Understanding the Quantum Attack Vectors

All right, guys, I'm super excited to be here for us to explore the super fun topic of the quantum vulnerability space. My name is Isabel Foxen Duke. I'm the coauthor of BIP 360 for Bitcoin quantum mitigation, and also the host of the Bitcoin Rails podcast. I'm excited to have a little fun right now. Would you guys really quickly get us started by introducing yourselves and what your position is in the quantum space, however you define that?

​

Sure. I'm Brandon Black. I'm skeptical of the quantum vector for attacks, which does not mean I'm skeptical of post-quantum cryptography or anything. I do Bitcoin consulting, so I pay attention to what's happening in Bitcoin to make sure I'm ready for it.

​

I'm a quantum scientist. I think quantum is getting extremely close, and it's time to upgrade to post-quantum cryptography. These days I mostly do post-quantum privacy research.

​

I'm Clara, and I authored, with Anthony Milton, a report that overviewed the state of preparedness for quantum computing and the path forward. We also have a break-the-glass emergency plan waiting in GitHub. My view is: don't panic, but have a plan.

​

Before we get into the proper panel, we're going to be exploring all the different ways this issue could potentially challenge Bitcoin. This is a super complex topic, so there's a lot to explore just in understanding the vulnerabilities here. But before we do, I've tapped Brandon to explain the basics, the core problem that people are concerned about, just so we can get that out of the way, and then we're going to dive deeper into the implications of this problem. Would you go ahead and take it from here?

​

The potential issue here is that Bitcoin, and many cryptosystems in the world, rely on the hardness of reversing what's called the discrete log problem. In Bitcoin in particular, it's the elliptic curve discrete log problem. The point is that this is a mathematically difficult problem for classical computers to solve. If there were a sufficiently large quantum computer, it could solve that problem in much less time, potentially down to just a minute or less over the long term.

​

That problem is what makes it hard to make fake Bitcoin signatures. If a quantum computer could solve the elliptic curve discrete log problem, it could make fake signatures on Bitcoin. That's what we're worried about. That doesn't affect Bitcoin mining. Quantum computers are much less effective at breaking hash functions like our use of hash functions in Bitcoin mining. So that's the space that we're sitting in.

​

Now that we've defined the core problem, how worried should we be that a cryptographically relevant quantum computer will arrive anytime soon? How worried about this problem should we be? Feel free to answer that question creatively. Brandon, we can start with you and go down the line.

​

I would say we shouldn't be worried at all, really. Quantum computers to date are still working on a handful of logical qubits. It's difficult to keep logical qubits working for more than a couple of microseconds at a time. There's really nothing to worry about at this point. Now, that could change. There was that scare over the weekend; maybe it changed, but it didn't actually change. As of now, there's absolutely nothing to worry about.

​

From the milestones of quantum computers, they are getting very close. The small demonstrations of logical qubits are the basic ingredients that you need to reach cryptanalysis. The main problem is that there isn't much other warning. There will be long-lived logical qubits, then small keys, then big keys, and there's no other application that we will see before cryptanalysis.

​

The reaction time will likely be months or years, maybe a few years. But the migration of Bitcoin, building consensus around the new type of cryptography that must be deployed, deploying the new cryptography, getting people to migrate, and deciding what to do with stale assets is what takes time. It's not like the case of harvest now, decrypt later, where you're worried about people reading your email in some time. The issue is building the consensus for the upgrade before attacks happen.

​

We're seeing quantum, but there's also AI. We're not guaranteed that classical computers won't catch up to quantum. If it keeps happening, at some point they will cross elliptic curve cryptography. We're also not guaranteed that there won't be super AI in 2029 or 2031 that will come along and break security cryptography classically, which would be a much worse situation than just quantum.

​

I agree with Pierre in general. It's like asking how worried you should be about your plane crashing. You shouldn't be very worried, but you need an emergency exit. In that sense, how worried should we be about quantum? Not too worried, but we should have a plan, and we should be working on this plan because it could happen, maybe sooner, maybe later. It's completely irresponsible to completely relax and not do anything. But don't panic.

