Bitcoin Forum
Author Topic: Bitcoin must upgrade or fall victim to quantum computing in 5 years  (Read 1241 times)
Wind_FURY (Legendary; Activity: 3388, Merit: 2057)
August 17, 2025, 02:05:31 PM
Merited by stwenhao (1)
#61

Quote
Let's pretend that a Quantum Computer that could break the encryption and steal Satoshi's coins is close to being built - in one year, let's say. How long would it take the Core Developers to code a patch and have it merged?

Quote
If this ever happens then I presume the entire internet will be compromised for all of us. Bitcoin is a financial motive for such a computer to be created. But by breaking encryption, there are a TON of other things to break and steal, such as government information and other things. Bitcoin would become useless, at least for a while, clearly. Why steal something and render it useless when you can steal US, Russia, China intel and sell it?

In my opinion, we simply can not function based off this 'what if?' fear. For all we know, North Korea may be preparing to show the world for the first time something more powerful than what any other scientists have ever created, a computer that breaks encryption way before the known most powerful quantum computers can. In fact, it would be an advantage to Kim. Yet, living in this fear is no good. Because what is the point?

Considering this is an issue already being worked on, I believe we are on the right path. Things can happen along the way; we simply have to accept the facts and move on. Bitcoin is digital after all, it is definitely prone to a few attacks. And on the other side of the blade, you have yet another risk. What if a better currency comes ahead of Bitcoin, proving it can do things better than Bitcoin can, including being bulletproof in front of any type of computer known to be conceivable to man? What do we do then?

I know that Bitcoin should be the least of our worries. In fact, I have already said that like a broken record a few months ago when other posters were asking about it.

But in this context, I am merely asking: how fast can the Core Developers react IF an actual Quantum Computer is projected to start breaking SHA-256 in one year?

Satofan44 (Full Member; Activity: 126, Merit: 312)
August 17, 2025, 03:31:24 PM
Merited by ABCbits (1), stwenhao (1)
#62

Quote
But in this context, I am merely asking: how fast can the Core Developers react IF an actual Quantum Computer is projected to start breaking SHA-256 in one year?
Core developers are not the ones developing quantum-resistant hashes and encryption; they would usually be implementing such things for Bitcoin. If there is a need, an implementation can be delivered fast, assuming that there are solutions. Time to implement is not really a concern.

Anyhow, the chance of SHA-256 being broken within this century is close to 0%. Why worry about such stuff today, you won't even be alive to see it?

stwenhao (Sr. Member; Activity: 437, Merit: 869)
August 17, 2025, 03:52:32 PM
Merited by d5000 (2)
#63

Quote
How fast can the Core Developers react IF an actual Quantum Computer is projected start breaking SHA-256 in one year?
If people are in a hurry, then everyone can agree that vulnerable coins should be timelocked, for example for a few years, and in the meantime the transition plan can be prepared. Which means that even if unexpected things happen, then still: freezing coins for a while, and giving developers more time to prepare a proper transition, is something that can be done in the worst case. And seeing the existing discussions, I doubt there will be no proposal: I'd rather expect a lot of different competing versions, and many discussions related to activating BIP-X, BIP-Y, or BIP-Z.

Also, it is very unlikely that everything will be broken at once, because different people use different keys, which means that if breaking a single key takes, for example, a day, then still: it will take a whole year to break 365 keys. And also, even if keys can be broken instantly, in seconds, then still, the maximum block size can limit the damage, because nobody will be able to confirm more than 4 MB of data per 10 minutes, even if all private keys are publicly known.

Quote
Time to implement is not really a concern.
Exactly. Many times, it took much longer to decide how to activate a given BIP than to write the actual implementation. And even in quantum scenarios, today's discussions are more focused on "how to activate things" rather than "which algorithm should be picked". Because for the latter, there are many options, and if people are in a hurry, then they will just take their favourite signature scheme, and the one who is the fastest to make the Pull Request will likely win. And the more time we have, the more quality can be put into the picked solutions.

Quote
Why worry about such stuff today, you won't even be alive to see it?
Yes, for hash functions, we don't have preimages even for broken MD5 or SHA-1. And seeing how SHA-1 was patched, I wouldn't worry too much about attacks on SHA-256, because this hash function is very similar, so it can be hardened in the same way, based on discovered attacks (also, breaking ECDSA through SHA-256 requires preimages; even if ECDSA used MD5 inside, you wouldn't break it by having only collisions).

Proof of Work puzzle in mainnet and testnet4.
Wind_FURY (Legendary; Activity: 3388, Merit: 2057)
August 18, 2025, 04:53:58 AM
Merited by stwenhao (1)
#64

Quote
But in this context, I am merely asking: how fast can the Core Developers react IF an actual Quantum Computer is projected to start breaking SHA-256 in one year?

