Bitcoin must upgrade or fall victim to quantum computing in 5 years

[QuantumPenisJamesonLopp]

This thread again?

5 more years meme has been around since 25 years. Quantum computing is still immature, overhyped, and needs physics defying hardware before even rivaling classical systems. No algorithm is going to fix the noise issue which is ultimately a boundary of physics. So unless we are hoping to discover new physics in the next 5 years, I do not see any danger to Bitcoin. Noise isn't just an engineering challenge, it's a physics limit.

No, that is not quite correct. One danger I do see:  Quantum FUD as a soft attack vector, used in social engineering to leverage consensus.

Quantum computing was and is nothing but a hype. I don't care about new algorithms which beat out the old ones.

https://i.imgflip.com/a2hpbl.jpg

You should really read https://bitcointalk.org/index.php?topic=5550298.msg65666459#msg65666459 and if you can please comment on the BIP on GitHub.

[Wind_FURY]

This is just a random news I get but people are really talking about it.

I have just read about it not long ago but I have also read somewhere before that by 2030, it is possible that ECDSA becomes vulnerable to quantum computing. This is 2025 which means 2030 is just 5 years away from now.

What do you think about this disturbing news, I have been read more than 5 news about this and I saw another one today. What are bitcoin developers doing about it?

If you need the source that I get today's news from, I can post it which has the the title that I have as the title on this thread.

if they can crack btc sha 256 they can crack most banks wide open.

also most credit cards 💳.

So the issue is not “real” in the way you state it.


does it mean back to cash carried in bags and placed in vaults with no online security?

we would have more to worry about than btc.

But ser, you were here before the majority of users that has posted in this topic, you're also a technical person and a miner. What's your opinion about OP's claim that Bitcoin, or SHA-256, has merely FIVE years left before Quantum Computers will start breaking it?

Did you say it's "not an issue" because there are bigger things in the world to worry about, or did you say it because it will take more than "five years" to build an actual Quantum Computer to break SHA-256?

[stwenhao]

What's your opinion about OP's claim that Bitcoin, or SHA-256, has merely FIVE years left before Quantum Computers will start breaking it?

I think they should prove it on-chain, by claiming some puzzles, or inventing a better Script: https://bitcointalk.org/index.php?topic=5551080.0

If someone thinks, that breaking secp256k1 is easy, then go on, find the private key to 020000000000000000000000000000000000000000000000000000000000000001, and use it to sweep all puzzles, up to 40-byte signatures. If you think, that there is not enough incentive, then put more coins in, by signing your coins with SIGHASH_NONE, along with some puzzles, as it was demonstrated in transaction 8349df0753e80cce322322f1b76789e1d0fd6693aed2f4de4e49576423081ae7. And if you think, that my puzzle is stupid, then make a better one, post it on-chain, announce it, explain it, and promote it, so that all of us can see, how close we are to breaking secp256k1.

[Wind_FURY]

What's your opinion about OP's claim that Bitcoin, or SHA-256, has merely FIVE years left before Quantum Computers will start breaking it?

I think they should prove it on-chain, by claiming some puzzles, or inventing a better Script: https://bitcointalk.org/index.php?topic=5551080.0

If someone thinks, that breaking secp256k1 is easy, then go on, find the private key to 020000000000000000000000000000000000000000000000000000000000000001, and use it to sweep all puzzles, up to 40-byte signatures. If you think, that there is not enough incentive, then put more coins in, by signing your coins with SIGHASH_NONE, along with some puzzles, as it was demonstrated in transaction 8349df0753e80cce322322f1b76789e1d0fd6693aed2f4de4e49576423081ae7. And if you think, that my puzzle is stupid, then make a better one, post it on-chain, announce it, explain it, and promote it, so that all of us can see, how close we are to breaking secp256k1.

Is there a reward to break that? I believe the attackers would rather break Satoshi's wallet and take all of this coins.

Although, going back to the argument that "there are bigger things than Bitcoin" to worry about when Quantum Computers start breaking things. I had the same argument, but wouldn't it be better if Bitcoin was already quantum-resistant when Quantum Computers actually start breaking things?

Banks wouldn't be safe, but Bitcoin will be.

[stwenhao]

Is there a reward to break that?

