OgNasty
Donator
Legendary

Activity: 5488
Merit: 6341
April 16, 2026, 06:26:17 PM
Unreal that the conversation of bad actors attempting to steal Bitcoins is even a thing.
Not shocking because they do it in Testnet too, but my god...
Lopp is a bad actor hands down.
He calls it a contingency plan, which he hopes never gets implemented if the quantum computing progression stalls out, meaning he assumes it's the best thing to do regarding the dormant legacy wallets vulnerable to the quantum attack. This phony proposal is a big threat to the Bitcoin network; trust is almost creeping out, and most big whales could sell their big holdings to have a safe rest on their assets. The whole argument is getting out of hand, and investors could get restless over the steady weird development, diminishing the whole point of long-term holding.
Unemployment was a contingency plan. Welfare was a contingency plan. How did those work out? Are we expecting quantum computing to not be a threat at some point and then this power will be returned? I'm all for addressing how to deal with quantum computing, but the solution shouldn't involve touching other people's coins.
kTimesG
April 16, 2026, 06:41:59 PM
I don't know why people think that breaking secp256k1 with 128-bit security would be faster than reaching RIPEMD-160 collisions, where they have 80-bit security against collisions.
I think you mean 80-bit security before you get to a collision between two random hashes, not to a collision with a particular selected hash (which is a one in 2**160 tries success, on average, more or less). Or do you know of some weakness in RIPEMD-160?
fillippone
Legendary

Activity: 2912
Merit: 20682
Phase C (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.
This is nonsense. Which kind of ZK proof can you construct without using the private key? Obviously, the private key cannot be part of the ZK proof, otherwise the same proof could be manufactured by the attacker. I am in no way a technical person, but it fails me to understand what other proof I can provide to my own stash apart from the private key. Weird stuff.
stwenhao
April 16, 2026, 10:18:12 PM
I think you mean 80-bit security before you get to a collision between two random hashes, not to a collision with a particular selected hash (which is a one in 2**160 tries success, on average, more or less). Or do you know of some weakness in RIPEMD-160?
Well, if you have a single user, then to break a particular hash you need a second preimage, which needs around 2^160 computations. However, there is also, for example, P2SH. And then you can have someone willing to lock funds in a 2-of-2 multisig. And then you could use a collision to provide a public key where "2 <alicePubKey> <bobPubKey> 2 OP_CHECKMULTISIG" and "<alicePubKey> OP_CHECKSIG" will give you the same address. Then Bob may put coins into a contract, thinking that this is a multisig, while Alice could sweep it directly. And in this context, are people still going to say that P2PK is the weakest link? Even if P2PKH and other single-user addresses will be theoretically safe, imagine how much FUD there will be if someone starts making collisions. Judging by the fact that people are working on puzzle 71 for hashes and puzzle 135 for public keys, we are probably closer to breaking puzzle 81 and making real collisions than to breaking 256-bit random public keys.
ertil
Which kind of ZK proof can you construct without using the private key?
If you have a HD wallet, then you have more things than just a private key. Of course, it won't cover randomly generated keys, but still, there are many HD wallets, and that's how a lot of them can be protected.
Pmalek (OP)
Legendary

Activity: 3514
Merit: 9272
April 17, 2026, 08:13:52 AM
Bitcoin is very transparent contrary to traditional systems, and even just a few addresses being stolen would trigger all kinds of alarms and further vigilance and monitoring.
We should also not forget that old addresses and holders wake up all the time. Addresses that have remained dormant for 5 or 10 years suddenly spend their coins one day. No one knows if satoshi is dead or alive, and no one knows if anyone has access to the keys to what are believed to be satoshi's addresses. It's possible that one day someone will spend those coins the normal way, without them having been hacked. I don't think it's likely but it's still possible. That would then lead to speculations about what happened. I don't see satoshi or someone close to him coming back to say: "Don't worry, it's me, satoshi. I didn't get hacked, I just wanted to spend my bitcoin". At the same time, a malicious nation state or state actor won't boast publicly about having stolen billions of dollars worth of BTC. We will just see speculations piling up. The biggest giveaway that something is wrong would be if a big batch of old P2PK addresses got emptied all around the same time.
Wind_FURY
Legendary

