BTC Core has a speculative PR for Quantum resistant addresses as a soft fork: QuBit - P2QRH spending rules by cryptoquick · Pull Request #1670 · bitcoin/bips · GitHub
Of course it’s overengineered, yet another level of segregating the witness.
But anyway, nice doc, here’s the link to view the doc: https://github.com/bitcoin/bips/blob/e186b52cff5344c789bc5996de86697e62244323/bip-p2qrh.mediawiki
1 Like
smells like FUD, and conveniently there’s a bunch of new coins claiming quantum resistance
1 Like
Check the community note. This is an industry/insider joke.
1 Like
Look guys, you need to not just follow what some companies or governments say.
Companies and universaties have had this quantum computing “dream” for more than a century and billions have gone into actual research for 40 years. The results are basically that we see papers and results published at a rate that is really only about getting more funding.
Governments are a really big part of getting funding nowadays, they are afterall experts in spending other people’s money.
And in the meantime we see no real progress. And the next billions burned in research and building something to make it look good.
There is basically zero risk to old funds stored in p2pkh transactions, even if some quantum crypto is available tomorrow with actually a useful amount of bits. So stop worrying and wasting money on protecting against something that literally doesn’t exist.
You have some reading up to do. It is evolving, it is not just for more research dollars. There is and will be a market. Things take time.
Google’s latest QC breakthrough
This is not to say it is close to being a threat, on that I would agree, but it also does not mean we should ignore it or assume:
That is not an assumption. A ripe160 hashed pubkey on chain is safe from quantum computers for quite some time yet.
(also, as ps. Please be more careful about quoting actual statements, not one that looks like one but isn’t)
Interesting, this is your response to my stating it is all about getting more funding. You might make the connection yourself, how google is indeed getting work from nasa based on this, how the Department of Energy is stating it will buy contracts based on this. (that took me 5 minutes of research, follow the money is not that hard!)
So, do your research and again: you need to not just follow what some companies or governments say.
Welcome to BCH Research! Good to see you!
1 Like
I love how terrified they are of a blocksize increase, author specifically mentions it several times (emphasis mine).
This approach for adding a post-quantum secure output type does not require a hard fork or block size increase.
Also pretty funny they have to split things up even further with a new type of address as they’re trying to avoid even more Inscriptions & SegWit disaster. Tech debt always stacking up for them.
But otherwise yeah a pretty good summary and worth us keeping an eye on.
Good thread to keep an eye on with regards to Quantum Discussion from the BTC guys: https://groups.google.com/g/bitcoindev/c/Aee8xKuIC2s/m/cu6xej1mBQAJ
It would depend on how fast the QCs are.
You could spend P2SH / P2PKH outputs safely if the time to break them was much longer than the block time and there was at least 1 honest miner. By the time an attacker could find the private key, your transaction would be buried in the blockchain.
There are effectively 3 cases
A) QC can’t break ECC: current situation
B) QC can break ECC slowly (it takes days, or more, to find the private key)
C) QC can break ECC quickly (it takes < 1 minute to find the private key)
We would probably move through B for a while before we hit C. A massive breakthough might move things from A to C suddenly though.
If the first seen rule is enforced widely, then that helps even in case C. An attacker would have to break your key and then get a new transaction broadcast before your transaction got to any of the miners.
I take your point that some P2SH outputs might already be quantum safe. It would be sufficient if there was a way to “lock” outputs before releasing the key.
For example, with P2SH, you could release the RIPEMD preimage without releasing the actual script.
You could publish
<SHA256(old_script), SHA256(nonce, old_script, new_script>>
in a commit transaction.
This can be checked by computing RIPEMD160<SHA256<old_script>>. This proves that the owner of the output wants it locked.
An attacker could publish alternative versions of the commit script, but none of them would be valid since they wouldn’t know old_script.
Once it is buried deeply enough, then the owner can publish nonce, old_script, new_script and spend their coins.
There is still a potential timing issue when the actual publication occurs. A dishonest miner (cartel) could try to block publication of the spending transaction while submitting an “updated” lock/commit transaction.
1 Like
“them” here refers to their pubkey which would be exposed on 1st spend, so the attacker isn’t breaking the P2SH or P2PKH wrapping - he’s breaking the pubkey
the key is vulnerable between unwrapping and next wrapping, e.g. if you avoid address reuse then you limit the window of opportunity for the attacker, as you correctly pointed out
my comment was regarding the wrapping itself - which would require breaking the preimage (Grover’s algo) and is a much harder problem than ECC and in theory possible against 160 bits: address - Post-quantum preimage resistance of HASH160 addresses - Bitcoin Stack Exchange
On BCH, there is a way because we can make such a lock using our new smart contract capabilities, see here: Quantum-resistant One-time-use Lock
Ahh I see.
The commit must be at least N blocks deep.
Thus if a miner creates his own fake commit as soon as he sees the private information, it won’t be buried deep enough.
Thus a miner would have to win the next N blocks to use his fake commit. If a different miner mined any of those blocks, then they could include the legitimate transaction and negate his fake commit.
It does mean that a dishonest miners majority could block any other honest miner. However, a 51% attack is pretty damaging either way.
It does mean that a long duration 51% fork might be able to pay for itself, since it can steal all coins in the fork that is replaced.
This is inherent in any such scheme. If, say, 50 BCH of non-quantum protected outputs were redeemed in each block, then that would pay for the hash power for the alternative fork (assuming it is for sale).
Ideally, less than the block reward would be redeemed on average per block.
Fawkescoin was a proposal for a hash-only commit based currency (no signatures at all).
1 Like
Chaincode Labs report investigating if Bitcoin is ready for the quantum era:
3 Likes
Jason just released a developer preview of “Quantumroot” - which if I’m reading it right means BCH can start building quantum resistant vaults (at very impressive levels of economic efficiency / low fees) into all wallets after the 2026 upgrade (provided all relevant upgrades lock in).
Would be amazing if BCH is already rolling out quantum resistant protection options & tooling by the end of next year. I think that should put us nicely ahead of the game & hopefully attract industry attention to our innovations.
I’m sure he’ll jump in with his own comments at some point.
4 Likes
Jameson Lopp’s proposed under-development Quantum BIP.
The proposal is to announce a sunset date at which non-quantum coins become unspendable, rather than letting a quantum attacker grab them and dump. But this by default burns all coins of anyone who doesn’t migrate to the quantum version in the meantime (Satoshi, people not following things closely etc.).
Interesting take on it.
2 Likes