, would influence the marketprice. Or, if a big account like the Satoshi account were to be hacked and dumped, the dump itself, combined with the news of the hack, could be even worse. An individual does not have the control of other people’s actions. So even though one might make sure his public key is only registered in hashed form, others might not do so, or might no know their public key is exposed. There are several reasons why a substantial amount of addresses actually have exposed full public keys:

- Only unused addresses are quantum secure, but in reality, there are a lot of people, who reuse addresses. (To clarify: with unused I mean an address that has only been used to deposit money
**on**, and not used to make transactions**from**. Because if you make a deposit, your public key stays hidden, but if you make a transaction from that address to another address, your public key will be revealed.) - Bitcoin transactions with P2PK UTXOs, so these are the addresses from the period that public keys were not hashed, but published in full. (about 1.77 million BTC fall into this category) (https://eprint.iacr.org/2018/213.pdf p. 7) This includes the Satoshi funds.
- Bitcoin users publishing their public key on a Bitcoin fork, e.g. Bitcoin Cash [1] or Bitcoin Gold [2]. (https://eprint.iacr.org/2018/213.pdf p. 7)
- Any other revealing of public keys, such as part of signed messages to ensure integrity, in forums, or in payment channels (e.g. Lightning Network [51]). (https://eprint.iacr.org/2018/213.pdf p. 7)

But even if you consider the above an acceptable risk, just because you yourself will make sure you never reuse an address, then still, the fact that only the hashed public key is published until you make a transaction is a false sense of security. It only works, if you never make a transaction. Why? Public keys are revealed while making a transaction, so transactions can be hijacked while being made.

Here it is important to understand two things:

The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address.

When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender.

That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the address the funds will be transferred to (depending on the blockchain this could be the hashed public key, or the original public key of the address the funds will be transferred to). This package also carries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightful owner and you can send funds from that public key.

Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity”, because the sender proofs he is the rightful owner by adding the signature that corresponds with the public key. And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.

After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.

If we process the information written above, we will see that there are two moments where you can actually see the public key, while the transaction is not fulfilled and registered on the blockchain yet.

1: during the time the transaction is sent from the sender to the nodes

2: during the time the nodes verify the transaction. (The blocktime)

This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else’s address and send his coins to an address you own during moment 2: the time the nodes verify the transaction:

https://arxiv.org/pdf/1710.10377.pdf

"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." (Page 8, point 3.)

So this means that BTC obviously is not a quantum secure blockchain. Because as soon as you will touch your funds and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.

The story doesn't end here. The paper doesn't describe the posibility of a pre-blocktime hijack.

So back to the paper: as explained, while making a transaction your public key is exposed for at least the transaction time. This transaction time is 10 minutes where your transaction is being confirmed during the 10 minute block time. That is the period where your public key is visible and where, as described in the paper, a transaction can be hijacked, and by using quantum computers, a forged transaction can be made. So the critical point is determined to be the moment where quantum computers can derive private keys from public keys within 10 minutes. Based on that 10 minute period, they calculate (estimate) how long it will take before QC's start forming a threat to BTC. (“ By our most optimistic estimates, as early as 2027 a quantum computer could exist that can break the elliptic curve signature scheme in less than 10 minutes, the block time used in Bitcoin.“ This is also shown in figure 4 on page 10 and later more in depth calculated in appendix C, where the pessimistic estimate is around 2037.) But you could extend that 10 minutes through network based attacks like DDoS, BGP routing attacks, NSA Quantum Insert, Eclipse attacks, MITM attacks or anything like that. (And I don’t mean you extend the block time by using a network based attack, but you extend the time you have access to the public key before the transaction is confirmed.) Bitcoin would be earlier at risk than calculated in this paper.

Also other Blockchains with way shorter block times imagine themselves safe for a longer period than BTC, but with this extension of the timeframe within which you can derive the private key, they too will be vulnerable way sooner.

Not so long ago an eclipse attack demonstrated it could have done the trick. and here Causing the blockchain to work over max capacity, means the transactions will be waiting to be added to a block for a longer time. This time needs to be added on the blocktime, expanding the period one would have time to derive the private key from the public key.

That seems to be fixed now, but it shows there are always new attacks possible and when the incentive is right (Like a few billion $ kind of right) these could be specifically designed for certain blockchains.

An MITM attack could find the public key in the first moment the public key is exposed. (During the time the transaction is sent from the sender to the nodes) So these transactions that are sent to the network, contain public keys that you could intercept. So that means that if you intercept transactions (and with that the private keys) and simultaneously delay their arrival to the blockchain network, you create extra time to derive the private key from the public key using a quantum computer. When you done that, you send a transaction of your own before the original transaction has arrived and is confirmed and send funds from that stolen address to an address of your choosing. The result would be that you have an extra 10, 20, 30 minutes (or however long you can delay the original transactions), to derive the public key. This can be done without ever needing to mess with a blockchain network, because the attack happens outside the network. Therefore, slower quantum computers form a threat. Meaning that earlier models of quantum computers can form a threat than they assume now.

When MITM attacks and hijacking transactions will form a threat to BTC, other blockchains will be vulnerable to the same attacks, especially MITM attacks. There are ways to prevent hijacking after arrival at the nodes. I will elaborate on that in the next article. At this point of time, the pub key would be useless to an attacker due to the fact there is no quantum computer available now. Once a quantum computer of the right size is available, it becomes a problem. For quantum resistant blockchains this is differetn. MITM attacks and hijacking is useless to quantum resistant blockchains like QRL and Mochimo because these projects use quantum resistant keys.

The previous parts will give you usefull basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.

Part 1, what makes blockchain reliable?

Part 2, The mathematical concepts Hashing and Public key cryptography.

Part 3, Quantum resistant blockchain vs Quantum computing.

Part 4A, The advantages of quantum resistance from genesis block, A

Part 4B, The advantages of quantum resistance from genesis block, A

Part 5, Why BTC is vulnerable for quantum attacks sooner than you would think.

**Failing shortcuts in an attempt to accomplish Quantum Resistance**

Content:

**Hashing public keys**

**“Instant” transactions**

**FIFO**

**Standardized fees**

**Multicast**

**Timestamped transactions**

Change my mind: If a project doesn't use a Quantum Resistant signature scheme, it is not 100% Quantum Resistant.

Here are some of the claims regarding Quantum Resistance without the use of a quantum resistant signature scheme that I have come across so far. For every claim, I give arguments to substantiate why these claims are incorrect.

The most famous blockchain to use hashed public keys is Bitcoin. Transactions can be hijacked during the period a user sends a transaction from his or her device to the blockchain and the moment a transaction is confirmed. For example: during Bitcoins 10 minute blockchain, the full public keys can be obtained to find private keys and forge transactions. Page 8, point 3 Hashing public keys does have advantages: they are smaller than the original public keys. So it does save space on the blockchain. It doesn't give you Quantum Resistance however. That is a misconception.

However, when there is high transaction density, transactions can be stuck in the pool for a while. During this period the transactions are published and the full public keys can be obtained. Just as with the previous hijacking example, a transaction can be forged in that period of time. It can be done when the blockchain functions normally, and whenever the maximum capacity is exceeded, the window of opportunity grows for hackers.

Besides the risk that rush hours would bring by extending the time to work with the public key and forge transactions, there are network based attacks that could serve the same purpose: slow the confirmation time and create a bigger window to forge transactions. These types are attacks where the attacker targets the network instead of the sender of the transaction: Performing a DDoS attack or BGP routing attack or NSA Quantum Insert attack on a peer-to-peer network would be hard. But when provided with an opportunity to earn billions, hackers would find a way.

For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/

For BTC: https://eprint.iacr.org/2015/263.pdf

An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain.

That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do.

This specific example seems to be fixed now, but it most definitely shows there is a risk of other variations to be created. Keep in mind, before this variation of attack was known, the common opinion was that it was impossible. With little incentive to create such an attack, it might take a while until another one is developed. But when the possession of full public keys equals the possibility to forge transactions, all of a sudden billions are at stake.

Only quantum resistant signature schemes will secure blockchain to quantum hacks. Every blockchain will need their users to communicate their public key to the blockchain to authenticate signatures and make transactions. There will always be ways to obtain those keys while being communicated and to stretch the period where these keys can be used to forge transactions. Once you have, you can move funds to your own address, a bitcoin mixer, Monero, or some other privacy coin.

**Conclusion**

There is only one way to currently achieve Quantum Resistance: by making sure the public key can be made public without any risks, as is done now in the pre-quantum period and as Satoshi has designed blockchain. Thus by the use of quantum resistant signature schemes. The rest is all a patchwork of risk mitigation and delaying strategies; they make it slightly harder to obtain a public key and forge a transaction but not impossible.

**Addition**

And then there is quite often this strategy of postponing quantum resistant signature schemes

And every upgrade the signatures get bigger, and closer to the quantum resistant signature sizes and thus the advantage you have over blockchains with quantum resistant signature schemes gets smaller. While the quantum resistant blockchains are just steady going and their users aren’t bothered with all the hassle. At the same time the users of the blockchain that is constantly upgrading to a bigger key size, keep on needing to migrate their coins to the new and upgraded addresses to stay safe.

submitted by QRCollector to CryptoTechnology [link] [comments]
Part 1, what makes blockchain reliable?

Part 2, The mathematical concepts Hashing and Public key cryptography.

Part 3, Quantum resistant blockchain vs Quantum computing.

Part 4A, The advantages of quantum resistance from genesis block, A

Part 4B, The advantages of quantum resistance from genesis block, A

Part 5, Why BTC is vulnerable for quantum attacks sooner than you would think.

Content:

Change my mind: If a project doesn't use a Quantum Resistant signature scheme, it is not 100% Quantum Resistant.

Here are some of the claims regarding Quantum Resistance without the use of a quantum resistant signature scheme that I have come across so far. For every claim, I give arguments to substantiate why these claims are incorrect.

“We only have public keys in hashed form published. Even quantum computers can't reverse the Hash, so no one can use those public keys to derive the private key. That's why we are quantum resistant.”This example has been explained in the previous article. To summarize: Hashed public keys can be used as an address for deposits. Deposits do not need signature authentication. Alternatively, withdrawals do need signature authentication. To authenticate a signature, the public key will always need to be made public in full, original form. As a necessary requirement, the full public key would be needed to spend coins. Therefore the public key will be included in the transaction.This is incorrect.

The most famous blockchain to use hashed public keys is Bitcoin. Transactions can be hijacked during the period a user sends a transaction from his or her device to the blockchain and the moment a transaction is confirmed. For example: during Bitcoins 10 minute blockchain, the full public keys can be obtained to find private keys and forge transactions. Page 8, point 3 Hashing public keys does have advantages: they are smaller than the original public keys. So it does save space on the blockchain. It doesn't give you Quantum Resistance however. That is a misconception.

