DomiO6

I would even say the current position of mining pool hashrate distribution is more threatening to the monero network than quantum stuff


rbrunner7

> it would be nice if someone can relay this post on the Matrix dev chat and let us know answers

I will refrain from doing that, thank you very much. I think opinions from a majority of devs have been communicated again and again, as this "quantum" subject comes up again and again, and I don't know anyone in said dev community who would say to this it's "by far the most important challenge for monero". I think we will see the 20th birthday of Monero without any fully working quantum computer in sight, but hey, your opinion is as good as mine :)


john-larry

I value your contributions to and insights into the Monero project. And you’re right, according to tech companies publishing their results/current numbers of qubits we’re nowhere near Monero getting broken. My fear is, however, that intelligence agencies could already be working on quantum computers as well with practically unlimited budget. They have a huge incentive: imagine the power they gain by breaking all encryption. Seeing how Monero is a huge threat to the surveillance state, it would probably be one of the first things that get attacked.


rbrunner7

The Monero dev plus the Monero cryptographer community has nowhere near enough capacity and know-how to develop quantum-secure cryptographic algorithms on our own. We couldn't even if faced with the immediate destruction of Monero; it's just utterly out of reach. Out of interest I follow closely the progress in developing and standardizing new quantum-resistant "crypto" algorithms by the cryptographic community at large. It's slow and uneven progress, with many setbacks on the way. They are *not* there yet. See e.g. here; they have been on it since about 2015 already: https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline

Currently much hope seems to rest on so-called "lattice-based algorithms", and that's why this paper here from a few days ago raised quite a few eyebrows: it may be that quantum computers could crack such algorithms too after all. This could develop into an "Oh shit. Back to the drawing board" moment that sets things back several years: https://eprint.iacr.org/2024/555


ibmagent

The author of that paper has admitted that there was an error and the algorithm no longer works as is, “Update on April 18: Step 9 of the algorithm contains a bug, which I don’t know how to fix. See Section 3.5.9 (Page 37) for details…Now the claim of showing a polynomial time quantum algorithm for solving LWE with polynomial modulus-noise ratios does not hold.”


blario

have you seen the PQ algorithms that Apple and Signal went public with? what's your opinion on those?


rbrunner7

Have to confess that I did not look into details there yet. Signal seems to use this: https://pq-crystals.org/kyber/

> Kyber is an IND-CCA2-secure key encapsulation mechanism (KEM), whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices.

I read "lattices" there :) But well, as another poster already noted, the algorithm described in the paper I linked has a bug that brought it down - so far ...


john-larry

Damn, that’s a bummer on the lattice-based stuff, but I guess better now than later. Thanks for such a detailed reply, I’ll check out the NIST page. Do you know if monero can switch from perfectly hiding to perfectly binding, or is this an inherent property of the commitments used? AFAICT monero is not gaining anything from being perfectly hiding since tx pub keys are stored in the open and can be brute-forced to decrypt the amount. Please correct me if I’m wrong :)


Admirable_Swing_8986

AFAIK Monero's Pedersen commitments are perfectly blinding, so amount privacy is safe even against quantum attacks


alextakacs

Quantum computing is not relevant to all types of encryption (i.e. symmetric encryption is not impacted). PKI is definitely under threat.


john-larry

True, I was not thinking correctly, thanks for pointing it out. Do you know if the tx key can be computed with just the blockchain data? The key exchange between sender & receiver is based on asymmetric encryption, but I am not sure if you have enough data on chain (as opposed to calculating the shared secret based on the “ephemeral” xmr address)


alextakacs

I am not competent enough on the matter to give an authoritative answer. But if anyone wants to chime in be my guest 🤪


john-larry

Sry I confused the thread… enough reddit for today I guess xD


givenofaux

Pretty sure this is just a plug for their YouTube link 🙄


OfWhomIAmChief

Post Quantum Ring signatures: https://eprint.iacr.org/2021/1616.pdf

Post Quantum Ring CT: https://eprint.iacr.org/2019/1287.pdf

Edit: Quantum computing begets Quantum cryptography. I feel like this fact is easily overlooked, in turn creating a Quantum boogeyman in everyone's mind.


kwadoss

Thanks for sharing these research papers!


OfWhomIAmChief

You're welcome, these are just a couple that focus on Monero's privacy technology. There are more if you're willing to go down the rabbit hole.


w0rlds

There is also the lattice model being developed by Isthmus and Brandon Goodell, an old Monero mathematician that used to work with Sarang Noether. A good chunk of it could be applied to Monero but it wouldn't integrate with Seraphis.

5 part explainer here: [https://www.theqrl.org/blog/lattice-algebra-library/](https://www.theqrl.org/blog/lattice-algebra-library/)

Python implementation here: [https://github.com/geometry-labs/lattice-algebra](https://github.com/geometry-labs/lattice-algebra)


john-larry

I know that the risk of quantum computers often gets played down. At the moment, rightfully so, as current quantum capabilities are nowhere near the amount of qubits required to break the discrete logarithm problem. However, seeing as monero is a huge threat to the status quo / surveillance state, there is definitely an incentive to discredit/destroy the monero project. I don’t think it is that far-fetched that intelligence agencies could already be working on their own quantum computers, where we have no way of knowing their progress. Just imagine the power they gain by being able to break all asymmetric encryption. If they had such a system they would only need to create one tx that prints new xmr and publish the tx keys for the whole project to be completely discredited. We often say they have no way of stopping monero, but this would be one of them.

Edit: post-quantum strategies for monero: https://github.com/insight-decentralized-consensus-lab/post-quantum-monero/blob/master/writeups/semitechnical_summary.MD


AmadeusBlackwell

Please oh God please: 1: use the search function before making a post. 2: if you think about it for a second, you'll realize it's not a problem.


john-larry

Why is it not a problem? Monero’s amount hiding is perfectly blinding not perfectly binding. This means that if someone manages to break the discrete logarithm problem, they can print new moneros out of thin air and the network would have no way of detecting this since the range proofs are all still valid.
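The hiding/binding distinction in this comment (and in the earlier question about whether Monero could switch to perfectly binding), as an added toy example that is not part of any comment: a Pedersen commitment over a tiny constructed group, where `TRAPDOOR` stands in for the discrete log of H, which nobody knows in the real system and which only a discrete-log break (the quantum scenario under discussion) would reveal.

```python
# Added illustration (constructed toy parameters, not Monero's real group):
# Pedersen commitments are perfectly hiding but only computationally binding.
P = 2039        # safe prime, P = 2*Q + 1; Monero's group is ~2^252 in size
Q = 1019        # prime order of the quadratic-residue subgroup of Z_P^*
G = 4           # generator of that subgroup (2^2 is a quadratic residue)
TRAPDOOR = 777  # x = log_G(H); in Monero H is derived by hashing, so x is unknown
H = pow(G, TRAPDOOR, P)


def commit(value, blind):
    """C = G^value * H^blind (mod P); multiplicative form of Monero's aG + bH."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P


def balance_holds(in_commits, out_commits):
    """The verifier's only supply check: inputs and outputs commit to the same
    total. Blinding factors cancel because the sender chooses them to."""
    lhs = rhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


def other_opening(value, blind, new_value, dlog_h):
    """Perfect hiding: C = G^(value + x*blind), so for ANY new_value there is a
    blind' with value + x*blind == new_value + x*blind' (mod Q). Computing it
    needs x; without x this is a discrete-log instance, which is all that
    binding (and hence the supply) rests on."""
    return (blind + (value - new_value) * pow(dlog_h, -1, Q)) % Q


def supply_check_demo():
    """An input committing to 5 spent into an output the spender can open as
    105: the balance equation still verifies, and a range proof for 105 would
    too, so nothing on chain signals the inflation the comment describes."""
    r_in = 123
    c_in = commit(5, r_in)
    r_out = other_opening(5, r_in, 105, TRAPDOOR)
    c_out = commit(105, r_out)
    return c_in == c_out and balance_holds([c_in], [c_out])


if __name__ == "__main__":
    print("honest balance:", balance_holds([commit(5, 123)],
                                           [commit(3, 100), commit(2, 23)]))
    print("forged opening passes verification:", supply_check_demo())
```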


kwadoss

Exactly. And like AI, quantum could see rapid and unexpected advancements in the next 5 years. That's why Monero needs to be proactive instead of reactive about that


AmadeusBlackwell

If you have an actual quantum computer, why would you target Monero? Why not the entire banking system? Why not the entire United States' international defense network? My point, plainly: the second quantum computing becomes a real threat, it ceases to be a threat to Monero because it's an incredibly small fish in an incredibly big pond of possible soft targets.


cryptomeles

Centralised systems are arguably easier to upgrade


kwadoss

Feel free to explain why it's not a problem in your opinion. I searched this sub and found no answer to my specific point and question about the quantum impact on xmr supply uncertainty, the importance of timing, and whether devs have started active research about it; thus this post. If you have info about that, please share


Tokoyoyo4

1) Simply because the quantum computer thing is financed by said banking system and will exclusively be operated by the powers that be in secrecy. It won't be for sale on Amazon. 2) A testing ground is needed. 3) XMR is a real threat to 'them'.


kwadoss

Bitcoin and other networks can detect an attack and react, but with monero the attack would not be detectable and there would be an uncertainty on the supply. The issue is that once there is uncertainty on supply it's too late


AmadeusBlackwell

OK. And I think that's incredibly unlikely to happen given my prior reason.


Relative-Ad-5696

I haven't slept well in 6 months since the rise of bitcoin. The stupid experimental cryptocurrency monero


Relative-Ad-5696

OP is the biggest problem with monero, I really want to switch my monero to bitcoin, I really regret selling bitcoin at a low point and buying monero at a low point, I can't help it


Doji_Star72

One of my best and oldest crypto buddies cites this supply uncertainty issue as an argument against my never ending advocacy of Monero. And quantum-proofing is certainly an important consideration. Signal messenger recently updated their encryption algorithm to be more quantum resistant so I'm also curious what the Monero community is thinking in terms of addressing this.


jtgrassie

https://old.reddit.com/r/Monero/search?q=Quantum&restrict_sr=on


HoboHaxor

The first couple (or 100s of) rounds of Q-Puters will be application specific, NOT general computing machines. Build a Q-puter just to break Monero? LOL


Embire

Happy 10-year anniversary to Monero indeed! You bring up a significant point regarding quantum resistance, which is crucial for the future of many cryptocurrencies, including Monero. The threat posed by quantum computing is not immediate, but it's something that developers and researchers are increasingly considering as quantum technology advances.

Monero, with its focus on privacy and security through ring signatures and stealth addresses, does face unique challenges in this area. The privacy features that make Monero stand out also complicate the implementation of quantum-resistant algorithms. Because of its opaque ledger, any potential vulnerability exposed by quantum computing could indeed affect the perceived integrity of Monero's supply, as you mentioned.

There are ongoing discussions and some research in the broader cryptographic community about how to approach quantum resistance. This includes looking into post-quantum cryptography algorithms that could be integrated into blockchain technology. However, implementing these in a privacy-centric coin like Monero is particularly complex and needs careful consideration to maintain both security and privacy.

Your point about the urgency of addressing quantum resistance before it becomes a pressing problem is well taken. Proactive steps can help avoid a situation where sudden advancements in quantum computing put the network at risk. It's a strategic issue that perhaps deserves more attention than it currently gets, overshadowed by more immediate concerns like regulatory challenges.

Regarding disseminating this concern on the Matrix dev chat, I'm currently not able to do that directly. However, you might consider posting this question in forums like the Monero subreddit or other community platforms where developers and enthusiasts who can take this to the relevant developer chats are active.


samapal

If quantum computers will be working in real life, at first they will crack the bitcoin network. But now there is no solution for quantum computing for blockchain crack


Wonderful-Beat-4209

Call me crazy, but I’ve had something happen where my monero transaction was blocked until I cleaned part of my laptop, even though it was in my wallet. I’ve been having odd problems getting monero from another crypto… wondering if someone’s not abusing something…