I think it is never too early to start a discussion in the community on a roadmap to make Nano quantum-proof. Unfortunately Ed25519 is not quantum-proof so the search is on to nominate a new post-quantum signature scheme that is:
- Fast, particularly in verification (this is important to keep the consensus fast)
- Offers small signature size (we don't want to inflate the block)
- Has relatively small public and private keys (same as above)
Among the third-round finalists of the NIST Post-Quantum Cryptography Standardization Process, only Rainbow has a relatively small signature size (66 bytes), but the keys are huge (100-150 kB!). Falcon-512 looks promising with 897-byte/666-byte public key and signature sizes, respectively.
Could such a post-quantum "upgrade" be done at all? Or would it be a totally new ledger where each account balance should be migrated somehow?
It would have to be a migration, yeah, since the account numbers in the new signature scheme won't be derived from the account numbers in the old scheme.
Currently, account numbers are communicated in each block also, so we would need a way to efficiently exchange these large keys. Perhaps the account field could be a hash of the public key and the full key is only communicated on open blocks. This would weigh in favor of open blocks having a higher PoW floor.
Yes, I was thinking along the same lines. Perhaps it would be elegant to introduce the new accounts (keys/signature) parallel to the current account-chains. People could transfer amounts between the new and old accounts. This is just another reason why we need the "receive" blocks in the protocol (it was a pretty future-proof decision on your part) so that debate can be closed.
Having a special 'open' block is a good idea, but in that case we must keep the open blocks in the pruned account-chains.
Yeah, we'd have to think about whether we want the ability to go back. If the future move is away from ECC keys because of a post-quantum world, there's no reason to go back to it; they could only shoot themselves in the foot.
I think if we just built up a hash -> full key table we would be able to prune almost everything. Even that lookup table could be pruned in the worst case with a table scan, I think.
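The two ideas above (an account field that is a hash of the public key, with the full key carried only on the open block, and a node-side hash -> full key table) can be sketched in a few dozen lines. The following is an added example written for this discussion, not code from the Nano node and not Nano's real block format: the block layout (account, previous, payload), the all-zero `previous` as the open-block marker, and the use of a Lamport one-time signature over BLAKE2b as a stand-in for whichever post-quantum scheme is eventually chosen are all assumptions of the example. The Lamport stand-in is there because it is hash-based and needs only the standard library; it also makes the size problem visible (16 kB keys, 8 kB signatures) and shows how the 32-byte account hash keeps that cost off every non-open block. The check a node must not skip is that the key on an open block actually hashes to the claimed account; without it anyone could register a key of their choosing under someone else's account id.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional

ZERO = bytes(32)  # example convention: previous == ZERO marks an open block


def H(data: bytes) -> bytes:
    """32-byte BLAKE2b digest, used for account ids and inside the stand-in scheme."""
    return hashlib.blake2b(data, digest_size=32).digest()


# Stand-in PQ signature: Lamport one-time signature. Not a NIST candidate, and
# each key is meant to sign a single message; used here only for illustration.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)  # 256 * 2 * 32 = 16384 bytes
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    d = H(msg)
    return b"".join(sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))  # 8192 bytes


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 16384 or len(sig) != 8192:
        return False
    d = H(msg)
    for i in range(256):
        bit = (d[i // 8] >> (7 - i % 8)) & 1
        off = i * 64 + bit * 32
        if H(sig[i * 32:(i + 1) * 32]) != pk[off:off + 32]:
            return False
    return True


@dataclass
class Block:
    account: bytes                      # H(public_key), 32 bytes, not the key itself
    previous: bytes                     # ZERO on the open block
    payload: bytes                      # balance/link etc., opaque in this example
    public_key: Optional[bytes] = None  # full key travels only on the open block
    signature: bytes = b""

    def signing_hash(self) -> bytes:
        return H(self.account + self.previous + self.payload + (self.public_key or b""))


class Node:
    """Holds the hash -> full key table and validates incoming blocks."""

    def __init__(self):
        self.keys: Dict[bytes, bytes] = {}

    def process(self, block: Block) -> bool:
        is_open = block.previous == ZERO
        if is_open:
            # The key must be present and must hash to the claimed account id.
            if block.public_key is None or H(block.public_key) != block.account:
                return False
            pk = block.public_key
        else:
            if block.public_key is not None:   # only open blocks may carry a key
                return False
            pk = self.keys.get(block.account)  # no open block seen: nothing to verify against
            if pk is None:
                return False
        if not verify(pk, block.signing_hash(), block.signature):
            return False
        if is_open:
            self.keys[block.account] = pk      # the only time the full key is stored
        return True


def sizes():
    """(public key bytes, signature bytes, account field bytes) for the stand-in scheme."""
    sk, pk = keygen()
    return len(pk), len(sign(sk, b"x")), len(H(pk))


def run_demo():
    node = Node()
    sk, pk = keygen()
    account = H(pk)
    opn = Block(account, ZERO, b"open", public_key=pk)
    opn.signature = sign(sk, opn.signing_hash())
    ok_open = node.process(opn)

    # A second key presented under the first account's id must be rejected.
    sk2, pk2 = keygen()
    forged = Block(account, ZERO, b"open", public_key=pk2)
    forged.signature = sign(sk2, forged.signing_hash())
    rejected_forged = node.process(forged)

    # Later block names the account by hash only; the key comes from the table.
    # (Demo only: signing twice with a Lamport key leaks secret material; a real
    # deployment needs a many-time scheme.)
    nxt = Block(account, H(opn.signing_hash()), b"send")
    nxt.signature = sign(sk, nxt.signing_hash())
    ok_next = node.process(nxt)

    # Non-open block for an account with no open block on record.
    orphan = Block(H(pk2), H(b"prev"), b"send")
    orphan.signature = sign(sk2, orphan.signing_hash())
    rejected_orphan = node.process(orphan)
    return ok_open, rejected_forged, ok_next, rejected_orphan, len(node.keys)
```

`sizes()` returns `(16384, 8192, 32)`, which is the whole argument for the hash-as-account design: every block after the open block pays 32 bytes for the account field instead of the full key, and pruning a chain down to its open block keeps exactly the material the table needs to be rebuilt.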
Definitely interesting to see what comes out of this NIST competition; it's imperative that the signing algorithm get a lot of scrutiny academically before being considered for production.
Yes, an upgrade can be done if the whole network agrees to it. There are still some issues with quantum computing which aren't solved yet, so it will probably take some time until we see practical capabilities for breaking common crypto algorithms. If it really looks like they will be able to break most crypto algos, Nano will probably not be the biggest concern on this planet. There are more critical areas which endanger human life on this planet. At that point money is probably not the biggest concern anymore.
You might be interested in https://github.com/nanocurrency/nano-node/issues/2027, which would provide a way of transitioning to a post-quantum scheme, even in an emergency.
Very interesting, thanks! I like your proposal.