Consider the black swan case: unexpectedly fast, some entity turns out to have a quantum computer of critical level.
In the unrealistic best case scenario, where a blockchain is able to implement post-quantum cryptography in a short amount of time, all coins would still have to be migrated to quantum resistant addresses. But even that migration is already vulnerable at that point, because the migrating transactions themselves can be hijacked. Hijacking of transactions, during or before the transaction, will be explained in the next article.
So if a project postpones implementation until after quantum computers reach that critical level, it might be too late for that particular project altogether. On a blockchain that publishes full public keys, all keys are exposed and all funds are at risk right away, because a quantum computer can derive the private key from the public key. On a blockchain where public keys are only published in hashed form, the funds are safe as long as they are not moved. (Remember, not even a quantum computer can derive the original public key from the hash of that public key.) But the funds are then stuck: you can't spend them safely, yet you can't transfer them to a safe address either, because the transaction that sends them from the old, non-quantum-resistant wallet with its old keypair can be hijacked.
The only safe way to transfer funds at a time like that is the one proposed in this paper: the proof of knowledge option, for which a lock period of 6 months is proposed.
What is proposed is this. A quantum resistant signature scheme is implemented. A user creates a quantum resistant wallet and thereby obtains a quantum resistant keypair. He then publishes a commitment: the hash of his old public key, his new quantum resistant public key and the amount he wants to send to the new quantum resistant key. Because it is published in hashed form, no one can read the contents of the commitment. Under the new protocol rules, any further attempt to use the old keypair without pointing to a published commitment fails. Later, when spending, he points in his transaction to the earlier published commitment and proves he is the owner of the funds, because only he could have published that hash of the committed transaction from old public key to new public key; after all, the old public key was known only to him. What remains is to make sure no one can hijack this second transaction by reorganizing blocks in such a way that a published commitment can be forged. The paper calculates that the feasibility of block reorganization attacks, such as 51% attacks or selfish mining attacks requiring a smaller fraction of the overall computational power, is significantly increased for quantum-capable adversaries. So to prevent block reorganization there has to be a delay phase: after the commitment is published, you have to wait a certain period before you can safely spend your funds. This period is calculated to be 6 months. Yes, a period of six months. That period could be reduced, but any period of locked funds creates a huge downside for any blockchain.
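As an added illustration, not code from the original post or from the paper, here is a toy Python simulation of the commit, delay and reveal steps described above, including the rule that a reveal made before the delay has elapsed is rejected and that a second commitment for an already migrated old key cannot hijack the funds. The delay value, the key bytes and the rejection messages are all constructed for the example; a real deployment would express the six months in blocks of the chain in question.

```python
import hashlib

DELAY_BLOCKS = 26_000  # hypothetical placeholder for the six-month lock period, in blocks

def make_commitment(old_pubkey: bytes, new_pq_pubkey: bytes, amount: int) -> bytes:
    """H(old public key || new post-quantum public key || amount). Only the holder of
    the still-unpublished old public key can produce this preimage, and the hash
    reveals nothing about the keys until the owner opens it."""
    return hashlib.sha256(old_pubkey + new_pq_pubkey + amount.to_bytes(8, "big")).digest()

class Ledger:
    """Minimal chain state: height, published commitments, already-migrated old keys."""
    def __init__(self):
        self.height = 0
        self.commitments = {}  # commitment -> height at which it was first published
        self.migrated_old_keys = set()
    def mine(self, blocks: int = 1):
        self.height += blocks
    def publish_commitment(self, commitment: bytes):
        # First publication wins; republishing the same hash cannot shorten the delay.
        self.commitments.setdefault(commitment, self.height)
    def reveal(self, old_pubkey, new_pq_pubkey, amount, commitment) -> str:
        """Spend from the old key to the new post-quantum key by opening the commitment."""
        if commitment not in self.commitments:
            return "rejected: unknown commitment"
        if make_commitment(old_pubkey, new_pq_pubkey, amount) != commitment:
            return "rejected: preimage does not match commitment"
        if self.height - self.commitments[commitment] < DELAY_BLOCKS:
            return "rejected: delay phase not elapsed"
        if old_pubkey in self.migrated_old_keys:
            return "rejected: old key already migrated"
        self.migrated_old_keys.add(old_pubkey)
        return "accepted"

def demo():
    old_pk, pq_pk = b"constructed-old-pubkey", b"constructed-pq-pubkey"  # constructed sample keys
    ledger = Ledger()
    c = make_commitment(old_pk, pq_pk, 50)
    ledger.publish_commitment(c)
    early = ledger.reveal(old_pk, pq_pk, 50, c)  # rejected: delay phase not elapsed
    ledger.mine(DELAY_BLOCKS)
    ok = ledger.reveal(old_pk, pq_pk, 50, c)     # accepted
    # The reveal exposed old_pk. An adversary who derives its private key can only
    # publish a new commitment, which must itself wait DELAY_BLOCKS; by then the old
    # key is already marked as migrated, so the hijack attempt is rejected.
    hijack_c = make_commitment(old_pk, b"attacker-pq-pubkey", 50)
    ledger.publish_commitment(hijack_c)
    ledger.mine(DELAY_BLOCKS)
    hijack = ledger.reveal(old_pk, b"attacker-pq-pubkey", 50, hijack_c)
    return early, ok, hijack
```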
Conclusion: the switch to a quantum resistant signature scheme comes with challenges that should not be underestimated. Implementing a quantum resistant signature scheme from launch, i.e. from the genesis block as QRL has done, obviously makes these challenges non-existent. For existing blockchains, fully quantum-protecting their current circulating supply is going to be impossible.
In part 6 I will describe why BTC is not quantum resistant, not even if you never re-use addresses, and why it will be vulnerable sooner than expected.