Activity: 3668
Merit: 2186
April 17, 2026, 08:19:36 AM
Because what if China goes Quantum first?
My main scenario is that China, namely the Chinese Government (as if there were something in China that is not the Government), will achieve Quantum Supremacy. My strong belief is that they won't use it for a quick gain disrupting Bitcoin, but will operate it undercover for a longer-term gain: spying on the USA and EU above all. Why use a Quantum computer on Bitcoin, being discovered after a few seconds, when you can profit for YEARS from the benefit of breaking the cryptography everyone relies on.
Whatever the situation may be, with China or any entity going Quantum FIRST, the actual POINT is Bitcoin will not be safe and it will NOT be considered a robust system anymore, no? Plus if that's YOUR "defense" that it's OK for the Core Developers not to get worried about the coming of Quantum, then I would say that that's a laughable viewpoint. Do you actually believe that Bitcoin should be the last mover against this threat? ¯\_(ツ)_/¯
Pmalek (OP)
Legendary

Activity: 3514
Merit: 9272
April 17, 2026, 01:18:06 PM
Do you actually believe that Bitcoin should be the last mover against this threat?
We don't know how big of a threat it's going to be. Everything is just theory and speculation at this point. The only thing cryptographers can do is plan for the worst possible scenario and hope it won't be that severe. Some quantum-resistant algorithms already exist and I guess centralized systems can already go ahead and experiment with those. It's much more difficult to get bitcoin to pick one with the way consensus works and because all the suggested schemes have their shortcomings.
Satofan44
Sr. Member

Activity: 406
Merit: 1081
Don't hold me responsible for your shortcomings.
April 17, 2026, 09:20:39 PM
Bitcoin is very transparent contrary to traditional systems, and even just a few addresses being stolen would trigger all kinds of alarms and further vigilance and monitoring.
We should also not forget that old addresses and holders wake up all the time. Addresses that have remained dormant for 5 or 10 years suddenly spend their coins one day. No one knows if satoshi is dead or alive, and no one knows if anyone has access to the keys to what are believed to be satoshi's addresses. It's possible that one day someone will spend those coins the normal way, without them having been hacked. I don't think it's likely but it's still possible. That would then lead to speculations about what happened. I don't see satoshi or someone close to him coming back to say: "Don't worry, it's me, satoshi. I didn't get hacked, I just wanted to spend my bitcoin". At the same time, a malicious nation state or state actor won't boast publicly about having stolen billions of dollars worth of BTC. We will just see speculations piling up. The biggest giveaway that something is wrong would be if a big batch of old P2PK addresses got emptied all around the same time.
We do not forget, because the activities that you describe happening "all the time" are exactly the activities that always trigger alarms and monitoring. Heck, depending on the amount, they get covered by the media too. Therefore, that is part of what I am talking about. It is extremely unlikely that it would go unnoticed because the pattern would be clear: either it is concentrated in the early days like satoshi coins, which is a red flag, or it is random, but with that it has a chance to hit some old and passive holder, which would be a big red flag. In most likelihood, doing this covertly even for a short period of time is impossible.
Whatever the situation may be, with China or any entity going Quantum FIRST, the actual POINT is Bitcoin will not be safe and it will NOT be considered a robust system anymore, no?
Bitcoin remains robust and continues to function uninterrupted. No quantum computer can stop the Bitcoin protocol or network. Learn the difference between user balances and the actual network itself.
We don't know how big of a threat it's going to be. Everything is just theory and speculation at this point. The only thing cryptographers can do is plan for the worst possible scenario and hope it won't be that severe. Some quantum-resistant algorithms already exist and I guess centralized systems can already go ahead and experiment with those. It's much more difficult to get bitcoin to pick one with the way consensus works and because all the suggested schemes have their shortcomings.
Actually we are quite certain about the worst possible cases, and the theory confirms that the network will continue to function. This solution takes 1 day to build and release, so stop panicking, people. The blockchain will continue to function and you will even be able to transact in the worst possible cases (real-time private key derivation) using traditional solutions such as the one below -- until the thing is patched accordingly. Miners can accept transactions through private channels and not broadcast them to others; they can only include them in blocks that they mine -- this will protect the chain from real-time private key derivation (which is even more unlikely as a concept anyway).
fillippone
Legendary

