Bitcoin Forum
Topic: Feature request: Quantum resistant watching only wallets
TierNolan (OP)
October 06, 2025, 07:19:06 PM
 #1

I realize that new features aren't really a thing but I was thinking about quantum computer vulnerabilities.

Normally, as long as you don't re-use addresses, P2PK addresses (as Armory uses) are safe from quantum attack.

An attacker would need to be able to break the signature algorithm in the time between when the transaction is broadcast and confirmed in the blockchain.

However, the way Armory works, it has an additional vulnerability.

An Armory watching-only wallet has 2 pieces of information. 

It has a chain code and the root public key.

Using the chain code with a public key, it is possible to generate the next public key.

This allows the watching only wallet to generate all the public keys for the wallet, one after another.

The problem is that a quantum computer can convert a public key into a private key.

It could be used to convert the root public key from the watching-only wallet into the root private key.  This has the effect of converting the watching-only wallet into a full wallet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A defense against this would be to encrypt the root public key and pre-generate all the addresses.

The client could ask for the password, generate 1000 or so addresses, and then store them in an unencrypted file.

That way the watching only wallet could monitor for those addresses without having access to the public key.

When the client runs low on new addresses, it could ask for the password and then create 1000 more addresses.

This means that the watching only wallet is convenient to use.  It would only require the password a small number of times.  Many users would only use the password once, when setting it up.

A watching-only wallet paper backup would still be a vulnerability though.

PostQuantumBTC
October 06, 2025, 07:43:38 PM
 #2

Quote
Normally, as long as you don't re-use addresses, P2PK addresses (as Armory uses) are safe from quantum attack.

This is not true. P2PK means Pay to Public Key, which is not a bitcoin address that bitcoin was sent to; it was sent to a public key, and that is enough for the bitcoin sent to the public key not to be safe from quantum computers if there comes a time when quantum computers become a threat to bitcoin.

You do not need to give yourself a headache: do not reuse bitcoin addresses, which will make your bitcoin resistant to quantum computers. That is what is very necessary to do.

Quote
A watching-only wallet paper backup would still be a vulnerability though.

I back up the seed phrase, not public keys. Also, if you are able to secure your seed phrase, the public key should not be a problem.
goatpig
Moderator
Armory Developer
October 07, 2025, 11:12:39 AM
 #3

Quote
This is not true. P2PK means Pay to Public Key, which is not a bitcoin address that bitcoin was sent to; it was sent to a public key, and that is enough for the bitcoin sent to the public key not to be safe from quantum computers if there comes a time when quantum computers become a threat to bitcoin.

There is very little P2PK use in bitcoin. The most common legacy output type in Bitcoin is P2PKH, as in pay to public key hash. This isn't significantly different from SegWit P2WPKH. At any rate, the only real difference is when the public key is revealed: when receiving coins (P2PK) or when spending them (P2PKH).

Quote
The problem is that a quantum computer can convert a public key into a private key.

I'm not sure what your quantum threat model is. These claims are all speculative and up in the air. There's a question out there of whether such a speculative attack applies to simply a public key, or to a public key + signature, which changes the threat model a lot.

Quote

An Armory watching-only wallet has 2 pieces of information.

It has a chain code and the root public key.

BIP32 hierarchically deterministic wallets have both chaincodes and node pub keys too. BIP32 is inspired by Armory's design. Armory's design is less versatile and more expensive, but more robust. Each address is a "hard" derivation of the previous one. If you reveal a private key + chaincode, you can compute only later key pairs.
BIP32 address chains employ soft derivation, for the most part because it was designed by the guys from Trezor, to fit weak embedded hardware specs. If you reveal a private key + chaincode, you can derive all key pairs for the node, even those that precede the revealed private key.

Quote
A defense against this would be to encrypt the root public key and pre-generate all the addresses.

New wallet format for 0.97 comes with public data encryption.

TierNolan (OP)
October 14, 2025, 11:52:20 PM
 #4

Quote
There is very little P2PK use in bitcoin. The most common legacy output type in Bitcoin is P2PKH, as in pay to public key hash. This isn't significantly different from SegWit P2WPKH. At any rate, the only real difference is when the public key is revealed: when receiving coins (P2PK) or when spending them (P2PKH).

Sorry, I meant P2PKH outputs.  Bad typo :)

If you spend one of them, then you must publish the public key.  They are therefore safe until one of them is spent.

Once an address is used once, then all future coins held at that address could be stolen.

Quote

Quote
The problem is that a quantum computer can convert a public key into a private key.

I'm not sure what your quantum threat model is. These claims are all speculative and up in the air. There's a question out there of whether such speculative attack applies to simply a public key, or public key + signature, which changes the threat model a lot.

It is possible for a quantum computer to take a public key (point) and work out the corresponding private key.

Shor's algorithm can be tweaked slightly to do elliptic curves.

This assumes that quantum computers actually work and have the accuracy to do crypto breaking.

As I understand it, Armory watching only wallets generate all the public keys based on a root public key and the chain code.

A spending wallet has the root private key and the chaincode.  It can do the same generation process, but gets the private keys.

You could use a quantum computer to break all of the public keys after generating them.

However, by breaking the root public key, you can convert a watch-only wallet into a full wallet, which would be just 1 break required.

Quote
If you reveal a private key + chaincode, you can compute only later key pairs.

Right, though a watching-only wallet has the first public key and the chain code.

Quote
Quote
A defense against this would be to encrypt the root public key and pre-generate all the addresses.

New wallet format for 0.97 comes with public data encryption.

It is intermediate security.

It would mean just the public key (and chaincode) to be encrypted. 

The user would just need to enter their password to generate new addresses.

The aim is to have similar security as before quantum, with a little increase in hassle (password required every few hundred addresses used).

Watching only wallet -> privacy if lost
Spending wallet -> coins if lost

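To make the derivation discussed in posts #1, #3 and #4 concrete, here is an added example in pure Python. It is not Armory's code and not the BIP32 reference code; it implements BIP32-style derivation on secp256k1 with a constructed seed and shows three things: the watching-only pair (root public key, chaincode) yields exactly the public keys the spending wallet's (root private key, chaincode) yields; hardened ("hard") children cannot be produced from public data; and a pre-generated batch of address hashes, as post #1 proposes, can be stored in a file that holds neither the root public key nor the chaincode. It also includes the soft-derivation caveat goatpig raises in post #3: one soft child private key plus the parent public key and chaincode gives back the parent private key. Armory's own scheme differs in detail (every Armory step is a hard derivation, per post #3); the BIP32 form is used because it is publicly specified. All function names, the seed and the hash fallback are assumptions made for this example.

```python
import hashlib
import hmac

# secp256k1 parameters (the curve Bitcoin uses for its keys)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: indices >= 2^31 are "hard" derivations

# Constructed seed for the demo; not a real wallet.
SEED = b"constructed example seed, not a real wallet"

def _add(p1, p2):
    """Affine point addition on secp256k1 (a = 0); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt=G):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def ser_p(pt):
    """33-byte compressed SEC encoding of a point."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def _hmac512(chaincode, data):
    """BIP32 step: I = HMAC-SHA512(key=chaincode, data); returns (I_L as int, I_R)."""
    i = hmac.new(chaincode, data, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def master_from_seed(seed):
    """BIP32 master private key and chaincode from a seed."""
    return _hmac512(b"Bitcoin seed", seed)

def ckd_priv(k_par, c_par, i):
    """Spending wallet: parent private key + chaincode -> (child private key, child chaincode)."""
    if i >= HARDENED:  # hard derivation mixes in the private key itself
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:              # soft derivation only uses the public key
        data = ser_p(_mul(k_par)) + i.to_bytes(4, "big")
    il, c_i = _hmac512(c_par, data)
    return (il + k_par) % N, c_i

def ckd_pub(K_par, c_par, i):
    """Watching-only wallet: parent public key + chaincode -> (child public key, child chaincode)."""
    if i >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    il, c_i = _hmac512(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return _add(_mul(il), K_par), c_i

def recover_parent_priv(k_child, K_par, c_par, i):
    """Soft-derivation caveat (BIP32): one soft child private key plus the parent's
    public key and chaincode, i.e. the watch-only data, yields the parent private key."""
    il, _ = _hmac512(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return (k_child - il) % N

def pubkey_hash(pubkey_bytes):
    """hash160 = RIPEMD160(SHA256(pubkey)); falls back to truncated double SHA-256 where
    OpenSSL is built without RIPEMD-160 (an assumed stand-in, not a real address hash)."""
    h = hashlib.sha256(pubkey_bytes).digest()
    try:
        return hashlib.new("ripemd160", h).digest()
    except ValueError:
        return hashlib.sha256(h).digest()[:20]

def pregenerate_address_hashes(K_root, c_root, count):
    """Post #1's proposal: derive a batch of addresses (pubkey hashes) once, so the
    watch-only file can monitor them without holding K_root or c_root at all."""
    return [pubkey_hash(ser_p(ckd_pub(K_root, c_root, i)[0])).hex() for i in range(count)]

def demo(count=3):
    """Both wallets derive the same public keys; only the spending wallet learns private keys."""
    k_root, c_root = master_from_seed(SEED)
    K_root = _mul(k_root)
    for i in range(count):
        assert _mul(ckd_priv(k_root, c_root, i)[0]) == ckd_pub(K_root, c_root, i)[0]
    return pregenerate_address_hashes(K_root, c_root, count)
```

Run `demo()` to get the batch of address hashes a watch-only file would hold under the post #1 scheme. The point of `recover_parent_priv` is the defensive one from post #3: a watch-only file that keeps the root public key and chaincode is only as safe as every soft child private key ever derived from it, which is one more reason to keep the root public data encrypted (as the 0.97 format does) or out of the file entirely.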
goatpig
Moderator
Armory Developer
October 15, 2025, 08:36:38 AM
 #5

Quote
It is intermediate security.

It would mean just the public key (and chaincode) to be encrypted.

Again, in what threat model?

1) If the attacker can access data at rest, he still has to break encryption to reveal the root pubkey and chaincode with a wallet that encrypts its public data.
2) If this is an adversary scenario, there's a wealth of things the attacker can do with today's technology that jeopardize your coins. Such an attacker does not need to defeat any of the ECC security assumptions, by quantum means or otherwise.

Quote
The aim is to have the similar security as before quantum, with a little increase in hassle (password required every few hundred addresses used)

How is this different from importing a bunch of public keys into the wallet at your own convenience? New wallet code allows for that.
