Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Merits 1 from 1 user
Re: Bitcoin must upgrade or fall victim to quantum computing in 5 years
by
d5000
on 17/06/2025, 02:36:28 UTC
⭐ Merited by vapourminer (1)
Quote from: Btcalysis on June 14, 2025, 05:50:03 PM
What are bitcoin developers doing about it?
I agree with most others that we're much farther away but I've recently started a thread exactly about that topic (a possible BIP to integrate post-quantum cryptography) so I'm trying to answer that ...

As far as I have interpreted the discussion in the Bitcoin mailing list about that possible BIP, the problem is that there are currently several competing post-quantum cryptography schemes, and some of them like FALCON look relatively convenient to integrate now into Bitcoin already, but some devs suspect these schemes could become obsolete quite fast, and then another transition to another scheme would be necessary.

Other algorithms like SPHINCS+ are seen as possibly more future-proof, but they require enormous signatures, which would make Bitcoin transactions require 20 or more times more space than now.

Thus for now it is unlikely that any action would be taken by the Bitcoin devs in that direction, until it becomes clearer which post-quantum algorithm is really secure and future-proof enough.

The guy who proposed "BIP 360" suggested to integrate more than one possible algorithm, so people can choose freely. But there's this argument against that also was mentioned by @achow101 (a highly knowledgeable developer) in the other thread: if even one of these algorithms is broken, then a lot of damage could happen if many users had used that scheme and several wallets are "emptied". It's better if cryptographers choose a scheme when it is considered secure.

So basically, the problem for now is that post-quantum cryptography seems to be still too immature to already commit to one scheme in 2025. Perhaps in 2-3 years this could change. But in 2025 the best advice is simply to not re-use addresses.


To those with a bit more knowledge, I got just a shower thought: what if you commit, in addition to an ECDSA public key, to a long secret phrase in a P2(W)SH transaction, like in a HTLC? Would this approach also be vulnerable to quantum computing or improve the security? It could be an option for cold wallets if it works. But I probably am missing something because that would be a quite low hanging fruit ...