pull down to refresh
how do you think about the risks of using some of these fairly new cryptographic techniques?
The fundamental problems like the endomorphism ring problem are fairly well studied. Not as well-studied as the EC discrete log problem we rely on today but still, I think if isogeny-based schemes are broken, they'll be broken one at a time, by flaws in their security proofs rather than by flaws in the underlying core assumptions of the field.
PRISM is an interesting case study. They have a curious security proof. They make the assumption that it's hard to find prime degree isogenies from an arbitrary curve.
It just so happens that if producing prime-degree isogenies from an arbitrary curve was easy, it would prove SQIsign secure because SQIsign assumes the existence of prime-degree isogeny oracles in their security proofs. So if SQIsign is broken, this would prove no such oracles exist, and that PRISM's assumption is secure. Vice versa, if a prime-degree isogeny oracle does exist it would break PRISM but prove SQIsign secure.
I've heard one of their authors refer to this as "security by common belief". This doesn't necessarily mean that only one OR the other is secure. It's possible that both are secure, but no one knows how to prove it rigidly yet.
Would you feel comfortable using them for Bitcoin in the next year or two (if there was lots of time and energy put into it) or would you want to wait longer?
Personally I see isogeny crypto as a long-term replacement to consider in maybe 10 years or more, not something that should be rushed into consensus.
i don't think waiting is the right thing to do either though. We as a community should be investing in research that shows promise, tech that may play a role in our future. Right now that's what i'm trying to do with my time, and i hope others will join me in that effort so that someday we can still do fun stuff on top of bitcoin's cryptography even after QCs come around.
SQIsign verifies fast but signing takes seconds on current hardware
That's not true anymore. Using Kani's lemma, the SQIsign authors boosted signing speed so it's now much more competitive. The new SQIsign (also known as SQIsign2D-West) can sign in a few tens of milliseconds on a decent CPU.
The primary candidates I know of are SLH-DSA (AKA SPHINCS+) or SHRINCS. You could technically use plain XMSS or even WOTS, but while more space-efficient these algorithms require statefulness.
Personally I would prefer that knotsers delude themselves, and proceed with their soft-fork confident. Gets it over with faster and less contentiously that way.
Fortunately though, you're right. Regular (non bip110) Bitcoin nodes do not simply follow the longest chain- they follow the chain with the most cumulative proof of work. This metric is called "chainwork". It's basically the overall expected number of hashes needed to get to a chain of this size, after all previous difficulty adjustments.
If BIP110 activates without majority hashpower right off the bat, then legacy nodes will (eventually) follow the regular legacy chain as it accumulates more chainwork.
For BIP110 miners to "wipe out" and reorg the legacy chain in the future, as some have conjectured, they must not merely attract a majority of hashpower- they'd have to attract it and keep it for a very long time. The BIP110 miners would need to (on average) compute more hashes than the legacy miners did while the legacy miners had the advantage. The longer it took BIP110 miners to earn their hashpower advantage, the longer the BIP110 miners must maintain it for, to exceed legacy miners' chainwork and cause a reorg for the legacy nodes.
The rules of PoW favor whichever ruleset has more work put into it over time, not just whichever chain has majority hashpower in the moment. Think integrals, not derivatives.
This isn't about a mint stealing funds from its own users. It's about a malicious mint stealing funds from users of another mint. E.g. you trust Alice's mint and have $1000 on there. You don't trust Bob's mint, but someone airdrops you $5 in ecash from Bob's mint. You try to transfer (melt) the ecash to Alice's mint (which you trust) but doing so allows Bob to steal the $1000 of valid ecash that you already had on Alice's mint.
This is partially correct, but it's not the whole picture. Lava's old custody model used DLCs as one component of a complex cross-chain (Solana) multi-transaction smart contract where, in theory, the user would always have a unilateral exit back to Bitcoin when the loan expires. In theory, the user should always be able to get their Bitcoin back in full by repaying the stablecoins on Solana. Vice versa: Lava should always be able to recover the loan capital plus any accrued interest even if the user is malicious.
