[glerk]

One thing that is not addressed: say this quantum attack happens tomorrow and everyone agrees it was an attack, what would prevent the community (miners, node operators, and users) to hard fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin? There would be loss of value of course, but it is not unrecoverable.

It’s worth remembering that Ethereum forked for much less (not even a bug in the protocol, but a bug in a private application running on the protocol) and nobody seems too upset about it a decade later.

[EthanHeilman]

> fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin?

It won't work. The only way to authenticate who ones what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.

You need to more to safer signature algorithm before the break, after the break it is game over.

> It’s worth remembering that Ethereum forked for much less

Ethereum could simply return the coins to the original owners. If the signature scheme is insecure, returning the coins just means the attacker can steal them again.

[glerk]

> The only way to authenticate who owns what coins is with signatures

Maybe the only fully cryptographic absolutely zero-trust way? In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.

Of course, this is not ideal and everyone would prefer not to go down that route. But even if we prepare in time and Bitcoin provides a quantum-secure address scheme before "Q-day", what happens to all the wallets that didn't upgrade? Is it open season on them? Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market. I think even with the upgrade plan in place, a hard-fork + recovery will be on the menu, with various degrees of community support.

[EthanHeilman]

> In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.

Any who is going to in charge of reading that proof of identity and moving the coins? A trusted centralized party? The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system.

> Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market.

No one knows, but the incentives are aligned with a softfork to burn Satoshi's coins.

[glerk]

> Any who is going to in charge of reading that proof of identity and moving the coins? A trusted centralized party?

Basically you'd have to relax the trust/decentralization guarantees, but you don't have to relax them all the way. Most likely a consortium of trusted actors (Blockstream, major miners, major exchanges, bitcoin-adjacent companies,...). Or something like a consensus mechanism with aligned incentives a la Kleros. I think "we" could come up with "something", even if it is not perfect, because the value of Bitcoin is ultimately in the community of people who use Bitcoin, not just the protocol.

"Hard-fork" might not be the right way to see this. It's more like starting a completely new protocol where people who held Bitcoin at a certain snapshot can redeem a one-time airdrop equivalent to the value they held, provided they can prove ownership. As that protocol's value overtakes the value of the original Bitcoin chain (which will eventually be completely dead), we can all agree to call it Bitcoin.

[realharo]

>The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system.

Most participants don't care about this. For almost everyone, the point of Bitcoin is to go up. As long as they can find enough buyers that also believe it will go up, the rest is optional. Especially if it's temporary, for a one-time migration.

[realharo]

In practice, what you really need is consensus. As long as enough of the important participants agree, that's how it will be.

And since there are millions of identical copies of the entire pre-attack ledger out there, this should not be that difficult.

Potential future buyers might reevaluate whether this whole thing has any monetary value, but that's a separate concern. Bitcoin's market value was never about the technical details.

[rcbdev]

I'm not sure you fully grasped what was said in the parent comment. It literally does not matter anymore if we can all agree on the previous blocks, it would be impossible to identify who owns which wallet anymore. The seed phrase would be useless.

[realharo]

Ah, then yeah, in that case, it'd be basically over.

Maybe large exchanges would try to step in to make a fresh chain based on their combined account data, and just drop the people relying on self-custody. But I doubt the market would go for it - the uncertainty would crash it hard enough that it would never recover.

[throw0101d]

> It won't work. The only way to authenticate who ones what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.

If you publish/take a snapshot of the ledger at (say) 23:59 UTC everyday, and publish it with a SHA2/3 hash, people will know what the state of ownership was at that time. Then if a break occurs at any later point you cannot trust any transaction afterwards, but some portion of folks can attest to their ownership.

There will be some portion of folks that did some legitimate transactions that could come into question, but at least it's not necessarily everyone.

[EthanHeilman]

> but some portion of folks can attest to their ownership.

How? Alice pay's Bob 1 BTC at random address 0x1234. Someone shows up and says, I own that address and here is signature proving it. But the signature scheme is broken so anyone can do that. So you ask for documentation they own that address, well they have screencap of a message asking for payment from Alice. Is that real? Maybe you find the email of that user and ask them, but they could be lying. Now if you paid from coinbase, coinbase could vouch for you.

So you need some sort of court that sits in judgement over who owns what. That is going to be very expensive. While you are doing this, no one can move funds. What is the most likely outcome of such a system, well there is not CEO of Bitcoin, so you would probably end up with multiple courts producing conflicting rulings that no one would respect.

The whole notion of ownership courts is anathema to Bitcoin's philosophy and would completely undermine the social trust that makes Bitcoin valuable. If we are going to save Bitcoin from a CRQC we must act before a CRQC recovers everyone's private key.

There are three workable schemes:

* For public keys that in hashed addresses such as P2PKH (Pay-to-Public-Key-Hash) et al., if the public key is not known, then you could produce a ZKP that you know the public key (proof of pre-image). The main problem with this approach is that it only protects hashed addresses where the public key has not been leaked or exposed on-chain. It doesn't have enough coverage.

* You can do commit-reveal schemes, this makes miners far more trusted and again only helps with hashed addresses that haven't exposed the public key.