​

I want to drill down on Brandon a little bit further. Why exactly are you not worried? What is your argument here? It sounds like, if I'm understanding Pierre correctly, there is some possibility that this could happen in months to years, even if we call it five years or less. It would probably take that amount of time for us to activate around a really sophisticated mitigation strategy. So I'm curious why you are not concerned.

​

Trying to be very brief, there are really two things. One, we've been researching quantum computing for close to 50 years now, and we have not yet made any progress against solving real mathematical problems with quantum computers. The fact that in 50 years of research we haven't solved a single actual difficult problem with it suggests that it's a very hard thing to do.

​

The second thing is I think a lot of folks elsewhere in the quantum industry look at the problem of going from the first long-lived qubit to many long-lived qubits as almost a done deal once you get that first qubit. But the reality is that when you're building physical things, adding that next one is going to be hard. Adding the next two is going to be hard. Each one we have to add is going to be a hard-fought battle, and I think there's good evidence for that in how quantum has gone to date.

​

I don't think there's any reason to believe that we'll go from one logical qubit to 2,000 overnight. It'll be 10 years, it'll be 20 years. Even once we get those long-lived qubits, we're going to have a decade or two to work on solving it in Bitcoin. Plenty of time.

​

Do either of you have a response to that?

​

I don't completely agree. First of all, assuming that it's going to take another decade or another two decades is very difficult. It's very difficult to predict the future. Even if it's an event of a small probability, if you calculate the expectation of the disaster that can happen, it's irresponsible not to do something. I don't say panic and change to whatever cryptography is available now, because there are a lot of things to worry about with modern post-quantum cryptography just because it's very new. But it doesn't make sense to assume, "Oh, we have another decade or two." Why should we take this risk if we can avoid it?

​

It's a very compounding technology. I get Brandon's point of view that we don't see progress on the yardsticks of, say, breaking small keys or factoring small numbers. But the physical resources of quantum computers are a bit counterintuitive in the sense that once you have the substrate, once you have the ability to essentially amplify the quality of the qubits up to an arbitrary degree, when you have fault-tolerant machines, to break keys you need only a polynomial amount of work from that point on.

​

If errors increase exponentially with the size of the qubits, it would be over. But that effect has not been seen. People have been looking for that effect, but it's not there. If you add qubits, noise stays local, which means that you get error correction. The small regime has been achieved, and it's the substrate for which cryptanalysis becomes a polynomial problem. We're already there, and that will create a very sharp transition.

​

One of the arguments I hear frequently is this idea that, even if it's a very, very small chance that quantum is coming anytime soon, we should be prepared just in case because of the potentially catastrophic implications. But I do think it's important for us to think about the tradeoffs of premature mitigation. There could be negative downstream effects in terms of how Bitcoin functionally works after we implement post-quantum signatures and other post-quantum mitigation strategies. Do you each want to give a point of view about the risks associated with jumping the gun or acting too early?

​

One of the things we need to be really conscious of as Bitcoiners is that, while I agree with Clara that we should have a plan, we don't have any suitable post-quantum crypto that actually works well in Bitcoin yet. The state of the art in post-quantum crypto would make transactions 100 times larger than they are today. It would make verification 10 times more costly for those transactions. It would make key generation, I think, 100 times more costly.

​

There are really major problems with any of the post-quantum crypto options that are out there. We need to continue investing heavily in being ready for that. As of now, there simply isn't a good plan. There are things we could do that would be a barely tenable stopgap, and we should keep trying to build toward that great plan. I strongly support that work.

​

It's a difficult problem, mostly because people want battle-tested cryptography to be deployed on Bitcoin. But that battle testing takes time. If you want something that's been there for 20 years now, it's cryptography that was done in 2005. There are lattices, there is hash-based cryptography, and they come with tradeoffs.

​

On the other side, it is difficult. But there's a bright side in that quantum attacks won't be cheap. It will probably cost millions of dollars for the first quantum attacks per key. Most people are not greatly affected, but large holders must get ways to secure their assets in the near term. In my opinion, it's better to deploy more conservative hash-based cryptography in the near term, allow large exchanges to migrate, and allow more time to optimize the cryptographic methods to keep the user experience that Bitcoiners are used to.

