Will GRIN survive a quantum computer 51% attack?

Fast forward 3-X year’s into the future


  • Do we have measurements in place which will protect us from Quantum Computers taking over GRIN ?

Source: BIP: 141 - Layer: Consensus (soft fork) from Bitcoin

Examples of new script system include Schnorr signatures which reduce the size of multisig transactions dramatically, Lamport signature which is quantum computing resistance, and Merklized abstract syntax trees which allow very compact witness for conditional scripts with extreme complexity.

Bitcoin is additionally preparing to protect itself from these kind of threats.

I just watched a video, which is explaining if quantum computers at the moment, are a threat to Bitcoin and co. Sorry, but the thumbnail is not at the first glance GRIN related but a GRIN logo will appear during the video.




A large scale quantum computer would not do a “51% attack” to rewrite history, because

  1. Grin’s PoW is quantum proof
  2. it would not need to

Instead, it would simply break Pedersen commitments to create arbitrary amounts of Grin out of thin air.


Switch commitments are relevant for quantum computers and Grin. Long story short, if quantum computers that could break ECC are ever going to exist, we need to “flip a switch” before they are built. If we do this, we reveal the amounts of the output commitments, but we are safe from inflation exploitation.


Hopefully by the time such a reliable quantum computer is available (if ever) someone will design a quantum-safe Pedersen commitment we could fork into.

1 Like

It must also be homomorphic so that we can still take the difference between sum of output and sum of input commitments, which is the basis of MW.

1 Like

Interesting, found a thread about it

and a book chapter


maybe someday I’ll have time to read it :sweat_smile:


For me the possibility that future technology could probably break Pedersen commitments is one of my biggest concerns about grin. Are there other use-cases of Pedersen commitments away from Mimblewimble, that sid in the same boat? Can I assume, that Pedersen commitments are more likely to break than elliptic curve encryption?

Pedersen commitment is a point on the elliptic curve. Even if someone came up with a way to break the discrete log, they could inflate money, but they couldn’t know how much was inside the Pedersen commitment because in theory you can open it for any value. The hardness of finding a discrete log for other values is what makes it a commitment to a single value.


Worth checking section 4 “Extensions and Future Research”, sub-section “Quantum Resistance” in Andrew Poelstra’s version of the Mimblewimble whitepaper where some relevant potential solutions are listed. I also noticed there was an old thread on quantum resistance.