Quantum computing and Bitcoin - Bitcoin Wiki

Technical: Taproot: Why Activate?

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

submitted by almkglor to Bitcoin [link] [comments]

Quantum Resistance

Before jumping to conclusions about this post, know that I am not looking to spread any FUD but rather am trying to understand a forthcoming risk and potential solutions from an unbiased standpoint. My research has not yielded any definitive answer so I am turning here to seek direction from those more knowledgable than me.
--
When it comes to predicting quantum computing's ability to break Bitcoin cryptographically, I've seen estimates as small as two years and as large as 25 years. Either way, it is easily conceivable that quantum processors will improve to the point of threatening Bitcoin as a reliable form of currency and store of value.
One way to prevent vulnerability to quantum threats is by storing Bitcoin in an address that has only ever received Bitcoin and never sent it. Although, this is an unrealistic mitigant for an asset/currency that is intended to be bought and sold, for all trust will be lost in the network once quantum computing becomes powerful enough to hack Bitcoin. Nobody will place any value in a currency that can be hacked by sending a transaction.
Another argument I've seen is that once quantum computing is strong enough to hack Bitcoin's cryptography, Bitcoin will be a non-factor compared to the other digital security breakdowns that will have transpired. For example, nuclear codes, bank accounts, digital privacy, etc. However, those centralized networks will have the ability to preemptively update their internal security to the standard required in a quantum computing world. In a similar manner, cryptocurrency and blockchain as a whole will survive such transition via improved cryptography.
But when it comes to Bitcoin specifically, will it be possible to generate consensus among the miners to switch to a quantum resistant protocol? My research has found conflicting perspectives - one side being that in order to upgrade Bitcoin's security, it would require manual movement of coins to a new address by all users, and a burning of the coins that did not move after a "sufficient" amount of time. Burning one's assets would undoubtedly not hold in a court of law. Even if we are still several years away, an unsolvable existential threat on the horizon would be priced into the value of Bitcoin and drive it down to zero.
With that being said, are there any feasible solutions to bring Bitcoin to quantum resistance? How can Bitcoin survive this threat in the long run? What is being done currently to resolve such problem?
submitted by fuegoblue to Bitcoin [link] [comments]

[ Bitcoin ] Technical: Taproot: Why Activate?

Topic originally posted in Bitcoin by almkglor [link]
This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given private key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

almkglor your post has been copied because one or more comments in this topic have been removed. This copy will preserve unmoderated topic. If you would like to opt-out, please send a message using [this link].
[deleted comment]
[deleted comment]
[deleted comment]
submitted by anticensor_bot to u/anticensor_bot [link] [comments]

What is Blockchain Technology?

What is Blockchain Technology?
The original article appeared here: https://www.securities.io/what-is-blockchain-technology/
Its been almost ten years since Satoshi Nakamoto first introduced Blockchain technology to the world in his 2008 Bitcoin Whitepaper. Since that time, these revolutionary networks have gained popularity in both the corporate and governmental sectors. This growth is easily explained when you consider that blockchain technology provides the world with some unique advantages that were previously unimaginable. Consequently, today, you can find blockchain technology in nearly every sector of the global economy.

What is Blockchain Technology?

A blockchain is a network of computers that share a distributed ledger across all network participants (nodes). This strategy is far different than say, fiat currencies that originate from a centralized authority figure. Importantly, this ledger keeps an unbroken chain of transactions since the birth of the network. This “chain” of transactions grows larger as new “blocks” of transactions are approved and added to it.
Bitcoin Whitepaper
In order to approve new transactions, each node works together with others to validate new blocks. Additionally, the nodes also validate the current state of the entire blockchain. In order for a new block of transactions to be added to the blockchain, they must receive approval from 51% of the network’s nodes. Nodes are also referred to as miners. In this manner, blockchain networks are decentralized networks that provide unmatched security to the world of digital assets.

Security via Decentralization

Decentralization is an important aspect of blockchain technology because it makes these revolutionary ledgers immutable and unalterable. In fact, since there is no centralized attack vector, hacking a blockchain is nearly impossible. The larger the blockchain network, the more secure the data on it remains.
For example, let’s look at the world’s largest blockchain, Bitcoin. Currently, the Bitcoin blockchain has over 10,000 active nodes located across the globe. This distribution means that in order for an attacker to alter even just one tiny piece of information on the blockchain, they would need to successfully hack 5,000+ computers at once.
While this task may not be impossible for the quantum computers of the future, it’s so unprofitable that it makes no sense to even attempt such a monumental task. Additionally, on top of successfully hacking 5000+ computers at once, an attacker would also need a supercomputer to recalculate the new blockchain transactions in time to introduce them into the network. It would literally be more affordable to create a new cryptocurrency from scratch.

Consensus Mechanisms

One of the reasons why blockchain networks are so secure is the integration of consensus mechanisms. Consensus mechanisms are cryptographic protocols that leverage the participants of a blockchain network in securing its data. In the case of Bitcoin, the Proof-of-Work (PoW) consensus mechanism is used.

Proof-of-Work (PoW)

The Proof-of-Work consensus mechanism was revolutionary to the world of cryptography when it was first introduced years prior by Adam Back in his Hashcash whitepaper. In the concept, Back describes the integration of a mathematical equation to the network’s security protocols. In this way, every computer can show “proof” of their work securing the network.

Miner Rewards

It’s important to understand that nodes receive a reward for their mining efforts. These rewards adjust automatically depending on the network’s difficulty and value. In the case of Bitcoin, miners originally received 50 Bitcoin for their efforts. Today, this seems like fortune, but back in 2009, Bitcoin was only worth pennies. As the value of the token rises and the network goes, the mining rewards shrink. Today, Bitcoin miners receive 6.5 BTC if they add the next block to the chain.

SHA-256

Notably, every node validates and secures the blockchain, but only one gets to add the next block of transactions to the network. To determine who the next miner is that gets to add this block, every computer competes in a mathematical race to figure out the PoW equation. In the case of Bitcoin, the equation is known as SHA-256. Importantly, the first SHA algorithm dates back to Hashcash. This early version of the equation was known as SHA-1.
Notably, the SHA-256 equation is so difficult that it’s easier and more efficient for your computer to just make random guesses rather than attempting to figure out the equation directly. The answer to the equation must begin with a predetermined amount of 0s. In the Bitcoin blockchain, the equation’s answer must start with four zeros. However, if the network’s congestion rises, so does the difficulty of these equations. This difficulty adjusts by the addition of another zero at the beginning of the required SHA-256 answer.
Similarly to traditional commodities such as gold, there are costs that are associated with the creation and introduction of these digital assets into the market. These random guesses utilize intense computational power. This power equates to real-world costs such as electricity bills. Studies have shown that securing the Bitcoin network can use more electricity than required by entire countries. Luckily, over 80% of Bitcoin’s power consumption comes from renewable sources such as solar or hydroelectric. This cost of mining also adds measurable value to each Bitcoin.

Miners

As Bitcoin began to gain in profitability, its network’s computing power expanded significantly. In the beginning, nodes, also known as miners, could mine for Bitcoin using nothing more than your home PC. Eventually, miners realized that graphic cards were far better at the repetitive guessing required to figure out the SHA-256 algorithm. This led to a computational race in the market.

ASIC

Eventually, large blockchain firms such as Bitmain introduced Application Specific Integrated Circuit (ASIC) miners into the equation. These purpose-built miners were thousands of times more efficient at guessing the SHA-256 algorithm than the GPUs and CPUs before them. Consequently, their introduction created a scenario in which the average miner now needed to invest thousands in mining equipment to stay relevant.

Mining Pools

Luckily, some creative minds in the field began to think of ways to level the playing field out again. They developed “mining pools.” A mining pool is a network of miners that all share computational power for the common goal of mining blockchain transactions. Importantly, mining pool participants receive a percentage of the reward based on their contributions to the network’s overall hash (computational power).
Importantly, over the last three years, there has been a push to move away from power-hungry consensus mechanisms such as PoW. This desire to secure blockchains in a more efficient manner has led to the development of some truly unique consensus mechanisms in the sector.

Proof-of-Stake (PoS)

The Proof-of-Stake mechanism does away with the difficult mathematical algorithms and instead utilizes a more psychological approach to securing the network. In a PoS blockchain, users don’t need to compete mathematically to add the next block to the blockchain. Instead, PoS users “stake” their coins via network wallets to secure the network. The way staking works is simple.
Keeping a certain amount of coins in your wallet allows you to participate in transaction validations. The more coins you stake, the more likely the chances are you get to add the next block of transactions to the network. In most PoS systems, a miner from those with the most tokens staked at the time receives the chance to add the blocks.
The advantages of a PoS consensus mechanism are immediately evident. For one, you don’t need to pour tons of resources into your network to keep it safe. Additionally, since nodes are chosen based on their amount of staked coins, there is never a scenario in which a node gains anything from validating incorrect transactions. Basically, a hacker would have to fully invest in the cryptocurrency prior to attacking the network. In this way, PoS systems create a huge deterrent to attackers.

The Future of Blockchain Technology

Blockchain technology has come a long way from its early days as a means to secure cryptocurrency networks. Today, blockchain technology has numerous uses across every type of industry imaginable. Specifically, blockchain programs have impacted the logistical, financial, and data security sectors in a major way.

Blockchain Technology Logistics

Blockchain logistical systems are more efficient and cost-effective to operate than traditional paper-based models. In fact, the immutable and unalterable nature of blockchain tech makes it ideally suited to logistical tasks. Soon, you may be able to ascertain much more information regarding the creation and delivery of your products thanks to these new-age systems emerging.

Fundraising

Blockchain technology has also altered the way in which businesses raise funds. In a traditional corporate crowdfunding strategy such as an IPO, companies must balance between cost-effectiveness and participation. The inability to process smaller transactions meant that for the longest time, companies had to turn away potential investors. Nowadays, blockchain technology enables businesses to easily automate these procedures via smart contracts.