​

I also agree we should not change the signatures we're using right now. This is a very dangerous game, and the technology is getting better and better. With lattices, things are broken from time to time, so we don't want to be on the receiving side of that. But we can write code. We can prepare something so that if we understand that this is happening in six months or happening in two years, we can mostly push the button. We have something prepared so we can take action. We don't need to start from scratch if we realize this is coming soon. I think that's what we should do. I don't think there is anybody advocating right now to change the whole cryptography. Correct me if I'm wrong.

​

All of it, no. But deploying hash-based, I would urge rather fast. Hash-based is actually much older than elliptic curve cryptography. The first Lamport signatures are from 1979, and it's information-theoretically secure up to breaking hashes. So it's as secure, or more secure, than mining.

​

But it's so inefficient. Lamport signatures?

​

Yeah, it's inefficient. But if you have a pot of $10 billion, it's probably worth it. You don't need to deploy it for everyone. I don't think it's reasonable to deploy for everyone.

​

I actually want to tap on that, because I think it's really important and people miss it. The size of your UTXO affects how affected by quantum you might be. Even if quantum computers come along, they'll start out expensive. If you have $500, who's going to use a quantum computer to break that? Not for a very, very long time. But if you have Strategy's holdings, it's a very different story. There's a huge range of how affected you are, and how soon, in this quantum attack theory.

​

Brandon, is that an argument for UTXO splitting? Don't we usually try to get people to use a limited number of UTXOs as possible?

​

There's always a balance. We tell people to use around a million sats per UTXO, and I think that kind of holds. It's going to be a pretty long time before your million-sat UTXO is threatened by quantum. But if you put 10 coin in a UTXO, you might be threatened sooner.

​

That's a good segue into the Satoshi's coins conversation, where you have several 50 Bitcoin UTXOs just hanging out in quantum-vulnerable addresses. This is arguably potentially the biggest vulnerability, according to some. It's not necessarily the post-quantum signatures, but the fact that not all of these coins will migrate to post-quantum signatures. Probably Satoshi's coins will not migrate. What do you do about that? How should we handle that situation? What do we do with quantum-vulnerable abandoned coins?

​

It may not be the biggest. Coinbase has around a million Bitcoin, and BlackRock has Bitcoin. They're probably the biggest target at first.

​

And they reuse addresses.

​

If you have a quantum computer, it takes a while to burn through it. But psychologically, it's extremely damaging if Satoshi's coins move without expecting it. There are not that many solutions. Either we accept the move, or if we expect it would create too much volatility, they can be frozen or put back into circulation. There are pretty much only those solutions. Likely there are going to be forks. People will view them as airdrops, and big markets will choose. I prefer markets to be able to choose freely.

​

I beg to differ, because there are middle solutions. I think the hourglass, where you say, "Okay, we are now aware that there is a CRQC out there. Any movement that could be defeated by a quantum attacker is allowed to spend at most one bitcoin per block." Maybe you found your grandfather's private key buried somewhere; the money is not lost, but you don't get to cash it in immediately. You need to drip it slowly. There's a plethora of solutions that need to be discussed. I think both freezing the funds or just letting the market decide are not the only options.

​

Basically what I'm hearing is freeze, liquidate, or rate limit.

​

Yeah, I think rate limit is the way to go.

​

Surprisingly, on this one, I completely agree with everything Luke said. I don't think the market will decide. I think we should expect there to be forks. I did a whole talk at Bitcoin++ about fork maximalism. Basically, we should accept chain splits and forks. We're going to have to as these things progress.

​

As a balance, if you freeze or do an hourglass, it will absorb some of the volatility. Effectively, the number of forks increases, but once the volatility has passed, it's going to be like Bitcoin Cash. It will converge back to one called Bitcoin. There will be a period of volatility. If post-quantum signatures are deployed, the dynamics of the system will stabilize at some point.

​

Also, saying "the market will decide" is almost an empty saying because the market can always fork Bitcoin. The market always decides. But if we have an idea that we discussed, maybe we can experience a bit less volatility.

​

Does it stand to reason that when you say the market will decide, it seems pretty clear what the market will decide? Wouldn't it stand to reason that it would decide whatever has the lowest supply cap for Bitcoin, whatever isn't flushing 2 million coins into the market all at once and bumping up supply? You don't think so?