The problem was, like Spark's protocol, there were many assumptions made to get to that goal. The oracle behaving, the Solana smart contract key staying secure, the closed-source software being authentic, etc. The on-chain protocol itself was as well-designed as it could be, but ultimately brittle and susceptible to subtle implementation bugs or misuse.
If they wanted to, it would've been easy for Lava to rug-pull everyone, which is exactly the same as any other closed-source bitcoin wallet, because of remote code updates, naive users, etc. Lava's CEO Shehzan and I have spoken about this subject quite a bit, and while I'm more optimistic about self-custody than he is, we mostly see eye to eye.
There was no practical path to fixing all of these issues definitively. All the while, if even the smallest bug were to sneak through, if they were hit by a phishing attack, or an NPM supply chain attack, etc, it would lead to a catastrophic hack or lost user funds. This never happened, but it was a factor on their minds.
Knowing this, and also having opportunities to build a better product by doing so... Lava rebuilt everything and moved to an institutional custody model. But unlike most custodians, every user's deposits are kept isolated until they are withdrawn. You can audit on-chain to confirm your collateral isn't being rehypothecated and gambled away SBF-style. You can find more info about their new system here.
Having audited both the old and the new code bases, I would be far more confident using the new platform rather than the old DLC-based on-chain protocol.
Source: I work part time for Lava as a security contractor.
Just based on historical precedent alone, I imagine people would default to whichever fork is more economically popular (larger market cap)
I do really hope that if a fork comes, there isn't a protracted fight over naming rights
I'm happy to report I worked with Ken from paywithmoon to get my coins returned without doxxing myself. Turns out the problem was just old-fashioned buggy chainalysis, big surprise. I verified the source of my funds without KYC and that did the trick. I might give their service another try in the future, but when I do i'll make sure I deposit only with Lightning where chainalysis flagging me is less of a concern.
Neat, but it's nothing new IMO. To me this appears functionally the same as an HTLC with a really long delayed-activation timeout path, and with a 2-of-2 key-spend path where the server gives its half of the signing key to the user after the preimage is revealed.
I won't comment on the code, as it's clearly still in early development stages. But i will mention some gaps in the protocol which could become vulnerabilities if not filled in correctly.
the user optimistically hopes the preimage given by the server in step 8 of the protocol is also the private key to the public key which, when tweaked with the user’s pubkey, yields the key required for spending the money via the keypath
This must be done carefully using musig or some other key aggregation scheme. If they use naive point addition to perform this "tweak" as he calls it, the two parties could defraud each other using key-cancellation attacks.
User waits for the funding tx to confirm, verifies that the smart contract contains the exact amount needed for the swap (and that the funding utxo is the one they expected), and pays the lightning invoice
The protocol doesn't describe how it handles uncooperative LN edgecases. What if the server doesn't cooperatively disclose the preimage in a timely manner? If the in-flight LN HTLCs need to be settled on-chain, they can take weeks to resolve if the LN onion route is long enough - potentially long enough for the server to claw back the coins in the smart contract while also claiming the LN HTLC (the user gets shorted).
When paying the invoice, the user must set up proper CLTV limits which ensure the user will learn the preimage well before the server has a chance to sweep the on-chain coins back with the tx1 -> tx2 timeout path.
As soon as they pay the lightning invoice, they have everything they need to spend the money to whatever address they want, whenever they want. Nothing bad can happen.
I would be wary of this pitch. The user clearly has a liveness requirement similar to LN, or else the server can steal the money back. I'm not saying a liveness requirement is bad - but it's not the same custody profile as a two-stage HTLC, so it's silly to compare them the way he does in the readme. The user's funds are still at risk until she moves the coins out of the smart contract, and only then may she safely go offline (just like an HTLC).
Hey stackers, posting to update anyone reading this 5+ days later. My money is still locked in moon sadly. I have received no reply from their team or CEO.
NYKNYC rings truer every day.
First, let me apologize on behalf of bitcoiners everywhere for your IRL frustrations, and for the terrible advice given by my peers in other comments here. Bitcoiners can be a bit dramatic at times, and sometimes feel so righteously invigorated by their beliefs that they forget they can be wrong and do wrong.
