Tuesday, June 23, 2026

Nobody knows if quantum secure cryptography will even work

Why upgrade if PQ signatures are not yet proven?

The dirty secret of efforts to upgrade blockchains to post-quantum cryptography is that no one is sure if any of them work.

None of the signatures being considered by major blockchains as quantum-resistant upgrades have been 100% proven to work. Until a quantum computer is invented, we won’t know for certain if they can successfully protect against an attack. Some may fall to an attack even before Q Day using existing computer technology.

The National Institute of Standards and Technology tested 69 post-quantum candidate algorithms, and two of them — Rainbow and SIKE — were broken with classical computers during testing.

The three digital signature schemes it recommends are its best guess as to which ones are most likely to survive a quantum attack. It selected the lattice-based CRYSTALS-Dilithium (ML-DSA) as the primary scheme, another lattice-based scheme called Falcon (FN-DSA) for use cases that demand smaller signatures, and the hash-based SPHINCS+ (SLH-DSA) as the final candidate.

“If something looks good, they’re going to say: ‘OK, try it. We’ll let you know when something fails.’ And then we expect you to change,” explains Yoon Auh from post-quantum tech provider BOLTS.

Image caption: QFlex from BOLTS

He adds that existing cryptography, like RSA, ECC and AES, has only been proven secure by the passage of time. Other algorithms did not survive.

“Cryptographers and applied cryptographers don’t like to point this out,” he chuckles. “In the entire history of modern cryptography, there’s only ever been one provably secure cipher mathematically. One. And that’s called a one-time pad. And it is virtually useless for digital commerce.”

“Everything we’ve been using: AES, RSA, ECC. Everything that’s coming out in the PQC [post quantum computer] universe with all its variants is unprovably secure. You can’t prove it. That is the reason why there’s so many PQC variants coming out of standards agencies like NIST. They can’t tell you which one’s going to be secure definitively and mathematically.”

“Over time, we’re going to do a systematic weeding out. But, the only way you’re going to do that is you’re going to have people actually trying to research and attack this thing, and whatever variants are being used.”

Why upgrade if PQ signatures are not yet 100% proven?

For some Bitcoiners, that’s reason enough to hold off on upgrading Bitcoin to post-quantum for now. CoinShares analyst Christopher Bendiksen argued in a recent report that even upgrades like BIP-360, which is a new type of quantum-resistant output or address, are pointless for now.

“Introducing new address formats before the cryptography underpinning them is fully understood and proven is extremely risky and not advisable,” he wrote.

“Before practical quantum computers exist, we cannot know whether quantum resistant cryptography provably works…. We risk spending scarce development resources on implementing solutions that turn out to be inefficient at best, and rapidly obsolete or outright faulty at worst.”

Image caption: Bitcoin Improvement Proposal 360

Unfortunately, blockchains don’t have the luxury to wait around for proven quantum resistance before upgrading. Quantum computing experts believe there’s a live possibility a cryptographically relevant quantum computer could emerge in the next five to ten years. Construction of PsiQuantum’s 1 million qubit array has already begun in Chicago.

One idea that Bitcoin and Ethereum devs are considering is to upgrade in a way that allows for multiple signature types — so that if one breaks, another can be used in its place.

BOLTS is working on a pilot program for the CANTON network that enables banks and institutions to use different signatures complying with standards in different parts of the world. Its QFlex technology allows for dynamic switching between different classical and post-quantum algorithms, enabling users to hot swap signatures as frequently as they’d like. QFlex received an SBIR Phase 1 Award from NIST, but it’s a commercial technology that needs to be licensed, meaning it’s unlikely to be embraced by the open source blockchain community.
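One way to implement the multi-signature-type idea above and the classical/post-quantum switching that QFlex is described as doing, as an added example that is not code from Bitcoin, Ethereum, BOLTS or NIST: each signature carries a scheme tag, and a policy says which schemes still count and how many must verify, so a scheme that falls to cryptanalysis is retired by editing the policy rather than the envelope format. It uses Ed25519 and ECDSA P-256 from Go's standard library as stand-ins for a classical and a post-quantum scheme (the stdlib ships no ML-DSA, FN-DSA or SLH-DSA), and the `Signature` type, `Verify`, `SignAll` and the `"ed25519"`/`"ecdsa-p256"` tags are this example's own names.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Signature is one scheme-tagged signature; a spend may carry several. The tag lets the verifier
// route each one and lets a broken scheme be retired without a new envelope format. Alg is "ed25519"
// or "ecdsa-p256" (stand-ins for a classical and a PQ scheme; Go's stdlib has no ML-DSA).
type Signature struct{ Alg string; Pub any; Sig []byte } // Pub: ed25519.PublicKey or *ecdsa.PublicKey
var verifiers = map[string]func(pub any, msg, sig []byte) bool{
	"ed25519": func(pub any, msg, sig []byte) bool {
		k, ok := pub.(ed25519.PublicKey)
		return ok && len(k) == ed25519.PublicKeySize && ed25519.Verify(k, msg, sig)
	},
	"ecdsa-p256": func(pub any, msg, sig []byte) bool {
		k, ok := pub.(*ecdsa.PublicKey)
		h := sha256.Sum256(msg)
		return ok && ecdsa.VerifyASN1(k, h[:], sig)
	},
}
// Verify returns how many distinct allowed schemes have a valid signature over msg and whether
// that meets required (1 = either suffices, 2 = both must); schemes dropped from allowed are ignored.
func Verify(msg []byte, sigs []Signature, allowed map[string]bool, required int) (int, bool) {
	valid := map[string]bool{}
	for _, s := range sigs {
		if v := verifiers[s.Alg]; allowed[s.Alg] && v != nil && v(s.Pub, msg, s.Sig) {
			valid[s.Alg] = true
		}
	}
	return len(valid), len(valid) >= required
}
// SignAll signs msg under a fresh key per scheme (keys are generated here only for the demo).
func SignAll(msg []byte) ([]Signature, error) {
	edPub, edPriv, err1 := ed25519.GenerateKey(rand.Reader)
	ecPriv, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	ecSig, err := ecdsa.SignASN1(rand.Reader, ecPriv, h[:])
	if err != nil {
		return nil, err
	}
	return []Signature{{"ed25519", edPub, ed25519.Sign(edPriv, msg)}, {"ecdsa-p256", &ecPriv.PublicKey, ecSig}}, nil
}
```

With required = 1 a spend is only as strong as the weakest scheme still in allowed, since a forger needs just one of them; requiring both gives the strength of the stronger scheme at the cost of needing both keys available to spend.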
