If you have read part 3 of the series “Quantum resistant blockchain and cryptocurrency, the full analysis in seven parts.”, you could decide to skip the first part of this article and go straight to the header:
“To make a complete and realistic estimate of the expected timeline for upgrading and migration we use Mosca’s theorem of risk determination.”
Because I feel the Bitcoin Wiki page on quantum computing is missing some crucial information, I decided to add some balance.
If you want some information about the advancement and expectations in quantum computing development, it’s not a bad idea to take a look at some statements from the companies that do the actual development. Reading those, we see that a huge speedup in development is expected.
- “It should be about 5 years to 1000 qubit chips with superconducting technology. It should be about 10 years to million qubit chips.” (Jim Clarke, Intel’s quantum hardware director. Full interview here.)
- “And a million-physical-qubit system, whose general computing applications are still difficult to even fathom? It’s conceivable, says Neven, “on the inside of 10 years.” (That is Hartmut Neven of Google’s quantum computing effort.)
- IBM believes quantum computers will be mainstream in 5 years. (Meaning outside of research labs, but not necessarily in the living rooms of the average Joe. No number of qubits is mentioned, though.)
- “Five years from now, we will have a commercial quantum computer,” says Microsoft’s Holmdahl.
- And those are just the commercial companies. The Pentagon sees quantum computing as the next arms race. China is about to pump $10 Billion into a research center. They won’t be as open about their developments as Google and the others. It’s not a bad idea to start looking for solutions and new opportunities in blockchain.
- This paper estimates ECDSA could be at risk as soon as 2027.
Besides the development of quantum computers themselves, we shouldn’t forget about other advancements that bring the breaking of current signature schemes closer. Algorithms are being developed that are less sensitive to error rates, existing algorithms are reinvented and/or improved, and new ways of deployment are discovered. For example, this optimized version of Shor’s algorithm for prime factoring factors 2048 bit RSA integers in 8 hours using 20 million noisy qubits. The previous method was about 100 times slower. This shows the importance of these kinds of developments, since they also advance a critical timeline.
Reviewing the above doesn’t mean that ECDSA will be broken in a few years, but reading the statement on the Bitcoin Wiki page that ECDSA keys will quite likely be safe until at least 2030–2040 hints at a certain degree of bias in the writing of that Wiki article. As it is written now, it implies that any action or discussion on the subject is unnecessary at this point in time.
But if we look at the statements of the most authoritative entities on security, we see that all of them state that the critical date is impossible to predict. A sudden advancement in development cannot be excluded or dismissed, and neither can decades of slow development be guaranteed. At the same time, all of them acknowledge that reaching this critical level in quantum computing would have catastrophic implications, and that the time needed to realize a quantum resistant upgrade is of such uncertain length that action should not be postponed.
The National Academy of Sciences (NAS) 2018:
- “Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough — and the time frame for transitioning to a new security protocol is sufficiently long and uncertain — that prioritization of the development, standardization, and deployment of post-quantum cryptography is critical for minimizing the chance of a potential security and privacy disaster.”
The NAS, also in their report on quantum computing:
- “No information regarding any nation-state’s classified activities was made available to the committee. As a result, while the committee believes its assessment to be accurate, it recognizes that the assessment is necessarily based upon incomplete information, and it does not preclude the possibility that knowledge of research outside the arena of open science (either privately [ed.: commercially] held or classified by a nation-state) might have altered its assessment.”
National Security Agency (NSA) 2015:
- NSA announced that it is planning to transition “in the not too distant future” (statement of 2015) to a new cipher suite that is resistant to quantum attacks.
- “Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy.”
- “For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.”
Federal Register (The daily journal of the United States Government) 2016:
- “In particular, quantum computers would completely break many public-key cryptosystems, including those standardized in FIPS 186–4”
And as you know, BTC uses ECDSA as its signature scheme. ECDSA is specified in the FIPS 186–4 standard (NIST, FIPS 186–4).
The National Institute of Standards and Technology (NIST) 2016:
- “it appears that a transition to post-quantum cryptography will not be simple as there is unlikely to be a simple “drop-in” replacement for our current public-key cryptographic algorithms. A significant effort will be required in order to develop, standardize, and deploy new post-quantum cryptosystems. In addition, this transition needs to take place well before any large-scale quantum computers are built, so that any information that is later compromised by quantum cryptanalysis is no longer sensitive when that compromise occurs. Therefore, it is desirable to plan for this transition early.”
In the next part I explain why they advise starting to seriously prioritize the development, standardization, and deployment of post-quantum cryptography, and how this can be applied to cryptocurrency.