
Author Topic: Quantum Computing  (Read 1533 times)

NxtChg

  • Overlord
  • *****
  • Posts: 1114
  • Respect: +61
    • View Profile
Quantum Computing
« on: January 06, 2016, 01:22:26 pm »
We probably have 5 to 10 years before quantum computing becomes a practical risk.

I am currently focused much more on actually finishing the first working version. Switching to QC-resistant algorithm will delay the project significantly.

Besides, there are no efficient QC-signature algorithms yet: the signature size is measured in kilobytes!

It will take at least a year from the first working version to "ready for users" state. If in that time an efficient QC-resistant algorithm appears we can switch to it before the launch.

I am also considering reserving 1 or 2 bits of ID to make switching to another signature scheme easier.
Tentacle Overlord, The Deranged Genius of The Abyss

NxtChg

Re: Quantum Computing
« Reply #1 on: January 06, 2016, 03:11:51 pm »
Actually, instead of reserving bits in ID, I think a better solution would be a clean split, where we set up a new system alongside the old one and allow cross-chain transfers.

wizzardTim

  • Jr. Minion
  • **
  • Posts: 80
  • Respect: +5
    • View Profile
Re: Quantum Computing
« Reply #2 on: January 06, 2016, 05:47:20 pm »
Then all the coins should move to the new chain automatically in order to get the QC security? I guess it would be better if that is done for all SIMcoins, rather than having 2 different chains running simultaneously.

NxtChg

Re: Quantum Computing
« Reply #3 on: January 06, 2016, 07:20:52 pm »
No, you cannot move them automatically, obviously.

wizzardTim

Re: Quantum Computing
« Reply #4 on: January 06, 2016, 10:10:54 pm »
You're right, my question was silly. I am confused regarding QC attack types and what damage they could do. E.g. can QC brute-force a private key, or damage the whole chain (e.g. by a 51% mining attack in the case of PoW coins)?

I was just wondering whether the QC security could be automatically applied sometime in the future, in the form of a security update or patch. I guess all users would like to have that patch (can't see a reason for a user to decline) without any action from their side. Could that be done with the bit reservation approach?

Also, regarding the crosschain approach: I was thinking about a hypothetical situation where one holder does not use SIM or check for updates in tech for years. In that case he might not switch to the new QC resistant chain early enough. Could that happen at all?

NxtChg

Re: Quantum Computing
« Reply #5 on: January 06, 2016, 11:13:45 pm »
QC can brute-force signatures, i.e. find your private key from the public key.

An attacker doesn't need 51%, he just needs to pick a few biggest accounts and empty them.

> Also, regarding the crosschain approach: I was thinking about a hypothetical situation where one holder does not use SIM or check for updates in tech for years. In that case he might not switch to the new QC resistant chain early enough. Could that happen at all?

Yes, this could happen. Unfortunately, there is no solution for this. If signatures are broken - anyone can claim the money.

And we can't move coins automatically, because we cannot generate new accounts for owners without knowing new keys - this is something they must do themselves.

draco

  • Minion
  • *
  • Posts: 25
  • Respect: +3
    • View Profile
Re: Quantum Computing
« Reply #6 on: January 07, 2016, 01:38:19 pm »
A Reddit comment said (I don't know if any of this information is correct) that hashes are at least to some degree QC-resistant. That would mean that Bitcoin should be partly QC-resistant if addresses are not reused and public keys are not revealed. Supposedly Satoshi's coins are QC-vulnerable if he doesn't move them because in the early days block rewards were paid to public keys instead of hashes.

Also in Nxt Account Control there is a planned feature where revealing a hash from a chain of hashes authorizes a transaction. This also seems to provide QC-resistance.

But this QC-stuff doesn't seem like something worth worrying about at the moment.

NxtChg

Re: Quantum Computing
« Reply #7 on: January 07, 2016, 01:51:23 pm »
Yes, hashes are safe. With Bitcoin there's still a risk if somebody intercepts your tx, then cracks the signature and sends the money to himself. Especially if RBF is still active.

I thought about adding an AC feature that would require a hash, but there's a problem - anyone in transit will be able to intercept your tx and redirect funds to his own account. I don't know how NXT plans to solve this...

We could add QC-resistant signatures to AC later, but at that point it's probably better to just do the split.

draco

Re: Quantum Computing
« Reply #8 on: January 07, 2016, 02:06:53 pm »
> I thought about adding an AC feature that would require a hash, but there's a problem - anyone in transit will be able to intercept your tx and redirect funds to his own account. I don't know how NXT plans to solve this...

It seems to need both a signature and a hash to work. Anyway the motivation given for that feature is two-factor authentication, not QC-resistance.

NxtChg

Re: Quantum Computing
« Reply #9 on: January 07, 2016, 02:18:20 pm »
> It seems to need both a signature and a hash to work. Anyway the motivation given for that feature is two-factor authentication, not QC-resistance.

Hm, if an attacker got your private key, he can, again, change the tx in transit, although it's a bit more difficult.

The best would be to require a secondary signature, that's how Simcoin AC provides 2-FA.

Maybe it makes sense to use a hash of the PK here too, to make it more difficult for QC attacks... Need to think more.

draco

Re: Quantum Computing
« Reply #10 on: January 07, 2016, 02:35:14 pm »
> It seems to need both a signature and a hash to work. Anyway the motivation given for that feature is two-factor authentication, not QC-resistance.
>
> Hm, if an attacker got your private key, he can, again, change the tx in transit, although it's a bit more difficult.

That's true, it doesn't seem to work that way. Although some users might prefer to have the 2-FA codes on a piece of paper, an extra device capable of signing seems to be required for it to work.

NxtChg

Re: Quantum Computing
« Reply #11 on: January 07, 2016, 02:47:17 pm »
> That's true, it doesn't seem to work that way. Although some users might prefer to have the 2-FA codes on a piece of paper, an extra device capable of signing seems to be required for it to work.

You will have to sign the transaction anyway. But I agree, short codes are convenient.

Still, if I were an attacker with your private key, I would write a script to watch the network and as soon as your tx is announced try to outpace it. Or even run my own node for this kind of attack.

Developers should add a PoW to slow down the attacker for a few minutes to be sure. We can add this feature too, because our txs are almost instant.

Maybe redeemable codes should be implemented this way instead... Again, need to think more :)
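The hash-chain authorization scheme debated in replies #6 through #11 (a revealed preimage as a one-time code, and why it cannot by itself stop a tx from being redirected in transit), as an added example that is not code from Simcoin, Nxt or any poster; the seed and the class and function names are this example's own constructed assumptions.

```python
import hashlib

# Added example (not Simcoin's or Nxt's code): a one-time hash-chain authorizer of
# the kind discussed in the thread, with checks of what a revealed link does and
# does not prove. Names and the seed are this example's own constructed assumptions.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(seed: bytes, length: int) -> list:
    """Return [h_0 .. h_length] with h_i = sha256(h_{i-1}).

    The user keeps the whole list; only h_length (the anchor) is published.
    Links are revealed from h_{length-1} downwards, one per authorization."""
    chain = [seed]
    for _ in range(length):
        chain.append(sha256(chain[-1]))
    return chain

class HashChainAuthorizer:
    """Verifier side: a code is valid only if it hashes to the current anchor."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def authorize(self, code: bytes, tx: bytes) -> bool:
        # Only the code is inspected, never tx: a link seen in transit validates
        # any transaction presented with it. That is the redirect problem raised
        # above, and why a signature over tx must accompany the code.
        if sha256(code) != self.anchor:
            return False
        self.anchor = code  # consume the link, so replaying it fails
        return True

def demo() -> dict:
    seed = sha256(b"constructed example seed")  # constructed, not a real secret
    chain = build_chain(seed, 3)
    anchor, code = chain[-1], chain[-2]
    honest = HashChainAuthorizer(anchor)
    return {
        "intended_accepted": honest.authorize(code, b"pay 10 to ALICE"),
        "replay_rejected": not honest.authorize(code, b"pay 10 to ALICE"),
        "next_link_accepted": honest.authorize(chain[-3], b"pay 5 to BOB"),
        "skipped_link_rejected": not HashChainAuthorizer(anchor).authorize(chain[-3], b"x"),
        # same code on a fresh verifier with a different payee: bearer-token property
        "redirected_accepted": HashChainAuthorizer(anchor).authorize(code, b"pay 10 to MALLORY"),
    }
```

Every entry of `demo()` comes back True: the chain enforces order and single use, but nothing in it ties a code to the payee, which is the gap a secondary signature over the tx is meant to close.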