One thing that is not addressed: say this quantum attack happens tomorrow and everyone agrees it was an attack, what would prevent the community (miners, node operators, and users) from hard forking the chain at a snapshot before the attack, patching the protocol, and calling that Bitcoin? There would be loss of value of course, but it is not unrecoverable.
It’s worth remembering that Ethereum forked for much less (not even a bug in the protocol, but a bug in a private application running on the protocol) and nobody seems too upset about it a decade later.
> fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin?
It won't work. The only way to authenticate who owns what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.
You need to move to a safer signature algorithm before the break; after the break it is game over.
> It’s worth remembering that Ethereum forked for much less
Ethereum could simply return the coins to the original owners. If the signature scheme is insecure, returning the coins just means the attacker can steal them again.
> The only way to authenticate who owns what coins is with signatures
Maybe the only fully cryptographic absolutely zero-trust way? In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.
Of course, this is not ideal and everyone would prefer not to go down that route. But even if we prepare in time and Bitcoin provides a quantum-secure address scheme before "Q-day", what happens to all the wallets that didn't upgrade? Is it open season on them? Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market. I think even with the upgrade plan in place, a hard-fork + recovery will be on the menu, with various degrees of community support.
In practice, what you really need is consensus. As long as enough of the important participants agree, that's how it will be.
And since there are millions of identical copies of the entire pre-attack ledger out there, this should not be that difficult.
Potential future buyers might reevaluate whether this whole thing has any monetary value, but that's a separate concern. Bitcoin's market value was never about the technical details.
In theory nothing prevents that but it would be so contentious that the backlash (e.g. 90% drawdown) may be even worse than just letting the hacks stand.
In my humble opinion (because I'm not a "crypto investor"), Ethereum lost all credibility with that fork. You can't trust a system/currency that changes the rules like that.
The most likely quantum attack on Bitcoin will be a catastrophic transfer of large wallets to burn addresses along with a massive short position. No need to worry about washing stolen coins when you can just enjoy your "well timed" legal short position's windfall.
As was alluded to in the comments, my colleagues at Blockstream Research are doing some work on this with mechanisms called SHRINCS and SHRIMPS.
Of course, inventing and demonstrating a quantum-resistant signature mechanism isn't the same thing as deploying it in consensus or upgrading everyone's UTXOs to it, and it's fair to say that there are many steps in between!
"A CRQC is an existential threat to Bitcoin (you might believe this is very low-likelihood). Your measurement of this threat should literally be:
(A) How likely you think it is a CRQC appears by a given time, multiplied by
(B) How likely it is you think Bitcoin will not successfully upgrade by that time."
It would be interesting to survey people about their answers.
My off-the-cuff answer is:
2030: A=0.05, B=0.01
2035: A=0.50, B=0.001
2045: A=~1.0, B=~0.0
I reserve the right to change my mind on these answers at any point. This is not a serious prediction.
Somewhat ironic question, but as ETF holdings of BTC continue to grow, is there a possibility that the custodians of those ETFs start to have a backup plan for ETF holders or create an alliance to push a fork forward? The management fee those companies generate is non-trivial, so they're incentivized to stay ahead of this.
Now, of course, the irony here would be traditional finance infrastructure winning out over decentralized, which could definitely deal a psychological blow to BTC's perceived value... but it's something I've been thinking about lately as this existential threat rises on the horizon.
This is one of the laziest writings I've ever heard... CRQC is not non-zero across all timelines, it is inevitable. With the inevitability, the satoshi wallets can never be secured.
The thing that supposedly sets Bitcoin apart from other cryptocurrencies is that it's deflationary and 'immutable', in that Satoshi is gone forever and any deviation of Bitcoin from his golden idea will result in undermining its essence. If Bitcoin can get quantum-attacked then, from a technical point of view, nothing will be lost. The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography. But at that point, is it still Bitcoin? Because you've undermined the immutability. If the core devs can just say "this core property of Bitcoin is now something completely different", who's to say that they won't change their minds about the deflationary nature in the future? All credibility will be lost. Now, if you accept that, is perhaps all credibility lost already? ...
I think we still have a 3-4 year escape window to reach the necessary qubit range for breaking the encryption. But China is unstoppable and advancing rapidly, so the crypto community needs to upgrade to Post-Quantum Cryptography before the threshold breaks.
Q: Stealing is illegal, so why would anyone use a CRQC to steal Bitcoin?
I've had this thought for a while actually: how would reproducing some random number be legally "stealing" under any legal system in the world? Putting aside that cryptocurrencies have always been about "code decides" etc, that they're outside of the legal system entirely, I'm struggling to see where there's any actual property interest here. Randomly generated numbers are not protected by IP in any way. There's no computer fraud act angle or the like here; nobody would be having so much as the slightest interaction with anyone else's private system. They'd merely be taking publicly available unprotected numbers and doing some math on them with their own quantum computer. Somebody else who has something related to those numbers is never deprived of them or interacted with in the slightest. There is nothing resembling "hacking", no flaws in the software exploited, all just math there from the start.
I can understand how suddenly a lot of proponents might wish to cling to and push the idea that it's "illegal" or "stealing", but there doesn't appear to be any meat on dem bones. Maybe they hope to generate support to get laws passed banning it, though it's hard to see that working out either. As a practical matter it seems like they're just going to have to agree on a transition to a new version using PQE algorithms and try to convert over before it's too late?
I assume that the solution to this would be a modification of the cryptographic basis of Bitcoin. Is there any way at all to do that without leaving behind people who aren't available at the time of transfer? Like if Satoshi was in a coma and not dead, is there any way at all to harden Bitcoin against attacks that would leave his wallet accessible to him?
> Q: Stealing is illegal, so why would anyone use a CRQC to steal Bitcoin?
> A: If you truly believe this, you really should value Bitcoin at 0 – it has many unnecessary components with a lot of overhead, like proof-of-work and digital signatures.
Proof of work is still necessary for two reasons:
1) to fairly distribute all coins (it's not sufficient though, e.g. Bitcoin's halvings still concentrate wealth on early miners/adopters)
2) to provide objective proof for the true transaction history, anchored in energy expenditure.
I think the tricky part is ownership after the break.
If signatures are no longer trustworthy, rolling back doesn't really tell you who the coins belong to. It just rewinds you to a state where the same problem still exists. So this seems more like a migration problem than a governance problem.
In practice, wouldn't it only be the dead wallets that would be affected? Granted, it is not a small number - IIRC, around 20% of all mined bitcoin are stored on these so-called dead wallets. With current prices that's a quarter trillion dollars' worth of BTC.
Naive question, maybe. But if quantum can break bitcoin, won't it also be able to break other encryption that literally everyone else uses as well? So, it's not that bitcoin is particularly vulnerable right now any more than banks and Gmail?
Apparently the bitcoin foundation is already working on SHRINCS and SHRIMPS. But whether they will forcibly revoke keys of Satoshi and all early bitcoin whales or not is another question!
ETH is not afraid of doing hard forks, so I'm expecting that they will lead in adopting post quantum cryptography. And then BTC ecosystem participants can learn from ETH.
The world digital economy is worth more than 20T and we're concerned about an asset <2T!? If quantum breaks the highest form of encryption we have today, we have bigger problems at hand.
Existing wallets need to actively commit to some PQ signature mechanism, prior to Q-day.
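The commit-before-Q-day idea in the comment above, together with the earlier point that after a break a signature no longer tells you who the owner is, as an added toy simulation. This is example code written for this page; it is not Blockstream's SHRINCS/SHRIMPS, nor Bitcoin Core code. Everything in it is constructed: a textbook RSA with a tiny modulus stands in for secp256k1 ECDSA, trial-division factoring stands in for the CRQC, a Lamport one-time signature stands in for whatever PQ scheme is eventually chosen, and the ledger, the UTXO ids, the message formats and the "freeze uncommitted outputs after Q-day" policy are all assumptions made for the example.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# Toy "classical" scheme: textbook RSA with a ~27-bit modulus, standing in for ECDSA.
# The tiny size plays the role of the CRQC: the private key is recoverable from the public key.
def _next_prime(n: int) -> int:
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def classical_keygen(seed: int):
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    n, e = p * q, 65537
    return (n, pow(e, -1, (p - 1) * (q - 1))), (n, e)  # (sk, pk)

def classical_sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(int.from_bytes(H(msg), "big") % n, d, n)

def classical_verify(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == int.from_bytes(H(msg), "big") % n

def simulated_crqc_recover(pk):
    """Stand-in for Shor's algorithm: factoring the toy modulus yields the private key."""
    n, e = pk
    p = next(d for d in range(2, int(n ** 0.5) + 1) if n % d == 0)
    return n, pow(e, -1, (p - 1) * (n // p - 1))

# Toy post-quantum scheme: a Lamport one-time signature (hash-based, not number-theoretic).
# One key pair signs exactly one message.
def _bits(msg: bytes):
    return [int(b) for b in format(int.from_bytes(H(msg), "big"), "0256b")]

def pq_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]  # (sk, pk)

def pq_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def pq_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def pq_commitment(pk) -> bytes:
    return H(*[h for pair in pk for h in pair])

def spend_message(utxo_id: str, dest: bytes) -> bytes:
    return b"spend|" + utxo_id.encode() + b"|" + dest

class Ledger:
    # Rule: after Q-day only a PQ key matching a pre-Q-day commitment can spend a UTXO.
    def __init__(self):
        self.utxos = {}      # utxo_id -> {"pk": classical pubkey, "commit": H(PQ pubkey) or b""}
        self.q_day = False   # once True, a classical signature proves nothing about ownership

    def create(self, utxo_id: str, classical_pk) -> None:
        self.utxos[utxo_id] = {"pk": classical_pk, "commit": b""}

    def commit_pq(self, utxo_id: str, classical_sk, pq_pk) -> bool:
        # Owner binds a PQ pubkey to the UTXO with a classical signature; pre-Q-day only.
        u, c = self.utxos[utxo_id], pq_commitment(pq_pk)
        msg = b"commit|" + utxo_id.encode() + b"|" + c
        if self.q_day or not classical_verify(u["pk"], msg, classical_sign(classical_sk, msg)):
            return False
        u["commit"] = c
        return True

    def spend(self, utxo_id: str, dest: bytes, *, classical_sig=None, pq_pk=None, pq_sig=None) -> str:
        # Returns "ok" or the rejection reason. Uncommitted UTXOs are frozen after Q-day.
        u, msg = self.utxos[utxo_id], spend_message(utxo_id, dest)
        if self.q_day:
            if not u["commit"]:
                return "frozen: no PQ commitment before Q-day"
            if pq_pk is None or pq_commitment(pq_pk) != u["commit"]:
                return "rejected: PQ key does not match commitment"
            if not pq_verify(pq_pk, msg, pq_sig):
                return "rejected: bad PQ signature"
        elif classical_sig is None or not classical_verify(u["pk"], msg, classical_sig):
            return "rejected: bad classical signature"
        del self.utxos[utxo_id]
        return "ok"

def run_scenario() -> dict:
    # Alice commits before Q-day; Bob's wallet is dormant and never does.
    ledger = Ledger()
    alice_sk, alice_pk = classical_keygen(10_000)
    bob_sk, bob_pk = classical_keygen(20_000)
    ledger.create("alice:0", alice_pk)
    ledger.create("bob:0", bob_pk)
    alice_pq_sk, alice_pq_pk = pq_keygen()
    committed = ledger.commit_pq("alice:0", alice_sk, alice_pq_pk)
    ledger.q_day = True  # the break: every classical private key is now derivable from the chain
    recovered = {uid: simulated_crqc_recover(u["pk"]) for uid, u in ledger.utxos.items()}
    dest = b"crqc-holder"
    attack = {uid: ledger.spend(uid, dest, classical_sig=classical_sign(recovered[uid], spend_message(uid, dest)))
              for uid in ("alice:0", "bob:0")}
    owner = ledger.spend("alice:0", b"alice-new", pq_pk=alice_pq_pk,
                         pq_sig=pq_sign(alice_pq_sk, spend_message("alice:0", b"alice-new")))
    return {"committed": committed, "attack": attack, "owner_pq_spend": owner,
            "keys_recovered": recovered["alice:0"] == alice_sk and recovered["bob:0"] == bob_sk,
            "remaining": sorted(ledger.utxos)}
```

Running `run_scenario()` shows the two halves of the argument. The simulated CRQC really does recover both classical private keys, yet a spend signed with Alice's recovered key is rejected because the post-Q-day rule only honours a PQ key whose hash matches the commitment she made while her classical signature still meant something. Bob's output is not "open season" either, because this ledger freezes anything that was never committed rather than handing it to whoever holds a CRQC; that freeze is a policy choice assumed for the example. Rolling the ledger back to a pre-attack snapshot would not change Bob's situation, since his output carries no information that distinguishes him from a key-recoverer, which is why the commitment has to happen before the break.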
> I personally care more about using Bitcoin than its price
I suspect that the author is in a pretty drastic minority here.
A related article on Bitcoin Core resistance to upgrading: https://murmurationstwo.substack.com/p/bitcoin-developers-ar...