​

I don't think so. Bitcoin has the longstanding value of the rules being hard to change. If we do a soft fork against Satoshi's coins or some other quantum-vulnerable coins, we're fundamentally changing the contract of Bitcoin in a way that, at least to me, would make it close to worthless. I know I'm probably not alone on that. I could very easily see the opposite being the case: despite the dumping of Satoshi's coins on one side, the market would choose the other side because that preserves the original qualities of Bitcoin.

​

The market of pleb Bitcoin maximalists versus the market of ETFs and institutional asset holders?

​

I think the ETFs are the same thing. To them, the value of Bitcoin is its hardness to change. You can talk to some of them about that stuff.

​

Hot take.

​

When it comes to values, "not your keys, not your money" means, "yes your keys, yes your money." It's also a value. I don't see rate limiting as philosophically against what Bitcoin is.

​

You don't? Say that again.

​

I don't, because I think part of the values of Bitcoin is that if you have your private key and you kept it safe, nobody is supposed to take your money.

​

I'm curious if you think this is the first time that we have institutional players really getting into the Bitcoin governance conversation, and really starting to have an opinion about technical decisions in Bitcoin. Historically, that's not been the case. We're also new to having major institutional asset holders in the first place. Do you see this as a good thing, a bad thing, an inevitable thing? What's your take on corporate players being more invested in this conversation than they have been in previous technical conversations in Bitcoin?

​

It's part of the adoption. The current wave of adoption is the risk managers at those institutions. At some point, Bitcoin will make its way into retirement funds and bigger pools of money. That's part of the adoption story. Those people are part of the ecosystem.

​

I think it's inevitable, and also in some ways potentially beneficial, because Bitcoin needs better attackers. Having them out there almost pushes Bitcoin to be better.

​

To be honest, it eventually would have happened anyway. I don't think these big players have a lot of say. They don't finance developers. They don't tell developers what to do. They're just enjoying the fruits of the developers' labor.

​

I'm curious if you have opinions about indirect vulnerabilities to Bitcoin that are just from the FUD associated with quantum. If quantum never arises but we're having these conversations for the next 20 years, is that fundamentally better than us not having the conversations because at least we're prepared for something that could potentially happen? Are there downstream effects related to the FUD on adoption? Is that potentially a reason in and of itself to fix the problem? Just the fact that all this FUD is happening and it could be affecting adoption, is that a legitimate reason to move forward with mitigation strategies?

​

I echo what Pierre said earlier. There are other things that could break Bitcoin's cryptography. It's not only a possible quantum computer. We should absolutely be continuing to do this research on better cryptosystems for Bitcoin and new cryptosystems for Bitcoin. In the long run, the FUD is helpful in pushing that forward. Short term, it might suppress the price a little bit, but that's a short-term concern, not a long-term concern.

​

I'm glad we're doing the research. BIP 360 that you worked on is a great example of a thing we can start doing right now that's an obviously good change for Bitcoin. I want us to pursue all of the obviously good changes, whether it's for post-quantum or post-classical or whatever.

​

The upgrade is an interesting exercise because consensus building on a decentralized system to upgrade the public has never been done. We don't know if it's possible, but if it's possible, I think it's through some process of consensus building that it's going to be achieved. I don't think the FUD is counterproductive here. It's tempering Bitcoin in the forge.

​

I mostly would like people to stop asking, "But what about quantum?" I could point them here and then continue with the conversation.

​

Final fire round. Any quantum vulnerabilities, anything that you think could come up around this topic that people aren't thinking about, a vulnerability that people are underestimating, or something we should be considering in this conversation that you're not hearing enough about?

​

We didn't talk about the risk of post-quantum crypto introducing a new vulnerability into Bitcoin's code. Some of these things are a lot of code to add. Think about that as well.

​

On the side of stateful signatures, like hash-based signatures, it will introduce some social attacks. If you sign a message and the opposite of the message, you're leaking your key. Social attacks could happen through that. It must be thought about very carefully.

​

I think for wallets and other supporting things in the ecosystem, people might panic and mistakes can arise there because they'll feel, "Oh my God, we have to do this really quickly." This is where problems arise. Suddenly the problem is before you even get to the blockchain, it's one step before, and it's all gone anyway.

​

All right. That's all we got. Thank you guys so much. This was awesome.