Smart Contracts

Smart Contracts feature preprogrammed protocols that execute when they receive a certain amount of cryptocurrency sent to their address. These contracts live on the blockchain and enable remarkable functionality. For example, in the case of fundraising, a smart contract can automate processes such as the approval of investors and the distribution of funds.

Blockchain Technology Today

You can expect to see further expansion of the blockchain sector in the coming months as more governments and institutions explore its benefits. For now, the blockchain revolution is well underway.
submitted by BlockDotCo to u/BlockDotCo [link] [comments]

Any thoughts about making Tezos Quantum Resistant?

There is this quote in Wikipedia regarding btc Proof of Work:
"The Proof of Work involved in cryptography could also become easier with the use of a sufficiently large quantum computer.[6] For example, Bitcoin's block validation is essentially a trial and error problem that, on average, takes N number of tries.[6] In this case, N is the number of possible nonces someone must check before coming across the correct one.[6] For Bitcoin, although it varies depending on the current state of the network, there were roughly 2{75} nonces on July 15th, 2019.[47] Given a quantum computer can find an appropriate nonce in sqrt {N} operations, it would only take sqrt 2{75} operations for a quantum miner to validate a block.[6] This equates to quantum computers being 2{37.5}, or approx 194 Billion times more efficient at mining Bitcoin.[6]"
I dont know how the stats are if applied to Tezos, but quantum computers are just a few years away. How could Tezos be affected, and how could the protocol be adjusted to the threat?
One nice thing is that the governance model would allow easy changes!
submitted by celentano1234 to tezos [link] [comments]

A couple questions...

I'm getting to a layman's understanding of the tech aspects of BTC...
Exactly what role does encryption play in BTC?
At the current rate of growth for computing power at what date is it estimated that is BTC encryption is beatable? My understanding is that the only way this could occur is if someone could recreate the entire block chain in less than 10 minutes and distribute it? Is this the only way?
What are the ramifications of cracking BTC's encryption?
Have any solutions been postulated assuming that this is inevitable?
submitted by utstroh to BitcoinDiscussion [link] [comments]

IOTA and Tangle discussion/info, scam or not?

In the past weeks I heard a lot pros and cons about IOTA, many of them I believe were not true (I'll explain better). I would like to start a serious discussion about IOTA and help people to get into it. Before that I'll contribute with what I know, most things that I will say will have a source link providing some base content.
 
The pros and cons that I heard a lot is listed below, I'll discuss the items marked with *.
Pros
Cons
 

Scalability

Many users claim that the network infinitely scales, that with more transactions on the network the faster it gets. This is not entirely true, that's why we are seeing the network getting congested (pending transactions) at the moment (12/2017).
The network is composed by full-nodes (stores all transactions), each full-node is capable of sending transactions direct to the tangle. An arbitrary user can set a light-node (do not store all transactions, therefore a reduced size), but as it does not stores all transactions and can't decide if there are conflicting transactions (and other stuff) it needs to connect to a full-node (bitifinex node for example) and then request for the full-node to send a transaction to the tangle. The full-node acts like a bridge for a light-node user, the quantity of transactions at the same time that a full-node can push to the tangle is limited by its brandwidth.
What happens at the moment is that there are few full-nodes, but more important than that is: the majority of users are connected to the same full-node basically. The full-node which is being used can't handle all the requested transactions by the light-nodes because of its brandwidth. If you are a light-node user and is experiencing slow transactions you need to manually select other node to get a better performance. Also, you need to verify that the minimum weight magnitude (difficulty of the Hashcash Proof of Work) is set to 14 at least.
The network seems to be fine and it scales, but the steps an user has to make/know are not friendly-user at all. It's necessary to understand that the technology envolved is relative new and still in early development. Do not buy iota if you haven't read about the technology, there is a high chance of you losing your tokens because of various reasons and it will be your own fault. You can learn more about how IOTA works here.
There are some upcoming solutions that will bring the user-experience to a new level, The UCL Wallet (expected to be released at this month, will talk about that soon and how it will help the network) and the Nelson CarrIOTA (this week) besides the official implementations to come in december.
 

Centralization

We all know that currently (2017) IOTA depends on the coordinator because the network is still in its infancy and because of that it is considered centralized by the majority of users.
The coordinator are several full-nodes scattered across the world run by the IOTA foundation. It creates periodic Milestones (zero value transactions which reference valid transactions) which are validated by the entire network. The coordinator sets the general direction for the tangle growth. Every node verifies that the coordinator is not breaking consensus rules by creating iotas out of thin air or approving double-spendings, nodes only tells other nodes about transactions that are valid, if the Coordinator starts issuing bad Milestones, nodes will reject them.
The coordinator is optional since summer 2017, you can choose not implement it in your full-node, any talented programmer could replace Coo logic in IRI with Random Walk Monte Carlo logic and go without its milestones right now. A new kind of distributed coordinator is about to come and then, for the last, its completely removal. You can read more about the coordinator here and here.

Mining-Blockchain-based Cryptocurrencies

These are blockchain-based cryptocurrencies (Bitcoin) that has miners to guarantee its security. Satoshi Nakamoto states several times in the Bitcoin whitepaper that "The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes". We can see in Blockchain.info that nowadays half of the total hashpower in Bitcoin is controlled by 3 companies (maybe only 1 in the future?). Users must trust that these companies will behave honestly and will not use its 50%> hashpower to attack the network eventually. With all that said it's reasonable to consider the IOTA network more decentralized (even with the coordinator) than any mining-blockchain-based cryptocurrency
You can see a comparison between DAG cryptocurrencies here
 

IOTA partnerships

Some partnerships of IOTA foundation with big companies were well known even when they were not officialy published. Some few examples of confirmed partnerships are listed below, others cofirmed partnerships can be seem in the link Partnerships with big companies at the pros section.
So what's up with all alarming in social media about IOTA Foundation faking partnerships with big companies like Microsoft and Cisco?
At Nov. 28th IOTA Foundation announced the Data Marketplace with 30+ companies participating. Basically it's a place for any entity sell data (huge applications, therefore many companies interested), at time of writing (11/12/2017) there is no API for common users, only companies in touch with IOTA Foundation can test it.
A quote from Omkar Naik (Microsoft worker) depicted on the Data Marketplace blog post gave an idea that Microsoft was in a direct partnership with IOTA. Several news websites started writing headlines "Microsoft and IOTA launches" (The same news site claimed latter that IOTA lied about partnership with Microsoft) when instead Microsoft was just one of the many participants of the Data Marketplace. Even though it's not a direct partnership, IOTA and Microsoft are in close touch as seen in IOTA Microsoft and Bosch meetup december 12th, Microsoft IOTA meetup in Paris 14th and Microsoft Azure adds 5 new Blockchain partners (may 2016). If you join the IOTA Slack channel you'll find out that there are many others big companies in close touch with IOTA like BMW, Tesla and other companies. This means that right now there are devs of IOTA working directly with scientists of these companies to help them integrate IOTA on their developments even though there is no direct partnership published, I'll talk more about the use cases soon.
We are excited to partner with IOTA foundation and proud to be associated with its new data marketplace initiative... - Omkar Naik
 

IOTA's use cases

Every cryptocurrency is capable of being a way to exchange goods, you pay for something using the coin token and receive the product. Some of them are more popular or have faster transactions or anonymity while others offers better scalablity or user-friendness. But none of them (except IOTA) are capable of transactioning information with no costs (fee-less transactions), in an securely form (MAM) and being sure that the network will not be harmed when it gets more adopted (scales). These characteristics open the gates for several real world applications, you probably might have heard of Big Data and how data is so important nowadays.
Data sets grow rapidly - in part because they are increasingly gathered by cheap and numerous information-sensing Internet of things devices such as mobile devices, aerial (remote sensing), software logs, cameras, microphones, radio-frequency identification (RFID) readers and wireless sensor networks.
 
It’s just the beginning of the data period. Data is going to be so important for human life in the future. So we are now just starting. We are a big data company, but compared to tomorrow, we are nothing. - Jack Ma (Alibaba)
There are enormous quantities of wasted data, often over 99% is lost to the void, that could potentially contain extremely valuable information if allowed to flow freely in data streams that create an open and decentralized data lake that is accessible to any compensating party. Some of the biggest corporations of the world are purely digital like Google, Facebook and Amazon. Data/information market will be huge in the future and that's why there so many companies interested in what IOTA can offer.
There are several real world use cases being developed at the moment, many of them if successful will revolutionize the world. You can check below a list of some of them.
Extra
These are just few examples, there are a lot more ongoing and to explore.
 

IOTA Wallet (v2.5.4 below)

For those who have read a lot about IOTA and know how it works the wallet is fine, but that's not the case for most users. Issues an user might face if decide to use the current wallet:
Problems that could be easily avoided with a better understand of the network/wallet or with a better wallet that could handle these issues. As I explained before, some problems during the "congestion" of the network could be simply resolved if stuff were more user-friendly, this causes many users storing their iotas on exchanges which is not safe either.
The upcoming (dec 2017) UCL Wallet will solve most of these problems. It will switch between nodes automatically and auto-reattach transactions for example (besides other things). You can have full a overview of it here and here. Also, the upcoming Nelson CarrIOTA will help on automatic peer discovery for users setup their nodes more easily.
 

IOTA Vulnerability issue

On sept 7th 2017 a team from MIT reported a cryptographic issue on the hash function Curl. You can see the full response of IOTA members below.
Funds were never in danger as such scenarios depicted on the Neha's blogpost were not pratically possible and the arguments used on the blogpost had'nt fundamentals, all the history you can check by yourself on the responses. Later it was discovered that the whole Neha Narula's team were envolved in other concurrent cryptocurrency projects
Currently IOTA uses the relatively hardware intensive NIST standard SHA-3/Keccak for crucial operations for maximal security. Curl is continuously being audited by more cryptographers and security experts. Recenlty IOTA Foundation hired Cybercrypt, the world leading lightweight cryptography and security company from Denmark to take the Curl cryptography to its next maturation phase.
 
