An ignored part of the current quantum computer fud^H^H debate, because it's a counterfactual: back in 2015-17 a lot of people got very excited about a proposal from Greg Maxwell to do "confidential transactions" on bitcoin. I was very much in the group of people both fascinated and excited about the prospect and went very deep down the rabbit hole on it, learning a lot about cryptography along the way.
But the energy to even suggest a fork to include it slowly dissipated; my own personal reason for rejecting it was *not* the obvious "the range proofs are too large" (see: Bulletproofs, work that was heavily inspired by that scaling problem, though it ended up being far more significant w.r.t. "folding"). It was "pedersen commitments are only computationally binding" [1], to put it another way an EC break means we get unbounded, invisible inflation. At the time it was fun to predict that Zcash had this failure mode and indeed it was borne out (look up their history if you don't know). It felt weird justifying this to people sometimes: "I don't want a bitcoin where amounts are not visible because the total might not add up" sounds Luddite ... I remember being asked on a panel by Giulia Fanti "are you scared that P=NP or something?" ... it was not felt to be a quite logical thing to worry about this, since we rely on EC in Bitcoin anyway ... and if we trust EC, the math of homomorphic commitments *guarantees* it adds up!
But a computational bound on that is not OK. i.e. i don't want *any* computer to be able to break it! not just normal computers! - and that's exactly where a quantum computer comes in. I am FAR more worried about breaking bitcoin's fixed supply than about a million old P2PK coins getting stolen. Stealing is not minting.
[1] A counterpoint is that ElGamal commitments exist, at the cost of even more space. But hey, it's still less space, by a huge margin, than current post quantum signature schemes! Something worth considering?
#cryptography #bitcoin
But the energy to even suggest a fork to include it slowly dissipated; my own personal reason for rejecting it was *not* the obvious "the range proofs are too large" (see: Bulletproofs, work that was heavily inspired by that scaling problem, though it ended up being far more significant w.r.t. "folding"). It was "pedersen commitments are only computationally binding" [1], to put it another way an EC break means we get unbounded, invisible inflation. At the time it was fun to predict that Zcash had this failure mode and indeed it was borne out (look up their history if you don't know). It felt weird justifying this to people sometimes: "I don't want a bitcoin where amounts are not visible because the total might not add up" sounds Luddite ... I remember being asked on a panel by Giulia Fanti "are you scared that P=NP or something?" ... it was not felt to be a quite logical thing to worry about this, since we rely on EC in Bitcoin anyway ... and if we trust EC, the math of homomorphic commitments *guarantees* it adds up!
But a computational bound on that is not OK. i.e. i don't want *any* computer to be able to break it! not just normal computers! - and that's exactly where a quantum computer comes in. I am FAR more worried about breaking bitcoin's fixed supply than about a million old P2PK coins getting stolen. Stealing is not minting.
[1] A counterpoint is that ElGamal commitments exist, at the cost of even more space. But hey, it's still less space, by a huge margin, than current post quantum signature schemes! Something worth considering?
#cryptography #bitcoin