You can read the first part here. (Development timeline and advice from the NSA, NIST, the NAS, Federal Register)
The reason they advise starting to seriously prioritize the development, standardization, and deployment of post-quantum cryptography is threefold:
1. The hazard, and the security disaster it would create, is of such significance that one can’t afford to take any gambles.
2. Public, universal analysis of a possible critical date can only be done with public information. Because huge interests are at stake (commercially and strategically), not all developments will be shared publicly, so a risk assessment should assume a blind spot. In practice this means seriously considering that the estimate would move to an earlier date if all the information had been available for the analysis of the development curve.
3. Implementing new cryptography takes time. The needed timeframe depends on the system, so it should be analysed for that system. Without such an analysis there is no way to make a complete risk analysis that sets the expected implementation time against the expected time the risk will materialize.
If We Apply This To Blockchain And Cryptocurrency:
1. A passive attitude could, if the timing is wrong, similarly result in a disaster where coins lose close to 100% of their value due to security risks and possible hacks.
Bitcoin Wiki acknowledges this.
2. The same uncertainty on developments applies, which means a suitable margin should be taken in timeline estimation.
Considering the information above, where companies predict huge speed-ups in development and the named organizations stress the uncertainty of any timeline, BitcoinWiki’s position that ECDSA keys are safe until at least 2030–2040 is open to debate.
3. A serious estimation of the implementation period should be made.
Aside from any discussion of the period within which the threat might materialize: if you want to make any sort of risk assessment, you absolutely need an estimate of the implementation period. This is missing from the Bitcoin wiki page.
To even begin estimating this period, we need more clarity on the method of upgrading BTC (or any other existing blockchain). BitcoinWiki mentions a soft fork, after which everyone should send their BTC to the newly available address type. This is presented as an easy fix, but it leaves out the hard parts:
Even though they do acknowledge that there is no plug-and-play replacement for current signature schemes, the effort of actually implementing any of the existing quantum-resistant algorithms is not emphasized. This is an important time factor.
Besides the preparation period, which will take time (researching the options, redesigning, proposing different options), three important issues are not mentioned:
1. The need for consensus. Consensus on the result, a quantum-resistant Bitcoin, will be reached easily, but the choice of method (the type of signature and the method of implementation) will yield several options and may still make consensus hard to reach. Lamport signatures are currently mentioned as a favorite, but that is no guarantee of consensus, since there is no information on how they will affect performance and how mining rigs will need to adjust. Another important factor for consensus is the moment of implementation. Many might feel an early implementation is premature, which increases the risk that time will be short once the threat is imminent. The following two factors show that an additional period after implementation might be crucial.
2. As acknowledged in the Bitcoin wiki page, the human factor plays a part in the upgrade of the blockchain: after the blockchain has been upgraded, all coins must be migrated to new quantum-resistant addresses by the users personally. What is missing is the emphasis that if part of the users fail to migrate their coins, the value is at risk of declining due to possible hacks. The bigger the percentage of coins on old vulnerable addresses, the bigger the security risk. The MtGox hack of 2011 caused an immediate drop of 49% and a 93% drop over 5 months. That was 2,000 stolen BTC (0.04% of the circulating supply back then) hacked from an exchange, not from BTC itself. In this case, it will be the blockchain itself that is hacked. The migrated coins will be safe in number, but not in value, since a hack of other coins will trigger a negative market reaction, as any blockchain hack does. This is an important point because it means that you, as a user, depend on the actions of all other users to secure your valuables. At this point in time that is estimated to be around 7 million users, including about 700,000 addresses that hold more than 1 Bitcoin. So, security-wise, as a user you depend on an enormous group of other people paying attention to developments, understanding the necessity, understanding the need for personal action after BTC itself has already upgraded to quantum resistance, and behaving responsibly, proactively and fast.
3. What is totally missing is the issue of lost addresses. (Users who have lost their keys can’t access their coins anymore, which means those coins can never be moved to quantum-resistant addresses, can therefore never be protected, and will stay vulnerable to quantum attacks forever.) Combining the human factor with the issue of lost addresses, we can conclude that it is impossible for existing blockchains to upgrade and successfully protect 100% of their current circulating supply, because not all coins will be migrated to safe quantum-resistant addresses. Technically those coins could be burned, but since it is impossible to determine with certainty that stagnant coins are lost coins rather than long-term holdings, burning would be a risk: people’s actual funds could be burned with them. This means either that a huge percentage will be vulnerable forever, or that the risk of burning those coins must be accepted. If the decision were taken to burn any leftover coins, a fixed period would legally need to be set as a deadline, which would add time to the possibly already tight timeline. This period should be long enough to hold up in court if any coins that should not have been burned are burned and the owners sue the developers responsible.
Take into account that 36% of the circulating supply is on addresses with exposed public keys, and that about 20% of BTC is on lost addresses (second source here); another study reached the same conclusion: Chainalysis concluded that between 17% (low estimate) and 23% (high estimate) of BTC was lost at the time of publishing.
Those lost addresses include the Satoshi addresses (with P2PK UTXOs: these are the older addresses from the period when public keys were not hashed but published in full).
We can only conclude that a huge percentage of BTC is vulnerable to a hack, and that this is a huge elephant in the room that BitcoinWiki chooses to ignore.
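To make the exposed-public-key point concrete, here is an added example (not code from the original post or from Bitcoin Core) that classifies raw scriptPubKeys as P2PK or P2PKH and sums the value whose public key is already visible on-chain: P2PK outputs always expose it, and a P2PKH output exposes it once the same key has signed an earlier spend (address reuse). The keys, hashes and amounts are constructed placeholders, and the set of hash160 digests already revealed by earlier spends is assumed to be supplied by the caller.

```python
# Bitcoin script opcodes used by the two legacy output types.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


def classify(script: bytes) -> str:
    """Return 'p2pk', 'p2pkh' or 'other' for a raw scriptPubKey."""
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG  (public key is on-chain in full)
    if (len(script) >= 2 and script[0] in (33, 65)
            and len(script) == script[0] + 2 and script[-1] == OP_CHECKSIG):
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (len(script) == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    return "other"


def exposed_value(utxos, revealed_hashes):
    """Sum the satoshis held by outputs whose public key is already exposed.

    utxos: iterable of (scriptPubKey bytes, value in satoshis).
    revealed_hashes: set of hash160 digests whose public key has already
    appeared in a spend (address reuse). Returns (exposed_total, total).
    """
    exposed = total = 0
    for script, value in utxos:
        total += value
        kind = classify(script)
        if kind == "p2pk" or (kind == "p2pkh" and script[3:23] in revealed_hashes):
            exposed += value
    return exposed, total


# Constructed sample data: placeholder key bytes and hashes, not real chain data.
PUBKEY = bytes([0x02]) + bytes(range(1, 33))           # 33-byte placeholder
HASH_A = bytes(range(20))                              # placeholder hash160
HASH_B = bytes(range(20, 40))
P2PK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + HASH_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_UTXOS = [(P2PK, 50_00000000), (P2PKH_A, 10_00000000), (P2PKH_B, 40_00000000)]
SAMPLE_REVEALED = {HASH_A}   # address A has spent before, so its key is public

if __name__ == "__main__":
    exposed, total = exposed_value(SAMPLE_UTXOS, SAMPLE_REVEALED)
    print(f"{exposed / total:.0%} of sampled value sits on exposed-key outputs")
```

Run against a real UTXO set, the same walk gives the share of supply that would need to move before a quantum-capable attacker could target it, which is the figure the 36% estimate above describes.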
So those are the factors we need to take into account to make any serious estimate of the timeframe for taking BTC from vulnerable to quantum attacks to fully quantum secure.
In the next part, we apply this information to Mosca’s theorem of risk determination.