
Bitcoin’s post-quantum migration will be harder than Taproot and needs to start now, Project Eleven CEO says

The Bitcoin developer community should stop waiting for a quantum computing timeline to be confirmed and focus on putting post-quantum signature schemes into production, Project Eleven CEO Alex Pruden said Wednesday at the CoinDesk Miami Consensus Conference.

Pruden said the asymmetry between acting now and waiting favors action.

“We’ve added some new cryptography, we’ve built in this optionality, and it turns out we don’t need it yet, but at least we have it,” he said, describing the worst-case scenario of moving ahead.

The worst case of waiting is much worse: a sufficiently powerful quantum computer could derive a private key from any exposed public key using Shor’s algorithm, a 1994 algorithm that remains a prime example of what quantum machines can do that classical machines cannot.

Pruden values the asset at about $2.3 trillion.

“In a very real sense, someone with a large enough and powerful quantum computer could have everyone’s digital assets or Bitcoin to have a public key that they could see,” Pruden said.

Pruden said the way forward is to introduce a new signature scheme in Bitcoin that does not rely on the classical mathematics of the Elliptic Curve Digital Signature Algorithm (ECDSA) currently used.

The National Institute of Standards and Technology has standardized post-quantum schemes based on hash functions and lattices, and discussions in the Bitcoin community have been trending toward hash-based options, he said. Last year’s proposed BIP-360 laid the groundwork for adding quantum-resistant output types alongside Taproot, using a hash-based signature scheme that Blockstream has deployed on its Liquid network.
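To make concrete what “hash-based” means here, the following is an added illustration (not code from BIP-360, Blockstream, or Project Eleven) of a Lamport one-time signature, the simplest hash-based scheme and the building block that standardized schemes such as XMSS and SPHINCS+ extend with Merkle trees. Its security rests only on SHA-256 preimage resistance, against which Shor’s algorithm gives no advantage. The message and the `LamportKey` / `verify` / `demo` names are constructed for this example.

```python
"""Minimal Lamport one-time signature over SHA-256 (added educational example)."""
import hashlib
import secrets

N_BITS = 256   # one key pair per bit of the SHA-256 message digest
CHUNK = 32     # 32-byte random preimages; SHA-256 outputs are also 32 bytes


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    """Yield the 256 bits of SHA-256(msg), most significant bit first."""
    for byte in H(msg):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


class LamportKey:
    """Holds a Lamport private key and enforces its one-time property."""

    def __init__(self):
        # Private key: 256 pairs of random 32-byte preimages (one pair per digest bit).
        self.sk = [(secrets.token_bytes(CHUNK), secrets.token_bytes(CHUNK))
                   for _ in range(N_BITS)]
        # Public key: the hash of every preimage. Revealing a preimage later
        # proves the signer knew it; no number-theoretic structure is involved.
        self.pk = [(H(a), H(b)) for a, b in self.sk]
        self.used = False

    def sign(self, msg: bytes) -> list:
        # Each signature reveals one preimage per bit, so signing two different
        # messages with the same key leaks both preimages at every differing bit.
        if self.used:
            raise RuntimeError("Lamport key already used; refusing to sign again")
        self.used = True
        return [self.sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Check that each revealed preimage hashes to the public-key value selected by that digest bit."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def demo() -> dict:
    """Sign a constructed message, check acceptance, tampering, size cost and key reuse."""
    key = LamportKey()
    msg = b"constructed sample message: transfer 1 BTC"   # constructed, not real data
    sig = key.sign(msg)
    result = {
        "valid": verify(key.pk, msg, sig),
        "tampered_rejected": not verify(key.pk, msg + b"!", sig),
        # Size cost is the practical downside of hash-based schemes for a blockchain:
        "signature_bytes": sum(len(s) for s in sig),           # 256 * 32 = 8192
        "pubkey_bytes": sum(len(a) + len(b) for a, b in key.pk),  # 256 * 64 = 16384
    }
    try:
        key.sign(b"a second message")
        result["reuse_blocked"] = False
    except RuntimeError:
        result["reuse_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The size figures are the point a wallet or protocol designer cares about: an 8 KiB signature and a 16 KiB public key per output, versus 64 bytes for a Schnorr signature under Taproot, is why the production schemes the article refers to use Merkle trees and Winternitz chaining to shrink keys, and why block-space cost is part of the migration debate.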

“I think translating research into production is really what we need to focus on,” Pruden said. “Let’s focus on research and development.”

Pruden warned that migration will be much more difficult than a Taproot upgrade.

“Taproot took five years, but that’s not the full extent of the real challenge.” Taproot is opt-in and most users never bother to migrate, whereas every Bitcoin holder and every wallet, exchange and institution with exposure to the asset will need to participate in a post-quantum migration.

Pruden said the timing risk is serious: if a quantum computer arrives before users migrate, an attacker could front-run pending transactions within a single block, paying a higher fee to spend the funds whose private keys had just been derived from the public keys those transactions revealed.

Regarding the unresolved debate over what to do with Bitcoins in dormant, quantum-vulnerable addresses, Pruden urged the community to postpone the fight and focus on the migration itself. Harper believes the debate involves more than 5 million dormant coins, including those attributed to Satoshi Nakamoto through the so-called “Patoshi” pattern of early miner blocks.

“The issue of Satoshi’s coin is particularly thorny,” Pruden said, because it puts two philosophical commitments into tension: Bitcoin’s fixed-supply ethos and its commitment to digital property rights. When asked about his personal leanings, Pruden said dormant coins could be “recycled back to the end of the supply curve” to extend Bitcoin’s mining incentive runway after the block subsidy runs out.

“That’s what I might say if you put me in a difficult situation,” Pruden said. “So I think generally it’s the forfeiture aspect. But I think ultimately, the community is going to make the decision. The institutions and the market are going to make the decision.”

As for whether Bitcoin Core developers take the threat seriously, Pruden said the answer is complicated. “Core is not a single entity. So I think there’s certainly [some of] Core taking it seriously. I think there are some people who think ‘quantum computers are never going to come.’” He pointed to the balance in the broader scientific community: “Most physicists, if you ask them that question, they’d say, yes, it’s going to be a thing. And by the way, a lot of them think the timeline is accelerating.”

The physics that make quantum computers a threat to existing cryptography could also give rise to next-generation cryptography primitives, he said, citing a key-exchange protocol that won a Turing Award last year and works based on quantum entanglement and certified randomness.
