Beware of quantum-resistant scams

Source: Liu Jiaolian WeChat Account
BTC just tried to pull up and break away from the 30-day moving average yesterday, and today it stepped back to the 30-day moving average (around 104.9k).

Recently, many readers have forwarded to Jiaolian the FUD about quantum computing and Bitcoin going to zero in the next few years (Note from Jiaolian: a term in the currency circle, meaning to make the audience feel fear, doubt, and confusion in order to create panic).

Quantum computing FUD is not something that happens every year, but it happens every few years. But how can I say that almost all the people who can see it say that Bitcoin is going to zero with quantum computing are all scams; if they take the opportunity to recommend you a few so-called anti-quantum coins later, then it can basically be considered a scam.

Anyone who has read the articles on quantum computing in Jiaolian, or has carefully read the chapters on quantum computing in The History of Bitcoin, should be able to easily see through this kind of deception and scam at a glance.

If you are just fooled and are afraid of going to zero and dare not hold Bitcoin, then you will just miss some opportunities for Bitcoin to rise in the future; but if you are deceived into spending money to buy some shitty anti-quantum coins, then you will really suffer financial losses.

Remember the following knowledge points:

First, how long will it take for quantum computers to reach practical levels? Very long. At least much longer than the 5 or 8 years mentioned by those who come out to brag. Just like you often hear AI people bragging that they will be able to create so-called AGI (general artificial intelligence) before 203X, and that computers will completely crush humans in terms of intelligence. In fact, it may just be a rhetoric to fool investors into spending money on them. Maybe it will take 10 years, 20 years, 50 years, or even before war or natural disasters lead to the destruction of mankind.

Second, if quantum computers are soon put into practical use, maybe you should first worry about whether the money in your traditional bank account is still safe. All of these systems are easily broken by practical quantum computing, much easier than big cookies. Big cookies' addresses are a layer of hash outside the signature algorithm. If you follow the principle of "each address is used only once" that Jiaolian talked about in the Xiaobai class, then it is naturally resistant to quantum attacks. This is because the hash used by big cookies has strong quantum resistance.

Third, it is technically easy for big cookies to replace the current signature algorithm with a quantum-resistant signature algorithm. Technicians are also actively paying attention to and studying the latest developments in quantum-resistant algorithms, and adopting a preemptive strategy to ensure that they are always ready for upgrades. As for why we don't upgrade now? That's because the quantum-resistant algorithms proposed now are too bad. It's not that they are not quantum-resistant, but their signature sizes are too large, so large that they can't meet the requirements of the Bitcoin system at all.

After all, all problems ultimately come down to engineering feasibility. Chapter 3, Episode 9 of "The History of Bitcoin" introduced that the key consideration for Satoshi Nakamoto in choosing the signature algorithm was the size factor. This is what he said back then:

Satoshi Nakamoto explained in three Bitcoin community forum discussions on January 29, May 20, and July 25, 2010: "Bitcoin uses the Elliptic Curve Digital Signature Algorithm (EC-DSA). This algorithm can only be used for digital signatures, not encryption. RSA can do both, but I didn't use it because it is an order of magnitude larger, which is impractical." "It's not about the size of the executable program, but the size of the data. If the blockchain, Bitcoin address, disk space, and bandwidth requirements are all an order of magnitude larger, this is not feasible."

So how about the size of the quantum-resistant algorithms we can see today compared to ECC or RSA? The answer is hundreds to nearly a thousand times larger. For example, the SPHINCS+ algorithm, "the signature size of the lower security level SLH-DSA-SHA2-128s is about 8KB, while the higher security level SLH-DSA-SHA2-256f is even 50KB, which is much larger than the traditional signature algorithm (such as RSA or ECC, the latter is only 64B), and is not suitable for scenarios with strict storage and bandwidth requirements."

Imagine what would happen if the size of the Bitcoin ledger increased a thousand times from less than 1TB today to 1EB? Anyone who is currently advocating for anti-quantum coins must use the anti-quantum algorithms currently available on the market. The consequence is that the size is so large that it is completely useless in engineering, unable to carry large throughput, and will seriously weaken decentralization due to the large size of the ledger.

