This is a quick note to jot down an idea I had the other day.
Silent payments (BIP352) are a very neat little cryptographic trick we can do today with elliptic curves to derive unlinkable addresses from a single static pubkey. But unfortunately it seems they admit a harvest-now-decrypt-later (HNDL) deanonymization attack if and when ECDLP is ever broken. This means the full transaction history of everyone using silent payments today will eventually be public knowledge, if silent payment addresses are cached today.
Basics
Silent payments work roughly like so.
- Receiver Bob generates a secret key and publishes public key .
- Sender Alice has a coin held on public key that she wants to send to Bob.
- Alice computes an ECDH shared secret .
- Alice randomizes Bob’s pubkey using :
- Alice pays her coin to .
- Bob scans the blockchain and for each TX he computes a shared secret with the sender’s key and checks if any outputs are a silent payment.
- If , then , and Bob found Alice’s payment.
- Bob computes the secret key to spend the coin.
Classically this is secure: Only Bob can recover the new spending key
It is also private: Nobody can link
HNDL
But if ECDLP is ever broken, say if a cryptographically-relevant quantum computer (CRQC) existed, then an attacker could invert the receiver’s public key
This is a bit different from traditional BIP32-based HD wallets, where a CRQC would need the chain code from an xpub to link payments from/to distinct addresses. Most HD wallets discourage users from publishing xpubs online because they leak your entire past and future transaction history, but silent payment (SP) wallets encourage posting SP addresses publicly on the internet, based on the premise that randomizations of the SP public key are unlinkable.
This may hold for today, but with HNDL, attackers can store SP addresses posted today and deanonymize them later if/when ECDLP breaks.
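Added example (not code from the original note, and not BIP352 itself): a simplified pure-Python model of the Basics steps above on secp256k1, followed by the HNDL point of this section. It omits BIP352's scan/spend key split, input hashing and tagged hashes, using plain SHA-256 of the ECDH point as the tweak. The curve arithmetic and the tiny fixed secrets are constructed for a deterministic demo. `link_history` shows why a stored SP address matters: the scan Bob runs today is exactly what someone who later recovers Bob's secret key from the cached public key would run over the whole chain.

```python
"""Simplified silent-payment walk-through on secp256k1 (pure Python, no deps).

Added example; NOT BIP352 itself (no scan/spend key split, no input hash,
plain SHA-256 instead of a tagged hash), but the same ECDH-then-tweak shape.
"""
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def compress(pt):
    """33-byte compressed SEC encoding of an affine point."""
    return (b"\x02" if pt[1] % 2 == 0 else b"\x03") + pt[0].to_bytes(32, "big")


def tweak(shared_point):
    """t = H(shared secret) mod n (plain SHA-256 here; BIP352 uses a tagged hash)."""
    return int.from_bytes(hashlib.sha256(compress(shared_point)).digest(), "big") % N


def sender_output(a, B):
    """Alice: shared = a*B, output key = B + H(shared)*G."""
    return ec_add(B, ec_mul(tweak(ec_mul(a, B)), G))


def receiver_scan(b, A, outputs):
    """Bob: shared = b*A; returns [(spend_key, output)] for matching outputs.
    The spend key is b + t, since the output is (b + t)*G."""
    t = tweak(ec_mul(b, A))
    expected = ec_add(ec_mul(b, G), ec_mul(t, G))
    return [((b + t) % N, out) for out in outputs if out == expected]


def link_history(b, ledger):
    """Whoever holds b (Bob today, or a CRQC holder who inverted a cached B
    later) runs Bob's own scan over every stored tx and gets his full history."""
    return [out for A, outputs in ledger for _, out in receiver_scan(b, A, outputs)]


# Constructed small secrets so the demo is deterministic (demo values only)
BOB_SECRET = 0x1B0B
DAVE_SECRET = 0xDA7E
ALICE_SECRET = 0xA11CE
CAROL_SECRET = 0xCA201
BOB_PUB = ec_mul(BOB_SECRET, G)    # the silent-payment key Bob posts publicly
DAVE_PUB = ec_mul(DAVE_SECRET, G)  # an unrelated receiver, for contrast


def build_ledger():
    """Three constructed txs: Alice->Bob, Carol->Bob, Carol->Dave. Each entry is
    (sender input pubkey, [output keys]); nothing on chain names Bob."""
    return [
        (ec_mul(ALICE_SECRET, G), [sender_output(ALICE_SECRET, BOB_PUB)]),
        (ec_mul(CAROL_SECRET, G), [sender_output(CAROL_SECRET, BOB_PUB)]),
        (ec_mul(CAROL_SECRET, G), [sender_output(CAROL_SECRET, DAVE_PUB)]),
    ]


if __name__ == "__main__":
    ledger = build_ledger()
    print("Bob's outputs found with b:", len(link_history(BOB_SECRET, ledger)))
```

The two payments to Bob are distinct, unrelated-looking points on chain, and scanning with Dave's key finds nothing; only knowledge of Bob's secret scalar ties them together, which is exactly what the HNDL concern assumes an attacker eventually obtains from a stored SP address.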
Conclusion
So all this is to say: If you use silent payments today then just bear in mind that even if you successfully move all your coins to quantum-safe addresses before Q-day, your silent payment history may not remain so silent forever. If this worries you, I suggest treating your SP address more as you would treat a BIP32 xpub.
Thankfully this attack requires the quantum-enabled attacker to have stored your silent payment address. Without it, the shared secret hash
SP addresses are normally posted off-chain which makes an HNDL attack somewhat harder to execute on a massive scale. I expect this attack will affect only those who post SP addresses very publicly, e.g. on their social media profiles or websites, where anyone can scrape them. SP addresses given out privately off-chain seem less likely to be stored, and so are less likely to be victimized later.