Quantum Migration BIP #1895
Excellent BIP, I like the way you laid out the case here.
bip-post-quantum-migration.mediawiki (comment on an outdated revision):
| 3 years after BIP-360 implementation.
|-
| B
| At a predetermined block height, nodes reject transactions that rely on ECDSA/Schnorr keys.
I'd be interested in an expanded rationale for the approach of rejecting transactions that rely on ECDSA/Schnorr keys vs freezing quantum vulnerable outputs.
Bitcoin's current signatures (ECDSA/Schnorr) will be a tantalizing target: any UTXO that has ever exposed its public key on-chain (roughly 25% of all bitcoin) could be stolen by a cryptographically relevant quantum computer.
The approach you propose would definitely prevent more theft long term. What is the delta between this and freezing all quantum vulnerable outputs in terms of vulnerable bitcoins?
Is the mechanism to determine if a transaction is rejected whether OP_CHECKSIG appears in the script?
If someone did a Schnorr CHECKSIG and a PQ signature CHECKSIG_ML, would that be rejected? Probably right, that would be the simpler check.
Added more details to say reject any of the checksig opcodes. I suppose the logic could be "reject all checksig opcodes unless there is also a checksig_ml opcode" if we felt like someone might footgun their funds.
That's a good approach since you can still have Schnorr OP_CHECKSIG tapscripts in tapleafs without breaking OP_CHECKSIG_ML tapscripts.
This would break OP_CAT based covenants since they use OP_CHECKSIG in a quantum safe way to verify the txhash of the transaction on the stack. This suggests that if we want OP_CAT, we probably also want OP_PUSH_TXHASH so that people don't use OP_CHECKSIG for covenants.
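As an added illustration of the rejection rule the comments above discuss (reject any script containing a checksig opcode, versus the variant that tolerates a classical checksig when a CHECKSIG_ML is also present), here is a small Python example. It is not code from the BIP, this PR, or Bitcoin Core. OP_CHECKSIG_ML is hypothetical and its opcode value 0xBB is an assumed placeholder; the keys and scripts are constructed. It goes one step beyond the thread by showing why such a check must walk push opcodes rather than scan raw bytes: a 0xAC byte inside a pushed public key is otherwise mistaken for OP_CHECKSIG.

```python
# Added example: tokenize a Bitcoin script and apply the two candidate
# Phase B rejection rules discussed in this thread. Not code from the BIP,
# the PR, or Bitcoin Core. OP_CHECKSIG_ML is hypothetical (0xBB is an
# assumed placeholder value); all keys and scripts below are constructed.
from typing import List, Set, Union

OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
OP_CHECKSIG, OP_CHECKSIGVERIFY = 0xAC, 0xAD
OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY = 0xAE, 0xAF
OP_CHECKSIGADD = 0xBA
OP_CHECKSIG_ML = 0xBB  # ASSUMED placeholder for a post-quantum checksig opcode

# Every opcode that verifies an ECDSA/Schnorr signature (quantum-vulnerable).
CLASSICAL_CHECKSIG: Set[int] = {
    OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG,
    OP_CHECKMULTISIGVERIFY, OP_CHECKSIGADD,
}

Token = Union[int, bytes]  # an opcode, or the data a push opcode carries


def tokenize(script: bytes) -> List[Token]:
    """Walk a script, consuming push data so its bytes are never read as opcodes."""
    tokens: List[Token] = []
    i, n = 0, len(script)
    while i < n:
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:                      # direct push of `op` bytes
            size = op
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4):
            width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}[op]
            if i + width > n:
                raise ValueError("truncated PUSHDATA length")
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        else:
            tokens.append(op)                    # a real opcode (OP_0, OP_CHECKSIG, ...)
            continue
        if i + size > n:
            raise ValueError("push data runs past end of script")
        tokens.append(bytes(script[i:i + size]))
        i += size
    return tokens


def opcodes(script: bytes) -> Set[int]:
    """The set of opcodes actually executed, ignoring pushed data."""
    return {t for t in tokenize(script) if isinstance(t, int)}


def phase_b_strict(script: bytes) -> bool:
    """Rule as first worded: valid only if no classical checksig opcode appears."""
    return not (opcodes(script) & CLASSICAL_CHECKSIG)


def phase_b_lenient(script: bytes) -> bool:
    """Variant: a classical checksig is tolerated when OP_CHECKSIG_ML is also present."""
    ops = opcodes(script)
    return not (ops & CLASSICAL_CHECKSIG) or OP_CHECKSIG_ML in ops


def naive_byte_scan_flags(script: bytes) -> bool:
    """What NOT to do: a raw byte scan 'finds' opcodes inside pushed keys."""
    return any(b in CLASSICAL_CHECKSIG for b in script)


# Constructed keys; both deliberately contain the byte 0xAC (OP_CHECKSIG).
EC_PUBKEY = b"\x02" + bytes(range(0xA0, 0xC0))            # 33 bytes
PQ_PUBKEY = bytes((0xAC + k) % 256 for k in range(1200))   # 1200 bytes


def push(data: bytes) -> bytes:
    """Encode a data push (direct push up to 75 bytes, PUSHDATA2 beyond)."""
    if len(data) <= 0x4B:
        return bytes([len(data)]) + data
    return bytes([OP_PUSHDATA2]) + len(data).to_bytes(2, "little") + data


SCRIPT_CLASSICAL = push(EC_PUBKEY) + bytes([OP_CHECKSIG])
SCRIPT_PQ_ONLY = push(PQ_PUBKEY) + bytes([OP_CHECKSIG_ML])
SCRIPT_MIXED = (push(EC_PUBKEY) + bytes([OP_CHECKSIGVERIFY])
                + push(PQ_PUBKEY) + bytes([OP_CHECKSIG_ML]))

if __name__ == "__main__":
    for name, s in [("classical", SCRIPT_CLASSICAL),
                    ("pq-only", SCRIPT_PQ_ONLY), ("mixed", SCRIPT_MIXED)]:
        print(f"{name:9s} strict={phase_b_strict(s)} lenient={phase_b_lenient(s)} "
              f"naive_scan_flags={naive_byte_scan_flags(s)}")
```

The pq-only script is the instructive case: it contains no classical checksig opcode at all, yet the naive byte scan flags it because the pushed key happens to contain 0xAC. The mixed script is the footgun case from the thread, rejected by the strict rule and accepted by the lenient one.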
Not necessarily. Operating quantum computers costs a lot. For example no one will run computations if it costs 100M to break a UTXO worth 50M. Of course with technological and algorithmic improvements the cost of breaking a key will go down. But as costs go down each quantum-computer owner is faced with a dilemma, they:
Due to game-theory we can expect quantum-computer-owners to go for option 1. They won't go for option 2, because they don't know if other players will also go for option 2. It introduces race-to-the-bottom dynamics between competing players in which cost-to-break-UTXO approaches value-of-the-UTXO. Does it seem similar to something? Yeah, bitcoin mining in which average-cost-to-mine-one-bitcoin approaches value-of-one-bitcoin. Quantum UTXO hacking can be framed as another parallel process of proof-of-work mining, but with the quantum-computers instead of SHA hashing chips. And as such I don't think it is something to deem negative.
If the threat were real (super-positional whether it is or not), that is the incentive. Forced movement is a non-starter, one's desire to quantum-proof their key does not impart a responsibility on anyone else.
No one can be forced to move their coins to quantum safe signature schemes. On the flip side, no one can be forced to accept coins from quantum vulnerable signature schemes.
Thanks, this looks great for a first showing. There are a few minor editorial details I noticed, and one aspect regarding BIP 360 (which I see that Ethan also pointed out).
If true, the corollary is:
"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."
Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone.
This is an opinionated framing of the situation. I believe I provided another framing of it as "additional proof-of-work mining along SHA-pow-mining" (see #1895 (comment) ).
I suggest we keep the BIP as neutral as possible without inserting arbitrary framing that conveys some specific opinion whether something is positive or negative.
That framing is unfounded, because miners are paid to publish updates to Bitcoin’s blockchain, while there is no direct benefit to the Bitcoin ecosystem to incentivize quantum computer development by allowing quantum computer operators to misappropriate funds.
If you receive abandoned coins that you suspect were stolen by QC, you can burn them. No one is forced to honor them. You're not afraid people will be forced to accept coins, but that they will happily accept them. This undermines your previous argument. This is not a technical BIP, it's a vanity one trying to impose a view on the market.
A functional QC would effectively be winner-take-all for coins; candidates in the running to have it already have access to a material number of coins (Google, Microsoft have countless passwords, emails, 2FA to custodial platforms and password managers containing seeds, backdoored OSes, soft keyboards... etc). A QC could also sign for any software distribution as it could bitcoin keys, enabling untold new backdoors into systems. There's no change to Bitcoin that can protect Bitcoin from a QC threat (hoax) because Bitcoin is not the only link in the chain.
Quantum sweeping does not generate consensus, it only funds quantum. Quantum computing isn't bad in itself, it will advance material science far beyond what can be done with classical supercomputers. But it's a mess for everyone if it ends up crashing crypto in the process, so it's better to close as much of the surface of attack as possible to make sure we don't end up with wicked incentives.
There is no way to know, those transactions are indistinguishable from legit ones, the attacker is literally signing with your private key.
A functional CRQC will be expensive ($1B-$10B) and only break a finite number of keys per year, it's not infinitely powerful which means that their use will be driven by incentives. The Bitcoin community must decide if they want to be the exit liquidity of quantum computing companies. This BIP proposes a way to reduce the surface of attack as much as possible.
A lot of links in the chain have started upgrading.
I read about your BIP on CoinDesk. It's mind-blowing and thank you for leading the way. Post-quantum migration should be pro-active rather than reactive.
Please keep the comments focused on technical review -- thank you.
'''Phase A''': Disallows sending of any funds to quantum-vulnerable locking scripts…
'''Phase B''': Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs.
This BIP is hostile for the Bitcoin community and the entire Bitcoin network because it is saying that you can't spend in the future non-quantum compatible funds.
I think @jlopp also needs a disclaimer, see: https://qb.tc/team
Simultaneously, this BIP is hostile for quantum capable adversaries because it is saying that you can't steal bitcoin with your fancy computer.
When I wrote my initial essay 4 months ago I was not collaborating with anyone. This BIP is a continuation of those same ideas I came up with independently.
NOTE: As a miner starting in November of 2013 who has invested more into the ecosystem than most... When I invested in the QBTC team (Great team, all Bitcoiners by the way) it was because we agreed with Lopp's essay and we reached out to collaborate. Q-day is coming sir and Lopp's proposal is the best I have seen and should be supported.
Openly saying that we can't spend in the future non-quantum compatible funds is hostile for the Bitcoin community and the Bitcoin network! If I have Bitcoin from 2011, will I not be able to spend it in the future or receive Bitcoin to my address?
I've attempted to remove the ad hominem and replies to it. @1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw, there's no need to repeat the same argument. Let's keep discussion here focused on technical review of the BIP itself.
@jonatack he proposed nothing technical in nature. He just wants us to not be able to spend our Bitcoins in the future. I find not a single technical proposal in this BIP draft.
False. In the event that quantum computers become a reasonable threat, I want people not to be able to spend their coins in a manner that is indistinguishable from quantum theft. As such, I want spending restricted so that it requires a quantum safe cryptographic proof accompanying it.
You don't have to restrict any spending! That is just absurd. You should instead just propose hybrid addresses that are quantum resistant and also backwards compatible with ECDSA. I also don't understand what this rush is. You seem like someone who very much would like to enforce on us the "spending restriction". Quantum computers would need ≥ 1 million physical qubits and these must be logical qubits (error-corrected). We are very, very far from any quantum computer that would pose a threat to Bitcoin. Estimates suggest this kind of quantum computer would exist after the year 2040. So there is no need to rush and block transactions now just because you're afraid of imaginary quantum computers.
This BIP has no intention of addressing the separate issue of what post quantum cryptographic scheme to implement.
This BIP has no intention of addressing the separate issue of when to implement a post quantum cryptographic scheme. This BIP only addresses the migration and incentives issues that arrive AFTER those questions have been resolved. In short, it sounds like you have not comprehended the actual timeline and preconditions of activating this BIP.
You're free to propose a BIP to compete with BIP-360 and then we'd evaluate how it would affect the need for this BIP.
I strongly consider it.
@jlopp Will send it now to the mailing list before opening a new PR.
@jlopp The mailing list is not showing our email, even though we’re members of the group. Would it be acceptable to proceed with a PR directly, or is mailing list discussion still required?
Let me see if I've got this straight. After a multitude of comments claiming that restricting spending and freezing funds is absolutely unconscionable and unnecessary because there are other solutions, your proposal is effectively a slightly modified rewrite of my proposal that still restricts spending and ultimately freezes funds? Whatever happened to
I struggle to justify spending any more time on this conversation as I simply can't take it seriously.
There is a significant difference between your BIP and our BIP. Your BIP proposal states:
In contrast, our BIP allows the spending of classical UTXOs for up to 8 years after activation. (After the first 5 years, users receive error prompts when sending from classical UTXOs, but the funds remain spendable.) In other words, you propose to immediately block all spending/receiving from classical UTXOs upon activation—which is an unreasonable approach.
@1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw: Thank you for taking the time to compile your own variant of @jlopp’s proposal. It appears to have helped you better understand the approach taken in this proposal. Skimming your draft, the main difference appears to be a slightly altered timeline, as your proposal aims to start restricting spending of non-PQ output types after eight years from an undetermined time zero, and @jlopp’s proposal proposes to do so 3 years after PQ signatures have been deployed without guessing at the timeline for this prior work. Discussing the timeline of this proposal and making alternative suggestions is well within the scope of review for this proposal, so it is unclear what benefit opening a duplicate proposal would provide at this time. As the Bitcoin Developer mailing list is moderated, it might take a moment for your email to go through. Please feel free to open a pull request, if the discussion on the mailing list results in an evolution of your proposal that significantly differs from this proposal to a point where other mailing list participants encourage you to put it up for consideration separately.
This is word salad, the point of distinguishing physical qubits from the logical ones is that they are not the same. It takes 2500 logical qubits to break 256-bit ECDLP, which translates into about 40k to 900k physical qubits. All roadmaps hit that milestone around 2029-2031.
You're making up numbers, this is worthless.
@1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw and @pldallairedemers: The scheme you are discussing is orthogonal to this proposal. In this PR, please focus on technical review of the document proposed here. |
Banned @1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw for 7 days for continuing to be off-topic after warning. In this PR, please contribute technical review for this proposal. Whether the proposal should be adopted by the community is a separate conversation that is not on-topic here. |
Initial draft of a proposal for how to incentivize migration to post quantum cryptography and safeguard the ecosystem from unnecessary inflation of the circulating supply and the economic turmoil likely to accompany such an event.