“Besides having only hashed public keys on the blockchain, we also have instant transactions. So there is no time to hijack a transaction and to obtain the public key fast enough to forge a transaction. That's why we are quantum resistant.”There is no such thing as instant transactions. A zero second blocktime for example is a claim that can’t be made. Period. Furthermore, transactions are collected in pools before they are added to a block that is going to be processed. The time it takes for miners to add them to a new block before processing that block depends on the amount of transactions a blockchain needs to process at a certain moment. When a blockchain operates within its maximum capacity (the maximum amount of transactions that a blockchain can process per second), the adding of transactions from the pool will go quite swiftly, but still not instantaneously.This is incorrect and impossible.

However, when there is high transaction density, transactions can be stuck in the pool for a while. During this period the transactions are published and the full public keys can be obtained. Just as with the previous hijacking example, a transaction can be forged in that period of time. It can be done when the blockchain functions normally, and whenever the maximum capacity is exceeded, the window of opportunity grows for hackers.

Besides the risk that rush hours would bring by extending the time to work with the public key and forge transactions, there are network based attacks that could serve the same purpose: slow the confirmation time and create a bigger window to forge transactions. These types are attacks where the attacker targets the network instead of the sender of the transaction: Performing a DDoS attack or BGP routing attack or NSA Quantum Insert attack on a peer-to-peer network would be hard. But when provided with an opportunity to earn billions, hackers would find a way.

For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/

For BTC: https://eprint.iacr.org/2015/263.pdf

An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain.

That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do.

This specific example seems to be fixed now, but it most definitely shows there is a risk of other variations to be created. Keep in mind, before this variation of attack was known, the common opinion was that it was impossible. With little incentive to create such an attack, it might take a while until another one is developed. But when the possession of full public keys equals the possibility to forge transactions, all of a sudden billions are at stake.

“Besides only using hashed public keys as addresses, we use the First In First Out (FIFO) mechanism. This solves the forged transaction issue, as they will not be confirmed before the original transactions. That's why we are quantum resistant.”There is another period where the public key is openly available: the moment where a transaction is sent from the users device to the nodes on the blockchain network. The sent transaction can be delayed or totally blocked from arriving to the blockchain network. While this happens the attacker can obtain the public key. This is a man-in-the-middle (MITM) attack. A MITM is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. No transaction is 100% safe from a MITM attack. This type of attack isn’t commonly known amongst average usergroups due to the fact communication is done either encrypted or by the use of private- public key cryptography. Therefore, at this point of time MITM attacks are not an issue, because the information in transactions is useless for hackers. To emphasize the point made: a MITM attack can be done at this point of time to your transactions. But the information obtained by a hacker is useless because he can not break the cryptography. The encryption and private- public key cryptography is safe at this point of time. ECDSA and RSA can not be broken yet. But in the era of quantum computers the problem is clear: an attacker can obtain the public key and create enough time to forge a transaction which will be sent to the blockchain and arrive there first without the network having any way of knowing the transaction is forged. By doing this before the transaction reaches the blockchain, FIFO will be useless. The original transaction will be delayed or blocked from reaching the blockchain. The forged transaction will be admitted to the network first. And First In First Out will actually help the forged transaction to be confirmed before the original.This is incorrect.

“Besides having only hashed public keys, we use small standardized fees. Forged transactions will not be able to use higher fees to get prioritized and confirmed before the original transactions, thus when the forged transaction will try to confirm the address is already empty. This is why we are quantum resistant.”The same arguments apply as with the FIFO system. The attack can be done before the original transaction reaches the network. Thus the forged transaction will still be handled first no matter the fee hight.This is incorrect.

“Besides the above, we use multicast so all nodes receive the transaction at the same time. That's why we are quantum resistant.”Multicast is useless against a MITM attack when the attacker is close enough to the source.This is incorrect.

“Besides the above, we number all our transactions and authenticate nodes so the user always knows who he's talking to. That's why we are quantum resistant.”Besides the fact that you’re working towards a centralized system if only verified people can become nodes. And besides the fact that also verified nodes can go bad and work with hackers. (Which would be useless if quantum resistant signature schemes would be implemented because a node or a hacker would have no use for quantum resistant public keys and signatures.) There are various ways of impersonating either side of a communication channel. IP-spoofing, ARP-spoofing, DSN-spoofing etc. All a hacker needs is time and position. Time can be created in several ways as explained above. All the information in the transaction an original user sends is valid. When a transaction is hijacked and the communication between the user and the rest of the network is blocked, a hacker can copy that information to his own transaction while using a forged signature. The only real effective defense against MITM attacks can be done on router or server-side by a strong encryption between the client and the server (Which in this case would be quantum resistant encryption, but then again you could just as well use a quantum resistant signature scheme.), or you use server authentication but then you would need that to be quantum resistant too. There is no serious protection against MITM attacks when the encryption of the data and the authentication of a server can be broken by quantum computers.This is incorrect.

Only quantum resistant signature schemes will secure blockchain to quantum hacks. Every blockchain will need their users to communicate their public key to the blockchain to authenticate signatures and make transactions. There will always be ways to obtain those keys while being communicated and to stretch the period where these keys can be used to forge transactions. Once you have, you can move funds to your own address, a bitcoin mixer, Monero, or some other privacy coin.

There is only one way to currently achieve Quantum Resistance: by making sure the public key can be made public without any risks, as is done now in the pre-quantum period and as Satoshi has designed blockchain. Thus by the use of quantum resistant signature schemes. The rest is all a patchwork of risk mitigation and delaying strategies; they make it slightly harder to obtain a public key and forge a transaction but not impossible.

And then there is quite often this strategy of postponing quantum resistant signature schemes

“Instead of ECDSA with 256 bit keys we will just use 384 bit keys. And after that 521 bit keys, and then RSA 4096 keys, so we will ride it out for a while. No worries we don’t need to think about quantum resistant signature schemes for a long time.”Besides the fact that this doesn’t make a project quantum resistant, it is nothing but postponing the switch to quantum resistant signatures, it is not a solution. Going from 256 bit keys to 384 bit keys would mean a quantum computer with ~ 3484 qubits instead of ~ 2330 qubits could break the signature scheme. That is not even double and postpones the problem either half a year or one year, depending which estimate you take. (Doubling of qubits every year, or every two years). It does however have the same problems as a real solution and is just as much work. (Changing the code, upgrading the blockchain, finding consensus amongst the nodes, upgrading all supporting systems, hoping the exchanges all go along with the new upgrade and migrate their coins, heaving all users migrate their coins.) And then quite soon after that, they'll have to go at it again. What they will do next? Go for 512 bit curves? Same issues. It's just patchworks and just as much hassle, but then over and over again for every “upgrade” from 384 to 521 etc.This is highly inefficient, and creates more problems than it solves.

And every upgrade the signatures get bigger, and closer to the quantum resistant signature sizes and thus the advantage you have over blockchains with quantum resistant signature schemes gets smaller. While the quantum resistant blockchains are just steady going and their users aren’t bothered with all the hassle. At the same time the users of the blockchain that is constantly upgrading to a bigger key size, keep on needing to migrate their coins to the new and upgraded addresses to stay safe.

In our last article, we explored the fundamentals of TBU (or Tachyon Booster UDP). TBU is the core of Tachyon’s architecture which will replace the Application, Transport and Internet layers of the conventional TCP/IP protocol.

What Is TBU? How Does TBU Work?

The core of Tachyon Protocol includes four parts — TBU(Tachyon Booster UDP), TSP(Tachyon Security Protocol)…

medium.com

Today we will take a look at TSP, or Tachyon Security Protocol. As the name suggests, TSP is that part of Tachyon which ensures that the ecosystem remains safe from hackers and user data remains hidden from the outside world. The two main weapons in TSP’s arsenal are Asymmetric end-to-end Encryption and Protocol Simulation Scheme.

ECDHE-ECDSA Asymmetric end-to-end Encryption

The data that you send over the Internet passes through a host of servers, routers, and devices. There’s simply no way of knowing how secure any of these data gateways are. For all you know, your data might be intercepted by hackers at multiple points.

The most reliable safeguard against this problem is end-to-end encryption, which scrambles user data such that only the recipient can make any sense out of it. Even if a hacker intercepts this data, it would seem all gibberish. It’s only when the data reaches its correct destination that it is unscrambled and the original message is revealed.

Let’s say at a birthday party, Jim wants to send a secret message to his friend Rob; but the party is teeming with other kids, and he can’t risk the secret being let out. Luckily for Jim, both he and Rob have been taking French classes outside their school hours. Jim jots down the message in French on a piece of paper, and asks the other kids to relay it over to Rob. Now even if any of his friends open the chit, he won’t be able to make any meaning out of it. Smart move, Jim!

Ordinary point-to-point networking suffers from 2 major threats:

1.Network Sniffing

Hackers can use Network Sniffing tools to intercept and analyze the data flowing over computer network links. Most of these Sniffers work mainly with TCP/IP packets, but more sophisticated tools can work lower in the network hierarchy and even intercept Ethernet frames.

To counter such data hacking techniques, TSP creates encryption keys in insecure channels (where data points are unfamiliar with the credentials of each other) by implementing ECDH — ECDSA and Ephemeral Key. ECDH — ECDSA are a class of cryptographic algorithms which come under what is known as Elliptic Curve Cryptography.

TSP also uses AES (Advanced Encryption Standard) to ensure that even if the message is intercepted, the attacker wouldn’t be able to read it. In addition to this, a set of hash algorithms, such as HMAC, SHA2 and Keccak, are deployed so that in case the attacker is able to alter the data, the message would be automatically ignored.

In some instances, although the attacker is unable to decode the message, he might still be able to acquire some statistical feature information from it. TSP safeguards against this through a combination of different techniques, such as using a public symmetric encryption key, adding random data to the transmitted message, and encrypting the information part (such as the frame byte of the data packet).

Moreover, the likelihood of an encryption key being deciphered increases with multiple usages. TSP avoids any such risks by automatically renegotiating the encryption key after the connection transmits a certain length of data.

TSP protects against MITM attacks by using ECDH (or Elliptic-Curve Diffie–Hellman), a key agreement protocol that allows two parties to establish a shared secret communication over an insecure channel. This makes it possible for the identities of both parties to be verified before any data is transmitted. Through ECDH, each of these parties generates an elliptic-curve public-private key pair. As long as this private key is not exposed, MITM attacks can be prevented.

Protocol Simulation Scheme

A distinct feature of TSP is the Protocol Simulation Scheme, which allows Tachyon to simulate well known communication protocols, such as UDP, TCP, HTTP, HTTPS, FTP and SMTP. So while Tachyon encrypts data packets using its own TBU protocol stack (discussed in our last article), anyone who intercepts this data would assume that the data belongs to the communication protocol being simulated.

Though Protocol Simulation, TSP guarantees that the real content of the communication is concealed, in order to avoid information unwarranted interception and exposure. It also fools firewalls and other third party applications into letting Tachyon data flow unhindered — a feature that is really useful in Tachyon’s VPN application.

