smells like FUD, and conveniently there’s a bunch of new coins claiming quantum resistance
Check the community note. This is an industry/insider joke.
Look guys, you need to not just follow what some companies or governments say.
Companies and universities have had this quantum computing “dream” for more than a century and billions have gone into actual research for 40 years. The results are basically that we see papers and results published at a rate that is really only about getting more funding.
Governments are a really big part of getting funding nowadays; they are, after all, experts in spending other people’s money.
And in the meantime we see no real progress. And the next billions get burned on research and on building something to make it look good.
There is basically zero risk to old funds stored in P2PKH transactions, even if some quantum crypto is available tomorrow with actually a useful amount of bits. So stop worrying and wasting money on protecting against something that literally doesn’t exist.
You have some reading up to do. It is evolving, it is not just for more research dollars. There is and will be a market. Things take time.
Google’s latest QC breakthrough
This is not to say it is close to being a threat, on that I would agree, but it also does not mean we should ignore it or assume:
That is not an assumption. A RIPEMD-160 hashed pubkey on chain is safe from quantum computers for quite some time yet.
(Also, as a PS: please be more careful about quoting actual statements, not one that looks like one but isn’t.)
Interesting, this is your response to my stating it is all about getting more funding. You might make the connection yourself: how Google is indeed getting work from NASA based on this, how the Department of Energy is stating it will buy contracts based on this. (That took me 5 minutes of research; follow the money is not that hard!)
So, do your research and again: you need to not just follow what some companies or governments say.
Welcome to BCH Research! Good to see you!
I love how terrified they are of a blocksize increase, author specifically mentions it several times (emphasis mine).
This approach for adding a post-quantum secure output type does not require a hard fork or block size increase.
Also pretty funny they have to split things up even further with a new type of address as they’re trying to avoid even more Inscriptions & SegWit disaster. Tech debt always stacking up for them.
But otherwise yeah a pretty good summary and worth us keeping an eye on.
Good thread to keep an eye on with regards to Quantum Discussion from the BTC guys: https://groups.google.com/g/bitcoindev/c/Aee8xKuIC2s/m/cu6xej1mBQAJ
It would depend on how fast the QCs are.
You could spend P2SH / P2PKH outputs safely if the time to break them was much longer than the block time and there was at least 1 honest miner. By the time an attacker could find the private key, your transaction would be buried in the blockchain.
There are effectively 3 cases
A) QC can’t break ECC: current situation
B) QC can break ECC slowly (it takes days, or more, to find the private key)
C) QC can break ECC quickly (it takes < 1 minute to find the private key)
We would probably move through B for a while before we hit C. A massive breakthrough might move things from A to C suddenly though.
If the first seen rule is enforced widely, then that helps even in case C. An attacker would have to break your key and then get a new transaction broadcast before your transaction got to any of the miners.
I take your point that some P2SH outputs might already be quantum safe. It would be sufficient if there was a way to “lock” outputs before releasing the key.
For example, with P2SH, you could release the RIPEMD preimage without releasing the actual script.
You could publish
<SHA256(old_script), SHA256(nonce, old_script, new_script)>
in a commit transaction.
This can be checked by computing RIPEMD160(SHA256(old_script)). This proves that the owner of the output wants it locked.
An attacker could publish alternative versions of the commit script, but none of them would be valid since they wouldn’t know old_script.
Once it is buried deeply enough, then the owner can publish nonce, old_script, new_script and spend their coins.
There is still a potential timing issue when the actual publication occurs. A dishonest miner (cartel) could try to block publication of the spending transaction while submitting an “updated” lock/commit transaction.
“them” here refers to their pubkey which would be exposed on 1st spend, so the attacker isn’t breaking the P2SH or P2PKH wrapping - he’s breaking the pubkey
the key is vulnerable between unwrapping and next wrapping, e.g. if you avoid address reuse then you limit the window of opportunity for the attacker, as you correctly pointed out
my comment was regarding the wrapping itself - which would require breaking the preimage (Grover’s algo) and is a much harder problem than ECC and in theory possible against 160 bits: see “Post-quantum preimage resistance of HASH160 addresses” on Bitcoin Stack Exchange
On BCH, there is a way because we can make such a lock using our new smart contract capabilities, see here: Quantum-resistant One-time-use Lock
Ahh I see.
The commit must be at least N blocks deep.
Thus if a miner creates his own fake commit as soon as he sees the private information, it won’t be buried deep enough.
Thus a miner would have to win the next N blocks to use his fake commit. If a different miner mined any of those blocks, then they could include the legitimate transaction and negate his fake commit.
It does mean that a dishonest miners majority could block any other honest miner. However, a 51% attack is pretty damaging either way.
It does mean that a long duration 51% fork might be able to pay for itself, since it can steal all coins in the fork that is replaced.
This is inherent in any such scheme. If, say, 50 BCH of non-quantum protected outputs were redeemed in each block, then that would pay for the hash power for the alternative fork (assuming it is for sale).
Ideally, less than the block reward would be redeemed on average per block.
Fawkescoin was a proposal for a hash-only commit based currency (no signatures at all).
Chaincode Labs report investigating if Bitcoin is ready for the quantum era:
Jason just released a developer preview of “Quantumroot” - which if I’m reading it right means BCH can start building quantum resistant vaults (at very impressive levels of economic efficiency / low fees) into all wallets after the 2026 upgrade (provided all relevant upgrades lock in).
Would be amazing if BCH is already rolling out quantum resistant protection options & tooling by the end of next year. I think that should put us nicely ahead of the game & hopefully attract industry attention to our innovations.
I’m sure he’ll jump in with his own comments at some point.
Jameson Lopp’s proposed under-development Quantum BIP.
The proposal is to announce a sunset date at which non-quantum coins become unspendable, rather than letting a quantum attacker grab them and dump. But this by default burns all coins of anyone who doesn’t migrate to the quantum version in the meantime (Satoshi, people not following things closely etc.).
Interesting take on it.
Hunter Beast has published his proposal “Hourglass” in a draft format. The idea is to limit P2PK spends (i.e. Satoshi & other early coins, 1.7m total) to 1 output per block. This would slow down quantum harvesting of those coins to take nearly a year, instead of happening potentially within just a few hours.
The only downside is that it essentially deprecates P2PK, but that’s already been dead for years.
Seems like an excellent proposal to me at first consideration.
As BCH has no issue with hard forks, we could even consider a variant of this like limiting the P2PK spend to only once every X blocks (like once per 10) to slow things down further, although that might introduce mining games since there would possibly be a huge benefit to reorging that “special” block which harvests the 50 BCH from early P2PK addresses.
Edit: this proposal has anti-synergy with 1 minute blocks, which would again speed up the release of such coins (although it would be slower than without any hourglass).
Edit 2: A good counterargument by Jameson Lopp:
I think this could benefit from a lot more blockchain analysis in order to support the claim that it will reduce economic volatility. On its surface it feels like a half measure.
Sure, requiring P2PK output spends to be spread out over a year /could/ slow down the /tail end/ of said economic volatility. This is assuming that post-QDay, the machines doing the cracking can crack a key in less than 10 minutes.
However, a rational quantum adversary will seek to maximize their revenue. For example, the most valuable likely lost funds are 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has 31,000 BTC spread across only a handful of UTXOs. It’s not a P2PK address, but a P2PKH with an exposed pubkey due to address re-use. Even if this proposal is implemented we can still expect massive economic volatility at the front-end of the quantum era. Even if this proposal was extended to INCLUDE spends from re-used addresses, that would be 31,000 BTC in an hour or two.
Moving on to P2PK specifically, I’d expect a similar issue of front-loaded volatility once a quantum adversary runs through the high value reused addresses that haven’t migrated to a quantum safe scheme. Take, for example, James Howells’ funds at 198aMn6ZYAczwrE5NvNTUMyJ5qkfy4g3Hi - 8,000 BTC spread out across just 16 UTXOs, which would be spendable in a 3 hour timeframe in this proposal.
Quantum has been a huge topic of FUD/discussion the last couple of weeks. Nic Carter having a big meltdown over the whole thing (his published articles and research were fairly quality, but his discussion and debate on the issue afterwards was just appalling).
https://x.com/nic_carter/status/2002223319022776605
https://x.com/TheBCHPodcast/status/2003308460046451034
Also, BIP 360 guys have added Isabel Foxen Duke (who followed me on Twitter after I brought up the BCH quantum solutions) as a co-editor and reworked their proposal. Their current idea seems to be just adding a new Taproot Script Hash P2TSH, which is kinda quantum resistant or fixes the Taproot bug but doesn’t sound like it really addresses the issue entirely and is more of a “first step”. They won’t even get anywhere near shipping that, but I’m surprised to see them make such a weak attempt in the first place. Anyway, they’ll learn one day.
We are in a good position with Quantumroot. I expect first wallets to become available end of 2026 or in 2027. Currently, QCs can’t do anything, threat is still hypothetical. Still, the fear of QCs is real and can strain people psychologically. Having a plan for q-day will help that, so here’s a plan.
There’s been a lot of fear about quantum computers threatening Bitcoin Cash. Let’s cut through the noise and look at what we can actually do.
The Good News First
Quantum computers aren’t magic. According to Google’s own research paper:
- Cracking one key would take ~9 minutes (30 min for 100% success)
- Cracking enough keys to access 1 million BCH would take ~125 days minimum
- Cost: hundreds of millions to billions of dollars
- That’s almost as slow as it took to originally mine them (~194 days)
This isn’t a switch that gets flipped and suddenly someone owns all the old coins. It would be an expensive, slow process where attackers compete with each other and have to sell at prices that recoup their costs.
The Plan: Commit-Delay-Reveal
Here’s a scheme that would protect real owners without freezing or stealing anyone’s coins.
How it would work:
- Commit: Publish a hash of your intended transaction. This reveals nothing about your keys. It just says “I plan to move these coins.”
- Delay: Wait for the commitment to age (say, a few months to a year).
- Reveal: Broadcast your actual transaction. The network checks that it matches your earlier commitment.
Why this protects real owners:
- Oldest commitment wins. If you committed before an attacker cracked your key, you win automatically.
- Attackers face uncertainty. Even if they crack a key, they don’t know if the real owner already has an older commitment waiting. They could spend billions cracking keys only to get front-run.
- No coins get frozen or burned. The rule just requires a commitment before spending. Everyone plays by the same rules.
This would work for ALL coin types: P2PK (like Satoshi’s coins) and P2PKH alike. The only requirement is that real owners commit before attackers do.
How We Get There
The technical path is straightforward:
- Spec out the OP_CHECKSIG overload to require a pre-commitment as part of signature validation
- Implement and test the upgrade
- Activate via network upgrade when ready, or keep it dormant until QCs actually arrive
Once the spec is finalized, users would be able to start publishing commitments immediately. The “delay” period starts counting from when you commit, so early adopters get maximum protection.
If quantum computers never materialize, no harm done. The commitments just sit there unused. If they do arrive, everyone who committed early is protected.
This is a solvable problem on a relatively quick timeframe. We don’t need to panic, and we definitely don’t need to freeze anyone’s coins.
The Three Types of Coins
P2PK (Pay to Public Key): ~1.7 million BCH including Satoshi’s coins. The public key is directly visible on-chain, so attackers could start working on these before any spend attempt. But with commit-delay-reveal, real owners would protect themselves by committing early. Oldest commitment wins.
P2PKH (Pay to Public Key Hash): The public key is only revealed when you spend. If you’ve never spent from an address, attackers don’t even know which key to crack. Commit-delay-reveal would add another layer: even if your key gets exposed and cracked later, your earlier commitment wins.
New coins going forward: Quantumroot vaults become available after May 15, 2026. Full quantum resistance using only SHA256. Problem solved for anyone who uses them.
What About Satoshi’s Coins?
Once the commit-delay-reveal spec is live, Satoshi (or any P2PK holder) could publish a commitment. If he does before QCs arrive, he’s protected. His aged commitment would beat any attacker who cracks the key later.
If he doesn’t, well, he’s had 15+ years to move those coins and hasn’t. At some point we have to accept that either:
- He lost his keys
- He’s deliberately leaving them as a QC bounty
- He won’t bother to publish a simple commitment
- He’s no longer alive
Whatever the reason, it’s not our place to interpret his intentions or “protect” coins he chose not to protect himself. The locking script is a contract. With commit-delay-reveal, the rule becomes: whoever has the oldest valid commitment gets the coins. Fair and simple.
Burning or freezing coins would be theft dressed up as protection. We’d be stealing from Satoshi (or his heirs, or his intended beneficiaries) to protect our bags from a hypothetical liquidity event.
BCH doesn’t do that.
What You Can Do Today
- Stop reusing addresses. Every time you spend, your public key is revealed. Fresh addresses give you better privacy anyway.
- Move to Quantumroot when wallet support arrives (late 2026 - 2027). This gives you full quantum resistance going forward.
- Watch for the commit-delay-reveal spec. When it’s finalized, commit your old coins early. Oldest commitment wins.
- Don’t panic. The timeline for cryptographically relevant quantum computers is likely 2030s at earliest. We have time to prepare.
Why Not Just Freeze the Old Coins?
Some people are pushing for blanket freezing or burning of “vulnerable” coins. This is wrong for several reasons:
It’s theft. You’re taking someone’s coins without their consent. Doesn’t matter if you call it “protection.”
It sets a deadly precedent. Once developers can freeze coins “for the greater good,” where does it stop? Dormant coins today, “criminal” coins tomorrow, sanctioned addresses next week.
It’s unnecessary. Commit-delay-reveal would protect everyone who bothers to use it. If you don’t protect your own coins when given an easy way to do so, that’s on you.
BCH survived worse. The chain absorbed millions of coins being dumped by BTC maxis after the fork. Someone bought them. Life went on.
The Bottom Line
BCH has a clear path forward:
- Quantumroot for new coins (available May 2026)
- Commit-delay-reveal to protect existing coins (spec it out, flip the switch when needed)
- No freezing, no burning, no theft
This is a solvable problem. The technical work is straightforward. Real owners who publish commitments early would be protected. Those who don’t, after years of warning, have made their choice.
Anyone pushing for blanket freezing while ignoring these solutions is either uninformed or has an agenda. Now you know the difference.
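The commit-delay-reveal rule from the post above (commit a hash of the intended transaction, let it age, then reveal; oldest aged commitment wins among competing spends), as an added example that is not part of the post and is not Quantumroot or any BCH specification. It models the commitment as SHA256 over the unsigned intended transaction, uses a fixed aging period, and adjudicates competing spends of one coin by the height at which each commitment was first mined; all three are assumptions about a spec that has not been written.

```python
import hashlib
import json

DELAY_BLOCKS = 1000  # assumption: a commitment must be this many blocks old before its reveal counts


def tx_commitment(tx: dict) -> bytes:
    """Commit to the intended transaction minus its signature; the hash reveals neither key nor coins."""
    unsigned = {k: v for k, v in tx.items() if k != "sig"}
    return hashlib.sha256(json.dumps(unsigned, sort_keys=True).encode()).digest()


class CommitRegistry:
    """Constructed model of the on-chain commitment set: commitment hash -> height first mined."""

    def __init__(self):
        self.first_seen = {}

    def publish(self, commitment: bytes, height: int):
        self.first_seen.setdefault(commitment, height)  # republishing never refreshes the age

    def age(self, commitment: bytes, tip: int):
        h = self.first_seen.get(commitment)
        return None if h is None else tip - h


def sig_valid(tx: dict) -> bool:
    return tx.get("sig") == "valid"  # stand-in for the ECDSA/Schnorr check OP_CHECKSIG already does


def checksig_with_commitment(tx: dict, registry: CommitRegistry, tip: int) -> bool:
    """The overloaded OP_CHECKSIG: signature must verify AND an aged commitment to this tx must exist."""
    if not sig_valid(tx):
        return False
    age = registry.age(tx_commitment(tx), tip)
    return age is not None and age >= DELAY_BLOCKS


def pick_winner(candidates, registry: CommitRegistry, tip: int):
    """Among valid competing spends of the same coin, the oldest commitment wins."""
    valid = [tx for tx in candidates if checksig_with_commitment(tx, registry, tip)]
    if not valid:
        return None
    return min(valid, key=lambda tx: registry.first_seen[tx_commitment(tx)])


def scenario():
    reg = CommitRegistry()
    owner_tx = {"in": "p2pk:early:0", "out": "quantumroot:owner", "sig": "valid"}   # constructed
    thief_tx = {"in": "p2pk:early:0", "out": "p2pkh:thief", "sig": "valid"}         # constructed
    reg.publish(tx_commitment(owner_tx), height=100)    # owner commits long before Q-day
    reg.publish(tx_commitment(thief_tx), height=5001)   # thief cracks the key around 5000, then commits
    early = pick_winner([owner_tx, thief_tx], reg, tip=5500)  # thief's commit has not aged yet
    late = pick_winner([owner_tx, thief_tx], reg, tip=7000)   # both aged: oldest commitment wins
    reg2 = CommitRegistry()                                   # same coin, but the owner never committed
    reg2.publish(tx_commitment(thief_tx), height=5001)
    unprotected = pick_winner([thief_tx], reg2, tip=7000)
    return (early["out"], late["out"], unprotected["out"],
            checksig_with_commitment(thief_tx, reg, tip=5500))
```

Two things the model makes visible that the prose only asserts: a commitment that nobody follows up costs nothing and is never consumed, and the scheme protects only coins whose owner committed before the attacker's own commitment aged; the third result in `scenario()` is the "that's on you" case from the post.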