Thread explaining the future threat to #Bitcoin from #QuantumComputing -- How big a deal is it really? What is the timeline? And how do the Bitcoin devs plan to deal with it?
In a sentence, the threat is that quantum computers will eventually be able to break Bitcoin’s current digital signatures, which could render the network insecure & cause it to lose value.

Why isn’t the solution as trivial as simply upgrading the signatures? Decentralization. 2/
How long until someone builds a quantum computer that can steal BTC by quickly deriving private keys from their associated public keys?

Serious estimates range from 5 to 30+ years, with the median expert opinion being around 15 years. 3/
Banks/govts/etc. will soon upgrade to “quantum-resistant” cryptography to secure themselves going forward.

Bitcoin, however, with large financial incentives for attacking it & no central authority that can upgrade *for* users, faces a unique set of challenges. 4/
So let’s go over the major challenges & their solutions.

We can separate vulnerable BTC into three classes:
1) Lost coins (several million)
2) Non-lost coins held in reused/taproot/otherwise-vulnerable addresses
3) Coins in the mempool (i.e., being transacted) 5/
Starting with 1), why are lost coins an issue?

> Can steal a huge # all at once
> Selling them in bulk would tank the market
> If that seems imminent, the market could preemptively tank
> An attacker could profit immensely by provoking either of the above & shorting BTC. 6/
SOLUTION #1: preemptively burn lost coins via soft fork

How well this works will depend on:
> Are enough lost coins covered to prevent a liquidity crunch or market spook?
> Which coins get burned, who decides, & how difficult is it to reach consensus on these decisions? 7/
Another potential way around the problem of millions of lost BTC is if a benevolent party were to steal & then altruistically burn them. Not clear how realistic this is, given the financial incentives involved & who the parties likely to have this capability would be. 8/
Moving on to 2), why are non-lost coins with vulnerable public keys an issue?

This is self-evident. The primary threat to the wealth of BTC holders is their BTC being stolen. And as w/ lost coins, a related threat is that the market starts to fear such an attack is possible. 9/
SOLUTION #2: Bitcoin adds a quantum-resistant signature & holders proactively migrate.

How well this works will depend on:
> How long is the time-window for safe migration? (It would ideally begin years in advance)
> How proactively & universally do BTC holders comply? 10/
Finally, let’s look at 3), the vulnerability of coins in the mempool.

Two key points:
> it complicates migration to quantum-resistant addresses *after* large QCs are built.
> it greatly magnifies the threat posed by an unanticipated “black swan” advance in QC. 11/
SOLUTION #3: A “commit-reveal” tx scheme can be used to migrate coins without relying on mempool security.

This gets around the vulnerability of a user's old public key by adding an extra encryption/decryption step based on their new quantum-resistant key -- but w/ crucial limitations. 12/
Considerations w/ commit-reveal migration (1/2):
> It’s not foolproof unless a user starts with their coins stored in a non-vulnerable address, because attackers can steal any vulnerable coins simply by beating the original owner to the punch. 13/
Considerations w/ commit-reveal migration (2/2):
> Commit transactions introduce technical hurdles (vs. regular txs) & increase the load on the network. Neither of these is insurmountable by any means, but they suggest that this method should not be relied upon too heavily. 14/
How well the commit-reveal transaction type works will depend on:
> How much of a head start BTC holders get on migration before it becomes necessary
> The ability of the network to handle the increased tx data volume
> How practically accessible it is for users who need it. 15/
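To make the commit-reveal idea (and its limitation from 13/) concrete, here is an added toy model; it is not code from the thread's author or from Bitcoin, and every parameter in it is constructed. Signatures are Schnorr-style over a tiny group mod 65537 so that a brute-force discrete log can stand in for a quantum computer deriving a key from a public key; the "commit" is a plain hash commitment rather than the encryption step the thread describes; and the DELAY and earliest-commit-wins rules are assumptions chosen to show why the scheme works when the public key has never been seen, and why it does not help once the key is already exposed on chain.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Toy group: 3 is a primitive root mod the Fermat prime 65537, so the discrete
# log is unique and small enough to brute-force (our stand-in for Shor's algorithm).
P, G = 65537, 3
ORDER = P - 1
DELAY = 6  # constructed rule: a commit must be buried this many blocks before its reveal counts


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk: int, pk: int, msg: bytes):
    # Toy Schnorr signature over the small group (BIP340-shaped, tiny parameters)
    k = secrets.randbelow(ORDER - 1) + 1
    R = pow(G, k, P)
    e = h_int(R.to_bytes(4, "big"), pk.to_bytes(4, "big"), msg) % ORDER
    return R, (k + e * sk) % ORDER


def verify(pk: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = h_int(R.to_bytes(4, "big"), pk.to_bytes(4, "big"), msg) % ORDER
    return pow(G, s, P) == (R * pow(pk, e, P)) % P


def quantum_break(pk: int) -> int:
    """Recover sk from pk by brute force; models a large QC deriving a secp256k1 key."""
    for sk in range(1, ORDER):
        if pow(G, sk, P) == pk:
            return sk
    raise ValueError("not a group element generated by G")


def commitment(old_pk: int, new_qr_pk: bytes, salt: bytes) -> bytes:
    # The commit is a plain hash: a mempool watcher learns nothing about old_pk from it.
    return hashlib.sha256(b"commit" + old_pk.to_bytes(4, "big") + new_qr_pk + salt).digest()


@dataclass
class Chain:
    height: int = 0
    commits: dict = field(default_factory=dict)   # commitment -> height it was confirmed at
    reveals: dict = field(default_factory=dict)   # old_pk -> [(commit height, claimant), ...]

    def confirm_commit(self, c: bytes) -> None:
        self.commits.setdefault(c, self.height)
        self.height += 1

    def reveal(self, who: str, old_pk: int, new_qr_pk: bytes, salt: bytes, sig) -> bool:
        c = commitment(old_pk, new_qr_pk, salt)
        if c not in self.commits or self.height - self.commits[c] < DELAY:
            return False                       # unknown commit, or not yet buried deep enough
        if not verify(old_pk, c, sig):
            return False                       # reveal must be signed with the old key
        self.reveals.setdefault(old_pk, []).append((self.commits[c], who))
        return True

    def settle(self, old_pk: int) -> str:
        """When the reveal window closes, the earliest confirmed commitment wins the output."""
        return min(self.reveals[old_pk])[1]


def migrate_race(pk_already_exposed: bool) -> str:
    """Owner migrates one output while a mempool-watching QC attacker races them; returns the winner."""
    chain = Chain()
    sk, pk = keygen()
    owner_qr_pk, owner_salt = secrets.token_bytes(32), secrets.token_bytes(16)  # stand-in QR key
    attacker_qr_pk, attacker_salt = secrets.token_bytes(32), secrets.token_bytes(16)

    def attacker_commit():
        chain.confirm_commit(commitment(pk, attacker_qr_pk, attacker_salt))

    if pk_already_exposed:
        # Reused or taproot output: pk has been on chain for ages, so the attacker can
        # break it and commit before the owner even starts migrating.
        attacker_sk = quantum_break(pk)
        attacker_commit()

    owner_c = commitment(pk, owner_qr_pk, owner_salt)
    chain.confirm_commit(owner_c)
    chain.height += DELAY
    assert chain.reveal("owner", pk, owner_qr_pk, owner_salt, sign(sk, pk, owner_c))

    if not pk_already_exposed:
        # The owner's reveal is the first time pk is visible; only now can the attacker break it,
        # so the attacker's commit is necessarily later than the owner's.
        attacker_sk = quantum_break(pk)
        attacker_commit()
        chain.height += DELAY

    attacker_c = commitment(pk, attacker_qr_pk, attacker_salt)
    assert chain.reveal("attacker", pk, attacker_qr_pk, attacker_salt, sign(attacker_sk, pk, attacker_c))
    return chain.settle(pk)


if __name__ == "__main__":
    print("key hidden until reveal:", migrate_race(False))   # owner
    print("key already exposed:    ", migrate_race(True))    # attacker
```

The two runs of `migrate_race` are the thread's two cases side by side: with a never-exposed key the attacker can only commit after seeing the reveal, so the owner's earlier commitment wins; with a reused or taproot key the attacker commits first and the scheme offers no protection, which is exactly why the head start on migration matters.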
One potential way around the network overhead & just plain hassle of commit-reveal migration would be if a highly efficient quantum-resistant zero-knowledge proof were discovered. Current QR ZK algos are far too large to use in Bitcoin, but that could change. Worth noting. 16/
SOLUTION #4: tank the attack & rebuild

Bitcoin's network effects are massive. It's hard to predict what the crypto ecosystem will look like in the future, but the potential economic disruption of BTC failing may incentivize extraordinary measures to save the network. 17/
Bitcoin’s ability to tank a quantum-computing-related market crash will depend on:
> is another chain capable of replacing BTC as the main crypto store of value?
> can BTC avoid a mining “death spiral”?
> how far will stakeholders go to ensure the network survives & rebounds? 18/
For individuals and institutions that hold BTC, some additional measures might include:
> purchasing insurance
> hedging BTC exposure with an asset that would be expected to increase in value in the case of an attack. 19/
That sums up what I see as the main challenges & solutions for Bitcoin w/ regard to quantum computing.

This thread glossed over a lot, so def take it more as a jumping-off point than as the final word on any of the topics discussed therein. I hope you found it informative! 20/
APPENDIX: common points of confusion

> Quantum mining is not a threat.
> SHA-256 is already secure against QCs for all intents and purposes.
> QCs will not destroy the internet, cause nukes to be launched, etc.
> QCs are not going to destroy BTC in the next year or two.
