Friday, January 16, 2026

Security – Brassard-Høyer-Tapp (BHT) Algorithm and Bitcoin (BIP360)

Grover's algorithm has been covered before, and some of the issues were discussed here on Stack Exchange, too.

We could design a black-box function that breaks both P2PKH and P2SH addresses (and, with the exponent adjusted to the hash width, P2WSH etc.) in about 2^80 single-threaded quantum computer cycles, 2^80 being the Grover square root of the 160-bit HASH160 space. Assuming a clock speed on the scale of GHz, this would take on the order of 10 million years. Importantly, splitting the work and running it in parallel is not as useful as it is with classical computers: k quantum machines only give a sqrt(k) speedup, so you need quadratically more machines for a given time saving (Fluhrer, S., Reassessing Grover's Algorithm). In other words, doing the work in 1 year would require building 100 trillion quantum computers, because sqrt(100T) == 10M. We can therefore say that finding a 160-bit hash preimage is physically possible, since 10M years is a finite amount of time and less than the age of the universe. It is nevertheless infeasible.

If 2^80 is infeasible for a quantum computer, then 2^85 (roughly the BHT cost, 2^(256/3), of a collision against a 256-bit hash) will be infeasible too, assuming BHT is limited by the same square-root parallelisation law.

The other implementation of Bitcoin, Bitcoin Cash, has produced some work on this too. Some of it is discussed in Technical Bulletin – Bitcoin Cash Pay-to-Script-Hash (P2SH): Past, Present, and Future. In 2023 BCH introduced P2SH32 for the same reason BTC introduced P2WSH (collision resistance). The bulletin suggested P2SH48 as the eventual solution, but did not propose introducing it any time soon, since the network cannot be surprised by 2^85 quantum capability suddenly becoming available, and it is questionable whether it will ever be feasible.
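To make the scaling arguments above concrete, here is a small cost model that generalises the 160-bit figures to the other hash widths mentioned (P2WSH/P2SH32 at 256 bits, P2SH48 at 384 bits). This is an added example, not code from the Stack Exchange answer, the BCH bulletin or any Bitcoin implementation. It assumes one oracle query per clock cycle on one single-threaded machine and ignores error-correction overhead, so its wall-clock numbers are optimistic; the function names and the HASH_BITS table are mine.

```python
"""Toy cost model for Grover / BHT attacks on Bitcoin hash widths.

Added illustration (not code from the page or any Bitcoin implementation).
Assumptions:
  * one oracle query == one clock cycle on one single-threaded machine;
    error-correction overhead is ignored, so wall-clock times are optimistic;
  * Grover preimage search costs 2^(n/2) queries and BHT collision search
    2^(n/3) queries for an n-bit hash;
  * splitting a quantum search over k machines gives only a sqrt(k) speedup
    (Fluhrer, "Reassessing Grover's Algorithm"), whereas classical brute
    force parallelises linearly.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Output types and the width of the hash an attacker must invert or collide
# (assumed mapping for illustration).
HASH_BITS = {"P2PKH": 160, "P2SH": 160, "P2WSH": 256, "P2SH32": 256, "P2SH48": 384}


def grover_work_bits(hash_bits: int) -> float:
    """log2 of oracle queries for a quantum preimage search: n/2."""
    return hash_bits / 2


def bht_work_bits(hash_bits: int) -> float:
    """log2 of oracle queries for a BHT quantum collision search: n/3."""
    return hash_bits / 3


def min_hash_bits(target_work_bits: float, attack: str) -> int:
    """Smallest hash width (rounded up to whole bytes) that keeps the given
    attack at or above 2^target_work_bits queries."""
    divisor = {"grover": 2, "bht": 3}[attack]
    return int(math.ceil(target_work_bits * divisor / 8) * 8)


def years_single_machine(work_bits: float, clock_hz: float) -> float:
    """Wall-clock years for one machine to run 2^work_bits queries."""
    return 2 ** work_bits / clock_hz / SECONDS_PER_YEAR


def machines_needed(work_bits: float, clock_hz: float, target_years: float,
                    parallel: str = "quantum") -> float:
    """Machines required to finish inside target_years.

    Classical: k machines cut the time by k, so k = T/target.
    Quantum (Grover/BHT): k machines cut the time by sqrt(k), so k = (T/target)^2.
    """
    t_single = years_single_machine(work_bits, clock_hz)
    ratio = t_single / target_years
    if ratio <= 1:
        return 1.0
    return ratio ** 2 if parallel == "quantum" else ratio


if __name__ == "__main__":
    clock = 4e9  # "on the scale of GHz", as in the text
    for name, n in HASH_BITS.items():
        g, b = grover_work_bits(n), bht_work_bits(n)
        print(f"{name:7s} {n:3d}-bit  Grover 2^{g:.1f}  BHT 2^{b:.2f}  "
              f"one machine: {years_single_machine(g, clock):.2e} years")
    print(f"Grover on 160 bits within 1 year: "
          f"{machines_needed(80, clock, 1):.2e} quantum machines, "
          f"vs {machines_needed(80, clock, 1, 'classical'):.2e} if the speedup were linear")
    print("hash width keeping BHT at >= 2^128:", min_hash_bits(128, "bht"), "bits")
```

Run it and the 160-bit row reproduces the text's figures (about 10^7 years on one machine, about 10^14 machines for one year), while the P2SH48 row shows why 384 bits is the width that pushes BHT back to 2^128.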

The important thing here is that the capability to perform a collision attack CANNOT affect addresses created before the capability became available. Pre-existing P2SH addresses cannot be retroactively collision-attacked even once the attack becomes feasible, because the attack requires a setup phase in which the attacker "rolls" both colliding scripts at the same time, before handing one of them out for some multi-party use.
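The following toy demonstrates that asymmetry in runnable form: the attacker-controlled setup phase where both scripts are rolled together finds a collision after a birthday-bound number of tries, while an address that already exists only exposes a fixed hash and so costs a full preimage search. This is a constructed example, not code from the page, BIP360 or any Bitcoin implementation: the "address" is SHA-256 truncated to 16 bits instead of a 160- or 256-bit HASH160/SHA-256 so the searches finish in milliseconds, and the script layout (a prefix plus a 4-byte nonce) is made up.

```python
"""Toy demonstration: collision attacks need an attacker-controlled setup
phase; old addresses are only exposed to (second-)preimage work.

Constructed example, not code from the page, BIP360 or any Bitcoin
implementation. Assumptions:
  * the "address" is a hash of a redeem script shortened to TRUNC_BITS so the
    searches run in milliseconds (real HASH160 is 160 bits, P2SH32 is 256);
  * the hash is truncated SHA-256 rather than RIPEMD160(SHA256(.)), so only
    hashlib is needed;
  * the script layout (fixed prefix plus a 4-byte nonce) is made up.
"""
import hashlib

TRUNC_BITS = 16


def toy_script_hash(script: bytes) -> int:
    """Stand-in for HASH160: the first TRUNC_BITS bits of SHA-256(script)."""
    digest = hashlib.sha256(script).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - TRUNC_BITS)


def collide_two_scripts(benign_prefix: bytes, malicious_prefix: bytes):
    """Setup-phase collision: the attacker rolls nonces in BOTH scripts at once
    and stops when a benign candidate and a malicious candidate hash equal.
    Birthday bound: about 2^(TRUNC_BITS/2) candidates per side.
    Returns (benign_script, malicious_script, nonces_tried)."""
    benign_seen = {}     # hash -> benign script
    malicious_seen = {}  # hash -> malicious script
    nonce = 0
    while True:
        tag = nonce.to_bytes(4, "big")
        benign, malicious = benign_prefix + tag, malicious_prefix + tag
        hb, hm = toy_script_hash(benign), toy_script_hash(malicious)
        if hb == hm:
            return benign, malicious, nonce + 1
        if hb in malicious_seen:
            return benign, malicious_seen[hb], nonce + 1
        if hm in benign_seen:
            return benign_seen[hm], malicious, nonce + 1
        benign_seen[hb] = benign
        malicious_seen[hm] = malicious
        nonce += 1


def second_preimage(target_hash: int, attacker_prefix: bytes, max_tries: int):
    """Attack on an address that already exists: its hash is fixed, so the
    attacker can only vary one side and must expect ~2^TRUNC_BITS tries.
    Returns (script, nonces_tried) or None if max_tries is exhausted."""
    for nonce in range(max_tries):
        candidate = attacker_prefix + nonce.to_bytes(4, "big")
        if toy_script_hash(candidate) == target_hash:
            return candidate, nonce + 1
    return None


if __name__ == "__main__":
    benign, malicious, tries = collide_two_scripts(b"2-of-2 multisig:", b"attacker-only:")
    print(f"collision after {tries} nonces: {benign!r} and {malicious!r} "
          f"both hash to {toy_script_hash(benign):#06x}")

    # An address someone else created earlier: the attacker did not pick it.
    existing = b"alice's old P2SH script"
    result = second_preimage(toy_script_hash(existing), b"attacker-only:", max_tries=1 << 20)
    print("second preimage of the old address:",
          f"found after {result[1]} nonces" if result else "not found")
```

Typical runs find the collision after a few hundred nonces and the second preimage after tens of thousands; at real widths the gap is 2^80 versus 2^160 (classically) or 2^53 versus 2^80 (BHT versus Grover), and in both cases the collision only exists because the attacker chose both scripts.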

Shor and Grover are a bigger threat, as they could be used to perform non-interactive attacks on old addresses at rest. Successful attacks would reveal the existence of sufficiently capable quantum computers, after which networks might need to consider 384-bit addresses.

The above bulletin suggests that a practical Grover implementation would cost more than the bare number of cycles implies, and references a passage from Amy, M. et al., "Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3" (2016):

We showed that attacking SHA-256 requires approximately 2^153.8 surface code cycles and that attacking SHA3-256 requires approximately 2^146.5 surface code cycles.
For both SHA-256 and SHA3-256 we found that the total cost when including the classical processing increases to approximately 2^166 basic operations.
Our estimates are by no means a lower bound, as they are based on a series of assumptions.
