Grover’s is mentioned and some concerns were discussed here on Stackexchange, too.
We could design a black box function to break both P2PKH and P2SH (and P2WSH, etc.) addresses in 2^80 single-threaded quantum computer cycles. Assuming a clock speed on the scale of GHz, this would take about 10 million years. Important to note is that splitting the work and doing it in parallel is not as helpful as with classical computers because it would offer only a quadratic speedup (Fluhrer, S., Reassessing Grover’s Algorithm). In other words, doing the work in 1 year would require building 100 trillion quantum computers because sqrt(100T) == 10M. Therefore, we can say that breaking a 160-bit hash preimage is physically possible because 10M years is a finite amount of time and less than the age of the universe. However, it is still infeasible.
If 2^80 is infeasible for a QC then 2^85 will be infeasible, too, assuming BHT is limited by the same square root scaling law.
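As an added worked example of the cost arithmetic above (not code from the original post or from Fluhrer's paper), the following Python puts the 2^80 figure, the roughly 10 million year estimate and the quadratic-speedup argument into a small model. The 4 GHz clock is my assumption (it is "on the scale of GHz" and reproduces the 10 million year figure), as are the general exponents 2^(n/2) for Grover preimage search and 2^(n/3) for BHT collision search on an n-bit hash; for a 256-bit hash the BHT exponent lands at about 85.3, consistent with the 2^85 figure above.

```python
"""Back-of-the-envelope cost model for Grover-style search against hash-based
addresses. Added illustration, not code from the original post; every
numeric assumption is labelled inline."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600   # Julian year, about 3.156e7 seconds


def grover_log2_cycles(hash_bits: int) -> float:
    """Grover preimage search on an n-bit hash costs about 2**(n/2) oracle calls.
    A 160-bit HASH160 (P2PKH/P2SH) gives 2**80, the figure used in the post."""
    return hash_bits / 2


def bht_log2_cycles(hash_bits: int) -> float:
    """Brassard-Hoyer-Tapp quantum collision search costs about 2**(n/3) calls.
    A 256-bit hash (P2SH32/P2WSH) gives roughly 2**85.3."""
    return hash_bits / 3


def single_machine_years(log2_cycles: float, clock_hz: float) -> float:
    """Wall-clock years for one sequential machine to run 2**log2_cycles cycles."""
    seconds = 2.0 ** log2_cycles / clock_hz
    return seconds / SECONDS_PER_YEAR


def machines_needed(one_machine_years: float, deadline_years: float,
                    quadratic_only: bool = True) -> float:
    """Machines required to finish within the deadline.

    Grover-style search parallelises with only a quadratic gain (Fluhrer):
    N machines cut the time to T/sqrt(N), so N = (T/deadline)**2.
    A classical brute force parallelises linearly, so N = T/deadline.
    """
    ratio = one_machine_years / deadline_years
    return ratio ** 2 if quadratic_only else ratio


if __name__ == "__main__":
    # Assumption: a 4 GHz clock, "on the scale of GHz", which reproduces the
    # post's ~10 million years for 2**80 cycles on a single machine.
    CLOCK_HZ = 4e9
    years = single_machine_years(grover_log2_cycles(160), CLOCK_HZ)
    print(f"2^80 cycles at {CLOCK_HZ:.0e} Hz: {years:.2e} years on one machine")
    print(f"machines to finish in 1 year (quadratic speedup): "
          f"{machines_needed(years, 1):.2e}")
    print(f"same deadline with classical linear speedup: "
          f"{machines_needed(years, 1, quadratic_only=False):.2e}")
    print(f"BHT collision on a 256-bit hash: 2^{bht_log2_cycles(256):.1f} cycles")
```

The same single_machine_years function could be applied to the surface-code cycle counts quoted from Amy et al. further down, but only after assuming a cycle time for the error-corrected hardware, which the post does not give; that missing conversion is exactly the gap the bulletin's remark about the real cost exceeding the bare cycle count points at.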
The other implementation of Bitcoin produced some work on this, too. In Technical Bulletin – Bitcoin Cash Pay-to-Script-Hash (P2SH): Past, Present, and Future some of this was discussed. In 2023 BCH introduced P2SH32 for the same reason BTC introduced P2WSH (collision resistance). It suggested P2SH48 as the solution, but didn't propose introducing it any time soon since the network can't be surprised by 2^85 QC capability suddenly becoming available, and it is questionable whether it will ever be feasible.
The important thing here is that capability for a collision attack CAN NOT affect addresses created before the capability became available, i.e. pre-existing P2SH addresses can't be retroactively collision-attacked even once the attack becomes feasible, because the attack requires a setup phase where both addresses are “rolled” by the attacker at the same time and before handing out one of them for some multi-party use.
Shor and Grover are a bigger threat as these could be used to perform non-interactive attacks on old addresses at rest. Successful attacks would reveal the existence of capable enough QCs, and then maybe networks would need to consider 384-bit addresses.
The above bulletin suggests that a practical Grover’s implementation would have a cost greater than the bare number of cycles implies, and references a passage from Amy M. et al. “Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3” (2016):
We found that attacking SHA-256 requires roughly 2^153.8 surface code cycles and that attacking SHA3-256 requires roughly 2^146.5 surface code cycles.
For both SHA-256 and SHA3-256 we found that the total cost when including the classical processing increases to approximately 2^166 basic operations.
Our estimates are by no means a lower bound, as they are based on a series of assumptions.
