Date: Thu, 12 Dec 2024 18:07:28 -0800 (PST)
From: Ian Quantum
To: Bitcoin Development Mailing List
In-Reply-To: <07384dbd-4b98-43db-a71a-e19a1d04f849n@googlegroups.com>
Subject: [bitcoindev] Re: Proposal for Quantum-Resistant Cryptography in Bitcoin - BIP Submission

Some contributions of my own to add to this conversation.

FALCON wasn't approved by NIST because the security of the algorithm is directly linked to the randomness of the input parameters. There was a similar concern over RSA about 25 years ago, and the question of the exponent related to the operation as a matter of security. They weren't sure if the exponent should be high, random or irrelevant to the security. Turns out that it was irrelevant, so the cryptography community relaxed and selected the exponent 3 for RSA for performance reasons with no cost to security. When a parameter is so relevant to the security of FALCON it is alarming, and the algorithm may be unsuitable for blockchain.

I would suggest NTRU Prime by Daniel Bernstein as a solid contender for secure Lattice. Critically to a heterogeneous environment, it is not susceptible to side channel attacks so the keys cannot be stolen through magnets next to a thumb drive.
Daniel Bernstein managed to perform side channel attacks 10 out of 10 times on multiple NIST PQ standards.

A quantum network runs 45x faster than the same qubits assigned to a single machine. https://arxiv.org/abs/2211.15465
Quantum networks also require less wiring, and a 6000 node network of 1152 qubit machines can crack bitcoin in 10 minutes on average. https://arxiv.org/abs/2306.08585 The qubit count is expected to go down by at least 30% by 2027 due to general improvement in the algorithm. Litinski explained his algorithm at Crypto conference, and included further optimizations to lower the qubit count and increase performance. https://www.youtube.com/watch?v=AumHpDRS5iI

The scaling of some machines and algorithms is indeed linear https://arxiv.org/abs/1808.02892 but this is not always true. With Active Volume, a 3x increase in nodes causes a 7x increase in performance.

Due to Grover's it is critical that 256 bit addresses be used. 160 bits is simply too small to be future proof.

With the advent of quantum networks, the hardware is more achievable. Mass production becomes the new paradigm, not IBM's flagship for gathering news attention. PSI Quantum has solved mass production https://arxiv.org/html/2404.17570v1 and has completed the entire system end to end. https://www.youtube.com/watch?v=A1tD4VXzswU

A reasonable estimate would be PSI Quantum breaking secp256k1 in 2027. Hopefully we will get a 'canary warning' by breaking ECC-32 but to increase scale to break ECC-256 would only be a 4x increase in total qubits.

Other candidates for mass production are:
Oxford Ionics, who produces 256 qubit machines that run at room temperature. The trapped ion system is cooled and operates using lasers and magnets.
Riverlane, who produces rapid components but is mostly focused on high performance. Targeting 1 mil qubits in 2027 is a reasonable extrapolation of their roadmap. (100k qubits in 2026 after 10k qubits in 2025.) https://www.riverlane.com/newsroom
Intel, who produces electron spin wafers with an unknown but extremely large number of qubits per wafer. These devices are produced fully autonomously and without intervention. 15 wafers are produced per day, per manufacturing and testing device. More devices will probably be produced soon, and they could potentially produce billions of qubits per week with 20 machines. They do not have any reports of algorithm on chip, networking, or complete computing capabilities at this time. https://www.intc.com/news-events/press-releases/detail/1693/intel-takes-next-step-toward-building-scalable

I hope that we can make significant progress in getting Bitcoin quantum safe.

Ian Smith
@IanSmith_HSA

On Tuesday, October 22, 2024 at 12:38:44 AM UTC+9 Jon Atack wrote:
> Hi Agustin,
>
> Good to see!
>
> Have you seen the work-in-progress BIP draft at
> https://github.com/bitcoin/bips/pull/1670? It may be good to review each
> other (and possibly collaborate).
>
> Discussions/references to that draft:
> * https://groups.google.com/g/bitcoindev/c/Aee8xKuIC2s/m/cu6xej1mBQAJ (Mailing list discussion)
> * https://delvingbitcoin.org/t/proposing-a-p2qrh-bip-towards-a-quantum-resistant-soft-fork/956?u=cryptoquick (Delving Bitcoin discussion)
> * https://bitcoinops.org/en/newsletters/2024/06/14/ (Bitcoin Optech newsletter)
> * https://bitcoinops.org/en/podcast/2024/06/18/#draft-bip-for-quantum-safe-address-format (Bitcoin Optech discussion transcript)
>
> Best regards,
> Jon
>
> On Thursday, October 17, 2024 at 5:06:34 PM UTC-6 Agustin Cruz wrote:
>
> Dear Bitcoin Developers,
> I would like to propose a Bitcoin Improvement Proposal (BIP) that aims to introduce quantum-resistant cryptography to the Bitcoin protocol. With the rapid advancement in quantum computing, this proposal outlines the integration of post-quantum cryptographic algorithms (SPHINCS+ and Dilithium) to safeguard Bitcoin's long-term security.
>
> The key points of the proposal are:
> - Introduction of quantum-resistant signature algorithms (SPHINCS+ and Dilithium).
> - New Bech32-based address formats for quantum-resistant addresses.
> - Modifications to transaction structures and script opcodes to support larger signature sizes.
> - A transition mechanism through a soft fork to ensure backward compatibility with existing Bitcoin addresses and transactions.
>
> The full BIP draft is available here https://github.com/chucrut/bips/blob/master/bip-xxxx.md for your review and feedback. I look forward to the community's input and am open to suggestions on how to improve the proposal.
>
> Best regards,
> Agustín Cruz
>

--
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/d142e67b-a0b1-49a0-9593-82053d55e3a5n%40googlegroups.com.