I believe it is not a matter of if, but when ECDSA is broken by a quantum computer running Shor's algorithm.
When this happens, all P2PK and all P2TR (including "script only" addresses) will become immediately compromised. Any hash-obfuscated addresses (like P2PKH or P2SH) will be safe, however any attempts to spend them will be vulnerable to attack once a spend tx hits the mempool.
One option is to do nothing, while joking about how IBM can't build a qbit processor that reliably factors beyond double-digits. Indeed, there is skepticism whether quantum computers can ever scale. However I think betting against IBM (and every nation-state interested in breaking ECDSA) is a stupid move, and we should maybe start thinking about what a post-quantum bitcoin future would look like.
There are proposals for a quantum-resistant signature scheme to replace ECDSA, and the current front-runner (that I am aware of) is lattice-based cryptography. This form of cryptography goes well over my head, and is still in an experimental stage.
I am curious what other people think about this subject.
  • How worried are you about ECDSA being broken in the next 30 years?
  • How close are we to building a quantum processor that can actually scale?
  • What are some promising or cool solutions that could replace ECDSA?
For me personally, I am worried that we currently do not have any experimental alternatives in place, just in case some radical development happens to accelerate things. Also, lattices make my brain melt. 🫠
I’m guessing some BIPs and solutions would accelerate if quantum became a threat.
Would the threat always be from the perspective of reverse engineering an address or theoretically could it create collisions with the private key without needing to know a corresponding address?
reply
For Shor's algorithm, you would need the public key as a starting point.
This is why addresses that use a pubkey (without any hashing) are immediately vulnerable.
Someone else in the thread also mentioned lightning nodes, which reveal their public key often.
reply
ECDSA being broken doesn't break bitcoin, unless you use bitcoin incorrectly (address re-use).
reply
Receiving and spending from the same address?
Would multiple receipts to the same address also be compromised if the address has never been spent from?
reply
It breaks P2PK and P2TR immediately. You are right that it also breaks addresses that have been re-used, since the pubkey has been revealed.
reply
It breaks P2PK and P2TR immediately
A quantum computer that can break ECDSA "immediately" is science fiction. Even when we have working quantum computers we'd probably still have decades or centuries before they can perform the necessary attack in the required time. It will be trivial to upgrade bitcoin when necessary.
reply
when an attack becomes feasible, those address types are already compromised, so they will immediately become vulnerable
you are debating when an attack will become feasible, which is fine
I don't know about centuries, or it will be trivial to upgrade, lol
reply
ECDSA being broken doesn't break bitcoin, unless you use bitcoin incorrectly (address re-use).
So you're saying that Lightning Network is using bitcoin incorrectly? In LN you reveal your public key when setting up the channel.
It just one example of how you oversimplification is plainly wrong. There are legitimate use-cases that require revealing the public key.
Here we go again with the FUD..
reply
Oh come on. It's a legitimate problem that needs to be addressed at some point. Closing your eyes and pretending there is no problem is very irresponsible thing to do.
Gladly developers/builders are not like that and are actively researching the problem and solutions.
Still, downplaying the problem by network participants is actively harmful to the network.
reply
Can you elaborate?
reply
Some of us just get tired of seeing these posts. Maybe the below articles can provide some insights?
reply
reply
Aside from all the snark and blatantly false statements, you could replace "quantum computing" with "machine learning" and pretty much make the same exact argument. And 5-10 years ago, you would be right.
Also, IBM's Quikset program let's you run computation on their quantum machines for free if you want to test whether they are real or not.
reply
In terms of the current state of quantum computing, while IBM and other organizations have made significant progress in developing quantum processors, it is still a developing technology that faces many technical challenges before it can be scaled up to the point where it can reliably factor large numbers. It's important to keep in mind that the development of practical quantum computers is a complex and ongoing process, and it's difficult to predict exactly when or if it will happen.
reply
It's difficult to predict when breakthroughs will happen but a practical quantum computer is not outside the realm of possibility. It would be nice to have a backup plan.
reply
You bring up a good point. DoD recently has been looking for both a way in and resistance to "Q day".
As for bitcoin, it's not ECDSA alone, but even sha256 becomes more vulnerable. ⚰️
On the plus side, there's work right now in building out [zk stark proof]https://www.techopedia.com/definition/zero-knowledge-stark-zkstark) used by zerosync. But that would also require a full state proof implementation for bitcoin. Something that is likely away from realization by at least a decade. 🫠
reply
Do not be worried. There are already alternatives to it. We would fork to a quantum resistant method in a moment. There is just no need to accelerate anything right now because the keys would be much larger in size. Just be happy and keep stacking ;)
reply
Do you know of any projects that you can link to?
reply
Tons of smart builders in the space attacking issues as they become real threats. In time my friend!
reply
Do you have any examples that I can check out?
reply