Today, HTTP/HTTPS is the most commonly used communication protocol in the World Wide Web. However, in most cases, the data that is transmitted is completely unencrypted, which makes it vulnerable to hacking. Moreover, HTTP-based communication checks neither the identity of the node with which communicating is being established, nor the integrity of the message being transmitted.

In case of Tachyon, not only is the data encrypted in multiple levels, but the nature of the data packet is concealed as well. For example, in case of SMTP simulation, the data will resemble an ordinary e-mail; while in case of HTTPS simulation, the data traffic will appear like the user is visiting a website such as Google or BBC News.

submitted by Rlindras to Crypto_General [link] [comments]
What Is TBU? How Does TBU Work?

The core of Tachyon Protocol includes four parts — TBU(Tachyon Booster UDP), TSP(Tachyon Security Protocol)…

medium.com

Today we will take a look at TSP, or Tachyon Security Protocol. As the name suggests, TSP is that part of Tachyon which ensures that the ecosystem remains safe from hackers and user data remains hidden from the outside world. The two main weapons in TSP’s arsenal are Asymmetric end-to-end Encryption and Protocol Simulation Scheme.

ECDHE-ECDSA Asymmetric end-to-end Encryption

The data that you send over the Internet passes through a host of servers, routers, and devices. There’s simply no way of knowing how secure any of these data gateways are. For all you know, your data might be intercepted by hackers at multiple points.

The most reliable safeguard against this problem is end-to-end encryption, which scrambles user data such that only the recipient can make any sense out of it. Even if a hacker intercepts this data, it would seem all gibberish. It’s only when the data reaches its correct destination that it is unscrambled and the original message is revealed.

Let’s say at a birthday party, Jim wants to send a secret message to his friend Rob; but the party is teeming with other kids, and he can’t risk the secret being let out. Luckily for Jim, both he and Rob have been taking French classes outside their school hours. Jim jots down the message in French on a piece of paper, and asks the other kids to relay it over to Rob. Now even if any of his friends open the chit, he won’t be able to make any meaning out of it. Smart move, Jim!

Ordinary point-to-point networking suffers from 2 major threats:

1.Network Sniffing

Hackers can use Network Sniffing tools to intercept and analyze the data flowing over computer network links. Most of these Sniffers work mainly with TCP/IP packets, but more sophisticated tools can work lower in the network hierarchy and even intercept Ethernet frames.

To counter such data hacking techniques, TSP creates encryption keys in insecure channels (where data points are unfamiliar with the credentials of each other) by implementing ECDH — ECDSA and Ephemeral Key. ECDH — ECDSA are a class of cryptographic algorithms which come under what is known as Elliptic Curve Cryptography.

TSP also uses AES (Advanced Encryption Standard) to ensure that even if the message is intercepted, the attacker wouldn’t be able to read it. In addition to this, a set of hash algorithms, such as HMAC, SHA2 and Keccak, are deployed so that in case the attacker is able to alter the data, the message would be automatically ignored.

In some instances, although the attacker is unable to decode the message, he might still be able to acquire some statistical feature information from it. TSP safeguards against this through a combination of different techniques, such as using a public symmetric encryption key, adding random data to the transmitted message, and encrypting the information part (such as the frame byte of the data packet).

Moreover, the likelihood of an encryption key being deciphered increases with multiple usages. TSP avoids any such risks by automatically renegotiating the encryption key after the connection transmits a certain length of data.

- Man-in-the-middle Attack (MITM)

TSP protects against MITM attacks by using ECDH (or Elliptic-Curve Diffie–Hellman), a key agreement protocol that allows two parties to establish a shared secret communication over an insecure channel. This makes it possible for the identities of both parties to be verified before any data is transmitted. Through ECDH, each of these parties generates an elliptic-curve public-private key pair. As long as this private key is not exposed, MITM attacks can be prevented.

Protocol Simulation Scheme

A distinct feature of TSP is the Protocol Simulation Scheme, which allows Tachyon to simulate well known communication protocols, such as UDP, TCP, HTTP, HTTPS, FTP and SMTP. So while Tachyon encrypts data packets using its own TBU protocol stack (discussed in our last article), anyone who intercepts this data would assume that the data belongs to the communication protocol being simulated.

Though Protocol Simulation, TSP guarantees that the real content of the communication is concealed, in order to avoid information unwarranted interception and exposure. It also fools firewalls and other third party applications into letting Tachyon data flow unhindered — a feature that is really useful in Tachyon’s VPN application.

Today, HTTP/HTTPS is the most commonly used communication protocol in the World Wide Web. However, in most cases, the data that is transmitted is completely unencrypted, which makes it vulnerable to hacking. Moreover, HTTP-based communication checks neither the identity of the node with which communicating is being established, nor the integrity of the message being transmitted.

In case of Tachyon, not only is the data encrypted in multiple levels, but the nature of the data packet is concealed as well. For example, in case of SMTP simulation, the data will resemble an ordinary e-mail; while in case of HTTPS simulation, the data traffic will appear like the user is visiting a website such as Google or BBC News.

What's this? I don't make a Technical post for a month and now BitPay is censoring the Hong Kong Free Press? Shit I'm sorry, it's all my fault for not posting a Technical post regularly!! Now posting one so that we have a censorship-free Bitcoin universe!

Pay-to-contract and sign-to-contract are actually cryptographic techniques to allow you to embed a commitment in a public key (pay-to-contract) or signature (sign-to-contract). This commitment can be revealed independently of the public key / signature without leaking your private key, and the existence of the commitment does not prevent you from using the public key / signature as a normal pubkey/signature for a normal digital signing algorithm.

Both techniques utilize*elliptic curve homomorphism*. Let's digress into that a little first.

## Elliptic Curve Homomorphism

Let's get an oversimplified view of the maths involved first.

First, we have two "kinds" of things we can compute on.

If you have an Elliptic Curve, and require that all points you work with are on some Elliptic Curve, then you can do these operations.

In Elliptic Curve Cryptography, scalars are used as private keys, while points are used as public keys. This is particularly useful since if you have a private key (scalar), you can derive a public key (point) from it (by multiplying the scalar with a certain standard point, which we call the "generator point", traditionally G). But there is no reverse operation to get the private key from the public key.

## Commitments

Let's have another mild digression.

Sometimes, you want to "commit' to something that you want to keep hidden for now. This is actually important in some games and so on. For example, if you are paying a game of Twenty Questions, one player must first write the object they are thinking of, then fold or hide it in such a way that what they wrote is not visible. Then, after the guessing player has asked twenty questions to narrow down what the object is and has revealed what he or she thinks the object being guessed was, the guessee reveals the object by unfodling and showing the paper.

The act of writing down*commits* you to the specific thing you wrote down. Folding the paper and/or hiding it, err, *hides* what you wrote down. Later, when you unfold the paper, you *reveal* your commitment.

The above is the analogy to the development of cryptographic commitments.

### Salting

Now, sometimes there are only a few possible things you can select from. For example, instead of Twenty Questions you might be playing a Coin Toss Guess game.

What we'd do would be that, for example, I am the guesser and you the guessee. You select either "heads" or "tails" and put it in a commitment which you hand over to me. Then, I say "heads" or "tails" and have you reveal your commitment. If I guessed correctly I win, if not you win.

Unfortunately, if we were to just use a one-way function like an SHA hash function, it would be very trivial for me to win. All I would need to do would be to try passing "heads" and "tails" to the one-way function and see which one matches the commitment you gave me. Then I can very easily find out what your committed value was, winning the game consistently. In hacking, this can be made easier by making Rainbow Tables, and is precisely the technique used to derive passwords from password databases containing hashes of the passwords.

The way to solve this is to add a*salt*. This is basically just a large random number that we prepend (or append, order doesn't matter) to the actual value you want to commit to. This means that not only do I have to feed "heads" or "tails", I also have to guess the large random number (the salt). If the possible space of large random numbers is large enough, this prevents me from being able to peek at your committed data. The salt is sometimes called a *blinding factor*.

## Pay-to-contract

Hiding commitments in pubkeys!

Pay-to-contract allows you to publish a public key, whose private key you can derive, while also being a cryptographic commitment. In particular, your private key is also used to derive a salt.

The key insight here is to realize that "one-way function" is not restricted to hash functions like SHA. The operation below is an example of a one-way function too:

First, pay-to-contract requires you to have a public and private keypair.

*contract*. This is just any arbitrary message containing any arbitrary thing (it could be an object for Twenty Questions, or "heads" or "tails" for Coin Toss Guessing). Traditionally, this is symbolized as the small letter s.

In order to have a pay-to-contract public key, you need to compute the below from your public key P (called the*internal public key*; by analogy the private key p is the *internal private key*):

The cute thing is that P serves as your salt. Any private key is just an arbitrary random scalar. Multiplying the private key by the generator results in an arbitrary-seeming point. That random point is now your salt, which makes this into a genuine bonafide hiding cryptographic commitment!

Now Q is a point, i.e. a public key. You might be interested in knowing its private key, a scalar. Suppose you postulate the existence of a scalar q such that:

Now Q is supposed to be a commitment, and once somebody else knows Q, they can challenge you to reveal your committed value, the contract s. Revealing the pay-to-contract commitment is done by simply giving the internal public key P (which doubles as the salt) and the committed value contract s.

The challenger then simply computes:

Some very important properties are:

Of course, you can't sign for Q (you need to know p to compute the private key q) but this is sometimes an interesting use.

The original proposal for*pay*-to-contract was that a merchant would publish their public key, then a customer would "order" by writing the contract s with what they wanted to buy. Then, the customer would generate the public key Q (committing to s) using the merchant's public key as the internal public key P, then use that in a P2PKH or P2WPKH. Then the customer would reveal the contract s to the merchant, placing their order, and the merchant would now be able to claim the money.

Another general use for pay-to-contract include publishing a commitment on the blockchain without using an OP_RETURN output. Instead, you just move some of your funds to yourself, using your own public key as the internal public key, then selecting a contract s that commits or indicates what you want to anchor onchain. This should be the preferred technique rather than OP_RETURN. For example, colored coin implementations over Bitcoin usually used OP_RETURN, but the new RGB colored coin technique uses pay-to-contract instead, reducing onchain bloat.

### Taproot

Pay-to-contract is also used in the nice new Taproot concept.

Briefly, taproot anchors a Merkle tree of scripts. The root of this tree is the contract s committed to. Then, you pay to a SegWit v1 public key, where the public key is the Q pay-to-contract commitment.

When spending a coin paying to a SegWit v1 output with a Taprooted commitment to a set of scripts s, you can do one of two things:

#### Escrow Under Taproot

Traditionally, escrow is done with a 2-of-3 multisignature script.

However, by use of Taproot and pay-to-contract, it's possible to get more privacy than traditional escrow services.

Suppose we have a buyer, a seller, and an escrow service. They have keypairs B = b * G, S = s * G, and E = e * G.

The buyer and seller then generate a Taproot output (which the buyer will pay to before the seller sends the product).