The next unsolved puzzle is bc1qn9vp8l5rs7huyl237s4q9lhrzcs0mzaajt528ysq3wgnzvlkay5sdfz6am. The initial reward is only 53k satoshis, because I am not a whale. However, other people can put more coins in, without making the puzzle harder, than it currently is. Transaction 8349df0753e80cce322322f1b76789e1d0fd6693aed2f4de4e49576423081ae7 can show you how.

I believe the attackers would rather break Satoshi's wallet and take all of this coins.

Sure, but it is unlikely, that anyone will solve harder puzzle, without solving some easier ones first.

wouldn't it be better if Bitcoin was already quantum-resistant when Quantum Computers actually start breaking things?

Of course it would be. But currently, there are many puzzles, which can show us the progress. And as long as they are unsolved, then I am not worried about it, because if someone cannot break for example secp160k1, or claim 160-bit key 1NBC8uXJy1GiJ6drkiZa1WuKn51ps7EPTv, then why that person should be able to solve real, random, 256-bit keys?

And, as I said: if someone doesn't like existing puzzles, then that person should propose a better Script, and put some coins on that. Because there is no need to wait, when things will be fully broken. The progress can be measured, because it is unlikely, that everything will fail instantly (and also, it is very hard to prepare for "all of us will die" scenario, and by trying to do that, there is more FUD, than useful actions, if someone tries to handle it).

[nameisnotknown]

How a "puzzle" is related to "Bitcoin must upgrade or fall victim to quantum computing in 5 years"? You just spamming now. Open a new topic somewhere else with your "puzzle".

[kTimesG]

How a "puzzle" is related to "Bitcoin must upgrade or fall victim to quantum computing in 5 years"? You just spamming now. Open a new topic somewhere else with your "puzzle".

He did, did you read it?

The point of a "puzzle" is to be solved. If it can't be solved, maybe, uhm, it proves a point, for example, that all this quantum mania BIPs are BS and that Bitcoin's safe as it is right now, today, and will be even if ECDSA gets broken.

BTW I'm the guy who broke the first 7 of those "puzzles" (it took several dozens of quadrillion hashes to do it). I'm eagerly waiting for the quantum computers to hack into all the wallets that I transferred the funds into, since apparently in a short time everyone and their dog will be able to. Not.

[stwenhao]

You just spamming now.

If you don't like puzzles, then how do you want to measure quantum progress? And if you don't like specifically my puzzle, then why don't you post a better Script, which would better measure the progress?

Bitcoin's safe as it is right now, today, and will be even if ECDSA gets broken

Yes, even if secp256k1 will be fully broken, then SHA-256 will still prevent attackers from sweeping everything. Then, they will get to 40-byte signatures quite quickly, but going further will force them to start breaking SHA-256 as well.

If it can't be solved, maybe, uhm, it proves a point, for example, that all this quantum mania BIPs are BS and that Bitcoin's safe as it is right now, today, and will be even if ECDSA gets broken.

It only proves, that OP_CHECKSIG alone as an opcode can be still safe, if used differently than today. If people will do nothing, then of course, outputs with only "<pubkey> OP_CHECKSIG" can be moved in the future. However, if something will be locked behind optional Proof of Work, and if it will be hidden behind some hashed address, like P2WSH, then it can still remain safe. And then, users could use any proofs, like ZK-proof, DLEQ proof, or something else, to prove to the miners, that their transaction is valid, while keeping the details hidden, which could make it possible to move coins under future soft-forks in a safe way, depending on which kinds of proofs will be accepted.

Because some people want to fully invalidate OP_CHECKSIG as an opcode. But then, I think it shouldn't be done, because that opcode can still remain useful, even in post-quantum world, because then, it could behave just like some 256-bit calculator (and we don't have any other such calculators in non-checksig opcodes today; or they require much more complex scripts, like building it on top of 32-bit numbers).

[NotATether]

I've said this before, but I don't think we should be disabling any legacy addresses and we should just let nature take its course like it did with brainwallets. By then, wallets will only support P2QRH anyway.

To see the largest asset suddenly disabling addresses will undermine investor confidence.

[Wind_FURY]

Is there a reward to break that?

