Ergo and post-quantum crypto?

We talk about the “long-term” survivability of Ergo without considering potential developments in quantum computers.

How will Ergo adapt as quantum computers evolve?

Probably we should start thinking about a sigma protocol to replace proveDlog with some quantum-secure mechanism (like lattices/LWE/etc.), and a mechanism to switch to it when the need arises.

There are some post-quantum sigma protocols AFAIK, at least for lattices. However, there are certain problems with LBC (and most other PQ schemes): they usually get broken after some investigation, security parameter values for real-world usage are not very well known, no standards, etc.
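For readers who have not looked at what proveDlog actually is, the following added example (mine, not code from this thread or from the Ergo codebase) shows the three-move sigma protocol behind it, Schnorr's proof of knowledge of a discrete logarithm, with the Fiat-Shamir transform that makes it non-interactive. The group is a constructed toy Schnorr group (p = 2879), not Ergo's real curve, and the class and function names are my own. The point relevant to the thread: the commit/challenge/response interface is what a replacement scheme would keep, while the hardness assumption (that `brute_force_dlog` is infeasible) is the part a quantum adversary removes.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (NOT Ergo's secp256k1): P is a safe prime,
# Q = (P - 1) / 2 is prime, and G generates the subgroup of order Q.
P = 2879
Q = (P - 1) // 2          # 1439
G = pow(2, 2, P)          # squaring lands in the order-Q subgroup; G = 4


class DlogSigma:
    """Schnorr's sigma protocol: proves knowledge of x with y = G^x mod P.

    The three moves (commit -> challenge -> response) are the shape proveDlog
    has in Ergo; a post-quantum replacement would keep this interface and
    change only the underlying hard problem.
    """

    def __init__(self, x):
        self.x = x % Q                    # secret
        self.y = pow(G, self.x, P)        # public key (the statement)

    def commit(self):
        # Prover move 1: fresh random nonce r, announcement a = G^r.
        r = secrets.randbelow(Q - 1) + 1
        return r, pow(G, r, P)

    @staticmethod
    def challenge(y, a):
        # Fiat-Shamir: the challenge is a hash of the public statement and
        # the announcement, so no interactive verifier is needed on-chain.
        h = hashlib.blake2b(f"{P}|{G}|{y}|{a}".encode(), digest_size=32).digest()
        return int.from_bytes(h, "big") % Q

    def respond(self, r, e):
        # Prover move 3: z = r + e*x mod Q (x is hidden by the random r).
        return (r + e * self.x) % Q

    def prove(self):
        r, a = self.commit()
        e = self.challenge(self.y, a)
        return a, self.respond(r, e)

    @staticmethod
    def verify(y, proof):
        # Verifier: recompute e and check G^z == a * y^e (mod P).
        # This holds because G^(r + e*x) == G^r * (G^x)^e.
        a, z = proof
        e = DlogSigma.challenge(y, a)
        return pow(G, z, P) == (a * pow(y, e, P)) % P


def brute_force_dlog(y):
    """Recover x from y = G^x by exhaustive search.

    Feasible only because the toy group is tiny; in a real-size group this
    is the discrete-log problem whose hardness the whole scheme rests on,
    and which Shor's algorithm solves efficiently on a quantum computer.
    """
    for x in range(Q):
        if pow(G, x, P) == y:
            return x
    return None


if __name__ == "__main__":
    prover = DlogSigma(1234)
    proof = prover.prove()
    print("valid proof accepted:", DlogSigma.verify(prover.y, proof))
    a, z = proof
    print("tampered proof accepted:", DlogSigma.verify(prover.y, (a, (z + 1) % Q)))
    print("secret recovered by brute force:", brute_force_dlog(prover.y))
```

Tampering with the response `z` by one step makes the check fail deterministically (`G^(z+1) = G * G^z`, and `G != 1`), which is the soundness side; the brute-force recovery illustrates that nothing but group size protects the secret classically, and that a quantum adversary would not be limited by group size at all.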


What are the barriers to implementing a Picnic scheme on Ergo?

The most important papers are here:

The primitives are simple and the hardness assumptions are more reasonable than many lattice-based ones, imo.

Any thoughts, @kushti / @scalahub ?


Oh, I’ve forgotten about this, thanks for the link! From the abstracts it looks nice; I need to check the constructions and concrete numbers for efficiency and sizes.

So as a possible solution, we maybe have a good candidate now, it seems.