This is the third piece BitMex Research has published on quantum computing and Bitcoin. It does a very nice job of discussing some of the options we might use to deal with coins that are vulnerable to quantum attack.
Quantum computers still need a public key
The primary concern Bitcoiners have with advances in quantum computing is that a quantum computer may be developed which is capable of finding the private key to an exposed public key.
Such a quantum computer would pose a risk to:
- coins that use old address types that exposed the public key,
- coins that have reused addresses,
- some coins held in Taproot addresses,
- most coins during the window between a spending transaction being broadcast (its signature exposes the public key) and that transaction being included in a valid block.
If Bitcoiners adopt quantum resistant signatures before such a quantum computer is developed, mitigating the threat mostly becomes an issue of everyone sending their coins to the new safe address type.
However, if we are surprised by the advent of such a quantum computer or if people have not already sent their coins to this hypothetical quantum-safe address type, Bitcoiners could still buy some time by freezing coins in addresses vulnerable to quantum attack.
This would necessarily be a soft fork where we adopt new rules that say all old address types can no longer be spent, unless certain conditions are met.
This BitMex Research article examines some different schemes by which we could use this technique of "freezing" coins to allow the true owners of such coins to safely spend them despite the presence of a quantum attacker capable of discovering private keys from exposed public keys.
Commitment Recovery Method
This applies to a standard P2PKH output whose public key has never been exposed, i.e. one that has avoided address re-use. It involves two transactions, with the second transaction putting the private key on chain in plain text.
The user first broadcasts a setup transaction whose OP_RETURN contains a hash commitment, waits a predetermined length of time, and then broadcasts a spending transaction that references that commitment. It seems like a pretty complicated system.
Seed Phrase Commitment Method
The idea is that the step from 12 seed words to the master private key is hash based and therefore quantum safe, so the 12 words themselves can be put on chain to spend the coins in a quantum-safe way. This again involves two steps, a set-up transaction and a recovery transaction. Unlike the plain commitment recovery method, it can be used even if the public key is already available on chain, for instance because of address re-use or Taproot outputs.
If you use a set of BIP 39 seed words for your wallet, you can exploit the fact that going from seed words to private key involves hashing to make a commitment transaction. As in the normal commitment recovery method, you broadcast a setup transaction, but this time it includes a hash of your BIP 39 seed words. Your later spending transaction is only valid if it references the previously broadcast hash of your BIP 39 words and those words derive the private key used in the signature of the spending transaction.
Pre QDay Commitment Method
The trick here is that the set-up transaction goes onchain prior to QDay. Therefore, we can assume that only the legitimate owner of the funds had the private key at that date. This recovery scheme seems pretty pointless, since unlike the other recovery systems we have discussed above, it requires action to be taken before QDay and if action can be taken prior to QDay, the funds could alternatively have just been swept up to a quantum safe output anyway.
This doesn't seem like such a great plan, as it still requires people to make a "commitment" transaction before a known quantum attacker is present.
Zero Knowledge Proof Seed Phrase Method
The ZKP approach only works for the seed phrase, not for the private key itself: the quantum-vulnerable signature still has to go on chain for the transaction to be valid, so a quantum computer can recover the private key from it, and a proof of knowing that key would prove nothing about ownership. What the proof must establish is knowledge of the seed words, which the attacker cannot derive from the key.
In this method, Bitcoiners would include a zero-knowledge proof about their BIP 39 seed phrase in an OP_RETURN in the transaction spending their quantum-vulnerable coins. The spend would only be accepted as valid if the proof demonstrates knowledge of a BIP 39 seed phrase that derives to the private key used in the transaction's signature, without revealing the phrase itself.
BitMex > Nic Carter
All in all, BitMex does a great job going through these. I highly recommend reading their whole series on quantum computing and Bitcoin. It is a nice balance to the things that you might hear from Nic Carter.
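The commitment recovery and seed phrase commitment methods described above are commit-then-reveal schemes, and the security-relevant part is the set of checks a node would enforce on the reveal. The following is an added example written for this page; it is not code from the BitMex article or from the post above, and its concrete choices are assumptions the article leaves open: the commitment is SHA-256 over the NFKD-normalised seed words concatenated with the recovery destination (binding the destination is what stops an attacker who sees the reveal in the mempool from redirecting the coins), a reveal is valid only once its commitment has aged DELAY blocks, and ownership is checked by deriving BIP39 seed to BIP32 master key to secp256k1 public key and comparing it with the key the frozen output is locked to. Signatures are not modelled; the spend is treated as exposing the private key, which is the quantum-vulnerable step. The mnemonic, block heights, UTXO id and destination names are constructed for the demonstration.

```python
import hashlib
import hmac
import unicodedata
from dataclasses import dataclass, field

# --- secp256k1, affine arithmetic; only enough to derive a public key ---
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def pubkey_from_priv(priv: int) -> bytes:
    """Compressed SEC1 encoding of priv*G (double-and-add)."""
    assert 0 < priv < N
    r, q, k = None, G, priv
    while k:
        if k & 1: r = _add(r, q)
        q = _add(q, q)
        k >>= 1
    x, y = r
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

# --- BIP39 / BIP32: the hash-only steps from words to master private key ---
def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), b"mnemonic" + nfkd(passphrase), 2048)

def master_privkey(seed: bytes) -> int:
    """BIP32: left 32 bytes of HMAC-SHA512(key='Bitcoin seed', seed)."""
    k = int.from_bytes(hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32], "big")
    assert 0 < k < N, "invalid master key (astronomically unlikely)"
    return k

# --- the commit / reveal rules (assumed form, see lead-in) ---
DELAY = 144  # assumed: blocks a commitment must age before its reveal is accepted

def make_commitment(mnemonic: str, destination: str) -> bytes:
    """Setup-tx OP_RETURN payload: binds the secret words AND where the coins may go."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    return hashlib.sha256(words + b"|" + destination.encode()).digest()

@dataclass
class Chain:
    height: int = 0
    commitments: dict = field(default_factory=dict)   # commitment -> height first confirmed
    utxos: dict = field(default_factory=dict)         # utxo id -> locking compressed pubkey
    spent: set = field(default_factory=set)

    def mine(self, blocks: int = 1):
        self.height += blocks

    def confirm_commitment(self, c: bytes):
        self.commitments.setdefault(c, self.height)   # earliest confirmation counts

    def recover(self, utxo_id: str, mnemonic: str, destination: str):
        """Consensus check for a recovery spend of a frozen output. Returns (accepted, reason)."""
        if utxo_id in self.spent:
            return False, "already spent"
        if utxo_id not in self.utxos:
            return False, "unknown utxo"
        priv = master_privkey(bip39_seed(mnemonic))
        if pubkey_from_priv(priv) != self.utxos[utxo_id]:
            return False, "seed words do not derive the locking key"
        c = make_commitment(mnemonic, destination)
        if c not in self.commitments:
            return False, "no matching commitment on chain"
        if self.height < self.commitments[c] + DELAY:
            return False, "commitment too recent"
        self.spent.add(utxo_id)
        return True, f"spent to {destination}"

OWNER_WORDS = "abandon " * 11 + "about"   # constructed: the all-zero-entropy BIP39 mnemonic

def scenario() -> dict:
    """Owner recovers a key-exposed output; an attacker with the private key, and later with
    the words seen in the mempool, is rejected at every step. Heights are constructed."""
    chain, out = Chain(), {}
    chain.utxos["utxo-1"] = pubkey_from_priv(master_privkey(bip39_seed(OWNER_WORDS)))
    chain.confirm_commitment(make_commitment(OWNER_WORDS, "owner-pq-address"))   # height 0
    # Attacker already holds the private key (cracked from the exposed pubkey) but not the words.
    out["key_only_attacker"] = chain.recover("utxo-1", "twelve guessed words", "attacker-address")
    chain.mine(DELAY - 1)
    out["owner_early"] = chain.recover("utxo-1", OWNER_WORDS, "owner-pq-address")
    chain.mine(1)   # owner's reveal is now in the mempool; attacker learns the words from it
    chain.confirm_commitment(make_commitment(OWNER_WORDS, "attacker-address"))
    out["frontrun_same_block"] = chain.recover("utxo-1", OWNER_WORDS, "attacker-address")
    out["owner"] = chain.recover("utxo-1", OWNER_WORDS, "owner-pq-address")
    chain.mine(DELAY)   # attacker's commitment has aged, but the coin is already gone
    out["late_attacker"] = chain.recover("utxo-1", OWNER_WORDS, "attacker-address")
    return out

if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:22s} {result}")
```

The two rejections that matter are the middle ones: an attacker who cracked the private key cannot produce words that hash to the locking key, and an attacker who copies the words out of the owner's reveal can only commit to a different destination, which is then DELAY blocks younger than the owner's commitment. Reusing the owner's exact commitment gains the attacker nothing, since it sends the coins to the owner's destination.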
Have they covered BIP360 so far?
To me that seems like cleanest, least effort, least impact proposal.
Effectively it creates a new type of taproot address that is quantum resistant. Then it's left up to every individual whether or not to use it... requires minimal mods to bitcoin (basically new address type and that's it).
The benefit of this approach is we technically become "quantum safe" (even if no one chooses to use it), but we tick that box from a marketing perspective so gullible but loud people on twitter can finally shut up.
Nah, they'll keep fretting over satoshi's coins.
Also, people on Twitter aren't there to shut up. Gullible or not. The circus will find a way to keep going.
100%
Probably no one would use it, because the signatures are 100x larger. --> Therefore higher fees.
Also this quantum FUD is ridiculously overblown.
KISS keep it simple stupid. Quantum is probably best opt-in. Then everyone can choose what and when to do it.