Benjamin, I don't agree that quantum resistance should be a blocker to deployment of scriptless scripts on lightning because 1) it is a layer-2 solution and 2) it already critically depends on the security of DL.
There are arguments against making certain protocol changes to the base Bitcoin blockchain for the reason that they may not be quantum resistant. The most notable is Confidential Transactions. There reason is that the worst case attack is much worse: an attacker could print money freely and without detection. In Bitcoin today, a DL break would compromise funds in any addresses for which the pubkey has been revealed and it's not even clear what to do about the remaining funds on chain. Compromising the fundamental security of the blockchain is a valid cause for concern. In the case of Lightning, the attack scenario on scriptless scripts is that a peer is going to use a quantum computer to steal all live payments routed through them from their senders before they get to the recipient. This would be bad, but not catastrophic, and once it is recognized that the attack is possible, insecure channels could be closed. But furthermore, an attacker with a quantum computer could just steal the multisig funding output directly instead of attacking scriptless scripts. So additional protocol changes relying on the DL assumption don't bother me in the least. On Tue, May 8, 2018, 6:32 AM Benjamin Mord <b...@mord.io> wrote: > > Sorry, I do not wish to spam the list, but I need to correct a rather > serious error in my last email. We must never call something > "post-quantum", absent mathematical proof. (And good luck with that.) I > apologise for my mistake in doing so myself. > > I should not even refer to lattice based cryptography as a post-quantum > algorithm, I should at best call it a Shor's algorithm-resistant scheme. At > least, it is not (yet) known how Shor's algorithm could be used to break > it. Not in public circles, anyhow. > > A cursory glance at the history of cryptanalysis shows that primitives > generally have finite life, which makes it odd that systems seldom use > redundant primitives, and seldom provide for their rapid and safe swap. A > system whose entire security rests on nothing but cryptography, ought to > take particular care! The spectre of quantum computers may render the > finite life of certain primitives more salient than others, but we must not > suppose that, absent Shor's algorithm, there would be no need to plan for > cryptographic failures. The question is not if, but when, Bitcoin and > lightning will contend with broken primitives, whether due to classical or > quantum cryptanalysis. Likely, both will come into play at various times, > and one must plan accordingly. > > On Tue, May 8, 2018, 9:09 AM Benjamin Mord <b...@mord.io> wrote: > >> >> That would be awesome. Do you have a reference? >> >> As pertains to the whole of asymmetric cryptography, I believe there are >> not a variety of post quantum schemes, there is only one*: lattice-based >> cryptography. (Which scares me, because it is not all that different from >> the others.) >> >> (* Actually, in contexts where time can be used for asymmetry, as in >> TESLA, we can then use hash functions to create something like asymmetric >> signatures as well. But the functional context has to be compatible with >> delayed verification.) >> >> (But I do not mean to focus exclusively on Schor's algorithm, the history >> of even pre-quantum cryptanalysis shows that primitives tend to have finite >> lifespan. Redundancy of any sort of good, even when not focused >> specifically on quantum risks.) >> >> On Tue, May 8, 2018, 8:58 AM Greg Sanders <gsander...@gmail.com> wrote: >> >>> From what I understand talking to folks, the linear properties of these >>> signature tricks are maintained under a number of post-quantum schemes. >>> >>> On Tue, May 8, 2018 at 8:44 AM, Benjamin Mord <ben@mord.family> wrote: >>> >>>> >>>> If I'm not mistaken, the scriptless scripts concept (as currently >>>> formulated) falls to Schor's algorithm, and at present there is no >>>> alternative implementation of the concept to fall back on. Correct? Lest we >>>> build a house of cards, I'd strongly urge everyone to not depend on >>>> functional concepts whose underlying cryptographic primitives cannot be >>>> swapped in an emergency. >>>> >>>> Sure, we use ecdsa for example (which is also vulnerable to Schor's >>>> algorithm), but in contrast to scriptless scripts we have a variety of >>>> backup primitives at our disposal that fulfill the same functional >>>> objective. >>>> >>>> If scriptless scripts are found possible under lattice-based >>>> cryptography for example, that would be something I suppose. The functional >>>> concept of scriptless scripts is indeed very awesome - we just need to add >>>> some cryptographic conservatism before we build on it. >>>> >>>> >>>> _______________________________________________ >>>> Lightning-dev mailing list >>>> Lightning-dev@lists.linuxfoundation.org >>>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev >>>> >>>> >>> _______________________________________________ > Lightning-dev mailing list > Lightning-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev >
_______________________________________________ Lightning-dev mailing list Lightning-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