The next unsolved puzzle is bc1qn9vp8l5rs7huyl237s4q9lhrzcs0mzaajt528ysq3wgnzvlkay5sdfz6am. The initial reward is only 53k satoshis, because I am not a whale. However, other people can put more coins in, without making the puzzle harder, than it currently is. Transaction

8349df0753e80cce322322f1b76789e1d0fd6693aed2f4de4e49576423081ae7 can show you how.

I believe the attackers would rather break Satoshi's wallet and take all of this coins.

Sure, but it is unlikely, that anyone will solve harder puzzle, without solving some easier ones first.

I didn't mean to offend you. To give you a context, it's like a nefarious entity with a zero-day exploit. Why make it known that that's in the wild by using it for a small "reward" if the attacker could wait and use it for a larger "reward".

wouldn't it be better if Bitcoin was already quantum-resistant when Quantum Computers actually start breaking things?

Of course it would be. But currently, there are many puzzles, which can show us the progress. And as long as they are unsolved, then I am not worried about it, because if someone cannot break for example secp160k1, or claim 160-bit key 1NBC8uXJy1GiJ6drkiZa1WuKn51ps7EPTv, then why that person should be able to solve real, random, 256-bit keys?

And, as I said: if someone doesn't like existing puzzles, then that person should propose a better Script, and put some coins on that. Because there is no need to wait, when things will be fully broken. The progress can be measured, because it is unlikely, that everything will fail instantly (and also, it is very hard to prepare for "all of us will die" scenario, and by trying to do that, there is more FUD, than useful actions, if someone tries to handle it).

In your opinion, how hard/challenging would it be for developers in general, not just Bitcoin, to patch/upgrade their systems to become quantum-resistant? Plus how ready are we if it indeed does become an serious issue?

[stwenhao]

To give you a context, it's like a nefarious entity with a zero-day exploit.

It can always happen. For example: any miner, at any time, can be very, very lucky, and produce the next block hash, with leading 128-bit zeroes, or even with 256-bit zeroes. The first one would prove, that SHA-256 is broken, when it comes to collisions, and the second one for preimages. Every time, when every user tries to make a new transaction, that person could become extremely lucky, and find some serious weakness in SHA-256, and break everything. Every time, when random seed is created, it has some non-zero chance to produce the private key, equal to one.

However, all of those things are unlikely. Mathematically possible, but unlikely. The system is not explicitly protected from things like that, because they can always happen, no matter if classical, quantum, or any other technology is in use, and we can be protected only from attacks, where we know, how to fix things, and how to detect them properly in the first place.

Why make it known that's in the wild by using for a small "reward" if the attacker could wait and use it for a larger reward"reward".

Because the whole system assumes, that the heaviest computing power is in honest hands. Which means, that attacks will be honestly revealed faster, than attackers will start exploiting them. If that's not the case, then it is equivalent to the situation, where someone would suddenly have 99% computing power, and overwrite the full chain. Each system always has some limitations, and Bitcoin is not an exception.

In your opinion, how hard/challenging would it be for developers in general, not just Bitcoin, to patch/upgrade their systems to become quantum-resistant?

It depends on particular attack. For some attacks, things can be patched quite easily. For others, they are impossible to patch. For example, if you have some old embedded device, where you have 64 kB of available space for your software, then how do you want to switch to quantum cryptography, where signatures or public keys would take a significant space? Or: how do you want to send something fast, if some old protocol can handle up to 450 bytes per second?

On the other hand, Value Overflow Incident was patched quite easily in a soft-fork way, and if you reintroduce that vulnerability on top of the latest version, then you will still land in the same chain as today. Which means, that a particular fix depends on particular attack, and you won't reach "one size fits all" answer for this question.

Plus how ready are we if it indeed does become an serious issue?

Every attack, which becomes publicly known, not only can break things. It can also let us understand the world better. Which means, that new things can be built on top of existing software. For example: if for every public key, it would be possible to recover the private key, then OP_CHECKSIG would become just some 256-bit calculator. Which means, that features like OP_CHECKSIGFROMSTACK or OP_CHECKTEMPLATEVERIFY, could be easily re-wired into something, which would use OP_CHECKSIG, and some attack, to reach a given feature.

When SHA-1 collision was revealed, then also hardened SHA-1 version was instantly deployed. And the whole protection is strictly based on known attacks, and nothing else. If someone would attack SHA-1 in a different way, than publicly revealed, then that person could reach SHA-1 collisions, even in hardened SHA-1 version. However, in that case, it would tell us more about its internal construction, so a second hardened version could be made.

