Could Quantum-Resistant Bitcoin Render ASIC Miners Useless?

9 replies 183 views
greg.satMember
Posts: 2 · Reputation: 53
#1Jul 28, 2022, 09:31 AM
Hey folks, I've been digging into quantum computing and how it could impact Bitcoin, and I've got a big question on my mind: If Bitcoin upgrades to a quantum-resistant signature system (like swapping out ECDSA), wouldn't that basically make all current ASIC miners outdated since they're built for the existing cryptographic setup? This brings up a few major questions: Would such a change make all the current mining rigs totally worthless unless they're redesigned for the new algorithm? How would companies like Bitmain and others in the space adjust to this? What do you think the timeline for this shift would look like if it happens? 5 years? 10? And lastly, how would this impact small-time miners who are still pouring money into the current hardware? Is this a genuine threat we're overlooking, or just some far-off theory? Appreciate your input!
5 Reply Quote Share
5wiftS4geHero Member
Posts: 850 · Reputation: 3880
#2Jul 28, 2022, 12:19 PM
The public keys of the first Satoshi wallets can be found freely available on the blockchain. If someone can use a quantum PC to pick up the private key, then the old wallets will probably change owners. I think it's still too long for that. Read about quantum security https://bitcointalk.org/index.php?topic=5536662
2 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#3Jul 28, 2022, 04:07 PM
ASIC only perform SHA-256 twice on 80-byte data (block header), so it doesn't care what kind of signature cryptography used in Bitcoin TX.
0 Reply Quote Share
byte2019Senior Member
Posts: 270 · Reputation: 1836
#4Jul 28, 2022, 10:43 PM
No. If ECDSA will be fully broken, and SHA-256 will be still strong, then nothing will change from the miners' perspective. And if SHA-256 will be broken, then everything else will be broken too (including ECDSA), but in that case, re-hashing the whole chain will be needed. For SHA-256, there are no known shortcuts today, when it comes to post-quantum algorithms, which means, that mining is unaffected, as long as nobody invented any quantum attack on hash functions. Even MD5, which has trivial collisions, is still quantum-safe. Also, even if no quantum-resistant addresses will be deployed, then still, OP_CHECKSIG alone can be used to require small DER signatures, which would make double-spending harder. For example: https://mempool.space/testnet4/tx/cc159432ffb7a166abeccc79800e9616a09ea9ac6937080c2ca37b38671970e5 (the private key is known, but because coins are protected by Proof of Work, they are still quantum-safe, even though I used OP_CHECKSIG). No. Even when you have Proof of Work inside Script, then still, applying double SHA-256 on around 200 byte message is not that much different, than applying it on 80 byte block headers. Also, hashed transaction size can be made smaller, to fit on exactly 80 bytes, if needed. Raw Script of "OP_SIZE <difficulty> OP_LESSTHAN OP_VERIFY <templatePubKey> OP_CHECKSIG" can be used now (even if it is non-standard), to hash exactly 80 byte data chunks in legacy transactions, or a new witness can be made, like "<newSegwitVersion> <difficulty>", which would require grinding any message with Merged Mining, meeting a given difficulty. As long as SHA-256 is safe, no changes are needed. And as long as grinding nLockTime is similar to grinding nonces in block headers, there is not that much to change, so things can be tweaked quite easily. And if SHA-256 will be broken, then it will require re-hashing the whole chain, and re-signing every single message, which would be a huge earthquake everywhere, and in that case, Bitcoin will be the least important problem, if major network protocols, and half of the Internet will burn. If you are worried about SHA-256, then you can observe total chainwork. As soon as it starts getting close to 2^128, then upgrading SHA-256 to something else will be needed, because then, the whole effort of Bitcoin network from N years would be sufficient, to produce a single SHA-256 collision (and still: having 2^128 chainwork could mean for example 64k blocks with 2^112 chainwork each, which still means, that it will be rather "one collision per year" than "one collision per 10 minutes", and we will still have plenty of time to react, if it will happen gradually). In general, big miners push small ones away, and it is harder and harder to compete. As Satoshi said, there will be big server farms. And smaller ones will probably switch to