In most articles and interviews on the subject of quantum computing versus blockchain, I noticed that these pieces, meant to be informational, need some additions and corrections. So here we go.
Additions to “Can Bitcoin Survive Quantum Computers?”
- Note on “optional feature” in ETH upgrade:
As long as it is an option, and not all coins are stored on a quantum resistant address, the blockchain can still be hacked through those vulnerable coins. This will affect the price and thus the users that stored their coins on quantum resistant addresses are still victim of the hack. They’ll still have the same amount of coins, but will it still be worth something?
- “Since quantum algorithms require a digital signature to crack an address, your funds should be safe as long as you use each address only once.” (If you follow the link they provided, please see my addition to The Bitcoin Wiki Page On Quantum Computing)
As explained in the addition to the Bitcoin wiki page, the remark on using addresses only once is incorrect, and so is the first part of the sentence. Shor’s algorithm requires a public key, not a signature, to crack an address. In current BTC address types the public key is hashed, and thus not available in its original form, which means no direct attack on the key is possible. Still, the coins on those addresses are not safe in value. Same as with the ETH optional security: coins can devalue, since unsafely stored coins can still be hacked. (Close to 40% of BTC is stored on addresses with a published full public key.) That hashed public keys give a false sense of security was lately acknowledged by Pieter Wuille, BTC dev, on Twitter, here and here.
This is also acknowledged by Andrew Poelstra in this interview (40:00 and further). He even goes as far as explaining how public keys are exposed in several other ways besides sending transactions, to such an extent that “basically all the public keys are exposed.” “If everybody else’s bitcoins are lost, then […] you have retained all these tokens that are worthless.” That is an acknowledgment of the risk of value decline due to hacks of the percentage of BTC that is not on addresses with hashed public keys.
44:00 “It was never intended as quantum protection. It doesn’t function as quantum protection. There’s sort of this idea out there that it does, but it doesn’t. And even if it did, by the way, it’s very unclear how you would spend your coins again, because you have to reveal the public key to spend the coins.”
Elaborating on the last comment, where it is mentioned that you have to reveal your public key to make a transaction, I wrote an article on all attack vectors in that scenario here: https://medium.com/altcoin-magazine/quantum-resistant-blockchain-and-cryptocurrency-the-full-analysis-in-seven-parts-part-6-769973d3decf
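To make the exposure argument above concrete, here is an added example (my own illustration, not code from the article or from any Bitcoin project) that inventories a constructed set of unspent outputs and splits their value into “public key already on-chain” and “only a hash on-chain”. It assumes the standard rule that P2PK and P2TR outputs carry a public key directly, while pay-to-(witness-)pubkey-hash and script-hash outputs hide the key until the address is spent from. The sample outputs, addresses and values are constructed, and the second function simulates what happens to the tally once a hashed address is spent from, which is the point made at 44:00 above.

```python
from dataclasses import dataclass

@dataclass
class Output:
    """One unspent output. script_type names the output script kind."""
    address: str
    script_type: str
    value_btc: float

# Output kinds whose script carries a public key directly (P2PK: raw key,
# P2TR: tweaked x-only key), so the key is exposed from the moment of receipt.
KEY_ON_CHAIN = {"p2pk", "p2tr"}
# Output kinds that commit only to a hash; the key (or script with keys) is
# revealed in the input that spends from the address.
HASH_ON_CHAIN = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}

# Constructed sample UTXO set (hypothetical addresses and amounts, not chain data).
SAMPLE_UTXOS = [
    Output("addr_p2pk_1", "p2pk", 25.0),     # early-style output, key in script
    Output("addr_reused_1", "p2pkh", 15.0),  # hashed, but address was spent from before
    Output("addr_fresh_1", "p2pkh", 40.0),   # hashed, never spent from
    Output("addr_fresh_2", "p2wpkh", 20.0),  # hashed, never spent from
]
# Constructed set of addresses that have appeared as a transaction input at
# least once; spending revealed the public key in scriptSig / witness.
SAMPLE_SPENT_FROM = {"addr_reused_1"}


def public_key_exposed(out: Output, spent_from: set) -> bool:
    """True if an attacker could read this output's public key from the chain."""
    if out.script_type in KEY_ON_CHAIN:
        return True
    if out.script_type in HASH_ON_CHAIN:
        return out.address in spent_from
    raise ValueError(f"unknown script type: {out.script_type}")


def exposure_report(utxos: list, spent_from: set) -> dict:
    """Split total value into exposed-key and hash-only buckets."""
    total = sum(o.value_btc for o in utxos)
    exposed = sum(o.value_btc for o in utxos if public_key_exposed(o, spent_from))
    return {
        "total_btc": total,
        "exposed_btc": exposed,
        "hashed_only_btc": total - exposed,
        "exposed_fraction": exposed / total if total else 0.0,
    }


def report_after_spending_from(utxos: list, spent_from: set, address: str) -> dict:
    """Re-run the report as if `address` had just been spent from.

    Spending reveals the key, so every remaining output on that address
    (for example change sent back to it) moves into the exposed bucket.
    """
    return exposure_report(utxos, set(spent_from) | {address})


if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT_FROM))
    print(report_after_spending_from(SAMPLE_UTXOS, SAMPLE_SPENT_FROM, "addr_fresh_1"))
```

Running this on the constructed sample gives 40% of the value with an exposed key before any new spend, and 80% once the largest hashed address has been spent from; the same script pointed at a real UTXO export would give a wallet owner or an exchange an honest picture of how much of their balance the “hashed key” argument actually covers.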
- As to the quantum resistant blockchains mentioned in the article:
QRL uses XMSS. Addresses are reusable. XMSS is a mathematically provable quantum resistant signature scheme that will be approved by NIST this year or the next. This approval will include the note that it is only recommended for specific applications that can safely keep state. Blockchain has that capability, but whether it will be specifically mentioned by NIST isn’t a given.
Hcash indeed has the option of quantum resistant security, but also supports current signature schemes, which means this is another project that only gives an option and therefore is not quantum resistant.
IOTA uses WOTS, which means that addresses can only be used once (at this point in time).
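The two properties just mentioned, that a WOTS key may sign only once and that an XMSS-style scheme is only safe if the signer keeps state, are easiest to see in code. The following is an added example written for this article, not code from QRL, IOTA or any NIST reference implementation. It implements a plain Winternitz one-time signature over SHA-256 (w = 16, no WOTS+ masks) and wraps it in a key object that refuses a second signature, plus a minimal key pool with a persisted next-unused index standing in for the state an XMSS-like scheme must keep. Parameter names and the two wrapper classes are my own.

```python
import hashlib
import hmac
import os

W = 16                    # Winternitz parameter: each hash chain has W-1 = 15 steps
N = 32                    # bytes per secret / hash output (SHA-256)
LEN1 = (8 * N) // 4       # 64 base-16 digits cover a 256-bit message digest
LEN2 = 3                  # checksum digits: max checksum 64*15 = 960 < 16**3
LEN = LEN1 + LEN2         # 67 hash chains per key


def chain(x: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times (the Winternitz hash chain)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x


def message_digits(message: bytes) -> list:
    """Base-16 digits of the digest followed by the base-16 checksum digits.

    The checksum sum(W-1-d_i) stops an observer from turning one signature into
    another by only walking chains further forward: raising a message digit
    lowers the checksum, which would need a chain to be walked backwards.
    """
    digest = hashlib.sha256(message).digest()
    digits = []
    for b in digest:
        digits.extend((b >> 4, b & 0x0F))
    csum = sum(W - 1 - d for d in digits)
    csum_digits = []
    for _ in range(LEN2):
        csum_digits.append(csum % W)
        csum //= W
    return digits + csum_digits[::-1]


def keygen():
    """Secret key: LEN random chain starts. Public key: each chain's end."""
    sk = [os.urandom(N) for _ in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk: list, message: bytes) -> list:
    """Reveal node d_i of every chain; that is why a key must sign only once."""
    return [chain(s, d) for s, d in zip(sk, message_digits(message))]


def verify(pk: list, message: bytes, sig: list) -> bool:
    """Walk each signature node the remaining W-1-d_i steps and compare to pk."""
    if len(sig) != LEN:
        return False
    digits = message_digits(message)
    return all(hmac.compare_digest(chain(s, W - 1 - d), p)
               for s, d, p in zip(sig, digits, pk))


class OneTimeKey:
    """A WOTS key that refuses to sign twice: the 'used' flag is its state."""

    def __init__(self):
        self._sk, self.pk = keygen()
        self.used = False

    def sign(self, message: bytes) -> list:
        if self.used:
            raise RuntimeError("one-time key already used; a second signature would "
                               "reveal more chain nodes than one message may expose")
        self.used = True
        return sign(self._sk, message)


class KeyPool:
    """Stand-in for XMSS-style state: many one-time keys and a next-unused index.

    The index is the part that must be persisted safely; if a wallet restores
    from a backup that has an old index, it will reuse a key.
    """

    def __init__(self, count: int):
        self.keys = [OneTimeKey() for _ in range(count)]
        self.next_index = 0

    def sign(self, message: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("key pool exhausted; generate a new pool")
        idx = self.next_index
        self.next_index += 1            # persist this before releasing the signature
        return idx, self.keys[idx].sign(message)

    def verify(self, idx: int, message: bytes, sig: list) -> bool:
        return verify(self.keys[idx].pk, message, sig)
```

The `KeyPool.next_index` line is the whole reason NIST attaches the “can safely keep state” condition: the signature is correct only if that counter is written to durable storage before the signature leaves the device, and an address on a stateful chain is reusable only because the chain itself can serve as that durable record.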
- “Even though quantum-resistant schemes are hard to break, they’re not hard to put in place.”
This is not true. There are no drop-in replacements for current signature schemes. It’s no simple task to implement. In blockchain, there are also several challenges and impossibilities that make it, for example, impossible to protect 100% of its current circulating supply. Existing blockchains also need the compliance of 100% of their users to fully protect their circulating supply. (Which means that as a user, you depend for your security on the actions of millions of other users.) Fully explained in this series: https://medium.com/altcoin-magazine/quantum-resistant-blockchain-and-cryptocurrency-the-full-analysis-in-seven-parts-part-3-f9193634ecc5
- “Practical limitations can also prevent attackers from wreaking havoc on cryptocurrencies.”
The point that hackers might not be able to use quantum computers or that quantum computer use will be highly regulated is an assumption. You could ask yourself if any system is still trusted once a quantum computer has been developed that can break ECDSA. If that level is reached, I doubt anyone would still be comfortable holding value in systems that are not quantum resistant.
- “On top of everything else, cryptocurrencies have time to prepare for quantum threats.”
Will certain cryptocurrencies start implementing these measures in time? That is the question. To answer that question you’d need to have a credible estimate of when quantum computers will be able to break ECDSA. Then you’d need to fill out Mosca’s theorem, adjusted for blockchain as explained here: https://medium.com/altcoin-magazine/an-addition-to-the-bitcoin-wiki-page-on-quantum-computing-and-moscas-theorem-of-risk-f2345e504bb4 (See the header in the middle of the article: “To make a complete and realistic estimate of the expected timeline for upgrading and migration we use Mosca’s theorem of risk determination.”)
The dismissiveness of most devs on the subject at this point in time isn’t very promising, though.
For the full analysis: I wrote a seven part series on the subject.