It took me a couple of days to gather the informations presented, I wanted it to make easier for people who want to get into it. It might probably have some mistakes so please correct me if I said something wrong. Here are some useful links for the community.
This is my IOTA donation address, in case someone wants to donate I will be very thankful. I truly believe in this project's potential.
I9YGQVMWDYZBLHGKMTLBTAFBIQHGLYGSAGLJEZIV9OKWZSHIYRDSDPQQLTIEQEUSYZWUGGFHGQJLVYKOBWAYPTTGCX
 
This is a donation address, if you want to do the same you might pay attention to some important details:
  • Create a seed for only donation purposes.
  • Generate a address and publish it for everyone.
  • If you spend any iota you must attach a new address to the tangle and refresh your donation address published before to everyone.
  • If someone sends iota to your previous donation address after you have spent from it you will probably lose the funds that were sent to that specific address.
  • You can visualize how addresses work in IOTA here and here.
This happens because IOTA uses Winternitz one-time signature to become quantum resistent. Every time you spend iota from a address, part of the private key of that specific address is revealed. This makes easier for attackers to steal that address balance. Attackers can search if an address has been reused on the tangle explorer and try to brute force the private key since they already know part of it.
submitted by mvictordbz to CryptoCurrency [link] [comments]

Is Crypto Currency truly at risk due to Quantum Computers, and what can you do about it?

Is Crypto Currency truly at risk due to Quantum Computers, and what can you do about it?

There is no denying that the Quantum revolution is coming. Security protocols for the internet, banking, telecommunications, etc... are all at risk, and your Bitcoins (and alt-cryptos) are next!
This article is not really about quantum computers[i], but, rather, how they will affect the future of cryptocurrency, and what steps a smart investor will take. Since this is a complicated subject, my intention is to provide just enough relevant information without being too “techy.”

The Quantum Evolution

In 1982, Nobel winning physicist, Richard Feynman, hypothesized how quantum computers[ii] would be used in modern life.
Just one year later, Apple released the “Apple Lisa”[iii] – a home computer with a 7.89MHz processor and a whopping 5MB hard drive, and, if you enjoy nostalgia, it used 5.25in floppy disks.
Today, we walk around with portable devices that are thousands of times more powerful, and, yet, our modern day computers still work in a simple manner, with simple math, and simple operators[iv]. They now just do it so fast and efficient that we forget what’s happening behind the scenes.
No doubt, the human race is accelerating at a remarkable speed, and we’ve become obsessed with quantifying everything - from the everyday details of life to the entire universe[v]. Not only do we know how to precisely measure elementary particles, we also know how to control their actions!
Yet, even with all this advancement, modern computers cannot “crack” cryptocurrencies without the use of a great deal more computing power, and since it’s more than the planet can currently supply, it could take millions, if not billions, of years.
However, what current computers can’t do, quantum computers can!
So, how can something that was conceptualized in the 1980’s, and, as of yet, has no practical application, compromise cryptocurrencies and take over Bitcoin?
To best answer this question, let’s begin by looking at a bitcoin address.

What exactly is a Bitcoin address?

Well, in layman terms, a Bitcoin address is used to send and receive Bitcoins, and looking a bit closer (excuse the pun), it has two parts:[vi]
A public key that is openly shared with the world to accept payments. A public key that is derived from the private key. The private key is made up of 256 bits of information in a (hopefully) random order. This 256 bit code is 64 characters long (in the range of 0-9/a-f) and further compressed into a 52 character code (using RIPEMD-160).
NOTE: Although many people talk about Bitcoin encryption, Bitcoin does not use Encryption. Instead, Bitcoin uses a hashing algorithm (for more info, please see endnote below[vii]).
Now, back to understanding the private key:
The Bitcoin address “1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm” translates to a private key of “5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAnchuDf” which further translates to a 256 bit private key of “0000000000000000000000000000000000000000000000000000000000000001” (this should go without saying, but do not use this address/private key because it was compromised long ago.) Although there are a few more calculations that go behind the scenes, these are the most relevant details.
Now, to access a Bitcoin address, you first need the private key, and from this private key, the public key is derived. With current computers, it’s classically impractical to attempt to find a private key based on a public key. Simply put, you need the private key to know the public key.
However, it has already been theorized (and technically proven) that due to private key compression, multiple private keys can be used to access the same public key (aka address). This means that your Bitcoin address has multiple private keys associated with it, and, if someone accidentally discovers or “cracks” any one of those private keys, they have access to all the funds in that specific address.
There is even a pool of a few dedicated people hunting for these potential overlaps[viii], and they are, in fact, getting very efficient at it. The creator of the pool also has a website listing every possible Bitcoin private key/address in existence[ix], and, as of this writing, the pool averages 204 trillion keys per day!
But wait! Before you get scared and start panic selling, the probability of finding a Bitcoin address containing funds (or even being used) is highly unlikely – nevertheless, still possible!
However, the more Bitcoin users, the more likely a “collision” (finding overlapping private/public key pairs)! You see, the security of a Bitcoin address is simply based on large numbers! How large? Well, according to my math, 1.157920892373x1077 potential private keys exist (that number represents over 9,500 digits in length! For some perspective, this entire article contains just over 14,000 characters. Therefore, the total number of Bitcoin addresses is so great that the probability of finding an active address with funds is infinitesimal.

So, how do Quantum Computers present a threat?

At this point, you might be thinking, “How can a quantum computer defeat this overwhelming number of possibilities?” Well, to put it simple; Superposition and Entanglement[x].
Superposition allows a quantum bit (qbit) to be in multiple states at the same time. Entanglement allows an observer to know the measurement of a particle in any location in the universe. If you have ever heard Einstein’s quote, “Spooky Action at a Distance,” he was talking about Entanglement!
To give you an idea of how this works, imagine how efficient you would be if you could make your coffee, drive your car, and walk your dog all at the same time, while also knowing the temperature of your coffee before drinking, the current maintenance requirements for your car, and even what your dog is thinking! In a nutshell, quantum computers have the ability to process and analyze countless bits of information simultaneously – and so fast, and in such a different way, that no human mind can comprehend!
At this stage, it is estimated that the Bitcoin address hash algorithm will be defeated by quantum computers before 2028 (and quite possibly much sooner)! The NSA has even stated that the SHA256 hash algorithm (the same hash algorithm that Bitcoin uses) is no longer considered secure, and, as a result, the NSA has now moved to new hashing techniques, and that was in 2016! Prior to that, in 2014, the NSA also invested a large amount of money in a research program called “Penetrating Hard Targets project”[xi] which was used for further Quantum Computer study and how to break “strong encryption and hashing algorithms.” Does NSA know something they’re not saying or are they just preemptively preparing?
Nonetheless, before long, we will be in a post-quantum cryptography world where quantum computers can crack crypto addresses and take all the funds in any wallet.

What are Bitcoin core developers doing about this threat?

Well, as of now, absolutely nothing. Quantum computers are not considered a threat by Bitcoin developers nor by most of the crypto-community. I’m sure when the time comes, Bitcoin core developers will implement a new cryptographic algorithm that all future addresses/transactions will utilize. However, will this happen before post-quantum cryptography[xii]?
Moreover, even after new cryptographic implementation, what about all the old addresses? Well, if your address has been actively used on the network (sending funds), it will be in imminent danger of a quantum attack. Therefore, everyone who is holding funds in an old address will need to send their funds to a new address (using a quantum safe crypto-format). If you think network congestion is a problem now, just wait…
Additionally, there is the potential that the transition to a new hashing algorithm will require a hard fork (a soft fork may also suffice), and this could result in a serious problem because there should not be multiple copies of the same blockchain/ledger. If one fork gets attacked, the address on the other fork is also compromised. As a side-note, the blockchain Nebulas[xiii] will have the ability to modify the base blockchain software without any forks. This includes adding new and more secure hashing algorithms over time! Nebulas is due to be released in 2018.

Who would want to attack Bitcoin?

Bitcoin and cryptocurrency represent a threat to the controlling financial system of our modern economy. Entire countries have outright banned cryptocurrency[xiv] and even arrested people[xv], and while discrediting it, some countries are copying cryptocurrency to use (and control) in their economy[xvi]!
Furthermore, Visa[xvii], Mastercard[xviii], Discover[xix], and most banks act like they want nothing to do with cryptocurrency, all the while seeing the potential of blockchain technology and developing their own[xx]. Just like any disruptive technology, Bitcoin and cryptocurrencies have their fair share of enemies!
As of now, quantum computers are being developed by some of the largest companies in the world, as well as private government agencies.
No doubt, we will see a post-quantum cryptography world sooner than most realize. By that point, who knows how long “3 letter agencies” will have been using quantum technology - and what they’ll be capable of!

What can we do to protect ourselves today?

Of course, the best option is to start looking at how Bitcoin can implement new cryptographic features immediately, but it will take time, and we have seen how slow the process can be just for scaling[xxi].
The other thing we can do is use a Bitcoin address only once for outgoing transactions. When quantum computers attack Bitcoin (and other crypto currencies), their first target will be addresses that have outgoing transactions on the blockchain that contain funds.
This is due to the fact that when computers first attempt to crack a Bitcoin address, the starting point is when a transaction becomes public. In other words, when the transaction is first signed – a signed transaction is a digital signature derived from the private key, and it validates the transaction on the network. Compared to classical computers, quantum computers can exponentially extrapolate this information.
Initially, Bitcoin Core Software might provide some level of protection because it only uses an address once, and then sends the remaining balance (if any) to another address in your keypool. However, third party Bitcoin wallets can and do use an address multiple times for outgoing transactions. For instance, this could be a big problem for users that accept donations (if they don’t update their donation address every time they remove funds). The biggest downside to Bitcoin Core Software is the amount of hard-drive space required, as well as diligently retaining an up-to-date copy of the entire blockchain ledger.
Nonetheless, as quantum computers evolve, they will inevitably render SHA256 vulnerable, and although this will be one of the first hash algorithms cracked by quantum computers, it won’t be the last!

Are any cryptocurrencies planning for the post-quantum cryptography world?

