Post Quantum Crypto

Stumbled upon this today: To stop quantum hackers, the US just chose these four quantum-resistant encryption algorithms | ZDNet

so thought to create a general topic for future reference. I’ll edit in some more links later.

While writing the P2SH bulletin post-quantum section, which focused on hash functions, I dug up some literature:


While looking at the section, I think you should include the P2SH48 info in the table.

You could have an extra horizontal line to show that it isn’t one of the 3 current ones.

It would allow an easy comparison of the proposed P2SH48.

P2SH32 (classical): 256-bit/128-bit (preimage/collision)
P2SH48 (quantum): 192-bit/128-bit (preimage/collision)
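The figures in that comparison follow from the generic attack bounds on an n-bit hash. The example below is added here and is not code from the thread; it assumes P2SH20/32/48 commit to a 160/256/384-bit hash, and uses the textbook generic costs (classical preimage 2^n and birthday collision 2^(n/2); quantum Grover preimage 2^(n/2) and Brassard-Hoyer-Tapp collision 2^(n/3)).

```python
# Added example, not from the thread. Generic-attack security levels for a
# hash-based script commitment, classical vs. quantum.
# Assumed generic bounds: classical preimage 2^n, classical collision 2^(n/2),
# quantum preimage 2^(n/2) (Grover), quantum collision 2^(n/3) (BHT).

# Assumption: the P2SHnn name gives the hash length in bytes.
P2SH_OUTPUT_BITS = {"P2SH20": 160, "P2SH32": 256, "P2SH48": 384}


def security_bits(output_bits: int, quantum: bool) -> tuple[int, int]:
    """Return (preimage, collision) security in bits for an n-bit hash."""
    if quantum:
        return output_bits // 2, output_bits // 3
    return output_bits, output_bits // 2


def minimum_output_bits(target_bits: int, quantum: bool) -> int:
    """Smallest hash length giving at least target_bits of both preimage
    and collision security under the chosen attacker model."""
    if quantum:
        # Grover needs n >= 2*t, BHT collision search needs n >= 3*t.
        return max(2 * target_bits, 3 * target_bits)
    return max(target_bits, 2 * target_bits)


def comparison_table() -> dict[str, dict[str, tuple[int, int]]]:
    """Preimage/collision bits for each P2SH variant in both models."""
    return {
        name: {
            "classical": security_bits(bits, quantum=False),
            "quantum": security_bits(bits, quantum=True),
        }
        for name, bits in P2SH_OUTPUT_BITS.items()
    }


if __name__ == "__main__":
    for name, row in comparison_table().items():
        print(name, "classical %d/%d" % row["classical"],
              "quantum %d/%d" % row["quantum"])
    # 128-bit collision resistance against a quantum attacker needs 384 bits,
    # which is why the P2SH48 row lands at 192/128.
    print("bits needed for 128-bit quantum security:",
          minimum_output_bits(128, quantum=True))
```

Note that the 2^(n/3) quantum collision bound assumes BHT's memory costs are free; analyses that charge for memory put the quantum collision cost closer to the classical 2^(n/2).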

Is there a specific proposal for P2SH48? Would it use the SHA3-384 algorithm?

Old addresses seem hard to handle.

Some of Satoshi’s original coinbase outputs use raw pay to public key.

Has there been an analysis of how much money is held by the various output types?

No, there’s no point now when our other primitives (block and TX hashes) would still be (theoretically) vulnerable to quantum collision attack. So, when the time comes then we’ll have to upgrade it all to 384 bits, and P2SH is easiest since it’d be a non-breaking upgrade, while TX and block hashes would break a lot of node-dependent software. Re. choice of hash function, there are other candidates; I think Blake is faster.

Fair enough, hopefully the choice of hash doesn’t derail any future upgrade.

Speed is not the primary target, but not completely unimportant.