4

I've read a great deal about the impact of quantum computing on cryptocurrencies in:

IOTA also claims to be quantum resistant, unfortunately in their whitepaper that is just briefly mentioned in the last paragraph.

I believe they are talking about the impact from Grover's algorithm where doubling the bit-size help. I can't find any information on how they deal with signatures (which would be broken due to Shor's algorithm) however.

Their wallet code mentions:

You can use an address for receiving as long as you have not used it for any outgoing transaction. What this means is that once you have sent a transaction with a specific address as input, you should never use it again. This is because IOTA uses Winternitz one-time signatures which degrade security exponentially after each reuse.

So I suppose they are using a Winternitz variant of Lamport's OTS scheme. But how exactly?

I also found an interesting pull request

In order to prevent the reUse of adresses a message could be display to say that if you re-use the same adresses for transaction the security of your wallet will decrease quadratically .

What does it mean that the "security of your wallet decreases quadratically"? Do they have some Merkele tree with keys to be used? Or how is the relation between address and public/private key in IOTA? If there can only be one transaction with a given input that somehow implies that you always have to transfer all funds?

fiction
  • 518
  • 3
  • 13

1 Answers1

3

Yes, it uses a Winternitz OTS scheme. It is believed that Lamport signatures would still be secure against a quantum adversary. No merkle signature scheme used with IOTA for transactions, as the result of a number of design and security decisions, for instance, signature size. It was a conscious decision to not use a stateless merkle scheme like sphincs. So yes, you should always transfer change to a new address. The implications of reusing a private key in a lamport scheme is that each reuse halves the security level of the signature (assuming a random message).

Paul
  • 146
  • 2
  • So basically it boils down to: if i have two bitstrings of identical length, how many bits with same index (on average) will be different? Because for all those positions it is possible to spoof the signature bit in whatever way you want (for others just the exact value) Probability of zero or one is 0.5 like with a coin toss. This means that for half of the indices we win. With 3 bitstrings the question is basically what is the probability I tossed 3 same results. (0.5*0.5) and then for n (0.5)^(n-1). That is the unfavourable case and that the outcome played nice is then 1 - (0.5)^(n-1). – fiction Aug 23 '17 at 19:40
  • Instead of solving it through protocol IOTA then relies on a "smart" client. I'd expect that the change is automatically returned to a newly generated address of mine? Not completely sure, what does it mean that an "address is attached to the tangle" (which happens when you generate a new address through the light client)? Isn't that something that can be done locally? – fiction Aug 23 '17 at 19:48
  • 1
    Found https://www.reddit.com/r/Iota/comments/6jknwe/purpose_of_attaching_an_address_to_tangle/ already regarding "attachment". – fiction Aug 23 '17 at 19:51