The limitations of cryptographic agility in Bitcoin

The discussion initiates with a clarification regarding the security of secp256k1, a cryptographic algorithm integral to Bitcoin. It acknowledges a common understanding within the Bitcoin community that, while secp256k1 is considered secure, it is not impervious to threats, particularly from Cryptographically Relevant Quantum Computers (CRQC). This acknowledgment leads to a nuanced stance on the algorithm's security: secp256k1 is deemed secure under current conditions, predicated on the belief that should any risk of compromise arise, the incentive to develop, implement, and adopt an alternative would be significant.

The conversation further delves into the nature of security within cryptographic schemes. A scheme is labeled as "secure" when there exists no known "efficient" method—defined in terms of probabilistic and polynomial time (PPT)—capable of breaching it. By this definition, secp256k1 maintains its status as secure since no such PPT algorithm has yet been discovered to break it. The mention of a CRQC as a potential threat does not alter this classification because, at present, a CRQC does not constitute an "efficient" algorithm capable of undermining the algorithm's integrity.

Moreover, the discourse touches upon the broader implications for users, highlighting that the theoretical security of secp256k1 does not necessarily safeguard against practical vulnerabilities, such as the risks posed by storing coins with centralized custodians. This aspect underscores the complexity of defining security in the cryptocurrency domain, where theoretical robustness must be distinguished from practical vulnerabilities.