Bitcoin’s developer community should stop waiting for certainty about quantum-computing timelines and focus on getting a post-quantum signature scheme into production, Alex Pruden, CEO of Project Eleven, told CoinDesk’s Consensus Miami conference on Wednesday.
Pruden said the asymmetry between acting now and waiting favors action.
“We added some new cryptography, we kind of built in this optionality, it turns out we didn’t need quite yet, but at least we have it,” he said, describing the worst case of moving early.
The worst case of moving late is far worse: a sufficiently capable quantum computer could derive private keys from any exposed public key using Shor’s algorithm, the 1994 algorithm that remains the canonical example of what a quantum machine can do that a classical one cannot.
Pruden valued the asset at stake at roughly $2.3 trillion.
“In a very real sense, someone with a sufficiently large and capable quantum computer kind of owns everyone’s digital assets or bitcoin for the public key that they can see,” Pruden said.
The path forward, Pruden said, is to introduce a new signature scheme into Bitcoin that does not rely on the elliptic-curve mathematics underlying ECDSA, the elliptic-curve digital signature algorithm Bitcoin uses today.
The National Institute of Standards and Technology has standardized post-quantum schemes based on hash functions and lattices, he said, and Bitcoin community discussion has trended toward the hash-based option. BIP-360, proposed last year, laid groundwork for adding a quantum-resistant Taproot output type, and Blockstream has deployed a hash-based signature scheme on its Liquid Network.
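As an added illustration (not code from the article, Project Eleven, Blockstream or BIP-360), the simplest hash-based construction, a Lamport one-time signature over SHA-256, shows what "based on hash functions" means in practice: security rests on preimage resistance rather than elliptic-curve math, and the caveat is that each signature reveals half the secret key, so a key may sign only once.

```python
import hashlib
import secrets

# Toy Lamport one-time signature over SHA-256 (illustrative only, not a
# production scheme). Security rests on the hash's preimage resistance, which
# Shor's algorithm does not break; stateful/stateless hash-based standards
# (XMSS, SPHINCS+) build on this same one-time primitive.

N = 256  # digest bits; one secret pair per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (N - 1 - i)) & 1  # bit i counted from the MSB


def sign(sk, msg: bytes):
    """For each digest bit, reveal the preimage matching that bit's value."""
    d = int.from_bytes(H(msg), "big")
    return [sk[i][_bit(d, i)] for i in range(N)]


def verify(pk, msg: bytes, sig) -> bool:
    """Recompute the digest and check each revealed preimage hashes to the pk half."""
    if len(sig) != N:
        return False
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(N))


def leaked_fraction(sk, sigs) -> float:
    """Caveat check: fraction of the 512 secret preimages exposed by `sigs`.
    One signature leaks exactly half; a second signature on a different
    message leaks more, which is why the key must never be reused."""
    revealed = set()
    for sig in sigs:
        for i, pre in enumerate(sig):
            for j in (0, 1):
                if sk[i][j] == pre:
                    revealed.add((i, j))
    return len(revealed) / (2 * N)
```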
“Moving stuff out of just research into production is, I think, actually what we need to focus on,” Pruden said. “Let’s focus on the D of R&D.”
The migration will be substantially harder than the Taproot upgrade, Pruden warned.
“Taproot took five years, but that’s not even really the entire challenge that this will take.” Where Taproot was opt-in and most users never bothered migrating, every bitcoin holder and every wallet, exchange and institution that touches the asset will need to participate in a post-quantum migration.
Pruden said the timing risk is severe: if a quantum computer arrives before users have migrated, an attacker could front-run pending transactions within a single block time, paying a higher fee to capture funds whose private keys it has just derived.
Pressed on the unresolved debate over what to do with bitcoin sitting in dormant, quantum-vulnerable addresses, Pruden urged the community to defer that fight and focus on the migration itself. Harper framed that debate as involving upward of 5 million dormant coins, including coins attributed to Satoshi Nakamoto via the so-called “Patoshi” pattern of early miner blocks.
“The question of the Satoshi coins in particular is a hard one,” Pruden said, because it puts two philosophical commitments in tension: Bitcoin’s fixed-supply ethos and its commitment to digital property rights. Asked for his personal lean, Pruden said the dormant coins could potentially be “recycle[d] back into the end of the supply curve” to extend Bitcoin’s mining-incentive runway after the block subsidy runs out.
“If you put me on the hot seat, that’s probably what I would say,” Pruden said. “So I guess overall would be the confiscation side. But again, I think ultimately, the community is going to decide. The institutions and the market are going to decide.”
On whether Bitcoin Core developers are taking the threat seriously, Pruden said the answer is mixed. “Core is not a monolithic entity. So I think there are definitely [some] in Core that are taking it seriously. I think there are some people that have the opinion” that quantum computers will never arrive. He pointed to the broader scientific community as a counterweight: “The majority of physicists out there, if you ask them this, they’ll say, yes, it will be a thing. And by the way, many of them believe that the timelines are accelerating.”
The same physics that makes quantum computers a threat to existing cryptography may also seed the next generation of cryptographic primitives, he said, citing key-exchange protocols based on quantum entanglement and certified-randomness work that won the Turing Award last year.
coindesk.com