Bitcoin’s race to outrun the quantum computer

[Voland.V]

Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
And there is no quantum cryptography, no interaction with quanta, encryption with quanta.

And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.

What's quantum cryptography?

Hello again! We've discussed this on another thread, so I won't go into it in depth again, but I'll mention China's Micius satellite as an example of quantum cryptography in action. Micius is already enabling a (small) quantum internet. A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. The quantum entanglement is the vital part of the encryption, the use of the laws of quantum mechanics to create the exchange of information: Quantum Key Distribution.

I will concede that whilst QKD removes some classical vulnerabilities, it does not remove them all: man-in-the-middle as an example.
But Micius is only the start. Other variants of quantum cryptography are also being advanced. Kak's 3 stage protocol for example (a quantum version of double-lock), a multi-photon variant of which is being developed to protect precisely against man-in-the-middle.

I am certainly not saying that post-quantum cryptography (classical cryptography used as a defence against quantum attack) is useless, it's not, it's extremely important.
But quantum cryptography (using the laws of quantum mechanics to implement cryptography) is important too.

Here's a time-lapse photo of Micius in action. https://cosmosmagazine.com/technology/the-quantum-internet-is-already-being-built

--------------------
What you call "quantum cryptography", and that's what everyone calls it, is only needed to agree on common encryption keys for common symmetric cryptography, such as AES-256. They use AES-256 because it cannot be cracked by any quantum computer.
It will be a post quantum symmetric system, so NIST, USA, decided.

It's a wordplay - it's not cryptography, it's a way to generate the same keys for 2 people.
China has developed this topic so well that it is already used in practice for banks, nowadays.
Why did this technology start developing?
Because the asymmetric encryption system (RSA, ECC) was performing this function, namely the function of matching the common key over a public channel for a symmetric encryption system.
But all asymmetric modern systems are unreliable.
This was a very controversial and very closed question until the threat of quantum computing appeared.
Today, for specialists, it is no longer a controversial issue, but a fact.
All modern asymmetric systems will collapse at any key length.
In fact, they have long been considered "conditionally reliable", but this is not what we are talking about.
The whole world, for many years now, has been looking for a reliable post-quantum asymmetric system.
For what?
Only for the main purpose of agreeing on a shared encryption key for symmetric systems.
As such model, approved by NIST, is not yet offered, began to develop technologies of the last century (the first such successful experiments Americans made in 1980), on a new element base.
It's a photon transmission of the polarization direction of the photon.
It is expensive, not convenient and it is not for those who have a smartphone, computer, tablet and ordinary Internet wi-fi. It's for VIPs. In addition, the option of fiber optic is a very slow Internet. But it's not cryptography in its normal sense.

You're wrong about the "quantum internet" being afraid of the "man in the middle" attack. This attack is only dangerous when it can be conducted invisibly.
You can't do it inconspicuously on the quantum internet.
This is a huge advantage of this method.

But there are other solutions.

1.
Here is the technological direction, and fast and reliable, and in no comparison with "quantum transmission":

"Science...
The new, non-hackable security system created by researchers at the King Abdullah University of Science and Technology (KAUST), the University of St Andrews and the Center for Unconventional Science Processes (CUP Sciences) aims to revolutionize communications privacy.

The essence of it is that the optical chip communicates over the fiber Internet with another optical chip, both chips have their own chaos, based on the second law of thermodynamics, the law of entropy, exchange through an open channel photons, different photons with different physical characteristics, the common encryption key is output as a digitization of the superposition of photon states at the output with the photon at the input. Simple, elegant. But the reliability of this method is that this key is calculated at both ends of the communication channel - and the channel is never transmitted.
Not only is it long enough to make a module 2 addition with the message itself. And this gives the Vernam class cipher, the only cipher for which absolute reliability in the absolute sense has been proven.

This was invented in the century before last (!), proved in the middle of the last century (!), all old reliable technologies - return in a new quality.

This is the technological way of cryptography development. It requires new chips and fiber optic cable between subscribers. But it will bury "quantum internet."

 2.
Two, not technological, but software. It's not worth anything.
It's not known, it doesn't claim to be laurels, but it works well for individuals, quietly and smoothly.
Here it is:
https://bitcointalk.org/index.php?topic=5204368.0.