Yes, indeed, there are! Here is a short list of ones you may want to know more about:

Full disclosure:

Although I am in no way associated with any project listed above, I do hold coins in all as well as Bitcoin, Litecoin and many others.
The thoughts above are based on my personal research, but I make no claims to being a quantum scientist or cryptographer. So, don’t take my word for anything. Instead, do your own research and draw your own conclusions. I’ve included many references below, but there are many more to explore.
In conclusion, the intention of this article is not to create fear or panic, nor any other negative effects. It is simply to educate. If you see an error in any of my statements, please, politely, let me know, and I will do my best to update the error.
Thanks for reading!

References

[i] https://www.youtube.com/watch?v=JhHMJCUmq28 – A great video explaining quantum computers.
[ii] https://www.doc.ic.ac.uk/~nd/surprise_97/journal/vol4/spb3/ - A brief history of quantum computing.
[iii] https://en.wikipedia.org/wiki/Apple_Lisa - More than you would ever want to know about the Apple Lisa.
[iv] https://www.youtube.com/watch?v=tpIctyqH29Q&list=PL8dPuuaLjXtNlUrzyH5r6jN9ulIgZBpdo - Want to learn more about computer science? Here is a great crash course for it!
[v] https://www.collinsdictionary.com/dictionary/english/quantify - What does quantify mean?
[vi] https://en.bitcoin.it/wiki/Private_key - More info about Bitcoin private keys.
[vii] https://www.securityinnovationeurope.com/blog/page/whats-the-difference-between-hashing-and-encrypting - A good example of the deference between Hash and Encryption
[viii] https://lbc.cryptoguru.org/stats - The Large Bitcoin Collider.
[ix] http://directory.io/ - A list of every possible Bitcoin private key. This website is a clever way of converting the 64 character uncompressed key to the private key 128 at a time. Since it is impossible to save all this data in a database and search, it is not considered a threat! It’s equated with looking for a single needle on the entire planet.
[x] https://uwaterloo.ca/institute-for-quantum-computing/quantum-computing-101#Superposition-and-entanglement – Brief overview of Superposition and Entanglement.
[xi] https://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html?utm_term=.e05a9dfb6333 – A review of the Penetrating Hard Targets project.
[xii] https://en.wikipedia.org/wiki/Post-quantum_cryptography - Explains post-quantum cryptography.
[xiii] https://www.nebulas.io/ - The nebulas project has some amazing technology planned in their roadmap. They are currently in testnet stage with initial launch expected taking place in a few weeks. If you don’t know about Nebulas, you should check them out. [xiv] https://en.wikipedia.org/wiki/Legality_of_bitcoin_by_country_or_territory - Country’s stance on crypto currencies.
[xv] https://www.cnbc.com/2017/08/30/venezuela-is-one-of-the-worlds-most-dangerous-places-to-mine-bitcoin.html - Don’t be a miner in Venezuela!
[xvi] http://www.newsweek.com/russia-bitcoin-avoid-us-sanctions-cryptocurrency-768742 - Russia’s plan for their own crypto currency.
[xvii] http://www.telegraph.co.uk/technology/2018/01/05/visa-locks-bitcoin-payment-cards-crackdown-card-issue - Recent attack from visa against crypto currency.
[xviii] https://www.ccn.com/non-government-digital-currency-junk-says-mastercard-ceo-rejecting-bitcoin/ - Mastercards position about Bitcoin.
[xix] http://www.livebitcoinnews.com/discover-joins-visa-mastercard-barring-bitcoin-support/ - Discovers position about Bitcoin.
[xx] http://fortune.com/2017/10/20/mastercard-blockchain-bitcoin/ - Mastercard is making their own blockchain.
[xxi] https://bitcoincore.org/en/2015/12/21/capacity-increase/ - News about Bitcoin capacity. Not a lot of news…
[xxii] https://learn.iota.org/faq/what-makes-iota-quantum-secure - IOTA and quantum encryption.
[xxiii] https://eprint.iacr.org/2011/191.pdf - The whitepaper of Winternitz One-Time Signature Scheme
[xxiv] https://cardanoroadmap.com/ - The Cardano project roadmap.
[xxv] https://eprint.iacr.org/2017/490 - More about the BLISS hash system.
[xxvi] https://www.ethereum.org/ - Home of the Ethereum project.
[xxvii] https://en.wikipedia.org/wiki/SHA-3#Security_against_quantum_attacks – SHA3 hash algorithm vs quantum computers.
[xxviii] https://en.wikipedia.org/wiki/Lamport_signature - Lamport signature information.
[xxix] https://theqrl.org/ - Home of the Quantum Resistant Ledger project.
submitted by satoshibytes to CryptoCurrency [link] [comments]

Part 5. I'm writing a series about blockchain tech and possible future security risks. This is the fifth part of the series talking about an advanced vulnerability of BTC.

The previous parts will give you usefull basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.
Part 1, what makes blockchain reliable?
Part 2, The mathematical concepts Hashing and Public key cryptography.
Part 3, Quantum resistant blockchain vs Quantum computing.
Part 4A, The advantages of quantum resistance from genesis block, A
Part 4B, The advantages of quantum resistance from genesis block, A

Why BTC is vulnerable for quantum attacks sooner than you would think.
Content:
The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”
Already exposed public keys.
Hijacking transactions.
Hijacks during blocktime
Hijacks pre-blocktime.
MITM attacks

- Why BTC is vulnerable for quantum attacks sooner than you would think. -

Blockchain transactions are secured by public-private key cryptography. The keypairs used today will be at risk when quantum computers reach a certain critical level: Quantum computers can at a certain point of development, derive private keys from public keys. See for more sourced info on this subject in part 3. So if a public key can be obtained by an attacker, he can then use a quantum computer to find the private key. And as he has both the public key and the private key, he can control and send the funds to an address he owns.
Just to make sure there will be no misconceptions: When public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, this will be an issue for all blockchains who don't use quantum resistant cryptography. The reason this article is about BTC is because I take this paper as a reference point: https://arxiv.org/pdf/1710.10377.pdf Here they calculate an estimate when BTC will be at risk while taking the BTC blocktime as the window of opportunity.
The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”
In pretty much every discussion I've read and had on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as a send-to address. So in theory, all funds are registered on the chain on hashed public keys instead of to the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, therefore there is no risk that a quantum computer can derive the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from will be registered in full form in the blockchain. So if you were to only send part of your funds, leaving the rest on the old address, your remaining funds would be on a published public key, and therefore vulnerable to quantum attacks. So the workaround would be to transfer the remaining funds, within the same transaction, to a new address. In that way, your funds would be once again registered on the blockchain on a hashed public key instead of a full, original public key.
If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way:
You control your funds through your public- private key pair. Your funds are registered on your public key. And you can create transactions, which you need to sign to be valid. You can only create a signature if you have your private key. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. So the analogy is, that if you got your address and your password, then you can access your mail and send emails (Transactions). If the right quantum computer would be available, people could use that to calculate your password (private key), if they have your email address (public key).
Now, because BTC doesn’t show your full public key anywhere until you make a transaction. That sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. Here is a short explanation of what a hash is: a hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output; but every time you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain, they are registered on "G".
So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to.
As said before: since it is, even for a quantum computer, impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as the public key is only registered in hashed form. The obvious safe method would be, never to reuse an address, and always make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant, if used correctly. This, however, is not as simple as it seems. Even though the above is correct, there is a way to get to your funds.
Already exposed public keys.
But before we get to that, there is another point that is often overlooked: Not only is the security of your personal BTC is important, but also the security of funds of other users. If others got hacked, the news of the hack itself and the reaction of the market to that news, would influence the marketprice. Or, if a big account like the Satoshi account were to be hacked and dumped, the dump itself, combined with the news of the hack, could be even worse. An individual does not have the control of other people’s actions. So even though one might make sure his public key is only registered in hashed form, others might not do so, or might no know their public key is exposed. There are several reasons why a substantial amount of addresses actually have exposed full public keys:
In total, about 36% of all BTC are on addresses with exposed public keys Of which about 20% is on lost addresses. and here
Hijacking transactions.
But even if you consider the above an acceptable risk, just because you yourself will make sure you never reuse an address, then still, the fact that only the hashed public key is published until you make a transaction is a false sense of security. It only works, if you never make a transaction. Why? Public keys are revealed while making a transaction, so transactions can be hijacked while being made.
Here it is important to understand two things:
1.) How is a transaction sent?
The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address.
When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender.
That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the address the funds will be transferred to (depending on the blockchain this could be the hashed public key, or the original public key of the address the funds will be transferred to). This package also carries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightful owner and you can send funds from that public key.
Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity”, because the sender proofs he is the rightful owner by adding the signature that corresponds with the public key. And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.
2.) How is a transaction confirmed/ fulfilled and registered on the blockchain?
After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.
If we process the information written above, we will see that there are two moments where you can actually see the public key, while the transaction is not fulfilled and registered on the blockchain yet.
1: during the time the transaction is sent from the sender to the nodes
2: during the time the nodes verify the transaction. (The blocktime)
Hijacks during blocktime
This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else’s address and send his coins to an address you own during moment 2: the time the nodes verify the transaction:
https://arxiv.org/pdf/1710.10377.pdf
"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." (Page 8, point 3.)
So this means that BTC obviously is not a quantum secure blockchain. Because as soon as you will touch your funds and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.
Hijacks pre-blocktime.
The story doesn't end here. The paper doesn't describe the posibility of a pre-blocktime hijack.
So back to the paper: as explained, while making a transaction your public key is exposed for at least the transaction time. This transaction time is 10 minutes where your transaction is being confirmed during the 10 minute block time. That is the period where your public key is visible and where, as described in the paper, a transaction can be hijacked, and by using quantum computers, a forged transaction can be made. So the critical point is determined to be the moment where quantum computers can derive private keys from public keys within 10 minutes. Based on that 10 minute period, they calculate (estimate) how long it will take before QC's start forming a threat to BTC. (“ By our most optimistic estimates, as early as 2027 a quantum computer could exist that can break the elliptic curve signature scheme in less than 10 minutes, the block time used in Bitcoin.“ This is also shown in figure 4 on page 10 and later more in depth calculated in appendix C, where the pessimistic estimate is around 2037.) But you could extend that 10 minutes through network based attacks like DDoS, BGP routing attacks, NSA Quantum Insert, Eclipse attacks, MITM attacks or anything like that. (And I don’t mean you extend the block time by using a network based attack, but you extend the time you have access to the public key before the transaction is confirmed.) Bitcoin would be earlier at risk than calculated in this paper.
Also other Blockchains with way shorter block times imagine themselves safe for a longer period than BTC, but with this extension of the timeframe within which you can derive the private key, they too will be vulnerable way sooner.
Not so long ago an eclipse attack demonstrated it could have done the trick. and here Causing the blockchain to work over max capacity, means the transactions will be waiting to be added to a block for a longer time. This time needs to be added on the blocktime, expanding the period one would have time to derive the private key from the public key.
That seems to be fixed now, but it shows there are always new attacks possible and when the incentive is right (Like a few billion $ kind of right) these could be specifically designed for certain blockchains.
MITM attacks
An MITM attack could find the public key in the first moment the public key is exposed. (During the time the transaction is sent from the sender to the nodes) So these transactions that are sent to the network, contain public keys that you could intercept. So that means that if you intercept transactions (and with that the private keys) and simultaneously delay their arrival to the blockchain network, you create extra time to derive the private key from the public key using a quantum computer. When you done that, you send a transaction of your own before the original transaction has arrived and is confirmed and send funds from that stolen address to an address of your choosing. The result would be that you have an extra 10, 20, 30 minutes (or however long you can delay the original transactions), to derive the public key. This can be done without ever needing to mess with a blockchain network, because the attack happens outside the network. Therefore, slower quantum computers form a threat. Meaning that earlier models of quantum computers can form a threat than they assume now.
When MITM attacks and hijacking transactions will form a threat to BTC, other blockchains will be vulnerable to the same attacks, especially MITM attacks. There are ways to prevent hijacking after arrival at the nodes. I will elaborate on that in the next article. At this point of time, the pub key would be useless to an attacker due to the fact there is no quantum computer available now. Once a quantum computer of the right size is available, it becomes a problem. For quantum resistant blockchains this is differetn. MITM attacks and hijacking is useless to quantum resistant blockchains like QRL and Mochimo because these projects use quantum resistant keys.
submitted by QRCollector to CryptoTechnology [link] [comments]