The Taproot itself uses an internal public key that is the 2-of-2 MuSig of B and S, i.e. MuSig(B, S). Then it commits to a pair of possible scripts:

*another* pay-to-contract, this time with the script s containing the details of the transaction. For example, if the buyer wants to buy some USD, the contract could be "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis".

This takes advantage of the fact that the committer need not know the private key behind the public key being used in a pay-to-contract commitment. The actual transaction it is being used for is committed to onchain, because the public key published on the blockchain ultimately commits (via a taproot to a merkle tree to a script containing a MuSig of a public key modified with the committed contract) to the contract between the buyer and seller.

Thus, the cases are:

#### Smart Contracts Unchained

Developed by ZmnSCPxj here: https://zmnscpxj.github.io/bitcoin/unchained.html

A logical extension of the above escrow case is to realize that the "contract" being given to the escrow service is simply some text that is interpreted by the escrow, and which is then executed by the escrow to determine where the funds should go.

Now, the*language* given in the previous escrow example is English. But nothing prevents the contract from being written in another language, including a machine-interpretable one.

Smart Contracts Unchained simply makes the escrow service an interpreter for some Smart Contract scripting language.

The cute thing is that there still remains an "everything good" path where the participants in the smart contract all agree on what the result is. In that case, with Taproot,*there is no need to publish the smart contract* --- only the participants know, and nobody else has to. This is an improvement in not only privacy, but also blockchain size --- the smart contract itself never has to be published onchain, only the commitment to it is (and that is embedded in a public key, which is necessary for basic security on the blockchain anyway!).

## Sign-to-contract

Hiding commitments in signatures!

Sign-to-contract is something like the dual or inverse of pay-to-contract. Instead of hiding a commitment in the public key, it is hidden in the signature.

Sign-to-contract utilizes the fact that signatures need to have a random scalar r which is then published as the point R = r * G.

Similarly to pay-to-contract, we can have an internal random scalar p and internal point P that is used to compute R:

This is in fact just the same method of commitment as in pay-to-contract. The operations of committing and revealing are the same. The only difference is*where* the commitment is stored.

Importantly, however, is that you*cannot* take somebody else's signature and then create an alternate signature that commits to some s you select. This is in contrast with pay-to-contract, where you can take somebody else's public key and then create an alternate public key that commits to some s you select.

Sign-to-contract is somewhat newer as a concept than pay-to-contract. It seems there are not as many applications of pay-to-contract yet.

### Uses

Sign-to-contract can be used, like pay-to-contract, to publish commitments onchain.

The difference is below:

Instead of using such an OP_RETURN, individual wallets can publish a timestamped commitment by making a self-paying transaction, embedding the commitment inside the signature for that transaction. Such a feature can be added to any individual wallet software. https://blog.eternitywall.com/2018/04/13/sign-to-contract/

This does not require any additional infrastructure (i.e. no aggregating servers like in Open Timestamps).

### R Reuse Concerns

ECDSA and Schnorr-based signature schemes are vulnerable to something called "R reuse".

Basically, if the same R is used for different messages (transactions) with the same public key, a third party with both signatures can compute the private key.

This is concerning especially if the signing algorithm is executed in an environment with insufficient entropy. By complete accident, the environment might yield the same random scalar r in two different runs. Combined with address reuse (which implies public key reuse) this can leak the private key inadvertently.

For example, most hardware wallets will not have any kind of entropy at all.

The usual solution to this is, instead of selecting an arbitrary random r (which might be impossible in limited environments with no available entropy), is to hash the message and use the hash as the r.

This ensures that if the same public key is used again for a different message, then the random r is also different, preventing reuse at all.

Of course, if you are using sign-to-contract, then you can't use the above "best practice".

It seems to me plausible that computing the internal random scalar p using the hash of the message (transaction) should work, then add the commitment on top of that. However, I'm not an actual cryptographer, I just play one on Reddit. Maybe apoelstra or pwuille can explain in more detail.

Copyright 2019 Alan Manuel K. Gloria. Released under CC-BY.

submitted by almkglor to Bitcoin [link] [comments]
Pay-to-contract and sign-to-contract are actually cryptographic techniques to allow you to embed a commitment in a public key (pay-to-contract) or signature (sign-to-contract). This commitment can be revealed independently of the public key / signature without leaking your private key, and the existence of the commitment does not prevent you from using the public key / signature as a normal pubkey/signature for a normal digital signing algorithm.

Both techniques utilize

First, we have two "kinds" of things we can compute on.

- One kind is "scalars". These are just very large single numbers. Traditionally represented by small letters.
- The other kind is "points". These are just pairs of large numbers. Traditionally represented by large letters.

If you have an Elliptic Curve, and require that all points you work with are on some Elliptic Curve, then you can do these operations.

- Add, subtract, multiply, and divide scalars. Remember, scalars are just very big numbers. So those basic mathematical operations still work on big numbers, they're just big numbers.
- "Multiply" a scalar by a point, resulting in a point. This is written as a * B, where a is the scalar and B is a point. This is not just multiplying the scalar to the point coordinates, this is some special Elliptic Curve thing that I don't understand either.
- "Add" two points together. This is written as A + B. Again, this is some special Elliptic Curve thing.

A = a * G B = b * G Q = A + BThen:

q = a + b Q = q * GThat is, if you add together two points that were each derived from multiplying an arbitarry scalar with the same point (G in the above), you get the same result as adding the scalars together first, then multiplying their sum with the same point will yield the same number. Or:

a * G + b * G = (a + b) * GAnd because multiplication is just repeated addition, the same concept applies when multiplying:

a * (b * G) = (a * b) * G = (b * a) * G = b * (a * G)Something to note in particular is that there are few operations on points. One operation that's missing is "dividing" a point by a point to yield a scalar. That is, if you have:

A = a * GThen, if you know A but don't know the scalar a, you can't do the below:

a = A / GYou can't get a even if you know both the points A and G.

In Elliptic Curve Cryptography, scalars are used as private keys, while points are used as public keys. This is particularly useful since if you have a private key (scalar), you can derive a public key (point) from it (by multiplying the scalar with a certain standard point, which we call the "generator point", traditionally G). But there is no reverse operation to get the private key from the public key.

Sometimes, you want to "commit' to something that you want to keep hidden for now. This is actually important in some games and so on. For example, if you are paying a game of Twenty Questions, one player must first write the object they are thinking of, then fold or hide it in such a way that what they wrote is not visible. Then, after the guessing player has asked twenty questions to narrow down what the object is and has revealed what he or she thinks the object being guessed was, the guessee reveals the object by unfodling and showing the paper.

The act of writing down

The above is the analogy to the development of cryptographic commitments.

- First you select some thing --- it could be anything, a song, a random number, a promise to deliver products and services, the real identity of Satoshi Nakamoto.
- You
*commit*to it by giving it as input to a one-way function. A one-way function is a function which allows you to get an output from an input, but after you perform that there is no way to reverse it and determine the original input knowing only the final output. Hash functions like SHA are traditionally used as one-way functions. As a one-way function, this*hides*your original input. - You give the commitment (the output of the one-way function given your original input) to whoever wants you to commit.
- Later, when somebody demands to show what you committed to (for example after playing Twenty Questions), you
*reveal*the commitment by giving the original input to the one-way function (i.e. the thing you selected in the first step, which was the thing you wanted to commit to). - Whoever challenged you can
*verify*your commitment by feeding your supposed original input to the same one-way function. If you honestly gave the correct input, then the challenger will get the output that you published above in step 3.

What we'd do would be that, for example, I am the guesser and you the guessee. You select either "heads" or "tails" and put it in a commitment which you hand over to me. Then, I say "heads" or "tails" and have you reveal your commitment. If I guessed correctly I win, if not you win.

Unfortunately, if we were to just use a one-way function like an SHA hash function, it would be very trivial for me to win. All I would need to do would be to try passing "heads" and "tails" to the one-way function and see which one matches the commitment you gave me. Then I can very easily find out what your committed value was, winning the game consistently. In hacking, this can be made easier by making Rainbow Tables, and is precisely the technique used to derive passwords from password databases containing hashes of the passwords.

The way to solve this is to add a

Pay-to-contract allows you to publish a public key, whose private key you can derive, while also being a cryptographic commitment. In particular, your private key is also used to derive a salt.

The key insight here is to realize that "one-way function" is not restricted to hash functions like SHA. The operation below is an example of a one-way function too:

h(a) = a * GThis results in a point, but once the point (the output) is known, it is not possible to derive the input (the scalar a above). This is of course restricted to having the input be a scalar only, instead of an arbitrary-length message, but you can add a hash function (which can accept an arbitrary-length input) and then make its output (a fixed-length scalar) as the scalar to use.

First, pay-to-contract requires you to have a public and private keypair.

; p is private key P = p * G ; P is now public keyThen, you have to select a

In order to have a pay-to-contract public key, you need to compute the below from your public key P (called the

Q = P + h(P | s) * G"h()" is any convenient hash function, which takes anything of arbitrary length, and outputs a scalar, which you can multiply by G. The syntax "P | s" simply means that you are prepending the point P to the contract s.

The cute thing is that P serves as your salt. Any private key is just an arbitrary random scalar. Multiplying the private key by the generator results in an arbitrary-seeming point. That random point is now your salt, which makes this into a genuine bonafide hiding cryptographic commitment!

Now Q is a point, i.e. a public key. You might be interested in knowing its private key, a scalar. Suppose you postulate the existence of a scalar q such that:

Q = q * GThen you can do the below:

Q = P + h(P | s) * G Q = p * G + h(P | s) * G Q = (p + h(P | s)) * GThen we can conclude that:

q = p + h(P | s)Of note is that somebody else cannot learn the private key q unless they already know the private key p. Knowing the internal public key P is not enough to learn the private key q. Thus, as long as you are the only one who knows the internal private key p, and you keep it secret, then only you can learn the private key q that can be used to sign with the public key Q (that is also a pay-to-contract commitment).

Now Q is supposed to be a commitment, and once somebody else knows Q, they can challenge you to reveal your committed value, the contract s. Revealing the pay-to-contract commitment is done by simply giving the internal public key P (which doubles as the salt) and the committed value contract s.

The challenger then simply computes:

P + h(P | s) * GAnd verifies that it matches the Q you gave before.

Some very important properties are:

- If you reveal first, then you still remain in sole control of the private key. This is because revelation only shows the internal public key and the contract, neither of which can be used to learn the internal private key. So you can reveal and sign in any order you want, without precluding the possibility of performing the other operation in the future.
- If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s. You can compute q simply from the internal private key p and the contract s. You don't even need to pass those in to your signing algorithm, it could just be given the computed q and the message you want to sign!
- Anyone verifying your signature using the public key Q is unaware that it is
*also*used as a cryptographic commitment.

- You don't have to know the internal private key p in order to create a commitment pay-to-contract public key Q that commits to a contract s you select.