[1714922917]

1714922917

[1714922917]

1714922917

[1714922917]

1714922917

[1714922917]

1714922917

[1714922917]

1714922917

[Cnut237]

What you call "quantum cryptography", and that's what everyone calls it, is only needed to agree on common encryption keys for common symmetric cryptography, such as AES-256.

I definitely agree that the accepted term 'quantum cryptography' is a bit of a misnomer. In general it refers to quantum key distribution, so it's less about cryptography and more about using the laws of quantum mechanics to establish secure communication.

It's a wordplay - it's not cryptography, it's a way to generate the same keys for 2 people.

Sure. It's a way to generate a shared key that due to the underlying laws of physics cannot be hacked.

But all asymmetric modern systems are unreliable [...] All modern asymmetric systems will collapse at any key length.

I absolutely agree. From a quantum attack perspective, classical asymmetric cryptography is hugely vulnerable to Shor's algorithm.
But classical symmetric cryptography is vulnerable to Grover. Not to the same extent, but still there is a vulnerability.

You're wrong about the "quantum internet" being afraid of the "man in the middle" attack. This attack is only dangerous when it can be conducted invisibly.
You can't do it inconspicuously on the quantum internet.
This is a huge advantage of this method.

It depends how it's implemented, and what the external dependencies are, for example how the quantum channel is itself established. Work is ongoing and suggests that QKD can be secure, but the standard implementation isn't necessarily so, as assumptions of security are made. A variant of Kak's 3 stage model looks like it might be secure, but this needs to be confirmed. My point about MITM is really that whilst a quantum approach can in theory be 100% secure in a way that a classical approach cannot, it is still dangerous to assume that there are no vulnerable external dependencies.

They use AES-256 because it cannot be cracked by any quantum computer.

True at the moment. Grover reduces the time to crack it, but not significantly.

Post-quantum cryptography is very important, I agree with you wholeheartedly on that. My basic point is that a purely cryptographic defence can never be as absolutely and fundamentally secure as a defence that is based on the laws of physics.

Given the huge technical obstacles to creating a workable quantum cryptography that can be used by everyone, I agree with you that in the short- and medium-term, PQC is definitely the answer.

Long-term though? I would argue that using a quantum mechanical defence may provide a better solution.

[Voland.V]

I agree with all your comments.
Except for one, one.

There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability, C.Shannon, 1945.

It has been used for over 120 years and (attention) is still used today.  The most secret diplomatic and other messages are still sent only by the Vernam code!

No AES with any length of key, about asymmetric systems I am silent at all, categorically forbidden.

The thing is that modern cryptography has appeared as an alternative to Vernam's cipher.

No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.

The 2 versions of cryptographic systems that I mentioned at the end of last post use Vernam's cipher. But they're not used anywhere yet. It's not time.

The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y

[Cnut237]

I agree with all your comments.

Excellent! Finally our discussion across multiple threads reaches a consensus

Except for one, one.

Damn it.

There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability [...]
The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y

Aha, yes, one-time pad stuff... which brings us back to quantum cryptography and QKD.



It's an inventive approach, but I'm not convinced of how this is better than the quantum alternative, BB84 QKD. I don't think OTPs are the answer here. An OTP by itself and used properly is secure, but the key needs to be shared in a 100% safe way. And if you have a means to share the key 100% safely, then you just use that method and there is no need for the OTP. Quantum entanglement is the 100% safe method (sorry, I wanted to focus on PQC and not return to quantum cryptography again!).
But we still have vulnerabilities so long as we have external classical dependencies.

No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.

Yes, agreed. AES256 looks secure against a Grover attack, so is likely safe in the medium-term, but longer term, who knows? Longer term the solution I still contend is likely to use some quantum mechanical mechanism such as entanglement to create fundamental 100% security, the big caveat here being that our understanding of quantum mechanics may change, and new possibilities and challenges in physics may present themselves...

"I think I can safely say that nobody understands quantum mechanics." Richard Feynman knew what he was talking about. The maths is one thing, but it's an abstraction, it only helps us so far in understanding QM from a human perspective.

[Voland.V]

I agree with all your comments.

Excellent! Finally our discussion across multiple threads reaches a consensus

Except for one, one.

Damn it.

There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability [...]
The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y

Aha, yes, one-time pad stuff... which brings us back to quantum cryptography and QKD.



