Is moving to Quantum-Resistant Signatures in Bitcoin realistic?

16 replies 180 views
calmguruSenior Member
Posts: 215 · Reputation: 1355
#1Sep 17, 2018, 08:38 PM
When it comes to Bitcoin and quantum computing, the conversation often goes from one extreme to another. Some people just brush it off as FUD, while others are convinced we're headed for a cryptographic disaster. I'm not here for that debate, just want to get a straight-up technical answer. So here’s my question: Can we really call the quantum threat a "myth"? If we eventually get advanced quantum computers, could that put exposed public keys at risk? We know Bitcoin keeps evolving (it’s still labeled as beta, right?). So, there’s room for upgrading signature schemes. Now, for my follow-up question: If a powerful quantum computer that can crack secp256k1 ever comes into play, would it be technically possible to switch to quantum-resistant cryptography within Bitcoin’s consensus rules? What I’m really worried about isn’t whether quantum computers are around now, but if Bitcoin can pivot before these machines are actually usable. We’ve seen Bitcoin be adaptable in the past, but changing cryptographic methods isn’t an easy task. I’d love to hear some technical insights on how likely such a migration would be.
5 Reply Quote Share
darkguruHero Member
Posts: 849 · Reputation: 4147
#2Sep 18, 2018, 01:54 AM
Read some of the numerous existing threads about QC & BTC.You will find your questions have already been answered many many times...
4 Reply Quote Share
byte2019Senior Member
Posts: 270 · Reputation: 1836
#3Sep 18, 2018, 02:30 AM
Currently? Yes. In the future? Nobody knows. Theoretically? They can be broken, without any quantum computers at all. For each and every valid public key, there is one, and only one valid private key. In smaller curves, you can see it exactly, how public keys are turned into private keys. In bigger ones, it is exponentially harder, but during curve construction, the total number of keys is calculated, and is mathematically proven to be correct. Yes. You will have just a new address type, with a different cryptography. We already migrated from ECDSA to Schnorr signatures. Migration to "foobar signatures" can be done in exactly the same way. I said "foobar", because it is not yet sure, what exactly will be picked. There are some proposals, but nothing is set in stone yet. Technically? Yes. Socially and politically? Nobody knows. Even if new signatures would be deployed tomorrow, it is unknown, how long it would take for people to upgrade, and how many people will refuse to do so, for various reasons. Instead of "OP_1 <taproot_key>", you would have something like "OP_2 <quantum_key>", or something similar. And maybe that key will be hashed, when people will scream, that hashing with many collisions is more difficult to break than provably collisionless secp256k1. Or if these things would take too much space, when used, so they will be moved to inputs. By the way, the main reason why Satoshi hashed public keys, was because of space. Public keys took 65 bytes in uncompressed form, then 32 bytes after SHA-256, and then 20 bytes after RIPEMD-160. Maybe quantum keys will also be hashed, just to make outputs smaller.
3 Reply Quote Share
paul.ninjaFull Member
Posts: 152 · Reputation: 539
#4Sep 18, 2018, 02:44 PM
Also worth separating "quantum breaks Bitcoin" from "quantum breaks keys that are already exposed." A lot of UTXOs are still sitting behind a hash of a pubkey, so there's no pubkey on-chain until you spend. Those are in better shape in a Shor-doomsday timeline than anything that's already published a raw pubkey in the output script (old P2PK, and yes, Taproot outputs are literally a pubkey on-chain). If you're trying to be rational-paranoid today, the lowest-effort move is boring: stop address reuse, keep long-term coins in hashed-pubkey outputs, and don't be the guy broadcasting the same pubkey to the world for a decade like it's a bumper sticker.
4 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#5Sep 18, 2018, 07:19 PM
Yeah, Bitcoin isn't static. There are many forks that upgrade/change Bitcoin protocol. But do you say "labeled beta" that because Bitcoin Core claim it's experimental software on the about page? We can roughly estimate minimum time required for migration, based on block size, total "old" UTXO (that doesn't use QC resistant signature) and average TX size for the migration purpose (while estimate average "old" UTXO). I also recall one of BIP 360 author make speculation that 90% people/UTXO will migrate within 5 years, although it seems he don't explain in detail.
6 Reply Quote Share
john.cobraHero Member
Posts: 408 · Reputation: 2145
#6Sep 18, 2018, 10:12 PM
I wonder why someone would refuse to move their coins to an address that would theoretically be resistant to a quantum computer attack - is there perhaps some pitfall/risk in that? I know that even today there are those who for some reason do not want to use SegWit, but it's just about someone saving on fees and those who hold long-term do not feel threatened - but if the quantum threat became real, I don't know what anyone would cite as a meaningful reason not to secure their coins.
2 Reply Quote Share
hodler2019Legendary
Posts: 2182 · Reputation: 12913
#7Sep 19, 2018, 03:16 AM
Broadcasting the same pubkey addresses is what satoshi has done since 2009-2011.  Pretty good advertisement that cracking them is not POSSIBLE. Since he is doing that for us for no charge. WE can take advantage and move from older addresses
3 Reply Quote Share
paul.stakeHero Member
Posts: 651 · Reputation: 3798
#8Sep 19, 2018, 06:30 AM
People resist making the first move out of fear, so it will not surprise me if it takes a long time for the migration. Remember how much time it took to move from Legacy to Segwit and how little Taproot usage there is today even after so many years. A good argument as to why people might not feel entirely confident with the quantum-safe addresses is that the quantum math might break and a classical computer can break them before a quantum is capable of being a threat.