Back then, Satoshi Nakamoto abandoned RSA simply because the RSA signature size was "an order of magnitude larger" than ECC, and bluntly pointed out that "this is unrealistic." As you can imagine, all the quantum-resistant algorithms today have signature sizes three or four orders of magnitude larger than the current algorithms. Anyone who says this stuff is better than the current Bitcoin is either stupid or evil.

A few days ago, Adam Back, a cryptographer and founder of Blockstream, who was also cited by Satoshi Nakamoto in the Bitcoin white paper reference, sent some tweets to explain his views on the current quantum-resistant algorithms and quantum computing FUD.

What is he talking about?

He said: "FIPS 205: SLH-DSA. I think it is the best candidate for post-quantum secure signatures at present. The signature size is slightly larger, but if you want to prevent premature quantum panic (FUD), you can design a new address format: combining Schnorr Taproot and SLH-DSA Tapleaf. Proof (QED). Future work: Using STARKs to achieve SLH-DSA signature aggregation."

Of course, as a cryptography expert, he used a lot of terms in his words, making it difficult for ordinary people to understand quickly. Simply put, he believes that the SLH-DSA algorithm (numbered FIPS 205) standardized by the National Institute of Standards and Technology (NIST) of the United States is currently the best. This SLH-DSA algorithm is actually the SPHINCS+ algorithm mentioned by Jiaolian above.

Technically speaking, the advantages of the SLH-DSA algorithm are stateless design and high security (relying only on hash functions), but the signature size is significantly larger than traditional schemes (such as RSA or ML-DSA).

He then followed up with some additional explanation:

“You can gradually migrate to a new address format in the next few years or decades, which can use Schnorr signatures for transactions without the space and cost of SLH-DSA signatures now. But if a quantum computer with cryptographic threats appears in the future, you are ready to deal with it.  

I like SLH-DSA because it is based on SPHINCS+, which is itself an improvement on the 1982 Winternitz signature, which in turn originated from the 1979 Winternitz signature. The Lamport signature of Taproot relies on simple and robust mathematical assumptions. In contrast, most other NIST candidate signature schemes are based on new mathematical assumptions that have not been fully verified and are at higher risk. The Taproot address is essentially an unhashed Schnorr public key, but can be tweaked to reveal a Tapleaf (containing SLH-DSA or other opcodes). Taproot proactively designed the Tapleaf adjustment mechanism to be quantum-resistant from the beginning, replacing the hash public key scheme with a better engineering wisdom. "According to the design standards of BIP 341, the adjustment of Tapleaf (tagged_hash("TapLeaf", ...)) uses quantum-resistant hashes (such as SHA-256) to ensure that the script path is still secure even with the advent of quantum computers.

He further explained:

"Bitcoin (should be) prepared for quantum computing so that we don't get Bitcoin price fluctuations due to information asymmetry confusion - excessive reporting of incremental improvements in early quantum computing physics and algorithms - after all, it will likely take decades for quantum computing to reach cryptographically relevant levels.

In my opinion, the most likely outcome is that SLH-DSA will never be used in practice, because it will be replaced by more compact or signature aggregation-enabled schemes many years before cryptographically meaningful quantum computers are built. But we have to get beyond this stupid short-term panic. And this preparation itself has incremental practical value."

Some netizens also asked him what to do with the early mining addresses that hold large amounts of BTC that are suspected to belong to Satoshi Nakamoto. In this regard, he gave his personal guess: "I guess we will eventually know whether Satoshi Nakamoto is still alive and whether he will transfer those bitcoins decades after the quantum-resistant address is enabled but before the emergence of quantum supercomputers with cryptographic threats. If a quantum computer with cryptographic threats does eventually appear, we will know whether Satoshi Nakamoto is still alive and transfers these coins. My guess is that for those bitcoins that have not been moved by then, the ECDSA and Schnorr signature schemes will be abandoned."