It's an inventive approach, but I'm not convinced of how this is better than the quantum alternative, BB84 QKD. I don't think OTPs are the answer here. An OTP by itself and used properly is secure, but the key needs to be shared in a 100% safe way. And if you have a means to share the key 100% safely, then you just use that method and there is no need for the OTP. Quantum entanglement is the 100% safe method (sorry, I wanted to focus on PQC and not return to quantum cryptography again!).
But we still have vulnerabilities so long as we have external classical dependencies.

No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.

Yes, agreed. AES256 looks secure against a Grover attack, so is likely safe in the medium-term, but longer term, who knows? Longer term the solution I still contend is likely to use some quantum mechanical mechanism such as entanglement to create fundamental 100% security, the big caveat here being that our understanding of quantum mechanics may change, and new possibilities and challenges in physics may present themselves...

"I think I can safely say that nobody understands quantum mechanics." Richard Feynman knew what he was talking about. The maths is one thing, but it's an abstraction, it only helps us so far in understanding QM from a human perspective.

-----------------
I thought you were in a hurry to jump to conclusions. If you don't just study the scheme, but read the description of this method, let's call it OTP, it clearly says that it's not quantum cryptography at all (as I call it - "photonic bond"), on the contrary, it's the opposite of quantum cryptography.

This method excludes all the disadvantages of quantum cryptography, which in practice will have a function of key distribution for symmetric encryption systems.

For true cryptography, it is not suitable. It can be used as cryptography, but it's like going to rent a huge truck and carry a desktop computer on it. It's stupid. It looks ridiculous.

Quantum cryptography is very slow, very capricious, very resource-intensive.

And OTP completely eliminates these drawbacks, it's super fast, it works near light speed, it's super reliable, the only proven method in the history of cryptography, many orders of magnitude more reliable than AES with any key length.
In order to agree on a common key, the parties do not need to meet or transfer it over communication channels, or store it.

It is fantastic, it is real, it is the present future of modern cryptography, it is super-reliable, it has no drawbacks.

This isn't your "quantum key transmission", it's snail-speed. It's an old 1980s method. There were already successful experiments back then. But people thought back then, they could still think, not point their finger at the smartphone screen.

And vice versa, the OTP method is a modern method.
It's a technological way of developing cryptography.

But do not forget about the logical path of cryptography, because it is a program that everyone can put on your smartphone, with almost the same level of encryption reliability, but still get a plus:
- two-way, continuous, 100% accurate authentication;
- full match of the decrypted and encrypted message, up to 1 bit accuracy;
- alternative non-scalable blockchain;
- hiding the transmission or reception of information from an unauthorized observer;
- instant verification of any amount of information;
- many other things that no technological cryptographic method can do. 

No technological way of developing cryptography provides uninterrupted authentication. Only trust, or again, keys, passwords.

Our method has no keys and no passwords, no shortcomings.
 

[Voland.V]

The entire security system today, these are key encryption systems and password authentication technologies.

Scammers, government, corporations are the ones on the other side, not ours. We're the victim to them, they're hunting us, we're defending ourselves against them. It's the real picture.

They're not hacking into cryptography, they take our keys and passwords and use them.

What was suggested above is encryption systems where the keys are variables, not stored, not used twice and not transmitted over any communication channels.
Option 1 is an almost keyless system:
https://www.nature.com/articles/s41467-019-13740-y.
Option 2 is a completely keyless system:
https://bitcointalk.org/index.php?topic=5204368.0.

They have the future behind them.
And today:
Penetration and surveillance systems are evolving.
There is an accumulation of data on all users without exception.

Such exotic attack vectors are also used to capture information about passwords and keys:
- the level of power consumption;
- the sound of keystrokes (the information is taken remotely from window panes - by laser);
- electromagnetic background of the monitor, allowing at a distance (about 300 meters) to determine the area of the mouse movement on the screen or move the active items "menu" windows;
- modulation of electromagnetic radiation at the points of mechanical contacts of electrical connectors (for example, a 3.5 jack from a headset inserted into the device, modulates the useful signal to the frequency of radiation of the device processor and successfully demodulates at a distance);
- removing information from the LED light bulb to signal system access to the PC hard drive (via a hidden spyware pre-installed on the PC. This is what the Israeli security services did with the help of a drone helicopter, which captures information through a window from the LED winchester at speeds up to 6000 bits per second);
- a two-way communication channel established by means of ultrasound through conventional acoustic devices - speakers, a portable device or a personal computer.
Interestingly, a normal speaker, notebook, even a modern smartphone, is able to not only emit in the ultrasonic range (above 22 kHz), but also act as a microphone for such signals.