Also, Value Overflow Incident was serious. Many blocks were produced, but everything was fixed, before the bad transaction reached 100 confirmations. In case of breaking SHA-256, it could be possible to, for example, instantly halt the chain, by producing a chainwork of ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff.

[Wind_FURY]

To give you a context, it's like a nefarious entity with a zero-day exploit.

It can always happen. For example: any miner, at any time, can be very, very lucky, and produce the next block hash, with leading 128-bit zeroes, or even with 256-bit zeroes. The first one would prove, that SHA-256 is broken, when it comes to collisions, and the second one for preimages. Every time, when every user tries to make a new transaction, that person could become extremely lucky, and find some serious weakness in SHA-256, and break everything. Every time, when random seed is created, it has some non-zero chance to produce the private key, equal to one.

However, all of those things are unlikely. Mathematically possible, but unlikely. The system is not explicitly protected from things like that, because they can always happen, no matter if classical, quantum, or any other technology is in use, and we can be protected only from attacks, where we know, how to fix things, and how to detect them properly in the first place.

Why make it known that's in the wild by using for a small "reward" if the attacker could wait and use it for a larger reward"reward".

Because the whole system assumes, that the heaviest computing power is in honest hands. Which means, that attacks will be honestly revealed faster, than attackers will start exploiting them. If that's not the case, then it is equivalent to the situation, where someone would suddenly have 99% computing power, and overwrite the full chain. Each system always has some limitations, and Bitcoin is not an exception.

"It assumes" goes against the point of the question because what should actually be assumed is every participant/entity should be acting according to their own incentives. I believe that having that premise in how the network was designed is what made Bitcoin successful.

In your opinion, how hard/challenging would it be for developers in general, not just Bitcoin, to patch/upgrade their systems to become quantum-resistant?

It depends on particular attack. For some attacks, things can be patched quite easily. For others, they are impossible to patch. For example, if you have some old embedded device, where you have 64 kB of available space for your software, then how do you want to switch to quantum cryptography, where signatures or public keys would take a significant space? Or: how do you want to send something fast, if some old protocol can handle up to 450 bytes per second?

On the other hand, Value Overflow Incident was patched quite easily in a soft-fork way, and if you reintroduce that vulnerability on top of the latest version, then you will still land in the same chain as today. Which means, that a particular fix depends on particular attack, and you won't reach "one size fits all" answer for this question.

Let's pretend that a Quantum Computer that could break the encryption and steal Satoshi's coins is close to being built - in one year let's say, how long can the Core Developers code a patch and have it merged?

Plus how ready are we if it indeed does become an serious issue?

Every attack, which becomes publicly known, not only can break things. It can also let us understand the world better. Which means, that new things can be built on top of existing software. For example: if for every public key, it would be possible to recover the private key, then OP_CHECKSIG would become just some 256-bit calculator. Which means, that features like OP_CHECKSIGFROMSTACK or OP_CHECKTEMPLATEVERIFY, could be easily re-wired into something, which would use OP_CHECKSIG, and some attack, to reach a given feature.

When SHA-1 collision was revealed, then also hardened SHA-1 version was instantly deployed. And the whole protection is strictly based on known attacks, and nothing else. If someone would attack SHA-1 in a different way, than publicly revealed, then that person could reach SHA-1 collisions, even in hardened SHA-1 version. However, in that case, it would tell us more about its internal construction, so a second hardened version could be made.

Also, Value Overflow Incident was serious. Many blocks were produced, but everything was fixed, before the bad transaction reached 100 confirmations. In case of breaking SHA-256, it could be possible to, for example, instantly halt the chain, by producing a chainwork of ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff.

It would probably fair to say that we are not ready?

[stwenhao]

Let's pretend that a Quantum Computer that could break the encryption and steal Satoshi's coins is close to being built - in one year let's say, how long can the Core Developers code a patch and have it merged?

The simplest patch can be coded quite quickly. All old coins can be timelocked by consensus, up to a given block number. And then, a future soft-fork can decide, how these coins should be unlocked, by meeting old ECDSA conditions, and any new conditions, introduced by the next soft-fork.

