{"type":"rich","version":"1.0","title":"Lloyd Fournier [ARCHIVE] wrote","author_name":"Lloyd Fournier [ARCHIVE] (npub1kh…y05yp)","author_url":"https://yabu.me/npub1khlhcuz0jrjwa0ayznq2q9agg4zvxfvx5x7jljrvwnpfzngrcf0q7y05yp","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2021-04-04\n📝 Original message:On Tue, 16 Mar 2021 at 11:25, David A. Harding via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e\n\u003e I'm curious about whether anyone informed about ECC and QC\n\u003e knows how to create output scripts with lower difficulty that could be\n\u003e used to measure the progress of QC-based EC key cracking.  E.g.,\n\u003e NUMS-based ECDSA- or taproot-compatible scripts with a security strength\n\u003e equivalent to 80, 96, and 112 bit security.\n\n\nHi Dave,\n\nThis is actually relatively easy if you are willing to use a trusted setup.\nThe trusted party takes a secp256k1 secret key and verifiably encrypts it\nunder a NUMS public key from the weaker group. Therefore, if you can crack\nthe weaker group's public key, you get the secp256k1 secret key.\nCamenisch-Damgard[1] cut-and-choose verifiable encryption works here.\nPeople then pay the secp256k1 public key funds to create the bounty. As\nlong as the trusted party deletes the secret key afterwards, the scheme is\nsecure.\n\nSplitting the trusted setup among several parties where only one of them\nneeds to be honest looks doable but would take some engineering and\nanalysis work.\n\n[1] https://link.springer.com/content/pdf/10.1007/3-540-44448-3_25.pdf\n\nCheers,\n\nLL"}