Part 6. (Last part) I'm writing a series about blockchain tech and possible future security risks. Failing shortcuts in an attempt to accomplish Quantum Resistance

The previous parts will give you usefull basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.
Part 1, what makes blockchain reliable?
Part 2, The mathematical concepts Hashing and Public key cryptography.
Part 3, Quantum resistant blockchain vs Quantum computing.
Part 4A, The advantages of quantum resistance from genesis block, A
Part 4B, The advantages of quantum resistance from genesis block, A
Part 5, Why BTC is vulnerable for quantum attacks sooner than you would think.

Failing shortcuts in an attempt to accomplish Quantum Resistance
Content:
Hashing public keys
“Instant” transactions
FIFO
Standardized fees
Multicast
Timestamped transactions
Change my mind: If a project doesn't use a Quantum Resistant signature scheme, it is not 100% Quantum Resistant.
Here are some of the claims regarding Quantum Resistance without the use of a quantum resistant signature scheme that I have come across so far. For every claim, I give arguments to substantiate why these claims are incorrect.
“We only have public keys in hashed form published. Even quantum computers can't reverse the Hash, so no one can use those public keys to derive the private key. That's why we are quantum resistant.” This is incorrect.
This example has been explained in the previous article. To summarize: Hashed public keys can be used as an address for deposits. Deposits do not need signature authentication. Alternatively, withdrawals do need signature authentication. To authenticate a signature, the public key will always need to be made public in full, original form. As a necessary requirement, the full public key would be needed to spend coins. Therefore the public key will be included in the transaction.
The most famous blockchain to use hashed public keys is Bitcoin. Transactions can be hijacked during the period a user sends a transaction from his or her device to the blockchain and the moment a transaction is confirmed. For example: during Bitcoins 10 minute blockchain, the full public keys can be obtained to find private keys and forge transactions. Page 8, point 3 Hashing public keys does have advantages: they are smaller than the original public keys. So it does save space on the blockchain. It doesn't give you Quantum Resistance however. That is a misconception.
“Besides having only hashed public keys on the blockchain, we also have instant transactions. So there is no time to hijack a transaction and to obtain the public key fast enough to forge a transaction. That's why we are quantum resistant.” This is incorrect and impossible.
There is no such thing as instant transactions. A zero second blocktime for example is a claim that can’t be made. Period. Furthermore, transactions are collected in pools before they are added to a block that is going to be processed. The time it takes for miners to add them to a new block before processing that block depends on the amount of transactions a blockchain needs to process at a certain moment. When a blockchain operates within its maximum capacity (the maximum amount of transactions that a blockchain can process per second), the adding of transactions from the pool will go quite swiftly, but still not instantaneously.
However, when there is high transaction density, transactions can be stuck in the pool for a while. During this period the transactions are published and the full public keys can be obtained. Just as with the previous hijacking example, a transaction can be forged in that period of time. It can be done when the blockchain functions normally, and whenever the maximum capacity is exceeded, the window of opportunity grows for hackers.
Besides the risk that rush hours would bring by extending the time to work with the public key and forge transactions, there are network based attacks that could serve the same purpose: slow the confirmation time and create a bigger window to forge transactions. These types are attacks where the attacker targets the network instead of the sender of the transaction: Performing a DDoS attack or BGP routing attack or NSA Quantum Insert attack on a peer-to-peer network would be hard. But when provided with an opportunity to earn billions, hackers would find a way.
For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/
For BTC: https://eprint.iacr.org/2015/263.pdf
An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain.
That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do.
This specific example seems to be fixed now, but it most definitely shows there is a risk of other variations to be created. Keep in mind, before this variation of attack was known, the common opinion was that it was impossible. With little incentive to create such an attack, it might take a while until another one is developed. But when the possession of full public keys equals the possibility to forge transactions, all of a sudden billions are at stake.
“Besides only using hashed public keys as addresses, we use the First In First Out (FIFO) mechanism. This solves the forged transaction issue, as they will not be confirmed before the original transactions. That's why we are quantum resistant.” This is incorrect.
There is another period where the public key is openly available: the moment where a transaction is sent from the users device to the nodes on the blockchain network. The sent transaction can be delayed or totally blocked from arriving to the blockchain network. While this happens the attacker can obtain the public key. This is a man-in-the-middle (MITM) attack. A MITM is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. No transaction is 100% safe from a MITM attack. This type of attack isn’t commonly known amongst average usergroups due to the fact communication is done either encrypted or by the use of private- public key cryptography. Therefore, at this point of time MITM attacks are not an issue, because the information in transactions is useless for hackers. To emphasize the point made: a MITM attack can be done at this point of time to your transactions. But the information obtained by a hacker is useless because he can not break the cryptography. The encryption and private- public key cryptography is safe at this point of time. ECDSA and RSA can not be broken yet. But in the era of quantum computers the problem is clear: an attacker can obtain the public key and create enough time to forge a transaction which will be sent to the blockchain and arrive there first without the network having any way of knowing the transaction is forged. By doing this before the transaction reaches the blockchain, FIFO will be useless. The original transaction will be delayed or blocked from reaching the blockchain. The forged transaction will be admitted to the network first. And First In First Out will actually help the forged transaction to be confirmed before the original.
“Besides having only hashed public keys, we use small standardized fees. Forged transactions will not be able to use higher fees to get prioritized and confirmed before the original transactions, thus when the forged transaction will try to confirm the address is already empty. This is why we are quantum resistant.” This is incorrect.
The same arguments apply as with the FIFO system. The attack can be done before the original transaction reaches the network. Thus the forged transaction will still be handled first no matter the fee hight.
“Besides the above, we use multicast so all nodes receive the transaction at the same time. That's why we are quantum resistant.” This is incorrect.
Multicast is useless against a MITM attack when the attacker is close enough to the source.
“Besides the above, we number all our transactions and authenticate nodes so the user always knows who he's talking to. That's why we are quantum resistant.” This is incorrect.
Besides the fact that you’re working towards a centralized system if only verified people can become nodes. And besides the fact that also verified nodes can go bad and work with hackers. (Which would be useless if quantum resistant signature schemes would be implemented because a node or a hacker would have no use for quantum resistant public keys and signatures.) There are various ways of impersonating either side of a communication channel. IP-spoofing, ARP-spoofing, DSN-spoofing etc. All a hacker needs is time and position. Time can be created in several ways as explained above. All the information in the transaction an original user sends is valid. When a transaction is hijacked and the communication between the user and the rest of the network is blocked, a hacker can copy that information to his own transaction while using a forged signature. The only real effective defense against MITM attacks can be done on router or server-side by a strong encryption between the client and the server (Which in this case would be quantum resistant encryption, but then again you could just as well use a quantum resistant signature scheme.), or you use server authentication but then you would need that to be quantum resistant too. There is no serious protection against MITM attacks when the encryption of the data and the authentication of a server can be broken by quantum computers.
Only quantum resistant signature schemes will secure blockchain to quantum hacks. Every blockchain will need their users to communicate their public key to the blockchain to authenticate signatures and make transactions. There will always be ways to obtain those keys while being communicated and to stretch the period where these keys can be used to forge transactions. Once you have, you can move funds to your own address, a bitcoin mixer, Monero, or some other privacy coin.
Conclusion
There is only one way to currently achieve Quantum Resistance: by making sure the public key can be made public without any risks, as is done now in the pre-quantum period and as Satoshi has designed blockchain. Thus by the use of quantum resistant signature schemes. The rest is all a patchwork of risk mitigation and delaying strategies; they make it slightly harder to obtain a public key and forge a transaction but not impossible.
Addition
And then there is quite often this strategy of postponing quantum resistant signature schemes
“Instead of ECDSA with 256 bit keys we will just use 384 bit keys. And after that 521 bit keys, and then RSA 4096 keys, so we will ride it out for a while. No worries we don’t need to think about quantum resistant signature schemes for a long time.” This is highly inefficient, and creates more problems than it solves.
Besides the fact that this doesn’t make a project quantum resistant, it is nothing but postponing the switch to quantum resistant signatures, it is not a solution. Going from 256 bit keys to 384 bit keys would mean a quantum computer with ~ 3484 qubits instead of ~ 2330 qubits could break the signature scheme. That is not even double and postpones the problem either half a year or one year, depending which estimate you take. (Doubling of qubits every year, or every two years). It does however have the same problems as a real solution and is just as much work. (Changing the code, upgrading the blockchain, finding consensus amongst the nodes, upgrading all supporting systems, hoping the exchanges all go along with the new upgrade and migrate their coins, heaving all users migrate their coins.) And then quite soon after that, they'll have to go at it again. What they will do next? Go for 512 bit curves? Same issues. It's just patchworks and just as much hassle, but then over and over again for every “upgrade” from 384 to 521 etc.
And every upgrade the signatures get bigger, and closer to the quantum resistant signature sizes and thus the advantage you have over blockchains with quantum resistant signature schemes gets smaller. While the quantum resistant blockchains are just steady going and their users aren’t bothered with all the hassle. At the same time the users of the blockchain that is constantly upgrading to a bigger key size, keep on needing to migrate their coins to the new and upgraded addresses to stay safe.
submitted by QRCollector to CryptoTechnology [link] [comments]

