Bitcoin’s Post-Quantum Migration Will Be Tougher Than Taproot and Must Start Now, Says Project Eleven CEO

The Bitcoin developer community should stop waiting for certainty on quantum computing timelines and focus on getting a post-quantum signing system into production, Alex Pruden, CEO of Project Eleven, said Wednesday at CoinDesk’s Consensus conference in Miami.

Pruden said the asymmetry between acting now and waiting favors action.

“We added new crypto, we kind of built that in, it turns out we didn’t need it yet, but at least we have it,” he said, describing the worst-case scenario of an early move.

The worst case of moving late is far worse: a sufficiently large and reliable quantum computer could derive the private key behind any public key that is visible on-chain or in a broadcast transaction, using Shor’s algorithm, the 1994 algorithm that remains the canonical example of a problem a quantum machine can solve efficiently and a classical machine, as far as anyone knows, cannot.

Pruden valued the assets at stake at approximately $2.3 trillion.

“In a very real sense, someone with a sufficiently large and capable quantum computer owns everyone’s digital assets or bitcoins for the public key that they can see,” Pruden said.

The way forward, Pruden said, is to introduce a new signature scheme into Bitcoin that does not rely on the elliptic-curve mathematics underlying the Elliptic Curve Digital Signature Algorithm, or ECDSA, that it uses today (and, since Taproot, the Schnorr signatures that share the same secp256k1 curve and the same exposure to Shor’s algorithm).

The National Institute of Standards and Technology has standardized post-quantum schemes based on hash functions and on lattices, he said, and discussion in the Bitcoin community has moved toward the hash-based option. BIP-360, proposed last year, laid the groundwork for adding a quantum-resistant Taproot output type, and Blockstream deployed a hash-based signature system on its Liquid network.
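To make the “hash-based option” concrete, here is an added example (not code from the article, from Project Eleven, or from any Bitcoin implementation): a Lamport one-time signature over SHA-256, the simplest scheme in that family. Security rests only on the hash function’s preimage resistance, with no elliptic-curve structure for Shor’s algorithm to attack, but the trade-offs that make a Bitcoin migration hard are visible immediately: 8 KiB signatures, 16 KiB public keys, and a key that must never sign twice. The function names (`keygen`, `sign`, `verify`, `reuse_leak`) and the fixed demo seed are this example’s own assumptions; the messages are constructed.

```python
"""Lamport one-time signatures over SHA-256: the simplest hash-based scheme.

Added example (not the page's or any Bitcoin project's code). It shows why the
hash-based option is attractive (security rests only on SHA-256 preimage
resistance, no elliptic-curve math) and what it costs: 8 KiB signatures,
16 KiB public keys, and keys that must never sign twice.
"""
import hashlib
import os
from typing import Optional

N_BITS = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list:
    """SHA-256 the message and return its 256 bits, most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def keygen(seed: Optional[bytes] = None):
    """Derive 2*256 secret 32-byte values from a seed (PRF-style) and publish their hashes.

    `seed` defaults to 32 random bytes; a fixed seed is only for reproducible demos.
    """
    seed = seed if seed is not None else os.urandom(32)
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(N_BITS)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig: list) -> bool:
    """Hash each revealed secret and check it lands on the published hash for that bit."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


def signature_size(sig) -> int:
    return sum(len(s) for s in sig)


def public_key_size(pk) -> int:
    return sum(len(h) for pair in pk for h in pair)


def reuse_leak(msgs: list) -> int:
    """Count positions where signing these messages with ONE key reveals both secrets.

    At each such position an attacker may choose either bit freely, which is why a
    Lamport key is one-time only; stateful (XMSS) and stateless (SPHINCS+, the basis
    of NIST's SLH-DSA) constructions exist to remove that footgun at further size cost.
    """
    seen = [set() for _ in range(N_BITS)]
    for m in msgs:
        for i, b in enumerate(digest_bits(m)):
            seen[i].add(b)
    return sum(1 for s in seen if len(s) == 2)


if __name__ == "__main__":
    sk, pk = keygen(b"constructed-demo-seed")  # fixed seed: demo only, never in production
    tx = b"constructed transaction bytes"
    sig = sign(sk, tx)
    print("valid:", verify(pk, tx, sig))
    print("tampered valid:", verify(pk, tx + b"!", sig))
    print("sig bytes:", signature_size(sig), "pk bytes:", public_key_size(pk))
    print("positions leaked by signing twice:", reuse_leak([tx, b"second spend"]))
```

The size numbers are the point a wallet or exchange engineer cares about: a single Lamport signature is roughly a hundred times larger than a 64-byte Schnorr signature, and the one-time property means key management becomes part of the security model rather than a convenience.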

“Moving from just research to production is, I think, what we need to focus on,” Pruden said. “Let’s focus on the D of R&D.”

The migration will be much more difficult than the Taproot upgrade, Pruden warned.

“Taproot took five years, but that’s not even the whole challenge it will be.” Where Taproot was opt-in and most users never bothered to migrate, every Bitcoin holder and every wallet, exchange, and institution that touches the asset will have to participate in a post-quantum migration.

Pruden said the timing risk is serious: if a quantum computer arrives before users have migrated, an attacker could target transactions while they are still pending. Broadcasting a spend reveals the public key, so within the window of a single block the attacker could derive the private key and broadcast a competing transaction with a higher fee, capturing the funds before the legitimate transaction confirms.
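The two exposure cases described above (a public key already visible on-chain, and a key revealed by a pending transaction that can be raced with a higher fee) come down to which output script an address uses. The following added example, which is not code from the article, from Project Eleven, or from any Bitcoin implementation, parses a scriptPubKey against the standard output templates and reports whether the public key sits in the unspent output itself (P2PK, and Taproot’s tweaked output key) or only appears when the output is spent (the hash-locked types), which is the window a mempool-racing attacker would use. The type, function and constant names (`Exposure`, `classify`, `quantum_exposed`, `audit`, `SAMPLE_UTXOS`) are this example’s own, and the sample scripts are constructed from dummy key and hash bytes.

```python
"""Which Bitcoin outputs hand an attacker a public key to run Shor's algorithm on?

Added example, not the page's or any Bitcoin project's code. It parses a
scriptPubKey and reports whether the public key sits on-chain in the UTXO
itself (P2PK, P2TR) or only appears once the output is spent (hash-locked
types), which is the window a mempool-racing attacker would use.
Sample scripts below are constructed with dummy key/hash bytes.
"""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC,
)


@dataclass(frozen=True)
class Exposure:
    script_type: str
    pubkey_in_utxo: bool    # key (or tweaked key) visible while the coins sit unspent
    pubkey_at_spend: bool   # key becomes visible in the spending transaction


def classify(script: bytes) -> Exposure:
    """Match the standard output templates; anything else is treated conservatively."""
    n = len(script)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG (early coinbase outputs use this form)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return Exposure("p2pk", True, True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Exposure("p2pkh", False, True)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL; the redeem script (usually holding keys) shows at spend
    if n == 23 and script[0] == OP_HASH160 and script[1] == 20 and script[-1] == OP_EQUAL:
        return Exposure("p2sh", False, True)
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and script[0] == OP_0 and script[1] == 20:
        return Exposure("p2wpkh", False, True)
    # P2WSH: OP_0 <32-byte hash>
    if n == 34 and script[0] == OP_0 and script[1] == 32:
        return Exposure("p2wsh", False, True)
    # P2TR: OP_1 <32-byte x-only output key>; the tweaked key is public from day one,
    # and its discrete logarithm is enough for a key-path spend
    if n == 34 and script[0] == OP_1 and script[1] == 32:
        return Exposure("p2tr", True, True)
    return Exposure("unknown", True, True)  # e.g. bare multisig: assume keys are visible


def quantum_exposed(script: bytes, spent_from_before: bool, pending_spend: bool = False) -> bool:
    """True if a Shor-capable attacker can already see a key controlling this output.

    spent_from_before: the same script was spent from earlier (address reuse).
    pending_spend: a transaction spending it is in the mempool (the fee race in the text).
    """
    e = classify(script)
    return e.pubkey_in_utxo or (e.pubkey_at_spend and (spent_from_before or pending_spend))


# Constructed sample UTXO set: (label, scriptPubKey hex, spent-from-before)
SAMPLE_UTXOS = [
    ("early p2pk", "21" + "02" + "11" * 32 + "ac", False),
    ("fresh p2pkh", "76a914" + "22" * 20 + "88ac", False),
    ("reused p2pkh", "76a914" + "33" * 20 + "88ac", True),
    ("fresh p2wpkh", "0014" + "44" * 20, False),
    ("p2sh", "a914" + "55" * 20 + "87", False),
    ("p2wsh", "0020" + "66" * 32, False),
    ("taproot", "5120" + "77" * 32, False),
]


def audit(utxos=SAMPLE_UTXOS) -> list:
    """Labels of outputs an attacker with a large quantum computer could take at rest."""
    return [label for label, hexscript, reused in utxos
            if quantum_exposed(bytes.fromhex(hexscript), reused)]


if __name__ == "__main__":
    for label, hexscript, reused in SAMPLE_UTXOS:
        e = classify(bytes.fromhex(hexscript))
        print(f"{label:13} {e.script_type:7} in_utxo={str(e.pubkey_in_utxo):5} "
              f"exposed_now={quantum_exposed(bytes.fromhex(hexscript), reused)}")
    print("exposed at rest:", audit())
```

Two things the output makes plain: hash-locked outputs (P2PKH, P2WPKH, P2SH, P2WSH) are only safe until the first spend or any address reuse, and Taproot, the very upgrade the migration is being compared with, puts a curve point on-chain for every output, so moving funds into P2TR is no shelter.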

Pressed on the unresolved debate over what to do with bitcoin stored in dormant, quantum-vulnerable addresses, Pruden urged the community to postpone that fight and focus on the migration itself. Harper presented this debate as involving more than 5 million dormant coins, including coins attributed to Satoshi Nakamoto via the so-called “Patoshi” model of early mined blocks.

“The issue of Satoshi coins in particular is a difficult one,” Pruden said, because it puts two philosophical commitments in tension: Bitcoin’s fixed-supply philosophy and its commitment to digital property rights. Asked for his personal opinion, Pruden said that dormant coins could potentially be “recycled” and “return to the end of the supply curve” to extend the incentive runway for Bitcoin mining after the block subsidy runs out.

“If you put me on the spot, that’s probably what I would say,” Pruden said. “So I guess overall it’s going to be the confiscation aspect. But again, I think ultimately it’s the community that’s going to decide. The institutions and the market are going to decide.”

As for whether Bitcoin Core developers are taking the threat seriously, Pruden said the response is mixed. “Core is not a monolithic entity. So I think there are certainly [some] in Core who take it seriously. I think some people think quantum computers will never happen.” He pointed to the broader scientific community as a counterbalance: “The majority of physicists, if you ask them that, they will say, yes, that will be a thing. And besides, many of them think that the timelines are accelerating.”

The same physics that makes quantum computers a threat to existing cryptography could also give rise to the next generation of cryptographic primitives, he said, citing key-exchange protocols based on quantum entanglement and the certified-randomness work that won the Turing Award last year.