Activity: 2912
Merit: 20682
April 17, 2026, 09:33:49 PM
Do you actually believe that Bitcoin should be the last mover against this threat?
¯\_(ツ)_/¯
Absolutely not. Bitcoin should prove itself a resilient store of value against all the present and future threats. My opinion is that the advent of a CRQC will unfold in a very different way compared to what we can fathom today. We, as bitcoiners, should act fast, but in a conscious way. What we are building is going to greatly outlast our lives, and we must act in the (very) long-term benefit of the (very distant future) holders of bitcoin.
NotATether
Legendary

Activity: 2352
Merit: 9735
┻┻ ︵㇏(°□°㇏)
April 19, 2026, 12:06:00 PM
Phase C (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.
This is nonsense. Which kind of ZK proof can you construct without using the private key? Obviously, the private key cannot be part of the ZK proof, otherwise the same proof could be manufactured by the attacker. I am in no way a technical person, but it fails me to understand what other proof I can provide to my own stash apart from the private key. Weird stuff.
It is not possible. There is no workaround around this. I have already voiced my concerns about this on the mailing list, and this provision should be removed from the BIP. And actually, this whole BIP needs to be rejected, as without a means to recover locked coins, this introduces BSV-style blacklisting into the protocol.
Satofan44
Sr. Member

Activity: 406
Merit: 1081
Don't hold me responsible for your shortcomings.
April 19, 2026, 02:20:44 PM
Do you actually believe that Bitcoin should be the last mover against this threat? ¯\_(ツ)_/¯
Absolutely not. Bitcoin should prove itself a resilient store of value against all the present and future threats. My opinion is that the advent of a CRQC will unfold in a very different way compared to what we can fathom today. We, as bitcoiners, should act fast, but in a conscious way. What we are building is going to greatly outlast our lives, and we must act in the (very) long-term benefit of the (very distant future) holders of bitcoin.
A balanced and reasonable approach is what we need, and if we do not have one it would clearly be better to be a last mover than a first mover -- as you can see how many idiotic ideas and proposals keep coming up. People are already calling for sacrificing core principles of Bitcoin in order to avoid getting some coins back into the circulating market, which indicates that they are obsessed with the price instead of the fundamentals. Even if we only freeze Satoshi's alleged stash, Bitcoin will never be the same. There are lines which you do not cross, and if you do cross them then there is no coming back from that.
Phase C (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.
This is nonsense. Which kind of ZK proof can you construct without using the private key? Obviously, the private key cannot be part of the ZK proof, otherwise the same proof could be manufactured by the attacker. I am in no way a technical person, but it fails me to understand what other proof I can provide to my own stash apart from the private key. Weird stuff.
It is not possible. There is no workaround around this. I have already voiced my concerns about this on the mailing list, and this provision should be removed from the BIP. And actually, this whole BIP needs to be rejected, as without a means to recover locked coins, this introduces BSV-style blacklisting into the protocol.
There are ideas and ways that could be explored for coins that do not have their public key revealed, but I don't think that is going to be the biggest obstacle anyway. Once there are quantum-safe addresses, I expect every big reused address that is active (exchanges, custodians, etc.) to be emptied relatively swiftly with a migration to newer addresses. That will leave the satoshi-era coins with P2PK addresses, and for those I do not see any workaround other than freeze or let them get eventually taken. Obviously anyone who is not obsessed with the short-term price is going to side with letting them get taken. It is absolutely terrible how deeply corrupted individuals have gotten from various events in the shitcoin space and in the traditional fiat world. It is insane to consider sacrificing what Bitcoin is over introducing a million or two coins back into the circulating supply.
tbtftg
Newbie

