Bitcoin Forum
Pages: « 1 [2] 3 4 5 »
Topic: Can Quantum Computers destroy Blockchain and Bitcoins [SHA-256 specifically]
BlackHatCoiner
January 31, 2022, 07:40:18 AM
#21

Quote
In hard-forks "things invalid today are valid tomorrow", but we don't need that.
Isn't it invalid today to consider P2PK unspendable? It's currently spendable.

Quote
If ECDSA is broken, we would just need other Scripts, nothing more than that.
How would the new Scripts resist? Are you saying that we wouldn't need a resistant algorithm?
vjudeu
January 31, 2022, 08:09:17 AM
Merited by Welsh (6), d5000 (1)
#22

Quote
Isn't it invalid today to consider P2PK unspendable? It's currently spendable.
It is perfectly valid. You can run a node and make P2PK non-standard in your node (and reject all transactions that create or spend any P2PK coins); you will stay in the network if you do that. If most nodes do that, then in practice P2PK will be unspendable by any average user. It is the same as in the case of the Value Overflow Incident: you can run some old node with old rules, you can create a transaction that creates coins out of thin air, but your transaction will be ignored by other nodes. On the other hand, you will still stay in the network, as long as the heaviest chain moved to the new rules. So, making P2PK non-standard is a no-fork solution that can work right now. A soft-fork is just one step further, where you make P2PK invalid and reject blocks, in the same way as you reject P2TR blocks without signatures (but they were accepted in the past), and in the same way as you reject blocks creating coins out of thin air because of the Value Overflow Incident.

Quote
How would the new Scripts resist? Are you saying that we wouldn't need a resistant algorithm?
And how would P2TR resist? We just moved to "OP_1 <pubkeyX>". We can move to "OP_2 <newPubkey>" in the same way (if calculating the private key for any public key becomes possible and P2TR is vulnerable) and add any rules, any algorithm we want; for example, it can require a lattice-based signature. The same with Script: we have tapscript with OP_CHECKSIGADD, it is an entirely new Script version, where we have OP_SUCCESS opcodes, and where OP_CHECKMULTISIG(VERIFY) is invalid. If only spending by key in P2TR becomes vulnerable, we can force spending by script, invalidate OP_CHECKSIG(ADD) and force using some new OP_SUCCESS that can be replaced, for example, by OP_CHECKLATTICE.
BlackHatCoiner
January 31, 2022, 09:22:18 AM
#23

Quote
You can run a node and make P2PK non-standard in your node (and reject all transactions that create or spend any P2PK coins); you will stay in the network if you do that.
How will I stay in a network where blocks contain transactions that I consider invalid?
o_e_l_e_o
In memoriam
January 31, 2022, 09:25:11 AM
#24

Quote
If P2PK coins are vulnerable, then P2TR coins also are. In both cases you reveal your public key.
As are all the coins in reused addresses. As are all the coins in light wallets which send master public keys to servers to look up their balances. As are all the coins received via payment processors where the user uploads their master public key to generate new addresses for each customer. And eventually, as are all coins between the time they are spent and the time they are confirmed.

Taproot was never designed to be quantum resistant. Still, with taproot you can use specific script-paths rather than key-paths at no extra cost to avoid the issue of your public key being revealed.
vjudeu
January 31, 2022, 09:58:50 AM
#25

Quote
How will I stay in a network where blocks contain transactions that I consider invalid?
You will stay in the network if you make them non-standard (that would be no-fork). You will also stay in the network if some soft-fork makes them invalid and you use some old version.

Quote
Still, with taproot you can use specific script-paths rather than key-paths at no extra cost to avoid the issue of your public key being revealed.
Yes, but all P2TR addresses have an option to spend by key. And if P2PK is broken, then you can ignore a script path (that can even be some unspendable OP_RETURN) and use the key path. Only P2TR coins sent to invalid public keys can be considered unspendable by consensus, for example when you send coins to bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqpqqenm (on the other hand, bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqs5pgpxg seems to be unspendable, but it may be spendable if you somehow reach the private key for 020000000000000000000000000000000000000000000000000000000000000001).
o_e_l_e_o
In memoriam
January 31, 2022, 10:40:36 AM
Merited by Welsh (2), n0nce (2), d5000 (1)
#26

Quote
Yes, but all P2TR addresses have an option to spend by key.
For now, sure. But there is nothing stopping us from implementing script-path only taproot addresses or even just hashing P2TR addresses and creating some P2PKH-P2TR hybrid, which would allow us to use taproot addresses in a more quantum resistant way prior to the implementation of whatever full quantum resistant scheme we end up with.
mamuu
March 05, 2022, 10:28:25 AM
#27

Hello,
someone else mentioned this.
Do you mean something like this?

https://coinmarketcap.com/cryptown/profile/xufd90jiwedh?guid=77572615

"Quantum Apocalypse"
I think it's trying.