* You can do ZKP proof of HD Seeds, from most modern wallets have HD seeds. AFAICT You'd have to use STARKs but STARKs for HD seeds are too big for on-chain proofs. Not all HD seeds are protected and not all addresses have HD seeds. Just today Laolu published this demo for doing this, the proofs at 1.7 mbs https://groups.google.com/g/bitcoindev/c/Q06piCEJhkI

[littlecranky67]

You have to consider the network-level forwarding, not only the crypto. The noderunners could role out a new version that uses whatever heuristics to identify transactions that are likely from an attacker. If transaction aren't forwarded, they don't end up in the mempool and thus not in the blockchain. And yes, then the attacker might try to manipulate those heuristics and filter etc. It would become a cat-and-mouse game, but as long as the "good guys" act faster than the attack adapts, there is a good chance a big number of coins can be secured. It is not an all-or-nothing game.

[nehan]

The point is you can't distinguish transactions that are from an "attacker" when the underlying signature scheme is broken. The Bitcoin P2P network has some metrics to disconnect from nodes that might be trying to DoS you, but if a transaction has enough fees, is spending unspent coins, and has a valid signature, it's valid.

[littlecranky67]

I did say heuristics, not valid/invalid. You can do all sorts of analytics upon receiving a transaction, and then decide to forward or drop the transaction based on that heuristics. Valid/Invalid could become the minimum requirement for a transaction to be forwarded.

[nehan]

I can't think of heuristics available on the Bitcoin P2P network that would be helpful for this, but I'm curious if you have any in mind.

[Retr0id]

A hard fork implies a difference in consensus rules, and what do you propose that difference be?

Existing wallets need to actively commit to some PQ signature mechanism, prior to Q-day.

[glerk]

Even if Q-day means there is a way to deterministically retrieve any private key from a public key (is that what it means? or is the blast radius of q-day contained? This is a bit above my level of cryptography), I’m sure we could come up with something to minimize the damage. In the worst case, it might involve a claim process with an authority or consensus mechanism to prove who the rightful owner of the funds is and revert the unauthorized transactions on the new chain.

Yes, this is not ideal! But if the wallet conversion requires active participation, preemptive measures are also not ideal.

[Retr0id]

> Q-day means there is a way to deterministically retrieve any private key from a public key

That's exactly what it means. (Note also that under ECDSA you can retrieve a public key from a valid signature).

How do you prove anything, after the key material is compromised?

[glerk]

> How do you prove anything, after the key material is compromised?

It’s a blockchain, so the simplest would be chain of custody until the chain points undeniably at you. This is not a pure cryptographic device, some social intervention might be needed here.

[wmf]

In theory nothing prevents that but it would be so contentious that the backlash (e.g. 90% drawdown) may be even worse than just letting the hacks stand.

[pants2]

The Bitcoin “value overflow incident” on August 15, 2010 is probably the closest thing and that didn't affect the price much (though one BTC was around 8c at the time)

[weakened_malloc]

This time you'll have hundreds of billions of BTC that will be hacked by someone who will probably instantly unload it. In that scenario it's hard to see the price of it not dropping >90%, so you'd have to think people would prefer a roll back.

That said, I don't know how you could even do a roll back, you're not rolling back to a 'safe' state since the keys aren't safe at that point.

[pants2]

Very good point on the roll-back.

However in terms of the hack, Bitcoin is slow - most exchanges require a few confirmations so it's 30+ minutes to land a deposit in Coinbase/Binance at minimum, and a transfer that huge would instantly set off alarms. Seems unlikely that they would be able to unload that much.

[wmf]

Coinbase would definitely go into buy-only mode during a major crash but that just means people would scream while they watch futures/perps go to zero.

"If you're first out the door, that's not called panicking."

[extraduder_ire]

"Instantly" being at least ten minutes (average) in this case.

[glerk]

Letting the hack stand means the chain comes to a halt and all value is destroyed? Even if you’re a staunch bitcoin purist, I don’t think that’s the path you want to go on.

[wmf]

The chain wouldn't halt because mining won't be affected by quantum. If you see hacks happening you could race to move your coins into a PQ wallet before the hackers do. I'm assuming that PQ software will be available before the hacks. I agree that this is a very bad scenario.

[block_dagger]

I'd argue there may be an increase in value over time if the community handles the fork well.

[avazhi]

And you’d get laughed at for that argument.

[ciupicri]

In my humble opinion (because I'm not a "crypto investor"), Ethereum lost all credibility with that fork. You can't trust a system/currency that changes the rules like that.

[latchkey]

I believe actions speak louder than words. Their continued execution, including successfully switching engines mid-flight (The Merge), has earned them a bit of reprieve in your view.

[ciupicri]

Speaking of actions and words, what good is a contract if it can't be enforced? So I find hard to trust Ethereum.

All that new stuff could change the point of view if it were some ordinary software, but since we're talking about a currency, trust is very hard to regain. How can someone be sure that they won't change their mind again?

I haven't followed the evolution of Dogecoin, but even that sounds more reliable and at least it doesn't pretend to be taken seriously.

[tuckwat]

BTC thrives on hype and hope that others will buy in. A successful quantum attack would obliterate the value and future value.