GM. Timelocks are cool.
Liana Wallet
Liana Wallet
npub1ejky...expu
Liana is a simple Bitcoin wallet with built-in loss protection and inheritance. Developed by Wizard Sardine.
How quantum computing affects Bitcoiners, Part II
The second part of our summary of Chaincode Labs' excellent paper on Bitcoin and quantum resistance.
Migration strategies and the burn vs steal debate.
Bitcoins that are locked in addresses with publicly-revealed public keys are most vulnerable to theft from future quantum computers:
- Satoshi's coins
- Other early coins that may be lost
- Reused addresses
Researchers estimate that there are 6 million such vulnerable bitcoin
It's not just Satoshi's coins and coins with lost keys that are vulnerable
Some prominent examples of addresses with exposed public keys are yellow highlighted in this image from @Jameson Lopp 's article on quantum resistance:
Ideally, we come up with a way to make all coins safe from quantum attack
All quantum resistance proposals currently require that users send their coins to new, quantum resistant addresses
There are ~190 million UTXOs
The good folks at Chaincode Labs pulled together research on how long it might take to migrate everyone's bitcoin to quantum resistant addresses
Estimates vary between 140 and 560 days
This is one very strong reason to start working on this problem long before it becomes a problem
There are a number of proposals for how this migration could work:
But all of them first require a soft fork or hard fork to introduce new quantum resistant address types
Commit-Delay-Reveal (CDR) has users create a quantum-resistant tx with an op-return that references the public key of their vulnerable coins
A soft fork then enforces a time delay before the coins can be moved by a 2nd tx that is signed by the original key and the op-return key
Quantum Resistant Address Migration Protocol (QRAMP) proposes a hard fork that enforces a flag day beyond which coins in quantum vulnerable addresses can no longer be spent
QRAMP could be used in combination with proposed BIP 360: pay to quantum resistant hash addresses
Hourglass strategy
A soft fork enforces a new rule that only a certain number of txs spending from quantum vulnerable addresses may be included in any one block
This slows the rate at which such coins could be stolen (or spent)
Might also generate a lot of fees for miners
In addition to the question of how Bitcoin achieves quantum resistance, there is also this:
What happens to the coins to which nobody has the keys?
Some proposals permanently freeze them while others leave them up for quantum theft.
Burn or steal?
The burn argument goes like this: Sure we don't want to prevent anyone from spending their coins, but this is a clear vulnerability: coins that the protocol guarantees as safe can be stolen.
Therefore, permanently freezing the lost coins best maintains Bitcoin's rules
The steal argument goes like this: Bitcoin is built on enforcing the sovereignty of key-owners. Changing the protocol to freeze some coins violates this important value.
Bitcoin should never change its rules such that we risk preventing a user from spending their coins.
Where does this leave us?
Making Bitcoin quantum resistant requires
1. A soft fork
2. Migrating all coins to new addresses
3. Tough decisions about what to do with coins that can't migrate
Bitcoin has so many stakeholders at this point that such an undertaking will clearly be slow
Even if you think that quantum computing is far overhyped, we really should start moving on it.
The best thing you can do is educate yourself. Read Chaincode Labs' paper here:
.pdf
Huge props to Clara Shik and @deadmanoz for their work!
Cypherpunk Cogitations
Against Allowing Quantum Recovery of Bitcoin
An argument in favor of burning bitcoin in vulnerable addresses to prevent funds from being taken by those who win the quantum computing race.
Ideally, we come up with a way to make all coins safe from quantum attack
All quantum resistance proposals currently require that users send their coins to new, quantum resistant addresses
There are ~190 million UTXOs
The good folks at Chaincode Labs pulled together research on how long it might take to migrate everyone's bitcoin to quantum resistant addresses
Estimates vary between 140 and 560 days
This is one very strong reason to start working on this problem long before it becomes a problem
There are a number of proposals for how this migration could work:
But all of them first require a soft fork or hard fork to introduce new quantum resistant address types
Commit-Delay-Reveal (CDR) has users create a quantum-resistant tx with an op-return that references the public key of their vulnerable coins
A soft fork then enforces a time delay before the coins can be moved by a 2nd tx that is signed by the original key and the op-return key
Quantum Resistant Address Migration Protocol (QRAMP) proposes a hard fork that enforces a flag day beyond which coins in quantum vulnerable addresses can no longer be spent
QRAMP could be used in combination with proposed BIP 360: pay to quantum resistant hash addresses
Hourglass strategy
A soft fork enforces a new rule that only a certain number of txs spending from quantum vulnerable addresses may be included in any one block
This slows the rate at which such coins could be stolen (or spent)
Might also generate a lot of fees for miners
In addition to the question of how Bitcoin achieves quantum resistance, there is also this:
What happens to the coins to which nobody has the keys?
Some proposals permanently freeze them while others leave them up for quantum theft.