Thanks.
d5000
March 11, 2022, 06:09:23 PM
Merited by o_e_l_e_o (4)
#28

I think this is somebody who wants to profit from the fear of some Bitcoiners about "quantum computers hacking the blockchain!!", luring people into his shitcoin.

Iota tried this, too, but they're now worth much less than before. I still wouldn't call them outright scams, but quantum resistant cryptography has had much less testing to date than traditional algorithms, and this coin was created in 2017, so it has even less testing than "current" quantum resistant algos (they may be hardforking to newer crypto algorithm versions, but Bitcoin could do that, too, in theory, so they don't have any advantage).

Stay away.
o_e_l_e_o
In memoriam
March 12, 2022, 08:22:14 AM
#29

Quote
I think this is somebody who wants to profit from the fear of some Bitcoiners about "quantum computers hacking the blockchain!!", luring people into his shitcoin.
I don't see the point in any "quantum resistant" coin at the moment, when we are still decades away from quantum computers being a threat to elliptic curve cryptography. Whatever quantum resistant algorithm they implement today will either be completely outdated by the time it is relevant (so maybe things such as much larger signatures and transactions than necessary, far less functionality allowing for different script/address types, much more resource heavy or slower to compute/verify, etc.), or might itself be broken and completely insecure.

It would be like a video game developer building a game today which won't be released until 2045 for the PlayStation 9. They have no idea what the technology will be or what its capabilities will be 20 years in the future, and whatever they come up with today will be incredibly outdated and might not even work by the time it becomes relevant.

mamuu
March 13, 2022, 10:03:41 AM
#30

The problem here is not SHA-256.
The problem is that the private key of the pubkey entering SHA-256 is broken,
if the ECDLP of secp256k1 is decrypted.
Then we can talk about this apocalypse.
In this case, the blockchain and all values are 0 and cannot be moved.
If we want to move the values, we can do it according to the priv key, but we can't because it breaks. I think a new blockchain is movable with losses. Bitcoin can suffer serious damage from this. Unclaimed coins can be used.

o_e_l_e_o
In memoriam
March 13, 2022, 08:31:39 PM
Merited by vapourminer (2)
#31

Quote
In this case, the blockchain and all values are 0 and cannot be moved.
Even ignoring that it will be decades before there is a quantum computer which can solve the ECDLP, it will be many more years between one that can solve the ECDLP over a period of weeks and one which can solve the ECDLP in less than the 10 minutes required to attempt to double spend an unconfirmed transaction.

Quote
Unclaimed coins can be used.
I don't think we should intervene here. We have absolutely no way of knowing which coins are simply being held long term by their owners and which coins are lost or otherwise inaccessible. The network and the community absolutely shouldn't be taking decisions to deprive the rightful owners of access to their coins, even if the inaction of these owners to move their coins to a quantum resistant address will result in their coins being stolen.
Accardo
March 13, 2022, 10:14:42 PM
#32

QC is actually a way for brands like Microsoft to get funds from investors. A quantum computer cannot exist in the first place, because the number of qubits required to solve a cryptographic problem is large and they are fragile too. The qubits cannot stay in some environments. It depends on weather conditions.
Easteregg69
March 13, 2022, 10:32:25 PM
#33

What I was imagining was a computer that tried all possible outcomes for private keys in one run.

At once. No queue.

Throw some "shit" and see what sticks.
o_e_l_e_o
In memoriam
March 14, 2022, 09:36:04 AM
Merited by vapourminer (1)
#34

Quote
What I was imagining was a computer that tried all possible outcomes for private keys in one run.

At once. No queue.
2^256 private keys * 32 bytes each = 3.7*10^54 yottabytes.

Current estimates for the amount of data ever created in the entire world are less than 0.2 yottabytes.

So even if there were 1 billion galaxies, each with 1 billion planet Earths, and each Earth produced a billion times more data than us, and each Earth had been churning out this much data for a billion years, you still need a computer which can handle a billion billion times more data than that all at once.

Good luck.
BlackHatCoiner
March 14, 2022, 01:00:32 PM
#35

Quote
[...]
Plus: you would need to find a way to transfer information unbelievably fast. Even if one planet in one of those galaxies found a collision, they would have to somehow share it with the others. Good luck on that too!

BTW, that's just for one type of address. If you wanted both Legacy (1) and SegWit (3, bc1) you'd have to triple the effort.

Quote
2^256 private keys * 32 bytes each = 3.7*10^54 yottabytes.
You could find ways to compress all this, though. For instance, private key 1 doesn't need to take 32 bytes.
o_e_l_e_o
In memoriam
March 14, 2022, 01:58:41 PM
#36

Quote
You could find ways to compress all this, though. For instance, private key 1 doesn't need to take 32 bytes.
Sure, but I'm just pointing out how infeasible this would all be. Compression would save some time, but I also glossed over that for each and every key you would also need to perform an elliptic curve multiplication, four hash functions, and a hex to Base58 conversion, all just for the legacy addresses. And then of course you would need to look the address up against a full node to see if it contains any coins. And even if someone managed to compress a billion private keys into the space usually occupied by a single private key (32 bytes), you're still looking at needing an entire galaxy filled with Dyson spheres to have the energy to do something like this.
ABCbits
March 15, 2022, 11:47:39 AM
Merited by BlackHatCoiner (1)
#37

Quote
BTW, that's just for one type of address. If you wanted both Legacy (1) and SegWit (3, bc1) you'd have to triple the effort.

With the recent Taproot update, actually it's 4x the effort. Native SegWit has the prefix bc1q while Taproot has the prefix bc1p.

Quote
You could find ways to compress all this, though. For instance, private key 1 doesn't need to take 32 bytes.

Alternatively, don't store a private key without coins.
larry_vw_1955
March 22, 2022, 04:44:11 AM
Merited by Welsh (4), vapourminer (2)
#38

Quote
I think this is somebody who wants to profit from the fear of some Bitcoiners about "quantum computers hacking the blockchain!!", luring people into his shitcoin.
I don't see the point in any "quantum resistant" coin at the moment, when we are still decades away from quantum computers being a threat to elliptic curve cryptography. Whatever quantum resistant algorithm they implement today will either be completely outdated by the time it is relevant (so maybe things such as much larger signatures and transactions than necessary, far less functionality allowing for different script/address types, much more resource heavy or slower to compute/verify, etc.), or might itself be broken and completely insecure.

It would be like a video game developer building a game today which won't be released until 2045 for the PlayStation 9. They have no idea what the technology will be or what its capabilities will be 20 years in the future, and whatever they come up with today will be incredibly outdated and might not even work by the time it becomes relevant.

Well, it's not just that. Another problem is that these post-quantum algorithms aren't really vetted in the sense that AES encryption is, or say Elliptic Curve is. They don't have decades of people trying to crack them, so they might even be vulnerable to a normal computer, to say nothing of a quantum computer. Bitcoin might be better off sticking to what it has than going with a shiny new object that ends up being cracked by a Pentium 4 laptop running for a weekend or two. There's nothing magic about post-quantum crypto; it's still a game of cat and mouse. No one can prove anything... As long as they keep trying to rely on complexity, they're in trouble. "Complexity" should be in quotation marks, that is.
ABCbits
March 23, 2022, 12:02:59 PM
Merited by Welsh (3)
#39

Quote
Another problem is that these post-quantum algorithms aren't really vetted in the sense that AES encryption is, or say Elliptic Curve is. They don't have decades of people trying to crack them, so they might even be vulnerable to a normal computer, to say nothing of a quantum computer. Bitcoin might be better off sticking to what it has than going with a shiny new object that ends up being cracked by a Pentium 4 laptop running for a weekend or two.

Such risk could be significantly reduced with proper cryptography and implementation audits. Besides, Bitcoin is quite conservative, where new features take a very long time of testing.

Quote
There's nothing magic about post-quantum crypto; it's still a game of cat and mouse. No one can prove anything... As long as they keep trying to rely on complexity, they're in trouble. "Complexity" should be in quotation marks, that is.

Cryptography has always been a "game of cat and mouse". There's a good reason why cryptography software (such as PGP) generates keys with an expiration date.
zatoshi_zakamoto
March 24, 2022, 02:09:29 AM
#40

You really have to love the amount of wishful thinking regarding quantum computers and their threats to BTC et al.
The attitude I read here is like knowing a tsunami alert was raised, the ocean is retreating, and still beachgoers are standing watching and want to see the first big wave before running for their lives.

To each his own exit strategy...