PQ signatures are significantly larger than regular ECDSA signatures used today. This proposal builds on BIP-360, which suggests a witness discount increase to mitigate this (not precisely specified, but external discussions by the author have suggested 16-64x). A discount would mean larger blocks, while no discount would mean higher transaction fees and even lower on-chain throughput. Are we entering a new blocksize war? A 64MB block size, in exchange for defense against a vulnerability that at this moment remains hypothetical, seems unlikely to pass without some controversy.
As long as a ZK recovery path is provided, this stays true to the ethos. The ethos was never“if it breaks we won’t fix it”. Responsible handling of this issue does not have to distort the ledger.
OTOH, if they freeze vulnerable wallets and don’t provide a recovery path, then Bitcoin becomes just another, less useful ethereum where intervention in the ledger is to be expected.
how do you secure this zk recovery path? can’t prove that only the hash of the pubkey was ever revealed (and thus that the secret key couldn’t be computed from the pubkey — as it was not available)
Idk, it’s also confusing to me. “I have been told” by someone who knows a lot more about cryptography than most people (including me) that it should be possible to, but I can’t see how because I suppose if you could spend the coins it means you must have the private key? But maybe it is actually possible to spend the coins without reverse engineering the actual private key, but rather only by faking the signature?
This would be interesting to see. Hopefully everyone who is sitting on their coins hears about this and moves them, then we'll really see how many coins are dead.
It depends. If miners handle this in a manner true to the ethos, it’s a nothing burger, just things working as intended. If they opt to burn legacy coins, then the chain will split and we will see what fork is deemed more valuable, and a bunch of new value will be sucked out of fiat in the process.
PQ signatures are significantly larger than regular ECDSA signatures used today. This proposal builds on BIP-360, which suggests a witness discount increase to mitigate this (not precisely specified, but external discussions by the author have suggested 16-64x). A discount would mean larger blocks, while no discount would mean higher transaction fees and even lower on-chain throughput. Are we entering a new blocksize war? A 64MB block size, in exchange for defense against a vulnerability that at this moment remains hypothetical, seems unlikely to pass without some controversy.
As long as a ZK recovery path is provided, this stays true to the ethos. The ethos was never“if it breaks we won’t fix it”. Responsible handling of this issue does not have to distort the ledger.
OTOH, if they freeze vulnerable wallets and don’t provide a recovery path, then Bitcoin becomes just another, less useful ethereum where intervention in the ledger is to be expected.
how do you secure this zk recovery path? can’t prove that only the hash of the pubkey was ever revealed (and thus that the secret key couldn’t be computed from the pubkey — as it was not available)
Idk, it’s also confusing to me. “I have been told” by someone who knows a lot more about cryptography than most people (including me) that it should be possible to, but I can’t see how because I suppose if you could spend the coins it means you must have the private key? But maybe it is actually possible to spend the coins without reverse engineering the actual private key, but rather only by faking the signature?
IDK.
This would be interesting to see. Hopefully everyone who is sitting on their coins hears about this and moves them, then we'll really see how many coins are dead.
And no-one cares (about how significant this is).
It depends. If miners handle this in a manner true to the ethos, it’s a nothing burger, just things working as intended. If they opt to burn legacy coins, then the chain will split and we will see what fork is deemed more valuable, and a bunch of new value will be sucked out of fiat in the process.
so much for decentalization
Um… the miners choose what forks to accept. Devs do not have the say. Miners do. Decentralization is intact, insofar as mining is decentralized.