Burn or steal?
The burn argument goes like this: Sure we don't want to prevent anyone from spending their coins, but this is a clear vulnerability: coins that the protocol guarantees as safe can be stolen.
Therefore, permanently freezing the lost coins best maintains Bitcoin's rules
The steal argument goes like this: Bitcoin is built on enforcing the sovereignty of key-owners. Changing the protocol to freeze some coins violates this important value.
Bitcoin should never change its rules such that we risk preventing a user from spending their coins.
Where does this leave us?
Making Bitcoin quantum resistant requires
1. A soft fork
2. Migrating all coins to new addresses
3. Tough decisions about what to do with coins that can't migrate
Bitcoin has so many stakeholders at this point that such an undertaking will clearly be slow
Even if you think that quantum computing is far overhyped, we really should start moving on it.
The best thing you can do is educate yourself. Read Chaincode Labs' paper here:
.pdf
Huge props to Clara Shik and @deadmanoz for their work!
GM. Ask somebody to pay you in Bitcoin today.
How quantum computing affects Bitcoiners ๐งต
Summarizing Chaincode Labs' excellent recent paper on the topic
tl;dr
๐
Quantum computers do not pose a threat to Bitcoin today
๐ฐ But many researchers agree they will in the next 5 - 10 years
๐ง๏ธ Bitcoiners should start working on mitigations
Here's how quantum computers could threaten Bitcoin:
An everyday computer can derive a public key from a Bitcoin private key in a few microseconds
But the reverse is much more difficult:
Today's supercomputers would take ~100 quadrillion years to find the private key for a known public key
Quantum computers could theoretically derive a Bitcoin private key from a known public key in just a few hours
So the primary risk quantum computing poses to Bitcoiners is for situations where the public key to your coins has been exposed
How might that have happened?
Long-range quantum attacks:
Some address types expose their public key:
Pay to public key
Pay to multisig
Pay to Taproot
Since these public keys are exposed as soon as the address receives coins, quantum computers may be used to derive their private keys and steal the coins
Short-range quantum attacks:
When you spend bitcoin, you reveal the public key for the coins in your transaction
A quantum computer may be used to derive their private key and spend them in a new transaction with a higher fee before your transaction is included in a block
Address reuse:
Coins that reuse an address from which other coins have already been spent may also be vulnerable to theft because the previous spends revealed the address's public key
A quantum computer may be used to derive private keys to any coins still at a reused address
Exposed xpubs:
Many services request that Bitcoiners provide an extended public key (xpub) used to generate addresses
If such an xpub is leaked, all addresses generated by that xpub may become vulnerable to having their private keys derived by a quantum computer
Advances in quantum computing could also affect mining:
Quantum computers may slightly weaken the security of the SHA256 hash function used in mining, but it is unlikely they could break it
This means Proof of Work is probably still reliable in a quantum computing future
However, quantum miners may be subject to much stronger centralization pressures:
the best quantum hardware "would gain a disproportionate speedup, eliminating the incentive for less powerful quantum miners - as well as those who lack quantum computers - to participate"
Quantum resistance
Fortunately, there are a number of feasible proposals for how Bitcoin could become resistant to quantum attacks
Unfortunately, most of them involve using much larger signatures (read: quantum resistant spending might mean you pay a lot more in mining fees)
Tomorrow, we'll look at the second half of Chaincode's paper: Migration strategies and the big question facing Bitcoiners: burn or steal?
Read the full Chaincode report at: .pdf
And be sure to follow the report's authors: Clara Shik & ozdeadman
GM. Tired of pizza? How about nachos...
Nacho Bitcoin (the music video) feat. Blackrock, Coinbase & Friends
GM. Your money is headed for extinction. Learn how to use money that isn't: #Bitcoin
GM. You can start holding your own #Bitcoin keys with just a few dollars worth of bitcoin.
Liana Wallet is looking for 10 Bitcoiners who are willing to hop on a call with our head of product to tell us what they find most frustrating about Bitcoin self-custody. We want to know what is the biggest source of anxiety in your cold storage setup.
- you do not have to be a Liana Wallet user
- you don't have to be technical
In exchange for your time, we're happy to offer a security audit of your current setup, if you'd like a high-level sanity check to make sure you haven't overlooked any serious flaws.
If you're interested in helping us out, head on over to the link below and pick a convenient date/time:
Calendly
Bitcoin Custody for Organizations โ Research Interview - Manuel Gatti
We're exploring new ways to improve Bitcoin key management for organizations. This short call is part of early product research to better understan...
Not today, little do-gooder hobbit!
Use timelocked recovery keys for your coins and prevent destructive halflings from ruining your day.
If you've been looking for a step-by-step guide to set up Liana Wallet with
- timelocked inheritance keys
- multiple hardware signers
- custom multisig
You should definitely check out this @BTC Sessions tutorial: