No one has provided any argument against my upthread point about Zerocoin (if it were added to Bitcoin or an altcoin):
- If we adopt something like Zerocoin to add more anonymity to the tracing of trail of ownership of a coin, these signatures can't be retroactively hardened later, thus all that history of anonymity is suddenly lost once the adversary gains a quantum computer.
If you aren't interested in looking up any of the many, many threads on QC, but still want to know about it, I'll give you the very short version. QC is hard to scale up. At the moment, it looks like QC devices will not be following Moore's law because the difficulty of retaining coherence appears to scale close to linearly with the number of gates, rather than inversely with the feature size like in classical devices. Even in the worst case, we should have years of warning before devices capable of breaking ECDSA are created, with decades much more likely.*
And he still hasn't refuted what I asserted upthread as re-quoted as follows.
- How do we know when the adversary has a quantum computer, given the capability of the NSA to issue national security letter gag orders? They had differential analysis to break cryptography in the 1970s and 80s and the public was unaware.
He is speculating on what science knows now and what it can do in the future (and I don't even agree with his speculation but any way speculation is speculation, not fact). Due to National Security gag orders we can't even be sure we know what the current science is. The USA's covert agencies including the NSA have a $52 billion ANNUAL budget. And this doesn't include the black budget which Secretary of Defense Donald Rumsfeld admitted the day before 9/11 on national TV was $3 trillion unaccounted for in the defense budget (over the years), then the relevant records were conveniently destroyed when the Pentagon was hit by an "airplane" the next day. No backup copies of the records.
And his is ignoring the fact of history of what happened in the 1970s and 1980s (see what I wrote before as quoted above) which is an example that we can't always know.
Don't forget that
Edward Snowden leaked (Washington Post) that the NSA is actively attempting to build a quantum computer.
Why risk it? Why not switch to Lamport signatures so no more risk at all.
The reason is because Bitcoin's blockchain is design in a way that switching to Lamport probably won't scale well. But an altcoin can fix this. Bitcoin probably can't, although maybe if they get off their lazy arse and finish the UXTO pruning, they might be able to do it.
Here is an excellent article on this quantum computing topic and also explains how Bitcoin's three encryption methods are combined, so it is relevant to this thread's title as well:
http://www.bitcoinnotbombs.com/bitcoin-vs-the-nsas-quantum-computer/There are two things I dispute from the article.
Let’s consider the type attack most people think of when hear of quantum computers―a brute force attack.
Nonsense. Shor's algorithm is not a brute force attack. The author inserted this disinformation into his otherwise good article, because most users don't understand that
Shor's algorithm doesn't require a brute force capability.
The good news is that ECDSA should be relatively easy to swap out if/when it becomes compromised.
I already refuted that upthread:
And Shor's does not magically provide instant answers to questions posed, it allows a reduction in the search space, to the square root. sqrt(xy) = xy/2, so it will reduce the strength of our keys from 2128 to 264**. Note that 264 is still a huge number, and it is not at all a given that a real world system can accomplish it in 10 minutes.***
http://crypto.stackexchange.com/a/2642A security level of about 64 bits can be broken by a determined attacker, and a level of 32 bits can be trivially broken on a single home computer.
Also I think you are wrong. Grover's algorithm is what halves the effective bit length, i.e. square root of the solution space. As I explained upthread, Grover's algorithm applies (in theory) to cryptographic hashes, but for ECDSA and RSA the much more powerful Shor's algorithm applies. Shor's algorithm reduces to polynomial time as I explained upthread. If I am not mistaken, you've just shown yourself to be incompetent and not worth listening to.
http://security.stackexchange.com/a/37638http://en.wikipedia.org/wiki/Key_size#Effect_of_quantum_computing_attacks_on_key_strengthhttp://crypto.stackexchange.com/a/9940
Also note I wrote upthread that
in addition to the quantum computing threat, we can't be sure that the curve chosen for ECDSA isn't backdoored or that some mathematical algorithm couldn't be discovered secretly by the NSA, as they did with differential cryptographic analysis in the 1970s and 1980s and they could crack everyone, but no one knew.
Cryptographic hashes are much less likely than mathematical group algorithms (e.g. RSA and ECDSA) to fall to mathematical cryptographic analysis if they
are designed correctly to break algebraic linearity over all mathematical groups.
So, hardly the end of the world. And that isn't even considering non-technical solutions, like a mining service that cultivates a reputation for safely embedding transactions into the blockchain in exchange for fees****.
Here we go again depending on miners which are now becoming very centralized.
* It is not clear whether or not it is possible to apply Grover's algorithm to hashing in reality. Grover's works on quantum circuits, and we can't even design a classical circuit for single SHA-256, much less double, and vastly much less for a quantum version. Note that I said circuit. The distinction is important, it isn't that I'm unaware of FPGAs and ASICS.
If anything that is argument for using cryptographic hashes such as Lamport for public key cryptography. You are reinforcing my point.
** ECDSA has a work factor of 1/2, so 256 bit ECDSA is as strong as an ideal 128 bit crypto system.
*** Incidentally, 264 falling down to the hour-or-two range is likely to trigger a crypto upgrade, in my opinion. Assuming, of course, that we haven't done so already for aesthetic reasons.
You are talking about conventional computers. My point above is we might not know the progress of quantum computers or mathematical attacks not released to the public.
**** The service would solicit transactions spending from old keys into new keys and would only accept transactions that met their fee structure. They would then mine internally, without revealing the pubkey to the rest of the network. Presumably for large enough transactions, they could even be convinced to mine at a loss by discarding blocks until they had two that they could publish at once. I leave the rest of the details as an exercise for the reader.
Here we go again depending on miners which are now becoming very centralized.
I thought we were supposed to have a decentralized paradigm in play yet the Bitwards always fall back to centralization when ever they lose the technical argument...
