Notes on the US Grincon
1.28.19
Please send me edits/additional information at @jzlegion on Twitter!
Transcript by Bryan Bishop/@Kanzure: http://diyhpl.us/wiki/transcripts/grincon/2019/
-To break crypto, you need ~100m qubits because of error correction.
-Considering Moore's law, this will take about 30 years. No ECDSA blockchains can be used past this point.
-There's a business case to use post-quantum crypto for data encryption today so that it won't be broken in the future.
-Post Quantum Crypto: cryptography that runs on a classical computer but stays secure even when the adversary has a quantum computer
-Hash based signatures (SHA-256). These signatures are thicc in a bad way. Faster to verify than ECDSA.
-Lattice Based. Finding a solution to a system of linear equations but with small numbers. We're just assuming this is hard. Signatures are thicc but not too thicc. Faster to verify than ECDSA.
-Isogeny Based Crypto. Group actions instead of groups. Thicc signatures.
-Clear need for post quantum sigs that are similar in size/usability to ECDSA
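To make "thicc in a bad way" concrete, here is an added example (not code from the talk or from Grin) of the simplest hash-based scheme, a Lamport one-time signature over SHA-256. It is constructed for illustration: key and signature sizes are measured so they can be set beside ECDSA's 64-byte signature, and verification is nothing but 256 hash calls, which is why such schemes verify fast.

```python
"""Lamport one-time signature over SHA-256: a minimal hash-based scheme.
Constructed example, not code from the talk or from any Grin component."""
import hashlib
import secrets

N = 256  # one preimage pair per bit of the SHA-256 message digest


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    # Private key: 256 pairs of random 32-byte preimages.
    # Public key: the SHA-256 hash of every preimage.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg):
    # Reveal one preimage per digest bit. A second signature with the same
    # key reveals more preimages, which is why the scheme is one-time only.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg, sig):
    # Verification is just re-hashing the revealed preimages: no curve math.
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def sizes(pk, sig):
    """Bytes on the wire for the public key and signature, to compare with
    a 33-byte compressed ECDSA key and a 64-byte ECDSA signature."""
    return sum(len(a) + len(b) for a, b in pk), sum(len(s) for s in sig)


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"kernel excess commitment")
    print("valid:", verify(pk, b"kernel excess commitment", sig))
    print("pubkey bytes, signature bytes:", sizes(pk, sig))
```

Every signature is 8 KB and every public key 16 KB, which is the size problem the notes refer to; schemes like Winternitz and SPHINCS trade extra hashing for smaller signatures but stay well above ECDSA.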
-Post Quantum Accumulators: more efficient proofs than Merkle Trees. Current accumulators are not quantum secure.
-Verifiable Delay Function (Beaconchain) - a way for anyone to generate a puzzle that takes a certain amount of time to solve even with a bunch of computing power. Good for consensus. Uses groups of unknown order. Quantum vulnerable.
-Quantum computers could mess with PoW with a quadratic speedup, using Grover's algorithm. It takes only the square root of the difficulty time. (Difficulty 2^70 takes 2^70 hashes. With Grover's, it takes 2^35.) Haha just kidding, it might not work because of noise. But as engineering gets better, we get closer to 2^35.
-MW is quantum resistant
(This stuff is way beyond me so the accuracy of this section is questionable. Suggestions are super welcome, just tweet me @jzlegion)
-MW has no scripts
-Need to put scripting system semantics into signatures. The answer is Scriptless Scripts.
-MW has a kernel with a kernel proof. This proves the commitment to zero (inputs match outputs) and looks like a multisig.
-Nothing really links the kernel to transactions unless you're running some attack. So how do we attach script info?
-Kernels are Schnorr multisignatures
-Two people add their public keys together. Each creates a partial signature, and the partial signatures are added together into one signature.
-These scripts have deniability. Transcripts of the signatures don't prove anything.
-Limits:
-Only useful for 2-signer protocols
-Needs the publication of complete signatures
-No timelocks
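An added example (not Grin's code, not from the talk) tying the kernel bullet and the Schnorr multisignature bullets together: Pedersen commitments over a throwaway prime-order group, the "commitment to zero" excess that is left when inputs match outputs, and a two-party Schnorr signature on that excess built exactly as the notes describe, by adding public keys, nonces and partial signatures. The group, the second generator H, the blinding factors and the kernel message are all constructed here; Grin itself uses secp256k1.

```python
"""Toy MimbleWimble kernel: Pedersen commitments whose excess is a public key,
signed with a two-party Schnorr multisignature.
Constructed example; not Grin's implementation and not a secure parameter set."""
import hashlib
import secrets


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start=1 << 62):
    """Find q and p = 2q + 1 both prime; the squares mod p form a group of order q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_group()  # assumption: a throwaway 63-bit group, not Grin's curve
G = 4                      # 2^2 is a square, so it generates the order-Q subgroup
# Second generator for values: a hashed square, so nobody knows log_G(H).
H = pow(int.from_bytes(hashlib.sha256(b"toy value generator").digest(), "big"), 2, P)


def commit(value, blind):
    """Pedersen commitment H^value * G^blind (multiplicative notation)."""
    return pow(H, value, P) * pow(G, blind, P) % P


def excess(outputs, inputs):
    """prod(outputs) / prod(inputs). When values balance the H parts cancel,
    leaving G^(sum of output blinds - sum of input blinds): a plain public key."""
    num = den = 1
    for c in outputs:
        num = num * c % P
    for c in inputs:
        den = den * c % P
    return num * pow(den, -1, P) % P


def challenge(R, pubkey, msg):
    data = f"{R}|{pubkey}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def verify(pubkey, msg, sig):
    """Schnorr check: G^s == R * pubkey^e."""
    R, s = sig
    return pow(G, s, P) == R * pow(pubkey, challenge(R, pubkey, msg), P) % P


def two_party_sign(x1, x2, msg):
    """Keys and nonces are added; each side contributes a partial s."""
    k1, k2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    R = pow(G, k1, P) * pow(G, k2, P) % P     # R1 * R2, exchanged before signing
    pub = pow(G, x1, P) * pow(G, x2, P) % P   # P1 * P2, the aggregate key
    e = challenge(R, pub, msg)
    s1 = (k1 + e * x1) % Q                     # sender's partial signature
    s2 = (k2 + e * x2) % Q                     # receiver's partial signature
    return pub, (R, (s1 + s2) % Q)


def demo_transaction():
    """Spend a 50-unit input into 30 for the receiver and 20 change (constructed)."""
    r_in, r_change, r_recv = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    inputs = [commit(50, r_in)]
    outputs = [commit(30, r_recv), commit(20, r_change)]
    x_sender = (r_change - r_in) % Q   # each party only needs its own blinds
    x_receiver = r_recv
    msg = "kernel fee=0"
    pub, sig = two_party_sign(x_sender, x_receiver, msg)
    kernel_ok = excess(outputs, inputs) == pub and verify(pub, msg, sig)
    # Inflate the receiver's output by 1: H no longer cancels, so the excess is
    # not the key the pair signed with and the kernel signature fails.
    inflated = [commit(31, r_recv), commit(20, r_change)]
    inflated_ok = verify(excess(inflated, inputs), msg, sig)
    return kernel_ok, inflated_ok


if __name__ == "__main__":
    print(demo_transaction())  # (True, False)
```

Nothing in the kernel names the inputs or outputs: the verifier only sees a public key and a Schnorr signature, which is the "looks like a multisig" point above. The plain key sum used here is what the notes describe; production schemes such as MuSig additionally hash-tweak each key so one party cannot pick its key as a function of the other's.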