something else, or will be focused on producing just enough Proof of Work, to protect single transactions from double-spending. Because in general, if you use "pay to Proof of Work" output types, then even if your private key is publicly known, you can safely run a second layer network on top of Bitcoin, because as long as double-spending your coins require re-mining them, and it takes more than 10 minutes, then you can adjust your difficulty, to finalize your transactions on-chain for example every three months (like proposed in sidechain BIPs), and then, no attacker will be strong enough, to compete with the whole, honest network, and produce a second double-spending version in 10 minutes. Which means, that even if mining 80 bytes Bitcoin block headers will be too hard for smaller miners, then still, they can be used to protect second layers with their Proof of Work (which could be smaller than in Bitcoin, but still significant, and resistant to double-spend attempts from most attackers). Also, as long as mining template for "pay to Proof of Work" outputs will be unknown by the outside world, it is quite unlikely to see any double-spending attempts at all. Just observe total chainwork, and you will know, how close we are. Or put your coins on "pay to Proof of Work" outputs, if you want to be sure, and observe, how many of them will be stolen, and how much time it will take. It is possible to make a mainnet puzzle, similar to what I made in testnet4, or even launch some decentralized sidechains on top of mainnet, and by putting coins in, it can be measured, how much Proof of Work is needed to be safe. So far, nobody took even a single test coin out of my addresses, so I think attacks are quite unlikely, because for now, nobody is interested in stealing my coins (but of course, mainnet test would be more bulletproof, than my testnet4 examples; but I don't have around 2k mainnet BTCs to replicate it there).
4 Reply Quote Share
hodler2019Legendary
Posts: 2182 · Reputation: 12913
#5Jul 29, 2022, 02:16 AM
Basically we would need a new math invented. Now since other matches have been invented. I suppose  one could be invented. I don't worry much about it since it would likely be able to do more damage  to banks and credit cards and the entire financial  world.
1 Reply Quote Share
Posts: 6 · Reputation: 110
#6Jul 29, 2022, 05:17 PM
I wouldn't necessarily say that since the people with access to a quantum pc are the only ones holding the original keys.
5 Reply Quote Share
darkguruHero Member
Posts: 849 · Reputation: 4147
#7Jul 29, 2022, 07:12 PM
So now yer talking about quantum PC's? As in personal consumer-grade?   Folks you do know that QC's capable of doing ANYTHING significant beyond very simple and specific test problems do not even exist yet right? Once they progress to actually being able to do something significant, give it maybe another 30 years or more before they exist outside of large corporations, universities & government labs much less being available & affordable to us regular folks. Right now they are almost at the stage where standard computers were back in the late 1940's - early 50's: huge machines filling entire rooms. Difference is at least those ancient original computers were able to actually process data whereas the current prototype QC's can't even do that...
0 Reply Quote Share
5wiftS4geHero Member
Posts: 850 · Reputation: 3880
#8Jul 29, 2022, 09:21 PM
I think that if a quantum computer can extract a private key from a public key in the blockchain, then this attack will have a certain cost. I would assume that it will be unprofitable for them to attack wallets with a small balance. You can transfer coins to a new wallet and not make payments to protect yourself from hacking. When the first Satoshi wallets are hacked, we will all know about it.
4 Reply Quote Share
greg.satMember
Posts: 2 · Reputation: 53
#9Jul 29, 2022, 11:30 PM
Thanks a lot for your detailed response — very informative and helpful! I appreciate you taking the time to clarify all these points.
4 Reply Quote Share
hodler2019Legendary
Posts: 2182 · Reputation: 12913
#10Jul 30, 2022, 03:08 AM
the numbers involved are huge. so 21,000,000 btc to 1 sat is 2,100,000,000,000,000 to 1 that is really tiny as compared to the numbers involved in sha-256 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936  to 1 so the idea that it is worth trying for a 50 coin address while true doe not impose the math much as compared to the number of sha-256 combos
3 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics