So there's a number of posts going around again about Quantum (#1494159, #1494200), all of which are worth a read, and I could have posted this thought in one of those threads, but for visibility and discussion I wanted to make a standalone post about it.
So here's the thought:
A lot of the discussion around a quantum-attack on Bitcoin presupposes the sudden revelation of a Cryptographically Relevant Quantum Computer (CRQC). The idea is that we'll go suddenly from thinking Satoshi's keys are safe to all of a sudden, oops, they're cracked!
But here's why I don't think that'll happen, and why we'll get signals leading up to such an event, and thus the ecosystem will have more lead time than is generally assumed to make decisions regarding quantum security.
It's because: look at the behavior of all the major quantum labs. They jump at the chance to announce any small breakthrough and advancement. And it's totally rational for them to do this, because every new breakthrough triggers a wave of attention and investment and continues the funding cycle. I don't see why that would change leading up to a CRQC. Would labs really start hiding their progress when they start to get closer? I think the incentives to publicize their progress would be even higher. Thus, my thesis is that we'll get plenty of signal as to how close we're getting to CRQC, and we therefore won't be super surprised when it arrives.
The X-factor here is state actors, who may have more of an incentive to keep progress hidden. But for this to cause us to be surprised by the arrival of CRQC would require that the hidden progress of the state actor is significantly more advanced than the publicized progress of the private actors. It's not obvious to me that this would be the case. Moreover, if a state actor benefits from keeping their quantum progress hidden, would the incentive of cracking Bitcoin really be the pivotal factor that causes them to break their silence? Given the current world relevance of Bitcoin, that seems highly unlikely.
So, there are my thoughts in a nutshell. Does anyone want to stress test this idea with me?
For the record, I'm also not trying to say that quantum isn't a threat, or that we shouldn't start thinking about quantum security.
I'm merely saying that the signal density on how close we are to CRQC will be fairly high. Whether the community can actually reach consensus on what to do, and whether enough people are paying attention, is a different story.
Heh, I meant that bitcoin is not relevant, and therefore a state actor who's trying to hide their quantum progress isn't going to break that veil by attacking bitcoin.
Haha. I thought that you meant exactly that at first but then I figured "yeah but if it is irrelevant then it is a perfectly marginalized set of victims that can just be abused with impunity." The meme works both ways tho.
It's worse than that, they announce non-breakthroughs and no advancement. It's literally not real, there are only scams inferring it could be real.
you know, that actually weakens my thesis because it introduces noise to the signal
It's more of a point of order, since there is no signal to begin with: it's not just that breakthroughs are noised by non-breakthroughs, but that there are no breakthroughs at all.
I've been spending a couple of weeks going over xwing (MLKEM768+X25519) for a hybrid KEM, and even for a hybrid solution that is enforcing both the DH and the ML side, I still see some potential risks[1] with ideas that may or may not have caveats we simply don't know about yet. These are sitting in the optimizations they're doing.
So on the one hand we have massive, non-tangible FOMO and on the other, no immediate implementation path for serious encryption, and a standard-to-be that may weaken versus existing DH-based solutions. The risks coming with rushed decisions are high right now. If it's all a psyop... the risk is higher.
[1] besides the issue that there is no good implementation path for either crypto.subtle or webauthn at the moment.
So, as I see it, you're outlining these possible paths of action?
(a) competing labs keep announcing developments and "breakthroughs" and gradually build a tide toward CRQC such that we all gradually come to the realization that "it's happening" and we must take action.
(b) sneaky bad actor nation works covertly and does not announce developments and suddenly has a CRQC with which to do ill
(c) both things go on simultaneously, both public lab announcements and sneaky covert nations. This, I feel, is how it would actually go in the real world.
All told, it would be a case of what occurs first...
I think that's a good breakdown, though I wouldn't necessarily call the labs "good actors" -- just actors that are more incentivized to disclose progress.
It's a legitimate question of whether the incentive to hide progress gets larger the closer you actually get to CRQC.
Regardless, though, I think for a surprise attack to actually happen we'd need a few things to converge:
... Right?
US government takes $2 billion equity stake in nine quantum computing firms #1494389
Trump is a state capitalist - copying China's economic strategy.
Because China won the trade war.
Rare earths anyone?
One doesn't simply crack Bitcoin. Think about all the other dominoes that'd fall when that time comes. Did you know that for all this push for passkeys, those aren't even Q-resistant?
Even though the standard is still in draft, you could use ML-DSA with a YubiKey through Chrome/Firefox already. The biggest issue is with the OS built-ins on iOS/macOS/Android, and that the entire Apple ecosystem doesn't support the PRF extension from external devices at this time, so it's hard to work around too.
So while the protocol has been ready ever since IANA enumerated ML-DSA for COSE, it's just that most of the "WebAuthn Relying Parties" don't implement it yet - standard changes during the draft period can be obstructive and there's not enough built into the OSes yet. If tomorrow Android and iOS also implement ML-DSA, it'll be out there in no time though. This is much further along.
Maybe a sexytum attack
While I agree with you on all points, if Quantum Resistant BIP360 is implemented on Bitcoin... I'd welcome it.
And what's more there's also a prediction market for 'when' on Predyx: https://beta.predyx.com/market/bip-360-quantum-resistant-upgrade-activated-on-bitcoin-by-1775250762?ref=PREDYX9ZWAIELT