THE NATURE OF THE PROBLEM

The most obvious explanation for the lack of clamor around this topic in the world of cryptocurrencies is an understandable ignorance that it is even worth discussing in the first place. However, for those investors, developers, and enthusiasts who have stumbled across mentions of quantum computing’s role in the future of cryptocurrency, the line of thinking may instead be something like, “Bitcoin’s developers have already thought about this and have a plan to take care of it when the time comes.” Is that really the case? Let’s see how the core developers themselves think about the subject.

A thread on the bitcoin-dev mailing list titled ‘Transition to post-quantum’ began on February 15, 2017, with Tristan Hoy and Tim Ruffing laying out what is known as a commit-delay-reveal transaction scheme [14]. Adam Back, renowned cryptographer and Blockstream CEO, has proposed a similar mechanism [15].

To understand what this entails, we must first appreciate the specific threat this method is meant to combat.

The essential problem is this. If Bitcoin changes nothing, then eventually every output whose public key is visible on the chain will have its private key derived from that public key by a quantum computer running Shor’s algorithm. This includes very old pay-to-public-key outputs (Satoshi’s among them), which carry the public key directly, as well as every address that has been spent from, since spending publishes the public key and any coins later sent back to that address remain exposed. The owner of that quantum computer could then simply use the derived private keys to send bitcoin from those outputs to themselves. A transition to a post-quantum signature algorithm does not by itself solve this problem: coins that stay in old elliptic-curve outputs can still be spent by whoever derives the old private key, and an attacker holding those keys can claim the balances under the new scheme exactly as the legitimate owner would. An alternative method of attack would be to short bitcoin and then make this vulnerability public, crashing the value of bitcoin and enriching themselves in the process.

The commit-delay-reveal scheme is meant to help Bitcoin address these challenges. It works in three steps. First, the user generates a new key pair under a post-quantum signature algorithm and publishes a commitment: a hash that binds their old public key to the new post-quantum key (together with a secret nonce) and by itself reveals nothing about the old key. Second, they wait out a predefined delay period (which the authors in [10] suggest should be approximately 6 months), long enough that the commitment is buried too deep to be reorganized away. Third, they reveal the old public key, the new key and the nonce, along with a signature made with the old private key; nodes accept the transfer only if a matching commitment has been in the chain for at least the delay period. An attacker who first sees the public key at the reveal step can derive the private key from it, but cannot produce a commitment old enough to be honoured, so the coins move to the destination the legitimate owner committed to. Note that this only protects coins whose public key is still hidden behind a hash; for an output whose key is already on the chain, the attacker can run the same commit-delay-reveal procedure first.
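As an added illustration that is not part of the original article or of any of the cited proposals, the following Python simulation plays out the three steps against a quantum adversary. The old key uses Schnorr signatures over a deliberately tiny prime-order group so that a brute-force discrete-log search can stand in for Shor’s algorithm; the group parameters, the six-month delay expressed as 25,920 blocks, the post-quantum destination key (an opaque 32-byte placeholder, since the reveal is authorised by the old key), and the consensus rule in Chain.reveal are all assumptions of this toy, not Bitcoin’s actual consensus rules.

```python
"""Toy commit-delay-reveal simulation (added example; stdlib only).
The 'old' key is a Schnorr key over a tiny prime-order group standing in for
secp256k1; brute-forcing its discrete log stands in for Shor's algorithm.
Nothing here is secure, and the ledger is not Bitcoin's consensus code."""
import hashlib
import secrets

# Assumed toy group: p = 2q + 1 with q prime; g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4
DELAY_BLOCKS = 6 * 30 * 144   # assumed "six months" at ~144 blocks per day


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    """Return (private scalar, public group element)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Schnorr signature (e, s) under private scalar x."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h_int(r.to_bytes(2, "big"), msg) % Q
    return e, (k + e * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, Q - e, P)) % P   # g^s * y^-e recovers g^k
    return h_int(r.to_bytes(2, "big"), msg) % Q == e


def shor_stand_in(y: int) -> int:
    """Recover the private scalar from the public key by exhaustive search."""
    for x in range(1, Q):
        if pow(G, x, P) == y:
            return x
    raise ValueError("public key not in the subgroup")


def commitment(old_pub: int, new_pq_pub: bytes, nonce: bytes) -> bytes:
    """Hash binding the still-hidden old key to the chosen post-quantum destination."""
    return hashlib.sha256(b"cdr|" + old_pub.to_bytes(2, "big") + new_pq_pub + nonce).digest()


class Chain:
    """Minimal ledger tracking only height, commitments and migrated keys."""

    def __init__(self):
        self.height = 0
        self.commits = {}    # commitment -> height at which it was mined
        self.spent = set()   # old public keys whose coins have been migrated

    def mine(self, blocks: int = 1):
        self.height += blocks

    def publish_commit(self, c: bytes):
        self.commits.setdefault(c, self.height)   # earliest inclusion counts

    def reveal(self, old_pub: int, new_pq_pub: bytes, nonce: bytes, sig):
        """Assumed consensus rule for the reveal step; returns (accepted, reason)."""
        if old_pub in self.spent:
            return False, "already migrated"
        c = commitment(old_pub, new_pq_pub, nonce)
        mined_at = self.commits.get(c)
        if mined_at is None:
            return False, "no matching commitment"
        if self.height - mined_at < DELAY_BLOCKS:
            return False, "delay not elapsed"
        if not verify(old_pub, c, sig):
            return False, "bad signature"
        self.spent.add(old_pub)
        return True, "migrated"


def scenario() -> dict:
    """Honest owner migrates; a quantum adversary tries to front-run the reveal."""
    chain = Chain()
    x_old, y_old = keygen()                       # y_old still hidden (hashed address)
    my_pq, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    c = commitment(y_old, my_pq, nonce)
    chain.publish_commit(c)                       # 1. commit: leaks nothing about y_old
    chain.mine(DELAY_BLOCKS - 1)                  # 2. delay
    too_early = chain.reveal(y_old, my_pq, nonce, sign(x_old, c))
    chain.mine(1)
    # 3. the reveal is broadcast, so y_old is now public; the adversary derives
    #    x_old and races to redirect the coins before the honest reveal is mined.
    x_stolen = shor_stand_in(y_old)
    thief_pq, thief_nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    c_thief = commitment(y_old, thief_pq, thief_nonce)
    chain.publish_commit(c_thief)                 # mined now, not six months ago
    theft = chain.reveal(y_old, thief_pq, thief_nonce, sign(x_stolen, c_thief))
    # Reusing the owner's commitment with a different destination does not match it.
    replay = chain.reveal(y_old, thief_pq, nonce, sign(x_stolen, c))
    honest = chain.reveal(y_old, my_pq, nonce, sign(x_old, c))
    late = chain.reveal(y_old, thief_pq, thief_nonce, sign(x_stolen, c_thief))
    return {"key_recovered": x_stolen == x_old, "too_early": too_early,
            "theft": theft, "replay": replay, "honest": honest, "late": late}


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:14s} {outcome}")
```

The decisive check is the age of the commitment, not the signature: the adversary does recover the private key, but by the time it learns the public key any commitment it can publish is six months too young. The replay case also shows why the commitment must bind the destination key, otherwise the adversary could reuse the owner’s buried commitment with its own destination.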

That is the most rigorous solution available. Unfortunately, it has several crucial flaws. First, not only do those funds become unusable for a long period of time, but the process significantly bloats the blockchain [14] and may be too technically challenging for less savvy holders of bitcoin. Second, whether a commit-delay-reveal scheme is implemented or not, bitcoin residing in vulnerable addresses whose private keys are lost will be stolen anyway, since nobody is left to migrate it. Ultimately, those funds can still be dumped on the market by an attacker who simultaneously shorts bitcoin, as described above.

Bitcoin’s developers have also considered stopgap measures. A bitcoin-dev discussion from December 14, 2018 [16] suggests adding the capability to generate addresses based on larger elliptic curves (e.g., 381-bit instead of 256-bit), which would require roughly 150% as many logical qubits as the present curve to crack efficiently via Shor’s algorithm, since the qubit count scales roughly in proportion to the key length. Of course, these measures do not solve the fundamental problem of relying on elliptic-curve digital signatures at all; they only raise the bar. Like the commit-delay-reveal scheme, these mechanisms also rely on individual users opting in to the more secure signatures, leaving millions of bitcoins behind in vulnerable addresses.

This threat may end up being existential. It is also not limited to Bitcoin — indeed, it imperils the future of nearly every single cryptocurrency in existence today. In order to be immune to quantum computing attacks, a cryptocurrency must have utilized a post-quantum signature algorithm from its inception. Several examples already exist, and more will inevitably follow in the years to come. Heavily centralized altcoin projects may also have a fighting chance to make it over this hump.