In general, the situation with our personal security is not only bad, but it is also deteriorating.

That's why, when developing keyless encryption technology, all possible attacks on third-party channels should be taken into account.

[Cnut237]

I thought you were in a hurry to jump to conclusions.

No, I read the article through a couple of times. It's an OTP approach, and I maintain that it is similar to BB84 QKD. It's a classical version of QKD.
I know it's not quantum cryptography, I'm saying it's a classical version of it. It's cleverly done, yes, but I think it has drawbacks...

This method excludes all the disadvantages of quantum cryptography, which in practice will have a function of key distribution for symmetric encryption systems.

But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.

Quantum cryptography is very slow, very capricious, very resource-intensive.

Quantum cryptography is early in development. Yes, there are some huge technical hurdles, and likely we are decades away from full implementation for everyday users. Which is why post-quantum cryptography is also important.

I remain skeptical of the OTP method though, for the reason given above.

[Voland.V]

But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.
[/quote]
------------------
I think that as in the optical implementation of the OTP method, and just as in the QKD method, and just as in any other encryption method, there is always the issue of second party authentication. It is a question of verifying the other side of the communication.

But I do not think that the issue of authentication and the issue of having a closed, secret channel are the same thing.
Just the opposite, authentication must be done over an open channel in order to verify the originality of the conversation partner. If this confidence appears, then a closed channel based on encryption is established with the help of some kind of cryptography.

So, you're right, and the description of this method explicitly refers to the question of authenticating the conversation partner.

Now let's analyze what solutions we have now on this crucial issue.

We have numeric identifiers that are formed from either:
- A password that only the original interlocutor (Alice or Bob) presumably knows;
- biometrics, which ultimately always takes the form of a numeric code, a numeric identifier;
- keys that are not transmitted in the same pure form as a password or other, but as a numeric code obtained by a one-way cryptographic function;
- and so on.

And what in essence: - a constant digital code (one or more) digital code, digital identifier.

All these technological rudiments can be successfully used both in optical OTP, and in all advertised QKD.

All of them have the same drawback, from which neither quantum technology nor post quantum cryptography saves, it is a constant digital identifier.

Attacks are all similar as two drops of water, only come to us from different sides, always the same thing happens:
- stealing our digital identifiers;
- passwords;
- keys.

These attacks are only possible for one reason - because of the constant constants that identify us, identifying one user from the multitude of others.

Getting out of this enchanted circle, I see only one thing - variable numeric identifiers.
For example, your identifier has 256 bits of binary code.
If it changes all the time, but in such a way that only the party that has formed a closed channel with you knows about it (of course with normal encryption, not with quantum technological rudiments that are promoted and prepared for sale), it means it changes synchronously, then his stealing - it makes no sense.

And if your ID changes when you send each new packet of data, no one will ever even think about attacking your personal data.

I think that this kind of technology is possible, and the future belongs to it.
I call them: Keyless encryption and passwordless authentication technologies.
As an example of how to demonstrate the theoretical feasibility of such a communications channel and such technologies, I developed my own version, tested it, and came to the conclusion that it is not a utopia.

[Buff Mage]

elon musks priority is public utility.
by this i mean space transport
human transport
goods transport
..
so i dont see elon getting in on the QC game..

VOLKSWAGEN CARRIED OUT THE WORLD'S FIRST PILOT PROJECT FOR TRAFFIC OPTIMIZATION WITH A QUANTUM COMPUTER
https://www.quantaneo.com/Volkswagen-carried-out-the-world-s-first-pilot-project-for-traffic-optimization-with-a-quantum-computer_a366.html

Ford and Microsoft pilot quantum-inspired routing to reduce congestion
https://www.intelligenttransport.com/transport-news/93711/ford-microsoft-pilot-quantum-inspired-routing-reduce-congestion/

Microsoft and Ford try using quantum-style computing to solve Seattle’s traffic problem
https://www.geekwire.com/2019/microsoft-ford-try-using-quantum-style-computing-solve-seattles-traffic-problems/


In the future: no optimized transportation without quantum computers
Re: Is Elon Musk developing a quantum computer?

Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''


My opinion:

Quantum computers will surprise the Bitcoin community..

