Bitcoin may face hard fork over any attempt to freeze Satoshi’s coins

A controversial hard fork of Bitcoin may be needed to resolve an impossible choice between freezing the BTC in addresses owned by Satoshi Nakamoto and the early miners, or seeing them stolen and dumped in a potential quantum attack.

That’s according to Bitcoin Core developer and Blockstream co-founder Matt Corallo, who said recently the outcome of such a fork is pre-ordained.

The Sophie’s Choice-style dilemma is caused by the fact that around 1.72 million coins in these early pay-to-public-key (P2PK) mining addresses are quantum-vulnerable and have been dormant for 15 years or more. Chainalysis estimates that a further 1.1 million to 2.1 million Bitcoin have been permanently lost. A large percentage of that is in addresses with exposed public keys.

The only way to make Bitcoin post-quantum secure is for the owners of the private keys to move their coins to secure addresses themselves. So even after BIP-360 is activated and after a post-quantum signature scheme is eventually added, between 13% and 18% of the total Bitcoin supply will remain in vulnerable addresses. That would potentially leave a honeypot for quantum attackers worth up to $270 billion.

The theft and sale of even a fraction of that amount would destroy the price and strike a heavy blow to Bitcoin’s reputation as immutable hard money. For those who bought Bitcoin based on its hard cap supply and low inflation, 4 million coins is the equivalent of adding the past decade’s worth of Bitcoin mining block rewards to the circulating supply.

Some Bitcoiners argue it’ll never happen. Others say that when quantum computers are invented, it will be too expensive and take too long to crack all the affected addresses. But does the community want to take that risk?

Burn the lost Bitcoin to prevent quantum theft

The obvious solution is to make these coins non-transferable, so they can’t be stolen. Jameson Lopp co-authored QBIP, which would prevent coins from being sent to quantum-vulnerable addresses after a deadline three years from BIP-360’s activation. Five years after that, funds in those addresses could no longer be spent.

“If we don’t do anything, we’re kind of killing the hard-money, fixed-supply ethos of Bitcoin because we’re unlocking 20%-30% supply for hackers. That is going to kill trust,” says Charles Edwards, founder of Capriole.

However, zeroing out the value of millions of dormant coins, including those mined by Bitcoin’s creator, is vehemently opposed by a sizable contingent of Bitcoiners, who believe it undermines the immutable private property rights that Bitcoin offers.

But Edwards says a carefully planned migration is the “lesser of two evils.” He believes 99.9% of active Bitcoin owners would migrate. Only the outliers, such as people stuck in prison, would be unable to move coins.

“We’re worrying about coins which are never going to be recovered because they’re in landfills and tips where people lost their keys five, 10 years ago. Satoshi is probably dead, et cetera. So, I don’t think we’re, we’d be impacting many people at all on that, if any, and the net benefit to everyone would be substantial.”

Despite this, he’s resigned to the status quo prevailing. “I think the most probable outcome is nothing will happen on that topic because it’s too hard to discuss and to get any agreement on. So, the probable outcome is to do nothing,” he says.

What would Satoshi do about the quantum issue?

A social media poll by Cointelegraph found that roughly two-thirds of respondents favor freezing these coins, while a third are opposed. (Social media polls aren’t scientific, and the poll wasn’t of Bitcoiners exclusively.)

Quantum coins poll
(Cointelegraph)

On the “Pleb Underground” podcast, BIP-360 co-author Hunter Beast raised the intriguing possibility that Satoshi may have actually intended for the early coins to be returned to the supply. He noted that the original Bitcoin client in 2009 had two address types to receive payments and defaulted to one that exposed the public keys for mining rewards.

Satoshi would likely have been aware of Shor’s algorithm, which was invented 15 years earlier and can, in theory, recover a private key from its public key using a quantum computer.

Pierre Rochard on the Lumen Podcast.

Beast called it an “interesting choice in hindsight” to default to that address type for “people who might have lost their keys early on and not have realized the value of what they were doing.”

“It could mean that maybe Satoshi intended for that supply to be returned to circulation. Maybe that was his intention in that design choice.”

Bitcoiner Pierre Rochard told the “Lumen Podcast” he was fine with the coins being stolen.

“Personally, my view is that they should just be up for grabs, so people will do quantum mining on old coins, and it is what it is. Will they sell those Bitcoin right away or not? That’s up to them. Right? That’s the freedom of Bitcoin.”

Bitcoin Core dev suggests a fork may be inevitable

Long-time Bitcoin Core dev Corallo recently told “Unchained” the issue may end up being decided by a hard fork — one fork of Bitcoin will freeze the coins, and the other will keep them.

“Once someone proposes the fork, I think it’s very clear which one the market is going to prefer. There’s either the fork with insecure spend paths disabled, or there’s the fork with, as you note, several million additional coins on the market,” he says.

Also read: Bitcoin faces 6 massive challenges to become quantum secure

Corallo believes the fork with the lower supply will have a big advantage in becoming the dominant fork.

“The market is going to prefer the one that disables the coin. So, I don’t think, while there is some discussion of it in Bitcoin, it’s not really ambiguous as to what the outcome of that will be and what will happen there.”

Matt Corallo

A compromise proposal called Hourglass

However, there is a proposal that attempts to broker a compromise between the two sides.

Beast’s Hourglass V2 proposal attempts to mitigate the damage by allowing P2PK coins (the OG output type) to be stolen by a quantum attacker, but only to re-enter circulation at a steady, predictable rate of 1 BTC per block, which is roughly 144 BTC per day.

The proposal states:

“Without a spending constraint, over 6,000 P2PK transactions could be executed in each block — potentially releasing more than 300,000 coins per block to the market. At this rate, all P2PK coins could be spent in just a few hours if no mitigations are activated.”

However, it would not apply to other output types with exposed public keys.
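To make concrete which outputs the article is talking about, here is an added example (not from the article, BIP-360 or any Hourglass proposal) that classifies a Bitcoin scriptPubKey by whether the public key is already on chain in the output itself or only a hash of it; the sample scripts are constructed, not real chain data.

```python
# Added example, not from the article or from any BIP: classify a Bitcoin
# scriptPubKey by whether the public key is already on chain in the output
# itself (what Shor's algorithm would need). Sample scripts are constructed.

def classify_script_pubkey(spk_hex: str) -> tuple[str, bool]:
    """Return (script type, key_exposed) for a hex-encoded scriptPubKey."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 65|33> <pubkey> OP_CHECKSIG (0xac). Satoshi-era coinbase
    # outputs used the 65-byte uncompressed form (0x04 prefix).
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        key = s[1:-1]
        if (n == 67 and key[0] == 0x04) or (n == 35 and key[0] in (0x02, 0x03)):
            return "P2PK", True
    # P2TR: OP_1 <32-byte x-only key>; the (tweaked) key itself is on chain.
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG. Only a hash is
    # on chain; the key is revealed once the output is spent (address reuse).
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", False
    # P2WPKH / P2WSH: OP_0 <20> / OP_0 <32>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False
    return "unknown", False  # unrecognised script: flag for manual review

def exposed_balance(utxos) -> float:
    """Sum the BTC held in outputs whose script already exposes a key.
    utxos: iterable of (scriptPubKey hex, amount in BTC)."""
    return sum(amt for spk, amt in utxos if classify_script_pubkey(spk)[1])

# Constructed sample UTXO set: a 50 BTC P2PK coinbase-style output, then
# P2PKH, P2WPKH and P2TR outputs.
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 50.0),
    ("76a914" + "22" * 20 + "88ac", 1.5),
    ("0014" + "33" * 20, 0.25),
    ("5120" + "44" * 32, 2.0),
]

if __name__ == "__main__":
    for spk, amt in SAMPLE_UTXOS:
        print(f"{amt:>6} BTC", *classify_script_pubkey(spk))
    print("BTC in outputs that already expose a key:", exposed_balance(SAMPLE_UTXOS))
```

Run over a full UTXO snapshot, `exposed_balance` gives the P2PK-plus-Taproot figure a freeze or Hourglass-style proposal would actually govern, while hash-based outputs only join that set once their owner spends from them.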

Can we freeze the coins but let the rightful owner reclaim them?

Another partial solution is to freeze the quantum-vulnerable coins and then design a mechanism for the genuine owner to retrieve them.

Ethereum’s post-quantum team has been working on a solution that involves the owner of frozen coins proving ownership of the seed phrase using zero-knowledge proofs. They could then move the coins to a safe address.

BitMEX Research has outlined a very similar method for Bitcoin using ZK proofs. While this could help for coins lost in the past 10 years, it won’t work for the considerable number of OG coins in addresses that predate seed phrases.

For those addresses, the owners would need to “pre-commit” prior to Q Day, which is a non-starter for lost coins.

BitMEX Research concluded that none of the available options was appealing:

“These possible post-quantum freeze recovery systems are not without their downsides. For example, they may be complicated, involve significant softfork protocol upgrades and be burdensome on node operators, including new possible DoS vulnerabilities. However, if we are going to do a freeze, they may at least be something worth considering. At least it is an interesting thought experiment.”

The best solution for Satoshi’s coins is also the simplest. Satoshi should move them out of harm’s way.

“I’m really happy about it,” says Antonio Sanso from Ethereum’s post-quantum team.

“We’ll probably discover if Satoshi Nakamoto is either alive or gave the seed to someone!”

Also read: Bitcoin may take 7 years to upgrade to post-quantum: BIP-360 co-author
