Post-Quantum Standard Contracts

[ryley-o]

🧐 Motivation
Even though preimage resistance of keccak256 is decades away from being compromised, we should be future-proofing immutable smart contract implementations wherever possible. This is especially true for standard implementations of things like ERC-721, which may have difficult migration paths due to on-chain metadata.

note: forgive me if I'm incorrect anywhere here, I'm a solidity dev, not a quantum security researcher 😅

📝 Details
Consider the ERC-721 _operatorApprovals:

mapping(address owner => mapping(address operator => bool)) private _operatorApprovals;

The mapping is stored in solidity at:

keccak256(abi.encode(operator, keccak256(abi.encode(owner, baseSlot))))

a quantum attacker could:

1 Find an input combination of (msg.sender, operator) that overwrites the mapping's storage slot
2. Use a crafted address to overwrite _operatorApprovals, granting them access to any NFT

One solution would be Instead of using a nested mapping, store explicit ownership metadata in storage:

struct ApprovalEntry {
    address owner;
    address operator;
    bool approved;
}
mapping(bytes32 => ApprovalEntry) private _operatorApprovals;

Additionally, when assigning new values to storage, we would have to check that either every slot to be written to is empty, or owner is indeed msg.sender and operator's slot and approved's slots are of the expected types (to prevent overflowing and overwriting a different operator).

I think this implementation remains secure even if keccak-256 is broken, assuming that the protocol implements some way of improving transaction signing.

Of course, it does add an additional SSTORE during operator approvals, as well as some SLOAD costs for storage validation prior to writing. However, we should be incentivizing this behavior, so maybe the protocol devs would want to figure out how to incentivize gas...

Thoughts on implementing as an option? I think similar strategies could be used on ERC-20/ERC-1155...