My growing collection of info about NEO

It can be very time consuming to keep up to date on a single blockchain project let alone multiple ones. If you just heard about NEO a few weeks ago it would be impossible catch up on past occurrences due to high volume of Reddit posts and articles made on the project. I’m going to try and simplify the past, present and future as much as I can into one well thought-out post. I hope I can be helpful to anyone who has been investigating like myself. I will include sources with all of my research.
https://imgur.com/a/NBI7S (img for mobile backround)
Key notes from the White Paper http://docs.neo.org/en-us/
Digital Assets
Digital assets are programmable assets that exist in the form of electronic data. With blockchain technology, the digitization of assets can be decentralized, trustful, traceable, highly transparent, and free of intermediaries. On the NEO blockchain, users are able to register, trade, and circulate multiple types of assets. Proving the connection between digital and physical assets is possible through digital identity. Assets registered through a validated digital identity are protected by law.
Digital Identity
Digital identity refers to the identity information of individuals, organizations, and other entities that exist in electronic form. The more mature digital identity system is based on the PKI (Public Key Infrastructure) X.509 standard. In NEO, we will implement a set of X.509 compatible digital identity standards. This set of digital identity standards, in addition to compatible X.509 level certificate issuance model, will also support Web Of Trust point-to-point certificate issuance model. Our verification of identity when issuing or using digital identities includes the use of facial features, fingerprint, voice, SMS and other multi-factor authentication methods.
Smart Contracts
The NeoContract smart contract system is the biggest feature of the seamless integration of the existing developer ecosystem. Developers do not need to learn a new programming language but use C#, Java and other mainstream programming languages in their familiar IDE environments (Visual Studio, Eclipse, etc.) for smart contract development, debugging and compilation. NEO's Universal Lightweight Virtual Machine, NeoVM, has the advantages of high certainty, high concurrency, and high scalability. The NeoContract smart contract system will allow millions of developers around the world to quickly carry out the development of smart contracts.
Economic Model
NEO has two native tokens, NEOand NeoGas NEO represents the right to manage the network. Management rights include voting for bookkeeping, NEO network parameter changes, and so on. The minimum unit of NEO is 1 and tokens cannot be subdivided. GAS is the fuel token for the realization of NEO network resource control. The NEO network charges for the operation and storage of tokens and smart contracts, thereby creating economic incentives for bookkeepers and preventing the abuse of resources. The minimum unit of GAS is 0.00000001.
Distribution Mechanism
NEO's 100 million tokens are divided into two portions. The first portion is 50 million tokens distributed proportionally to supporters of NEO during the crowdfunding. This portion has been distributed.
The second portion is 50 million NEO managed by the NEO Council to support NEO's long-term development, operation and maintenance and ecosystem. The NEO in this portion has a lockout period of 1 year and is unlocked only after October 16, 2017. This portion WILL NOT enter the exchanges and is only for long-term support of NEO projects. The plans for it are as below:
▪ 10 million tokens (10% total) will be used to motivate NEO developers and members of the NEO Council
▪ 10 million tokens (10% total) will be used to motivate developers in the NEO ecosystem
▪ 15 million tokens (15% total) will be used to cross-invest in other block-chain projects, which are owned by the NEO Council and are used only for NEO projects
▪ 15 million (15% total) will be retained as contingency
▪ The annual use of NEO in principle shall NOT exceed 15 million tokens
GAS distribution
GAS is generated with each new block. The initial total amount of GAS is zero. With the increasing rate of new block generation, the total limit of 100 million GAS will be achieved in about 22 years. The interval between each block is about 15-20 seconds, and 2 million blocks are generated in about one year. According to this release curve, 16% of the GAS will be created in the first year, 52% of the GAS will be created in the first four years, and 80% of the GAS will be created in the first 12 years. GAS will be distributed proportionally in accordance with the NEO holding ratio, recorded in the corresponding addresses. NEO holders can initiate a claim transaction at any time and claim these GAS tokens at their holding addresses.
Consensus mechanism: dBFT
The dBFT is called the Delegated Byzantine Fault Tolerant, a Byzantine fault-tolerant consensus mechanism that enables large-scale participation in consensus through proxy voting. The holder of the NEO token can, by voting, pick the bookkeeper it supports. The selected group of bookkeepers, through BFT algorithm, reach a consensus and generate new blocks. Voting in the NEO network continues in real time, rather than in accordance with a fixed term.
Cross-chain assets exchange agreement
NeoX has been extended on existing double-stranded atomic assets exchange protocols to allow multiple participants to exchange assets across different chains and to ensure that all steps in the entire transaction process succeed or fail together. In order to achieve this function, we need to use NeoContract function to create a contract account for each participant. If other blockchains are not compatible with NeoContract, they can be compatible with NeoX as long as they can provide simple smart contract functionality.
Cross-chain distributed transaction protocol
Cross-chain distributed transactions mean that multiple steps of a transaction are scattered across different blockchains and that the consistency of the entire transaction is ensured. This is an extension of cross-chain assets exchange, extending the behavior of assets exchange into arbitrary behavior. In layman's terms, NeoX makes it possible for cross-chain smart contracts where a smart contract can perform different parts on multiple chains, either succeeding or reverting as a whole. This gives excellent possibilities for cross-chain collaborations and we are exploring cross-chain smart contract application scenarios.
Distributed Storage Protocol: NeoFS
NeoFS is a distributed storage protocol that utilizes Distributed Hash Table technology. NeoFS indexes the data through file content (Hash) rather than file path (URI). Large files will be divided into fixed-size data blocks that are distributed and stored in many different nodes
Anti-quantum cryptography mechanism: NeoQS
The emergence of quantum computers poses a major challenge to RSA and ECC-based cryptographic mechanisms. Quantum computers can solve the large number of decomposition problems (which RSA relies on) and the elliptic curve discrete logarithm (which ECC relies on) in a very short time. NeoQS (Quantum Safe) is a lattice-based cryptographic mechanism. At present, quantum computers do not have the ability to quickly solve the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP), which is considered to be the most reliable algorithm for resisting quantum computers.
Reasons for choosing dBFT over PoW and PoS:
With the phenomenal success of Bitcoin and its increasing mainstream adoption, the project’s unbounded appetite for energy grew accordingly. Today, the average Bitcoin transaction costs as much energy as powering 3.67 average American homes, which amounts to about 3000 times more than a comparable Credit Card settlement.
This mind boggling amount of energy is not, as it is commonly believed, being wasted. It is put to good use: securing the Bitcoin network and rendering attacks on it infeasible. However, the cost of this security mechanism and its implications for an increasingly warming and resource hungry planet led almost the entire crypto industry to the understanding that an alternative has to be found, at least if we’re interested in seeing blockchain technology gaining overwhelming mainstream adoption.
The most popular alternative to PoW, used by most alternative cryptocurrency systems, is called Proof-of-Stake, or PoS. PoS is highly promising in the sense that it doesn’t require blockchain nodes to perform arduous, and otherwise useless, cryptographic tasks in order to render potential attacks costly and infeasible. Hence, this algorithm cuts the power requirements of PoS blockchains down to sane and manageable amounts, allowing them to be more scalable without guzzling up the planet's energy reserves.
As the name suggests, instead of requiring proof of cryptographic work, PoS requires blockchain nodes to proof stake in the currency itself. This means that in order for a blockchain node to be eligible for a verification reward, the node has to hold a certain amount of currency in the wallet associated with it. This way, in order to execute an attack, a malevolent node would have to acquire the majority of the existing coin supply, rendering attacks not only costly but also meaningless, since the attackers would primarily harm themselves.
PoS, as well as PoW, simply cause the blockchain to fork into two alternative versions if for some reason consensus breaks. In fact, most blockchains fork most of the time, only to converge back to a single source of truth a short while afterwards.
By many crypto enthusiasts, this obvious bug is very often regarded as a feature, allowing several versions of the truth to survive and compete for public adoption until a resolution is generated. This sounds nice in theory, but if we want to see blockchain technology seriously disrupt and/or augment the financial sector, this ever lurking possibility of the blockchain splitting into two alternative versions cannot be tolerated.
Furthermore, even the fastest PoS blockchains out there can accomodate a few hundred transactions per second, compare that to Visa’s 56,000 tx/s and the need for an alternative becomes clear as day.
A blockchain securing global stock markets does not have the privilege to fork into two alternative versions and just sit and wait it out until the market (or what’s left of it) declares a winner. What belongs to whom should be engraved in an immutable record, functioning as a single source of truth with no glitches permitted.
After investigating and studying the crypto industry and blockchain technologies for several years, we came to the conclusion that the delegated Byzantine Fault Tolerance alternative (or dBFT) is best suited for such a system. It provides swift transaction verification times, de-incentivises most attack vectors and upholds a single blockchain version with no risk of forks or alternative blockchain records emerging - regardless of how much computing power, or coins an attacker possesses.
The term Byzantine Fault Tolerance (BFT) derives its name from the Byzantine Generals problem in Game Theory and Computer Science, describing the problematic nature of achieving consensus in a distributed system with suboptimal communication between agents which do not necessarily trust each other.
The BFT algorithm arranges the relationship between blockchain nodes in such a way that the network becomes as good as resilient to the Byzantine Generals problem, and allows the system to remain consensus even if some nodes bare malicious intentions or simply malfunction.
To achieve this, Antshare’s version of the delegated BFT (or dBFT) algorithm acknowledges two kinds of players in the blockchain space: professional node operators, called bookkeeping nodes, who run nodes as a source of income, and users who are interested in accessing blockchain advantages. Theoretically, this differentiation does not exist in PoW and most PoS environments, practically, however, most Bitcoin users do not operate miners, which are mostly located in specialized venues run by professionals. At Antshares we understand the importance of this naturally occurring division of labor and use it to provide better security for our blockchain platform.
Accordingly, block verification is achieved through a consensus game held between specialized bookkeeping nodes, which are appointed by ordinary nodes through a form of delegated voting process. In every verification round one of the bookkeeping nodes is pseudo-randomly appointed to broadcast its version of the blockchain to the rest of the network. If ⅔ of the remaining nodes agree with this version, consensus is secured and the blockchain marches on. If less than ⅔ of the network agrees, a different node is appointed to broadcast its version of the truth to the rest of the system, and so forth until consensus is established.
In this way, successful system attacks are almost impossible to execute unless the overwhelming majority of the network is interested in committing financial suicide. Additionally, the system is fork proof, and at every given moment only one version of the truth exists. Without complicated cryptographic puzzles to solve, nodes operate much faster and are able to compete with centralized transaction methods.
https://www.econotimes.com/Blockchain-project-Antshares-explains-reasons-for-choosing-dBFT-over-PoW-and-PoS-659275
OnChain
It is important to note the technical difference between Onchain and NEO. Onchain is a private VC-backed company with over 40 employees. NEO is a public platform with different community-led groups contributing to this public project. There exists NEO council comprised of the original NEO creators, employees from Onchain, full time NEO council members and there is also the first Western based group called City of Zion. This confusion is likely the source of the rumour about Antshares and Alibaba having a connection. Onchain and NEO are separate entities who are intimately related via cross-chain communications and similar designs.
Onchain, a Shanghai-based blockchain R&D company, first started developing Antshares in February of 2014 which will eventually become the foundation of DNA. Onchain was founded by CEO Da HongFei and CTO Erik Zhang in response to the attention from private companies garnered by the development of Antshares, China’s first public blockchain. In contrast to the weeks-old start-ups launching ICOs that is happening currently in the blockchain world, it took them 22 long months of R&D to even begin providing services to their first customers. Finally, in April 2016, the first whitepaper on consensus protocol from China was born — the dBFT (delegated Byzantine Fault Tolerance) protocol.
