MIT researcher calls for a post-quantum soft fork for Bitcoin

Neha Narula, a researcher at the MIT Media Lab specializing in cryptocurrencies, published on April 20 a roadmap for protecting Bitcoin from quantum computers. Its central argument is that the community must act now with the solutions already available, rather than waiting for answers to every open question about the future.

Narula’s proposal comes in the middle of a debate that has gained traction in the community. Over the last year several initiatives have been presented: from Adam Back’s suggestion to integrate the SLH-DSA signature scheme into Taproot addresses, to a proposal by researcher Avihu Levy to protect transactions without the need for a soft fork. There are also more aggressive proposals, such as that of Jameson Lopp, who proposes a migration in which Satoshi Nakamoto’s coins would be frozen, since he could not migrate them.

Amid this wave of proposals, Narula argues that the relevant question is not how much work is being done, but what is left to do and whether the ecosystem is moving fast enough. On that basis, the researcher proposes implementing a new type of quantum-secure output for Bitcoin now, even though the most complex questions remain unresolved.

Narula proposes three concrete steps:

  • Design and activate a soft fork that introduces that new type of output.
  • Coordinate wallet and application developers to support it.
  • Communicate to users why they should migrate their coins.

What is at stake if no one migrates

The technical solution that Narula puts forward as the main candidate is P2MR (BIP 360), which avoids exposing the public key on chain, combined with a new post-quantum signature opcode and support for multiple signature schemes.

With this combination, according to the researcher, a user could move their coins to a format that resists a quantum computer and, as long as that threat is not imminent, continue using current signatures to move their funds.
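To make the "no key exposed until spend" property concrete, here is an added illustration in Python. It is not BIP 360 or Bitcoin Core code and does not follow BIP 360's encoding: an output commits only to the Merkle root of its spending conditions; one leaf stands in for a current-scheme key (a constructed 33-byte placeholder, never revealed here), the other for a post-quantum key. The post-quantum leaf uses a toy Lamport one-time signature built from SHA-256, chosen only because it is hash-based and fits in a few lines, not because it is the scheme the article discusses. Leaf tags, seeds and the transaction digest are all constructed for the example.

```python
"""Added illustration, not BIP 360 / Bitcoin Core code: an output that commits
only to the Merkle root of its spending conditions, so no public key appears on
chain until a leaf is actually spent. The "legacy" leaf stands in for a
current-scheme key; the post-quantum leaf uses a toy Lamport one-time signature
(hash-based, SHA-256) purely for illustration."""
import hashlib


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


# ---- toy hash-based one-time signature (Lamport) ---------------------------
def lamport_keygen(seed: bytes):
    """Derive 256 pairs of 32-byte secrets; the public key is their hashes."""
    sk = [[h(seed, bytes([b]), i.to_bytes(2, "big")) for b in (0, 1)]
          for i in range(256)]
    pk = [[h(s) for s in pair] for pair in sk]
    return sk, pk


def _msg_bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal one secret per message bit (a Lamport key must never be reused)."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(_msg_bits(msg)))


def pk_digest(pk) -> bytes:
    """Compact commitment to a Lamport public key."""
    return h(*(x for pair in pk for x in pair))


# ---- Merkle commitment over per-scheme leaves ------------------------------
def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf to root, each tagged with 'sibling is on the left'."""
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        proof.append((level[idx ^ 1], idx % 2 == 1))
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return proof


def merkle_verify(root: bytes, leaf: bytes, proof) -> bool:
    node = leaf
    for sibling, sibling_left in proof:
        node = h(sibling, node) if sibling_left else h(node, sibling)
    return node == root


def build_output(legacy_pubkey: bytes, pq_pk):
    """On chain only the root is published; both keys stay hidden until spent."""
    leaves = [h(b"leaf/legacy", legacy_pubkey),
              h(b"leaf/pq-lamport", pk_digest(pq_pk))]
    return merkle_root(leaves), leaves


def spend_pq(leaves, pq_sk, pq_pk, tx: bytes):
    """Witness for the post-quantum path: that leaf's key, signature and proof."""
    return {"pk": pq_pk, "sig": lamport_sign(pq_sk, tx),
            "proof": merkle_proof(leaves, 1)}


def verify_pq_spend(root: bytes, tx: bytes, witness) -> bool:
    leaf = h(b"leaf/pq-lamport", pk_digest(witness["pk"]))
    return (merkle_verify(root, leaf, witness["proof"])
            and lamport_verify(witness["pk"], tx, witness["sig"]))


def witness_size(witness) -> int:
    """Bytes of key + signature + proof; this toy scheme is far larger than the
    roughly 5x growth the article cites, which is why it is only an illustration."""
    return (sum(len(x) for pair in witness["pk"] for x in pair)
            + sum(len(s) for s in witness["sig"])
            + sum(len(sib) for sib, _ in witness["proof"]))


def demo():
    # constructed values: a fixed seed and a placeholder 33-byte legacy key
    sk, pk = lamport_keygen(b"constructed-seed-do-not-reuse")
    legacy_pubkey = bytes([0x02]) + b"\x11" * 32
    root, leaves = build_output(legacy_pubkey, pk)
    tx = b"constructed transaction digest"
    w = spend_pq(leaves, sk, pk, tx)
    revealed = b"".join(sib for sib, _ in w["proof"])
    return {
        "valid": verify_pq_spend(root, tx, w),
        "tampered_rejected": not verify_pq_spend(root, tx + b"!", w),
        "legacy_key_hidden": legacy_pubkey not in revealed,
        "witness_bytes": witness_size(w),
    }


if __name__ == "__main__":
    print(demo())
```

The spend reveals only the post-quantum leaf's key, its signature and one sibling hash; the legacy key never appears in the witness, which is the property the article attributes to P2MR. The witness-size figure is what makes the later point about block space tangible: a hash-based signature is paid for in bytes on every spend.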

Narula also points out that the problem is not only individual: if a high percentage of coins remain exposed, the network as a whole could become unstable when the threat arrives. The researcher does not estimate how many coins would remain unmigrated if this mechanism is implemented, but argues that adoption of the new format could be measured on chain in real time.

Regarding Satoshi’s coins, whose public key is already visible on chain and which represent more than 2.9% of the total supply, Narula acknowledges that she does not have a settled position. In her view, that decision does not need to be made now in order to move forward with what is already available.

The debate oscillates between the technical and the political

From a technical standpoint, Narula notes that post-quantum signatures come at a cost in transaction size, which affects both the fee per transaction and the demand for block space. She considers the most promising scheme to be OP_CHECKSHRINCS, another proposal designed to protect Bitcoin against future quantum threats, which would produce signatures about five times larger than current ones.

Given this, the researcher suggests that an increase in Bitcoin’s block size would be necessary, and estimates that an increase of between 2x and 8x would be acceptable from a decentralization standpoint.

The researcher also lays out the main objections to her proposal: some consider that P2MR will be difficult to implement correctly given the large number of wallets; others believe that, if few users migrate, it is better to concentrate efforts on more drastic measures for when the threat is imminent.

In response, the researcher argues that none of these objections justifies not moving forward: the sooner a post-quantum output is available, the more time users will have to migrate.

Narula acknowledges that there are unanswered questions and difficult decisions ahead, such as the fate of coins that are never migrated. But her position is that waiting until everything is figured out before acting is itself a risk. The researcher reiterates that the first step, giving users a safe option, does not require solving the rest.
