
roasbeef

Hi y’all,

Over the past few weeks I’ve received some direct and indirect questions asking how the rise of quantum computers may affect the Lightning Network. I searched and didn’t see anything concrete written on the topic, so I figured that I’d write something up!

To answer the question of how quantum computers may affect the design of Lightning, a useful starting point is recognizing that any layer that uses cryptography that rests on classical security assumptions requires modifications.

So what we can do is pick out the BIPs that directly rely on EC crypto, then walk backwards from there to see how we might replace them with post-quantum primitives.

If we look at the BOLTs, these documents jump out as they each have direct EC cryptography use:

...read more at delvingbitcoin.org

This is interesting:

Unfortunately, in Post Quantum land, the same truth doesn’t hold, as primitives like hash chains/trees and noisy lattices don’t inherit the mathematical symmetry and structure that EC groups give us.

One implication of this is that there isn’t any one post-quantum cryptosystem that can give us everything we need in terms of functionality. As a result, it’s likely the case that we’ll end up shipping not one, not two, but likely three different cryptosystems to just achieve even the baseline functionality that we have today with ECC (ML-KEM for transport, ML-DSA for off-chain signatures, and SLH-DSA for on-chain signatures).

Seems like Bitcoin cryptography has been on easy mode.

Also, there is this about combining post quantum cryptography with classical:

Instead of switching over wholesale to PQC, we can actually hedge a bit instead. Hybrid Post Quantum cryptography combines classical and post quantum cryptography in a way that if either of the schemes is secure the final scheme is still secure. As after all, maybe the PQ schemes are the ones that are broken in the future. Alternatively perhaps the classical schemes fall not due to a quantum computer, but some other cryptanalysis innovation.

As we’ll see below, other than for onion routing, the other areas can be hybridized in a gradual manner with new TLVs or existing version extension fields. We could add these hybrid keys as optional TLVs today, validate them as normal, then only in the future would we reject messages that didn’t include the PQ capsules/signatures.
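The gradual TLV-based rollout quoted above, as an added illustration that is not code from the post or from any Lightning implementation: it parses a BOLT #1 style TLV stream (BigSize varints, strictly increasing types, odd types optional) and applies the two-phase policy, where a missing PQ record is tolerated only during transition and, once present, both the classical and PQ signatures must verify. The TLV type numbers are hypothetical and HMAC tags stand in for real ECDSA/ML-DSA signatures.

```python
import hashlib
import hmac

# Hypothetical TLV type numbers chosen for this example; no BOLT assigns them.
# Odd types are optional under BOLT #1's "it's OK to be odd" rule, so a peer
# that does not understand the PQ record simply skips it during transition.
TLV_CLASSIC_SIG = 0   # stand-in for the existing EC signature record
TLV_PQ_SIG = 101      # odd, hence optional: the added post-quantum signature

def read_bigsize(buf: bytes, pos: int):
    """Decode a BOLT #1 BigSize varint at buf[pos]; return (value, next pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width

def parse_tlv_stream(buf: bytes) -> dict:
    """Parse a TLV stream into {type: value}; types must strictly increase."""
    records, pos, last = {}, 0, -1
    while pos < len(buf):
        t, pos = read_bigsize(buf, pos)
        length, pos = read_bigsize(buf, pos)
        if t <= last or pos + length > len(buf):
            raise ValueError("malformed TLV stream")
        records[t], pos, last = buf[pos:pos + length], pos + length, t
    return records

def tag(key: bytes, msg: bytes) -> bytes:
    # Constructed stand-in for a real signature (ECDSA today, ML-DSA later):
    # HMAC only models "verifies iff signed under the right key".
    return hmac.new(key, msg, hashlib.sha256).digest()

def hybrid_sign(msg: bytes, keys: dict, include_pq: bool = True) -> bytes:
    # Type and length both fit a one-byte BigSize here (0 and 101 < 0xfd, len 32).
    stream = bytes([TLV_CLASSIC_SIG, 32]) + tag(keys["classic"], msg)
    if include_pq:
        stream += bytes([TLV_PQ_SIG, 32]) + tag(keys["pq"], msg)
    return stream

def hybrid_verify(msg: bytes, stream: bytes, keys: dict, enforce_pq: bool) -> bool:
    """enforce_pq=False is the transition phase; True is the final cut-over."""
    recs = parse_tlv_stream(stream)
    classic_ok = hmac.compare_digest(recs.get(TLV_CLASSIC_SIG, b""), tag(keys["classic"], msg))
    pq = recs.get(TLV_PQ_SIG)
    if pq is None:            # legacy sender: tolerated only during transition
        return classic_ok and not enforce_pq
    # Hybrid rule: BOTH must verify, so breaking one scheme alone is not enough.
    return classic_ok and hmac.compare_digest(pq, tag(keys["pq"], msg))
```

A real deployment would swap `tag` for the actual signature schemes and gate `enforce_pq` on a feature bit negotiated with the peer.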