The Quantum Resistance of Monero in Relation to Privacy

Hello Monero People,

Let me start by saying I'm a huge fan of Monero. Monero is one of the only truly fungible and truly private coins. It does a phenomenal job of obfuscating transactions and therefore is probably one of the most import cryptos in the game.

The only problem is that there is a lot of bad or incomplete information out there when it comes to Monero's quantum resistance. I recently saw a video on TikTok claiming that Monero is one of the only quantum resistant cryptocurrencies and I don't believe that is true.

I am looking for feedback on this and the goal of this post is to get the facts on Monero and it's quantum resistance or lack of quantum resistance. I am under the impression that with Monero your address is actually a raw public key generated through elliptic curve cryptography, specifically ed25519. This signature scheme is vulnerable to quantum computing. Bitcoin uses something called P2PKH for addresses where your address is not actually a raw public key, it's simply a hash of the public key. This means that with Bitcoin, an attacker doesn't have the public key so they can't run Shor's algorithm until after you create a transaction which reveals the public key. With Monero, I believe that as soon as someone knows your address, they can begin running Shor's algorithm and potentially derive your private key therefore de-anonymizing and unlocking your funds.

I know that Monero uses 2 elements for privacy, RingCTs and Stealth Addresses. Also, I believe RingsCTs can be broken up into 2 parts: Multilayered Linkable Spontaneous Anonymous Group (MLSAG) ring signatures, and Confidential Transactions (CTs). A lot of this information I learned before Bulletproofs were implemented though. Maybe Bulletproofs change some of these mechanics.

Now my impression is that the advantage of ZCash over Monero is that ZCash's PRIVACY is actually quantum resistant. I remember reading somewhere that using a stealth address in ZCash makes the sender and amount 100% un-derivable through Shor's algorithm. This means that ZCash has quantum resistant "Hiding" but not quantum resistant "Binding." If someone were to attack the ZK-SNARK scheme used by ZCash with a quantum computer running Shor's algorithm, the worst they could do would be mint coins out of thin air exploiting an inflation bug. ZCash would no longer retain its value but all of it's transaction senders and values would still be hidden.

I guess what I would most like feedback on is whether or not Monero is quantum resistant at "Hiding." It is important to me that privacy centered coins are quantum resistant in terms of their ability to remain anonymous. I remember reading that before Monero switched to Bulletproofs it used the "Penderson Commitment" for stealth address which I believe in is quantum resistant in terms of hiding and not binding. I learned about this through Beam coin which actually uses Penderson Commitments and has a "switch" to change the scheme to "El Gamal" when meaningful quantum supremacy is achieved.

Recently I also read that Monero's Bulletproofs use something called "non-interactive zero-knowledge proof (NIZKP)" to replace something called "Borromean ring signatures" in the range proof version of RingCT. I am not sure if these "non-interactive zero-knowledge proofs (NIZKP)" are resistant to Shor's algorithm in terms of hiding.

Can someone please fill me in on exactly how quantum resistant Monero is especially in terms of privacy?

submitted by /u/warpanomaly
[link] [comments]

Leave a Reply

Your email address will not be published. Required fields are marked *