Vitalik's new article: If a quantum attack comes tomorrow, how will Ethereum solve it?
Original Author: Vitalik Buterin
Translator: Azuma, Odaily Planet Daily
On March 9, Ethereum co-founder Vitalik Buterin published a short article titled "How to Rescue User Funds from Sudden Quantum Attacks through Hard Forks" on the Ethereum Research Forum (ethresear.ch).
In the article, Vitalik outlines how Ethereum can minimize user fund losses in an emergency situation if a quantum attack were to occur tomorrow, and what procedures should be followed to transition to a quantum-resistant state, thereby restoring normal operations.
Below is the full text by Vitalik, translated by Odaily Planet Daily.
Assuming quantum computers can be realized tomorrow, and malicious actors have somehow gained access to them and want to use them to steal user funds, what should we do?
The development of quantum-resistant technologies such as Winternitz signatures and STARKs is precisely meant to prepare for such situations. Once account abstraction is ready, any user can switch to a quantum-resistant signature scheme at will. But what if we don't have that much time, and the arrival of a quantum attack is more sudden than anyone anticipated?
I believe that we are already in a good position to address this issue through a relatively simple recovery fork. With this solution, the Ethereum network would have to undergo a hard fork, and users would need to download new wallet software, but only a small number of users would lose their funds.
The main threat of quantum attacks is as follows. Ethereum addresses are derived by computing keccak(privtopub(k))[12:], where k is the private key and privtopub is an elliptic curve multiplication that converts the private key into a public key.
Once quantum computing is realized, this elliptic curve multiplication becomes reversible (because a quantum computer can solve the underlying discrete logarithm problem), but hash operations remain secure. If a user has never sent a transaction, only the address is public, and in that case they remain safe; however, as soon as a user has sent even one transaction, the transaction signature exposes the public key, which puts the private key at risk from anyone with a quantum computer. So in this situation, most users are at risk.
However, we actually have ways to mitigate this threat, and the key point is that, in practice, most users' private keys are generated through a series of hash operations. For example, many private keys are generated using the BIP-32 standard, which is derived from a set of mnemonic phrases through a series of hash operations; many non-BIP-32 private key generation methods are quite similar. For instance, if a user is using a brain wallet, it is usually generated from a password that has undergone a series of hash operations (or a moderately difficult key derivation function).
This means that the solution to a sudden quantum attack through a recovery fork would take the following steps:
- First, roll back all blocks after the large-scale attack began;
- Second, disable the traditional transaction model based on EOA addresses;
- Third, (if it has not been implemented by then) add a new transaction type to allow transactions through smart contract wallets (e.g. along the lines of RIP-7560);
- Fourth, add a new transaction type or opcode through which users can provide STARK proofs. If the proof is valid, the account's code switches to new validation code, after which the user can use the account as a smart contract wallet;
- Fifth, to save gas, since STARK proofs are large, support batched STARK proofs that verify many proofs of the above type at once.
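The address derivation and the hash-derived private key described above, together with fork steps two and four, as an added example in Python (not Vitalik's code and not any Ethereum client's). Assumptions: `hashlib.sha3_256` stands in for Keccak-256 (different padding, so digests differ from real Ethereum addresses), a single hash of the seed stands in for BIP-32 derivation, the seed is checked in the clear as a stand-in for the STARK proof of knowledge, and a hash-based credential stands in for a real quantum-resistant signature; the secp256k1 arithmetic is real. The `ToyChain` class, its methods and the sample seed are constructed for this example.

```python
import hashlib

# secp256k1 parameters: the curve behind Ethereum EOA keys
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def privtopub(k):
    """k*G by double-and-add: the step a quantum computer can invert."""
    result, addend = None, G
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def H(data):
    # Assumption: sha3_256 stands in for Keccak-256; the point that hashing
    # stays one-way against a quantum attacker is unchanged.
    return hashlib.sha3_256(data).digest()

def derive_key(seed):
    """Assumption: one hash of the seed stands in for BIP-32 derivation.
    What matters is that k is a hash output, so knowing k does not give seed."""
    return int.from_bytes(H(b"toy-bip32:" + seed), "big") % (N - 1) + 1

def address(k):
    """keccak(privtopub(k))[12:] from the post, with H in place of keccak."""
    x, y = privtopub(k)
    return H(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[12:]

class ToyChain:
    """Minimal account state showing who can spend before and after the fork."""
    def __init__(self):
        self.balances = {}
        self.code = {}           # addr -> validation code (absent = plain EOA)
        self.eoa_enabled = True  # fork step 2 turns this off

    def spend_eoa(self, k, amount):
        """Legacy path: anyone holding k can spend, including an attacker who
        recovered k from a public key exposed by an earlier transaction."""
        addr = address(k)
        if not self.eoa_enabled or self.balances.get(addr, 0) < amount:
            return False
        self.balances[addr] -= amount
        return True

    def recovery_fork(self):
        self.eoa_enabled = False  # step 2: disable EOA-based transactions

    def claim(self, addr, seed, new_code):
        """Step 4: install new validation code if the claimant shows knowledge
        of a seed deriving to addr. Assumption: the seed is checked in the clear
        here; the real design uses a STARK so the seed is never revealed."""
        if address(derive_key(seed)) != addr:
            return False
        self.code[addr] = new_code
        return True

    def spend_wallet(self, addr, credential, amount):
        """Post-claim path: the new code checks a hash-based credential
        (toy stand-in for a scheme such as Winternitz)."""
        if self.code.get(addr) != H(credential) or self.balances.get(addr, 0) < amount:
            return False
        self.balances[addr] -= amount
        return True

def demo():
    seed = b"constructed sample seed, not a real mnemonic"   # constructed
    k = derive_key(seed)
    addr = address(k)
    chain = ToyChain()
    chain.balances[addr] = 100
    out = {"pre_fork_spend_with_k": chain.spend_eoa(k, 10)}     # True
    chain.recovery_fork()
    out["post_fork_spend_with_k"] = chain.spend_eoa(k, 10)       # False: k alone is useless now
    out["claim_wrong_seed"] = chain.claim(addr, b"attacker guess", b"")  # False
    credential = b"constructed post-fork credential"             # constructed
    out["claim_real_seed"] = chain.claim(addr, seed, H(credential))     # True
    out["spend_new_wallet"] = chain.spend_wallet(addr, credential, 10)  # True
    out["balance"] = chain.balances[addr]                        # 80
    return out
```

Running `demo()` shows the property the fork depends on: after step two, holding the private key k (which a quantum attacker can recover from any exposed public key) no longer lets anyone spend, and only a party who knows the hash preimage of k can reinstall validation code for the account.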
In principle, we could start developing the infrastructure needed for this recovery fork tomorrow, so that the Ethereum ecosystem is prepared for a sudden quantum attack.