It would probably fair to say that we are not ready?

Ready for what? There is a difference between bug like Value Overflow Incident, bug like SIGHASH_SINGLE, a weakness in ECDSA, which would allow getting private key after 2^80 operations, another weakness, which would allow going from any public to any private key instantly, a weakness in SHA-256, which would allow collisions, a weakness which would allow preimages, and so on, and so forth. For which attack do you want to be prepared? There is no tool, which can protect you from everything. Depending on a particular attack, it can be trivial to fix it, or impossible.

what should actually be assumed is every participant/entity should be acting according to their own incentives

Of course. But you don't have attacks, which breaks everything at once, and you don't have protections, which fixes all bugs at once. There are always particular attacks, and particular fixes. If you think, that SHA-256 is weak, then prove it, by claiming some of the puzzles (not necessarily created by me, because there are many others). If you believe, that there is not enough reward in existing puzzles, then put more coins in. And if you think, that existing scripts cannot measure the progress correctly, then make a better puzzle. A Script can do a lot of things, and even if it cannot, then still, you can write a version, where new feature is activated, and convince people, that a given soft-fork is needed. Or: you can make a sidechain, which can have any rules, and peg it into Bitcoin. And also, you can make LN nodes, which will execute existing rules, and also some new ones, which would be available only in L2, only between selected clients.

[PrivacyG]

Let's pretend that a Quantum Computer that could break the encryption and steal Satoshi's coins is close to being built - in one year let's say, how long can the Core Developers code a patch and have it merged?

If this ever happens then I presume the entire internet will be compromised for all of us.  Bitcoin is a financial motive for such a computer to be created.  But by breaking encryption, there are a TON of other things to break and steal.  Such as government information and other things.  Bitcoin would become useless at least for a while, clearly.  Why steal something and render it useless when you can steal US, Russia, China intel and sell it?

In my opinion, we simply can not function based off this 'what if?' fear.  For all we know, North Korea may be preparing to show the world for the first time something more powerful than what any other scientists have ever created, a computer that breaks encryption way before the known most powerful quantum computers can.  In fact, it would be an advantage to Kim.  Yet, living in this fear is no good.  Because what is the point?

Considering this is an issue already being worked on, I believe we are on the right path.  Things can happen along the way, we simply have to accept the facts and move on.  Bitcoin is digital after all, it is definitely prone to a few attacks.  And on the other side of the blade, you have yet another risk.  What if a better currency comes ahead of Bitcoin proving it can do things better than Bitcoin can, including being bullet proof in front of any type of computer known to be concievable to man?  What do we do then?

[markm]

For all we know, North Korea may be preparing to show the world for the first time something more powerful than what any other scientists have ever created, a computer that breaks encryption way before the known most powerful quantum computers can.  In fact, it would be an advantage to Kim.  Yet, living in this fear is no good.  Because what is the point?

Hey that sounds like a plan!

Kim could put as much bitcoin as he can muster into an address and pretend to "break" it, or even pay people who have existing large addresses that have survived a long long time so far already to pretend his famous hacker team "broke" it.

Use chatGPT type things if necessary to manufacture "superhumanly convincing despite not being true" rationalisations for why they haven't bothered to break this that or another address that someone or someones proposes ought to be broken by them if the world is to be convinced they really have the capability they claim to have...


-MarkM-

[Synchronice]

If this ever happens then I presume the entire internet will be compromised for all of us.  Bitcoin is a financial motive for such a computer to be created.  But by breaking encryption, there are a TON of other things to break and steal.  Such as government information and other things.  Bitcoin would become useless at least for a while, clearly.  Why steal something and render it useless when you can steal US, Russia, China intel and sell it?

Do you think that an average person will have access to quantum computer? They'll have access to it when everything will be quantum resistant. Good luck building a quantum computer yourself and good luck stealing or selling US, Russia and Chinese intel.

By the way, how does quantum computer beat a good 2FA and a password. I mean, after typing each password, you should be receiveing 2FA code on your smartphone, for example on your phone number. New 2FA code each time there is password written and log in is clicked. Am I saying nonsense or does it actually make a sense? I'm curious, I am not expert in this field

[stwenhao]

Do you think that an average person will have access to quantum computer?

No. Or: at least not at the beginning.

