Bitcoin Q&A: “Quantum supremacy” video here.
Some thoughts on the statements made in this video:
To start things off, Antonopoulos downplays the milestone of quantum supremacy, as if it were nothing special and just a marketing trick. But many have been skeptical that this milestone would be reached at all. Crossing it is a huge scientific accomplishment: it proves that a quantum computer can perform a specific task that no existing classical (super)computer can perform in any realistic and useful timeframe. It emphasizes the progress of quantum computing development. Nobody states that quantum computers can break current cryptography at this point in time, but crossing this milestone is a big deal on its development curve.
“If QCs can break today’s cryptography, the rest of the internet should change cryptography too.”
This doesn’t mean that blockchain is safe. It is presented as an argument to downplay the discussion and ignore the fact that a milestone in QC development has been passed. Development continues, and if quantum computers reach critical levels, BTC and all current blockchains that do not use quantum resistant signature schemes will need to upgrade. Pointing at the rest of the internet is a smokescreen in several ways:
1. If your house is on fire, will you point at your neighbour’s house instead of putting out the fire at your own house?
2. The idea that others are as dismissive as the average blockchain dev is not realistic. Big companies are already experimenting with quantum resistant cryptography.
- Take Google for example: they have been experimenting with quantum resistant cryptography since 2016. Here is the Google Online Security Blog about their experiment with the NewHope system in their Chrome browser. And here Cloudflare — Google Chrome.
- ABN Amro bank’s efforts on quantum resistant security. (They won’t be the only ones researching and preparing.)
- Huawei is also starting efforts to add quantum resistant communication systems to their network.
3. The comparison is off. Upgrading centralized systems is very different from upgrading decentralized systems. You can’t compare the upgrade process of a blockchain with that of the rest of the internet. Banks, websites etc. are centralized systems. They will face challenges, but decentralized systems like blockchains will face some extra challenges that won’t apply to centralized systems. If we ever get to the point where time is of the essence, decentralized systems will have the disadvantage of these extra (time consuming) challenges.
- Updating the signature scheme will need consensus, in the sense that all nodes need to update after implementation of a quantum resistant signature scheme. Consensus on the result (quantum resistance) is at some point a given, but consensus on the method (which signature scheme, and how to implement it) will be up for debate.
- Users of a blockchain will personally need to move their funds from old addresses to new quantum resistant addresses. Millions of people will need to complete this task before BTC is actually safe from quantum hacks. (The same goes for other blockchains.) In the case of banks, users won’t need to move their funds; the process will be done automatically behind the user interface.
- Lost addresses, where people have lost access to their funds, will never be moved and will stay vulnerable to quantum hacks.
These are all issues specific to blockchains and not to banks, websites or any other centralized system. Full analysis here.
Signature schemes can be upgraded.
Yes, but in light of this discussion we should not focus on only a small part of the solution, but on the complete story. It is a huge simplification to say one could easily upgrade the BTC signature scheme and become quantum resistant. There are several time-consuming phases that need to be completed (some of which are discussed above):
1. Choice of the signature scheme. QR crypto will influence performance.
2. There is no drop-in replacement, and implementation will demand more than just copy and paste.
(If we look at Schnorr, we see that phases 1 and 2 have been an ongoing process for over 3 years.)
3. Consensus will need to be reached on which of the proposals to implement AND when to implement it. There is a lot of scepticism about the time frame of quantum computing development. This will delay consensus.
4. User migration. After an upgrade, all existing coins are still not quantum resistant. They are still accessible through the old, insecure signature scheme. All coins must be migrated to new quantum resistant addresses for full protection. If vulnerable coins get hacked, these events will influence the price of all coins, including the coins that have already moved to quantum resistant addresses.
5. Lost addresses. Coins on addresses with lost private keys can never be moved and will stay vulnerable to quantum hacks forever. A choice will have to be made to either set a deadline or leave these coins vulnerable to hacks.
6. Time factor. All this takes time. “We’ll just upgrade once they get close” is a fallacy. This discussion and process needs to start way ahead of any form of a threat. For an analysis of a plausible timeframe, see: “Going quantum resistant in blockchain: a plausible timeframe?”
Hashed public keys give protection against quantum computers.
The idea that this gives you protection once QCs can break ECDSA is incorrect.
1. “So the only time the public key is shown, is when even if you exploit it, you get nothing because there is no money in it anymore.” This contradicts what Antonopoulos says a few seconds later, where he confirms that the public key is exposed before that point. As soon as you send a transaction, your public key is published in full. This opens up attack vectors. BTC transactions are not instant: he himself mentions the 10 minute block time as a window of opportunity. So before the public key is registered on the blockchain, it has already been made public. The weakness lies in the moment the full public key is exposed, which is even before the 10 minute block time starts ticking: it happens as soon as a transaction is sent from a user’s device. Once QCs can derive private keys from public keys, this opens up a series of attack vectors, the most serious being MITM attacks, which in combination with blocking the intercepted transaction open a window that can be far bigger than 10 minutes. See the explanation here.
2. Adding to that, and maybe even more important: you are not alone. The value of your BTC is obviously linked with the rest of all BTC. Keeping your personal BTC safe (if there were an actual safe option to do so) only guarantees your personal amount of BTC, not the value of that BTC. If other BTC gets hacked, you have protected your amount of BTC while it has plummeted in value just like the rest of BTC. Recently Pieter Wuille, BTC dev, acknowledged this on Twitter, here and here. This is also acknowledged by Andrew Poelstra in this interview (40:00 and further).
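To make the exposure point in item 1 concrete, here is an added example (not code from the original post, nor from any Bitcoin implementation) that audits a constructed UTXO set the way a node or wallet could: it pulls the public key out of a P2PKH scriptSig as soon as the spending transaction is in the mempool, and also flags every other unspent output of the same address as exposed, since address reuse loses the hash protection for all of them. All outpoints, hashes and keys are constructed placeholders, and the push parser handles direct pushes only.

```python
from __future__ import annotations

# Constructed model: the UTXO set maps an outpoint (txid, vout) to the 20-byte
# HASH160 from its P2PKH scriptPubKey; a mempool input is (outpoint, scriptSig),
# and a P2PKH scriptSig is <push sig> <push pubkey>: the full key becomes public.

def parse_pushes(script: bytes) -> list[bytes]:
    """Split a script made only of direct pushes (opcodes 0x01..0x4b)."""
    items, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 0x4B or i + 1 + n > len(script):
            raise ValueError(f"unsupported or truncated push at offset {i}")
        items.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return items

def pubkey_from_scriptsig(script_sig: bytes) -> bytes:
    """The second push of a P2PKH scriptSig is the full SEC-encoded public key."""
    pushes = parse_pushes(script_sig)
    if len(pushes) != 2:
        raise ValueError("not a P2PKH scriptSig")
    pk = pushes[1]
    if not ((len(pk) == 33 and pk[0] in (2, 3)) or (len(pk) == 65 and pk[0] == 4)):
        raise ValueError("second push is not a public key")
    return pk

def exposure_report(utxos: dict[tuple[str, int], bytes],
                    mempool: list[tuple[tuple[str, int], bytes]],
                    already_exposed: set[bytes]) -> dict[tuple[str, int], str]:
    """hashed = key still hidden; in_mempool = being spent now, key public but
    unconfirmed; reused = an earlier spend from the same address revealed it."""
    exposed, spending = set(already_exposed), set()  # already_exposed: confirmed spends
    for prevout, script_sig in mempool:
        if prevout in utxos:                    # only inputs that spend our UTXOs
            pubkey_from_scriptsig(script_sig)   # confirm the key really is in there
            exposed.add(utxos[prevout])
            spending.add(prevout)
    return {op: "in_mempool" if op in spending else "reused" if pkh in exposed
            else "hashed" for op, pkh in utxos.items()}

def demo() -> dict[tuple[str, int], str]:
    # Constructed sample data, not real chain data.
    pkh_a, pkh_b = b"\xaa" * 20, b"\xbb" * 20
    utxos = {("t1", 0): pkh_a,   # spent by the mempool transaction below
             ("t2", 1): pkh_a,   # same address reused, still unspent
             ("t3", 0): pkh_b}   # never spent from, key still hashed
    pk, sig = b"\x02" + b"\x11" * 32, b"\x30" + b"\x44" * 70  # placeholder key and sig
    script_sig = bytes([len(sig)]) + sig + bytes([len(pk)]) + pk
    return exposure_report(utxos, [(("t1", 0), script_sig)], set())
```

Outputs reported as "reused" are the ones a wallet should migrate first, because their key is already on chain regardless of what the owner does next.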
We are nowhere near the level of quantum computing needed.
The thing is that there is no way of knowing this. The estimates are all over the place. We do not know how much time we have left, nor do we have any substantiated estimate of how much time we need to get Bitcoin to a fully quantum resistant form (or of the time needed for other blockchains that still need to upgrade). Posting another video stating that we don’t have anything to worry about isn’t getting us any closer to a concrete plan. The hazard, and the security disaster it would create if we get the timeframe wrong, is of such significance that one can’t afford to take any gambles.
How about the nuke codes?
The idea that these types of keys are not quantum resistant yet is quite unlikely. The NSA has been announcing since 2015 that it worries about QCs breaking current cryptography. In August 2015, the NSA announced that it is planning to transition “in the not too distant future” to a new cipher suite that is resistant to quantum attacks. If you think that changing this type of high level security data is not happening anytime soon or has not happened yet, you miss a certain level of realism. The nuke code mention is just an unrealistic attempt to de-FUD.
“Eventually everyone can use quantum computing on their laptop or mobile device.”
No. Not very likely. And no, we don’t need quantum computers for protection. There are quantum resistant signature schemes available today, working just fine on today’s hardware and in blockchains. XMSS is pretty much approved by NIST.
The threat only exists if very few people have quantum computers.
Once it is proven that an existing quantum computer can break ECDSA, it will no longer be considered safe to store any valuable data on systems that still use ECDSA, even if that is just one single known quantum computer. If Bitcoin is still using ECDSA at that point in time, it won’t be a very positive factor for its popularity in the near future. And even in the unrealistic scenario where just anyone has access to quantum computing, BTC would still need to change its signature scheme.
Let’s be realistic and acknowledge that quantum computing has the potential to become a serious issue for Bitcoin and other existing blockchains. Either you are convinced quantum computing won’t be a threat within the next 20 or 30 years, or you acknowledge the possibility of a faster development curve. If the first option is your position, smokescreen arguments are not necessary: you simply wouldn’t need to address the issue for the next 5 years at all. But if the second option is your position, drop the de-FUDding. Smokescreen arguments actually hurt any serious form of discussion, are misleading and stand in the way of people taking the issue seriously. They delay the development, support and implementation of a real solution.