Thanks Nic for rounding out my list of untouchable Thanksgiving Day conversations. Quantum, Politics, Religion, A.I., and Crypto. My in laws won't know what hit them.
Nic fucking Carter always here for us plebs. thanks
Great writing, as ever. The thought of hardcoded satellites becoming vulnerable is some excellent sci-fi food for thought.
This is sensational stuff, I don’t think anyone has brought together the various parallels of thought re QC and cryptography and BTC.
The implication outside of the BTC bounty is surely anything and everything today with an iota of dependency on classical cryptography should be avoided without being Q-Day ready. Furthermore, can’t help but be a bit worried that governments are only PQ prototype/standards ready post 2027 let alone implementation. The convex/exponential scenario says otherwise. Perhaps the shield can’t exist before the sword anyway?
Either way, I would even go as far as to argue that the BTC bounty is an appropriate reward and an excellent function at the cross section of capitalism and Darwin’s theory. Whoever cracks it deserves the bounty. What are the societal benefits of a few (hundred?) thousand people losing wealth to cracking QC? The real life train dilemma but with money.
Keen to read the next instalment!
I am actually inclined to agree with you. I think a one-time transfer of, say, 1m Bitcoin to whoever develops useful QC first is survivable for BTC. Whereas if Bitcoiners panic and there are competing hard forks aiming to immobilize the BTC, that might end up being worse overall.
Learned a lot, thanks Nic. And 100% agreed. Offering Satoshi’s coins as a one time reward for this level of innovation is about as capitalist as you can get. Burning the coins or migrating to a new chain is the opposite. It’s the same as the filters argument. Who controls the filters and why should they be in charge? Who says who gets Satoshi’s coins? Answer: no one “should”. Let the free market decide.
OK so I'm super baffled about this address hygiene thing. Are there wallets that automate doing this correctly? Like, if you are using a Trezor or a Ledger to store your coins, are you following "good hygiene"?
I confess this is where I get confused. I can't quite picture the BTC and private key relationship.
Say you buy some BTC on an exchange and send it to your hardware wallet. You send it to one address, right?
I know it generates a new one every time you receive, that seems clear.
But does it also make a new one every time you send any? That's the part that I'm confused about.
Anyway, zoomed out, I'm convinced that this is a problem that bitcoiners should take seriously and I'm going to write something about it next week. But... that part about how to be hygienic has me scratching my head a little. I've run up against the limits of my comprehension there.
Frankly, it's all a bit like rearranging the deck chairs on the Titanic.
The address hygiene stuff matters if you think a QC is going to attack out of nowhere before Bitcoin is ready. In that case, it doesn't really matter if you sanitized your addresses, because a) the attacker isn't after you anyway and b) Bitcoin just fell 95% in one hour.
Realistically, Bitcoin needs to move to PQ address types soon, and virtually everyone will have to migrate (because short range attacks are still a risk even with the "right" kind of addresses). There's no real other option.
How does multisig affect the ability of a CRQC to attack public key addresses? Or, more generally, Multi-Party Computation (MPC), where private keys can be randomly distributed to multiple users?
Multisig addrs are "safe" on the micro level if they are in something like pay to script hash. But realistically, the value stored in those coins is not safe if Bitcoin doesn't quickly adapt, because the price will suffer a lot if there's a break, even if those specific addresses are secure.
For details on vulnerability by address see the section entitled "The creation of a CRQC would be bad for Bitcoin" (CTRL+F BIP360 for the table)
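An added example to make the address-hygiene thread and the multisig question above concrete. This is not code from the post, from Nic, or from any wallet vendor; it is a toy UTXO scanner that walks a constructed ledger and reports, for every unspent output, whether the public key guarding it is already readable on-chain (a P2PK or taproot output carries the key in its script; a P2PKH or P2SH output hides it behind a hash until the first spend reveals it). Assumptions: `h20()` stands in for Bitcoin's HASH160 (RIPEMD160 of SHA256) using SHA256 truncated to 20 bytes so it runs without a RIPEMD160 provider; the keys, signature, redeem script and transactions are constructed placeholders, not real curve points. The scenario follows the question in the thread: a deposit to address A, a spend from A whose change goes to a fresh address B (what a standard BIP32 hardware wallet does by default), then a later deposit that reuses A.

```python
"""Toy UTXO scanner: which live outputs already show the public key a
long-range quantum attacker would need? Added example for this comment
thread, not code from the post or any wallet. h20() is a stand-in for
HASH160; keys/scripts/transactions below are constructed placeholders."""
import hashlib
from dataclasses import dataclass


def h20(data: bytes) -> bytes:
    # Stand-in for Bitcoin's HASH160 = RIPEMD160(SHA256(x)); SHA256 truncated
    # to 20 bytes is used here only so the example runs offline anywhere.
    return hashlib.sha256(data).digest()[:20]


@dataclass(frozen=True)
class Output:
    kind: str    # "p2pk" | "p2pkh" | "p2sh" | "p2tr"
    lock: bytes  # pubkey | h20(pubkey) | h20(redeem_script) | x-only output key
    value: int


@dataclass(frozen=True)
class Input:
    prev_txid: str
    prev_index: int
    reveals: tuple  # unlock data put on-chain: ("sig"|"pubkey"|"script", bytes) pairs


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple
    outputs: tuple


def scan(chain):
    """One pass over the chain: live UTXOs plus everything that spends have revealed."""
    utxos, exposed_pk, exposed_scripts = {}, set(), set()
    for tx in chain:
        for inp in tx.inputs:
            utxos.pop((inp.prev_txid, inp.prev_index), None)
            for tag, data in inp.reveals:
                if tag == "pubkey":
                    exposed_pk.add(data)
                elif tag == "script":
                    exposed_scripts.add(data)
        for i, out in enumerate(tx.outputs):
            utxos[(tx.txid, i)] = out
    return utxos, exposed_pk, exposed_scripts


def key_visible(out, exposed_pk, exposed_scripts):
    """True if the key(s) guarding this output are readable on-chain today."""
    if out.kind in ("p2pk", "p2tr"):
        return True  # the locking script itself carries the (output) public key
    if out.kind == "p2pkh":
        return any(h20(pk) == out.lock for pk in exposed_pk)
    if out.kind == "p2sh":
        return any(h20(s) == out.lock for s in exposed_scripts)
    raise ValueError(f"unknown output kind {out.kind}")


def exposure_report(chain):
    """Map each live outpoint to (kind, value, key_visible)."""
    utxos, pks, scripts = scan(chain)
    return {op: (o.kind, o.value, key_visible(o, pks, scripts)) for op, o in utxos.items()}


# Constructed placeholders (not valid secp256k1 points, not a real signature).
PK_SATOSHI = b"\x04" + bytes(range(64))
PK_A, PK_B, PK_C, PK_M = (b"\x02" + bytes([n]) * 32 for n in (1, 2, 3, 4))
SIG = b"\x30" + b"\x00" * 70
VAULT_2OF2 = b"OP_2" + PK_B + PK_C + b"OP_2 OP_CHECKMULTISIG"

CHAIN = (
    Tx("cb1", (), (Output("p2pk", PK_SATOSHI, 50),)),                      # 2009-style coinbase
    Tx("dep1", (), (Output("p2pkh", h20(PK_A), 10),)),                     # exchange -> address A
    Tx("spend1", (Input("dep1", 0, (("sig", SIG), ("pubkey", PK_A))),),    # spending A reveals PK_A
       (Output("p2pkh", h20(PK_M), 4),                                     # payee, never spent from
        Output("p2pkh", h20(PK_B), 6))),                                   # change to fresh address B
    Tx("dep2", (), (Output("p2pkh", h20(PK_A), 5),)),                      # address A reused after spend
    Tx("vault1", (), (Output("p2sh", h20(VAULT_2OF2), 20),)),              # unspent 2-of-2, script unseen
    Tx("tr1", (), (Output("p2tr", PK_C[1:], 3),)),                         # taproot: x-only key in script
)

if __name__ == "__main__":
    for op, (kind, value, visible) in exposure_report(CHAIN).items():
        print(f"{op[0]}:{op[1]} {kind:6} {value:3} BTC  key exposed: {visible}")
```

Reading the report: the P2PK coinbase and the taproot output are exposed without anyone ever spending them; the change at B and the payee output stay hidden; the second deposit to A is exposed purely because A was spent from once before; the unspent P2SH vault is hidden until its redeem script is revealed by a spend, at which point the same logic marks it (and any other output locked to that script) as exposed.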
Nic - thank you for writing this piece. Clearly dozens of hours of research and synthesizing. Looking forward to next installment
Well done, thank you for your service
That was some pre-TG reading.
THIS..."Quantum is a statue waiting to be freed from a block of marble; AI is a new lifeform being cultivated inside a petri dish."
Thank you Nic! This topic so desperately needs attention and it’s fantastic to see heavyweights such as yourself finally shining much needed light on the path that lies ahead.
A solution that respects Bitcoin private key holders without leaving a honeypot for CRQCs:
1. Build, test, and deploy qBTC. It would need all the same consensus rules and be quantum-resistant. It should have a mirror and synced-up blockchain to BTC, and be at the same point in its scheduled mining of coins.
2. Allow current BTC holders to claim qBTC based on proof of BTC private keys. Don't allow direct purchase of qBTC.
3. Keep allowing these claims of qBTC until date X in the future—before Q-day if possible, or ASAP after Q-day if taken by surprise. At date X, the chain should be unsynced and purchases (trading) allowed.
4. Transact with, and operate qBTC as a chain independent from BTC.
This should protect current key holders while, unfortunately, creating a permanent loss for those who lost access to their keys and, inevitably, more lost coins on the new chain. Increasing the divisibility of a coin would help mitigate the loss of inert coins for the Bitcoin network as a whole.
Nic: thanks so much for the hard work you have no doubt put into this analysis. I'm so old that I remember when color television was considered unlikely. Your warnings are going to be taken seriously by many, and that is a wonderful service you've done.
This was a wonderfully approachable piece that is a great service for bitcoin holders or people long the blockchain. Takeaways include:
1) There are about 1500-2000 logical qubits required to break the BTC encryption, and we are some time from this but it could be as soon as 2028/2030.
2) If you are a BTC holder and you spent from the address you are not q-safe.
3) The most unsafe are the original coins from Satoshi across thousands of addresses.
4) This is a $100B+ bug bounty to capture these coins.
5) There are a lot of scenarios that could play out as this bounty is pursued, and a version of the most damaging is really a fight of fiat vs. blockchain, where China could strike a significant blow against blockchain as a perpetuation of the fiat order.
6) Nic is making a rallying cry to start planning now.
7) This is truly an existential risk to not only a burgeoning industry but also an ideology that was pioneered by Satoshi himself.
Great article, Nic—thanks for taking the time to share your insights.
Great article Nic! Congrats
$QRL (Quantum Resistant Ledger) is currently the best “pure play” in quantum-secure cryptocurrency, imo.
This is the best and most complete article on quantum risk in crypto that I have read. It still leaves out the quantum-resistant projects that already exist today. There are audited blockchains built in line with NIST guidelines from genesis, and those projects will not need to worry about PQ migration when Q-day arrives. Bitcoin could probably learn a thing or two from the work done in that corner of the space.
If this article resonated with you and you genuinely care about quantum resilience, I strongly recommend taking a serious look at Quantum Resistant Ledger ($QRL). It has been working on this exact problem since 2017. As always, do your own DD.