What if Ethereum falls victim to a quantum attack? Vitalik: No need to worry


Vitalik posted on the Ethereum Research forum discussing "How Ethereum should use a hard fork to protect user assets in the event of a quantum computer attack," advocating for a hard fork to roll back transactions and immediately upgrade the signature mechanism to effectively protect user assets. Link to the post.

What If Quantum Attacks Happen Tomorrow?

Vitalik Buterin assumes that if quantum computers are maliciously controlled tomorrow, attackers could use them to steal users' funds.

Preventing such a scenario is the goal of quantum-resistant cryptography. Once the account abstraction technology is in place, any user can switch to using quantum-resistant signature schemes at their discretion. But what if there isn't enough time?

Although the blockchain would have to hard fork to roll back transactions, and users would need to download new wallet software with stronger signatures, few users would be likely to lose funds as a result.

The Frontline Confrontation between Blockchain and Quantum Computers: Private Key Acquisition

Which Part Quantum Computing Breaks

Ethereum addresses are defined as:

address = keccak(priv_to_pub(k))[12:]

i.e. the last 20 bytes of the hash, where k is the private key, priv_to_pub is the elliptic curve multiplication used to convert the private key to a public key, and keccak is the hash function. The process of generating an Ethereum address is:

  1. Generate the private key from a random source.
  2. Generate the public key from the elliptic curve and private key.
  3. Generate the address from the Keccak-256 hash function.

With quantum computing, elliptic curve multiplication becomes reversible, because its security rests on the discrete logarithm problem, which a quantum computer can solve; the hash function, however, remains secure.

This means that if only the address is public, deriving the public key (and hence the private key) remains hard; but if the public key is public, obtaining the private key with a quantum computer will be very easy.

If a user has not conducted any transactions with their account, only the address is publicly visible, making their wallet secure even in the presence of quantum computing.

But if a user has ever made a transaction, the signature of that transaction will reveal the public key, which in the post-quantum world will expose the private key, making most users vulnerable to attacks.

How to Respond to Quantum Attacks

Vitalik Buterin notes that most users' private keys are essentially a series of hash calculations. Many keys are generated using BIP-32, which generates each address through a series of hash values starting from a master seed phrase. The working principle of many non-BIP-32 key generation methods is similar: for example, if a user has a brain wallet, it is usually a series of hash values applied to certain passwords or a moderately difficult KDF.

This means that this hash-based key structure gives a natural way to recover from a quantum emergency through a hard fork. The forking process would involve:

  1. Reverting (rolling back) all blocks after the first one in which large-scale theft occurred.
  2. Disabling traditional EOA-based transactions.
  3. Introducing new transaction types to allow transactions from smart contract wallets, such as part of RIP-7560.
  4. If step 3 is not technically feasible: adding a new EVM transaction type or opcode that accepts a STARK proof of knowledge of (i) a private preimage, (ii) a hash function ID from an approved list of hashes, and (iii) a public address, such that hashing the preimage with that function and running the address formula above yields that address. If the proof passes, the account's code is switched to new verification code, so the account can be used as a smart contract wallet.

For gas efficiency, since STARK proofs are large, a single STARK can be batched to prove N statements of the above type at once. Each batched proof must be a STARK-of-STARKs rather than a direct proof of the N statements, because each user's secret information must stay private from the aggregator.

In principle, the infrastructure to implement such a hard fork can begin construction immediately to prepare the Ethereum ecosystem adequately in case a quantum emergency indeed occurs.