Roughly a quarter of all bitcoin is exposed to a quantum attack: it sits in outputs whose public keys have already been revealed on the blockchain. But if that much of the supply is at risk, a deeper question follows: does confidence in Bitcoin's security as a whole survive?
Picture waking up, checking your phone, and seeing your bitcoin balance at zero. Not just your cold storage, but your exchange balances too. Gone. Overnight, countless UTXOs drained in a quiet, coordinated attack.
It sounds dramatic, but an event like this would be more than simple theft. It would be a direct attack on Bitcoin's value, a public signal that its underlying cryptography can no longer be trusted. A state actor might attempt something like this, not only to take coins but to destroy trust and deliberately cause chaos.
Not every attacker would be so conspicuous. A more self-interested one might take the opposite approach. With a quantum computer in hand, they could quietly target old UTXOs, draining coins from forgotten or dormant wallets. The goal would be to extract as much as possible before the rest of the world notices.
Whether the attack is loud or quiet, fast or slow, the end result is much the same. The assumptions that secure Bitcoin no longer hold in a post-quantum world. The mathematics that has protected Bitcoin since its beginning could be broken at any moment by a machine none of us has seen yet, but which we know to be theoretically possible.
What Quantum Computers Actually Break
A quantum computer is not just a faster version of the computers we have today. It is a fundamentally different kind of machine. For most tasks it would not beat a conventional computer by much. But for a few very specific problems it would have enough power to break many of the cryptographic schemes we depend on.
Bitcoin's digital signatures today, both Schnorr and ECDSA, rely on what is called the discrete logarithm problem. Think of it as a mathematical one-way street. Going one way is easy, going back is extremely hard. You can take a private key and produce a public key or a signature, but doing the reverse, deriving the private key from the public key, is practically infeasible. That is why publishing your public key on the blockchain is safe: nobody can work backwards from it to your private key.
With a sufficiently powerful quantum computer, that assumption collapses. Using Shor's algorithm, a quantum attacker could solve the discrete logarithm problem, and the one-wayness no longer holds: given any public key on the blockchain, the attacker can derive the matching private key.
Hard Decisions, Big Trade-offs
There are no perfect solutions here. Any plan to protect Bitcoin from quantum attacks involves real trade-offs. Some are technical, others social. All of them are hard.
One option is to introduce a new output type that uses only post-quantum signatures. Instead of relying on discrete logarithms, which quantum computers can break, coins would be secured with quantum-safe signature schemes from the start. Anyone sending funds to such an address knows they are opting into stronger, future-proof security.
The big trade-off here is size. Most post-quantum signatures are large, measured in kilobytes rather than bytes; they can be 40-600 times larger than Bitcoin's current signatures. If an ECDSA or Schnorr signature fits in a text message, a post-quantum signature is closer to the size of a small image. They cost more to broadcast and more to store on the blockchain. HD wallets, multisig setups and even basic key management become harder or stop working altogether. Threshold signing with post-quantum signatures is still an open research problem.
A related proposal for a full migration to post-quantum signatures comes from Jameson Lopp, who suggested a fixed four-year migration period. Once post-quantum signatures are introduced, the Bitcoin ecosystem gets several years to move to quantum-safe outputs. After that, coins that have not moved would be treated as lost. It is an aggressive approach, but it sets a clear deadline and gives the network time to adapt before any crisis.
Until the threat becomes more concrete, we would rather keep relying on the cryptography we already trust. But if we all agree that Bitcoin needs a plan, what should it be?
No one wants to rush untested changes into Bitcoin based on unverified assumptions. Rather than bolting on something entirely new, Bitcoin may already have a built-in starting point: Taproot.
Taproot's Hidden Post-Quantum Protection
Taproot, activated in 2021, is best known for improving privacy and efficiency. What many users do not realize is that it could also be the foundation for a smoother transition into a post-quantum world.
Every Taproot output commits to a set of alternative spending conditions that stay hidden. These script paths are never revealed unless they are used. Today most Taproot coins are spent with Schnorr signatures, but those hidden paths can enforce almost anything, including post-quantum (PQ) signature checks.
The idea that Taproot's internal structure could hold up against quantum attacks goes back to Matt Corallo, who first circulated it. More recently, Tim Ruffing of Blockstream Research published a paper showing that this approach is in fact secure: fallback paths inside Taproot remain trustworthy even if Schnorr and ECDSA are broken.
This opens the door to a simple but powerful upgrade path.
Step 1: Add Post-Quantum Opcodes
The first step is to add support for post-quantum signatures to Bitcoin Script. This could be done with new opcodes that let Taproot scripts verify PQ signatures, using algorithms that are currently being standardized and evaluated.
Users could then start creating Taproot outputs with two spending paths:
- The key path keeps using fast, compact Schnorr signatures for everyday spending.
- The script path holds a post-quantum fallback that is revealed only when needed.
Nothing changes in the short term. Coins work as they do today. But if a quantum threat appears, the fallback is already in place.
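As an added illustration (not code from the article, from Blockstream or from Ruffing's paper), the following pure-Python sketch shows the BIP341 commitment such a two-path output relies on: the Schnorr key P is tweaked by a hash of the hidden leaf, so the on-chain output key Q reveals nothing about the fallback until a script-path spend, and the verifier then recomputes Q from the revealed leaf. The PQ opcode does not exist yet, so the leaf uses an OP_SUCCESS byte that BIP342 reserves for future soft forks as a stand-in; the private key and PQ key commitment are constructed for the example. The `mul` routine is also the "easy direction" of the one-way street from the earlier section.

```python
import hashlib
# secp256k1 field prime and generator (BIP340/341 conventions, x-only keys)
P_MOD = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None or q is None: return p or q
    if p[0] == q[0] and p[1] != q[1]: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P_MOD) % P_MOD
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P_MOD) % P_MOD
    x = (lam * lam - p[0] - q[0]) % P_MOD
    return x, (lam * (p[0] - x) - p[1]) % P_MOD

def mul(k, p):
    """Scalar multiplication: the easy direction of the one-way street."""
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def lift_x(x):  # BIP340: the curve point with x-coordinate x and even y
    y = pow((pow(x, 3, P_MOD) + 7) % P_MOD, (P_MOD + 1) // 4, P_MOD)
    return x, (y if y % 2 == 0 else P_MOD - y)

def tagged_hash(tag, msg):  # BIP340: SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def tapleaf_hash(script, leaf_version=0xC0):
    # one-byte compact size suffices for scripts shorter than 253 bytes
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def taproot_output_key(internal_x, merkle_root):
    """BIP341: Q = P + H_TapTweak(P || root) * G, as (x-only Q, y parity)."""
    t = tagged_hash("TapTweak", internal_x.to_bytes(32, "big") + merkle_root)
    q = add(lift_x(internal_x), mul(int.from_bytes(t, "big"), G))
    return q[0], q[1] & 1

def verify_script_path(output_x, parity, internal_x, leaf_script):
    """Spend-time check (one-leaf tree): recompute Q from the revealed leaf."""
    return taproot_output_key(internal_x, tapleaf_hash(leaf_script)) == (output_x, parity)

# Constructed wallet: a Schnorr key for the cheap key path, plus a hidden leaf
# "<32-byte PQ key commitment> OP_SUCCESS187". 0xBB is an OP_SUCCESSx opcode that
# BIP342 reserves for soft forks; here it stands in for a hypothetical PQ CHECKSIG.
SCHNORR_PRIVKEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
INTERNAL_X = mul(SCHNORR_PRIVKEY, G)[0]
PQ_KEY_COMMITMENT = hashlib.sha256(b"constructed PQ public key").digest()
PQ_FALLBACK_LEAF = bytes([0x20]) + PQ_KEY_COMMITMENT + bytes([0xBB])
OUTPUT_X, OUTPUT_PARITY = taproot_output_key(INTERNAL_X, tapleaf_hash(PQ_FALLBACK_LEAF))
```

Only `OUTPUT_X` appears on chain; a key-path spend never reveals that a PQ leaf exists, while a script-path spend must reveal the internal key and leaf, which is exactly what `verify_script_path` checks.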
Step 2: Activate the Kill Switch
Later, if a large quantum computer is built and the risk becomes real, Bitcoin could disable Schnorr and ECDSA spending.
This kill switch would protect the network by preventing coins in compromised outputs from being stolen. As long as users have moved their coins into upgraded Taproot outputs with post-quantum fallbacks, those coins stay safe and spendable.
The transition would cause some friction, but hopefully less than a last-minute scramble. And thanks to Taproot's hidden script paths, most of the work could happen quietly ahead of time.
Preparing Without Panic
There is no countdown clock for the quantum threat. We do not know when the breakthrough in quantum computing will happen. It could be a decade away or much closer. No one knows.
None of this is simple. There are still open questions about which post-quantum algorithms to use, how to make them efficient enough for Bitcoin, and how to preserve core features like threshold multisig and key derivation. But the most important thing is to start. Ideally not after the first cryptographically relevant quantum computer has been built, but now, while the system is still secure and upgrade paths are still open.
By enabling post-quantum signature support in Bitcoin Script today, we give users time to prepare. Education can happen gradually, without urgency, and users can migrate coins at their own pace. If we wait too long, we lose that luxury. Upgrades made under pressure rarely go smoothly.
Tim Ruffing's research lays out one possible path forward, a plan that uses tools Bitcoin already has. Read his full paper for the details of the approach.
This is a guest post by Kiara Bickers from Blockstream. The views expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