You've done nothing unreasonable here. Maybe you should've had a talk with your hubby earlier, but you didn't, and eventually temper got the better of you. It's OK, it happens to us all sometimes.
The important thing is that you and he have a frank and honest discussion once both of you have calmed down. If the snap was on 4th of July, i'd say you're overdue for a good sit-down chat, assuming you otherwise haven't talked about it yet. I think both of you have reason to apologize.
I can't give you the "magic words" because after 9 years' marriage, you likely know him better than anyone else, including anyone on this website or anyone on his podcast.
My only advice is: When/if he asks you why you don't want to listen to his podcast, don't let him press you for constructive criticism - it may not end well. Just say "it's not my thing". Sounds like the podcast means a lot to him. He needs to understand that you support him and his podcasting in a way that doesn't involve you listening to it.
Good luck!
Thanks for posting here. I replied to the email ticket with a detailed description of my coins' origin.
They came from my employer originally. I used them to buy XMR on an instant-exchange before depositing some of the BTC change into PayWithMoon, so maybe that's the cause of the flag. Chainalysis will sometimes flag coins even if they don't directly originate from a known "bad" source - One of their many flawed heuristics which lead to situations like this.
I appreciate that your business has to comply with KYC laws to keep the governement off your back. We can all agree KYC/AML sucks, and I can live with being denied access sometimes, but opaque rug-pulling isn't an acceptable solution. If your team had simply refunded my coins I would've had no cause to complain. Instead they stonewall me, effectively saying "Your money belongs to us now, unless you KYC."
It sucks that I have to complain publicly to get any recourse. I hope you can train your team to deal with these situations better, and I hope we can come to a resolution where I can get my money back without doxxing myself. Let's take the rest to email.
Hey there, quantum cryptography researcher here. I've written extensively on the subject: #735909 #1288781 #1453183 #1419471
Nobody can answer the question "When will quantum computers be powerful enough to threaten classical cryptography?". You're right to be skeptical of anyone who claims the threat is imminent without proof. But i would like to dispell a few inaccurate notions in your post and its comments.
First, facts only:
Now some corrections:
We do not need to change Bitcoin's block-mining hash algorithm any time soon. Grover's Algorithm gives at best a mild speedup over classical computers. IF in the distant future quantum computers start threatening classical mining, they will be a centralizing force (due to the nature of QCs, see https://stephanlivera.com/episode/670/), and we should soft fork in a change of hash algorithm (no hard fork needed).
There are quantum-resistant sidechains pegged to bitcoin, but their bridges are still vulnerable to sufficiently advanced quantum computers. At best they are a stopgap. There are suggestions which use newly proposed opcodes like OP_CAT to implement PQ-safe address formats. There are BIPs currently being drafted which may someday introduce explicit PQ-safe cryptography opcodes.
But AFAIK there is no consensus mechanism on bitcoin (mainnet) in existence today which fully secures coins against big quantum computers (QCs). At best you can avoid being the low-hanging fruit by using hashed addresses and spreading your coins out among many smaller UTXOs.
Correct, but that's not why people are worried.
In total about a third of all bitcoins which will ever exist are currently locked to pubkeys which are exposed on-chain. Even if your coins stay secure in a hashed address, a QC could steal a large portion of the Bitcoin supply because many coins are pubkey-exposed, and are (conjecturally) held by dead hands who can make no moves to rescue them. So this inheritance falls to the first organization to aim a sufficiently big QC at it.
The FUD comes from the idea of supply flooding: That if a QC attacker wanted to, they could flood the market selling stolen dormant bitcoins and crash the value of bitcoin, at least in the short term.
Whether this would actually happen is unknown - We can't know what the motivation of a QC attacker would be (see this article for an examination of that question), or what legal precedent such an attacker would use to justify mass theft, or whether exchanges would permit such high volume from a single customer who is clearly malicious. I think most of the FUD comes from fear of the many unknown outcomes of that scenario.
The good news is that scalable and quantum-safe signature schemes exist, which can replace the current quantum-vulnerable scheme used today, and they're only going to get better. So most people have no reason to worry. Just hodl tight in hashed addresses and move to PQ-safe addresses once they become available.