By the way, how does quantum computer beat a good 2FA and a password.

It doesn't, because 2FA uses hash functions, and not public key cryptography. More than that: you can use three hash functions inside Script: OP_SHA1, OP_RIPEMD160, and OP_SHA256. And also, it is possible to add more restrictions, by using OP_CHECKLOCKTIMEVERIFY or OP_CHECKSEQUENCEVERIFY. Which means, that even if the whole public key cryptography will be broken, then still, the system can be safely used by miners, as long as block reorganizations won't be too deep. And again: users can lock their coins with Proof of Work, if needed.

Am I saying nonsense or does it actually make a sense?

Currently, it is very difficult to break many hash functions, when it comes to their preimage resistance. Even if you use MD5, and you can generate collisions in seconds on a CPU, then nobody still knows, how to make MD5 preimages fast. And to successfully break ECDSA through SHA-256, preimage attack is needed.

When it comes to quantum algorithms, they can break things based on public key cryptography. But they are very far from breaking any hash functions, and it is quite likely, that they won't beat existing ASICs, when it comes to mining, and grinding double SHA-256 hashes.

[PrivacyG]

Do you think that an average person will have access to quantum computer? They'll have access to it when everything will be quantum resistant. Good luck building a quantum computer yourself and good luck stealing or selling US, Russia and Chinese intel.

I believe we are on the same set of mind.  If the internet will be ready by the time quantum computing reaches hands of average people then I highly, HIGHLY doubt Bitcoin will not be secured against it.  If it is not secured within the right time, clearly Bitcoin will either die or at least a ton of us will lose faith and get out.

Considering it is being worked on however, I do not see why it should be a scare.  If quantum computing will be announced to be ready for consumer end in less than 6 months, I also highly doubt there will be no group of people who will work hard on making Bitcoin secure against it in two to three months, way before any thing bad can happen to it.

[nameisnotknown]

Do you think that an average person will have access to quantum computer? They'll have access to it when everything will be quantum resistant. Good luck building a quantum computer yourself and good luck stealing or selling US, Russia and Chinese intel.

I believe we are on the same set of mind.  If the internet will be ready by the time quantum computing reaches hands of average people then I highly, HIGHLY doubt Bitcoin will not be secured against it.  If it is not secured within the right time, clearly Bitcoin will either die or at least a ton of us will lose faith and get out.

Considering it is being worked on however, I do not see why it should be a scare.  If quantum computing will be announced to be ready for consumer end in less than 6 months, I also highly doubt there will be no group of people who will work hard on making Bitcoin secure against it in two to three months, way before any thing bad can happen to it.

Actually there are many companies with quantum-computers offering free use. You can use IBM, Google, and after approval even D-wave (has about 2000 qubits, they claim).

[Synchronice]

Do you think that an average person will have access to quantum computer? They'll have access to it when everything will be quantum resistant. Good luck building a quantum computer yourself and good luck stealing or selling US, Russia and Chinese intel.

I believe we are on the same set of mind.  If the internet will be ready by the time quantum computing reaches hands of average people then I highly, HIGHLY doubt Bitcoin will not be secured against it.  If it is not secured within the right time, clearly Bitcoin will either die or at least a ton of us will lose faith and get out.

Considering it is being worked on however, I do not see why it should be a scare.  If quantum computing will be announced to be ready for consumer end in less than 6 months, I also highly doubt there will be no group of people who will work hard on making Bitcoin secure against it in two to three months, way before any thing bad can happen to it.

That's impossible for Bitcoin to not be ready. Just look at Bitcoin's market cap, it's becoming the next gold but digital, i.e. in other words, it's a digital gold. There is so much money invested in Bitcoin that it's the interest of major exchanges, casinos and other Bitcoin related businesses to make Bitcoin quantum resistant when the time comes, that's why I'm sure that it will be ready for that time. There is no way that companies like Binance, Coinbase, Bitmain and others will lose billions of dollars and do nothing. Also its in developers' interest to keep Bitcoin healthy and resistant against threats.

Actually there are many companies with quantum-computers offering free use. You can use IBM, Google, and after approval even D-wave (has about 2000 qubits, they claim).

As far as I know, there is a difference. Quantum computer can be good at something but bad at other things. It's not like an universal tool.