Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: cbtc645 on May 02, 2016, 05:12:34 PM



Title: Question regarding security of public key exposure during signing
Post by: cbtc645 on May 02, 2016, 05:12:34 PM
Hello,

I've recently been reading Blockchain Programming in C# (NBitcoin) and came across this tidbit:

Elliptic Curve Cryptography (the cryptography used by your public key and private key) is
vulnerable to a modified Shor's algorithm for solving the discrete logarithm problem on
elliptic curves. In plain English, it means that, with a quantum computer, in theory, it is
possible in some distant future to retrieve a private key from a public key.
By publishing the public key only when the coins are spent, such an attack is rendered
ineffective (assuming addresses are not reused).

I'd like some clarification here: is the public key only exposed during a transaction because of the transaction signature? To my understanding a public key may be retrieved from an ECDSA signature. The public key cannot be derived from the script hash due to the hash being an irreversible operation.

If the above is true, then does that mean in the distant future, signing messages for the purpose of verification as well as holding funds on an address which has already been used may be compromised?

Thanks in advance for any clarification.


Title: Re: Question regarding security of public key exposure during signing
Post by: akumaburn on May 02, 2016, 05:39:29 PM
Yes.

Even now it is feasible if you have a true quantum computer with enough Qubits.

I hear the military is racing to find Quantum Proof encryption for this very reason.

More reading:
http://www.claymath.org/sites/default/files/pvsnp.pdf
http://blog.computationalcomplexity.org/2007/02/on-np-in-bqp.html
https://en.wikipedia.org/wiki/Grover%27s_algorithm

EDIT (more reading :) ):
https://eprint.iacr.org/2015/1018.pdf


Title: Re: Question regarding security of public key exposure during signing
Post by: DannyHamilton on May 02, 2016, 07:12:03 PM
If the above is true, then does that mean in the distant future, signing messages for the purpose of verification as well as holding funds on an address which has already been used may be compromised?

Yes.

Signing a message with the private key for an address, or re-using an address that has sent bitcoins in the past will reveal the public key.

This is one of several reasons why it is a "best practice" to NEVER re-use an address.  You should always generate a new address for EVERY transaction output that you receive.