Bitcoin Forum
Topic: J. Lopp's Post-Quantum Migration BIP (Read 2980 times)
kTimesG (Full Member, Activity: 784, Merit: 242)
March 31, 2026, 05:00:46 PM, #141

Quote
Key words to that are "Estimate" and "Projected". No mention of the fact that no one has yet actually built a QC that has even a tenth of the number of qubits and gates required.

Have you read the paper? It sounds to me that they built a sort-of invertible EC point addition circuit, which sounds crazy. They have a ZK proof of it working.

So the advancements are not simply on the hardware side (which evolves exponentially anyway if you check the timelines) but also on the algo side. Maybe pretending that we're not there yet doesn't end well if we simply count down from 1 million to zero, in bigger and bigger decrements.

LFC_Bitcoin (Legendary, Activity: 4228, Merit: 12695)
March 31, 2026, 06:12:59 PM, #142
Merited by Pmalek (3), vapourminer (1)

Quote
Key words to that are "Estimate" and "Projected". No mention of the fact that no one has yet actually built a QC that has even a tenth of the number of qubits and gates required.

The FUD is always way overblown. If/when a QC powerful enough is a reality, stealing Bitcoin is going to be way down the list of priorities for whoever possesses the QC power.

If it’s Google or some government body, they will not decide to start stealing Bitcoin. It’d likely be used to hack other countries' classified info/documents. There would be a desire to get other countries' nuke codes and stuff like that.

Bitcoin is not even a 2T market cap; it’s a tiny market. A QC breakthrough would be huge, and whoever has the power will not be rushing to do anything with Bitcoin.

Wind_FURY (Legendary, Activity: 3612, Merit: 2179)
April 01, 2026, 06:10:35 AM, #143
Merited by LFC_Bitcoin (3), ABCbits (1)

Quote
Key words to that are "Estimate" and "Projected". No mention of the fact that no one has yet actually built a QC that has even a tenth of the number of qubits and gates required.

Edit: Fact is, no one has yet built a physical, working QC that can do anything more than act as a very limited-scope testbed to verify how the quantum circuits actually work and what areas need improvement. There's still a long way to go before anything resembling a fully functional QC is built that can even begin to address the problems that will be thrown at it.


OK, but what did Google recently discover that made them shorten their "estimated" and "projected" Quantum Timeline? It's probably a suggestion that we as a community should also start having some awareness of the Quantum Threat, no? Ignoring the situation because it's "estimated and projected" won't make it go away.

Quote
Key words to that are "Estimate" and "Projected". No mention of the fact that no one has yet actually built a QC that has even a tenth of the number of qubits and gates required.

The FUD is always way overblown. If/when a QC powerful enough is a reality, stealing Bitcoin is going to be way down the list of priorities for whoever possesses the QC power.

If it’s Google or some government body, they will not decide to start stealing Bitcoin. It’d likely be used to hack other countries' classified info/documents. There would be a desire to get other countries' nuke codes and stuff like that.

Bitcoin is not even a 2T market cap; it’s a tiny market. A QC breakthrough would be huge, and whoever has the power will not be rushing to do anything with Bitcoin.


I used to believe that Bitcoin should be the least of our worries if the Quantum Threat arrives, but Satoshi's wallet could be the first testbed for early Quantum Computers.

If you're a Core Developer, would you merely allow that threat not to be mitigated?

The point is awareness, which leads to a discussion, then a solution.

LFC_Bitcoin (Legendary, Activity: 4228, Merit: 12695)
April 01, 2026, 02:08:51 PM, #144

Quote
I used to believe that Bitcoin should be the least of our worries if the Quantum Threat arrives, but Satoshi's wallet could be the first testbed for early Quantum Computers.

If you're a Core Developer, would you merely allow that threat not to be mitigated?

The point is awareness, which leads to a discussion, then a solution.

I am happy to move my coins to Quantum Resistant addresses if/when the need arises.

I actually got a bit paranoid last year (reading about QC) and moved all the remaining coins that I'd been HODLing in Legacy Addresses from back in the day.


Satofan44 (Sr. Member, Activity: 350, Merit: 1024)
April 01, 2026, 04:35:54 PM, #145
Last edit: April 01, 2026, 06:03:05 PM by Satofan44
Merited by NotFuzzyWarm (1)

Today, Google claims it will soon be possible to break in-transit (mempool) TXs in 9 minutes.
This seems quite a suspicious number, because the block time is 10 minutes; it seems to me that someone manipulated the outcome of this paper in order to tailor it to a result. When extremely complex stuff ends up coincidentally on favorable numbers like this, it indicates that something is fishy, even if the whole thing may be valid. I would have believed it even if they said something extremely low such as 1 minute, but this number is fraudulent. Perhaps a researcher was biased or bribed in order to tip the data a little bit. That happens almost daily, even in medicine, but most people here wouldn't know that.

Quote
→ q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key.
https://x.com/drakefjustin/status/2038847732152996108
This is nothing compared to the in-transit claim, and for previously exposed keys we do not have a solution. They may stay as they are or get merely slowed down with the hourglass proposal or something similar.

Quote
Maybe pretending that we're not there yet doesn't end well if we simply count down from 1 million to zero, in bigger and bigger decrements.

You seem to misunderstand this space entirely. Let's all pretend that we are already there. What now? Nothing. We do not know what the right solution is; there is no assured solution yet. There are many bad solutions to this, so stop believing that people don't want to do something about this, because that is not accurate -- the problem lies in what exactly should be done and how. Many things are still in their maturation process.

Quote
OK, but what did Google recently discover that made them shorten their "estimated" and "projected" Quantum Timeline? It's probably a suggestion that we as a community should also start having some awareness of the Quantum Threat, no? Ignoring the situation because it's "estimated and projected" won't make it go away.

Other than educating people not to reuse addresses, "community members" should not do shit about this. When "community members" start getting intensely involved in topics that go way over their heads, we get another misinformation shitstorm like we did with OP_RETURN. Let cryptographers do their jobs; developers will implement solutions when they are available. If randoms start getting emotionally invested in individual quantum-proof signatures or other solution methods, it will just lead to useless bickering over false claims.

Assuming that there is a good candidate, deploying a new address type with quantum-safe signatures is easy. The issue with old coins and reused addresses will remain open. Still, people forget how this world works. It is not going to be some random hacker in the world who will be able to steal money using this, as he can from various shitcoins and their DeFi protocols. Google is not legally able to steal any of these coins, so even once they succeed it will remain merely a demonstration of what can be done by an extremely well-funded and state-of-the-art actor (not by everyone, not by random small or medium entities). Do you actually think a public company is able to steal digital property from others legally, including from other legal entities in the USA?

Quote
I actually got a bit paranoid last year (reading about QC) and moved all the remaining coins that I'd been HODLing in Legacy Addresses from back in the day.

Unless you are referring to P2PK addresses (and Taproot, but this is less of an issue for the network as a whole as of today), this did not do anything. Only unused P2PK addresses are vulnerable. When it comes to reused addresses, all types are vulnerable. Most people have never seen a P2PK address in their wallet.



There is this terrible negative side effect of technology and social media that pushes normies and average people into getting involved in every topic that exists. Sit the fuck down, know your place and don't do anything. The illusion of knowledge is the greatest danger that exists in this context.

kTimesG (Full Member, Activity: 784, Merit: 242)
April 01, 2026, 05:49:22 PM, #146
Merited by Satofan44 (1)

Quote
Unless you are referring to P2PK addresses, this did not do anything. Only unused P2PK addresses are vulnerable. When it comes to reused addresses, all types are vulnerable. Most people have never seen a P2PK address in their wallet.

What about Taproot? Even if it's the "new and shiny format", it is vulnerable to QC because it exposes the tweaked public key, which, if broken, makes the UTXO spendable. What I did, after seeing TR listed as quantum-vulnerable at rest, was to promptly transfer the funds I kept in TR to a P2PKH address.

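The two posts above draw a distinction that is easy to check mechanically: a P2PK output carries the public key in its scriptPubKey, a Taproot output carries the tweaked public key there, while the hash-based output types (P2PKH, P2SH, P2WPKH, P2WSH) reveal only a hash until a spend from that address reveals the key, so for those types address reuse is what exposes them. The following script is an added illustration written for this thread, not code from the BIP or from any poster. It recognises the standard scriptPubKey templates and labels each UTXO by whether its key is exposed at rest, exposed through reuse, or still hidden behind a hash. The `address_reused` flag is assumed to come from the owner's own wallet history (not derived here), and every UTXO, key and hash below is a constructed dummy.

```python
"""Label UTXOs by whether their public key is already visible on-chain.

Added example, not code from the thread or the BIP. Script templates follow
the standard output types; the reuse flag is assumed to be supplied by the
wallet. All sample data is constructed.
"""
from dataclasses import dataclass

# Opcodes used by the standard output templates recognised below.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


@dataclass
class Utxo:
    txid: str
    vout: int
    script_pubkey: bytes
    # Assumed known from the wallet's history: True if an earlier spend from
    # the same address already put the public key on-chain.
    address_reused: bool = False


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey, or 'unknown'."""
    n = len(spk)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[0] == OP_DUP and spk[1] == OP_HASH160 and spk[2] == 20
            and spk[23] == OP_EQUALVERIFY and spk[24] == OP_CHECKSIG):
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "p2sh"
    # Segwit v0: OP_0 <20-byte hash> (P2WPKH) or OP_0 <32-byte hash> (P2WSH)
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "p2wpkh"
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "p2wsh"
    # Segwit v1 (Taproot): OP_1 <32-byte tweaked x-only pubkey>
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "p2tr"
    return "unknown"


# Output types whose scriptPubKey itself contains a public key.
KEY_IN_SCRIPT = {"p2pk", "p2tr"}


def exposure(u: Utxo) -> str:
    """'at_rest' if the key is on-chain now, 'on_reuse' if a prior spend
    revealed it, 'hashed' if only a hash is visible, 'unknown' otherwise."""
    kind = classify_script(u.script_pubkey)
    if kind == "unknown":
        return "unknown"
    if kind in KEY_IN_SCRIPT:
        return "at_rest"
    return "on_reuse" if u.address_reused else "hashed"


def audit(utxos):
    """Map each (txid, vout) to (script type, exposure class)."""
    return {(u.txid, u.vout): (classify_script(u.script_pubkey), exposure(u))
            for u in utxos}


# Constructed dummies: not real keys, hashes or transaction ids.
DUMMY_PUBKEY = bytes([0x02]) + bytes([0x11]) * 32
DUMMY_HASH20 = bytes([0x22]) * 20
DUMMY_XONLY = bytes([0x33]) * 32
P2PKH_SCRIPT = (bytes([OP_DUP, OP_HASH160, 20]) + DUMMY_HASH20
                + bytes([OP_EQUALVERIFY, OP_CHECKSIG]))

SAMPLE_UTXOS = [
    Utxo("aa" * 32, 0, bytes([33]) + DUMMY_PUBKEY + bytes([OP_CHECKSIG])),
    Utxo("bb" * 32, 1, P2PKH_SCRIPT),
    Utxo("cc" * 32, 0, P2PKH_SCRIPT, address_reused=True),
    Utxo("dd" * 32, 0, bytes([OP_0, 20]) + DUMMY_HASH20),
    Utxo("ee" * 32, 2, bytes([OP_1, 32]) + DUMMY_XONLY),
]

if __name__ == "__main__":
    for (txid, vout), (kind, exp) in audit(SAMPLE_UTXOS).items():
        print(f"{txid[:8]}:{vout}  {kind:6}  {exp}")
```

Running it lists the P2PK and P2TR outputs as exposed at rest, the reused P2PKH output as exposed through its earlier spend, and the fresh P2PKH and P2WPKH outputs as still hash-protected. Script-hash outputs are treated like the key-hash ones here, since a spend from them reveals the redeem script and the keys in it just as a P2PKH spend reveals its key.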
fillippone (Legendary, Activity: 2856, Merit: 20237)
April 01, 2026, 08:31:44 PM, #147
Merited by vapourminer (1), ABCbits (1)

A very interesting post today:

I know QR signatures were heavier, but I didn't suspect that was the scale of the problem.
Wondering if this would require bigger blocks to allow for the same TPS as today.

Wind_FURY (Legendary, Activity: 3612, Merit: 2179)
April 02, 2026, 05:37:39 AM, #148


Quote
OK, but what did Google recently discover that made them shorten their "estimated" and "projected" Quantum Timeline? It's probably a suggestion that we as a community should also start having some awareness of the Quantum Threat, no? Ignoring the situation because it's "estimated and projected" won't make it go away.

Assuming that there is a good candidate, deploying a new address type with quantum-safe signatures is easy. The issue with old coins and reused addresses will remain open. Still, people forget how this world works. It is not going to be some random hacker in the world who will be able to steal money using this, as he can from various shitcoins and their DeFi protocols. Google is not legally able to steal any of these coins, so even once they succeed it will remain merely a demonstration of what can be done by an extremely well-funded and state-of-the-art actor (not by everyone, not by random small or medium entities). Do you actually think a public company is able to steal digital property from others legally, including from other legal entities in the USA?

Do you actually believe that it helps the network if Google won't steal Satoshi's coins?

It looks like you didn't get the point. It's not about what they could or couldn't steal. It doesn't matter if they won't steal Satoshi's coins. What matters is that the world knows the cryptographic foundations of Bitcoin have been CRACKED.

mindrust (Legendary, Activity: 3948, Merit: 2921)
April 02, 2026, 05:46:40 AM, #149

Yeah, that sounds quite desperate tbh.

From uncrackable, invincible to, “it can be cracked but Google won’t do that because cracking BTC won’t benefit them. Trust Google, they are the good bois.”

Once the word is out and nothing is done about it, good luck stopping people.

The news is quite fresh btw, and who knows at what stage of development Google really is.

Trusting Google’s good will is like trusting your best friend who has a loaded gun pointed at you. He won’t shoot because he is a gud guy, but the gun is there.

And once you know it is there, your friend’s (in this example, Google’s) words become the law. That picture reminds me of the US too.

Satofan44 (Sr. Member, Activity: 350, Merit: 1024)
April 02, 2026, 06:35:01 PM, #150
Last edit: April 02, 2026, 06:49:51 PM by Satofan44
Merited by NotFuzzyWarm (1)

Quote
Do you actually believe that it helps the network if Google won't steal Satoshi's coins?

Of course it does; learn how the world works. This is very different from just anyone being able to do it -- it gives us a significant amount of extra time to do something about this. If only Google is able to do this in 2030, that also means that no nefarious entity will be able to do it until 2035, 2040, 2050 or even beyond. We do not KNOW the exact timeline. Stop pretending like someone knows; they fucking don't.

Quote
It looks like you didn't get the point. It's not about what they could or couldn't steal. It doesn't matter if they won't steal Satoshi's coins. What matters is that the world knows the cryptographic foundations of Bitcoin have been CRACKED.

Nothing has been "cracked"; cracking implies that the cryptography is broken through a fundamental flaw, as is the case with some past algorithms. Bitcoin's cryptography was never about being unbreakable; it was about being computationally infeasible to compute with existing technology. That is the key difference here. This means that eventually computers CAN be built for which these computations are feasible. That is not a flaw in the cryptography; it just means that assumptions relating to computational power no longer hold for these algorithms.

Quote
Yeah, that sounds quite desperate tbh.

From uncrackable, invincible to, “it can be cracked but Google won’t do that because cracking BTC won’t benefit them. Trust Google, they are the good bois.”

Wrong. Google is legally not allowed to do this; they can be sued into the ground by countless parties over this. Don't hallucinate here with your normie arguments from 3rd world shitholes; that is not how a developed country works.

Quote
Once the word is out and nothing is done about it, good luck stopping people.

What word is out? Nobody will be able to do anything just because Google is able to do this one day in the future. Are you able to simulate at home what the biggest supercomputer can do now?


Keep it down with your shitposts, you don't even know the basic definitions and terms from cryptography let alone their implications.

Quote
A very interesting post today:

I know QR signatures were heavier, but I didn't suspect that was the scale of the problem.
Wondering if this would require bigger blocks to allow for the same TPS as today.

This post does not provide the data that is required to answer the question that you are wondering about. The size of the signatures is not necessarily related to the signing and verification cost. Some signatures could be very large in size but efficient to verify; others could be relatively smaller (compared to those) but extremely inefficient for verification. It says that there is a verification-oriented post below, but I can't see that on that shit website. Here is some slightly outdated information about the topic in a wider context: https://pqshield.github.io/nist-sigs-zoo/#performance. There was another table that compared potential candidates for Bitcoin on GitHub, but I am unable to locate it. If someone finds it, please post it -- it was a really nice table comparing size, signing cost, verification cost, everything.

But yes, the overall outcome is most likely: Less TPS for ANY real candidate. Therefore, to have the same amount of TPS we would have to increase the block size or increase the signature discount. How much more space we will need is going to depend on the exact signatures that we go with.