0 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#9Sep 19, 2018, 11:55 PM
Would Bech32m still be used in such a case? For instance, let's suppose that we have a keypads generated by some quantum-safe curve. Then you also presumably have to replace SHA256 and RIPEMD160 with something else which then adjusts the final payload size, violating BIP 142 constraints. Or do we keep a RIPEMD160 hash last for compatibility purposes, hash it again with something else, and accept that people will be able to peel off one layer of the onion?
4 Reply Quote Share
byte2019Senior Member
Posts: 270 · Reputation: 1836
#10Sep 20, 2018, 05:24 AM
Breaking secp256k1 is a different thing, than breaking SHA-256. If you can break this hash function, then it affects mining, merkle root construction, and many other things. Which means, that SHA-256 will stay as it is. And even if it will be upgraded anyhow, then still: it will be similar as to what was done to SHA-1, when hardened SHA-1 was created. But even then, OP_SHA1 is still executed in the old way, just like it was. Which is why 37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP is still spendable. By the way: there are challenges for hash function collisions, and puzzles for SHA-256 or RIPEMD-160 are still unsolved.
4 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#11Sep 20, 2018, 09:22 AM
Don't waste time on such thoughts as they are pointless. Average people do all sorts of stupid things for stupid reasons. There are people who still have legacy addresses, I am not talking about addresses before SegWit I am talking about P2PK which are the most vulnerable types of addresses when it comes to this topic. You can find also all kinds of stupid reasoning for other decisions, refusing to update Core to some version, refusing to use LN at any cost and so forth it goes. Don't confuse good reasons with meaningful reasons. Anyone can draw any kind of stupid reason, and no matter how wrong it is, they can assign meaning to it. Many people in the modern world are lost, they have no purpose and some of these acts are their own way of coping with their own failure -- vanity and other bullshit. Exactly, breaking SHA-256 is the least probably scenario of quantum computers. Given the number of unknowns today and the number of assumptions that are made when talking about these theoretical discussions, this topic can be completely ignored right now. We should focus where we are primarily vulnerable, and design ways to deal with various scenarios of the future. That we need new signatures is clear. The question is which ones, and the other question is how to deal with those that don't upgrade (for whatever reason) starting with the oldest addresses. If we were a centralized shitcoin like ETH it would be simple, you have 6 months to upgrade and anyone who does not will be unable to spend their coins. That is how many shitcoin projects did various transitions from different tokens within the same blockchain or across different blockchains.
6 Reply Quote Share
calmguruSenior Member
Posts: 215 · Reputation: 1355
#12Sep 20, 2018, 02:32 PM
Searched the github to confirm what Achow101 said years ago. Even though the beta line is removed, Bitcoin Core still acknowledges it is experimental. I read from a post, that was actually a factoid in the early days. I think the hesitation may come from cold storages, lost keys, inactive hodlers. Also people could fear unforeseen bugs in the new cryptography. Humans are afraid of change, especially when they are not part of those that implemented the change. I'm curious: would a mandatory migration via hard fork ever be acceptable, if the danger looms and there is slow migration.
4 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#13Sep 22, 2018, 05:54 PM
No. Who are you to mandate a migration to me? It seems that you want to go back to the days of centralization with these sorts of ideas. To understand decentralization, you must be aware that such proposals are impossible without a extreme majority of 95% or higher. A proposal that leads to the freezing or confiscation of coins is never going to get that much consensus. Therefore, it is not going to happen.
4 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#14Sep 23, 2018, 10:04 AM
It's also one of reason some cryptocurrency and system haven't switched to QC-resistant cryptography. It's probably why BIP 360 doesn't introduce new QC-resistant cryptography. How would it work? Even idea thrown on Are there ideas how to protect P2PK outputs from quantum computers? add more complexity to the Bitcoin protocol and require some action from owner side.
0 Reply Quote Share
SwiftMinerSenior Member
Posts: 259 · Reputation: 1036
#15Sep 24, 2018, 06:57 AM
There's a possibility it's gonna happen even more than you think. The more coins you Hodl the more cautious you are on a general scale. If quantum attacks eventually turns out feasible in the future then a lot of top holders wouldn't migrate on the go to quantum resistant wallets too. Many of them are gonna make a split between quantum resistant wallets and their regular SEGWIT most likely tagging it as ; "Don't trust verify".
4 Reply Quote Share
calmguruSenior Member
Posts: 215 · Reputation: 1355
#16Sep 24, 2018, 08:55 AM
It is obviously not happening, the reason is not far fetched. In bitcoin's history, upgrades are always designed to be opt-in-first, rather than forced.  We will just expect long transition period, while both will co-exist It's not gonna work. The old P2PK output containing the public keys is already exposed.
0 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#17Sep 24, 2018, 01:47 PM
That's the backwards way of thinking and is a reason why some idiots still have money in P2PK wallets. Smart top holders should embrace advancements in technology as soon as they are mature enough, similarly how they adopted multisignatures. The speed of adoption must be adapted to the risk that is present -- one should not be stuck in demagogue ideologies like many users here are, especially WO "independent thinkers". In this case, speedier adoption of at least improvements in security using existing possibilities should happen. That doesn't make any sense unless they do not plan to use those wallets at all. "Regular SEGWIT" is also vulnerable to quantum computers as soon as one spending transaction is made. As of today, we do not know the amount of time that will be required to crack the keys. If it becomes possible to do it in real time, even using Segwit wallets that are not reused will be extremely risky. I don't think we will reach an era where the prior addresses don't exist anymore except under perfect circumstances. As of today, we could have banned P2PK addresses long ago and we still didn't. They are much less safe than P2PKH, yet we still have them supported. I guess you could argue the primary reason is because there are still UTXOs on them. Perhaps when quantum computers empty out all P2PK addresses then we can ban that address type for good, hopefully. Did you even read the thread at all? Whether it is a good idea is debatable, but that it would work is not debatable.
4 Reply Quote Share

Related topics