The FAQQ (Frequently asked Quantum Questions)

Bitcoin will just softfork

This doesn’t fix the main problem.

One could wonder how the new signature scheme could run next to the old signature scheme. It can be done by using opcodes. This is what is proposed: “To enable the deployment of the transition scheme as a soft fork, i.e., without requiring a permanent split of the blockchain, we propose a scheme similar to that used in SegWit [41]. As such, the data witnessing the new rules are being obeyed is held in a segregated area, termed QRWitness, which new clients receive and check but old clients remain oblivious to. To make sure the witness structure is committed to by (the header of) the block it is contained in, the root of a Merkle Tree consisting of all QRWitness-es is inserted in the respective coinbase transaction. While the original transaction txid remains the same as before, a new qrtxid is defined as the double SHA256 hash over the traditional transaction format and the QRWitness. Thereby, a possible format for QRWitness could be the following: where oldPubkey denotes the non-quantum-resistant public key pk, pubkeyQR is the quantum-resistant public key pkQR, merklepath represents the path to the hash of the Tcommit transaction and signatureQR denotes the signature of the traditional transaction format using skQR. To achieve backward compatibility, the scriptSig field remains such that it satisfies the consensus rules of old clients, e.g., the non-quantum-resistant signature and the corresponding public key. This way, just like SegWit, our transition protocol can be deployed as a soft fork in Bitcoin.” So a quantum resistant signature scheme can indeed be introduced through a soft fork.
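To make the quoted layout concrete, here is an added example (written for this FAQ, not code from the paper or from Bitcoin) that serializes a QRWitness with the four fields the passage names, shows that txid ignores it while qrtxid commits to it, and builds the Merkle root a coinbase would carry. The field encoding, key bytes and signature bytes are constructed placeholders; the paper fixes no exact encoding.

```python
import hashlib
from dataclasses import dataclass


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used here for txid, qrtxid and Merkle nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varbytes(b: bytes) -> bytes:
    """Single-byte length prefix; a constructed encoding, the paper fixes none."""
    assert len(b) < 0xFD
    return bytes([len(b)]) + b


@dataclass
class QRWitness:
    """The four QRWitness fields named in the quoted passage."""
    old_pubkey: bytes      # pk, the non-quantum-resistant key
    pubkey_qr: bytes       # pkQR, the quantum-resistant key
    merkle_path: list      # path to the hash of the Tcommit transaction
    signature_qr: bytes    # signature over the traditional tx made with skQR

    def serialize(self) -> bytes:
        path = bytes([len(self.merkle_path)]) + b"".join(self.merkle_path)
        return (varbytes(self.old_pubkey) + varbytes(self.pubkey_qr)
                + path + varbytes(self.signature_qr))


def txid(tx: bytes) -> bytes:
    """What an old client hashes: the traditional format only."""
    return dsha256(tx)


def qrtxid(tx: bytes, wit: QRWitness) -> bytes:
    """What a new client hashes: traditional format plus the segregated witness."""
    return dsha256(tx + wit.serialize())


def merkle_root(leaves: list) -> bytes:
    """Bitcoin-style Merkle root; an odd level duplicates its last node."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def qrwitness_commitment(witnesses: list) -> bytes:
    """Root over all QRWitness hashes that the coinbase transaction commits to."""
    return merkle_root([dsha256(w.serialize()) for w in witnesses])


# Constructed sample data: placeholder transaction, keys and signature, not real ones.
TX = b"\x01\x00\x00\x00" + b"constructed-traditional-tx-bytes"
WIT = QRWitness(b"\x02" + b"\x11" * 32, b"\xab" * 48, [b"\x33" * 32], b"\xcd" * 64)
```

An old client validating TX sees only txid(TX) and the scriptSig; the new rules are enforced only by clients that also check qrtxid and the coinbase commitment, which is exactly why the old scheme stays spendable under a soft fork.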

But soft forking BTC doesn't result in a quantum resistant blockchain. In a soft fork, the old rules still apply and an extra rule is added; here, the extra rule would be quantum resistant keypairs. A soft fork, however, means the old keypairs keep working on that chain, and to be quantum resistant the old signatures need to be rejected. If they are not, quantum resistance is merely an option, and having quantum resistance as an option is no option at all. You could keep the old signature scheme working while requiring every new transaction to pay into a new QR address, which would force people into using the QR signature scheme. But even then, the quantum resistance of the total circulating supply would depend on every old coin being transferred and thus moved to a QR address. Users would depend on the actions of other users.
Having a quantum resistant blockchain is not about separate transactions or the protection of individual coins. It is about protecting the value of BTC. If quantum resistant BTC were mixed with non-quantum-resistant BTC, a hack of the non-quantum-resistant coins would devalue the quantum resistant BTC just as much, because they are all part of the same circulating supply. The bottom line would be: BTC got hacked, with the obvious market reaction as a result. To have an actual quantum resistant blockchain, you need a hard fork that removes the old signature scheme.

Have a question that's not addressed?

Alternatively, don't agree with something?

While we aim to address many of the questions people may have about quantum computing and how it relates to blockchain, it's possible that things are missed or incorrect.

If you feel something is missed or is otherwise incorrect, we would love for you to open an issue on our GitHub repository.