Beware of quantum scams

Reprinted from jinse
06/05/2025 · Source: Liu Jiaolian official account
BTC broke upward away from the 30-day moving average yesterday, and today it has stepped back to test that average (around 104.9k).
Recently many readers have forwarded to Jiaolian FUD about quantum computing, claiming that the big cake (BTC) will go to zero within the next few years. (Jiaolian's note: FUD is a crypto-circle term for spreading fear, doubt and confusion among the audience to create panic.)
Quantum-computing FUD comes around almost every year, and every few years it gets a major relaunch. But frankly, almost everyone who claims that quantum computing will send the big cake to zero is, without exception, a fool. And if they then take the opportunity to recommend a few so-called anti-quantum coins to you, you can basically treat it as a scam.
Anyone who has read Jiaolian's articles on quantum computing, or has carefully read the chapters on quantum computing in "History of Bitcoin", should be able to see through such deceptions and scams at a glance.
If you are merely fooled into fearing a collapse to zero and dare not hold the big cake, you only miss out on some of its future rises; but if you are tricked into spending money on some worthless quantum coin, you will suffer real property losses.
Remember the following knowledge points:
First, how long will it take for quantum computers to reach a practical level? A very long time, and certainly far longer than the 5-8 years claimed by those who come out to brag. It is just like the people in AI who boast that they will build so-called AGI (artificial general intelligence) before 203X, with computers completely crushing humans in intelligence. In reality this may be nothing more than a trick to get investors to burn money for them. It may take 10 years, 20 years or 50 years, or it may never happen before war or natural disaster brings about the destruction of mankind.
Second, if quantum computers do become practical quickly, you should perhaps first worry about whether the money in your traditional bank account is still safe. All of those systems would be compromised by practical quantum computing far more easily than the big cake. A big-cake address is a layer of hashing wrapped around the signature algorithm's public key. If you follow the principle of "use each address only once" that Jiaolian teaches in the beginner's class, it is naturally resistant to quantum attacks, because the hash functions used by the big cake have strong quantum resistance.
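The point above can be made concrete with a small audit. The following is an added example, not code from the original article: it walks a constructed set of transactions and classifies each unspent output by whether its public key is already visible on-chain (a Taproot key-path output, or a hashed address that was reused after a spend revealed its key) or is still protected by the address hash. Transactions are plain dicts, the keys are placeholder bytes rather than real secp256k1 points, and Bitcoin's HASH160 is replaced by a SHA-256-based 20-byte stand-in so the example runs on any Python build; all of these are assumptions of the demo.

```python
"""Added example (not from the original article): audit which unspent outputs
already have their public key visible on-chain, versus outputs that are still
protected by the address hash. Constructed assumptions: transactions are plain
dicts, HASH160 is replaced by a SHA-256-based 20-byte stand-in, and Taproot
outputs carry their 32-byte output key directly, as they do on-chain."""
import hashlib
from typing import Dict, List, Tuple

Outpoint = Tuple[str, int]


def pubkey_hash(pubkey: bytes) -> bytes:
    # Stand-in for HASH160 = RIPEMD160(SHA256(pk)): double SHA-256 truncated to
    # 20 bytes, so the example does not depend on RIPEMD-160 being compiled into
    # the local OpenSSL. Only the one-way property matters for this audit.
    return hashlib.sha256(hashlib.sha256(pubkey).digest()).digest()[:20]


def p2pkh_output(pubkey: bytes) -> dict:
    # Hashed output: the chain stores the 20-byte hash, never the key itself.
    return {"kind": "p2pkh", "commitment": pubkey_hash(pubkey)}


def p2tr_output(xonly_key: bytes) -> dict:
    # Taproot output: the (tweaked) 32-byte Schnorr key is stored unhashed.
    return {"kind": "p2tr", "commitment": xonly_key}


def audit_exposure(txs: List[dict]) -> Dict[Outpoint, str]:
    """Classify every unspent output by whether its key is already public."""
    spent = set()
    revealed = set()  # hashes of keys that appeared in a scriptSig when spending
    for tx in txs:
        for txin in tx["inputs"]:
            spent.add(txin["spends"])
            if txin.get("pubkey") is not None:
                revealed.add(pubkey_hash(txin["pubkey"]))

    report: Dict[Outpoint, str] = {}
    for tx in txs:
        for vout, out in enumerate(tx["outputs"]):
            op = (tx["txid"], vout)
            if op in spent:
                continue  # spent outputs hold no value to steal
            if out["kind"] == "p2tr":
                report[op] = "exposed_key_path"       # key is on-chain by design
            elif out["commitment"] in revealed:
                report[op] = "exposed_address_reuse"  # key leaked by an earlier spend
            else:
                report[op] = "unexposed_hashed"       # only the hash is public
    return report


def summarize(txs: List[dict]) -> Dict[str, int]:
    """Count unspent outputs per exposure class."""
    counts: Dict[str, int] = {}
    for status in audit_exposure(txs).values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed placeholder keys (not real secp256k1 points).
PK_A = b"\x02" + b"\xaa" * 32
PK_B = b"\x03" + b"\xbb" * 32
PK_C = b"\x02" + b"\xcc" * 32
TAPROOT_KEY = b"\xdd" * 32

# Constructed two-transaction chain: tx_b spends tx_a:0 (revealing PK_A) and
# then pays PK_A again, which is exactly the address reuse the article warns about.
SAMPLE_CHAIN = [
    {"txid": "tx_a", "inputs": [],
     "outputs": [p2pkh_output(PK_A), p2pkh_output(PK_B), p2tr_output(TAPROOT_KEY)]},
    {"txid": "tx_b", "inputs": [{"spends": ("tx_a", 0), "pubkey": PK_A}],
     "outputs": [p2pkh_output(PK_A), p2pkh_output(PK_C)]},
]


if __name__ == "__main__":
    for op, status in sorted(audit_exposure(SAMPLE_CHAIN).items()):
        print(f"{op[0]}:{op[1]} -> {status}")
    print(summarize(SAMPLE_CHAIN))
```

In the constructed chain, tx_a:1 and tx_b:1 stay "unexposed_hashed" because their keys have never appeared on-chain, tx_b:0 is flagged as "exposed_address_reuse" because PK_A was revealed when tx_a:0 was spent, and the Taproot output tx_a:2 is "exposed_key_path" because its key is stored unhashed by construction. The same walk over real transaction data is how one would measure how much value actually sits behind already-public keys.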
Third, replacing the current signature algorithm with a quantum-resistant one is technically easy. Developers are actively following and studying the latest advances in quantum-resistant algorithms and taking a pre-emptive stance so that they are always ready to upgrade. Why not upgrade now? Because the quantum-resistant algorithms proposed so far are too poor. It is not that they lack quantum resistance, but that their signature sizes are so large that they cannot meet the requirements of the big-cake system at all.
After all, every problem ultimately comes down to engineering feasibility. Chapter 9 of "History of Bitcoin" explains that Satoshi Nakamoto's focus when choosing a signature algorithm was size. Here is what he said back then:
In discussions on the Bitcoin community forum on January 29, May 20 and July 25, 2010, Satoshi Nakamoto explained: "Bitcoin uses the elliptic curve digital signature algorithm (EC-DSA). This algorithm can only be used for digital signatures, not for encryption. RSA can do both, but I did not adopt it because it is an order of magnitude larger, which is unrealistic." "It is not about the size of the executable program, but about the size of the data. If the blockchain, Bitcoin addresses, disk space and bandwidth requirements are all an order of magnitude larger, it is not feasible."
So how does the size of the quantum-resistant algorithms we can see today compare with ECC or RSA? The answer is hundreds to nearly a thousand times larger. Take the SPHINCS+ algorithm as an example: "the signature size of SLH-DSA-SHA2-128s at the lower security level is about 8KB, while SLH-DSA-SHA2-256f at the higher security level even reaches 50KB, far larger than traditional signature algorithms (such as RSA or ECC; an ECC signature is only 64B), and unsuitable for scenarios with strict storage and bandwidth requirements."
Imagine the big cake's ledger ballooning a thousandfold, from less than 1TB today to 1EB. Anyone promoting a quantum-resistant coin today has to use the quantum-resistant algorithms currently on the market, and the consequence is that the size is so large that it is a complete waste in engineering terms: it cannot carry high throughput, and the sheer size of the ledger would seriously weaken decentralization.
Remember that Satoshi Nakamoto abandoned RSA simply because RSA signatures are "an order of magnitude larger than ECC", and bluntly pointed out that "this is unrealistic". Imagine, then, that all of today's quantum-resistant algorithms have signatures three or four orders of magnitude larger than the current algorithm's. Anyone who says such a thing is better than the current big cake is either stupid or malicious.
A few days ago, cryptographer and Blockstream founder Adam Back, who is also one of the people cited in the references of the Bitcoin white paper, posted some tweets explaining his views on current quantum-resistant algorithms and on quantum-computing FUD.
What did he say?
"FIPS 205: SLH-DSA. Currently I think it is the best post-quantum secure signature candidate. The signature size is somewhat larger, but if you want to stop premature quantum panic (FUD), you can design a new address format combining a Schnorr Taproot key with an SLH-DSA Tapleaf. QED. Future work: use STARKs to achieve signature aggregation for SLH-DSA."
Of course, as a cryptography expert he uses many technical terms, which makes his words hard for ordinary people to grasp quickly. Simply put, he believes that the SLH-DSA algorithm standardized by the U.S. National Institute of Standards and Technology (NIST) as FIPS 205 is the best option at present. This SLH-DSA algorithm is in fact the SPHINCS+ algorithm Jiaolian mentioned above.
Technically, the advantages of SLH-DSA are its stateless design and high security (it relies only on hash functions), but its signature size is significantly larger than that of traditional schemes (such as RSA or ML-DSA).
He then added some explanation in follow-up tweets:
"You can gradually migrate to a new address format over the next few years or decades, one that can transact with Schnorr signatures without paying the current space cost of SLH-DSA signatures. But if a cryptographically threatening quantum computer appears in the future, you are ready to deal with it."
"I prefer SLH-DSA because it is based on SPHINCS+, an algorithm that is itself an improvement on the 1982 Winternitz signature, which in turn originated from the 1979 Lamport signature and relies on simple, robust mathematical assumptions. In contrast, most of the other NIST candidate signature schemes are based on new, unproven mathematical assumptions and carry higher risk.
The Taproot address is essentially an unhashed Schnorr public key, but it can be tweaked to reveal a Tapleaf (containing SLH-DSA or other opcodes). From the beginning of its design, Taproot's Tapleaf tweak mechanism was forward-looking enough to be quantum-safe, replacing the hashed-public-key approach, which reflects better engineering judgment."
According to the design of Bitcoin's BIP 341, the Tapleaf commitment (tagged_hash("TapLeaf", ...)) relies on a quantum-resistant hash (SHA-256) to ensure that the script path remains secure even if a quantum computer appears.
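To show what that commitment actually consists of, here is an added example (not code from the original article, and not the reference implementation from BIP 341) that reproduces the BIP 340/341 tagged-hash construction, the Tapleaf hash, the sorted TapBranch hash and the TapTweak scalar. It demonstrates why a script leaf never needs to be visible on-chain until it is spent: only hashes are committed. The script contents are constructed placeholders (Bitcoin Script has no SLH-DSA opcode today, so the "post-quantum" leaf is purely hypothetical), the internal key is placeholder bytes, and the final elliptic-curve step Q = P + t*G is not performed because the example assumes no EC library.

```python
"""Added example (not from the original article or from BIP 341 itself): the
BIP 340/341 tagged-hash construction behind tagged_hash("TapLeaf", ...), showing
how a script leaf is committed to a Taproot output by hash alone. Scripts and
the internal key are constructed placeholders; the EC point addition that
produces the final output key is deliberately left out (assumption: no EC library)."""
import hashlib

TAPSCRIPT_LEAF_VERSION = 0xC0  # leaf version defined by BIP 342


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize encoding of a length prefix."""
    if n < 0:
        raise ValueError("length must be non-negative")
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg).
    The repeated tag prefix keeps hashes computed for different purposes
    from ever colliding with one another."""
    tag_hash = hashlib.sha256(tag.encode("utf-8")).digest()
    return hashlib.sha256(tag_hash + tag_hash + msg).digest()


def tapleaf_hash(script: bytes, leaf_version: int = TAPSCRIPT_LEAF_VERSION) -> bytes:
    """BIP 341 leaf hash: tagged_hash("TapLeaf", version || compact_size(len) || script)."""
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)


def tapbranch_hash(left: bytes, right: bytes) -> bytes:
    """BIP 341 inner node: the two children are sorted before hashing."""
    if right < left:
        left, right = right, left
    return tagged_hash("TapBranch", left + right)


def taptweak(internal_xonly: bytes, merkle_root: bytes) -> bytes:
    """BIP 341 tweak t = tagged_hash("TapTweak", P || merkle_root); the output
    key is Q = P + t*G. Only the 32 tweak bytes are computed here."""
    if len(internal_xonly) != 32 or len(merkle_root) != 32:
        raise ValueError("internal key and merkle root must be 32 bytes")
    return tagged_hash("TapTweak", internal_xonly + merkle_root)


def build_commitment(internal_xonly: bytes, scripts: list) -> dict:
    """Commit two script leaves under one internal key; return every intermediate hash."""
    if len(scripts) != 2:
        raise ValueError("this demo builds a two-leaf tree")
    leaves = [tapleaf_hash(s) for s in scripts]
    root = tapbranch_hash(leaves[0], leaves[1])
    return {"leaves": leaves, "merkle_root": root, "tweak": taptweak(internal_xonly, root)}


# Constructed placeholders: a fake 32-byte internal key, a one-byte ordinary
# script (0xac is OP_CHECKSIG), and a hypothetical post-quantum leaf (no real
# SLH-DSA opcode exists in Bitcoin Script today).
INTERNAL_KEY = b"\x11" * 32
SCHNORR_LEAF_SCRIPT = b"\xac"
HYPOTHETICAL_PQ_LEAF_SCRIPT = b"\x00" * 64


if __name__ == "__main__":
    c = build_commitment(INTERNAL_KEY, [SCHNORR_LEAF_SCRIPT, HYPOTHETICAL_PQ_LEAF_SCRIPT])
    print("leaf hashes :", [h.hex() for h in c["leaves"]])
    print("merkle root :", c["merkle_root"].hex())
    print("tweak bytes :", c["tweak"].hex())
```

Everything that reaches the chain when the output is created is the tweaked key derived from `tweak`; the leaf scripts and their hashes stay off-chain until a spend reveals the one leaf being used plus its Merkle path. That is the property the article relies on: an attacker who could break the Schnorr key path still learns nothing about an unrevealed leaf beyond a SHA-256 commitment.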
He further explained:
"Bitcoin should be prepared for quantum computing so that we do not get bitcoin price swings caused by a mess of information asymmetry, namely the over-reporting of incremental progress in early quantum-computing physics and algorithms, which will likely take decades to reach cryptographically relevant levels.
The most likely outcome, in my opinion, is that SLH-DSA will never actually be used, because many years before a cryptographically relevant quantum computer is built it will be replaced by a more compact scheme or one that supports signature aggregation. But we have to get past this stupid short-term panic. Moreover, the preparation itself has incremental practical value."
Some netizens also asked him how to handle the early mining addresses suspected of belonging to Satoshi Nakamoto, which hold a large amount of BTC. He offered his personal guess:
"I guess we will eventually find out whether Satoshi is still around and whether he moves those bitcoins, in the decades after quantum-safe addresses are enabled but before the cryptographic threat appears.
If a cryptographically threatening quantum computer does eventually appear, we will know whether Satoshi Nakamoto is still alive and has transferred these coins. My guess is that, for the bitcoins that have not moved by then, the ECDSA and Schnorr signature schemes will be deprecated."