Daira-Emma Hopwood

Results: 724 comments by Daira-Emma Hopwood

@shielded-nate mentioned Bitcoin-style wallets that do not follow ZIP 317:

> This is a practical migration strategy to nudge older bitcoin-style wallets towards the prescribed fee regime.

The reason why...

@imichaelmiers Post-quantum security does not mean security against computationally unbounded attackers. The commitment scheme [in Sprout] is post-quantum secure if the SHA-256 compression function is a post-quantum collision-resistant PRF. (It...

Grover's algorithm (the multi-target version) is provably optimal for a black-box quantum preimage search. I think there is considerable value in choosing parameters to resist that if we can do...

@defuse wrote:

> Grover can also be used to speed up collision-finding to the cube-root rather than the square-root, e.g. http://arxiv.org/pdf/quant-ph/9705002.pdf

Dan Bernstein [disagrees](https://cr.yp.to/hash/collisioncost-20090823.pdf):

> A quantum algorithm by Brassard,...

Note that Pedersen commitments are not post-quantum binding. Neither are the potentially more SNARK circuit-efficient commitments in section 4 of https://eprint.iacr.org/2014/719. Later edit: commitments based on circuit-efficient hashes such as...

BTW, let's agree to use "[plausibly] post-quantum" only for protocols that, as far as we know now, actually have some hope of being secure against quantum computers. Let's use "plausibly...

I'd like to reiterate that Zcash, as it stands, is already conjectured to be PPQ forward private when addresses are kept secret.

@elibensasson et al's work on post-quantum STARKs is relevant here: https://www.youtube.com/watch?v=HJ9K_o-RRSY

See https://github.com/zcash/zcash/issues/570#issuecomment-296450324 for a note on PPQ forward privacy.

https://www.youtube.com/watch?v=kYmnXxs9kUM is a version of Eli's talk with more technical detail.