Q = P + h(P | s) * GThe above equation for Q does not require that you know the internal private key p. All you need to know is the internal public key P. Since public keys are often revealed publicly, you can use somebody else's public key as the internal public key in a pay-to-contract construction.

Of course, you can't sign for Q (you need to know p to compute the private key q) but this is sometimes an interesting use.

The original proposal for

Another general use for pay-to-contract include publishing a commitment on the blockchain without using an OP_RETURN output. Instead, you just move some of your funds to yourself, using your own public key as the internal public key, then selecting a contract s that commits or indicates what you want to anchor onchain. This should be the preferred technique rather than OP_RETURN. For example, colored coin implementations over Bitcoin usually used OP_RETURN, but the new RGB colored coin technique uses pay-to-contract instead, reducing onchain bloat.

Briefly, taproot anchors a Merkle tree of scripts. The root of this tree is the contract s committed to. Then, you pay to a SegWit v1 public key, where the public key is the Q pay-to-contract commitment.

When spending a coin paying to a SegWit v1 output with a Taprooted commitment to a set of scripts s, you can do one of two things:

- Sign directly with the key. If you used Taproot, use the commitment private key q.
- Reveal the commitment, then select the script you want to execute in the Merkle tree of scripts (prove the Markle tree path to the script). Then satisfy the conditions of the script.

- If you reveal first, then you still remain in sole control of the private key.
- This is important if you take the Taproot path and reveal the commitment to the set of scripts s. If your transaction gets stalled on the mempool, others can know your commitment details. However, revealing the commitment will
*not*reveal the internal private key p (which is needed to derive the commitment private key q), so nobody can RBF out your transaction by using the sign-directly path.

- This is important if you take the Taproot path and reveal the commitment to the set of scripts s. If your transaction gets stalled on the mempool, others can know your commitment details. However, revealing the commitment will
- If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s.
- This is important for privacy. If you are able to sign with the commitment public key, then that automatically hides the fact that you
*could*have used an alternate script s instead of the key Q.

- This is important for privacy. If you are able to sign with the commitment public key, then that automatically hides the fact that you
- Anyone verifying your signature using the public key Q is unaware that it is
*also*used as a cryptographic commitment.- Again, privacy. Fullnodes will not know that you had the ability to use an alternate script path.

- It is possible to generate a single public key that cannot be signed, except by the agreement of multiple signers who each contribute part of the public key. I.e. this is MuSig, which allows to create an n-of-n signing group that has a single public key.

However, by use of Taproot and pay-to-contract, it's possible to get more privacy than traditional escrow services.

Suppose we have a buyer, a seller, and an escrow service. They have keypairs B = b * G, S = s * G, and E = e * G.

The buyer and seller then generate a Taproot output (which the buyer will pay to before the seller sends the product).

The Taproot itself uses an internal public key that is the 2-of-2 MuSig of B and S, i.e. MuSig(B, S). Then it commits to a pair of possible scripts:

- Release to a 2-of-2 MuSig of seller and escrow. This path is the "escrow sides with seller" path.
- Release to a 2-of-2 MuSig of buyer and escrow. This path is the "escrow sides with buyer" path.

This takes advantage of the fact that the committer need not know the private key behind the public key being used in a pay-to-contract commitment. The actual transaction it is being used for is committed to onchain, because the public key published on the blockchain ultimately commits (via a taproot to a merkle tree to a script containing a MuSig of a public key modified with the committed contract) to the contract between the buyer and seller.

Thus, the cases are:

- Buyer and seller are satisfied, and cooperatively create a signature that spends the output to the seller.
- The escrow service
*never learns it could have been an escrow*. The details of their transaction remain hidden and private, so the buyer is never embarrassed over being so tacky as to waste their hard money buying USD.

- The escrow service
- The buyer and seller disagree (the buyer denies having received the goods in proper quality).
- They contact the escrow, and reveal the existence of the onchain contract, and provide the data needed to validate just what, exactly, the transaction was supposed to be about. This includes revealing the "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis", as well as all the data needed to validate up to that level. The escrow then investigates the situation and then decides in favor of one or the other. It signs whatever transaction it decides (either giving it to the seller or buyer), and possibly also extracts an escrow fee.

A logical extension of the above escrow case is to realize that the "contract" being given to the escrow service is simply some text that is interpreted by the escrow, and which is then executed by the escrow to determine where the funds should go.

Now, the

Smart Contracts Unchained simply makes the escrow service an interpreter for some Smart Contract scripting language.

The cute thing is that there still remains an "everything good" path where the participants in the smart contract all agree on what the result is. In that case, with Taproot,

Sign-to-contract is something like the dual or inverse of pay-to-contract. Instead of hiding a commitment in the public key, it is hidden in the signature.

Sign-to-contract utilizes the fact that signatures need to have a random scalar r which is then published as the point R = r * G.

Similarly to pay-to-contract, we can have an internal random scalar p and internal point P that is used to compute R:

R = P + h(P | s) * GThe corresponding random scalar r is:

r = p + h(P | s)The signing algorithm then uses the modified scalar r.

This is in fact just the same method of commitment as in pay-to-contract. The operations of committing and revealing are the same. The only difference is

Importantly, however, is that you

Sign-to-contract is somewhat newer as a concept than pay-to-contract. It seems there are not as many applications of pay-to-contract yet.

The difference is below:

- Signatures are attached to transaction inputs.
- Public keys are attached to transaction outputs.

Instead of using such an OP_RETURN, individual wallets can publish a timestamped commitment by making a self-paying transaction, embedding the commitment inside the signature for that transaction. Such a feature can be added to any individual wallet software. https://blog.eternitywall.com/2018/04/13/sign-to-contract/

This does not require any additional infrastructure (i.e. no aggregating servers like in Open Timestamps).

Basically, if the same R is used for different messages (transactions) with the same public key, a third party with both signatures can compute the private key.

This is concerning especially if the signing algorithm is executed in an environment with insufficient entropy. By complete accident, the environment might yield the same random scalar r in two different runs. Combined with address reuse (which implies public key reuse) this can leak the private key inadvertently.

For example, most hardware wallets will not have any kind of entropy at all.

The usual solution to this is, instead of selecting an arbitrary random r (which might be impossible in limited environments with no available entropy), is to hash the message and use the hash as the r.

This ensures that if the same public key is used again for a different message, then the random r is also different, preventing reuse at all.

Of course, if you are using sign-to-contract, then you can't use the above "best practice".

It seems to me plausible that computing the internal random scalar p using the hash of the message (transaction) should work, then add the commitment on top of that. However, I'm not an actual cryptographer, I just play one on Reddit. Maybe apoelstra or pwuille can explain in more detail.

Copyright 2019 Alan Manuel K. Gloria. Released under CC-BY.

Part 1 and part 2 will give you usefull basic blockchain knowledge that is not explained in this part.

Part 1 here

Part 2 here

**Quantum resistant blockchains explained.**

**- How would quantum computers pose a threat to blockchain?**

**- Expectations in the field of quantum computer development.**

**- Quantum resistant blockchains**

**- Why is it easier to change cryptography for centralized systems such as banks and websites than for blockchain?**

**- Conclusion**

The fact that whatever is registered on a blockchain can’t be tampered with is one of the great reasons for the success of blockchain. Looking ahead, awareness is growing in the blockchain ecosystem that quantum computers might cause the need for some changes in the cryptography that is used by blockchains to prevent hackers from forging transactions.

**How would quantum computers pose a threat to blockchain?**

First, let’s get a misconception out of the way. When talking about the risk quantum computers could pose for blockchain, some people think about the risk of quantum computers out-hashing classical computers. This, however, is**not** expected to pose a real threat when the time comes.

This paper explains why: https://arxiv.org/pdf/1710.10377.pdf "In this section, we investigate the advantage a quantum computer would have in performing the hashcash PoW used by Bitcoin. Our findings can be summarized as follows: Using Grover search, a quantum computer can perform the hashcash PoW by performing quadratically fewer hashes than is needed by a classical computer. However, the extreme speed of current specialized ASIC hardware for performing the hashcash PoW, coupled with much slower projected gate speeds for current quantum architectures, essentially negates this quadratic speedup, at the current difficulty level, giving quantum computers no advantage. Future improvements to quantum technology allowing gate speeds up to 100GHz could allow quantum computers to solve the PoW about 100 times faster than current technology.

However, such a development is unlikely in the next decade, at which point classical hardware may be much faster, and quantum technology might be so widespread that no single quantum enabled agent could dominate the PoW problem."

**The real point of vulnerability is this:** attacks on signatures wherein the private key is derived from the public key. That means that if someone has your public key, they can also calculate your private key, which is unthinkable using even today’s most powerful classical computers. So in the days of quantum computers, the public-private keypair will be the weak link. Quantum computers have the potential to perform specific kinds of calculations significantly faster than any normal computer. Besides that, quantum computers can run algorithms that take fewer steps to get to an outcome, taking advantage of quantum phenomena like quantum entanglement and quantum superposition. So quantum computers can run these certain algorithms that could be used to make calculations that can crack cryptography used today. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks and https://eprint.iacr.org/2017/598.pdf

Most blockchains use Elliptic Curve Digital Signature Algorithm (ECDSA) cryptography. Using a quantum computer, Shor's algorithm can be used to break ECDSA. (See for reference: https://arxiv.org/abs/quant-ph/0301141 and pdf: https://arxiv.org/pdf/quant-ph/0301141.pdf ) Meaning: they can derive the private key from the public key. So if they got your public key (and a quantum computer), then they got your private key and they can create a transaction and empty your wallet.

RSA has the same vulnerability while RSA will need a stronger quantum computer to be broken than ECDSA.

At this point in time, it is already possible to run Shor’s algorithm on a quantum computer. However, the amount of qubits available right now makes its application limited. But it has been proven to work, we have exited the era of pure theory and entered the era of practical applications:

It is however still in development, and only works for 18 binary bits at the time of this writing, but it shows new developments that could mean that, rather than a speedup in quantum computing development posing the most imminent threat to RSA and ECDSA, a speedup in the mathematical developments could be even more consequential. More info on VQF here: https://arxiv.org/abs/1808.08927

It all comes down to this: when your public key is visible, which is always necessary to make transactions, you are at some point in the future vulnerable for quantum attacks. (This also goes for BTC, which uses the hash of the public key as an address, but more on that in the following articles.) If you would have keypairs based on post quantum cryptography, you would not have to worry about that since in that case not even a quantum computer could derive your private key from your public key.

