量子计算机和比特币

谷歌有关量子计算技术进步的消息引起了人们对其对比特币影响的大量质疑。虽然谷歌的新 Willow 芯片还需要几年时间

Google's recent announcement regarding an advancement in quantum computing has sparked concerns within the cryptocurrency community about its potential impact on Bitcoin. While Google's Willow chip is still years, if not decades, away from posing a threat to Bitcoin, it raises a valid question: how will quantum computing affect Bitcoin?

谷歌最近宣布在量子计算方面取得进展，引发了加密货币社区对其对比特币潜在影响的担忧。虽然谷歌的 Willow 芯片距离对比特币构成威胁还需要数年甚至数十年的时间，但它提出了一个有效的问题：量子计算将如何影响比特币？

The short answer is that Bitcoin will adapt.

简而言之，比特币将会适应。

Quantum computing will not arrive overnight; it will take time. Research is already underway to explore methods of addressing quantum computing in Bitcoin.

量子计算不会一蹴而就；这需要时间。探索解决比特币量子计算问题的方法的研究已经在进行中。

Signatures

签名

It's important to note that security in Bitcoin operates on two levels: within transactions and between transactions. Within transactions, digital signatures safeguard the locking and unlocking of coins, serving as the first line of defense. Bitcoin's digital signature algorithm mandates a signature for any user to spend their Bitcoins. All nodes on the network can verify that the user has this signature, without knowing what that signature is.

值得注意的是，比特币的安全性在两个层面上运作：交易内和交易之间。在交易中，数字签名保护硬币的锁定和解锁，作为第一道防线。比特币的数字签名算法要求任何用户使用比特币时都必须签名。网络上的所有节点都可以验证用户是否拥有此签名，而无需知道该签名是什么。

Historically, Bitcoin has utilized ECDSA, but following Taproot (Bitcoin's last major upgrade in 2021), Bitcoin now employs Schnorr signatures, which leverage hash functions and are conceptually simpler and more private than ECDSA.

从历史上看，比特币一直使用 ECDSA，但在 Taproot（比特币 2021 年最后一次重大升级）之后，比特币现在采用 Schnorr 签名，它利用哈希函数，在概念上比 ECDSA 更简单、更私密。

While Schnorr signatures are not quantum resistant, their rollout demonstrated a path forward for updating signatures. Taproot was implemented as a soft fork, essentially a backward-compatible upgrade. Any Bitcoin user can choose to use a pay-to-Taproot (p2tr) address instead of the older public key hash or SegWit addresses.

虽然 Schnorr 签名不具有量子抗性，但它们的推出展示了更新签名的前进道路。 Taproot 作为软分叉实现，本质上是向后兼容的升级。任何比特币用户都可以选择使用付费 Taproot (p2tr) 地址，而不是旧的公钥哈希或 SegWit 地址。

If a quantum computer were to eventually succeed in breaking these Schnorr signatures, I believe the Core developers would adopt a quantum-resistant signature scheme and deploy it as a soft fork within Bitcoin Core.

如果量子计算机最终成功破解这些 Schnorr 签名，我相信 Core 开发人员将采用抗量子签名方案并将其部署为 Bitcoin Core 中的软分叉。

Such quantum-resistant schemes are already feasible. Juan Garay, a cryptographer at Texas A&M and a colleague of mine, is currently exploring the integration of Lamport signatures into Bitcoin. Once this new quantum-resistant signature becomes part of a soft fork, all existing Bitcoin users would simply transfer their bitcoins from their existing address into a new quantum-proof address.

这种抗量子方案已经可行。 Juan Garay 是德克萨斯 A&M 的密码学家，也是我的同事，目前正在探索将 Lamport 签名集成到比特币中。一旦这个新的抗量子签名成为软分叉的一部分，所有现有的比特币用户只需将他们的比特币从现有地址转移到新的抗量子地址即可。

The only potential complication in this plan arises with addresses that are no longer active. The largest such address belongs to Satoshi Nakamoto, whose 1 million bitcoins have remained unmoved since they were mined in the early years of Bitcoin.

该计划中唯一潜在的复杂情况是地址不再活跃。最大的此类地址属于中本聪（Satoshi Nakamoto），他的 100 万比特币自比特币早期被开采以来一直保持不变。

Bitcoin Core developers would face a choice in how to handle Satoshi's coins. One option would be to disallow them from the blockchain, although this might trigger a hard fork. Hard forks are highly undesirable, but there are perhaps a handful of instances in Bitcoin's history when they would be necessary. This would be one of them, along with the timestamp issue (which I will discuss separately).

