So what are we doing about the quantum elephant in the room? \ stacker news ~bitcoin

So what are we doing about the quantum elephant in the room?

4455 sats \ 22 comments \ @BlueSlime 22 Dec 2023 bitcoin

I believe it is not a matter of if, but when ECDSA is broken by a quantum computer running Shor's algorithm.

When this happens, all P2PK and all P2TR (including "script only" addresses) will become immediately compromised. Any hash-obfuscated addresses (like P2PKH or P2SH) will be safe, however any attempts to spend them will be vulnerable to attack once a spend tx hits the mempool.

One option is to do nothing, while joking about how IBM can't build a qbit processor that reliably factors beyond double-digits. Indeed, there is skepticism whether quantum computers can ever scale. However I think betting against IBM (and every nation-state interested in breaking ECDSA) is a stupid move, and we should maybe start thinking about what a post-quantum bitcoin future would look like.

There are proposals for a quantum-resistant signature scheme to replace ECDSA, and the current front-runner (that I am aware of) is lattice-based cryptography. This form of cryptography goes well over my head, and is still in an experimental stage.

I am curious what other people think about this subject.

How worried are you about ECDSA being broken in the next 30 years?
How close are we to building a quantum processor that can actually scale?
What are some promising or cool solutions that could replace ECDSA?

For me personally, I am worried that we currently do not have any experimental alternatives in place, just in case some radical development happens to accelerate things. Also, lattices make my brain melt. 🫠

view all related items

687 sats \ 1 reply \ @HardMoney 23 Dec 2023

I’m guessing some BIPs and solutions would accelerate if quantum became a threat.

Would the threat always be from the perspective of reverse engineering an address or theoretically could it create collisions with the private key without needing to know a corresponding address?

0 sats \ 0 replies \ @BlueSlime OP 23 Dec 2023

For Shor's algorithm, you would need the public key as a starting point.

This is why addresses that use a pubkey (without any hashing) are immediately vulnerable.

Someone else in the thread also mentioned lightning nodes, which reveal their public key often.

303 sats \ 6 replies \ @harrr 22 Dec 2023

ECDSA being broken doesn't break bitcoin, unless you use bitcoin incorrectly (address re-use).

687 sats \ 0 replies \ @HardMoney 23 Dec 2023

Receiving and spending from the same address?

Would multiple receipts to the same address also be compromised if the address has never been spent from?

0 sats \ 2 replies \ @BlueSlime OP 24 Dec 2023

It breaks P2PK and P2TR immediately. You are right that it also breaks addresses that have been re-used, since the pubkey has been revealed.

0 sats \ 1 reply \ @harrr 24 Dec 2023

It breaks P2PK and P2TR immediately

A quantum computer that can break ECDSA "immediately" is science fiction. Even when we have working quantum computers we'd probably still have decades or centuries before they can perform the necessary attack in the required time. It will be trivial to upgrade bitcoin when necessary.

0 sats \ 0 replies \ @BlueSlime OP 24 Dec 2023

when an attack becomes feasible, those address types are already compromised, so they will immediately become vulnerable

you are debating when an attack will become feasible, which is fine

I don't know about centuries, or it will be trivial to upgrade, lol

0 sats \ 1 reply \ @CruncherDefi 23 Dec 2023 freebie

ECDSA being broken doesn't break bitcoin, unless you use bitcoin incorrectly (address re-use).

So you're saying that Lightning Network is using bitcoin incorrectly? In LN you reveal your public key when setting up the channel.

It just one example of how you oversimplification is plainly wrong. There are legitimate use-cases that require revealing the public key.

115 sats \ 3 replies \ @badabing 23 Dec 2023

Here we go again with the FUD..

131 sats \ 0 replies \ @CruncherDefi 23 Dec 2023

Oh come on. It's a legitimate problem that needs to be addressed at some point. Closing your eyes and pretending there is no problem is very irresponsible thing to do.

Gladly developers/builders are not like that and are actively researching the problem and solutions.

Still, downplaying the problem by network participants is actively harmful to the network.

0 sats \ 1 reply \ @BlueSlime OP 24 Dec 2023

Can you elaborate?

0 sats \ 0 replies \ @badabing 24 Dec 2023

Some of us just get tired of seeing these posts. Maybe the below articles can provide some insights?

https://endthefud.org/tech

1 sat \ 1 reply \ @legxxi 23 Dec 2023

Quantum computing as a field is obvious bullshit

https://scottlocklin.wordpress.com/2019/01/15/quantum-computing-as-a-field-is-obvious-bullshit/

0 sats \ 0 replies \ @BlueSlime OP 24 Dec 2023

Aside from all the snark and blatantly false statements, you could replace "quantum computing" with "machine learning" and pretty much make the same exact argument. And 5-10 years ago, you would be right.

Also, IBM's Quikset program let's you run computation on their quantum machines for free if you want to test whether they are real or not.

1 sat \ 1 reply \ @hisatoshi 23 Dec 2023

In terms of the current state of quantum computing, while IBM and other organizations have made significant progress in developing quantum processors, it is still a developing technology that faces many technical challenges before it can be scaled up to the point where it can reliably factor large numbers. It's important to keep in mind that the development of practical quantum computers is a complex and ongoing process, and it's difficult to predict exactly when or if it will happen.

0 sats \ 0 replies \ @BlueSlime OP 24 Dec 2023

It's difficult to predict when breakthroughs will happen but a practical quantum computer is not outside the realm of possibility. It would be nice to have a backup plan.

0 sats \ 0 replies \ @thursday 24 Dec 2023

You bring up a good point. DoD recently has been looking for both a way in and resistance to "Q day".

As for bitcoin, it's not ECDSA alone, but even sha256 becomes more vulnerable. ⚰️

On the plus side, there's work right now in building out [zk stark proof]https://www.techopedia.com/definition/zero-knowledge-stark-zkstark) used by zerosync. But that would also require a full state proof implementation for bitcoin. Something that is likely away from realization by at least a decade. 🫠

0 sats \ 1 reply \ @quark 23 Dec 2023

Do not be worried. There are already alternatives to it. We would fork to a quantum resistant method in a moment. There is just no need to accelerate anything right now because the keys would be much larger in size. Just be happy and keep stacking ;)

0 sats \ 0 replies \ @BlueSlime OP 24 Dec 2023

Do you know of any projects that you can link to?

0 sats \ 1 reply \ @BitcoinIsTheFuture 23 Dec 2023

Tons of smart builders in the space attacking issues as they become real threats. In time my friend!

0 sats \ 0 replies \ @BlueSlime OP 24 Dec 2023

Do you have any examples that I can check out?