Concern About Quantum Resistance and the Longevity of the ICP Protocol

Dfinity Team

In light of recent advances in quantum computing, such as Google’s quantum chip, I would like to raise some important concerns about the long-term security and viability of the ICP protocol. While I understand that these developments do not yet pose an immediate threat to modern cryptography, it seems logical to assume that within the next five years, they could become a significant challenge.

Given this potential, I believe it is crucial to openly discuss and communicate a solid plan to ensure that ICP is quantum-resistant. The lack of clarity on this topic could create uncertainty among the community and potential investors who consider ICP as a long-term project.

Although I trust that the protocol is technically capable of adapting to such challenges (and I welcome corrections if I am mistaken), my main concern is the risk of losing the competitive advantage that ICP currently enjoys over other networks. This could happen if competitors or new entrants develop protocols explicitly designed to be quantum-resistant from the outset, much like Dfinity did with ICP when it began development in 2016.

For this reason, I believe it is essential to start adapting the protocol now, as waiting until the threat is imminent could jeopardize market share and the progress made so far. Additionally, critical algorithms for ICP, such as Distributed Key Generation (DKG), threshold signatures, and threshold relay, will likely require significant redesigns, as Jens Groth suggested in 2021 in his proposal on quantum resistance.

Below, I outline some key questions that may help address this challenge:

  1. What is Dfinity’s plan to upgrade the network and make it quantum-resistant?

  2. When is it expected that these measures will begin to take effect?

  3. Which current algorithms and schemes in ICP are reusable and will not require updates or modifications?

  4. Which team will be responsible for developing and implementing these new algorithms?

  5. Will these new algorithms affect the system’s scalability? Is it correct to assume that the protocol may require a significant redesign?

I strongly believe in ICP’s potential, but I also think that early preparation is key to maintaining its competitive edge in such a dynamic industry. I sincerely appreciate your time and any response or clarification you can provide on this critical topic.

Thanks.

@bjoern @dominicwilliams @Jan @PaulLiu @Manu @bjoernek @Severin @nikola-milosa

I saw David Derler has a background in post-quantum primitives; maybe he could help too.

@derlerd-dfinity1

2 Likes

Dear Jdcv97,

Thanks for sharing your concerns.

I firmly believe that a quantum computer powerful enough to break the public key cryptography currently used by ICP will exist one day—and that day might be sooner than we think, though not within the next five years. The chip that Google has publicized is still many orders of magnitude away from meeting the necessary requirements. This is because many physical qubits are needed to implement a single logical qubit, due to the necessity of error correction. Additionally, as quantum computers grow larger, even more error correction will be required to address interference not only between qubits themselves but also with their surrounding environment.

The algorithms in question used by ICP are all discrete-logarithm signature schemes (BLS, ECDSA, EdDSA, and Schnorr) and a discrete-logarithm-based VRF (BLS).

At Dfinity, we are fortunate to have team members with significant expertise in post-quantum cryptography. For example, I founded the post-quantum group at IBM Research Zurich, which won the NIST competition.

Notably, ICP was designed with the flexibility to replace cryptographic schemes easily if needed (this is often called crypto agility). The most significant inconvenience when swapping the cryptographic algorithms will be that the public key of the Internet Computer will change (having said that, changing public keys is a normal procedure in key management).

We are, and have always been, closely monitoring the situation and will propose replacements for these algorithms to the NNS at the appropriate time.

22 Likes

Thank you so much Jan, this gives a bit of clarity and calm; anyway, I would love to keep seeing updates about this topic. Also, in my opinion this is a perfect situation to take advantage of, so we can claim once again “ICP IS AHEAD OF THE GAME” due to its quantum-resistant cryptography. 🏆

3 Likes

Thank you Jan! Quick follow up questions out of curiosity:

  1. Would crypto agility be a one-time thing? Meaning, does changing the public key once provide permanent quantum resistance? Or would it be something else?
  2. What is the effort involved in this process in terms of resources, time, money, etc.?

Crypto agility refers to designing/coding such that one can easily switch out cryptographic algorithms. It has its roots in the time when replacing MD5 with SHA proved to be difficult because the hashing algorithm was often hardcoded. So the idea is that one needs to be able to change the algorithms used (and, if there are related keys, these as well) very easily, at any time and repeatedly if necessary.

2 Likes

Just to be clear, currently ICP is not quantum resistant. It is designed in a way so that it can be made quantum resistant by switching the used algorithms at the appropriate time. Now is not the appropriate time, as quantum computers are still far out and resources are better used for other things rather than responding to Google marketing campaigns.

1 Like