| ▲ | glerk 12 hours ago |
| One thing that is not addressed: say this quantum attack happens tomorrow and everyone agrees it was an attack, what would prevent the community (miners, node operators, and users) to hard fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin? There would be loss of value of course, but it is not unrecoverable. It’s worth remembering that Ethereum forked for much less (not even a bug in the protocol, but a bug in a private application running on the protocol) and nobody seems too upset about it a decade later. |
|
| ▲ | Retr0id 12 hours ago | parent | next [-] |
| A hard fork implies a difference in consensus rules, and what do you propose that difference be? Existing wallets need to actively commit to some PQ signature mechanism, prior to Q-day. |
| |
| ▲ | glerk 11 hours ago | parent [-] | | Even if Q-day means there is a way to deterministically retrieve any private key from a public key (is that what it means? or is the blast radius of q-day contained? This is a bit above my level of cryptography), I’m sure we could come up with something to minimize the damage. In the worst case, it might involve a claim process with an authority or consensus mechanism to prove who the rightful owner of the funds is and revert the unauthorized transactions on the new chain. Yes, this is not ideal! But if the wallet conversion requires active participation, preemptive measures are also not ideal. | | |
| ▲ | Retr0id 11 hours ago | parent | next [-] | | > Q-day means there is a way to deterministically retrieve any private key from a public key That's exactly what it means. (Note also that under ECDSA you can retrieve a public key from a valid signature). How do you prove anything, after the key material is compromised? | |
| ▲ | glerk 11 hours ago | parent | prev [-] | | > How do you prove anything, after the key material is compromised? It’s a blockchain, so the simplest would be chain of custody until the chain points undeniably at you. This is not a pure cryptographic device, some social intervention might be needed here. |
|
|
|
| ▲ | EthanHeilman 11 hours ago | parent | prev | next [-] |
| > fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin? It won't work. The only way to authenticate who ones what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm. You need to more to safer signature algorithm before the break, after the break it is game over. > It’s worth remembering that Ethereum forked for much less Ethereum could simply return the coins to the original owners. If the signature scheme is insecure, returning the coins just means the attacker can steal them again. |
| |
| ▲ | realharo an hour ago | parent | next [-] | | In practice, what you really need is consensus. As long as enough of the important participants agree, that's how it will be. And since there are millions of identical copies of the entire pre-attack ledger out there, this should not be that difficult. Potential future buyers might reevaluate whether this whole thing has any monetary value, but that's a separate concern. Bitcoin's market value was never about the technical details. | | |
| ▲ | rcbdev an hour ago | parent [-] | | I'm not sure you fully grasped what was said in the parent comment. It literally does not matter anymore if we can all agree on the previous blocks, it would be impossible to identify who owns which wallet anymore. The seed phrase would be useless. | | |
| ▲ | realharo an hour ago | parent [-] | | Ah, then yeah, in that case, it'd be basically over. Maybe large exchanges would try to step in to make a fresh chain based on their combined account data, and just drop the people relying on self-custody. But I doubt the market would go for it - the uncertainty would crash it hard enough that it would never recover. |
|
| |
| ▲ | glerk 9 hours ago | parent | prev [-] | | > The only way to authenticate who owns what coins is with signatures Maybe the only fully cryptographic absolutely zero-trust way? In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership. Of course, this is not ideal and everyone would prefer not to go down that route. But even if we prepare in time and Bitcoin provides a quantum-secure address scheme before "Q-day", what happens to all the wallets that didn't upgrade? Is it open season on them? Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market. I think even with the upgrade plan in place, a hard-fork + recovery will be on the menu, with various degrees of community support. | | |
| ▲ | EthanHeilman 6 hours ago | parent [-] | | > In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership. Any who is going to in charge of reading that proof of identity and moving the coins? A trusted centralized party? The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system. > Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market. No one knows, but the incentives are aligned with a softfork to burn Satoshi's coins. | | |
| ▲ | realharo an hour ago | parent | next [-] | | >The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system. Most participants don't care about this. For almost everyone, the point of Bitcoin is to go up. As long as they can find enough buyers that also believe it will go up, the rest is optional. Especially if it's temporary, for a one-time migration. | |
| ▲ | glerk 5 hours ago | parent | prev [-] | | > Any who is going to in charge of reading that proof of identity and moving the coins? A trusted centralized party? Basically you'd have to relax the trust/decentralization guarantees, but you don't have to relax them all the way. Most likely a consortium of trusted actors (Blockstream, major miners, major exchanges, bitcoin-adjacent companies,...). Or something like a consensus mechanism with aligned incentives a la Kleros. I think "we" could come up with "something", even if it is not perfect, because the value of Bitcoin is ultimately in the community of people who use Bitcoin, not just the protocol. "Hard-fork" might not be the right way to see this. It's more like starting a completely new protocol where people who held Bitcoin at a certain snapshot can redeem a one-time airdrop equivalent to the value they held, provided they can prove ownership. As that protocol's value overtakes the value of the original Bitcoin chain (which will eventually be completely dead), we can all agree to call it Bitcoin. |
|
|
|
|
| ▲ | wmf 12 hours ago | parent | prev | next [-] |
| In theory nothing prevents that but it would be so contentious that the backlash (e.g. 90% drawdown) may be even worse than just letting the hacks stand. |
| |
| ▲ | pants2 11 hours ago | parent | next [-] | | The Bitcoin “value overflow incident” on August 15, 2010 is probably the closest thing and that didn't affect the price much (though one BTC was around 8c at the time) | | |
| ▲ | weakened_malloc 7 hours ago | parent [-] | | This time you'll have hundreds of billions of BTC that will be hacked by someone who will probably instantly unload it. In that scenario it's hard to see the price of it not dropping >90%, so you'd have to think people would prefer a roll back. That said, I don't know how you could even do a roll back, you're not rolling back to a 'safe' state since the keys aren't safe at that point. | | |
| ▲ | pants2 7 hours ago | parent [-] | | Very good point on the roll-back. However in terms of the hack, Bitcoin is slow - most exchanges require a few confirmations so it's 30+ minutes to land a deposit in Coinbase/Binance at minimum, and a transfer that huge would instantly set off alarms. Seems unlikely that they would be able to unload that much. | | |
| ▲ | wmf 5 hours ago | parent [-] | | Coinbase would definitely go into buy-only mode during a major crash but that just means people would scream while they watch futures/perps go to zero. "If you're first out the door, that's not called panicking." |
|
|
| |
| ▲ | glerk 11 hours ago | parent | prev [-] | | Letting the hack stand means the chain comes to a halt and all value is destroyed? Even if you’re a staunch bitcoin purist, I don’t think that’s the path you want to go on. | | |
| ▲ | wmf 11 hours ago | parent [-] | | The chain wouldn't halt because mining won't be affected by quantum. If you see hacks happening you could race to move your coins into a PQ wallet before the hackers do. I'm assuming that PQ software will be available before the hacks. I agree that this is a very bad scenario. |
|
|
|
| ▲ | block_dagger 11 hours ago | parent | prev | next [-] |
| I'd argue there may be an increase in value over time if the community handles the fork well. |
| |
|
| ▲ | tuckwat 11 hours ago | parent | prev | next [-] |
| BTC thrives on hype and hope that others will buy in. A successful quantum attack would obliterate the value and future value. |
|
| ▲ | Hasslequest 12 hours ago | parent | prev [-] |
| [dead] |
