by chadhutchins10 1829 days ago
I wish this were talked about more. Quantum computing is the biggest long-term threat to crypto imo. What's the plan once elliptic curve cryptography can be broken?

There will be a point in time where there are just a few quantum computers that can break everything before the general public has access to quantum computing. Can crypto work in that scenario? Normal computers wouldn't be able to work with the beastly algorithms a quantum computer could handle.

7 comments

The first entities that are likely to achieve practical quantum computers will either be governments or big tech companies like Google. And it will be a big deal, so there would likely be several years of warning before it could be at the point where it would make sense to use it to steal someone's bitcoins (I guess the original Satoshi coin address would be the biggest bounty). And in the time period between when the big development is first announced and before it's practical, Bitcoin and other cryptocurrency projects can do a fork to a new digital signature scheme that is quantum proof (such as LegRoast) so that anyone who is concerned can move their coins to a new secure address. So while it would certainly be disruptive, it wouldn't necessarily spell the doom of Bitcoin.
Depends on the incentives. If the only interest in quantum computing is to break classically hard encryption, then I think the time between PoC and widespread availability could be relatively short.
> What's the plan once elliptic curve cryptography can be broken?

A likely drop-in replacement for elliptic curve cryptography (ECC) currently used by Bitcoin could be

https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exch...

I am not a mathematician, but from what I understood, it's basically an extension of ECC using multiple elliptic curves; it allows re-use of the Diffie–Hellman key exchange protocol (private keys kept secret, public keys exchanged), and its memory requirements are small. So it would be a perfect replacement in wallets and validation nodes. But I cannot explain why it is safe against an attack using quantum computers.

Just don't re-use addresses. Bitcoin does not expose your public key until you spend from it.
If the QC can crack your private key within a few minutes, it would still have a decent chance to steal your money.
> Bitcoin does not expose your public key until you spend from it.

Are you sure, what about when someone sends to it?

They're correct. The blockchain just records that the funds were sent to your address. To spend the funds you have to show the public key which hashes to that address, in another transaction signed by the private key.

If the sender wanted to send you a private message, they would need your public key, but that's not what transactions do.

Fair enough, thank you.
Sending to an address means sending it to a "hash" of a public key (or a more complex script) on all modern formats. Then such script and data is revealed on spend.
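The mechanics described in the thread above (an output commits to a hash; the public key only appears when the output is spent), shown as an added example that is not code from the original thread or from any Bitcoin project. It builds a P2WSH output for the script `<pubkey> OP_CHECKSIG`, and the validation check a node runs at spend time. The sample public key is the compressed encoding of the secp256k1 generator point, used here only as a stand-in for a wallet key; no curve arithmetic or signing is performed. P2PKH and P2WPKH commit to HASH160 = RIPEMD160(SHA256(pubkey)) instead, same principle; note that Taproot (P2TR) outputs place the tweaked x-only public key directly in the output, so the hiding property below does not hold for them. The bech32 address shown to users is just an encoding of the witness program built here.

```python
import hashlib

OP_0 = b"\x00"
OP_CHECKSIG = b"\xac"

# Compressed secp256k1 generator point, used as a stand-in wallet pubkey (constructed sample).
SAMPLE_PUBKEY = bytes.fromhex(
    "0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"
)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def witness_script_p2pk(pubkey: bytes) -> bytes:
    """Witness script: <push 33 bytes> <pubkey> OP_CHECKSIG."""
    if len(pubkey) != 33:
        raise ValueError("expected a 33-byte compressed public key")
    return bytes([len(pubkey)]) + pubkey + OP_CHECKSIG


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """What the funding transaction puts on chain: OP_0 <32-byte sha256(witnessScript)>.
    Only the hash is published; the script (and the pubkey inside it) is not."""
    return OP_0 + b"\x20" + sha256(witness_script)


def spend_commitment_ok(script_pubkey: bytes, revealed_witness_script: bytes) -> bool:
    """Node-side check when the output is spent: the witness script revealed in the
    spending transaction must hash to the program committed in the output."""
    if len(script_pubkey) != 34 or script_pubkey[:2] != OP_0 + b"\x20":
        return False
    return sha256(revealed_witness_script) == script_pubkey[2:]


def observer_view(pubkey: bytes) -> dict:
    """What a chain observer (e.g. a future quantum attacker) can see at each stage.
    Before the spend only the hash is public; the spend reveals the pubkey."""
    ws = witness_script_p2pk(pubkey)
    spk = p2wsh_script_pubkey(ws)
    # Spending transaction carries the witness script in its witness field.
    witness_at_spend = [ws]
    return {
        "script_pubkey_hex": spk.hex(),
        "pubkey_visible_before_spend": pubkey in spk,
        "pubkey_visible_after_spend": any(pubkey in item for item in witness_at_spend),
        "spend_valid": spend_commitment_ok(spk, witness_at_spend[0]),
    }


if __name__ == "__main__":
    view = observer_view(SAMPLE_PUBKEY)
    for k, v in view.items():
        print(f"{k}: {v}")
```

A second spend from the same script, or any payment to that address after the first spend, is made with a public key the whole network has already seen, which is the reason for the "don't re-use addresses" advice above.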
While not implemented, I think there are "lattice based" forms of cryptography that are believed to be QC resistant that blockchains could migrate over to if QCs begin to show signs of increased fault tolerance and size.
We already have a solution (https://en.wikipedia.org/wiki/Lamport_signature) but there’s no reason to deploy it yet since it reduces scalability.
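The Lamport scheme the comment above links to, as an added worked example (not code from the original thread or from any project). It shows the two properties the comment alludes to: the signature and public key are a few kilobytes each, against a 33-byte compressed secp256k1 public key and a roughly 70-byte ECDSA signature, which is the scalability cost; and the key is strictly one-time, because every signature leaks half of the private key, so after enough reuse an observer can forge a signature on a message of their choosing. The `seed` parameter exists only to make the demo reproducible; unseeded keys come from `secrets`.

```python
import hashlib
import random
import secrets

N = 256      # bits of SHA-256 digest; one preimage pair per bit
CHUNK = 32   # bytes per preimage and per hash


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes) -> list:
    """SHA-256 digest of msg as 256 bits, most significant first."""
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def keygen(seed=None):
    """One-time key pair. Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of each preimage. seed is for reproducible demos only."""
    if seed is None:
        rand = secrets.token_bytes
    else:
        rng = random.Random(seed)
        rand = rng.randbytes
    sk = [(rand(CHUNK), rand(CHUNK)) for _ in range(N)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """For each digest bit, reveal the preimage that bit selects (half the private key)."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(_h(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def sizes() -> dict:
    """Serialized sizes in bytes, compared with what Bitcoin uses today."""
    return {
        "lamport_public_key": N * 2 * CHUNK,
        "lamport_signature": N * CHUNK,
        "ecdsa_compressed_pubkey": 33,
        "ecdsa_signature_approx": 72,
    }


def forge_from_reuse(observed, target: bytes):
    """Key-reuse attack. Pool the preimages leaked by every observed (msg, sig) pair;
    if both preimages are now known at every position the target's digest needs,
    assemble a valid signature on target without the private key. Returns None otherwise."""
    known = [dict() for _ in range(N)]  # position -> {bit: preimage}
    for msg, sig in observed:
        for i, b in enumerate(_bits(msg)):
            known[i][b] = sig[i]
    forged = []
    for i, b in enumerate(_bits(target)):
        if b not in known[i]:
            return None
        forged.append(known[i][b])
    return forged


if __name__ == "__main__":
    sk, pk = keygen(seed=1)
    msg = b"tx: spend output 0"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("sizes:", sizes())
    # Reusing the key 64 times leaks essentially the whole private key.
    observed = [(b"reused msg %d" % i, sign(sk, b"reused msg %d" % i)) for i in range(64)]
    forged = forge_from_reuse(observed, b"attacker-chosen tx")
    print("forgery verifies:", forged is not None and verify(pk, b"attacker-chosen tx", forged))
```

In a coin that used this directly, each output would therefore need a fresh key and every spend would carry an 8 KiB signature; hash-based schemes deployed in practice chain many one-time keys under a Merkle tree to get a reusable public key, at the cost of a stateful signer.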
The problem with "yet", in security, is that by the time you realize that "yet" is here, it's already too late.
> I wish this were talked about more.

This is talked about all the time in Bitcoin dev circles.

There's a lot of research and practical work on quantum-proof cryptography which is already in use in some cryptocurrencies - 'just' need to hard fork and update it when it's ready for Bitcoin
No need for a hard fork. A soft fork like Taproot is doing this year would be sufficient.
What cryptocurrencies are currently using post-quantum cryptography?
Only one I'm aware of is QRL ("quantum-resistant ledger").

https://www.theqrl.org/