2016 was a busy year for Onchain and they really picked up the pace that year. Other than continuing the development of Antshares, brushing shoulders with Fortune 500 companies, Onchain became the first Chinese blockchain company to join Hyperledger — an open source blockchain project started by the Linux Foundation specifically focusing on the development of private and consortium chains for businesses. It is here where the Da HongFei and Erik Zhang, entered the hyperbolic time chamber that is now known as Fabric, a platform by Hyperledger for distributed ledger solutions, and has consequently helped them to develop many aspects underpinning the design of DNA.
In June of 2016, during the first of many future partnerships with Microsoft China, Onchain founded Legal Chain specifically targeting the inadequacies of the digital applications within the legal system. In 2005, (Digital Signature Act) was passed into national law which permitted an effective digital signatures to gain the same legal rights as a real signature.
In company with Microsoft China, they are also aiming to integrate the technology with Microsoft’s face and voice recognition API function to kick start this digital revolution within the legal system. At the same time, a partnership was formed with FaDaDa, a third-party platform for electronic contracts that has processed over 27 million contracts to date, to provide secure evidence storage with DNA. If that’s not enough, they were also voted as KPMG’s top 50 Fintech Company in China and established a relationship with the Japanese Ministry of Economy, Trade and Industry which led to the recent tour to Japan. Finally, at the end of 2016 they announced a partnership with Alibaba to provide attested email service for Ali Cloud with Legal Chain where it provides a proof-of-existence for a blockchain-powered email evidence repository for enterprise-level use.
Fosun Group, China’s largest private conglomerate, have recently invested into Onchain in order to apply DNA across all of its businesses. Currently, Fosun International has a market cap of 102.98 billion dollars on the Hong Kong Stock Exchange and that is only its international branch.
The role of Onchain so far is reminiscent of Ethereum’s EEA in addition to a stronger emphasis of governmental cooperation. Onchain has identified the shortcomings of present laser focus of hype on public platforms such as NEO and Ethereum and addressing that with DNA. DNA envisions a future where a network of assorted, specifically designed blockchains serving private enterprises, consortiums, government and the public communicating with each other forming an interconnected blockchain network.
This is the goal of DNA — infiltrating every little inefficient niche that had no better alternatives before the invention of blockchain. What is especially critical to remember during this explosive time of hype driven partly by the obscene degree of greed is that not every little niche that blockchain can fill will be holding its own little ICO for you to “go to the moon on your rocket powered lambos”. Some of those efficiencies gained will simply be consumed by companies privately or by public systems such as the legal system.
https://hackernoon.com/neo-onchain-and-its-ultimate-plan-dna-4c33e9b6bfaa
http://www.onchain.com/
https://github.com/DNAProject/DNA
https://siliconangle.com/blog/2016/10/20/onchain-partners-with-alibaba-for-blockchain-powered-email-evidence-repository/
https://www.reuters.com/article/us-fosun-blockchain/chinas-fosun-invests-in-local-version-of-bitcoin-tech-blockchain-idUSKCN1B30KM
City of Zion (CoZ)
City of Zion (CoZ) is a global community of open source enthusiasts, with the shared goal of helping NEO achieve its full potential. CoZ primarily operates through the community Slack and CoZ Github, central places where the community shares knowledge and contributes to projects.
CoZ is neither a corporation, nor a consulting firm or a devshop / for-hire group.
Members
https://imgur.com/a/Gc9jT
CoZ aims to be low barrier of entry, the process is straightforward:
  1. Join the channel #develop.
  2. Fork or create a project.
  3. Publish as open source.
  4. After a couple of contributions a CoZ council member will invite you to the proper channel for your contributions.
  5. Receive rewards and back to 3.
Unit testing - Ongoing effort to implement code coverage for the core
Integration testing - Tools for automated testing, performance metrics and functionality validation on private test nets
Continuous integration - Automated multi-platform testing of all pull requests at GitHub.
Deployment pipeline - Automated tools and processes to ensure fast and reliable updates upon code changes
New C# implementation (NEO2) - Improve code quality, speed & testability
Roadmap
https://imgur.com/a/4CDhw
dApps competition
https://cityofzion.io/dapps/1
10 prizes of 1350 GAS, with 500 GAS to be used for smart contract deployment. Currently 19 dApps registered. Deadline is 16 of November 11:59 EST.
https://drive.google.com/drive/folders/0B4wu5lNlukwybEstaEJMZ19kbjQ
Traveling
August 8th to August 12th:
From August 8th to August 12th, 2017, the NEO core team, led by founder & CEO Da Hongfei will travel to Japan to explore the forefront of Japan's Blockchain innovation. This trip represents the first in a series of trips around the world with the goal to foster international cooperation's and to keep up with the fast pace in Blockchain innovation. Starting in Japan, the NEO core team will visit famous local Blockchain research institutions and active communities to engage in bilateral communication. NEO will meet with Japanese tech-celebrities to gain insights about the latest developments in the Japanese Blockchain and digital currency community. Additionally, Japanese local tech media will conduct an interview allowing NEO to present its development status and its latest technological innovations.
https://www.reddit.com/NEO/comments/6ry4s9/japan_the_neo_core_team_starts_out_on_an/
https://www.youtube.com/watch?v=SgTQ32CkxlU
https://www.reddit.com/NEO/comments/6ssfx1/neo_meetup_in_tokyo_august_10th_2017_2100h/
19th August, 2017
Blockchain X Series - NEO example applications
20th August, 2017
NEO and Microsoft Azure host a blockchain programming training in Shanghai
23rd August, 2017
INNOxNEO Blockchain Open Nights: 2nd Meeting
24th August, 2017
NEO Meetup in Taipei
https://www.reddit.com/NEO/comments/6wbebneo_taipei_meetup_long_post/
13th September, 2017
INNOxNEO Blockchain Open Nights: 3rd Meeting
14th September, 2017
NEO Shanghai Meetup with NEO team
24th September, 2017
NEO Blockchain Programming Day - Hangzhou Station
27th September, 2017
INNOxNEO Blockchain Open Nights: 4th Meeting
27th September, 2017
First London NEO Developer Meetup!
4th October, 2017
First San Francisco NEO Developer Social!
14th-16th October, 2017
GNOME.Asia Summit 2017, Chongqing, China
21st October, 2017
NEO JOY, Exploring Blockchain application, Nanjing, China
26th October, 2017
Inaugural Global Fintech & Blockchain China Summit 2017
Networks proves itself with the first ICO
ICOs, on other platforms such as Ethereum, often resulted in a sluggish network and transaction delays. While NEO’s dBFT consensus algorithm is designed to achieve consensus with higher efficency and greater network throughputt, no amount of theoretical calculations can simulate the reality of real-life conditions.
--Key Observations--
Smart Contract Invocations:
A total of 13,966 smart contracts invocations were executed on the NEO network over this time period, of which, nearly all called the RPX smart contract method mintTokens. A total of 543,348,500 RPX tokens were successfully minted and transferred to user accounts, totalling 10,097 smart contract executions.
Refunded Invocations:
A total of 4182 refund events were triggered by the smart contract method mintTokens. (Note: RPX has stated that these refunds will be processed within the next two weeks.)
Crowdsale statistics:
A successful mintTokens execution used around 1043 VM operations, while an execution that resulted in a refund used 809 VM operations. Within the hour and six minutes that the token sale was active, a total of 12,296,409 VM operations were executed. A total of 9,575 unique addresses participated in the RPX ICO. Half of these, approximately 4,800 unique addresses, participated through CoZ’s Neon wallet. The top 3 blocks with the most transactions were block 1445025 (3,242 transactions), block 1444902 (2,951 transactions), and block 1444903 (1609 transactions).
Final Thoughts
At the moment, the consensus nodes for the NEO network are operated by the NEO Council in China. By Q1 2018, NEO Council aims to control less than two-thirds of the consensus nodes.
We are pleased to note that the NEO network continuted to operate efficiently with minimal network impact, even under extreme network events. Block generation time initially slowed down to 3 minutes to process the largest block, but quickly recovered to approximately 25 seconds. Throughout the entire RPX ICO, consensus nodes were able to achieve consensus and propagate new block transactions to the rest of the network. In closing, while we consider this performance to be excellent, NEO Council and City of Zion areworking closely together on upgrades, that will increase the throughputs of the NEO network.
Hyperledger
Members and governance of Hyperledger:
Early members of the initiative included blockchain ISVs, (Blockchain, ConsenSys, Digital Asset, R3, Onchain), well-known technology platform companies (Cisco, Fujitsu, Hitachi, IBM, Intel, NEC, NTT DATA, Red Hat, VMware), financial services firms (ABN AMRO, ANZ Bank, BNY Mellon, CLS Group, CME Group, the Depository Trust & Clearing Corporation (DTCC), Deutsche Börse Group, J.P. Morgan, State Street, SWIFT, Wells Fargo), Business Software companies like SAP, Systems integrators and others such as: (Accenture, Calastone, Credits, Guardtime, IntellectEU, Nxt Foundation, Symbiont).
The governing board of the Hyperledger Project consists of twenty members chaired by Blythe Masters, (CEO of Digital Asset), and a twelve-member Technical Steering Committee chaired by Christopher Ferris, CTO of Open Technology at IBM.
http://www.8btc.com/onchain-hyperledger
https://en.wikipedia.org/wiki/Hyperledger
“As a leading open-source contributor in China’s blockchain community, Onchain shares the same values as the Linux Foundation and the Hyperledger project intrinsically. We believe international collaboration plus local experience are key to the adoption of distributed ledger technology in China; we are also very excited to see other Chinese blockchain startups join Hyperledger and look forward to adding our combined expertise to the project.” Da Hongfei, Founder and CEO of Onchain
https://hyperledger.org/testimonials/onchain
Important Articles
Distribution technology DNA framework went through the national block chain standard test On May 16th, the first China block chain development competition in Hangzhou announced that Onchain, became the first through the national standard test block system.
http://www.51cto.com/art/201705/539824.htm?mobile
Da Hongfei and OnChain working relationship with Chinese Government
https://finance.sina.cn/2017-04-13/detail-ifyeifqx5554606.d.html?from=wap
http://www.gz.chinanews.com/content/2017/05-28/73545.shtml
The Chinese government is reportedly preparing to allow the resumption of cryptocurrency trading in the country in the coming months, with the required anti-money laundering (AML) systems and licensing programs in place.
https://coingeek.com/cryptocurrency-trading-poised-to-make-a-return-in-china-report/
Japanese Ministry of Economy, Trade and Industry - Working with OnChain and NEO
http://www.8btc.com/onchain-ribenjingjichanyesheng
Notice NEO will be invited to attend the INNO x Austrade China-Australia chain high-end exchange
AUSTRADE - The Australian Trade and Investment Commission is the official government, education and investment promotion agency of the Australian Government
https://mp.weixin.qq.com/s/LmXnW7MtzOX_fqIo7diU9A
Source for NEO/OnChain Microsoft Cooperation:
http://www.8btc.com/onchain-microsoft
Da Hongfei quotes
"There is no direct cooperation between Alibaba and NEO/Onchain, other than their mailbox service is using Law Chain to provide attested email service. In terms of Microsoft, yes we have cooperation with Microsoft China because NEO is built with C# and .NET Core, and NeoContract is the first in the world to support writing smart contract with C#"
https://www.reddit.com/NEO/comments/6puffo/we_are_da_hongfei_and_erik_zhang_founders_of_neo/dksm5ga/
"We have pretty good communication with government, with regulators. They don't have any negative impression with NEO and they like our technology and the way we deal with things. Regulation is not an issue for us"
https://www.youtube.com/watch?v=qpUdTIQdjVE&feature=youtu.be&t=1m16s
“Before they started cleaning up the market, I was asked for information and suggestions” “I do not expect the government to call me in the short-term and say, ‘Let’s use NEO as the blockchain technology infrastructure of China.’ But in the medium term? Why not? I think it’s possible.”
https://medium.com/@TheCoinEconomy/neo-founder-da-hongfei-advised-china-on-ico-exchange-ban-says-govt-4631b9f7971
-Upcoming Roadmap-
Decentralization of consensus nodes
▪ P2P Network optimization (2017Q4) – Network optimizations to ensure fast block generation after decentralization.
▪ Voting Algorithm Optimization (2017Q4) – Adjustments in voting algorithm to prevent identified attack vectors.
▪ Candidate List Website (2018Q1) – Published list of candidates so that voters know who they are voting for.
▪ NEO Council Consensus Node < 2/3 (2018Q1) – NEO Council shall operate less than two thirds of consensus nodes by the end of quarter 1, 2018.
Universal Data Format for Wallet/Node Prog.
▪ NEP2 – Private Key Encryption/Decryption (2017Q4) - Method for encrypting and encoding a passphrase-protected private key.
▪ NEP3 – Universal Data Format (2017Q4) – Standard data format to allow easier wallet and node programming.
https://neo.org/en-us/blog/details/65
Promotion/Ecosystem
▪ Globally Legal Token-raising Framework (2017Q4) – Following government interest to regulate ICO’s, NEO will complete a framework to raise tokens legally in all major markets by the end of 2017.
▪ NEO DevCon 1 (2017Q4) – First NEO Development Conference! More details at later date.
▪ CoZ Funding (2017Q4) – Continuous funding plan for CoZ covering next 5 years.
▪ Seed Projects (2017Q4) – First seed projects to be cross-invested with the dedicated NEO pool.
https://neo.org/en-us/blog/details/65
https://github.com/neo-project
Repositories - 14
People - 5
Contributors- 12
https://github.com/CityOfZion
Repositories - 35
People - 14
Contributors- 22
https://github.com/DNAProject/DNA
Repositories - 4
Contributors - 17
Donations welcome: ASdNxSa3E8bsxCE9KFKBMm3NA43sYJU9qZ
submitted by NEOcryptotrader to CryptoCurrency [link] [comments]

