RocketSingh (OP)
Legendary

Activity: 1664
Merit: 1051
June 05, 2026, 12:42:24 PM
Certain Crypto Currencies are claiming to have them already. When Bitcoin?
mcdouglasx
Certain Crypto Currencies are claiming to have them already. When Bitcoin?
In fact, there are clear proposals for this, namely P2MR or pay-to-merkle-root addresses from BIP-360. These addresses (bc1z) are expected to be Bitcoin's first step as a measure to protect against quantum computing. This new type of address eliminates the disclosure of the public key when spending, forcing all transactions to be carried out through a script. This is based on hash functions, which are much more resistant to quantum attacks, and never exposes the public key directly on the blockchain, although at the moment there is no imminent threat related to quantum computing.
ABCbits
Legendary

Activity: 3654
Merit: 10157
June 06, 2026, 06:42:20 AM
Certain Crypto Currencies are claiming to have them already. When Bitcoin?
In fact, there are clear proposals for this, namely P2MR or pay-to-merkle-root addresses from BIP-360. These addresses (bc1z) are expected to be Bitcoin's first step as a measure to protect against quantum computing. This new type of address eliminates the disclosure of the public key when spending, forcing all transactions to be carried out through a script. This is based on hash functions, which are much more resistant to quantum attacks, and never exposes the public key directly on the blockchain, although at the moment there is no imminent threat related to quantum computing.

And it's important to note that BIP 360 itself isn't enough.

P2MR does not, by itself, protect against short exposure quantum attacks, but these attacks can be mitigated by future activation of post-quantum signatures.
Combined with P2MR, post-quantum signature schemes can provide comprehensive quantum resistance to P2MR outputs, including protection from short exposure attacks.

Who knows how long before developers choose suitable QC-resistant cryptography, partly because such cryptography is relatively new and not really "battle tested".
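The two posts above describe the idea behind pay-to-merkle-root: the output commits only to a hash (a Merkle root over the allowed spending scripts), and the chosen script plus its Merkle proof is revealed only when the coins are spent. The following added example is a toy Python model of that commit-then-reveal pattern; it is not BIP-360's actual tree construction (which uses its own tagged hashes and script semantics) nor code from any Bitcoin project. The leaf formats (`CHECKSIG:`, `HASHLOCK:`), the placeholder public key and the preimage are constructed for illustration. It also shows the "short exposure" window the second post mentions: the committed root discloses nothing, but once a leaf containing a key is broadcast for spending, that key is visible until the transaction confirms.

```python
import hashlib
from typing import List, Tuple

# Toy Merkle commitment over spending scripts (illustration only, not BIP-360's
# exact construction). Leaves and internal nodes are domain-separated so a leaf
# cannot be mistaken for an inner node.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(script: bytes) -> bytes:
    return sha256(b"\x00" + script)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    # Odd levels duplicate the last hash (toy convention, not Bitcoin's).
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(scripts: List[bytes]) -> bytes:
    """The 32-byte commitment that would be placed in the output."""
    if not scripts:
        raise ValueError("need at least one script leaf")
    level = [leaf_hash(s) for s in scripts]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(scripts: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says the sibling sits on the right."""
    level = [leaf_hash(s) for s in scripts]
    proof = []
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(root: bytes, script: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    """What a verifier checks at spend time: the revealed script hashes up to the root."""
    h = leaf_hash(script)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


# Constructed sample: two toy spending conditions. Leaf 0 carries a placeholder
# public key; leaf 1 is a pure hash-lock. Neither is real Bitcoin Script.
FAKE_PUBKEY = b"\x02" + b"\x11" * 32      # constructed placeholder, not a real key
PREIMAGE = b"constructed-preimage"
LEAVES = [
    b"CHECKSIG:" + FAKE_PUBKEY,
    b"HASHLOCK:" + sha256(PREIMAGE),
]


def commitment() -> bytes:
    """What is visible on-chain while the output is unspent: only the root."""
    return merkle_root(LEAVES)


def spend_reveal(index: int) -> Tuple[bytes, List[Tuple[bytes, bool]]]:
    """What the spender must publish: the chosen leaf plus its Merkle proof."""
    return LEAVES[index], merkle_proof(LEAVES, index)


def exposes_pubkey(data: bytes) -> bool:
    """True if the placeholder key appears verbatim in the published bytes."""
    return FAKE_PUBKEY in data


if __name__ == "__main__":
    root = commitment()
    print("on-chain commitment:", root.hex(), "exposes key:", exposes_pubkey(root))
    for i in range(len(LEAVES)):
        leaf, proof = spend_reveal(i)
        print(f"spend via leaf {i}: valid={verify_proof(root, leaf, proof)}"
              f" exposes key={exposes_pubkey(leaf)}")
```

Running the script shows the root itself never contains the key, the hash-lock path can be spent without ever revealing it, and the CHECKSIG path reveals it at spend time, which is exactly the window a post-quantum signature scheme is meant to cover.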
Cricktor
Legendary

Activity: 1540
Merit: 4114
June 18, 2026, 08:52:27 PM
Curious to know why specifically you ask, OP? To my knowledge it's not so that quantum computers capable enough to come anywhere close to being a threat to encryption or Bitcoin are anywhere near, rather than on some far, far away horizon (if at all). So, why do you beat around the bush about it? I don't say bitcoiners or devs shouldn't care about and/or should ignore quantum computers or what they might be capable of one day. I'm definitely no quantum computer expert, nor working in that field. I have a scientific background and have been working in IT for quite some years now. I think I can partly understand some of the stuff that is published, beside the media hype, about QC stuff. QC is an interesting topic and research field, but in my opinion it's an inflated hype bubble where a lot of money is poured in and everybody wants a share of it. I'm still waiting to see any QC solve real problems faster and not some carefully constructed shit to prove "QC supremacy".
ABCbits
Legendary

Activity: 3654
Merit: 10157
June 19, 2026, 07:50:15 AM
I'm still waiting to see any QC solve real problems faster and not some carefully constructed shit to prove "QC supremacy".

How about government agencies that actually operate on the principle "Harvest now, decrypt later"?
Satofan44
Sr. Member
  

Activity: 420
Merit: 1131
Don't hold me responsible for your shortcomings.
I'm still waiting to see any QC solve real problems faster and not some carefully constructed shit to prove "QC supremacy".

How about government agencies that actually operate on the principle "Harvest now, decrypt later"?

In the context of Bitcoin this would be a misunderstanding and misapplication of this principle. I know that you are responding in general, but some readers have actually brought this up in other threads as applicable to Bitcoin too, so I want to expand on it to avoid idiots repeating wrong information in other threads. This principle does not apply to networks like Bitcoin, where the data is always publicly available, so you do not need to harvest it now to decrypt it later -- actually doing this would be a mistake because a lot of the data would have changed by the time you start decrypting, so you could waste a lot of computing resources decrypting empty addresses. The correct approach in this context, and for Bitcoin, is only: decrypt the current data when you are able to decrypt it. The "harvest now, decrypt later" approach is applied in the context of data that is in transit or data that is not publicly available today, so we would be talking about things like communications. Some of those will contain value that will be important for a long time to come. Therefore, some more basic examples of what they would capture would be VPN traffic, TLS sessions, secure email and so forth. In the case of Bitcoin you are not decrypting hidden information, you are recovering signing keys from publicly available information -- which is why "harvesting now" is pointless.

Certain Crypto Currencies are claiming to have them already. When Bitcoin?
Certain "crypto currencies" are completely centralized scam projects, and as such doing something incredibly stupid and risky with them is an option. Bitcoin does not have the luxury to be fast, and that is a benefit.
BlackHatCoiner
Legendary

Activity: 2072
Merit: 9892
Avatar for rent
June 19, 2026, 07:55:31 PM
It's coming, but slowly. BIP-360 got merged into the BIP repo in February, so there's finally a quantum-resistant output type on paper. Thing is, it's still just a spec, only running on a testnet. Most of those altcoins waving the "quantum safe" flag are mostly centralized bullshit anyway. No quantum computer is remotely close to 256-bit ECDSA (biggest public crack so far was like 15-bit key?).
And with how consensus changes go, don't expect it activated any time soon.
ABCbits
Legendary

Activity: 3654
Merit: 10157
June 20, 2026, 09:48:25 AM
The "harvest now, decrypt later" approach is applied in the context of data that is in transit or data that is not publicly available today, so we would be talking about things like communications. Some of those will contain value that will be important for a long time to come. Therefore, some more basic examples of what they would capture would be VPN traffic, TLS sessions, secure email and so forth. In the case of Bitcoin you are not decrypting hidden information, you are recovering signing keys from publicly available information -- which is why "harvesting now" is pointless.

Yeah, this is exactly what I mean. Those communications usually use public key cryptography, and the public key could be extracted either from the TLS certificate or by parsing the traffic itself.

Certain Crypto Currencies are claiming to have them already. When Bitcoin?
Certain "crypto currencies" are completely centralized scam projects, and as such doing something incredibly stupid and risky with them is an option. Bitcoin does not have the luxury to be fast, and that is a benefit.

Even if it's not an obvious scam or highly centralized, it could be a red flag if the team behind it emphasizes QC-resistant cryptography as the main way to attract investors.
Satofan44
Sr. Member
  

Activity: 420
Merit: 1131
Don't hold me responsible for your shortcomings.
June 21, 2026, 12:05:56 PM
It's coming, but slowly. BIP-360 got merged into the BIP repo in February, so there's finally a quantum-resistant output type on paper. Thing is, it's still just a spec, only running on a testnet. Most of those altcoins waving the "quantum safe" flag are mostly centralized bullshit anyway. No quantum computer is remotely close to 256-bit ECDSA (biggest public crack so far was like 15-bit key?).
And with how consensus changes go, don't expect it activated any time soon.
Even without a specific BIP number, many proposals are being worked on - some in public and others in private. For those that really want to follow these things, they need to learn where to look instead of hopelessly falling for marketing and propaganda at the same time. For starters, OP should be reading the mailing list and Delving Bitcoin. If he did, he'd know that it is being worked on, and a proper understanding of Bitcoin would make him understand why this process has to be slow.

Yeah, this is exactly what I mean. Those communications usually use public key cryptography, and the public key could be extracted either from the TLS certificate or by parsing the traffic itself.

Great, as I said, just be careful, but unfortunately readers here will take such information and wrongfully share it in other sections such as Bitcoin Discussion. With readers I mostly mean signature spammers, but you get my point.

Certain Crypto Currencies are claiming to have them already. When Bitcoin?
Certain "crypto currencies" are completely centralized scam projects, and as such doing something incredibly stupid and risky with them is an option. Bitcoin does not have the luxury to be fast, and that is a benefit.
Even if it's not an obvious scam or highly centralized, it could be a red flag if the team behind it emphasizes QC-resistant cryptography as the main way to attract investors.

We are going to see 2 major types of scams here:
- Shitcoins advertising themselves as "quantum secure", which is a completely meaningless functionality and metric, similar to how in the earlier days they even used smart contracts as buzzwords in order to extract value from potential investors and retail.
- Satoshi coin recovery scams: there will be various entities that will scam investors out of money by selling them the idea that the unlocking of Satoshi's coins is just within reach.
As always, many people do not learn their lessons and will fall for the charlatans.
Wind_FURY
Legendary

Activity: 3696
Merit: 2186
June 24, 2026, 09:17:29 AM
Certain Crypto Currencies are claiming to have them already. When Bitcoin?
In fact, there are clear proposals for this, namely P2MR or pay-to-merkle-root addresses from BIP-360. These addresses (bc1z) are expected to be Bitcoin's first step as a measure to protect against quantum computing. This new type of address eliminates the disclosure of the public key when spending, forcing all transactions to be carried out through a script. This is based on hash functions, which are much more resistant to quantum attacks, and never exposes the public key directly on the blockchain, although at the moment there is no imminent threat related to quantum computing.
And it's important to note that BIP 360 itself isn't enough.
P2MR does not, by itself, protect against short exposure quantum attacks, but these attacks can be mitigated by future activation of post-quantum signatures.
Combined with P2MR, post-quantum signature schemes can provide comprehensive quantum resistance to P2MR outputs, including protection from short exposure attacks.
Who knows how long before developers choose suitable QC-resistant cryptography, partly because such cryptography is relatively new and not really "battle tested".

Plus the main problem/elephant in the room - "Will a proposal get community consensus?" ¯\_(ツ)_/¯ I believe that it's going to be another "debate", like how it took YEARS of deliberation, an actual struggle, and the necessity of a UASF threat before the activation of SegWit.
ABCbits
Legendary

Activity: 3654
Merit: 10157
June 24, 2026, 09:34:05 AM
--snip--
Plus the main problem/elephant in the room - "Will a proposal get community consensus?" ¯\_(ツ)_/¯ I believe that it's going to be another "debate", like how it took YEARS of deliberation, an actual struggle, and the necessity of a UASF threat before the activation of SegWit.

I doubt it'll be as bad as SegWit activation. But it definitely won't be as smooth as Taproot activation, because deciding which cryptography to use isn't straightforward, with various trade-offs such as size, verification time and its security audit results. The table is outdated and missing some alternatives (such as SHRMPS and SHRINCS), but it's enough to show there's no single "best" choice.
Wind_FURY
Legendary

Activity: 3696
Merit: 2186
Today at 06:40:25 AM
--snip--
Plus the main problem/elephant in the room - "Will a proposal get community consensus?" ¯\_(ツ)_/¯ I believe that it's going to be another "debate", like how it took YEARS of deliberation, an actual struggle, and the necessity of a UASF threat before the activation of SegWit.
I doubt it'll be as bad as SegWit activation. But it definitely won't be as smooth as Taproot activation, because deciding which cryptography to use isn't straightforward, with various trade-offs such as size, verification time and its security audit results. The table is outdated and missing some alternatives (such as SHRMPS and SHRINCS), but it's enough to show there's no single "best" choice.

Probably not as bad as SegWit, BUT it will feel as bad when other networks upgrade their systems and we are left behind, still debating how to move forward. Maybe Charlie Lee should set an example again, like what he did with SegWit, and show us a possible path towards a Quantum Resistance enhancement.
Satofan44
Sr. Member
  

Activity: 420
Merit: 1131
Don't hold me responsible for your shortcomings.
Today at 04:04:03 PM
Probably not as bad as SegWit, BUT it will feel as bad when other networks upgrade their systems and we are left behind, still debating how to move forward. Maybe Charlie Lee should set an example again, like what he did with SegWit, and show us a possible path towards a Quantum Resistance enhancement.

It makes us, a decentralized network that is extremely inexpensive to run, look bad that centralized networks are adopting inefficient solutions that make it extremely expensive to participate in said networks? Really, this is your fucking argument? Do you even know the minimum requirements to run a Solana node? Of course you don't; the requirements are more than 100 times those of Bitcoin. Yes, I am not exaggerating; that is the lower-number quick estimate based on my memory, but the actual number is a bit worse. Of course they can implement the shittiest and most inefficient quantum-resistant keys; why would they care about its efficiency when they have never cared about that? The playing field for Bitcoin is completely different. If we want to keep Bitcoin as it is today (including its TPS capacity) there are only two ways:
- Pick a scheme even if it is inefficient, and do a large block size increase. This will lead to a severe and negative impact on decentralization.
- Pick or wait for a very efficient scheme, with or without a very small block size increase (with whatever method, readers don't be picky about this). This will preserve both TPS and decentralization.
If we go with the first route, we might as well add smart contracts and whatever other shit is found in shitcoins.