Activity: 2
Merit: 0
April 21, 2026, 12:40:04 PM
That will leave the satoshi-era coins with P2PK addresses, and for those I do not see any workaround other than freeze or let them get eventually taken. Obviously anyone who is not obsessed with the short-term price is going to side with letting them get taken.
Why is it obvious? It is obvious to me that the only ethical option is freezing them, and that is not at all because of the influence of those additional coins on the price. I do not believe their effect will be significant; there are other much more significant factors (*). What greatly bothers me is that letting them be taken encourages and rewards the thieves. I am perfectly fine if those forgotten coins are not frozen but instead, for example, donated to some charity, and thus added to the circulating supply but not via theft. I am not fine when the community openly invites the criminals by doing nothing.
(*) One of the much more significant factors that is affecting the price and will do so in future is that the importance of PQ security is repeatedly downplayed by part of the developers and the community, which makes investors think that bitcoin is unable to solve this issue at all.
Pmalek (OP)
Legendary

Activity: 3514
Merit: 9272
Why is it obvious? It is obvious to me that the only ethical option is freezing them and that is not at all because of the influence of those additional coins on the price.
It's not ethical to freeze or confiscate something that doesn't belong to you.
I do not believe their effect will be significant, there are other much more significant factors (*). What greatly bothers me is that letting them be taken encourages and rewards the thieves.
Bitcoin has functioned that way from day one. The moment someone gets a copy of your keys, they get access to your coins. In other words, the thieves who stole the keys get rewarded, but the network is doing what it's supposed to do and there shouldn't be any meddling. It's your job to protect your secrets. The one who first presents the right signing keys gets the reward.
I am perfectly fine if those forgotten coins are not frozen but instead, for example, donated to some charity, and thus added to the circulating supply but not via theft.
That's also theft and stealing. You would be taking someone else's coins and deciding what to do with them. Who gets to decide when certain coins can be considered forgotten and ripe for the taking? How much time must pass before they get that status? Old wallets that have been dormant for many years wake up sometimes, and people have the right to never spend their coins if they don't want to. That doesn't mean others should be able to take them or even donate them. As you can see, this is a very complex question.
andyfibe
Newbie

Activity: 13
Merit: 0
April 21, 2026, 04:20:12 PM (last edit: April 22, 2026, 02:33:18 AM by andyfibe)
Why is it obvious? It is obvious to me that the only ethical option is freezing them and that is not at all because of the influence of those additional coins on the price.
It's not ethical to freeze or confiscate something that doesn't belong to you.
I do not believe their effect will be significant, there are other much more significant factors (*). What greatly bothers me is that letting them be taken encourages and rewards the thieves.
Bitcoin has functioned that way from day one. The moment someone gets a copy of your keys, they get access to your coins. In other words, the thieves who stole the keys get rewarded, but the network is doing what it's supposed to do and there shouldn't be any meddling. It's your job to protect your secrets. The one who first presents the right signing keys gets the reward.
I am perfectly fine if those forgotten coins are not frozen but instead, for example, donated to some charity, and thus added to the circulating supply but not via theft.
That's also theft and stealing. You would be taking someone else's coins and deciding what to do with them. Who gets to decide when certain coins can be considered forgotten and ripe for the taking? How much time must pass before they get that status? Old wallets that have been dormant for many years wake up sometimes, and people have the right to never spend their coins if they don't want to. That doesn't mean others should be able to take them or even donate them. As you can see, this is a very complex question.
It really comes down to control and ownership in digital environments—something that's also relevant across many modern platforms, including services like this, where user assets and access are expected to remain clearly defined and protected. This really comes down to property rights. If coins are still technically accessible via private keys, then they are not abandoned in any legal or ethical sense, regardless of how long they've been dormant.
d5000
Legendary

