Is Zcash actually quantum private?

You know I used post-quantum security as one of the arguments against Qedit’s “compliance” proposal, right? We’ve been pretty consistent in holding the line against any such pressure. Anyway see this thread: [PROPOSAL] Ztarknet — A Starknet L2 for Zcash - #30 by abdel

1 Like
3 Likes

Not sure what to make of this, but possibly relevant:

That article seems to miss the biggest issue with Bitcoin. It’s not that Bitcoin can’t become QR, it’s that it’s nearly impossible to make core do so. Theoretically they could also fork and add fully private addresses like Zcash too if they were so inclined.

The BTC core team has been taken over with risk-averse ideals and promoting ossification over innovation. I would be very surprised if they could implement such a required hard fork until it’s blindingly obvious quantum has come online, and by that time it may be too late.

1 Like

@Shawn yeah, that’s the core of it. The article says “manageable” but it’s managing the wrong thing.

They split the 1.6M exposed BTC into ~10k that “matter” and 34k addresses at ~50 BTC each that would “take decades to steal.” That only works if you assume a quantum adversary cracks one key at a time instead of running many in parallel.

“Owners can migrate voluntarily” is the other weak spot. Those 34k addresses are mostly early coinbase outputs from 2009-2010, a big chunk likely Satoshi’s. None have moved in 15+ years. Nobody’s migrating those.

The bigger miss: if even one key gets provably broken via quantum, the market impact isn’t the coins sold. It’s the signal. Every ECC-based system is suddenly in question. That’s not a “routine trade.”

You’re right about governance too. The article assumes Bitcoin can fork when it needs to. Big assumption given Core’s track record.

The Zcash angle is different though. Bitcoin’s quantum risk is about theft. Zcash’s is about retroactive privacy. Can a quantum adversary decrypt old shielded transactions? Based on str4d and daira’s analysis earlier in this thread, brute forcing shielded outputs still takes ~2^127 work without knowing the recipient’s address. That’s above the protocol’s 2^125 security target.

Different problem, different exposure. Though it does raise a practical question: if quantum privacy depends on addresses staying secret, should we be treating any address we share as eventually compromisable and keeping our main wallet on a separate seed entirely?

2 Likes

there have been extensive research reports from bitcoin’s largest r&d orgs (chaincode and blockstream), a quantum-specific event at presidio in sf attended by many core dev teams, a BIP related to removing the key spend in taproot for improved quantum resistance, and more efforts around quantum resistance all in the last 12 months alone.

4 Likes

Let’s hope that I’m wrong and they can actually get the changes into the network.

Bitcoin failing due to something on such a long time horizon would be bad for all crypto, not just Bitcoin.

2 Likes

I saw a talk at ethdenver about adding PQR to BTC p2pkh addresses so if that work ever completes, we could possibly pull that down. There’s a community call every once in a while called office hours (though there have been other things called that) and the latest was about this and Orchard. https://www.youtube.com/watch?v=R6916H2IMKI&t=1s

It’s just utterly wrong, incompetent, head-hiding-in-sand stuff.

Theoretical risks from Shor’s algorithm exposing keys in ECDSA/Schnorr and Grover’s weakening SHA-256; threats distant, limited to ~1.7M BTC in P2PK addresses (8% supply), minimal potential for market disruption (see last point below)

No. If you reuse an address, which people do because that is the entire point of addresses, then the first spend exposes the public key and then all other funds in the address are vulnerable. There is no limitation on how long funds might be vulnerable for in that case. People who make bald assertions about how address reuse is rare do not understand how Bitcoin and similar cryptocurrencies are actually used.

We also do not know whether there are quantum precomputation attacks on a given curve that allow finding specific discrete logarithms quickly — potentially with a classical attack. This has not been a well-studied problem, and it needs to be. If there are such attacks, then all of the reasoning about address exposure is flat-out wrong.

“And as soon as you add one more qubit, it becomes exponentially more difficult to maintain the coherence system”, cybersecurity firm Ledger CTO Charles Guillemet confirmed to CoinShares.

Just absurdly incompetent, made up, clueless nonsense by people who have no idea what they’re talking about. There is no exponential increase in difficulty of maintaining coherent error correction.

1 Like
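To make the address-reuse point above concrete, here is an added example (my own illustration, not code from anyone in this thread) that replays a small constructed transaction list and reports how much value is still sitting behind a public key that is already visible on-chain. It assumes two simplified script rules: a P2PK output reveals its key the moment it is created, and a P2PKH output reveals its key only when it is first spent, after which every other output paying the same address is exposed as well. The labels, amounts and transaction ids are all made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    address: str  # constructed labels: "pk:<name>" = P2PK, "pkh:<name>" = P2PKH
    value: int    # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # tuple of (prev_txid, output_index); empty for a coinbase
    outputs: tuple  # tuple of TxOut


def key_exposure_report(txs):
    """Replay a transaction list and report balances whose public key is on-chain.

    Assumed simplification of Bitcoin script semantics:
      * a P2PK output carries the raw public key in its scriptPubKey, so it is
        exposed from creation;
      * a P2PKH output hides the key behind a hash until it is spent, at which
        point the scriptSig reveals the key and every remaining output paying
        that same address becomes exposed too (the address-reuse case).
    """
    utxos = {}       # (txid, index) -> TxOut
    exposed = set()  # addresses whose public key has appeared on-chain
    for tx in txs:
        for prev in tx.inputs:
            spent = utxos.pop(prev)
            exposed.add(spent.address)          # spending reveals the key
        for idx, out in enumerate(tx.outputs):
            utxos[(tx.txid, idx)] = out
            if out.address.startswith("pk:"):
                exposed.add(out.address)        # P2PK: key visible at creation
    balances = {}
    for out in utxos.values():
        balances[out.address] = balances.get(out.address, 0) + out.value
    exposed_balance = sum(v for a, v in balances.items() if a in exposed)
    return {
        "exposed_addresses": sorted(a for a, v in balances.items() if a in exposed and v > 0),
        "exposed_balance": exposed_balance,
        "unexposed_balance": sum(balances.values()) - exposed_balance,
        "balances": balances,
    }


# Constructed sample chain (not real Bitcoin data). Values in satoshis.
SAMPLE_CHAIN = (
    Tx("cb1", (), (TxOut("pk:early", 5_000_000_000),)),   # 2009-style P2PK coinbase
    Tx("cb2", (), (TxOut("pkh:bob", 5_000_000_000),)),    # P2PKH coinbase
    Tx("t1", (("cb2", 0),), (TxOut("pkh:carol", 100_000_000),
                             TxOut("pkh:bob", 4_900_000_000))),  # bob spends; change reuses his address
    Tx("t2", (("t1", 0),), (TxOut("pkh:dave", 100_000_000),)),  # carol spends everything she has
)


if __name__ == "__main__":
    report = key_exposure_report(SAMPLE_CHAIN)
    for addr in report["exposed_addresses"]:
        print(f"{addr}: {report['balances'][addr]} sat still behind a revealed public key")
    print("exposed:", report["exposed_balance"], "unexposed:", report["unexposed_balance"])
```

Run on the sample chain, the never-spent P2PK coinbase and bob's reused P2PKH address both show up as exposed, while carol's key is also revealed but guards nothing because she emptied the address; only dave's never-spent P2PKH output stays unexposed. Against a real UTXO set the same replay is what you would use to put a number on the "only ~1.7M BTC in P2PK" claim, since it counts reused-P2PKH balances the article leaves out.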