[Cnut237]

Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''

It's an interesting development, but yes, a quantum annealing computer can't be used to break cryptography, and will never threaten bitcoin. The annealing approach is more for problems where there are a huge number of possible solutions, and we're just looking for one that is sufficient out of that multitude of possibilities.

The biggest threat to bitcoin from quantum computing, as I've outlined previously, is the use of Shor's algorithm against re-used addresses:

Re-used BTC addresses are 100% vulnerable to QCs.
Address Re-Use. Simply, any address that is re-used is 100% vulnerable because a QC can use Shor’s algorithm to break public-key cryptography. This is a quantum algorithm designed specifically to solve for prime factors. As with Grover’s algorithm, the key is in dramatically reducing the number of computational steps required to solve the problem. The upshot is that for any known public key, a QC can use Shor’s approach to derive the private key. The vulnerability cannot be overstated here. Any re-used address is utterly insecure.

... but a quantum annealing computer (the type that is used above for the Travelling Salesman problem), is not going to run Shor. For that you need a universal gate QC, which is generally what we mean when we refer to a 'quantum computer'. I remember all the fuss about D-Wave, but the mainstream media tended to overlook the fact that D-Wave is an annealer, not a fully-fledged UG-QC.

My opinion:

Quantum computers will surprise the Bitcoin community..

My opinion is actually the exact opposite. I think that crypto developers, certainly for the big coins, and most definitely for bitcoin, are well aware of potential threats from quantum computers, and are actively developing safeguards.
We've covered previously and in considerable depth what QCs can and can't do. Asymmetric cryptography is massively vulnerable, but symmetric cryptography far less so -particularly AES256, as discussed above. It's a common misconception, perpetuated by mainstream media, that QCs instantly break all types of cryptography in all circumstances, when that is clearly not the case. QCs are great for certain specific types of problem, but it's technology, not magic, and it has limitations.

I am some random uninformed idiot posting opinions on a web forum, and even I am aware of what QCs can and can't do, and of the nature of their potential threat to cryptocurrencies in certain situations. People far smarter than me are developing these coins, and I'm absolutely certain that they are on top of the QC question. This is why I am convinced that the threat of QCs will not come as a surprise.

[Voland.V]

Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly” until now using quantum processing it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''

It's an interesting development, but yes, a quantum annealing computer can't be used to break cryptography, and will never threaten bitcoin. The annealing approach is more for problems where there are a huge number of possible solutions, and we're just looking for one that is sufficient out of that multitude of possibilities.

The biggest threat to bitcoin from quantum computing, as I've outlined previously, is the use of Shor's algorithm against re-used addresses:

Re-used BTC addresses are 100% vulnerable to QCs.
Address Re-Use. Simply, any address that is re-used is 100% vulnerable because a QC can use Shor’s algorithm to break public-key cryptography. This is a quantum algorithm designed specifically to solve for prime factors. As with Grover’s algorithm, the key is in dramatically reducing the number of computational steps required to solve the problem. The upshot is that for any known public key, a QC can use Shor’s approach to derive the private key. The vulnerability cannot be overstated here. Any re-used address is utterly insecure.

... but a quantum annealing computer (the type that is used above for the Travelling Salesman problem), is not going to run Shor. For that you need a universal gate QC, which is generally what we mean when we refer to a 'quantum computer'. I remember all the fuss about D-Wave, but the mainstream media tended to overlook the fact that D-Wave is an annealer, not a fully-fledged UG-QC.

My opinion:

Quantum computers will surprise the Bitcoin community..

My opinion is actually the exact opposite. I think that crypto developers, certainly for the big coins, and most definitely for bitcoin, are well aware of potential threats from quantum computers, and are actively developing safeguards.
We've covered previously and in considerable depth what QCs can and can't do. Asymmetric cryptography is massively vulnerable, but symmetric cryptography far less so -particularly AES256, as discussed above. It's a common misconception, perpetuated by mainstream media, that QCs instantly break all types of cryptography in all circumstances, when that is clearly not the case. QCs are great for certain specific types of problem, but it's technology, not magic, and it has limitations.

I am some random uninformed idiot posting opinions on a web forum, and even I am aware of what QCs can and can't do, and of the nature of their potential threat to cryptocurrencies in certain situations. People far smarter than me are developing these coins, and I'm absolutely certain that they are on top of the QC question. This is why I am convinced that the threat of QCs will not come as a surprise.

----------------------------
What exactly are the dangers of quantum computing today, which is not there now, but can be tomorrow?
It's very simple and consistent.
My answer is this.