Activity: 4662
Merit: 10717
Decentralization Maximalist
(*) One of the much more significant factors that is affecting the price and will do so in future is that the importance of the PQ security is repeatedly downplayed by part of developers and the community, which makes the investors think that bitcoin is unable to solve this issue at all.
You are aware of BIP-360, which in its current two-step iteration has a lot of support? And of Blockstream's research about SHRINCS and SHRIMPS (two post-quantum schemes which reduce the signature size)? This does not look like "downplaying". And if a developer says that from his point of view the threat is decades away, it's his personal opinion, and there is still not really a clear path to Shor-capable QCs, despite all the "theoretical" work done to decrease the number of qubits. The problem is that a part of the community wants a very fast solution with still immature technology. And that's what many are opposing, as long as there is no clear path to a quantum computer which can run Shor's algorithm. And coordinating a freeze now, or in the next 2 years (even if the freezing deadline is then 5 years away), is simply premature. I'll also repeat that the only real problem is exposed public keys, as for all other ECDSA addresses there are solutions. If there is a freeze, only P2PK/P2MS/P2TR keyspend funds should be frozen. Reusing addresses is bad practice (wallets should begin to alert people about that, I think).
stwenhao
I'll also repeat that the only real problem is exposed public keys, as for all other ECDSA addresses there are solutions.
What solution would be used for multisigs wrapped in P2SH? There is a reason why P2WSH uses SHA-256 alone, instead of applying RIPEMD-160 on top of it. In multiparty scenarios, collision resistance may be more important than secp256k1, because checking 2^81 RIPEMD-160 hashes and finding a matching public key which would give the same address for different scripts is solvable on classical computers, and could become reality faster than quantum computers will break 256-bit random public keys. Even today, there are Bitcoin blocks with 80 leading zeroes, produced every 10 minutes, for example: 000000000000000000003c5ff410ed3c66b3cb803c2aac90b5b6600b20ba91e5. Changing double SHA-256 to HASH160, and using it to produce collisions, is just a matter of incentives: for now, mining new coins is still more profitable than trying to reach RIPEMD-160 collisions.
Reusing addresses is bad practice
Which doesn't protect multisig P2SH users from anything, if making RIPEMD-160 collisions becomes practical. Even if all addresses are unique, then still: convincing someone to put coins in a new P2SH address which seems to be a multisig, and then moving it alone, would require a new grinded address anyway.
hmbdofficial
Member


Activity: 204
Merit: 55
Changing double SHA-256 to HASH160, and using it to produce collisions, is just a matter of incentives: for now, mining new coins is still more profitable, than trying to reach RIPEMD-160 collisions.
Just a thought about this: if a successful RIPEMD-160 collision attack allowed an attacker to create two different public keys that hash to the same address, what would the practical implication be for users?
stwenhao
what will be the practical implication for users?
It will cause a lot of FUD, but mainly only multiparty addresses will be affected in practice. However, if collisions are there, then you will no longer know whether any new 160-bit address can be spent in a different way which was not yet revealed on-chain.
2) Note that the value of your SHA256, RIPEMD160, RIPEMD160(SHA256()) or SHA256^2 bounty may be diminished by the act of collecting it.
And also, it will put other puzzles in question, because finding a second preimage may be easier than solving them, because all of them are just behind P2SH. And also, practical collisions would mean that people could use P2SH instead of a TapScript, where each branch would just collide with each other, so the same P2SH address could be moved in many different ways, just like it is true for P2TR.
statoshi
Newbie

Activity: 29
Merit: 79
April 23, 2026, 07:49:11 AM
Hi folks, I don't spend much time on this forum any more but came across the thread while looking for discussions to sift through. Thoughtful replies are appreciated; personal attacks will be ignored. I'll note that we have collapsed phases B and C together because it's clear that this already controversial proposal does itself no favors without a recovery option. The primary reason I wrote it as optional (nearly a year ago) was the lack of R&D on the matter. Just in the past few months we've seen significant advancements in this particular area. In fact, it looks like it should be possible to support quantum safe recovery not only for HD wallets, but also for P2PK addresses that haven't had their public key exposed. Beyond that, I just want to say that I find this subject to be particularly fascinating because it involves half a dozen thorny issues that are all gnarled together. Never before have we been faced with such a complicated theoretical dilemma where all of the options are terrible! At the moment I'm continuing to think deeply about all of the problems regarding quantum threats and am planning on posting a series of lengthy thought pieces at https://blog.lopp.net so if you don't want to miss them, feel free to subscribe.