The conclusion is that future blockchains should be quantum resistant, using post-quantum cryptography. It’s very important to realize that post quantum cryptography is not just adding some extra characters to standard signature schemes. It’s the mathematical concept that makes it quantum resistant. to become quantm resistant, the algorithm needs to be changed. “The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm. Even though current, publicly known, experimental quantum computers lack processing power to break any real cryptographic algorithm, many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat.” https://en.wikipedia.org/wiki/Post-quantum_cryptography

**Expectations in the field of quantum computer development.**

To give you an idea what the expectations of quantum computer development are in the field (Take note of the fact that the type and error rate of the qubits is not specified in the article. It is not said these will be enough to break ECDSA or RSA, neither is it said these will not be enough. What these articles do show, is that a huge speed up in development is expected.):

The National Academy of Sciences (NAS) has made a very thourough report on the development of quantum computing. The report came out in the end of 2018. They brought together a group of scientists of over 70 people from different interconnecting fields in quantum computing who, as a group, have come up with a close to 200 pages report on the development, funding, implications and upcoming challenges for quantum computing development. But, even though this report is one of the most thourough up to date, it doesn't make an estimate on when the risk for ECDSA or RSA would occur. They acknowledge this is quite impossible due to the fact there are a lot of unknowns and due to the fact that they have to base any findings only on publicly available information, obviously excluding any non available advancements from commercial companies and national efforts. So if this group of specialized scientists can’t make an estimate, who can make that assessment? Is there any credible source to make an accurate prediction?

The conclusion at this point of time can only be that we do not know the answer to the big question "when".

Now if we don't have an answer to the question "when", then why act? The answer is simple. If we’re talking about security, most take certainty over uncertainty. To answer the question when the threat materializes, we need to guess. Whether you guess soon, or you guess not for the next three decades, both are guesses. Going for certain means you'd have to plan for the worst, hope for the best. No matter how sceptical you are, having some sort of a plan ready is a responsible thing to do. Obviously not if you're just running a blog about knitting. But for systems that carry a lot of important, private and valuable information, planning starts today. The NAS describes it quite well. What they lack in guessing, they make up in advice. They have a very clear advice:

What these organizations both advice is to start taking action. They don't say "implement this type of quantum resistant cryptography now". They don't say when at all. As said before, the "when" question is one that is a hard one to specify. It depends on the system you have, the value of the data, the consequences of postponing a security upgrade. Like I said before: you just run a blog, or a bank or a cryptocurrency? It's an individual risk assesment that's different for every organization and system. Assesments do need to be made now though. What time frame should organisationds think about when changing cryptography? How long would it take to go from the current level of security to fully quantum resistant security? What changes does it require to handle bigger signatures and is it possible to use certain types of cryptography that require to keep state? Do your users need to act, or can al work be done behind the user interface? These are important questions that one should start asking. I will elaborate on these challenges in the next articles.

Besides the unsnswered question on "when", the question on what type of quantum resistant cryptography to use is unanswered too. This also depends on the type of system you use. The NSA and NAS both point to NIST as the authority on developments and standardization of quantum resistant cryptography. NIST is running a competition right now that should end up in one or more standards for quantum resistant cryptography. The NIST competition handles criteria that should filter out a type of quantum resistant cryptography that is feasable for a wide range of systems. This takes time though. There are some new algorithms submitted and assessing the new and the more well known ones must be done thouroughly. They intend to wrap things up around 2022 - 2024. From a blockchain perspective it is important to notice that a specific type of quantum resistant cryptography is excluded from the NIST competition: Stateful Hash-Based Signatures. (LMS and XMSS) This is not because these are no good. In fact they are excelent and XMSS is accepted to be provable quantum resistant. It's due to the fact that implementations will need to be able to securely deal with the requirement to keep state. And this is not a given for most systems.

At this moment NIST intends to approve both LMS and XMSS for a specific group of applications that can deal with the statefull properties. The only loose end at this point is an advice for which applications LMS and XMSS will be adviced and for what applications it is discouraged. These questions will be answered in the beginning of april this year: https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments This means that quite likely LMS and XMSS will be the first type of standardized quantum resistant cryptography ever. To give a small hint: keeping state, is pretty much a naturally added property of blockchain.

**Quantum resistant blockchains**

“Quantum resistant” is only used to describe networks and cryptography that are secure against any attack by a quantum computer of any size in the sense that there is no algorithm known that makes it possible for a quantum computer to break the applied cryptography and thus that system.

Also, to determine if a project is fully quantum resistant, you would need to take in account not only how a separate element that is implemented in that blockchain is quantum resistant, but also the way it is implemented. As with any type of security check, there should be no backdoors, in which case your blockchain would be just a cardboard box with bulletproof glass windows. Sounds obvious, but since this is kind of new territory, there are still some misconceptions. What is considered safe now, might not be safe in the age of quantum computers. I will address some of these in the following chapters, but first I will elaborate a bit about the special vulnerability of blockchain compared to centralized systems.

**Why is it easier to change cryptography for centralized systems such as banks and websites than for blockchain?**

Developers of a**centralized** system can decide from one day to the other that they make changes and update the system without the need for consensus from the nodes. They are in charge, and they can dictate the future of the system. But a **decentralized** blockchain will need to reach consensus amongst the nodes to update. Meaning that the majority of the nodes will need to upgrade and thus force the blockchain to only have the new signatures to be valid. We can’t have the old signature scheme to be valid besides the new quantum resistant signature scheme. Because that would mean that the blockchain would still allow the use of vulnerable, old public- and private keys and thus the old vulnerable signatures for transactions. So at least the majority of the nodes need to upgrade to make sure that blocks which are constructed using the old rules and thus the old vulnerable signature scheme, are rejected by the network. This will eventually result in a fully upgraded network which only accepts the new post quantum signature scheme in transactions. So, consensus is needed. The most well-known example of how that can be a slow process is Bitcoin’s need to scale. Even though everybody agrees on the need for a certain result, reaching consensus amongst the community on how to get to that result is a slow and political process. Going quantum resistant will be no different, and since it will cause lesser performance due to bigger signatures and it will need hardware upgrades quite likely it will be postponed rather than be done fast and smooth due to lack of consensus. And because there are several quantum resistant signature schemes to choose from, agreement an automatic given. The discussion will be which one to use, and how and when to implement it. The need for consensus is exclusively a problem decentralized systems like blockchain will face.

Another issue for decentralized systems that change their signature scheme, is that users of decentralized blockchains will have to manually transfe migrate their coins/ tokens to a quantum safe address and that way decouple their old private key and activate a new quantum resistant private key that is part of an upgraded quantum resistant network. Users of centralized networks, on the other hand, do not need to do much, since it would be taken care of by their centralized managed system. As you know, for example, if you forget your password of your online bank account, or some website, they can always send you a link, or secret question, or in the worst case they can send you mail by post to your house address and you would be back in business. With the decentralized systems, there is no centralized entity who has your data. It is you who has this data, and only you. So in the centralized system there is a central entity who has access to all the data including all the private accessing data, and therefore this entity can pull all the strings. It can all be done behind your user interface, and you probably wouldn’t notice a thing.

And a third issue will be the lost addresses. Since no one but you has access to your funds, your funds will become inaccessible once you lose your private key. From that point, an address is lost, and the funds on that address can never be moved. So after an upgrade, those funds will never be moved to a quantum resistant address, and thus will always be vulnerable to a quantum hack.

To summarize: banks and websites are centralized systems, they will face challenges, but decentralized systems like blockchain will face some extra challenges that won't apply for centralized systems.

**Conclusion**

Bitcoin and all currently running traditional cryptocurrencies are not excluded from this problem. In fact, it will be central to ensuring their continued existence over the coming decades. All cryptocurrencies will need to change their signature schemes in the future. When is the big guess here. I want to leave that for another discussion. There are enough certain specifics we can discuss right now on the subject of quantum resistant blockchains and the challenges that existing blockchains will face when they need to transfer. This won’t be an easy transfer. There are some huge challenges to overcome and this will not be done overnight. I will get to this in the next few articles.

Part 1, what makes blockchain reliable?

Part 2, The two most important mathematical concepts in blockchain.

Part 4A, The advantages of quantum resistance from genesis block, A

Part 4B, The advantages of quantum resistance from genesis block, B

Part 5, Why BTC will be vulnerable sooner than expected.

submitted by QRCollector to CryptoTechnology [link] [comments]
Part 1 here

Part 2 here

The fact that whatever is registered on a blockchain can’t be tampered with is one of the great reasons for the success of blockchain. Looking ahead, awareness is growing in the blockchain ecosystem that quantum computers might cause the need for some changes in the cryptography that is used by blockchains to prevent hackers from forging transactions.

First, let’s get a misconception out of the way. When talking about the risk quantum computers could pose for blockchain, some people think about the risk of quantum computers out-hashing classical computers. This, however, is

This paper explains why: https://arxiv.org/pdf/1710.10377.pdf "In this section, we investigate the advantage a quantum computer would have in performing the hashcash PoW used by Bitcoin. Our findings can be summarized as follows: Using Grover search, a quantum computer can perform the hashcash PoW by performing quadratically fewer hashes than is needed by a classical computer. However, the extreme speed of current specialized ASIC hardware for performing the hashcash PoW, coupled with much slower projected gate speeds for current quantum architectures, essentially negates this quadratic speedup, at the current difficulty level, giving quantum computers no advantage. Future improvements to quantum technology allowing gate speeds up to 100GHz could allow quantum computers to solve the PoW about 100 times faster than current technology.

However, such a development is unlikely in the next decade, at which point classical hardware may be much faster, and quantum technology might be so widespread that no single quantum enabled agent could dominate the PoW problem."

Most blockchains use Elliptic Curve Digital Signature Algorithm (ECDSA) cryptography. Using a quantum computer, Shor's algorithm can be used to break ECDSA. (See for reference: https://arxiv.org/abs/quant-ph/0301141 and pdf: https://arxiv.org/pdf/quant-ph/0301141.pdf ) Meaning: they can derive the private key from the public key. So if they got your public key (and a quantum computer), then they got your private key and they can create a transaction and empty your wallet.

RSA has the same vulnerability while RSA will need a stronger quantum computer to be broken than ECDSA.

At this point in time, it is already possible to run Shor’s algorithm on a quantum computer. However, the amount of qubits available right now makes its application limited. But it has been proven to work, we have exited the era of pure theory and entered the era of practical applications:

- 2001: First execution of Shor's algorithm at IBM's Almaden Research Center and Stanford University. The paper here: (Experimental realization of Shor's quantum factoring algorithm using nuclear magnetic resonance Lieven M. K. Vandersypen, https://arxiv.org/abs/quant-ph/0112176 )
- 2009: Researchers at University of Bristol demonstrate Shor's algorithm on a silicon photonic chip: http://science.sciencemag.org/content/325/5945/1221also the paper here: https://arxiv.org/abs/0911.1242
- IBM on Shor’s: https://quantumexperience.ng.bluemix.net/proxy/tutorial/full-user-guide/004-Quantum_Algorithms/110-Shor's_algorithm.html?highlight=shor

It is however still in development, and only works for 18 binary bits at the time of this writing, but it shows new developments that could mean that, rather than a speedup in quantum computing development posing the most imminent threat to RSA and ECDSA, a speedup in the mathematical developments could be even more consequential. More info on VQF here: https://arxiv.org/abs/1808.08927

It all comes down to this: when your public key is visible, which is always necessary to make transactions, you are at some point in the future vulnerable for quantum attacks. (This also goes for BTC, which uses the hash of the public key as an address, but more on that in the following articles.) If you would have keypairs based on post quantum cryptography, you would not have to worry about that since in that case not even a quantum computer could derive your private key from your public key.

