1

Other threads already answer very clearly that quantum comps could easily "break" /attack bitcoins chain.

Now: Are there any ideas among the bitcoin devs circulating out there, how to save bitcoin from future quantum attacks? its only a couple years away right?

What could be viable options to change and make btc quantum proof, changing hashing algorithm to which new algorithm?

Thanks!

__

johnsmiththelird
  • 837
  • 1
  • 7
  • 12
  • 1
    Possible duplicate of What effects would a scalable Quantum Computer have on Bitcoin? – chytrik Mar 04 '19 at 21:48
  • it is not a real duplicate. your referenced link talks about the effect. So it only partly answers my question (yes, bitcoin would break easily by quantum comps).

    But 2nd question is still valid: Are there currently any code changes discussed for the future by btc core devs? And how could solutions to this quantum problems look like, changing hashing algorithm to which new algorithm?

    or is this really too far away in the future? I think not

     – johnsmiththelird Mar 04 '19 at 22:54
  • 3
    The hashing algorithm is probably the most quantum-resistant piece of cryptography right now in Bitcoin. Barring any specific breaks, SHA256 and RIPEMD160 are as quantum-resistant as hash functions can be (there is an inevitable square-root speedup that applies to any hash function). Much more can be said about the quantum resistance of digital signatures. – Pieter Wuille Mar 05 '19 at 00:03
  • @PieterWuille hi thx. i did not know that sha256 is secure. makes sense, its symmetric

    -Then pls tell me, which precise parameters of bitcoins chain would be susceptible to quantum attacks (u said signatures, what else)?

    • And what could be ways to prevent future attacks on those parameters? Any ideas circulating among btc dev community on how to "adjust" those parameters? -

    Or is the current consensus rather to wait for the crypto community till they provide new crypto schemes which are quantum proof (waiting for the NIST Post-Quantum Crypto Competition ) ... thank u very much!

     – johnsmiththelird Mar 05 '19 at 16:54

1 Answers1

3

It is currently understood that quantum computers could theoretically offer a quadratic speed-up in cracking hash function preimages using Grover's algorithm, and cubic speed-up in finding hash collisions using Brassard-Høyer-Tapp algorithm. It is also understood that elliptic-curve cryptography would be the the first to go as it could be completely broken using Shor's algorithm. We summarize this in the table below:

Primitive Conventional Computing Security Level Quantum Computing Security Level
ECC-256 128 bits 0 bits
SHA-256 256 bits (preimage) / 128 bits (collision) 128 bits (preimage) / 85 bits (collision)
HASH-256 256 bits (preimage) / 128 bits (collision) 128 bits (preimage) / 85 bits (collision)
RIPEMD-160 160 bits (preimage) / 80 bits (collision) 80 bits (preimage) / 53 bits (collision)
HASH-160 160 bits (preimage) / 80 bits (collision) 80 bits (preimage) / 53 bits (collision)

From that we can say it is not so much about the algorithm - it is more about the hash function output size. Quantum computing doesn't break the algorithm but offers a speed-up for ANY algorithm, so all we'd need to do is pick one and increase the hash output size to 384 bits so we can maintain the 128 bits of security against collision attacks. BLAKE2 or SHA-3 would be good candidates. Even the SHA-2 familiy SHA-384 would be OK.

Actually implementing this in Bitcoin protocol would not be trivial, because a change of hash function would break a lot of software out there.

bca-0353f40e
  • 1,025
  • 2
  • 14