[HN Gopher] Quantum Resistance and the Signal Protocol
___________________________________________________________________
Quantum Resistance and the Signal Protocol
Author : dm
Score : 193 points
Date : 2023-09-19 16:02 UTC (6 hours ago)
(HTM) web link (signal.org)
(TXT) w3m dump (signal.org)
| sdeframond wrote:
| I am a bit puzzled: governments and big corp are pouring indecent
| amounts of money in developing quantum computers, which main
| application, afaict, is to break cryptography.
|
| ...and this is defeated by changing our algorithms ?
|
| Whats the use in developing quantum computers then?
| contact9879 wrote:
| The use is all the other applications of quantum computers that
| aren't breaking cryptosystems
| Boogie_Man wrote:
| Actively resisting _future_ attackers and hardware is an
| incredibly forward-thinking thing to do, bravo. _How long_ into
| the future is an achievable and desirable duration for encryption
| (barring any rapid, unforeseen paradigm shift)? If ten years is
| acceptable for declassification of standard documents in the US,
| is this a reasonable target for day to day signal chats?
| candiddevmike wrote:
| Maybe we need a statute of limitations for encrypted data to
| help with future proofing/make the collection useless in a
| court of law? If you go to lengths to encrypt your data, there
| should be some current and future expectation of privacy around
| it, even if someone can decrypt it.
| Boogie_Man wrote:
| To my understanding, despite variance from state to state, a
| general "rule of thumb" for the statute of limitations
| outside of "the big R" and "the big M" is ten years. This
| squares with the generic declassification timetable. I can't
| think of anything I'm genuinely upset about from more than a
| decade ago. I feel that I am an almost completely different
| person than I was a decade ago. If I found out someone robbed
| a bank ten years ago I'd be more inclined to think "That's
| wild, how did that go?" than I am "Oh no this guy is going to
| rob me".
| JanisErdmanis wrote:
| It is good that they kept the classical crypto along. However,
| the general tendency towards quantum-resistant cryptography
| leaves me puzzled. From my perspective as a physics PhD graduate,
| I firmly believe that a quantum computer capable of breaking
| public key crypto will never be built. This is because as you add
| more qubits, there's increased interference between them due to
| the additional connections required.
|
| It's similar to how FM radio works: there's a main frequency and
| several sidebands. When you adjust the tuner to pick up a
| station, you're essentially "interacting" with the corresponding
| station. But if there are too many stations, you may no longer be
| able to hear the music, and as a result, there would be only a
| static noise present.
|
| This leads me to a somewhat cynical conspiracy. Imagine the
| moment when a curious government agency realises that building a
| quantum computer for this purpose is a futile endeavor. Instead
| of admitting this, they could perpetuate the idea that its
| construction is just around the corner. Then, act as a wolf in
| sheep's skin and introduce everyone to quantum-resistant
| solutions, which are unfortunate to have secret hidden backdoors
| by having done more advanced research on them. Has anyone thought
| about this?
| coppsilgold wrote:
| AFAIK no one is transitioning to PQC algorithms by abandoning
| classical ones. They concatenate classical and PQC - so-called
| hybrid.
| JanisErdmanis wrote:
| I agree with this. My concern only applies if the classical
| crypto gets deprecated or new solutions use PQC exclusively,
| using widespread hybrid use as an argument for trust.
| kickopotomus wrote:
| It seems that your primary concern is that the government
| (or some bad actor) will be able to install a backdoor into
| PQC algorithms. Is that right? Why would PQC be more
| exposed to this type of subversion than existing public-key
| cryptography?
|
| To your point about PQC being used exclusively, post-
| quantum encryption methods are designed to be resistant to
| both quantum and classical attacks. That is one of the key
| stated goals of the NIST post-quantum cryptography program.
| eigenket wrote:
| People have already said here most of what I want to say in
| this comment, but just to make it as explicit as possible:
|
| Essentially the only reason anyone thinks that useful quantum
| computation is possible is because of things called threshold
| theorems, which state that as long as the noise in each qubit
| is less than some small but non-zero error rate you can add
| more qubits and use quantum error correction to make your
| computation arbitrarily precise. In other words as long as
| you're below the threshold rate quantum computers scale well.
|
| Of course those threshold rates are very very small, and
| creating significant numbers of qubits which are below the
| threshold rates is incredibly difficult, but theoretically it
| works.
| upofadown wrote:
| >...as long as you're below the threshold rate quantum
| computers scale well.
|
| Last I heard, getting below that threshold was going to take
| one or two orders of magnitude of noise improvement. That
| seems unlikely.
|
| Say you were at a VC presentation and the company said that
| they had this really great system and the only thing stopping
| their immense success was the requirement to reduce the noise
| by an order or two of magnitude. Oh, and by the way, we
| already have the system very close to absolute zero. So you
| ask them what they are planning to do and they tell you that
| they don't have the faintest idea. Noise is always the
| ultimate limit on the information that can be obtained from a
| system. The most reasonable interpretation of the situation
| is that a technology doesn't exist and that there is no
| reason to think it would ever exist.
|
| But when it comes to quantum computers the optimism is
| boundless. I am not sure why.
| krastanov wrote:
| Doesn't your argument apply to classical bits too? The more
| interconnected a classical bit is, the more parasitic coupling
| it will experience. That used to be an argument used against
| the feasibility of classical computers in the 40s (until von
| Neumann published work on fault tolerant classical computing).
|
| Both classical and quantum computers (1) can not "scale"
| without error correction because of analog noise (although it
| is less crucial on the classical side), but (2) can be built
| with error correction codes integrated in them to overcome that
| noise.
|
| Also, you do not need all-to-all connectivity between your
| qubits (or bits) to build a scalable quantum (or classical)
| computer.
|
| Edit: To add to your FM radio metaphor: you can have way more
| FM radio channels if each channel is on a separate coax cable
| (or in physics speak, if you multiplex not only by frequency
| but by spatial mode). No need to have all your qubits be
| controlled by the same optical or microwave mode, you can have
| physically separate control lines for each qubit and then
| eliminating cross-talk is as simple as inverting an n-by-n
| matrix.
| eigenket wrote:
| Yes. In fact the proofs that quantum error correction works
| as long as you're below a certain error rate (so-called
| "threshold theorems") are very, very similar to the same
| proofs that error correction works in classical computers.
| andyferris wrote:
| To add to the sibling comment, the reason our classical
| computers work is because the individual transistor errors in
| your CPU are basically zero.
|
| We do use "error correction" on storage (and do see bit
| errors creep into data stored on disk and in RAM over time)
| but not "fault tolerance" on the compute. In fact there is no
| such thing as fault-tolerant classical compute - the CPU only
| works if it's "perfect" or "near perfect" (or if you had an
| ancillary computer that was perfect to implement the
| correction). Note that occasionally computers do crash due to
| a bit error in your CPU, or you get an "unstable" CPU that you
| need to replace.
|
| (We do create fault-tolerant distributed systems, where such
| faults can generally be modelled and remedied as network
| errors, not compute errors.)
|
| Quantum fault tolerance relies on the fact that you can do
| "perfect" classical computation - which I find kind of
| amusing!
| blueplanet200 wrote:
| It does not apply to classical bits in the same way. Quantum
| computers derive their computational power from the qubits
| being in a single quantum state across the qubits (an
| entangled one, to use physics jargon.)
|
| This is distinct from classical computers, where you can
| describe a bit without needing to describe the other bits in
| the computer. You cannot describe a qubit (in a way that's
| computationally useful, at least) without describing all of
| them.
| krastanov wrote:
| But the exponential cost (the need to describe the "whole")
| is there in the classical case too.
|
| To describe a set of classical bits completely, you need a
| probability distribution over the whole system (including
| possible classical correlations induced by the crosstalk
| that OP spoke about). That probability distribution is a
| stochastic vector that has 2^n real positive components if
| we have n bits.
|
| To describe a set of qubits completely, you need at least a
| "quantum probability distribution", i.e. a ket that has 2^n
| complex components (I am skipping the discussion of density
| matrices).
|
| Both the classical and quantum description of the bits
| requires exponentially many real numbers. This exponential
| behavior on its own is not enough to explain "quantum
| computational advantage". The exponential behavior is well
| known in plenty of classical contexts (e.g. under the name
| "curse of dimensionality") and classically solved with
| Monte Carlo modeling.
|
| Scott Aaronson's lecture notes cover that quite well.
|
| At the end, the issue of crosstalk is modeled in a very
| similar way in the quantum and classical case, and if it
| forbids the existence of a quantum computer, it should
| forbid the existence of classical ones as well. In both
| cases it is the use of linear binary (or stabilizer) codes
| that solves that issue.
| comboy wrote:
| > I firmly believe that a quantum computer capable of breaking
| public key crypto will never be built. This is because as you
| add more qubits, there's increased interference between them
| due to the additional connections required.
|
| Seems weird to be assuming what's possible based on current
| technical obstruction. If you trace CPUs development, or many
| other technologies, many people with deep technical knowledge
| were certain about some thresholds which we have long passed.
| This bias even had some name which I forgot.
| api wrote:
| I tend to take "it's impossible" statements from scientists
| seriously only when the reasoning can be _firmly_ tied to an
| extremely well established physical law with no "wiggle
| room."
|
| For example I accept that faster than light travel and
| inertialess propulsion are both impossible. If either of
| these things were shown to be possible, it would mean that
| there are huge errors or oversights in the most well
| established areas of physics.
|
| I also accept the conditional impossibility of things that
| are just provably beyond our current ability for fundamental
| reasons, like a Dyson sphere. I don't know of any physics
| that says you could not build one, but for us it'd be like
| dust mites building the international space station.
|
| For everything else I leave the door open. People have
| historically underestimated creativity.
|
| For the first types of things, taking preparatory steps would
| be irrational. We don't need to plan for the arrival of FTL
| travel because we have no reason to think it will ever
| arrive.
|
| For the latter types of things, preparing does make some
| sense as long as it's not unreasonably expensive. We do have
| reason to believe that a large quantum computer _might_ be
| possible, so mucking around with a bit of code to defend our
| security against a surprise seems rational.
| Obscurity4340 wrote:
| Can you explain how qubits are physically implemented in a
| real-world computer? I just cannot wrap my mind around what
| they're made of and how they operate in the physical reality.
| woodruffw wrote:
| To a first approximation, the US government uses the same
| cryptography that US consumers do -- AES, SHA-2, the NIST P
| curves, ECDSA, etc. are all categorized for various levels of
| data integrity and confidentiality within the government.
|
| The same will be true of PQ signing schemes, meaning that a
| backdoor would be predicated on the USG believing that they
| have some _truly_ remarkable NOBUS breakthrough in PQC. That
| feels unlikely to me; NSA interventions in cryptographic design
| have historically gone in the opposite direction[1].
|
| (This is separate from the actual design question. I don't know
| as much about stateless PQ signing schemes, but the stateful
| ones are mostly "boring" hash-based cryptography that's well
| understood to be strong in both settings.)
|
| [1]:
| https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA's...
| simcop2387 wrote:
| > NSA interventions in cryptographic design have historically
| gone in the opposite direction[1].
|
| I'm not sure I'd say that given that there are some other
| designs and things that have gone on[1][2]. Particularly the
| Dual EC debacle. They have a history of helping make suspect
| or down right compromised crypto if they think they can get
| away with it. That said it does look like they avoid doing it
| to anything that gets USA GOV approval for use internally but
| it's difficult to say to what level they would actually go to
| for getting a backdoor out into the world that would let them
| look at other secrets.
|
| [1] https://en.wikipedia.org/wiki/Export_of_cryptography_from
| _th... [2] https://en.wikipedia.org/wiki/Dual_EC_DRBG
| woodruffw wrote:
| That's fair. Maybe this is too fine of a hair to split, but
| I would categorize the Dual_EC fracas as less an
| intervention and more of a ham-fisted attempt to
| standardize something that mainstream cryptography was
| immediately suspicious of. But I suppose you could argue
| that there was similar suspicion around DES from the very
| beginning.
| hannob wrote:
| I've heard physicists raise opinions like yours (i.e. QC will
| never be built for practical reasons), but I also hear ones
| that say the opposite. I'd err on the side of caution.
|
| As for your conspiracy: The conclusion of that would be to
| continue using hybrid constructions.
|
| Though, and I know crypto more than physics, I'd consider it as
| highly unlikely. Creating backdoors that others won't find is
| next to impossible. Why do I say that? Because we have some
| historic evidence how "NSA wants to plant a backdoor into an
| algorithm" works. Usually they've been discovered quickly. They
| can still be successful, because as we have seen with dual ec
| drbg, it was discovered quickly, yet nobody really cared and
| industry still used the algorithm.
|
| But something like that won't happen in a transparent process.
| You can be sure that every expert in the field had a look at
| crystals-kyber. If anything about it was suspicious, we would
| know.
| JanisErdmanis wrote:
| The transparency of the process in an essential way depends
| on a number of people who can understand what is being
| proposed. It seems from the outside that the lattice-based
| cryptography is significantly more complex. The question is,
| would anyone notice and how far-reaching are the proofs made
| on their security? On what basis can one prove that a
| computer with a novel algorithm could not break it?
|
| > As for your conspiracy: The conclusion of that would be to
| continue using hybrid constructions.
|
| As long as ordinary crypto does not get deprecated.
|
| Anyway, the number of responses made me curious about this
| new novel crystals-kyber. Do you have any recommendations on
| the best introductory text that explains it from the bird's
| view?
| ghost751 wrote:
| > As long as ordinary crypto does not get deprecated.
|
| On that note, just this month Tutanota emailed customers
| that their Secure Connect product is being turned off at
| the end of next month in order to focus developers on
| quantum-secure encryption solutions.
|
| This occurs in a time when there appear to be a stark few
| hosted E2EE webform-submission options that don't involve
| either a) bigtech or b) fly-by-night operations. Tutanota
| was a happy medium, and is getting out of that market,
| apparently.
|
| It can make one wonder what kind of pressure might exist to
| turn off a quite good, working solution to an actual
| problem. If one didn't know better, it could seem that
| blaming the need for quantum is just a distraction.
|
| The GP is not the first to make the observation in a
| natural line of inquiry. HN guidelines ask to assume good
| faith, and surely we know to try to.
| nullc wrote:
| It's perhaps telling that NSA has been rather aggressively
| against the use of hybrid systems, even though they have
| almost no marginal cost (an extra 56 bytes on top of 1.2kb of
| PQ exchange) and are the obvious move esp while the PQ
| systems are very new.
| adgjlsfhk1 wrote:
| The good news is that if you're willing to take a 2x slowdown
| for asymmetric encryption (which basically everyone is) you can
| get the best of both worlds by wrapping your quantum resistant
| crypto in regular crypto.
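The "concatenate classical and PQC" construction that coppsilgold and adgjlsfhk1 describe is, concretely, a key-derivation step: every classical DH output and the PQ KEM shared secret go into one KDF, so the session key stays secret as long as any one input does. Below is an added example (mine, not Signal's code and not the PQXDH specification) of such a combiner in Python using HKDF-SHA256 from the standard library. The input layout, the length prefixes, the protocol label, and the choice to bind the KEM ciphertext into the HKDF info are my assumptions; the shared secrets are constructed stand-ins for what X25519 and a KEM would produce. The one caveat a practitioner should take from it is the empty-input check: a combiner that silently accepts a missing KEM secret is a downgrade bug, not a hybrid.

```python
import hashlib
import hmac
from typing import Sequence

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = bytes(HASH().digest_size)  # RFC default: HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("HKDF output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def _lp(b: bytes) -> bytes:
    """Two-byte length prefix so the concatenated IKM parses unambiguously."""
    return len(b).to_bytes(2, "big") + b


def hybrid_session_key(dh_secrets: Sequence[bytes], kem_secret: bytes,
                       kem_ciphertext: bytes, protocol_info: bytes,
                       length: int = 32) -> bytes:
    """Hypothetical hybrid combiner: classical DH outputs || PQ KEM secret -> HKDF.
    The KEM ciphertext is bound into `info` so a substituted ciphertext cannot
    produce the same key (an assumption of this example, not a PQXDH detail)."""
    if not dh_secrets or any(len(s) == 0 for s in dh_secrets) or not kem_secret:
        raise ValueError("every shared secret must be present and non-empty")
    ikm = b"".join(_lp(s) for s in dh_secrets) + _lp(kem_secret)
    info = _lp(protocol_info) + _lp(kem_ciphertext)
    return hkdf(salt=b"", ikm=ikm, info=info, length=length)


# Constructed sample inputs; in a real handshake these come from X25519 and a KEM.
DH_SECRETS = [bytes([0x11]) * 32, bytes([0x22]) * 32, bytes([0x33]) * 32]
KEM_SECRET = bytes([0x44]) * 32
KEM_CT = bytes(range(16))            # stand-in for a KEM ciphertext
INFO = b"ExampleHybridHandshake_v1"  # hypothetical protocol label


def demo() -> dict:
    """An attacker who recovers every classical secret (or every PQ secret)
    still cannot reproduce the session key; tampering with the ciphertext
    changes it too."""
    return {
        "real": hybrid_session_key(DH_SECRETS, KEM_SECRET, KEM_CT, INFO),
        "classical_only": hybrid_session_key(DH_SECRETS, bytes(32), KEM_CT, INFO),
        "pq_only": hybrid_session_key([bytes(32)] * 3, KEM_SECRET, KEM_CT, INFO),
        "swapped_ct": hybrid_session_key(DH_SECRETS, KEM_SECRET, KEM_CT[::-1], INFO),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:15s} {key.hex()}")
```

The HKDF functions can be checked against the RFC 5869 test vectors before trusting the combiner built on them; the marginal cost nullc mentions is visible here too, since the classical inputs add a few dozen bytes to the IKM and nothing to the protocol beyond the extra DH.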
| tptacek wrote:
| CRYSTALS-Kyber was designed by an academic team, not a
| government (though a government standards body refereed the
| competition that selected it; that competition, in turn, was
| driven by technical feedback that came predominantly from
| academic cryptography teams around the world). In general, with
| some exceptions (like curve isogenies), the "math" behind PQ
| crypto is pretty well established; it was just less attractive
| than curves were for performance reasons, but is now more
| attractive if you presume curves will be broken in 20 years by
| QC.
| keurrr wrote:
| So you are claiming the protocol that Signal has adopted is
| already backdoored by the government. Extraordinary claims
| require extraordinary evidence. You need to provide some kind
| of evidence of this. We are talking 20+ years of open and
| public research on post-quantum cryptography.
| WhitneyLand wrote:
| I assume you're not proposing some kind of interference limit
| in principle?
|
| Are you suggesting that limiting interference will be a
| practical dead end that prevents advancement?
|
| Either way that would be a pretty significant claim. There are
| lots of research directions being pursued and plenty of smart
| people think it's worth trying.
| JanisErdmanis wrote:
| > Are you suggesting that limiting interference will be a
| practical dead end that prevents advancement?
|
| This is a hunch I have. Regarding the "plenty of smart people
| think it's worth trying", I can only provide an analogy of
| the 15-14th puzzle known as the Boss puzzle at that time, for
| which a substantial prize was promised for the first one who
| could solve it. A lesser-known proof that it is impossible
| came to surface decades later. There is a lot of inertia in
| academia along those lines, where grants depend on your
| ability to make a convincing argument that your path will
| solve the problem. This sets up PhDs to know only to advance
| but not to question as the latter does not give the prize.
| miles_matthias wrote:
| Appreciate how well-written and approachable this post was!
| wolverine876 wrote:
| That is very well-written, as someone else pointed out, though
| this common explanation for laypeople needs work (I'm not blaming
| Signal's blogger, who wrote it more carefully than most):
|
| _" Instead of bits as in a classical computer, quantum computers
| operate on qubits. Rather than 0 or 1, qubits can exist in a
| superposition of states, in some sense allowing them to be both
| values at once."_
|
| 'Instead of beads as in a classical abacus, our Quabacus operates
| on Quabeads! Rather than positions 0 or 1, quabeads can be in
| both positions at once!'
|
| Beads that are simultaneously in both positions sounds like a
| f$@!#g annoying glitch and not a feature - how does that help
| anyone record or calculate numbers? ('Would someone take a look at
| this broken Quabacus-abacus and resolve these g#$%!m glitching
| quabeads?!!!') It mocks the non-technical reader, who assumes
| they must have been given enough information to understand why
| it's faster and possibly how it works, but can't figure it out.
|
| They have not been given enough. Does anyone who perhaps
| understands it better than I do want to take a stab at a new
| commonplace explanation, one that connects the dots between
| quantum superposition and performance (for certain calculations)?
| varjag wrote:
| There isn't really a great way of explaining quantum behavior
| using everyday (classical) terms. Any analogy you come up with
| will be deeply flawed yet unsatisfactorily opaque to the reader.
|
| The only way is to gear up on math to the level where you can
| if not reason within the theory then to at least make sense of
| its presented conclusions.
| sebzim4500 wrote:
| I don't really understand your objection, that description
| seems like about as well as you can do when trying to summarize
| quantum mechanics in one sentence.
| wolverine876 wrote:
| It summarizes quantum mechanics, but not how it helps to
| store numbers and perform certain kinds of calculations.
| s17n wrote:
| Given that Signal's main innovation (compared to traditional end
| to end encryption) was to safeguard its users against future
| compromises via the ratchet protocol, this actually seems like a
| logical move for them to make.
| tjrgergw wrote:
| Now explain why you had to add bitcoin to signal.
| contact9879 wrote:
| There is no Bitcoin in Signal. Much has been written about
| MobileCoin that you can find on other threads.
| macawfish wrote:
| Why not use something like backchannel? That way we wouldn't need
| phone numbers either...
|
| The initial shared private key exchange could be done with more
| expensive, quantum resistant cryptography but the actual
| communication could be done through symmetric encryption.
|
| https://www.inkandswitch.com/backchannel/
|
| For the key exchange itself ("PAKE") maybe something like this:
| https://journal-home.s3.ap-northeast-2.amazonaws.com/site/ic...
|
| And for the symmetric encryption:
| https://github.com/Steppenwolfe65/eAES
| awestroke wrote:
| Super cool.
|
| If current quantum computers were scaled up to more qubits, could
| they break modern crypto? Or would we need both more qubits and a
| new quantum computer architecture?
| rjmunro wrote:
| 15 was factorised on a 7-qubit computer by IBM, so yes, they
| could break RSA if scaled up. I'm not sure about elliptic
| curve. That was over 20 years ago:
| https://research.ibm.com/blog/factor-15-shors-algorithm
|
| I wonder how possible it is that IBM could have already gone
| further and are already cracking modern crypto in secret, e.g.
| funded by the NSA. Is that a crazy conspiracy idea, or actually
| a possibility?
| kevvok wrote:
| Algorithms using elliptic curves can also be broken using
| Shor's algorithm
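To make the "factor 15" result rjmunro cites and kevvok's point concrete: Shor's algorithm only uses the quantum computer for one subroutine, finding the order r of a random base a modulo N; everything else is classical number theory, and the same order-finding trick applied to the group of an elliptic curve is why ECC falls too. The added example below (mine, not from the IBM post or the Signal page) runs that classical reduction in Python with the order-finding step replaced by brute force, which is the part that is exponential without a quantum computer. It also lists which bases fail for a given N, which is why the algorithm is probabilistic and has to retry.

```python
from math import gcd
from typing import Optional


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), by brute force.
    This is the only step Shor's algorithm delegates to the quantum
    computer (period finding with the quantum Fourier transform);
    classically it costs time exponential in the bit length of n."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int) -> Optional[tuple]:
    """Classical post-processing: an even order r with a**(r/2) != -1 (mod n)
    gives a non-trivial square root of 1, hence a factor via gcd."""
    if r % 2:
        return None               # odd order: no square root of 1 to exploit
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None               # trivial root -1: gcd(y+1, n) == n, useless
    p = gcd(y - 1, n)             # y**2 == 1 (mod n) and y != +-1, so p is proper
    return tuple(sorted((p, n // p)))


def shor_factor(n: int) -> Optional[tuple]:
    """Deterministic sweep over bases instead of random choice, for readability."""
    if n % 2 == 0:
        return (2, n // 2)
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return tuple(sorted((g, n // g)))   # lucky: a already shares a factor
        found = factor_from_order(a, multiplicative_order(a, n), n)
        if found:
            return found
    return None                                 # n is prime (or 1)


def bad_bases(n: int) -> list:
    """Coprime bases for which the post-processing fails and Shor must retry."""
    return [a for a in range(2, n)
            if gcd(a, n) == 1 and factor_from_order(a, multiplicative_order(a, n), n) is None]


if __name__ == "__main__":
    print("15 =", shor_factor(15), "bad bases:", bad_bases(15))
    print("21 =", shor_factor(21), "bad bases:", bad_bases(21))
    print("3233 =", shor_factor(3233))  # 53 * 61, a toy RSA modulus
```

Replacing `multiplicative_order` with the quantum period-finding routine is the entire difference between this toy and a cryptographically relevant attack; the qubit and error-rate estimates discussed further down the thread are the cost of running that one function at 2048-bit sizes.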
| 0xDEF wrote:
| It would be interesting to guesstimate what the NSA might be
| doing by analyzing the skills they're looking for in their
| job postings and the kind of open source projects they have
| released.
|
| For example their Accumulo OSS suggests they're capturing and
| storing a lot of data to analyze later. The Ghidra OSS being
| a best in class reverse engineering tool also suggests that
| alot of their work revolves around finding zero day
| vulnerabilities.
| zie wrote:
| I bet at the very least, the US govt and other large govts
| have some way of knowing whatever is actually possible TODAY
| and have plans in place to make sure whenever it is
| practical, they get the very first useful ones built.
|
| I would guess they probably don't have any actually useful
| and in production right now, but they probably have a few
| secreted away in development, so they will be ready to put
| them to use if/when they do become useful.
| bob1029 wrote:
| > Is that a crazy conspiracy idea, or actually a possibility?
|
| I am investing in IBM under the assumption that this is an
| actual possibility. Their public QC roadmap actually looks
| like a realistic journey now.
|
| I strongly believe that the NSA, et. al. _currently_ have
| access to a very powerful quantum computer - likely
| constructed by IBM under contract.
|
| The game theory around this is such that it is impossible for
| me to accept that there are zero secret quantum computers in
| existence by now. There is too much to lose by not playing
| that game as hard as you can.
| eigenket wrote:
| Speaking as a researcher in quantum computing (albeit
| completely on the theory side, with no practical knowledge
| of experiments). It seems that actually making a quantum
| computer which is useful (i.e. has error rate below the
| threshold you need for error correction to work) is
| incredibly difficult. I wouldn't be surprised if various
| secret agencies (specifically in the USA and China) have
| tried, but I would be quite surprised if they had succeeded.
|
| (I deleted my previous edit because I had misread part of
| what you wrote.)
| abdullahkhalids wrote:
| You are probably mistaken. The number of people with the
| right expertise to build QCs is very limited - only a few
| hundred people with world class PhDs in quantum computing
| are produced every year across the world. A small fraction
| are truly innovative - the ones who can act as leaders to
| build something real.
|
| The challenge of building QCs - as evidenced by billions of
| dollars worth of research in them - is many orders of
| magnitude more difficult than say the Manhattan project.
| The latter put together the best of the best on the
| project. You are suggesting a scenario where a tiny
| fraction of the best of the best are secreted away, with
| many of their past collaborators unaware of their doings,
| and have successfully built a QC.
|
| While the many brilliant best of the best who are working
| publicly, with many billions of dollars of research funding
| are currently only making very slow progress. It simply
| does not square.
| contact9879 wrote:
| Reminds me of how everyone who knew anything about the
| physics academia scene in the 30s/40s knew what was going
| on at Los Alamos. Second-order effects are extremely hard
| to obscure.
| archgoon wrote:
| > If current quantum computers were scaled up to more qubits
|
| That depends on what you mean by "scaled up". There is a
| concept of "Quantum Volume" that exists, which basically means
| the depth of the longest qubit circuit you can pull off.
|
| https://en.wikipedia.org/wiki/Quantum_volume
|
| 'Simply' (it's never simple ;) ) adding qubits to a machine
| does not necessarily increase its Quantum Volume. Decreasing
| the noise typically will.
|
| However, there is a threshold at which point you can scale up
| mostly indefinitely. This is what the whole Quantum Error
| Correction is all about.
|
| https://en.wikipedia.org/wiki/Quantum_error_correction
|
| There is a paper
|
| https://arxiv.org/abs/1905.09749
|
| That goes into a clear discussion of how to build a quantum
| computer and the associated thresholds that would allow you to
| do so. There is a minimum number of qubits needed (that work
| perfectly), but the paper analyzes how many qubits you'd need
| under realistic assumptions about how many noisy qubits you'd
| need to get error correcting qubits at the needed reliability.
| eigenket wrote:
| For anyone looking for a "headline figure" from the linked
| arxiv manuscript, their estimate for breaking 2048 bit RSA is
| around the order of magnitude of a billion qubits.
| archgoon wrote:
| [dead]
| sigmar wrote:
| Whitepaper says:
|
| >PQXDH provides post-quantum forward secrecy and a form of
| cryptographic deniability but still relies on the hardness of the
| discrete log problem for mutual authentication in this revision
| of the protocol.
|
| So that's why active mitm with a contemporary quantum computer is
| a concern mentioned in the blog post. Of course it isn't of any
| concern currently (since no one has the hardware to exploit
| this), but I'm curious why they couldn't fit the crystals-kyber
| method for mutual auth in this hybridized implementation?
| performance concerns?
| swamp40 wrote:
| There are 20 bitcoin wallets worth more than a billion dollars
| each.
|
| I think it will be pretty obvious when someone gets a quantum
| computer working.
| nabla9 wrote:
| Bitcoin is already quantum attack resistant, unless you use un-
| hashed public keys or reuse Bitcoin addresses (as some do).
|
| If Bitcoin would become vulnerable, its value would collapse to
| zero overnight once it's known. There is limited amount of
| money anyone could extract before the value collapses.
| kevincox wrote:
| Bitcoin wouldn't "become vulnerable". Someone would discover
| the vulnerability. If this person put it to use before making
| it widely known they could definitely extract a large amount
| of money from the bitcoin network before the public at
| large noticed (at which point the price would start to
| plummet).
| nabla9 wrote:
| That has nothing to do with quantum resistance.
| nullc wrote:
| > Bitcoin is already quantum attack resistant
|
| That is a misleading claim. First: Any quantum key cracker
| would need to be fast since the operations would all have to
| be performed within the coherence time, so an attacker could
| race coins as they were spent or perform small reorgs to
| steal coins even if they lost the race. Secondly: The
| majority of all circulating coins are stored in addresses
| which have been reused. Thirdly: the common hashing scheme
| you mention is 160 bits, so in the presence of quantum
| computers would only have 80 bits of security against second
| preimages just by using Grover's algorithm and perhaps worse
| with more specialization (and, in fact, somewhat less
| considering multi target attacks) which wouldn't and
| shouldn't be regarded as secure.
|
| > If Bitcoin would become vulnerable, its value would
| collapse to zero overnight once it's known. There is limited
| amount of money anyone could extract before the value
| collapses.
|
| Once it's known. There have been insecure altcoins where
| hackers skimmed them for many months without being noticed.
| It is indeed technically finite, sure, but large.
| xur17 wrote:
| My understanding is that bitcoin addresses are quantum safe as
| long as you do not reuse an address after spending funds sent
| to it [0]. Per the linked article, this is standard practice,
| so I would assume the majority of addresses are actually
| quantum safe.
|
| And for more context: with p2pkh addresses, you are sending to
| the hash of the address, and hashes are quantum safe.
|
| [0]
| https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/qu...
| sneak wrote:
| It's worth way more than $20B USD to have a working quantum
| computer that nobody knows about. You don't burn a weapon like
| that by inducing everyone to update immediately.
| keurrr wrote:
| I don't think these incentives make sense at all. Government
| organizations suspected to be developing quantum computers
| probably have larger annual budgets than 20 billion. The
| ability to undermine virtually all cryptographic systems is
| unquantifiably large.
|
| Once the cat is out of the bag, everyone will rush to post-
| quantum cryptography and all that value will be lost in a
| relatively short period. Indeed, we already witnessed this in
| the 2010s following the Snowden revelations when big tech, in a
| concerted effort, adopted HTTPS. Now that is the standard.
|
| For example, "The Fiscal Year 2022 budget appropriation
| included $65.7 billion for the National Intelligence Program,
| and $24.1 billion for the Military Intelligence Program."
|
| Source: https://irp.fas.org/budget/index.html
| baq wrote:
| Not accounting for slippage. You'd be lucky to get 5% of their
| marked value if you stole them.
| rosywoozlechan wrote:
| This is a myopic take, the attacker could not spend the
| bitcoins because of the public ledger and the value of bitcoin
| would drop to nothing once it is realized that wallets are not
| secure. They'd burn bitcoin for no gain, for a loss even,
| because they would reveal their capabilities and maybe even who
| they are.
___________________________________________________________________
(page generated 2023-09-19 23:00 UTC)