renting Quantum computer for mining Etherium in 2017? QASM is here and it's API 3 MILLION BITCOIN IN 2 SECONDS: GOOGLE QUANTUM COMPUTER  $1,000 BTC Price Analysis Bitcoin Q&A: Migrating to post-quantum cryptography Will Quantum Computing Destroy Bitcoin? New quantum computer miner with using multiverse for Bitcoin mining.

Bitcoin Post-Quantum is a bit different than Bitcoin. Instead of multiple addresses, the best practice is to reuse a single address. In contrast with Bitcoin the address can be used a limited number of times (from a thousand to a million, depending on the chosen height of the Merkle tree). You can receive coins to your address if you had bitcoins in your wallet at the time of the fork, or by ... Quantum computing is typically feared due to its potential to render bitcoin obsolete by cracking its cryptography. However, one analyst alleges that there may be a much simpler way to do it: by beating bitcoin at its own game. The Quantum Threat. A Medium post theorized on the capabilities of the quantum computer, “Sycamore,” Google’s latest quantum breakthrough. Sycamore, which ... How To use a QC for Bitcoin Mining. So this brings us to how I used the quantum computer to solve the bitcoin mining problem. If you have 9 qubits, you can try out all the values from 1 to 511 simultaneously. If you had 64 bits, you could try out the hash algorithm for all possible values of x to figure out which ones when input into function f ... Through the sheer speed of computation, a quantum computer could overwhelm the rest of the miner nodes on the Bitcoin network and attain at least 51 percent of the network’s hash rate. As such, the quantum computer would be able to create and validate blocks on its own, erasing all of the trust users now have in Bitcoin’s blockchain. Since Google announced that it achieved quantum supremacy there has been an increasing number of articles on the web predicting the demise of currently used cryptography in general, and Bitcoin in particular. The goal of this article is to present a balanced view regarding the risks that quantum computers pose to Bitcoin.

[index] [8620] [3871] [29588] [37225] [11333] [47667] [33356] [14531] [20873] [42206]

renting Quantum computer for mining Etherium in 2017? QASM is here and it's API

Keywords/phrases: Quantum cryptography, quantum cryptoanalysis, quantum computing. Bitcoin uses SHA-256. In cryptography there is a 20-30 year lifecycle for an algorithm before it gets exceeded by ... New quantum computer miner with using multiverse for Bitcoin mining. If you want know how it work, use me pool for mining https://zmining.in.ua/ PS:music Fringe - Theme. Bitcoin Mining with Decentralized Super Computer (Elastic PL use-case) - Duration: 14:08. ... Bitcoin Q&A: Migrating to post-quantum cryptography - Duration: 6:47. aantonop 21,441 views. 6:47 ... Keywords/phrases: Quantum cryptography, quantum cryptoanalysis, quantum computing. Bitcoin uses SHA-256. In cryptography there is a 20-30 year lifecycle for ... No. Sources: We’re Close to a Universal Quantum Computer, Here’s Where We're At https://www.youtube.com/watch?v=6yaY4Fw-ovM&t=403s McAfee Interview - ICO Shi...

#