比特币核心开发人员将面临如何处理中本聪硬币的选择。一种选择是禁止它们进入区块链，尽管这可能会引发硬分叉。硬分叉是非常不可取的，但在比特币的历史上可能有少数几次硬分叉是必要的。这将是其中之一，还有时间戳问题（我将单独讨论）。

Hash Functions

哈希函数

Another possibility for a quantum computer would be to break SHA-256, the hash algorithm used extensively in Bitcoin. Not only is this used within some Bitcoin addresses, like pay-to-public-key hash (p2pkh), and even within Schnorr signatures, but it also forms the foundation of the blockchain's security.

量子计算机的另一种可能性是破解 SHA-256，这是比特币中广泛使用的哈希算法。这不仅用在一些比特币地址中，比如支付公钥哈希 (p2pkh)，甚至用在 Schnorr 签名中，而且它还构成了区块链安全的基础。

Breaking SHA-256 would entail finding hash collisions, and in the best case, making the hash function invertible. The quantum computer could then perform a 51% attack on the blockchain, which, in the best case, would allow the double-spending of coins. However, to obtain access to those funds within the Bitcoin addresses, the quantum computer would still need to break the signature algorithm.

破坏 SHA-256 需要发现哈希冲突，并且在最好的情况下，使哈希函数可逆。然后，量子计算机可以对区块链执行 51% 攻击，在最好的情况下，这将允许硬币的双花。然而，为了获取比特币地址中的这些资金，量子计算机仍然需要破解签名算法。

Bitcoin Core developers could then integrate this quantum-resistant hash function in place of SHA-256 throughout Bitcoin Core. Subsequently, all new blocks would be mined using this quantum-resistant hash function.

然后，比特币核心开发人员可以在整个比特币核心中集成这种抗量子哈希函数来代替 SHA-256。随后，所有新区块都将使用这种抗量子哈希函数来开采。

If a quantum computer could indeed break SHA-256, the highest and best use of this technology would be to mine bitcoin, not to perform a double-spend attack. A double-spend attack would be easily detectable and would ultimately diminish the value of the bitcoins that were double-spent. Instead, a quantum miner would simply use this new quantum computer to mine all remaining bitcoin, which it would be able to do if it could tailor the transactions and blocks in a way that would generate a sufficiently small number to win the mining lottery every 10 minutes. This would be possible if the quantum computer could invert the SHA-256 hash operation.

如果量子计算机确实可以破解 SHA-256，那么该技术的最高和最佳用途将是开采比特币，而不是执行双花攻击。双花攻击很容易被发现，并最终会降低双花比特币的价值。相反，量子矿工只需使用这台新的量子计算机来开采所有剩余的比特币，如果它能够以每 10 次生成足够小的数量来赢得采矿彩票的方式定制交易和区块，那么它就能够做到这一点分钟。如果量子计算机可以反转 SHA-256 哈希运算，这将是可能的。

In this scenario, mining would cease to be a globally competitive industry and would instead become an oligopoly, limited to those entities with access to the quantum computer. Assuming that more than one entity had access to this computer, bitcoin mining could continue as an industry, even if it were a duopoly between, say, Nvidia and Google.

在这种情况下，采矿将不再是一个全球竞争的行业，而是成为寡头垄断，仅限于那些能够使用量子计算机的实体。假设不止一个实体可以访问这台计算机，比特币挖矿就可以继续作为一个行业，即使它是英伟达和谷歌之间的双头垄断。

To avert this scenario, the simplest solution would be to install a quantum-resistant hash function in place of SHA-256. This is not out of the question, since Schnorr signatures themselves utilize hash functions. Therefore, a quantum-resistant signature scheme would need to be immune to hash functions.

为了避免这种情况，最简单的解决方案是安装抗量子哈希函数来代替 SHA-256。这并不是不可能的，因为 Schnorr 签名本身使用哈希函数。因此，抗量子签名方案需要不受哈希函数的影响。

This problem is still a long way off, and with more and more economic value being tied to bitcoin, the

这个问题还有很长的路要走，随着越来越多的经济价值与比特币联系在一起，