I'll talk about global danger, the danger to most cases, not to one person.

All protection protocols, we will talk only about cryptographic methods of protection, built on a principle:
1. Asymmetric cryptography is the first step in any protocol to agree on a common session key for symmetric cryptography.
2. The second step is symmetric cryptography encryption, where secrets are encrypted securely (AES).

Why is a quantum computer dangerous today that will work far tomorrow?

Because all of our encrypted messages are stored.
Details:
- those encryptions that are very interesting - stored many times, it's communication between interesting and big people of our time;
- all other messages are also stored, just in case, they can be interesting, probably.

Now how quantum cheaters will work:
1) they will only crack the first stage of the encryption protocol - only asymmetric cryptography, where the shared session encryption key was encrypted. That's it.
2) They use the resulting key to quietly read the AES cipher, the second step of the encryption protocol.

And now, everything falls into place: AES-256, the symmetric system, is not cracked, and RSA (with any length of key) or ECC (with any length of key), the asymmetric system is cracked without a doubt, even by very weak, first quantum computers.

That's why everyone is so concerned, that's why post quantum asymmetric encryption systems are already needed.

Yes, not all people encrypt good messages, there are so many that lead two lives at once and one of those lives is very bad.
But the bad thing is to read and decide what's bad and what's good will be guys with the same questionable reputation as the first ones.

Here is the real vulnerability of all the key encryption methods: everything secret, sooner or later, becomes known and not secret.

This vulnerability is completely devoid of new keyless encryption systems.

[Cnut237]

Yes, sooner or later a QC will be developed that can run Shor to break public key cryptography. ECDSA is utterly insecure. Private keys can be derived from public keys. A solution is obviously needed in advance of such a QC becoming available. The problem here is that all coins will have to be moved to quantum-proof addresses. What happens to those coins that (for whatever reason) aren't moved? Do we leave them to be stolen by a QC, wreaking havoc and potentially destroying all of crypto? This is not hyperbole; it's a genuine threat. Or do we burn them before they can be stolen? It's a hugely contentious issue that goes right to the heart of bitcoin, cryptocurrencies, and decentralisation.

Theymos, ahead of the (elliptic) curve, posted about this back in 2016 (quote below). The thread that this triggered on bitcointalk was full of misunderstanding and outrage, and is perhaps indicative of the scale of opposition that such a move to QC-safe cryptography will face.

I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!

Edit: To be absolutely clear: I am not proposing (and would never propose) a policy that would have the goal of depriving anyone of his bitcoins. Satoshi's bitcoins (which number far below 1M, I think) rightfully belong to him, and he can do whatever he wants with them. Even if I wanted to destroy Satoshi's bitcoins in particular, it's not possible to identify which bitcoins are Satoshi's. I am talking about destroying presumably-lost coins that are going to be stolen, ideally just moments before the theft would occur.

This issue has been discussed for several years. I think that the very-rough consensus is that old coins should be destroyed before they are stolen to prevent disastrous monetary inflation. People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation. Allowing lost coins to be recovered violates this assumption, and is a systemic security issue.

So if we somehow learn that people will be able to start breaking ECDSA-protected addresses in 5 years (for example), two softforks should be rolled out now:

One softfork, which would activate ASAP, would assign an OP_NOP to OP_LAMPORT (or whatever QC-resistant crypto will be used). Everyone would be urged to send all of their bitcoins to new OP_LAMPORT-protected addresses.

One softfork set to trigger in 5 years would convert OP_CHECKSIG to OP_RETURN, destroying all coins protected by OP_CHECKSIG. People would have until then to move their BTC to secure addresses. Anyone who fails to do so would almost certainly have lost their money due to the ECDSA failure anyway -- the number of people who lose additional BTC would be very low. (There might be a whitelist of UTXOs protected by one-time-use addresses, which would remain secure for a long time.)

_{https://www.reddit.com/r/Bitcoin/comments/4isxjr/petition_to_protect_satoshis_coins/d30we6f/}

[mda]

I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!

I'm unsure if it counts as a considerable move but my imagination has stopped there.

https://bitcointalk.org/index.php?topic=5191219.msg52769870#msg52769870

[Cnut237]

^^
Thanks, that looks like the sort of thing I was after. I'll have a read through it tomorrow. Not sure how I missed it.
Every other quantum thread on here is full of my own posts; rare to find one that isn't!