Tick tock, next block: Quantum FUD is real—but so is Bitcoin’s ability to adapt. We don’t panic, we prepare. BIP 360 opens the door to quantum resistance without a hard fork.
The rumors are true: Bitcoin is not quantum-resistant… but it could be. So, considering how long it takes for the Bitcoin network to achieve consensus and authorize updates, shouldn’t we discuss possible solutions to the quantum threat? Or, on the other hand, is it too soon to start worrying about a danger that might never come? Is a working quantum computer even on the horizon?
Maybe we could all agree that we should make Bitcoin quantum-resistant at some point, sure, but what does that look like? A change of this magnitude implies many challenges, questions, obstacles. It might be beneficial to start the conversation and see how it goes.
For example, the solution will probably imply everyone moving their coins to a quantum-resistant wallet, a process that would take years. What about the coins that cannot be moved, though? What happens with the lost Bitcoin?
The “lost Bitcoin” concept is problematic from an epistemological perspective. Many argue that Bitcoin are never lost, and they might have a point. Even if someone loses access to their private keys, it’s impossible for anyone to validate that the keys are lost. Also, it’s impossible to prove that nobody has the keys.
What’s the solution? If the plan is to prevent quantum recovery by burning coins, then a proxy must be established. How? We set a deadline and tell all holders to migrate their coins by a specified date - e.g., in 10 years, at X block height - and after that point, we can consider any coins that have not moved as lost.
The Bitcoin community is hard at work debating these and other fascinating subjects related to quantum resistance, and things are moving. A draft for a Bitcoin Improvement Proposal or BIP is already in circulation; it presents concrete steps and describes how the network could evolve to face the quantum threat.
Join Blink as we explore the different ways to make Bitcoin quantum-resistant; and explain the financial, ethical, and philosophical implications of quantum recovery. Should we burn the lost coins or let them be reclaimed and released into the wild?
Help Blink help you. To understand the problem that the Bitcoin network is about to face, let’s first explore the vocabulary of quantum-resistant Bitcoin and define some concepts. We will need them to explain the situation, the risks, and the implications.
“A hardware-agnostic computer supposed to have the architecture to keep coherent a sufficient number of logical qubits to be able to run the Shor algorithm in an efficient fashion.”
“… is their potential to break the cryptographic assumptions of Elliptic Curve Cryptography (ECC), which secures Bitcoin's signatures and Taproot commitments.”
“In 1994, the mathematician Peter Shor published a quantum algorithm that can break the security assumption of the most common algorithms of asymmetric cryptography. This means that anyone with a sufficiently large quantum computer could use this algorithm to derive a private key from its corresponding public key, and thus, falsify any digital signature.”
That leads us straight into private and public keys territory, an aspect of Bitcoin we should review to explain its relationship to quantum resistance.
In Bitcoin, there’s a private key that no one should see and a public key that everyone can freely share. The latter is derived from the former. There’s a “mathematical relation between them,” as Deloitte puts it. “This allows individuals to produce a digital signature (using their private key) that can be verified by anyone who has the corresponding public key. This scheme is very common in the financial industry to prove authenticity and integrity of transactions.”
In that balanced system, it’s easy to prove that a public key matches the private one. However, it’s almost impossible to derive a private key from its public key. Or, should we say, it’s almost impossible until stable and powerful quantum computers arrive. That, mixed with the following fact, makes for a dangerous combination. Quoting BIP 360:
“Ordinarily, when a transaction is signed, the public key is explicitly stated in the input script. This means that the public key is exposed on the blockchain when the transaction is spent, making it vulnerable to quantum attack until it's mined.”
Since the Bitcoin network produces a block every ten minutes on average, there’s a ten-minute window that a quantum computer would have to beat to be considered a Cryptanalytically-Relevant Quantum Computer. This is not easy. According to the research article “The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime”:
“In this window, transactions wait in the “mem pool” for an amount of time dependent on the fee paid; the time taken for this process is on average 10 min, but it can often take much longer. Gidney and Ekerå estimated that it would require 20 × 10^6 noisy qubits and 8 h to break the 2048 Rivest-Shamir-Adleman (RSA) encryption, which is of a comparable difficulty to the EC encryption of Bitcoin.”
That’s right: that theoretical quantum computer that doesn’t exist yet would need eight hours to break a Bitcoin key, far longer than the ten-minute window.
A sufficiently powerful quantum computer would pose another risk. By attacking SHA-256, it could disrupt the mining process and the proof-of-work consensus mechanism. According to the research article quoted in the previous section:
“A quantum computer may achieve a quadratic speedup on the hashing of the SHA256 protocol with the Grover's algorithm. The algorithmic sp[…] for the considerably slower clock cycle times relative to state of the art classical computing for the foreseeable future.”
It’s unlikely. Plus, let’s get something straight; BIP 360 emphasizes: “The practical impact of quantum attacks on SHA-256 remains theoretical since quantum circuits for SHA-256 are still theoretical.”
The research article quoted in the previous section continues:
“The second and more serious threat would be an attack on the elliptic curve encryption of signatures.”
We’re focusing on that second threat: the possibility of deriving the private key from the public key, or “an attack on the elliptic curve encryption of signatures.”
To achieve quantum-resistance, the Bitcoin network has to change its signatures. The first Bitcoin Improvement Proposal that tackles the subject, BIP 360, proposes:
“To implement a Pay to Quantum Resistant Hash (P2QRH) output type that relies on a PQC signature algorithm. This new output type protects transactions submitted to the mempool and helps preserve the free market by preventing the need for private, out-of-band mempool transactions.”
The authors, Surmount Systems, have as their main selling point that “this approach for adding a post-quantum secure output type does not require a hard fork or block size increase.” That is no small thing. However, they ask for an increase in the witness discount. This is not trivial, and it should be noted that the authors acknowledge it: “An increase in the witness discount must not be taken lightly. It must be resistant to applications that might take advantage of this discount (e.g., storage of arbitrary data as seen with "inscriptions") without a corresponding increase in economic activity.”
In Bitcoin circles, the debate around quantum-resistance is heating up. The original agitator was Jameson Lopp and his “Against Allowing Quantum Recovery of Bitcoin” article. In it, Lopp analyzes the quantum threat and tries to argue for and against quantum recovery. What should the Bitcoin network do about the so-called lost coins?
According to Lopp, we should burn them.
However, not everything is black and white.
Even though Lopp seems to be for burning lost coins and getting it over with, he acknowledges the difficulties this decision might bring.
To wrap up Lopp’s thesis, he would “expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.” A seemingly minor change that could have gargantuan implications. No pressure, but this decision could be as defining to Bitcoin’s ethos as the Blocksize War.
And there are no right answers…
Be that as it may, there are silver linings all around. “On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.”
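As an added example (not code from the Blink post, BIP 360 or Lopp’s article) tying together the exposure window quoted from BIP 360 above and Lopp’s “locking script types that are known to be quantum vulnerable”: a pure-Python secp256k1 key derivation, which is the one-way step Shor’s algorithm would reverse, and a classifier that reports whether a given locking script already shows a public key on-chain before any spend. The output formats are simplified (the P2TR key is left untweaked) and the private keys used in the test are constructed values.

```python
# Added example; secp256k1 constants are the public curve parameters.
import hashlib
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def pubkey_from_priv(d):
    """Compressed 33-byte pubkey d*G; Shor's algorithm would invert this step."""
    r, a = None, G
    while d:
        if d & 1:
            r = _add(r, a)
        a, d = _add(a, a), d >> 1
    x, y = r
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def p2tr_output(pubkey):
    """OP_1 <x-only key>: the key sits in the output itself (untweaked here)."""
    return b"\x51\x20" + pubkey[1:]

def p2wsh_output(pubkey):
    """OP_0 <sha256(script)>: only a hash is on-chain; the witness script
    (<pubkey> OP_CHECKSIG) is revealed only when the output is spent."""
    script = bytes([33]) + pubkey + b"\xac"
    return b"\x00\x20" + hashlib.sha256(script).digest(), script

def pubkey_exposed(spk):
    """True if the scriptPubKey reveals a public key before any spend."""
    if len(spk) == 35 and spk[0] == 33 and spk[-1] == 0xAC:  # P2PK
        return True
    if len(spk) == 34 and spk[0] == 0x51 and spk[1] == 32:   # P2TR
        return True
    if len(spk) == 34 and spk[0] == 0x00 and spk[1] == 32:   # P2WSH
        return False
    if len(spk) == 22 and spk[0] == 0x00 and spk[1] == 20:   # P2WPKH
        return False
    raise ValueError("unrecognised scriptPubKey")
```

Hash-based outputs (P2WSH, P2WPKH) only become exposed once their spend, with the key in the witness, is broadcast, which is the window BIP 360 describes; P2PK and P2TR outputs are exposed the moment they are created.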
Quantum computers might be evolving, even evolving fast, but Cryptoanalytically-Relevant Quantum Computers might still be far away. Even the optimistic article “The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime” theorizes they are a decade away.
The authors ran the numbers and the results are clear. “We quantify the number of physical qubits required to break the encryption in one hour as a function of code cycle time and the base physical error rate. It would require approximately 317 × 10^6 physical qubits to break the encryption within one hour.” That’s a lot of qubits.
The previous information might be too technical for most of us, but the authors’ conclusion is clear: “This large physical qubit requirement implies that the Bitcoin network will be secure from quantum computing attacks for many years (potentially over a decade).”
Are we jumping the gun by discussing all of this a decade early? Or does it signal a healthy and proactive Bitcoin network?
Let’s return to BIP 360 to see how the US government is dealing with quantum-resistance:
“The Commercial National Security Algorithm Suite (CNSA) 2.0 has a timeline for software and networking equipment to be upgraded by 2030, with browsers and operating systems fully upgraded by 2033. According to NIST IR 8547, Elliptic Curve Cryptography is planned to be disallowed within the US federal government after 2035.”
The US government is also working on a 10-year timeframe, how about that? Considering they’re a centralized entity and can make unilateral decisions, it might be crucial for the Bitcoin network to start discussing the issue early, especially considering how divided the community is.
In a recent Stacker News poll titled “What should be done about Satoshi's coins when ECC is broken?,” 50% voted for “Nothing, let the attacker have them” and the other half floated among options like “burn them,” “disalow p2p transactions in memepool,” and others.
The game is afoot. The debate is just starting. The discussion about how to make Bitcoin quantum-resistant and the debate around quantum recovery will go on for years. Thanks for starting your journey into it with Blink.