
Topic: Can Quantum Computers destroy Blockchain and Bitcoin [SHA-256 specifically] - page 3. (Read 1534 times)

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
But if there is a way to make Bitcoin stronger NOW, why not do it?
In my opinion, that's the (only) reason:
Whatever quantum resistant algorithm they implement today will either be completely outdated by the time it is relevant
So, even if we used a stronger algorithm today, it wouldn't last long 'til it was also considered unsafe in the long term. I don't know when it will be relevant, but it should definitely take a long time until someone solves the discrete logarithm problem within 10 minutes.

Let alone, it'd make the system less efficient.
hero member
Activity: 784
Merit: 1735
Crypto Swap Exchange
If Quantum MIGHT become a threat to Bitcoin and it IS possible to create an algorithm resistant to Quantum Computing, is there a reason we do not make Bitcoin stronger yet?  I have seen answers in this thread.  Most say the resources and time would be better spent on something we need now rather than a decade from now.  But if there is a way to make Bitcoin stronger NOW, why not do it?  As in: why continue using today's algorithm when there may be, or already is, a better one behind the curtains?

-
Regards,
PrivacyG
newbie
Activity: 13
Merit: 0
*** Q-DOOMSDAY IS ARRIVING FAST ***

1M qubit quantum chip by 2024. All these fallacies of "we are decades away" should be put to rest soon enough.

Wafer Scale Quantum Chip Prototype Delivers 1M Qubits by 2024
By Francisco Pires published about 13 hours ago

It is a quantum renaissance for fabrication industries from a 2-qubit computer in 1998 to 1 million by 2024.

https://www.tomshardware.com/news/wafer-scale-quantum-chip-prototype-delivers-1m-qubits-by-2024

There are already good ones out there that are tackling this issue. Make your choice. In the brave new world of post-quantum, old unsafe blockchains/coins are garbage:

-Tidecoin (TDC)
-Arielcoin
-QRL
-QANX
etc
hero member
Activity: 789
Merit: 1909
Quote
I am firmly of the opinion that we should do nothing, and if dormant coins are stolen then they are stolen.
Even if you "do nothing", then the question is: who will get those coins and what will that person do next? Burn them? Just keep them untouched on a new address? Just lock them in time for N blocks? Or maybe lock them in time, but split incrementally, into small portions? Because if millions of BTC are moved from P2PK to some new addresses, then the question is: what will happen next?

Of course, the heaviest Proof of Work could be used in normal circumstances to handle that, but not in this case. Why? Because if you will ever see 128 or more leading zero bits in block hashes, then it would mean SHA-256 is probably no longer collision-resistant, when it comes to the birthday attack. And then, there could be no consensus about the next hash function.

As a practical experiment, you can modify Bitcoin Core and replace 64-round SHA-256 with 16-round SHA-256. Then you can try some attacks and see what could happen. Or you can cast 32-bit values into 8-bit values and make it a four-step hash function (to get the same size); then you can try another kind of attack.

Quote
What do you mean by "slow down the transactions"?
If SHA-256 is too weak, then we could need some slower hash function (especially if we would like to make it backward-compatible and prove everywhere that SHA-256 is really broken). The new hash function could be bootstrapped from scratch, but then is it still the Bitcoin we know? By reusing zero bits in SHA-256, we could prove that our change is really needed. For example:
Code:
blockHeader=00004020b97d5e09984585663a48d8de73233254ab2ee13bd72f07000000000000000000a48018a3bd388812511e9d068d9cd711a82b78d3918482cd2ee3c9bbd0b2b70b283ee75e357f141704176980
SHA-256(SHA-256(blockHeader))=1364440dfe0d0b04ceaab68f57c93355f32d1c68030000000000000000000000
SHA-3(SHA-3(blockHeader))=a1fcfdd3bbff69a084f63db6c0cd46e8779fab414e788346df15e8e9f60ed953
endian256(SHA-256(SHA-256(blockHeader)))=000000000000000000000003681c2df35533c9578fb6aace040b0dfe0d446413
endian256(SHA-3(SHA-3(blockHeader)))=53d90ef6e9e815df4683784e41ab9f77e846cdc0b63df684a069ffbbd3fdfca1
oldTarget=000000000000000000147f350000000000000000000000000000000000000000
difficulty=0x17147f35
maskedBytes=0x17 (first byte from difficulty)
maskOld=000000000000000000ffffffffffffffffffffffffffffffffffffffffffffff
maskNew=ffffffffffffffffff0000000000000000000000000000000000000000000000
maskedOld=endian256(SHA-256(SHA-256(blockHeader)))&maskOld=000000000000000000000003681c2df35533c9578fb6aace040b0dfe0d446413
maskedNew=endian256(SHA-3(SHA-3(blockHeader)))&maskNew=53d90ef6e9e815df460000000000000000000000000000000000000000000000
finalHash=maskedOld|maskedNew=53d90ef6e9e815df46000003681c2df35533c9578fb6aace040b0dfe0d446413
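The 16-round experiment suggested in the post above, as an added example that is not code from the thread or from Bitcoin Core: a pure-Python SHA-256 whose compression loop takes the round count as a parameter. The constants are regenerated from the square and cube roots of the first primes exactly as FIPS 180-4 defines them (so nothing is hand-typed), and `self_check()` confirms that 64 rounds reproduce hashlib's output before any reduced-round result is trusted. Only the round count is variable; the post's second variant (casting 32-bit words to 8-bit) is not implemented here. Function names are my own.

```python
"""Reduced-round SHA-256 for 'replace 64-round SHA-256 with 16-round' experiments.

Added example, not code from the thread or from Bitcoin Core.
"""
import hashlib
import math

MASK32 = 0xFFFFFFFF


def _first_primes(n):
    """First n primes by trial division (n <= 64 here)."""
    found, cand = [], 2
    while len(found) < n:
        if all(cand % q for q in found if q * q <= cand):
            found.append(cand)
        cand += 1
    return found


def _icbrt(n):
    """Floor of the integer cube root, by Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# FIPS 180-4 constants derived from primes rather than typed in:
# H0 = first 32 fractional bits of sqrt(p) for the first 8 primes,
# K  = first 32 fractional bits of cbrt(p) for the first 64 primes.
_PRIMES = _first_primes(64)
H0 = [math.isqrt(p << 64) & MASK32 for p in _PRIMES[:8]]
K = [_icbrt(p << 96) & MASK32 for p in _PRIMES]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def sha256_rounds(data: bytes, rounds: int = 64) -> bytes:
    """SHA-256 with a configurable number of compression rounds (1..64).

    rounds=64 is real SHA-256; smaller values weaken the compression function
    while keeping padding, message schedule and output size unchanged.
    """
    if not 1 <= rounds <= 64:
        raise ValueError("rounds must be in 1..64")
    # Padding: 0x80, zero bytes, then the 64-bit big-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += (8 * len(data)).to_bytes(8, "big")
    h = list(H0)
    for off in range(0, len(msg), 64):
        w = [int.from_bytes(msg[off + 4 * i: off + 4 * i + 4], "big") for i in range(16)]
        for i in range(16, 64):  # message schedule expansion
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK32)
        a, b, c, d, e, f, g, hh = h
        for i in range(rounds):  # the only place the experiment differs from SHA-256
            S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (hh + S1 + ch + K[i] + w[i]) & MASK32
            S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (S0 + maj) & MASK32
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK32, a, b, c, (d + t1) & MASK32, e, f, g
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(4, "big") for x in h)


def double_sha256_rounds(data: bytes, rounds: int = 64) -> bytes:
    """Bitcoin's SHA-256d with the same reduced-round core applied twice."""
    return sha256_rounds(sha256_rounds(data, rounds), rounds)


def self_check(data: bytes) -> bool:
    """True when the 64-round implementation agrees with hashlib for this input."""
    return sha256_rounds(data) == hashlib.sha256(data).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a digest in display (big-endian) order, the PoW measure."""
    return 256 - int.from_bytes(digest, "big").bit_length()


if __name__ == "__main__":
    assert self_check(b"abc") and self_check(b"") and self_check(b"x" * 200)
    print("64 rounds:", double_sha256_rounds(b"abc").hex())
    print("16 rounds:", double_sha256_rounds(b"abc", 16).hex())
```

Run the self-check first; then swap `hashlib.sha256` for `sha256_rounds(..., 16)` wherever a block header is hashed and mine against it. Note that 16-round SHA-256 has no public practical preimage attack either, so what the experiment mostly shows is how the rest of the system behaves when the hash is swapped, not a free supply of leading zeros.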
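A re-computation of the masked old|new hash from the post above, as an added example that is not part of the post. Assumptions the post leaves implicit: "SHA-3" means SHA3-256 (`hashlib.sha3_256`), `endian256` reverses the digest into display order, and the mask width is the exponent byte of nBits (0x17 = 23 low bytes, the only ones the old target can occupy), so the high bytes that any valid SHA-256 proof of work must leave zero are the ones handed to the new function. Function names are my own.

```python
"""Masked 'old | new' block hash: SHA-256d keeps the low bytes, SHA3-256d fills
the high bytes that a valid proof of work already forces to zero.

Added example, not part of the thread.
"""
import hashlib

# Block header from the post (80 bytes in Bitcoin's serialization order):
# version | prev hash | merkle root | time | nBits | nonce.
BLOCK_HEADER = bytes.fromhex(
    "00004020"
    "b97d5e09984585663a48d8de73233254ab2ee13bd72f07000000000000000000"
    "a48018a3bd388812511e9d068d9cd711a82b78d3918482cd2ee3c9bbd0b2b70b"
    "283ee75e" "357f1417" "04176980"
)


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def dsha3(data: bytes) -> bytes:
    # Assumption: the post's "SHA-3" is SHA3-256.
    return hashlib.sha3_256(hashlib.sha3_256(data).digest()).digest()


def endian256(digest: bytes) -> bytes:
    """Reverse the 32-byte digest into Bitcoin's display (big-endian) order."""
    return digest[::-1]


def header_nbits(header: bytes) -> int:
    return int.from_bytes(header[72:76], "little")


def bits_to_target(nbits: int) -> int:
    """Decode compact nBits into the 256-bit target (sign bit 0x800000 ignored)."""
    exp, mant = nbits >> 24, nbits & 0x007FFFFF
    return mant << (8 * (exp - 3)) if exp >= 3 else mant >> (8 * (3 - exp))


def masks(nbits: int):
    """Split the 256-bit space at the nBits exponent byte.

    The low `exp` bytes are the only ones the old target can occupy, so any
    hash meeting it has the top 32-exp bytes zero; those are what the new
    function fills.
    """
    width = nbits >> 24
    mask_old = (1 << (8 * width)) - 1
    mask_new = ((1 << 256) - 1) ^ mask_old
    return mask_old, mask_new


def combined_hash(header: bytes) -> dict:
    nbits = header_nbits(header)
    target = bits_to_target(nbits)
    old = int.from_bytes(endian256(dsha256(header)), "big")
    new = int.from_bytes(endian256(dsha3(header)), "big")
    mask_old, mask_new = masks(nbits)
    final = (old & mask_old) | (new & mask_new)
    return {
        "nbits": nbits,
        "target": target,
        "old": old,
        "new": new,
        "final": final,
        # Does the SHA-256d part still satisfy the old target on its own?
        "old_pow_valid": old <= target,
        # What an old node sees if the new bytes are zeroed for it, per the post.
        "legacy_view": final & mask_old,
    }


def hex256(n: int) -> str:
    return f"{n:064x}"


if __name__ == "__main__":
    r = combined_hash(BLOCK_HEADER)
    for k in ("target", "old", "new", "final", "legacy_view"):
        print(f"{k:12s} {hex256(r[k])}")
    print("old PoW valid:", r["old_pow_valid"])
```

The point to check when evaluating the scheme is the last two fields: `legacy_view` is what the old rule still verifies, and it equals `old` exactly when the SHA-256d hash meets the old target, so old nodes keep validating the chain while upgraded nodes additionally require `final` (and thus the SHA3-256d bytes) to meet the new rule.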
legendary
Activity: 2268
Merit: 18509
If a new hash algorithm comes, for sure it will be implemented in the current blockchain as a soft fork; that way users don't need to move to a new blockchain.
Not a new blockchain, but a new address. If P2PK or reused P2PKH addresses become vulnerable to quantum attacks, then coins on such addresses will need to be moved to new addresses or be stolen.

bigger things than bitcoin? yeah like what?
Large parts of the internet.

I don't know which conception will win and how many altcoins will be needed to solve that, if there will be no consensus about it.
A consensus on this issue will be very hard to achieve. I am firmly of the opinion that we should do nothing, and if dormant coins are stolen then they are stolen. The community shouldn't get to make a decision to deprive people of their coins, even if we think those coins are lost. If you do that, bitcoin is no longer decentralized.
sr. member
Activity: 1036
Merit: 350
This Quantum Computer's topic has been discussed in the past, and we shouldn't be worried about it. If SHA-256 gets vulned there are bigger things to worry about than bitcoin.

bigger things than bitcoin? yeah like what?
legendary
Activity: 2982
Merit: 2681
Top Crypto Casino
I am just curious... if an upgrade is done to a new hashing algorithm that is quantum resistant, will everyone need to transfer their tokens to another address to enable this protection? If they do.... will this not force Satoshi Nakamoto to shift the tokens he/she/they own too?

If a new hash algorithm comes, for sure it will be implemented in the current blockchain as a soft fork; that way users don't need to move to a new blockchain.

This Quantum Computer's topic has been discussed in the past, and we shouldn't be worried about it. If SHA-256 gets vulned there are bigger things to worry about than bitcoin.
hero member
Activity: 789
Merit: 1909
Quote
will everyone need to transfer their tokens to another address to enable this protection?
Yes. Breaking SHA-256 means that it will be possible to find another transaction for a given z-value. That means, you could start from random ECDSA signature, matching some random z, and then use SHA-256 preimage to find some transaction that can be hashed into this value.

Quote
will this not force Satoshi Nakamoto to shift the tokens he/she/they own too?
It depends on whether our "protection" will burn the coins or not. In case of no protection at all, if those coins are taken by some good guy, then that person could timelock them incrementally with no keys and split them into smaller amounts; then it will be the same as soft-forking the coin distribution schedule.

Quote
a stronger hash will slow down the transactions and also inflate the Blockchain size?
It will slow down the transactions, you can see that on CPU-mineable coins, when they use a different algorithm than SHA-256 for building their merkle tree.

When it comes to the blockchain size, there is no need for that, because breaking SHA-256 would mean that getting some hash with more leading zeroes will be easier. So the new hash function could require getting a lot of leading zero bits in a known way (or even all zeroes, if possible); then the new hash could be placed in the same field (and replaced with zero bytes to be backward-compatible with old nodes, if needed). The new hash function could be just SHA-3(SHA-3(x)||SHA-256(x)) instead of SHA-256(x), where SHA-256(x) is required to be zero (or to be below some old target).

Quote
Will that be the sacrifice that we will have to make to protect our tokens from a Quantum attack?
There could be more than one idea to solve that problem. Some people could think that coins should be frozen; another group could think they should be taken by the first attacker, whoever it will be, and we should build on top of that (as Ethereum Classic did); another group could propose moving the coins in a special way to affect coin distribution by splitting coins and freezing them in nothing except time. I don't know which conception will win and how many altcoins will be needed to solve that, if there will be no consensus about it.
legendary
Activity: 3430
Merit: 1957
Leading Crypto Sports Betting & Casino Platform
I am just curious... if an upgrade is done to a new hashing algorithm that is quantum resistant, will everyone need to transfer their tokens to another address to enable this protection? If they do.... will this not force Satoshi Nakamoto to shift the tokens he/she/they own too?

Some people also said that a stronger hash will slow down the transactions and also inflate the Blockchain size? Will that be the sacrifice that we will have to make to protect our tokens from a Quantum attack?
newbie
Activity: 13
Merit: 0
You really have to love the amount of wishful thinking regarding quantum computers and their threats to BTC et al.
The attitude I read here is like knowing a tsunami alert was raised, the ocean is retreating, and still beachgoers are standing watching and want to see the first big wave before running for their lives.

to each his own exit strategy ...
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Another problem is these Post Quantum algorithms aren't really vetted in the sense that AES encryption is, or say Elliptic Curve is. They don't have decades of people trying to crack them, so they might even be vulnerable to a normal computer, to say nothing of a Quantum Computer. Bitcoin might be better off sticking to what it has than going with a shiny new object that ends up being cracked by a Pentium 4 laptop running for a weekend or two.

Such risk could be significantly reduced with a proper cryptography and implementation audit. Besides, Bitcoin is quite conservative, where new features take a very long time of testing.

There's nothing magic about post quantum crypto; it's still a game of cat and mouse. No one can prove anything... As long as they keep trying to rely on complexity, they're in trouble. Complexity should be in quotation marks, that is.

Cryptography has always been a "game of cat and mouse". There's a good reason why cryptography software (such as PGP) generates keys with an expiration date.
sr. member
Activity: 1036
Merit: 350
I think this is somebody who wants to profit from the fear of some Bitcoiners about "quantum computers hacking the blockchain!!", luring people into his shitcoin.
I don't see the point in any "quantum resistant" coin at the moment when we are still decades away from quantum computers being a threat to elliptic curve cryptography. Whatever quantum resistant algorithm they implement today will either be completely outdated by the time it is relevant (so maybe things such as much larger signatures and transactions than necessary, far less functionality allowing for different script/address types, much more resource heavy or slower to compute/verify, etc.), or might itself be broken and completely insecure.

It would be like a video game developer building a game today which won't be released until 2045 for the PlayStation 9. They have no idea what the technology will be or what its capabilities will be 20 years in the future, and whatever they come up with today will be incredibly outdated and might not even work by the time it becomes relevant.



Well, it's not just that. Another problem is these Post Quantum algorithms aren't really vetted in the sense that AES encryption is, or say Elliptic Curve is. They don't have decades of people trying to crack them, so they might even be vulnerable to a normal computer, to say nothing of a Quantum Computer. Bitcoin might be better off sticking to what it has than going with a shiny new object that ends up being cracked by a Pentium 4 laptop running for a weekend or two. There's nothing magic about post quantum crypto; it's still a game of cat and mouse. No one can prove anything... As long as they keep trying to rely on complexity, they're in trouble. Complexity should be in quotation marks, that is.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
BTW, that's just for one type of addresses. If you wanted both Legacy (1) and SegWit (3, bc1) you'd have to triple the effort.

With the recent Taproot update, it's actually 4x the effort. Native SegWit has the prefix bc1q while Taproot has the prefix bc1p.

You could find ways to compress all this, though. For instance, private key 1 doesn't need to take 32 bytes.

Alternatively, don't store private keys without coins.
legendary
Activity: 2268
Merit: 18509
You could find ways to compress all this, though. For instance, private key 1 doesn't need to take 32 bytes.
Sure, but I'm just pointing out how infeasible this would all be. Compression would save some time, but I also glossed over that for each and every key you would also need to perform an elliptic curve multiplication, four hash functions, and a hex to Base58 conversion, all just for the legacy addresses. And then of course you would need to look the address up against a full node to see if it contains any coins. And even if someone managed to compress a billion private keys into the space usually occupied by a single private key (32 bytes), you're still looking at needing an entire galaxy filled with Dyson spheres to have the energy to do something like this.
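What "an elliptic curve multiplication, four hash functions, and a hex to Base58 conversion" per key looks like in code, as an added example rather than code from the thread: a pure-Python secp256k1 scalar multiplication, SHA-256 then RIPEMD-160 (HASH160), the double-SHA-256 checksum, and Base58Check, followed by the look-up loop against a set standing in for a full node's UTXO index. The curve constants are the standard secp256k1 parameters; the keys 1 and 2 used below and the `scan_keys` helper are my own choices, not anything from the post. RIPEMD-160 is taken from hashlib, which some OpenSSL 3 builds disable; `ripemd160_available()` reports that before the address step runs.

```python
"""Per-key work in an exhaustive private-key search: one P2PKH derivation.

Added example, not code from the thread.  Pure-Python secp256k1, so it shows
the steps rather than the speed of a real search.
"""
import hashlib

# Standard secp256k1 parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _add(p1, p2):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey(priv: int, compressed: bool = True) -> bytes:
    """Step 1: scalar multiplication priv*G by double-and-add, SEC1 encoded."""
    if not 1 <= priv < N:
        raise ValueError("private key out of range")
    acc, addend, k = None, G, priv
    while k:
        if k & 1:
            acc = _add(acc, addend)
        addend = _add(addend, addend)
        k >>= 1
    x, y = acc
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def ripemd160_available() -> bool:
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False


def hash160(data: bytes) -> bytes:
    """Steps 2-3: SHA-256 then RIPEMD-160."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def base58check(payload: bytes) -> str:
    """Steps 4-5: double-SHA-256 checksum, then Base58 with leading-zero '1's."""
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + chk
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def p2pkh_address(priv: int, compressed: bool = True) -> str:
    return base58check(b"\x00" + hash160(pubkey(priv, compressed)))


def scan_keys(first: int, count: int, wanted: set) -> dict:
    """The search loop the thread describes: derive both legacy address forms
    per key and look them up in `wanted` (a stand-in for the UTXO set)."""
    hits = {}
    for k in range(first, first + count):
        for compressed in (True, False):
            addr = p2pkh_address(k, compressed)
            if addr in wanted:
                hits[k] = addr
    return hits


if __name__ == "__main__":
    print("pubkey(1):", pubkey(1).hex())
    if ripemd160_available():
        print("address(1):", p2pkh_address(1))
        print("address(1, uncompressed):", p2pkh_address(1, compressed=False))
```

Even in this unoptimized form every key costs a 256-step double-and-add with a modular inverse per step, plus four hashes and a Base58 conversion, and the thread's count still leaves out SegWit and Taproot outputs, which need their own hashing and encoding on top.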
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
[...]
Plus: You would need to find a way to transfer information unbelievably fast. Even if one planet in one of those galaxies found a collision, they would have to somehow share it with the others. Good luck on that too!

BTW, that's just for one type of addresses. If you wanted both Legacy (1) and SegWit (3, bc1) you'd have to triple the effort.

2^256 private keys * 32 bytes each = 3.7*10^54 yottabytes.
You could find ways to compress all this, though. For instance, private key 1 doesn't need to take 32 bytes.
legendary
Activity: 2268
Merit: 18509
What I was imagining was a computer that tried all possible outcome for private keys in one run.

At once. No queue.
2^256 private keys * 32 bytes each = 3.7*10^54 yottabytes.

Current estimates for the amount of data ever created in the entire world are less than 0.2 yottabytes.

So even if there were 1 billion galaxies, each with 1 billion planet Earths, and each Earth produced a billion times more data than us, and each Earth had been churning out this much data for a billion years, you still need a computer which can handle a billion billion times more data than that all at once.

Good luck.
sr. member
Activity: 1429
Merit: 264
What I was imagining was a computer that tried all possible outcome for private keys in one run.

At once. No queue.
hero member
Activity: 1078
Merit: 509
Leading Crypto Sports Betting & Casino Platform
QC is actually a way for brands like Microsoft to get funds from investors. Quantum computers cannot exist in the first place, because the number of qubits required to solve a cryptographic problem is too large, and they are fragile too. The qubits cannot stay in some environments. It depends on weather conditions.
legendary
Activity: 2268
Merit: 18509
In this case, the blockchain and all values are 0 and cannot be moved.
Even ignoring that it will be decades before there is a quantum computer which can solve the ECDLP, it will be many more years between one can that solve the ECDLP over a period of weeks and one which can solve the ECDLP in less than the 10 minutes required to attempt to double spend an unconfirmed transaction.

Unclaimed coins can be used.
I don't think we should intervene here. We have absolutely no way of knowing which coins are simply being held long term by their owners and which coins are lost or otherwise inaccessible. The network and the community absolutely shouldn't be taking decisions to deprive the rightful owners access to their coins, even if the inaction of these owners to move their coins to a quantum resistant address will result in their coins being stolen.
member
Activity: 71
Merit: 19
The problem here is not SHA-256.
The problem is that the private key of the pubkey entering SHA-256 is broken.
If the ECDLP of secp256k1 is decrypted,
then we can talk about this apocalypse.
In this case, the blockchain and all values are 0 and cannot be moved.
If we want to move the values, we can do it according to the private key, but we can't because it breaks. I think a new blockchain is movable with losses. Bitcoin can suffer serious damage from this. Unclaimed coins can be used.