Hacking Bitcoin wallets with quantum computers could happen (cnbc.com)
64 points by StevenSeagull on June 14, 2021 | hide | past | favorite | 82 comments


QC would break secp256k1, but you don't get the public key to target on chain, you get the hash of it. QC doesn't help there. You could attack TX in the mempool as the spender reveals his public key(s), but you have very limited time to crack them.

If QC are ever built - and that is a big if, not a foregone conclusion - then these networks will react long before the quantum computers are powerful enough to attack.


I think that changes with Taproot though, otherwise native multisig would not work. I suppose the mitigation would be to keep high value wallets on hashed public key addresses.


>I think that changes with Taproot though, otherwise native multisig would not work

Can you elaborate on this? AFAIK taproot only makes it so you don't have to divulge the non-executed branches of code, but everything still uses hashes/ecdsa signatures so the threat model stays the same.


He means with the switch to Schnorr signatures


Taproot exposes a bare public key in each output with spend authority.


Aren’t there already (computationally small) quantum computers right now?


Yes, but none of them have been able to do anything faster than a classical computer can so far. It is not clear it will ever be possible to build a QC that is.


Unless Google has lied about its sycamore processor (or I’m missing something) this isn’t true. I definitely could be missing something though

https://bigthink.com/technology-innovation/google-quantum-co...


Quoting the article, this was on a "highly specific task, one that was specifically designed to give a competitive edge to a quantum computer like Sycamore."

They chose an inherently quantum problem that's difficult for classical computers (including supercomputers) to simulate but matches what the quantum hardware does natively; now we're approaching the stage where quantum hardware can do something more than simulations of quantum hardware. However, that's far from effective 'general purpose' quantum processors that would be capable of executing the quantum algorithms that have interesting implications on cryptography and other fields.

For example, factoring primes - we can brute force e.g. 256bit prime numbers on classical hardware and can't really brute force 1024 bit numbers. That can be done with a quantum computer with 2*n fully entangled, long-term coherent qubits, so a 512-qubit computer (unlike 53-qubit Sycamore) for doing what we can do already and 2048 qubit computer for actually breaking something (or, more realistically 4096 qubit computer for 2048-bit RSA).


secp256k1 is vulnerable under a QC model, though. Discrete log is solvable with Shor's algorithm. Current known quantum computers haven't gotten further than 21 yet, AFAIK.


The sycamore is really on the border of what current classical methods can simulate. You also need to consider that the funding used for building sycamore was probably orders of magnitudes larger than the funding used to build classical competitors.


Sycamore would probably struggle to factor a two-digit number. Useful quantum computation is still very far away, if at all possible.


It is my understanding that this result is disputed.


Without quantum error correction it isn't practical to use them for real world problems.

Scott Aaronson wrote a piece that touches on this https://www.quantamagazine.org/why-is-quantum-computing-so-h...


But needing the development of quantum error correction actually invalidates one of the points the article makes:

> Nic Carter pointed out that quantum breaks would be gradual rather than sudden.

It's likely cracking quantum error correction won't be a gradual process. Instead one day it won't work, and the next day it will be possible to build very big quantum computers.

I don't think that means QC will be a major problem for crypto. It's not like there aren't fixes already, and they've proved themselves to be collectively very adept at changing protocols and algorithms. Hell one of the changes they made to bitcoin is to add flag bits and a voting protocol that made future changes easier.


Similar to how a firecracker is exactly like an ICBM, yes.


Even this analogy is generous.


Bitcoin addresses are not public keys, they are the hash of the public key. Therefore you can not use a QC to derive the private key from the address alone (since the hash function is QC safe)

The public key is only written to the blockchain when you spend coin from that address, so at that point a QC can attack the key. Thus it's important to never re-use an address once you've spent from it and always spend the entire amount by using a newly generated change address.


> The public key is only written to the blockchain when you spend coin from that address

As Canada points out[1], there is a window when it's revealed to the mempool but not yet committed to the blockchain. During that time, even a single-use address is not QC safe.

[1]: https://news.ycombinator.com/item?id=27498750


It’s possible to skip the mempool, by including it directly in a block, giving no time to a QC attacker. Not worth it right now, but if QC was known to exist it could be done.


Is there a way to guarantee that this block doesn't become orphaned? A transaction isn't truly committed to the blockchain until it has several confirmations.


There’s no way to guarantee absolutely, but you could wait to announce until you got lucky with a couple consecutive blocks if you had a lot of hashpower (pool operators).

It would be an expensive endeavor since it involves throwing away solved blocks, but could of course package many QC safe(r) transactions so probably a profitable service in a QC compromised era.


Do you mean by mining the block yourself? Or a really high transaction fee?


Well, not necessarily yourself, but through an entity that would not gossip the pending transaction. If it paid well any pool or mining farm could include it. A high standard transaction fee would not help.


Yup that is correct but that window is reduced to a minimum. Your adversary will need to crack your PK in 10 mins and submit a replacement transaction which may or may not be accepted.


>Thus it's important to never re-use an address once you've spent from it and always spend the entire amount by using a newly generated change address.

How does that work? Anytime you spend coins from an address you hope you spend the exact correct amount that was already there? You pay 2x transaction fees to have two transfers - payment as one and remainder as the other - and hope they both pop in the same block?


Bitcoin transactions always spend 100% of your coins, however they can have multiple outputs. So to pay for something while still retaining the change, you can have one output going towards the merchant with the required amount and one output going straight back to your own wallet with the remaining coins. Only one fee is needed and everything is within one transaction.

You can also send the change to a new address instead, which is how single use wallets work. You generate a new wallet, send the change to the new wallet and replace usage of the old wallet with the new one.


If you have one wallet with 17 addresses, doesn't this defeat the whole "your entire bitcoin cache can be protected by memorizing one 12 word phrase" aspect.


Sorry for the late response. Yes, there is certainly a trade off which must be made for the increased security.

Another possible way would be to use a rotatable key derivation algorithm, where you can provide the 12 word phrase plus a number n, and it will provide you a different wallet for each value of n. Of course the key derivation algorithm must be quantum secure for the security benefit to apply in this context.


In the early days of Bitcoin, P2PK was used, where the public key is exposed instead of a hash of it. At least a million coins are covered by that. I would expect someone wielding a theoretical QC to attack those first.
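Several comments above turn on which output types put a public key on chain before any spend (P2PK, Taproot) and which only commit to a hash (P2PKH, P2WPKH). The following is an added example, not code from the thread or from Bitcoin Core: it classifies raw scriptPubKey bytes by their standard template and totals the value sitting in outputs whose key is already exposed, the kind of inventory a wallet operator would want before migrating funds. The sample UTXOs are constructed with dummy key and hash bytes.

```python
"""Classify Bitcoin scriptPubKeys and flag outputs whose public key is
already visible on chain (before any spend reveals it).

Added example; not from the thread or from any Bitcoin implementation.
Sample scripts below are constructed with dummy bytes, not real outputs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutputInfo:
    kind: str
    pubkey_exposed: bool  # True: a bare public key sits in the output itself
    note: str


def classify_spk(spk: bytes) -> OutputInfo:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac); key is in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return OutputInfo("p2pk", True, "public key in output (early blocks)")
    # P2PKH: OP_DUP OP_HASH160 <20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return OutputInfo("p2pkh", False, "only HASH160(pubkey) until spent")
    # P2SH: OP_HASH160 <20> <hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return OutputInfo("p2sh", False, "script hash only; keys shown at spend")
    # P2WPKH: OP_0 <20> <hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return OutputInfo("p2wpkh", False, "only HASH160(pubkey) until spent")
    # P2WSH: OP_0 <32> <hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return OutputInfo("p2wsh", False, "script hash only; keys shown at spend")
    # P2TR: OP_1 <32> <x-only output key>; key-path spend authority is exposed
    if n == 34 and spk[:2] == b"\x51\x20":
        return OutputInfo("p2tr", True, "x-only output key in output")
    return OutputInfo("unknown", False, "nonstandard or unrecognised script")


def exposed_summary(utxos):
    """utxos: iterable of (scriptPubKey bytes, value in satoshi).

    Returns (exposed_sats, total_sats, kinds) where kinds lists the
    classification of each UTXO in order.
    """
    exposed = total = 0
    kinds = []
    for spk, value in utxos:
        info = classify_spk(spk)
        kinds.append(info.kind)
        total += value
        if info.pubkey_exposed:
            exposed += value
    return exposed, total, kinds


# Constructed sample UTXO set (dummy key/hash bytes, arbitrary values).
SAMPLE_UTXOS = [
    (b"\x21\x02" + b"\x11" * 32 + b"\xac", 50_00000000),   # P2PK, 50 BTC
    (b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 1_50000000),  # P2PKH
    (b"\x00\x14" + b"\x33" * 20, 25000000),              # P2WPKH
    (b"\x51\x20" + b"\x44" * 32, 2_00000000),             # P2TR, 2 BTC
    (b"\xa9\x14" + b"\x55" * 20 + b"\x87", 10000000),     # P2SH
]

if __name__ == "__main__":
    exposed, total, kinds = exposed_summary(SAMPLE_UTXOS)
    print(kinds)
    print(f"{exposed / 1e8:.8f} of {total / 1e8:.8f} BTC has an exposed key")
```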


Also worth noting that good bitcoin wallets automatically use a new address for every transaction, so you never end up reusing an address.


Yes, quite possibly. As the article notes though, it's more of an engineering and social challenge than a fatal flaw. As soon as it is clear it will be actually practical in the near future to attack ECDSA, then the protocol will move to a quantum-resistant cryptosystem and you'll have to sign a transaction with your old ECDSA key to transfer it to the new one. Your paper wallet might become a rather thick paper listing, though.

As long as most of us do this before the attacks are practical and widespread, no problem. But when do we stop accepting transactions with ECDSA keys? I suppose at some point someone will try to move 500,000 BTC from addresses that have been dead since 2010. Hopefully we'll have a consensus by then.

As to the surprise attack scenario, I find it uncompelling. The only ones who could fund that in the near future are nations, and one thinks they'd have better things to do with a top secret trump card like that, than to attempt to very publicly steal money with it.


>But when do we stop accepting transactions with ECDSA keys? I suppose at some point someone will try to move 500,000 BTC from addresses that have been dead since 2010. Hopefully we'll have a consensus by then.

Why would you bother?

The outcome is the same, either the user gets locked out of their coin or hackers gain access to the coin, meaning the user is locked out of the coin. There isn't a solution that doesn't resolve in one of those and if you aren't able to protect the user by doing it, why spend the effort?


Because if someone gains the ability to resurrect lost coins, it will massively increase the circulating supply of bitcoin overnight, causing the value of everyone’s bitcoin to crash. This effect will get worse the farther we go in the future. Some people might not be happy about this.


> But when do we stop accepting transactions with ECDSA keys? I suppose at some point someone will try to move 500,000 BTC from addresses that have been dead since 2010. Hopefully we'll have a consensus by then.

It shouldn't be too hard to come up with a consensus, right? All the stakeholders would benefit from old coins being lost forever (because the value of their holdings would go up), and there's no point in opposing it when you can just shuffle your old coins to using post-quantum signatures.


There would be a period when both systems are active. It will likely require more bytes to log a quantum-secure transaction. With no other protocol changes, this would incentivize people to keep using ECDSA keys. And the increase in transaction size would cause reduced transactions per second.

No inherent problem. The protocol could have a built-in discount. Maybe the block cap should be increased to compensate. Questions like that are not so easy to get consensus on.


I say no discount, or the miners will prefer to include ECDSA key transactions.


>Your paper wallet might become a rather thick paper listing, though.

Why? Are you saying you'll need a bunch of new addresses? I think you'll only need 1 new address. Are you saying the addresses or stored private keys will be gigantic? I don't think that needs to be the case. Current addresses are just hashes, they can stay hashes and thus be small. Private keys don't need to be stored, only a seed needed to generate a private key needs to be stored.


Keys for some quantum-secure crypto systems are pretty big - the Wikipedia article has a chart of proposed ones: https://en.wikipedia.org/wiki/Post-quantum_cryptography#Comp... They range from about 10 to 100x as large as the ECDSA keys used in Bitcoin. This poses its own problems with transaction sizes and the block size cap and total throughput, though it's not a fatal flaw to the protocol.


True, but you don't actually print out your private key on a paper wallet -- you print out a seed phrase, from which the key material is derived. So you might even be able to keep using the same seed phrase! (Don't quote me on that, though.)


A 12-word BIP39 phrase is 128 bits of entropy. Is this enough? Depends on the algorithm.

In either case, you'd absolutely not want to reuse the phrase. AFAIK BIP-32 does not have security guarantees such that you can't find the seed from a set of private keys.


Oh, very interesting. I hadn't considered that a quantum-resistant private key might have its security depend on a large amount of input randomness.


Bitcoin would be least of our worries right? All current internet communication is effectively http not https with this. You don’t know if the server you are talking to is the real deal!


That requires a MITM. A typical cybercriminal isn't in a position to MITM me. But every cybercriminal on the internet is in a position to steal my bitcoins (if they can break bitcoin crypto).


It’s not just cybercriminals who want to MITM. There are nation states who have been tapping fiber optic cables for a long time.


https://www.usenix.org/system/files/1401_08-12_mickens.pdf

If you have a mossad problem, big integers were never going to save you from that before or indeed, after QC.


Sure but the average nation state does not need to steal my bitcoins.

OTOH the typical cybercriminal wouldn't have access to quantum computers for a while so this is a pretty unscary prospect either way, for now.


There's active research going on into "post-quantum" cryptography to protect the need for secure communications if/when quantum computers become powerful enough to pose a serious threat to the status quo.

https://blog.cloudflare.com/the-tls-post-quantum-experiment/ is a great read about a sample deployment of this by Cloudflare.


Then we would get qhttps (quantum encrypted https).


Yes, at present Bitcoin is a trinket in the global scheme of things, a small toy compared to most other major economic items. Facebook is worth more than Bitcoin.

One of the things frequently intentionally neglected in Bitcoin discussions is that it will die. It is guaranteed to die. It's a human invented digital technology; there is no long-term scenario where we don't kill it off through replacement and/or competition. We'll be constantly inventing new cryptos, that process will never stop. The odds of Bitcoin maintaining its crown long-term are not good, for all sorts of reasons (not least of which are vast dilution through competition and regulation; eg nations heavily restricting foreign/external cryptos and only allowing official national fake crypto currencies (digital currencies), as China is speeding toward). We can and will replace Bitcoin with something better. And then we'll replace that too.

People that are irrationally, emotionally bound up in Bitcoin will fight you to the death to deny that. Bitcoin is not a forever technology, it's transitory. But who gives a shit about Bitcoin per Bitcoin, click, click, no more Bitcoin, I just moved my Bitcoin over to X blah coin that is better. The coins don't matter unto themselves, they're merely vessels for holding or moving value, nothing more. A crypto investor should always be prepared to abandon ship for something superior and maintain a rational independence from becoming emotionally biased toward a given coin. It's no different than understanding to not fall in love, so to speak, with stocks (or commodities, and so on).

The tragedy of Bitcoin is that as it fades away and gets replaced, it'll leave a giant environmental blackhole in its wake. There will be a question as to whether it was a mistake (was there a better alternative beginning technology for cryptos), or whether it was absolutely necessary to learn from to spark the field (and if so, was it necessary to go so far with it before abandoning it).

Besides the replacement factor, there is no scenario where major world governments allow Bitcoin to replace central bank controlled fiat currencies. Give up a huge source of their power, give up the ability to free-spend, 'print,' steal & paper over fiscal mistakes via inflation? Ha, yeah right. It's hilariously trivial for major governments to dictate financial matters within their own borders. Outlaw Bitcoin and throw a bunch of people into prison for using it and they'll instantly see 99%+ compliance, that's how easy it is to relegate Bitcoin to the fringe. All the largest economies are already priming their moves to squeeze crypto via intensifying regulation, to make sure it stays in the corner where they're willing to tolerate it.


Bitcoin has been dead hundreds of times already, it can die one more time [1].

1: https://www.bitcoinisdead.org/


Actually bitcoin is more dead now than it was in 2013 - if your metric is real world use of the protocol. For example buying coffee with bitcoin. Or using it somewhere where it isn’t just turned immediately back into fiat by a 3rd party providing effectively a convenient “sell the bitcoin on Coinbase then pay with fiat” service.

Bitcoin is a speculative bubble and not much else.

The only hope it has is to be adopted as a reserve currency (not just legal tender) by many countries, and thus cement its value and then people will really be using it as a currency albeit on secondary layers, most likely provided by a number of centralised “PayPal-like” entities.

I don’t have faith in Lightning Network. Spend $50 to lock up $5000 where someone else can close you down and cost you $50 and you run around trying to find peers and be your own bank? No thanks.

So Bitcoin is a call option on this “hyperbitcoinisation” and anything less means it’s completely dead or just an occasional decentralised ponzi.


This is so hilariously inaccurate it's not worth anyone's time to sit down and debunk it.

You sound like someone who sold all his BTC in 2012 and bought a 2nd hand Honda Civic with the proceeds, thinking you'd beaten the system.


Cryptocurrencies have zero intrinsic value. If only one person owned all the bitcoins and refused to part with any of it, the world wouldn’t accept its use, and would just create another currency with similar properties. Ditto for every altcoin.

This is why altcoins haven’t displaced Bitcoin: touting technological advancements over and above the benchmark set by Bitcoin is more or less irrelevant, except to the extent the narrative underlying it produces a network effect to compete with Bitcoin’s. But there’s no logical reason why Bitcoin’s network effect should ever be exceeded — Bitcoin has the first-mover advantage, and is the most widely recognized cryptocurrency, with the safest and simplest technical implementation which is clearly capable of meeting the needs of cryptocurrency users. Speculative value storage is the only real world use case of cryptocurrency, and Bitcoin does it better.


Sadly, this comment being downvoted illustrates the bias in the HN community. People don't like the message, so they shoot the messenger.


HN has a strong anti-cryptocurrency bias. The comment got downvoted because it's irrelevant to the conversation.


I don't like downvotes because they don't convey very much information. There are many reasons to downvote something and no way to tell what that reason is. However, in this case, I think the reason is that the comment is both obvious and irrelevant to the conversation about security.


Mike Crawford invested $6000USD in Bitcoin and then died. I assume his wallet was on his Macbook and nobody knew his password. It was supposed to be a life insurance policy like investment because he could not get life insurance because of his mental illness. Someone got the Macbook for sure, but I'm not sure if anyone got the wallet and password to work.


Who is Mike Crawford?



By the time we realize that this is about to be reality, it will already be too late. I really do hope that Bitcoin Core devs and the community make a collective effort to approach this while it's still not necessary any time soon, than be caught with our pants down and leaving users too little time to react. Negotiation for a solution will be years, rollout on the mainnet should also be a year or two, and there should be a gap of several years after activation of whatever new signature scheme until it becomes necessary.

So if we're being risk-averse and having the worst-case in mind, it's time to get the ball rolling now.


Serious question: If I have a proposal regarding a relatively simple quantum experiment where the successful result would be $20M or more (nothing illegal like stealing funds from someone), but not the technical expertise to carry out the experiment, who would be a good person to get in touch with?


Serious answer: Come up with a concrete logical proposal and reach out to academics with expertise in the area you're trying to show results for. They'll either tear you to shreds or consider the experiment.


> relatively simple quantum experiment

You know that we can just barely (maybe) demonstrate quantum supremacy at this point right? Anything below this mark can be done on some rental AWS time and anything beyond that mark will be a serious challenge worthy of Google or Baidu's teams.

I guess what I'm saying is that I don't think you have what you think you have.


Quantum supremacy doesn't matter if what you're interested in testing in QC is related to the behavior of the processor or other curiosities.

I would encourage you to seek to be more open minded.


In that case, as I pointed out, you can simulate using traditional computing.


Intriguing... your profile bio is down, FYI.


Likewise ancient people thought about an F-16 before ever inventing one.


Sure, quantum computing may break BTC encryption. Accepting that premise, it will also break every other secure form of encryption we currently have. In that scenario, there are much, much more important things to worry about than your little Bitcoin wallet.


Other things can adapt but how does bitcoin adapt? Or are people willing to just give up all the old coins as if nothing happened?


The same way those things adapted. There will be whitepapers and code and the changes will be adopted quickly.

Just like every other existential threat to bitcoin QC will threaten other more important things, like infrastructure, first.

It's a non-threat.


You do not understand the situation. Breaking ECDSA would mean everyone gains access to everyone else's private keys. There is no recovery after that, because even if the network is updated to use a quantum-resistant scheme, how do you prove you're the owner of that BTC? And without a central party, who decides you're the rightful owner of your BTC, if tens of other people insist they own it?


If the quantum resistant scheme is set up long before it is necessary, people could have plenty of time to transfer their coins from quantum-vulnerable addresses to quantum-resistant addresses.

And then the community could decide “if you didn’t update your addresses before quantum computer attacks were viable, even though you had 5 years to do it with strong evidence that it would be necessary eventually, and lost your coins as a result, then sucks to be you”


What sort of change could happen that would prevent someone from taking all the bitcoin lost or just sitting around?

It seems like the only options are to either just let it happen or make those bitcoins disappear.


Yeah, I'm unclear on this also - there would have to be a flag day before which you can prove ownership and then move your coins to a new system. It doesn't work if QC that can easily break the keys arrives first, without warning.


Somebody only read the title.


If you figured out a way to move bitcoins from any address would it even be considered stealing?

You wouldn't need to break in and take anything. Just create some transactions in an open ledger.


Would there be people considering it stealing? Yes. Will there be a lot of them? Very likely.


Isn’t quantum computing nonsense though?


Using Shor's algorithm at this scale requires entanglement of so many qubits that it will never be feasible, and definitely not on this earth which is vibrating so much!


Careful, you're entangling with a tough crowd :)


Along with any encrypted online transactions, including banking sessions.

i.e. a global internet disaster.
