Author: Lloyd Fournier 2021-03-15 23:46:05
Published on: 2021-03-15T23:46:05+00:00
The bitcoin-dev mailing list has been discussing the potential vulnerability of Taproot to quantum computing (QC). While this is not a new topic, it has become more prominent recently, with some members calling for the wider community to be made aware of the issue. The current consensus seems to be that while existing addresses are vulnerable to QC and would require a hardfork to fix, once a QC-resistant spending procedure has been developed, it could be added as a backup spending policy as a new tapleaf version. If QC gets to the point where it can break ECC, then key-path spends could be disabled via softfork. It is unlikely that everyone will move their coins to Taproot addresses with a QC-resistant tapleaf backup, so it may be necessary to hard fork to stop old addresses from being spent without a quantum-resistant ZKP. The introduction of a new quantum-resistant segwit version may also be required if QC degrades SHA256 sufficiently. Some members of the mailing list have argued that the tradeoffs associated with Taproot and QC are not worth it, and any QC issues in Bitcoin need to be solved in another way. However, others have pointed out that there is an important distinction between using hashes and naked pubkeys, as an attacker has to race against the spending transaction confirming with the former, whereas with the latter, they do not have to wait for a spend to occur, drastically increasing the available time to attack.Mark's post on the subject suggests that QC progress is currently exponential and will continue to be, meaning that "months" could turn into "days" and into "minutes" in a short period. Since QC progress is exponential and the speedup that ECC quantum algorithms offer is also exponential, it is possible to go from ten thousand years to break ECC to a few seconds within a year. Therefore, it may be wise to enter a QC world with Taproot enabled and most people using it, so that QC-resistant backup spend paths can be introduced without hardforks before they become practical.
Updated on: 2023-06-14T19:34:17.378966+00:00