Quote
Core developers are not the ones developing quantum-resistant hashes and encryption; they would usually be implementing such things for Bitcoin. If there is a need, an implementation can be delivered fast, assuming that there are solutions. Time to implement is not really a concern.

Anyhow, the chance of SHA-256 being broken within this century is close to 0%. Why worry about such stuff today, you won't even be alive to see it?

I know, and please get the context instead of starting another debate merely for the sake of it. I was merely asking how fast the Core Developers can release an update/patch FOR Bitcoin, whatever that might be, IF Quantum Computers are projected to start breaking things.

The question is actually about the speed of reaction by the Core Developers, how fast they are, NOT about whether "X event" is an actual threat within one year.

 ¯\_(ツ)_/¯

Rgram (Full Member; Activity: 126, Merit: 103)
August 18, 2025, 09:04:31 AM
#65

I have just read about it not long ago, but I have also read somewhere before that by 2030 it is possible that ECDSA becomes vulnerable to quantum computing. This is 2025, which means 2030 is just 5 years away from now.

I suppose in 5 years we would find out how true these doom speculations are, and then we would move past it and wait on the next.

Quote
But in this context, I am merely asking: how fast can the Core Developers react IF an actual Quantum Computer is projected to start breaking SHA-256 in one year?
In the case of this eventuality, what reaction can there be if it isn't at the same speed as quantum computing, where the same device would be used to get the same difficulty and solution?
Alpha Marine (Sr. Member; Activity: 1008, Merit: 453)
August 18, 2025, 05:17:08 PM
#66

If so, then why should Bitcoin be the only thing that should be worried? Or will Bitcoin or its blockchain be the only thing affected? How about the banks? How about every other payment system in existence?
The stock market will crash, because it will not be safe either. In fact, the whole financial system will be at risk. I am not an expert on the matter, so I would like to be educated further, but from what I understand, if quantum computing is as dangerous as they say, then the whole of the internet will be at risk, don't you think?

I'm not trying to wave this off as something that should not be taken seriously, but I see this as the usual fear and exaggeration people have towards the unknown. It's the same way people feared electricity before it became mainstream, the same way people feared the internet taking their jobs, and the same way people fear AI taking jobs and causing more harm today. I'm not saying they don't have their risks, but the world is a better place with electricity and the internet in it, and it will be a better place with further innovations.

d5000 (Legendary; Activity: 4382, Merit: 9282; Decentralization Maximalist)
August 18, 2025, 10:23:52 PM
Merited by ABCbits (1), stwenhao (1)
#67

Quote
If so, then why should Bitcoin be the only thing that should be worried?
One reason why Bitcoin may be a bit more affected than other cryptographic systems is that its blockchain is space-limited, and thus a transition to a post-quantum algorithm which requires more space would bring a shift in its economics. Even if we allow bigger blocks to accommodate the signatures, operating a full node would become a lot more expensive, above all due to the rising bandwidth cost (not so much the storage). That would have consequences for its decentralization.

That's why such a move would be much slower than a bank's software platform in reacting to that threat once it emerges. A bank would simply upgrade their software to another cryptographic system, they would need a bit more space on their devices and perhaps more computing power to sign communications, but that wouldn't be a major problem (it could increase their operational costs a bit but not so decisively that their business model would change).

If we had a quantum secure algorithm with signatures/public keys roughly as large as the ECDSA keys/signatures (and not much costlier to validate like in the case of SQIsign), then it would be also much more straightforward to plan a transition. One could even try out such an algorithm without major damage.

stwenhao (Sr. Member; Activity: 437, Merit: 869)
August 19, 2025, 03:59:31 AM
#68

Quote
its blockchain is space-limited, and thus a transition to a post-quantum algorithm which requires more space would bring a shift in its economics
It can be solved in two ways. The first is hiding quantum signatures behind existing ECDSA signatures. Which means that quantum-safe addresses will take exactly the same on-chain space as today, as long as ECDSA is still strong, and longer validation time, or bigger signatures, will be shared only when a quantum alert is broadcast, and when old ECDSA transactions become non-standard, timelocked, or unspendable.

Another way is signature aggregation: now, Taproot can already be used to aggregate many signatures into one, as long as all of them commit to the same message, and the sum of public keys is equal to the on-chain shared key. Which means that if quantum signatures are aggregated, then by having more than one user per UTXO, it can scale, even if the maximum size of the post-quantum chain is similar to the current version (if you have thousands of users per signature, then a single 50 kB signature means around 50 bytes or less per user).

Also, I think we should focus more on the sigops limit than on the block size limit. We now have 80k sigops per block, where legacy signatures take 4 sigops, and witness signatures take 1 sigop. It is just a matter of setting the quantum commitment size, and the number of consumed sigops per quantum signature.

