WhyFhy (OP)
July 16, 2025, 01:46:16 PM
Y'all need to get to work on protocol proposals soon.
I don't have a complete solution yet, but it's time to seriously consider Taproot upgrades, a new SegWit branch, and double or triple signature signing.
Focus on the lowest common denominator right now: signatures.
Something like ECDSA + SPHINCS+ + Merkle Tree could be a start, but it's still just a patch.
Nothing will be secure soon.
nTimelock can buy time temporarily, but this barely scratches the surface.
People are already researching curve collapse functions and log resolution methods.
If you're stuck in infosec field practices and principles, it's time to get creative and step out of your comfort zone.
Deterministic functions are not truly one-way; they only feel that way because of current computational limits. That's temporary.
My 2 Sats FWIW
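The OP's sketch pairs ECDSA with SPHINCS+ and a Merkle tree; the hash-based leg is the part that still holds if the discrete log on secp256k1 falls. As an added illustration (not code from any poster and not SPHINCS+ itself), here is a toy many-time hash-based scheme of that shape: Lamport one-time keys under a single Merkle root, with the signer tracking which leaf it has consumed, since reusing a Lamport key is the classic failure mode of this family. Only SHA-256 is used; there is no curve arithmetic anywhere.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

BITS = 256  # one secret pair per bit of the SHA-256 message digest

def lamport_keygen():
    # Secret key: 256 pairs of random 32-byte values; public key: their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def lamport_sign(sk, msg: bytes):
    # Reveal one preimage per digest bit; this is why a key is strictly one-time.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == BITS and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def leaf_hash(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

def build_tree(leaves):
    # All levels, leaves first and root last; leaf count must be a power of two.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, idx: int):
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])  # sibling node at this level
        idx >>= 1
    return path

def root_from_path(leaf: bytes, idx: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = H(sibling + node) if idx & 1 else H(node + sibling)
        idx >>= 1
    return node

class MerkleSigner:
    """Stateful many-time signer: n one-time Lamport keys under one Merkle root."""
    def __init__(self, n_keys: int = 4):
        assert n_keys & (n_keys - 1) == 0, "use a power-of-two number of leaves"
        self.keys = [lamport_keygen() for _ in range(n_keys)]
        self.levels = build_tree([leaf_hash(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]  # the long-term public key
        self.next_idx = 0               # state: leaves already consumed

    def sign(self, msg: bytes) -> dict:
        if self.next_idx >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; reusing one would leak preimages")
        idx, self.next_idx = self.next_idx, self.next_idx + 1
        sk, pk = self.keys[idx]
        return {"idx": idx, "pk": pk, "ots": lamport_sign(sk, msg),
                "path": auth_path(self.levels, idx)}

def merkle_verify(root: bytes, msg: bytes, sig: dict) -> bool:
    # Both checks are pure hashing: no ECDLP assumption is involved.
    if not lamport_verify(sig["pk"], msg, sig["ots"]):
        return False
    return root_from_path(leaf_hash(sig["pk"]), sig["idx"], sig["path"]) == root
```

A hybrid design of the kind the OP describes would require this check and an ECDSA check to both pass, so an attacker has to break the hash function as well as the curve.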
NotFuzzyWarm
Legendary
Offline
Activity: 4074
Merit: 3186
Evil beware: We have waffles!
July 17, 2025, 01:08:11 AM (Last edit: July 17, 2025, 08:49:50 PM by NotFuzzyWarm)
Oh bloody hell, yet another SC (Super Computer) & QC (Quantum Computer) calamity FUD thread... Get over it folks and dig deeper into where progress in computing power actually is and stop repeating crap based on pure speculation.
> People are already researching curve collapse functions and log resolution methods.
Just like they have been for decades and still with no real progress. Just like fusion power, the reality is still very far away from what is circulating on the 'net.
WhyFhy (OP)
July 17, 2025, 05:05:10 PM
> Oh bloody hell, yet another SC (Super Computer) & QC (Quantum Computer) calamity FUD thread... Get over it folks and dig deeper into where progress in computing power actually is and stop repeating crap based on pure speculation. People are already researching curve collapse functions and log resolution methods. Just like they have been for decades and still with no real progress. Just like fusion power, the reality is still very far away from what is circulating on the 'net.
Your complacency bias is actually the biggest threat right now. Patching after the fact won't be an option, that's exactly why I said "if you're stuck in infosec principles, it's time to get creative." People like you are a predictable factor. Constrained.
Mia Chloe
July 17, 2025, 06:34:46 PM
> Oh bloody hell, yet another SC (Super Computer) & QC (Quantum Computer) calamity FUD thread... Get over it folks and dig deeper into where progress in computing power actually is and stop repeating crap based on pure speculation.
Actually I see no reason why people are still scared that quantum computing will crash Bitcoin when even they said the capabilities of quantum computing haven't even been harnessed yet. Basically everything you see online emphasizing how much quantum computing beats regular micro computing is just speculation. I've said this multiple times and the fact is almost no one will waste quantum computing on crashing Bitcoin when they can use it to make a ton of profit through a means like mining.
Cricktor
Legendary
Offline
Activity: 1204
Merit: 2750
July 19, 2025, 05:08:13 PM
~~~ Can you elaborate why you make it sound urgent? I don't want to say there's no need to do something; there are already discussions about this and that for potential upcoming threats. You may perceive such processes as too slow or whatnot, but rarely does a single person oversee all details and their consequences. I'm generally curious why you call it out like you did. What do you think you know that you left out in your post? Deliberately? You don't explain at all what could possibly become a real, not imagined, problem. So what's this all about?
mcdouglasx
July 19, 2025, 05:37:51 PM
There are enough more urgent classical problems that are moving away from QC at the moment to focus 100% on quantum technology. I think that when quantum is a possible problem, this will probably already be well posed in Bitcoin and in classical cryptography in general. I think that not only Bitcoin depends on this but all current security in the world, so believe me, the arrival of quantum rather than a concern will end up being an improvement for information security.
pooya87
Legendary
Offline
Activity: 3892
Merit: 11820
July 20, 2025, 03:22:26 AM
> People are already researching curve collapse functions and log resolution methods.
I entered the Bitcoin world back in 2014 and I remember people working on the same exact thing back then too! In other words this is not new. Hardware has improved but not enough to make a significant difference in order to make this a possibility. That means your attempt at conveying a sense of urgency is wrong. However, I fully support any discussion about our replacement options.
> I don't have a complete solution yet, but it's time to seriously consider Taproot upgrades, a new SegWit branch, and double or triple signature signing.
If ECDSA and ECSDSA on the secp256k1 curve are to become obsolete, they need to be removed completely IMO; and that requires a hard fork. In such a scenario we no longer need SegWit, it too can be removed.
stwenhao
> If ECDSA and ECSDSA on secp256k1 curve are to become obsolete, they need to be removed completely IMO
I don't know if people will decide to destroy the only 256-bit calculator in Script that we currently have. And also: it is possible to use OP_CHECKSIG in a way where it would be safe if ECDSA will be broken, but if SHA-256 will still stay strong (for example by using it to check Proof of Work in output scripts, so second-layer protocols on top of Bitcoin could be mineable).
> and that requires a hard fork
No, because even if all existing UTXOs will be made unspendable, and the block will be required to have zero coin amounts in the coinbase transaction, and nothing else, then it would still be a soft-fork. More about evil soft-forks: https://petertodd.org/2016/forced-soft-forks#radical-changes
> In such a scenario we no longer need SegWit, it too can be removed.
So, you want to soft-fork-out of Segwit? Interesting. Because if everything will be done only in legacy space, and no additional commitment will be done anywhere (for example in the coinbase transaction), then it will reintroduce malleability, O(n^2) transaction hashing, and other problems, for no reason. It is technically possible, but I would say unlikely. Rather, I would expect "second witness", where you would have "legacy space", "witness space", and for example "commitment space", created only for new address types. Which means that we could have "max_block_size = N * ((4 * legacy) + witness) + commitment", and instead of 1 MB legacy, or 4 MB witness limit, we could have "N" MB commitment limit, as a new max block size definition (along with other restrictions, to make new outputs JPEG-resistant).
BitBastard
Newbie
Offline
Activity: 13
Merit: 1
July 20, 2025, 06:13:36 PM
AI/Quantum FUD has nothing to do with abstract algebraic and number theory innovations.
They will one day find that it's not actually computationally hard to perform the calculations. Perhaps they map the system over another system like sine waves, or they find that some esoteric concept turns the curve into Gouda cheese.
Medusah
> Hardware has improved but not enough to make a significant difference in order to make this a possibility. That means your attempt at conveying a sense of urgency is wrong.
I interpret his urgency as "begin finding consensus". I too agree that it might take a long time until a quantum computer breaks ECDSA, but we must not wait until it's relatively, possibly feasible. We cannot upgrade to a quantum-safe algorithm the same way that a Windows update can. It will take many years. Just imagine that even if we have everything ready, developers done writing code and miners done signaling, we still need at least one year of nearly optimal consolidations in a hypothetical clogged up network to migrate most of the coins to quantum-safe addresses. (And that's just hypothetical, it'll take many years for most bitcoiners to move to quantum-safe.) And I'm not even discussing the dilemma with the satoshi-era coins and whether to freeze them or not to freeze.
pooya87
Legendary
Offline
Activity: 3892
Merit: 11820
July 21, 2025, 04:21:02 AM
> So, you want to soft-fork-out of Segwit? Interesting. Because if everything will be done only in legacy space, and no additional commitment will be done anywhere (for example in the coinbase transaction), then it will reintroduce malleability, O(n^2) transaction hashing, and other problems, for no reason.
Part of SegWit is about keeping things backward compatible, which has created a slight overhead. That can be removed with a hardfork and everything else, including the malleability related changes, can become the default behavior. For example what we call P2PKH right now could use the same sighash mechanism as SegWit v0 does right now, without needing the overhead and definitely without needing the wrapped SegWit scripts.
> we still need at least one year of nearly optimal consolidations in a hypothetical clogged up network to migrate most of the coins to quantum-safe addresses.
Exactly. This is why I support discussion about replacement options even though it is still too soon.
WhyFhy (OP)
July 28, 2025, 04:33:25 AM
> AI/Quantum FUD has nothing to do with abstract algebraic and number theory innovations.
And applying abstract algebraic and number theory innovations across unexpected vectors. Knowledge graphs and embeddings are just the surface layer. Historically, when breakthroughs move this fast, they're intentionally obscured. I'm speculating here, not FUD. If I had a quantum system I'd use it for topology recursion of the current system and solve for hierarchical error correction. The first iteration of this would jump 10:1 vs Moore's 2.5 year iteration. Then I'd fix the logical substrate with my new toy, and see 1000:1 gains after I solved for that X. ECDSA and RSA would be a dinosaur in the iteration of this event. I'd bet we are in a 36 month window for the error correction phase without topology recursion. To think, this post could be read by a key individual who can compress that timeline if they are not already utilizing a similar strategy. Or retrieved by a topic research crawler. Or both. Who knows, I'm speculating and betting. If I'm wrong we are conservatively in the 7 year range. Again I'm not trying to create a panic/FUD or anything, but the variables say it's time to get to work! Unfortunately the rules of mathematics are a dictatorship. Sorry I've been late to respond. Been busy, didn't intend to look like I was dropping a FUD piece; I figured my OP & response to fuzzy solidified my stance a little to take a break.
alani123
Legendary
Offline
Activity: 2842
Merit: 1626
BC.game: Crypto Casino and Sportsbook
July 28, 2025, 04:38:01 AM
OP could you go into a little more depth about what the worst case scenario is here so it can be understood more widely?
What's the research you're citing? What happens if secp256k1 is broken tomorrow and how does it affect BTC?
Dissemination is an important thing when trying to get a message across about scientific matters. Especially given that for bitcoin to be upgraded without issue a wider user base would need to agree including miners and mining pools most importantly.
It's not necessary that those mining BTC will be knowledgeable in the field of computer science and cryptography though.
WhyFhy (OP)
July 28, 2025, 05:33:16 AM
> OP could you go into a little more depth about what the worst case scenario is here so it can be understood more widely?
> What's the research you're citing? What happens if secp256k1 is broken tomorrow and how does it affect BTC?
> Dissemination is an important thing when trying to get a message across about scientific matters. Especially given that for bitcoin to be upgraded without issue a wider user base would need to agree including miners and mining pools most importantly.
> It's not necessary that those mining BTC will be knowledgeable in the field of computer science and cryptography though.
Worst case scenario? Every legacy wallet that's ever exposed its pubkeys gets contents swiped. I don't have time to do a whitepaper, just like we don't really have time for politics on the matter. The logistics alone are already working against us. Bitcoin's already handicapped in this scenario: moving millions of UTXOs through network capacity constraints, for starters.
2017: Had time to argue, low stakes ($2500-20000)
2025: No time to argue, catastrophic stakes ($100k+). Almost impossible logistics compared to 2017.
Corporate treasury managers, institutional fund managers, government regulators, international treaty obligations, pension fund fiduciaries
Institutional stakeholders: can't move fast, have compliance requirements
Nation-state actors: some want Bitcoin to succeed, others want it to fail
Regulatory oversight: SEC, Treasury, international coordination needed
Economic integration: Bitcoin failure would cascade through financial markets
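WhyFhy's worst case ("every legacy wallet that's ever exposed its pubkeys") is something a custodian can measure today rather than argue about. As an added example (not code from any poster), here is a triage over a constructed UTXO set that sorts outputs by whether the public key is already recoverable from the chain: P2PK and P2TR carry the key in the output itself, while hash-based outputs (P2PKH, P2WPKH, P2SH, P2WSH) only reveal it once the same script has been spent from, i.e. on address reuse. Assumptions: placeholder keys, hashes and txids are constructed; P2SH/P2WSH are treated as exposed on reuse because the spend reveals the redeem script.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    txid: str        # constructed placeholder ids, not real transactions
    vout: int
    value_sat: int
    spk: bytes       # raw scriptPubKey

def classify(spk: bytes) -> str:
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"      # <pubkey> OP_CHECKSIG: the key sits in the output
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"     # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # OP_1 <32-byte x-only key>: tweaked key is on chain
    return "unknown"

KEY_IN_OUTPUT = {"p2pk", "p2tr"}
HASH_GUARDED = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}

def exposure(u: Utxo, spent_from: set) -> str:
    """spent_from: scriptPubKeys that have been spent from at least once.
    A spend reveals the pubkey (or redeem script), so every remaining output
    paying the same script is exposed by reuse."""
    kind = classify(u.spk)
    if kind in KEY_IN_OUTPUT:
        return "exposed"
    if kind in HASH_GUARDED:
        return "exposed-by-reuse" if u.spk in spent_from else "hash-guarded"
    return "unknown"

def triage(utxos, spent_from) -> dict:
    # Sum value per exposure class; the "exposed" buckets are the migration queue.
    totals = {}
    for u in utxos:
        cls = exposure(u, spent_from)
        totals[cls] = totals.get(cls, 0) + u.value_sat
    return totals

# Constructed sample data (placeholder key material, not real chain data).
PK33 = b"\x02" + bytes(range(32))
H20_A = bytes([0xAA] * 20)
H20_B = bytes([0xBB] * 20)
X32 = bytes([0xCC] * 32)
SPK_P2PK = bytes([33]) + PK33 + b"\xac"
SPK_P2PKH_A = b"\x76\xa9\x14" + H20_A + b"\x88\xac"
SPK_P2PKH_B = b"\x76\xa9\x14" + H20_B + b"\x88\xac"
SPK_P2TR = b"\x51\x20" + X32
SAMPLE = [
    Utxo("tx1", 0, 50_0000_0000, SPK_P2PK),     # early-era style P2PK
    Utxo("tx2", 1, 1_0000_0000, SPK_P2PKH_A),   # address A was spent from before
    Utxo("tx3", 0, 2_0000_0000, SPK_P2PKH_B),   # address B never spent from
    Utxo("tx4", 0, 3_0000_0000, SPK_P2TR),      # taproot: output key is public
]
SPENT_FROM = {SPK_P2PKH_A}

if __name__ == "__main__":
    for cls, sats in sorted(triage(SAMPLE, SPENT_FROM).items()):
        print(f"{cls:18s} {sats / 1e8:10.2f} BTC")
```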
alani123
Legendary
Offline
Activity: 2842
Merit: 1626
BC.game: Crypto Casino and Sportsbook
July 28, 2025, 06:09:49 AM
Surely the effects would be catastrophic, but for research concerning Bitcoin the real question would be whether old addresses holding funds could be salvaged.
If the encryption is broken and it could result in a compromise of funds, could the original owners keep access to their funds without the community having to "burn" their coins? That's the real question worth looking into. Has the theoretical research touched on it?
mindrust
Legendary
Offline
Activity: 3696
Merit: 2652
July 29, 2025, 05:20:52 AM
> I entered Bitcoin world back in 2014 and I remember people working on the same exact thing back then too! In other words this is not new. Hardware has improved but not enough to make a significant difference in order to make this a possibility. That means your attempt at conveying a sense of urgency is wrong.
> However, I fully support any discussion about our replacement options.
In 2014 AI wasn't a thing. Let alone AGI, which is still not a thing today but we are getting closer. A decade ago all people had was Google, and when they decided to build a very complex algorithm or do a complicated math problem, they were on their own. Nowadays you can explain a 10 step algorithm to ChatGPT and it will do the math for you. These might not seem related but they are, because somebody somewhere is using these tools way more intelligently than the average consumer. I saw yesterday Jameson Lopp has already made a proposal to make BTC quantum resistant, and that means some alarms are ringing.
stwenhao
July 29, 2025, 05:53:33 AM
> Nowadays you can explain a 10 step algorithm to chatgpt and it will do the math for you.
Good luck trying to calculate hash functions step-by-step with ChatGPT (it won't be even close to the results you can get on sha256algorithm, and it will just hallucinate some constants out of the Wikipedia description, but nothing beyond that). Or try asking about the Schoof-Elkies-Atkin algorithm on real elliptic curves (it will repeat that this topic is too complex, because many PowerPoints said that; or it will hallucinate and tell you completely wrong results, even if all numbers are below 100). Existing AI models are really bad when it comes to math. They are nowhere close to tools like Sage or WolframAlpha.
pooya87
Legendary
Offline
Activity: 3892
Merit: 11820
> A decade ago all people had was google and when they decide to build a very complex algorithm or do a complicated math problem, they were on their own.
> Nowadays you can explain a 10 step algorithm to chatgpt and it will do the math for you.
Well, from what I've seen from AI, I wouldn't call it intelligence. It is just a database of whatever information existed and its devs included in its database. In other words it is not capable of innovation. It just provides you with solutions that already exist. For example if you ask it to help you solve ECDLP, it will give you the information that already exists in its database, which is something you could have found on Google 10 years ago as well as today. AI is also not improving computation speed, which is what's needed to solve ECDLP.
mindrust
Legendary
Offline
Activity: 3696
Merit: 2652
July 29, 2025, 06:08:36 AM
>> Nowadays you can explain a 10 step algorithm to chatgpt and it will do the math for you.
> Good luck trying to calculate hash functions step-by-step with ChatGPT (it won't be even close to the results you can get on sha256algorithm, and it will just hallucinate some constants out of the Wikipedia description, but nothing beyond that). Or try asking about the Schoof-Elkies-Atkin algorithm on real elliptic curves (it will repeat that this topic is too complex, because many PowerPoints said that; or it will hallucinate and tell you completely wrong results, even if all numbers are below 100). Existing AI models are really bad when it comes to math. They are nowhere close to tools like Sage or WolframAlpha.
You are the expert. If you say we are good, then I can't argue. J-Lopp clearly is not in the same boat.
>> A decade ago all people had was google and when they decide to build a very complex algorithm or do a complicated math problem, they were on their own.
>> Nowadays you can explain a 10 step algorithm to chatgpt and it will do the math for you.
> Well, from what I've seen from AI, I wouldn't call it intelligence. It is just a database of whatever information existed and its devs included in its database. In other words it is not capable of innovation. It just provides you with solutions that already exist. For example if you ask it to help you solve ECDLP, it will give you the information that already exists in its database, which is something you could have found on Google 10 years ago as well as today. AI is also not improving computation speed, which is what's needed to solve ECDLP.
How do we know that what they have shown us so far is all they got?
stwenhao
July 29, 2025, 06:36:00 AM
> You are the expert.
I am far from that. But you don't have to trust me: you can ask ChatGPT to lead you step-by-step and teach you how all of that works. You can ask how SHA-256 works, how ECDSA works, and so on. You can ask it to write code, and let it help you to understand all of that. But even if you ask basic questions, then you will probably quickly see how often it can hallucinate, and how often the given code won't work at all, or will try to solve a completely different problem than you asked about. So, just try it, instead of believing that I am an expert who knows how to draw lines.
> J-Lopp clearly is not in the same boat.
Willing to start discussion is not the same as spreading FUD that all of us will die tomorrow. I think discussion about quantum computers and AI should happen now, but I also know that today, we are still far from many dangers, because there are many canaries, and none of them warned us that things are bad today. If you disagree, then, as I said: you can put more coins in, or invent a better canary.
> How do we know that what they have shown us so far is all they got?
We don't. And how do we know that the current chain has the heaviest Proof of Work in existence? We don't know that either. But there are incentives to share blocks, which is why miners do that in the first place. And there are already some incentives to show publicly the progress of cryptography, and be rewarded directly in BTC for doing just that. If you think that there is not enough incentive, then again: put more coins in, or invent a better puzzle. What else can be done?