The conclusion is that future blockchains should be quantum resistant, using post-quantum cryptography. It’s very important to realize that post quantum cryptography is not just adding some extra characters to standard signature schemes. It’s the mathematical concept that makes it quantum resistant. to become quantm resistant, the algorithm needs to be changed. “The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm. Even though current, publicly known, experimental quantum computers lack processing power to break any real cryptographic algorithm, many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat.” https://en.wikipedia.org/wiki/Post-quantum_cryptography

To give you an idea what the expectations of quantum computer development are in the field (Take note of the fact that the type and error rate of the qubits is not specified in the article. It is not said these will be enough to break ECDSA or RSA, neither is it said these will not be enough. What these articles do show, is that a huge speed up in development is expected.):

- https://www.nextbigfuture.com/2018/06/intel-superconducting-quantum-technology-could-push-to-1000-qubits-by-2023-and-silicon-spin-qubits-to-1-million-qubits-by-2028.html "It should be about 5 years to 1000 qubit chips with superconducting technology. It should be about 10 years to million qubit chips."
- https://www.technologyreview.com/s/603495/10-breakthrough-technologies-2017-practical-quantum-computers/ "And a million-physical-qubit system, whose general computing applications are still difficult to even fathom? It’s conceivable, says Neven, “on the inside of 10 years.” " (That is Harmut Neven of Google’s quantum computing effort)
- https://www.research.ibm.com/5-in-5/quantum-computing/ IBM believes quantum computers will be mainstream in 5 years. (Meaning outside of research labs, but not necessarily in livingrooms of the average Joe. And no amount of qubits mentioned though)
- https://www.barrons.com/articles/microsoft-we-have-the-qubits-you-want-1519434417 “Five years from now, we will have a commercial quantum computer,” says Holmdahl.
- And those are just the commercial companies. The pentagon sees quantum computing as the next arms race. China is about to pump $10 Billion in a research centre. They won't be open about their developments as Google etc. https://www.nextgov.com/emerging-tech/2018/07/pentagon-seeks-edge-quantum-computing/149718/ It’s not a bad idea to start looking for solutions and new opportunities in blockchain.
- This paper estimates ECDSA being at risk as soon as 2027. https://arxiv.org/pdf/1710.10377.pdf

The National Academy of Sciences (NAS) has made a very thourough report on the development of quantum computing. The report came out in the end of 2018. They brought together a group of scientists of over 70 people from different interconnecting fields in quantum computing who, as a group, have come up with a close to 200 pages report on the development, funding, implications and upcoming challenges for quantum computing development. But, even though this report is one of the most thourough up to date, it doesn't make an estimate on when the risk for ECDSA or RSA would occur. They acknowledge this is quite impossible due to the fact there are a lot of unknowns and due to the fact that they have to base any findings only on publicly available information, obviously excluding any non available advancements from commercial companies and national efforts. So if this group of specialized scientists can’t make an estimate, who can make that assessment? Is there any credible source to make an accurate prediction?

The conclusion at this point of time can only be that we do not know the answer to the big question "when".

Now if we don't have an answer to the question "when", then why act? The answer is simple. If we’re talking about security, most take certainty over uncertainty. To answer the question when the threat materializes, we need to guess. Whether you guess soon, or you guess not for the next three decades, both are guesses. Going for certain means you'd have to plan for the worst, hope for the best. No matter how sceptical you are, having some sort of a plan ready is a responsible thing to do. Obviously not if you're just running a blog about knitting. But for systems that carry a lot of important, private and valuable information, planning starts today. The NAS describes it quite well. What they lack in guessing, they make up in advice. They have a very clear advice:

"Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough—and the time frame for transitioning to a new security protocol is sufficiently long and uncertain—that prioritization of the development, standardization, and deployment of post-quantum cryptography is critical for minimizing the chance of a potential security and privacy disaster."Another organization that looks ahead is the National Security Agency (NSA) They have made a threat assessment in 2015. In August 2015, NSA announced that it is planning to transition "in the not too distant future" (statement of 2015) to a new cipher suite that is resistant to quantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." NSA advised: "For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.” https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography#cite_note-nsa-suite-b-1

What these organizations both advice is to start taking action. They don't say "implement this type of quantum resistant cryptography now". They don't say when at all. As said before, the "when" question is one that is a hard one to specify. It depends on the system you have, the value of the data, the consequences of postponing a security upgrade. Like I said before: you just run a blog, or a bank or a cryptocurrency? It's an individual risk assesment that's different for every organization and system. Assesments do need to be made now though. What time frame should organisationds think about when changing cryptography? How long would it take to go from the current level of security to fully quantum resistant security? What changes does it require to handle bigger signatures and is it possible to use certain types of cryptography that require to keep state? Do your users need to act, or can al work be done behind the user interface? These are important questions that one should start asking. I will elaborate on these challenges in the next articles.

Besides the unsnswered question on "when", the question on what type of quantum resistant cryptography to use is unanswered too. This also depends on the type of system you use. The NSA and NAS both point to NIST as the authority on developments and standardization of quantum resistant cryptography. NIST is running a competition right now that should end up in one or more standards for quantum resistant cryptography. The NIST competition handles criteria that should filter out a type of quantum resistant cryptography that is feasable for a wide range of systems. This takes time though. There are some new algorithms submitted and assessing the new and the more well known ones must be done thouroughly. They intend to wrap things up around 2022 - 2024. From a blockchain perspective it is important to notice that a specific type of quantum resistant cryptography is excluded from the NIST competition: Stateful Hash-Based Signatures. (LMS and XMSS) This is not because these are no good. In fact they are excelent and XMSS is accepted to be provable quantum resistant. It's due to the fact that implementations will need to be able to securely deal with the requirement to keep state. And this is not a given for most systems.

At this moment NIST intends to approve both LMS and XMSS for a specific group of applications that can deal with the statefull properties. The only loose end at this point is an advice for which applications LMS and XMSS will be adviced and for what applications it is discouraged. These questions will be answered in the beginning of april this year: https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments This means that quite likely LMS and XMSS will be the first type of standardized quantum resistant cryptography ever. To give a small hint: keeping state, is pretty much a naturally added property of blockchain.

“Quantum resistant” is only used to describe networks and cryptography that are secure against any attack by a quantum computer of any size in the sense that there is no algorithm known that makes it possible for a quantum computer to break the applied cryptography and thus that system.

Also, to determine if a project is fully quantum resistant, you would need to take in account not only how a separate element that is implemented in that blockchain is quantum resistant, but also the way it is implemented. As with any type of security check, there should be no backdoors, in which case your blockchain would be just a cardboard box with bulletproof glass windows. Sounds obvious, but since this is kind of new territory, there are still some misconceptions. What is considered safe now, might not be safe in the age of quantum computers. I will address some of these in the following chapters, but first I will elaborate a bit about the special vulnerability of blockchain compared to centralized systems.

Developers of a

Another issue for decentralized systems that change their signature scheme, is that users of decentralized blockchains will have to manually transfe migrate their coins/ tokens to a quantum safe address and that way decouple their old private key and activate a new quantum resistant private key that is part of an upgraded quantum resistant network. Users of centralized networks, on the other hand, do not need to do much, since it would be taken care of by their centralized managed system. As you know, for example, if you forget your password of your online bank account, or some website, they can always send you a link, or secret question, or in the worst case they can send you mail by post to your house address and you would be back in business. With the decentralized systems, there is no centralized entity who has your data. It is you who has this data, and only you. So in the centralized system there is a central entity who has access to all the data including all the private accessing data, and therefore this entity can pull all the strings. It can all be done behind your user interface, and you probably wouldn’t notice a thing.

And a third issue will be the lost addresses. Since no one but you has access to your funds, your funds will become inaccessible once you lose your private key. From that point, an address is lost, and the funds on that address can never be moved. So after an upgrade, those funds will never be moved to a quantum resistant address, and thus will always be vulnerable to a quantum hack.

To summarize: banks and websites are centralized systems, they will face challenges, but decentralized systems like blockchain will face some extra challenges that won't apply for centralized systems.

- Updating the signature scheme will need consensus in the sense that all nodes need to update after implementation of a quantum resistant signature scheme.
- Users of blockchain will personally need to move their funds from old addresses to new quantum resistant addresses. You won't need to move your bank funds.
- Lost addresses where people lost access to their funds will never be moved and stay vulnerable to quantum hacks. Blockchain doesn't know their users, can't communicate with them and won't be able to distinguish coins on lost addresses from coins from users who still have access but somehow have not migrated their coins after a quantum resistant update. So burning lost coins will be legally a big issue.

Bitcoin and all currently running traditional cryptocurrencies are not excluded from this problem. In fact, it will be central to ensuring their continued existence over the coming decades. All cryptocurrencies will need to change their signature schemes in the future. When is the big guess here. I want to leave that for another discussion. There are enough certain specifics we can discuss right now on the subject of quantum resistant blockchains and the challenges that existing blockchains will face when they need to transfer. This won’t be an easy transfer. There are some huge challenges to overcome and this will not be done overnight. I will get to this in the next few articles.

Part 1, what makes blockchain reliable?

Part 2, The two most important mathematical concepts in blockchain.

Part 4A, The advantages of quantum resistance from genesis block, A

Part 4B, The advantages of quantum resistance from genesis block, B

Part 5, Why BTC will be vulnerable sooner than expected.

- Is elliptic curve cryptography quantum resistant?
- Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea from that never reusing a private key (and public key since they form a pair) from elliptic curve cryptography would be quantum resistant.)
- Why would Nexus be any differtent?
- Why are WOTS+ signatures (and by extension XMSS) quantum resistant?
- What is WOTS+?
- What are the risks of WOTS+?
- How is XMSS different?

No. Using a quantum computer, Shor's algorithm can be used to break Elliptic Curve Digital Signature Algorithm (ECDSA). Meaning: they can derive the private key from the public key. So if they got your public key, they got your private key, and they can empty your funds. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks https://eprint.iacr.org/2017/598.pdf

Ok, just gonna start with the basics here. Your address, where you have your coins stalled, is locked by your public- private key pair. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. If you got your address and your password, then you can access your mail and send emails (Transactions). Now if there would be a quantum computer, people could use that to calculate your password/ private key, if they have your email address/ public key.

What is the case with BTC: they don't show your public key anywhere, untill you make a transaction. So your public key is private untill you make a transaction. How do they do that while your funds must be registered on the ledger? Wel, they only show the Hash of your public key (A hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output. But everytime you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key IFUHE8392ISHF, while on the chain, they are on G.) So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to.