Quote
If we had a quantum secure algorithm with signatures/public keys roughly as large as the ECDSA keys/signatures (and not much costlier to validate like in the case of SQIsign), then it would be also much more straightforward to plan a transition.
It is a chicken-and-egg problem: before SHA-1 was attacked, people didn't know how to properly make a hardened version of it. Which means that it is quite likely that ECDSA will behave in a similar way: when practical attacks materialize (or at least PDFs describing practical attacks), only then will we know how to turn ECDSA into "hardened ECDSA". And it is quite likely that something will already be deployed, so we will be stuck with ECDSA, and some slow quantum signature scheme, with big signatures, and only practical attacks will tell us where to look, and how to protect things. And then, we could have hardened ECDSA, and some inefficient quantum scheme. Which is yet another reason to think about downgrading from quantum, because it is quite likely that something better will be invented, and we may need to switch from quantum proposal A to quantum proposal B.

Satofan44 (Full Member; Activity: 126, Merit: 312)
August 19, 2025, 11:38:27 AM
Last edit: August 19, 2025, 12:50:53 PM by Satofan44
#69

Quote
But in this context, I am merely asking: how fast can the Core Developers react IF an actual Quantum Computer is projected to start breaking SHA-256 in one year?

Quote
Core developers are not the ones developing quantum-resistant hashes and encryption; they would usually be implementing such things for Bitcoin. If there is a need, an implementation can be delivered fast, assuming that there are solutions. Time to implement is not really a concern.

Anyhow, the chance of SHA-256 being broken within this century is close to 0%. Why worry about such stuff today, you won't even be alive to see it?

Quote
I know, and please get the context instead of starting another debate merely for the sake of it. I was merely asking how fast the Core Developers can release an update/patch FOR Bitcoin, whatever that might be, IF Quantum Computers are projected to start breaking things.

The question is actually about the speed of reaction by the Core Developers, how fast they are, NOT about whether "X event" is an actual threat within one year.

 ¯\_(ツ)_/¯
I answered, but you didn't understand my reply. Time to implement is not a relevant concern for any of this, in any scenario of this. The answer is that it always depends on the specifics of the situation. Nobody can give you a specific number in units of time in advance for an unknown scenario, so don't ask for one.

Quote
In the case of this eventuality, what reaction can there be if it isn't at the same speed as quantum computing, where the same device would be used to get the same difficulty and solution?
That does not make any sense.

edroi (Newbie; Activity: 28, Merit: 1)
August 19, 2025, 12:59:45 PM
#70

Quote
This is just random news I got, but people are really talking about it.

I have just read about it not long ago, but I have also read somewhere before that by 2030 it is possible that ECDSA becomes vulnerable to quantum computing. This is 2025, which means 2030 is just 5 years away from now.

What do you think about this disturbing news? I have read more than 5 news items about this and I saw another one today. What are bitcoin developers doing about it?

If you need the source that I got today's news from, I can post it; it has the same title that I have as the title of this thread.


yep i have seen those discussions too & honestly it’s something worth paying attention to... quantum computing definitely poses a challenge to ecdsa but it’s not like bitcoin devs are ignoring it.. the community has been talking about quantum resistance for years and there are already proposals for post quantum signature schemes.. the hard part isn’t just switching the algorithm.. it’s doing it in a way that keeps security, compatibility & consensus across millions of users

2030 sounds close when you say 5 years but the reality is quantum computers that can actually break ecdsa at bitcoin scale are still not here yet.. the news articles often make it sound more urgent than it really is but that doesn’t mean the risk is fake.. i think the most likely path is bitcoin will move to a stronger signature scheme before quantum computers are realistically dangerous

so yep it’s a concern but no it’s not the end of bitcoin... the devs are aware, the research is ongoing & the transition will happen when the time is right
stwenhao (Sr. Member; Activity: 437, Merit: 869)
August 29, 2025, 04:47:19 PM
#71

Quote
I was merely asking how fast the Core Developers can release an update/patch FOR Bitcoin, whatever that might be, IF Quantum Computers are projected to start breaking things.
If you don't care about the specific solution being deployed, then it means you accept every proposal. And if Hourglass is sufficient, then it is optionally deployed now, since 2016 or something like that, when OP_CHECKLOCKTIMEVERIFY or OP_CHECKSEQUENCEVERIFY became active: Optional Hourglass is now deployed

And if you need just any Proof of Work, instead of the best one, then it can be done since 2009: Proof of Work transaction puzzle, based on DER signature size. In that case, your only limit is the standardness of the Script, but in the early days, when anyone could be a CPU miner, people could use raw scripts to achieve the same things.

I hope these examples will cut some of the "we are all going to die" FUD. Again, Proof of Work will solve a lot of things.
