Board: Wallet software
Re: Should wallets warn if you re-use addresses due to quantum computers?
by Satofan44 on 22/07/2025, 15:04:03 UTC
[...] the security of Bitcoin as a whole doesn't rely on how many addresses are vulnerable. It is based on whether any of them are. In other words, if one address were vulnerable then the whole system would have been considered vulnerable. [...] This is why I've always said the move to a new algorithm should be done through a hard fork with a deadline, and any coins that don't move before that deadline should be considered unspendable.
Thanks for your explanation. I can understand the logic now even if I don't really agree. For example, we already have some vulnerable addresses now, such as those created with low entropy. That's a small percentage (hopefully), but they exist, and I wouldn't consider them a security threat.
I agree that the logic is clear, but the conclusion is completely false. There have always been and there will always be vulnerable addresses. There is nothing that can be done about this. This is not how Bitcoin's security model works. What matters primarily is whether the system or protocol as a whole is broken or not.

My stance against Jameson Lopp's approach is based on simply trying to evaluate the "catastrophe potential" of the following threats:

- market disruptions and feelings of unsafety due to massive sales of quantum hacked vulnerable coins
- disruptions and inefficiencies due to the (much) higher data consumption of post-quantum signatures like FALCON-512
- the possibility that one of the "post quantum" schemes discussed today isn't as secure as thought (which was one of the main points in the early BIP360 discussion)

And I think Lopp underestimates the problems of the second and third threat. That's why I'm favouring an optional approach. A stricter "no reuse" policy in wallets including warnings would fit with this approach.
Optional new address type and stricter "no reuse" policy combined with social educational campaigns would be a good combination, and much less controversial. Don't let perfect be the enemy of good. Still, the question remains open as to what kind of signature type should we use for the new address type.

I think it would be worthwhile to do a deeper analysis of this situation,
I had (last year or so) seen a better analysis, but unfortunately I lost the link and haven't found it. I agree that a more detailed view would be desirable to really assess the magnitude of the problem.
If you do find it, please share it here.

Do you have an idea what an exchange could do instead of their current setups? I don't think not reusing cold storage wallets is feasible for them right now.
I'm no expert on that matter. From my knowledge it should be possible to create a setup where a cold wallet only receives coins (this doesn't add the vulnerability, of course) and regularly, when coins are needed for the hot wallet, is "renewed" (i.e. all coins are sent to other addresses, dividing them between "hot wallet" and "continue in cold wallet"). But of course this could create higher fee costs than a single, re-used cold wallet where UTXOs could be directed individually to the hot wallet.

Multisig wallet looks like a good idea to improve security.
Imagine this. All your wealth is in a single bank vault, the best bank vault that you could make. Every time you need some extra money in your wallet, you move all your wealth to another bank and take some money for yourself. Doing this each time creates a huge surface for human error and security compromise. This is why I don't believe there is a good and practical solution for exchanges and institutions.

@Forsynth Jones: Thanks for the mention of Sparrow. It's a wallet I always wanted to test but never did (because in the end it didn't deliver the features I would consider important in comparison to Electrum). I may take the opportunity to finally do that and check out their warning policy.
Off topic, but what is it that is missing for you compared to Electrum?



Not quite per se.
Here you can see where there was a flaw in the random number generator for ECDSA and some addresses were affected:
https://bitcointalk.org/index.php?topic=581411.0
It is just users who weren't there rehashing text that they have read elsewhere. Just because someone isn't aware of something, that doesn't mean that it didn't happen. Address reuse is both a privacy and security mistake, always has been.
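The thread asks whether wallets should warn about reuse, and the exchange-wallet discussion above describes "renewing" a cold wallet by sweeping everything to fresh addresses. As an added illustration (not code from the thread, from Sparrow or from Electrum), here is the check a wallet could run over its own transaction history: it flags incoming payments to an address that was already used, and it reports which funds currently sit on addresses whose public key is already visible on chain because they have been spent from. The transaction events, addresses and amounts are constructed sample data; `addr_A`, `addr_B`, `addr_C` and the `TxEvent` shape are assumptions for the example, not real chain data.

```python
"""Address-reuse checker over a wallet's own history (constructed sample data).

Two conditions a reuse-warning policy cares about:
  * a payment arrives at an address the wallet has already used, and
  * an address has been spent from (its public key is on chain) but still
    holds a balance, i.e. funds protected only by the exposed key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxEvent:
    txid: str      # constructed identifier, not a real transaction id
    address: str   # constructed label, not a real Bitcoin address
    kind: str      # "receive" (output to our address) or "spend" (our input)
    amount: int    # satoshis


# Constructed history: addr_A is paid, then fully spent in tx2 with the change
# going to the fresh address addr_B (the "renewal" pattern from the thread),
# then addr_A is reused in tx3. addr_C is a normal single-use address.
SAMPLE_EVENTS = [
    TxEvent("tx1", "addr_A", "receive", 100_000),
    TxEvent("tx2", "addr_A", "spend", 100_000),   # reveals addr_A's pubkey
    TxEvent("tx2", "addr_B", "receive", 40_000),  # change to a new address
    TxEvent("tx3", "addr_A", "receive", 50_000),  # reuse of an exposed address
    TxEvent("tx4", "addr_C", "receive", 200_000),
]


def address_state(events):
    """Per-address balance, receive count and whether the pubkey is exposed."""
    state = {}
    for ev in events:
        s = state.setdefault(ev.address,
                             {"balance": 0, "receives": 0, "exposed": False})
        if ev.kind == "receive":
            s["balance"] += ev.amount
            s["receives"] += 1
        elif ev.kind == "spend":
            if ev.amount > s["balance"]:
                raise ValueError(f"{ev.txid}: spend exceeds balance of {ev.address}")
            s["balance"] -= ev.amount
            s["exposed"] = True  # any spend puts the public key on chain
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return state


def reuse_warnings(events):
    """Warnings for every incoming payment to an address already used before."""
    seen = set()
    warnings = []
    for ev in events:
        if ev.kind != "receive":
            continue
        if ev.address in seen:
            warnings.append(
                f"{ev.txid}: {ev.amount} sat received on already-used address {ev.address}")
        seen.add(ev.address)
    return warnings


def exposed_funds(events):
    """Return (dict of exposed address -> balance, fraction of total balance exposed)."""
    state = address_state(events)
    total = sum(s["balance"] for s in state.values())
    exposed = {addr: s["balance"] for addr, s in state.items()
               if s["exposed"] and s["balance"] > 0}
    fraction = sum(exposed.values()) / total if total else 0.0
    return exposed, fraction


if __name__ == "__main__":
    for w in reuse_warnings(SAMPLE_EVENTS):
        print("WARNING:", w)
    exposed, frac = exposed_funds(SAMPLE_EVENTS)
    print(f"funds on exposed-pubkey addresses: {exposed} ({frac:.1%} of balance)")
```

On the sample history the checker raises one warning (the tx3 payment back to addr_A) and reports that addr_A still holds 50,000 sat on an address whose key is already public, while addr_B and addr_C, which have never been spent from, are not listed. The "renewal" sweep in tx2 is exactly what moves funds off the exposed key; the later reuse undoes that benefit, which is the situation a warning is meant to catch.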