By the way, in the early days you could use your actual public key as your address. And miners would receive coins on their public key, not on the hashed public key. That is why all the Satoshi funds are vulnerable to quantum attacks even though these addresses have never been used to make transactions from. These public keys are already public instead of hashed. Also certain hard forks have exposed the public keys of unused addresses. So it's really a false sense of security that most people hang on to in the first place.

But it's actually a false sense of security over all.

Since it is impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as you don't make any transaction. Now here follows the biggest misconseption: Pretty much everyone will think, great, so BTC is quantum secure! It's not that simple. Here it is important to understand two things:

1 How is a transaction sent? The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address.

When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction that will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender.

That package ends up carrying roughly the following info: The public key to point to the address where the funds will be coming from, the amount that will be transferred, the public key of the address the funds will be transferred to.

Then this package caries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightfull owner and you can send funds from that public key.

So this package is then sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity." And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.

2 How is a transaction confirmed/ fullfilled and registered on the blockchain?

After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.

If you comprehend the information written above, you can see that there are two moments where you can actually see the public key, while the transaction is not fullfilled and registered on the blockchain yet.

1: during the time the transaction is sent from the sender to the nodes

2: during the time the nodes verify the transaction.

This paper describes how you could hijack a transaction and make a new transaction of your own, using someone elses address to send his coins to an address you own during moment 2: the time the nodes verify the transaction:

https://arxiv.org/pdf/1710.10377.pdf

"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address."

So this means that practically, you can't call BTC a quantum secure blockchain. Because as soon as you will touch your coins and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.

If you ask the wrong person they will tell you "Nexus uses a combination of the Skein and Keccak algorithms which are the 2 recognized quantum resistant algorithms (keccal is used by the NSA) so instead of sha-256, Nexus has SK-1024 making it much harder to break." Which would be the same as saying BTC is quantum resistant because they use a Hashing function to hash the private key as long as no transaction is made.

No, this is their sollid try to be quantum resistant: Nexus states it's different because they have instant transactions (So there wouldn't be a period during which time the nodes verify the transaction. This period would be instant.) Also they use a particular order in which the miners verify transactions: First-In-First-Out (FIFO) (So even if instant is not instant after all, and you would be able to catch a public key and derive the private key, you would n't be able to have your transaction signed before the original one. The original one is first in line, and will therefore be confirmed first. Also for some reason Nexus has standardized fees which are burned after a transaction. So if FIFO wouldn't do the trick you would not be able to use a higher fee to get prioritized and get an earlyer confirmation.

So, during during the time the nodes verify the transaction, you would not be able to hijack a transaction. GREAT, you say? Yes, great-ish. Because there is still moment # 1: during the time the transaction is sent from the sender to the nodes. This is where network based attacks could do the trick:

There are network based attacks that can be used to delay or prevent transactions to reach nodes. In the mean time the transactions can be hijacked before they reach the nodes. And thus one could hijack the non quantum secure public keys (they are openly included in sent signed transactions) who then can be used to derive privatekeys before the original transaction is made. So this means that even if Nexus has instant transactions in FIFO order, it is totally useless, because the public key would be obtained by the attacker before they reach the nodes. Conclusion: Nexus is Nnot quantum resistant. You simply can't be without using a post quantum signature scheme.

Performing a DDoS attack or BGP routing attacks or NSA Quantum Insert attacks on a peer to peer newtork would be hard. But when provided with an opportunitiy to steal billions, hackers would find a way. For example:

https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/

For BTC:

https://eprint.iacr.org/2015/263.pdf

"An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain."

That is exactly the receipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do.

By the way, yes this seems to be fixed now, but it most definately shows it's possible. And there are other creative options. Either you stop tranasctions from the base to get out, while the sender thinks they're sent, or you blind the network and catch transactions there. There are always options, and they will be exploited when billions are at stake. The keys can also be hijacked when a transaction is sent from the users device to the blockchain network using a MITM attack. The result is the same as for network based attacks, only now you don't mess with the network itself. These attacks make it possible to 1) retrieve the original public key that is included in the transaction message. 2) Stop or delay the transaction message to arrive at the blockchain network. So, using a quantum computer, you could hijack transactions and create forged transactions, which you then send to the nodes to be confirmed before the nodes even receive the original transaction. There is nothing you could change to the Nexus network to prevent this. The only thing they can do is implement a quantum resistant signature scheme. They plan to do this in the future, like any other serious blockchain project. Yet Nexus is the only of these future quantum resistant projects to prematurely claim to be quantum resistant. There is only one way to get quantum resistancy: POST QUANTUM SIGNATURE SCHEMES. All the rest is just a shitty shortcut that won't work in the end.

(If you use this info on BTC, you will find that the 10 minutes blocktime that is used to estimate when BTC will be vulnerable for quantum attacks, can actually be more then 10 minutes if you catch the public key before the nodes receive them. This makes BTC vulnerable sooner thatn the 10 min blocktime would make you think.)

By the way, Nexus using FIFO and standadrized fees which are burned after the transaction comes with some huge downsides:

- FIFO: If there are a lot of transactions, there would be nothing you can do to create a faster transaction. If you need a quick transaction during rush hours, you can’t pay a higher fee to get priority.
- Fees are burned after the transactions. This means they are not sent to miners, which would lesser the incentive to mine. Also, because only Blockrewards pay miners, what if the max supply is reached in the future and there is nothing to pay out blockrewards? What would be the incentive to mine or stake?
- The risk that comes with small standardized fees is that when someone is willing to pay to harm or spam your chain, they can force spam or small transactions into the system without you being able to stop them. (Miners wouldn't be able to exclude lower fee transactions containing spam or extremely small amounts meant for clogging the chain)
- Another risk that comes with small standardized fees would be this: How do you prevent big backlog if there is no higher fee incentive for miners at rush hours to come mine? Usually fees follow the free market? So the larger the backlog of transactions, the higher the fees usually are. This then leads to more miners joining in and that way reducing backlog. Having fixed fees would cancel out that possibility. So the risk of backlog would be huge.

First of all, this is where the top notch mathematicians work their magic. Cryptography is mostly maths. As Jackalyst puts it talking about post quantum signature schemes: "Having papers written and cryptographers review and discuss it to nauseating levels might not be important for butler, but it's really important with signature schemes and other cryptocraphic methods, as they're highly technical in nature."

If you don't believe in math, think about Einstein using math predicting things most coudldn't even emagine, let alone measure back then.

Then there is implementing it the right way into your blockchain without leaving any backdoors open.

So why is WOTS+ and by extension XMSS quantum resistant? Because math papers say so. With WOTS it would even take a quantum computer too much time to derive a private key from a public key. https://en.wikipedia.org/wiki/Hash-based_cryptography https://eprint.iacr.org/2011/484.pdf

It's basiclally an optimized version of Lamport-signatures. WOTS+ (Winternitz one-time signature) is a hash-based, post-quantum signature scheme. So it's a post quantum signature scheme meant to be used once.

Because each WOTS publishes some part of the private key, they rapidly become less secure as more signatures created by the same public/private key are published. The first signature won't have enough info to work with, but after two or three signatures you will be in trouble.

IOTA uses WOTS. Here's what the people over at the cryptography subreddit have to say about that:

https://www.reddit.com/crypto/comments/84c4ni/iota_signatures_private_keys_and_address_reuse/?utm_content=comments&utm_medium=user&utm_source=reddit&utm_name=u_QRCollector

With the article:

http://blog.lekkertech.net/blog/2018/03/07/iota-signatures/

Mochimo uses WOTS+. They kinda solved the problem: A transaction consists of a "Source Address", a "Destination Address" and a "Change Address". When you transact to a Destination Address, any remaining funds in your Source Address will move to the Change Address. To transact again, your Change Address then becomes your Source Address.

But what if someone already has your first address and is unaware of the fact you already send funds from that address? He might just send funds there. (I mean in a business environment this would make Mochimo highly impractical.) They need to solve that. Who knows, it's still a young project. But then again, for some reason they also use FIFO and fixed fees, so there I have the same objections as for Nexus.

XMSS uses WOTS in a way that you can actually reuse your address. WOTS creates a quantum resistant one time signature and XMSS creates a tree of those signatures attached to one address so that the address can be reused for sending an asset.

ASC X9 Issues New Standard for Public Key Cryptography/ECDSA. October 6, 2020 By Business Wire. Standard Focuses on Elliptic Curve Digital Signature Algorithm Use. ANNAPOLIS, Md.--(BUSINESS WIRE)--#ECDSA--The Accredited Standards Committee X9 Inc. today announced that it has published a new standard, X9.142, The Elliptic Curve Digital Signature Algorithm (ECDSA). This standard defines a ... Public Key Cryptography in Bitcoin. Public Key Cryptography is an essential part of Bitcoin’s protocol and is used in several places to ensure the integrity of messages created in the protocol. Wallet creation and signing of transactions, which are the core components of any currency rely heavily on public key cryptography. Bitcoin’s protocol uses what’s called the Elliptic Curve Digital ... In Bitcoin, private keys produce a public key via an Elliptical Curve Digital Signature Algorithm, or ECDSA. A private key that is an input for that algorithm will always produce its corresponding public key. However, the public key can never be reverse-engineered to produce its corresponding private key due to the one-sided nature of this algorithm. A Bitcoin private key is usually a 256-bit ... • In Public Key Cryptography one key CAN be made public. In practice this means that – some group of people has it – NO obligation to disclose, to make it really public (and it is almost never done in serious financial applications) 51 • Full disclosure for public keys is unbelievably stupid… – cf. next slide! Open Source Critique Do NOT Disclose Public Keys! • Full disclosure ... Elliptic Curve Digital Signature Algorithm or ECDSA is a cryptographic algorithm used by Bitcoin to ensure that funds can only be spent by their rightful owners. A few concepts related to ECDSA: private key: A secret number, known only to the person that generated it. A private key is essentially a randomly generated number. In Bitcoin, someone with the private key that corresponds to funds on ...

[index] [26905] [39792] [44477] [3442] [51104] [47920] [15325] [17638] [743] [31880]

Welcome to part four in our series on Elliptic Curve Cryptography. I this episode we dive into the development of the public key. In just 44 lines of code, w... We are going to recover a ECDSA private key from bad signatures. Same issue the Playstation 3 had that allowed it to be hacked. -=[ 🔴 Stuff I use ]=- → Micro... Blockchain/Bitcoin for beginners 3: public/private keys, signatures ... Bitcoin 101 - Elliptic Curve Cryptography - Part 4 - Generating the Public Key (in Python) - Duration: 21:22. CRI 26,257 ... Bitcoin ECDSA- Elliptic curve Digital Signature ... Understanding ECC through the Diffie-Hellman Key Exchange - Duration: 11:34. Fullstack Academy 38,997 views. 11:34. Elliptic Curve Cryptography ... Vídeo original: https://youtu.be/iB3HcPgm_FI Welcome to part four in our series on Elliptic Curve Cryptography. I this episode we dive into the development o...