Bitcoin Forum

You don't need to worry if you don't expose public keys (address reuse). Even if the network shuts down for a while your coins will be safe and developers eventually will figure a solution.

I fail to understand how programming can mitigate this risk.

By changing the encryption to quantum-proof cryptography. There are several sources to learn about how we can face this, just take a little bit time to read (eg: https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin).

You don't need to worry if you don't expose public keys (address reuse).

Nuclear lock codes anyone?  :) ;) ;)

- A quantum computer capable of cracking Bitcoin's encryption could be just two years away.

Nuclear lock codes anyone?  :) ;) ;)

Probably closer to 20 years than to 2 years. At least if we're talking about the kind of computation power that would enable double-spend attacks as described by PrimeNumber7. Question being how long it will take for QC to break ECDSA within minutes instead of days once it becomes practically possible at all. We're likely to hear a lot more news about leaps in QC long before that though so we should get a bit of a heads up.

I believe, most likely we don’t know the true current state of QC technology and won’t know when QC can break ECDSA. QC being used to double spend bitcoin transactions would make it obvious that the technology exists.

[...]

I might hypothesize that some major governments have bitcoin stored in addresses whose public keys have been exposed to serve as a canary in the coal mine so they would know not to use EDSCA anymore. Similarly, a government with technology to calculate the private key based on the public key to prevent the canary from being set off.   

I guess the biggest canary in the coalmine are actually the earliest Coinbase transactions that were still P2PK. At least I find it hard to believe that anyone with the technology to crack ECDSA and the intention to double-spend bitcoins will be able to resist giving the early dormant block rewards a whirl as soon as they are able to. Emphasis being "the intention to double-spend bitcoins" because for all we know there might be larger goals at stake other than mere wealth accumulation, assuming such technical progress would indeed be successfully kept secret.

How long is the world away until the "Quantum Computing will crack ALL non-QC encryption algorithms!" setting? It can't permanently be FUD, can it?

Asking for a friend.

I read an article recently again claiming that within a few years, quantum computers will be easily able to crack BTC encryption: https://decrypt.co/28560/quantum-computers-could-crack-bitcoins-encryption-by-2022

Any thoughts on the above?

so that article that says 2-3 years is wrong ?

there is nothing called bitcoin encryption, but sha-256 or aes encryption, used by bitcoin core wallets to encrypt your keys.

so that article that says 2-3 years is wrong ?

also, if and when QC becomes more easily available, wouldn't bitcoin devs consider 'upgrading' the encryption to QC proof, or is that already completely set in stone for BTC ?

so that article that says 2-3 years is wrong ?

also, if and when QC becomes more easily available, wouldn't bitcoin devs consider 'upgrading' the encryption to QC proof, or is that already completely set in stone for BTC ?

If QC with big qubits will be available within next 2-3 years, everyone in software department will be in panic how to migrate their legacy code to use quantum resistant cryptography or make sure their customer update their software within 2-3 years.

Definitely.
Don't trust random online articles.

Quantum computers won't be a threat for the next decade.

...

Any thoughts on the above?

If Bitcoin encryption is ever broken, all other systems will also be broken together,
because all institutions use similar encrypton.

Mining can potentially be much quicker with QCs.
The current PoW difficulty system can be exploited by a Quantum Computer using Grover’s algorithm (https://en.wikipedia.org/wiki/Grover%27s_algorithm) to drastically reduce the number of computational steps required to solve the problem. The theorised advantage that a quantum computer (or parallelised QCs) have over classical computers is a couple of orders of magnitude, so ~x100 easier to mine. This isn’t necessarily a game-changer, as this QC speed advantage is likely to be some years away, by which time classical computers will surely have increased speed to reduce the QC advantage significantly. It is worth remembering that QCs aren’t going up against run-of-the-mill standard equipment here, but rather against the very fast ASICs that have been set up specifically for mining.

Re-used BTC addresses are 100% vulnerable to QCs.
Address Re-Use. Simply, any address that is re-used is 100% vulnerable because a QC can use Shor’s algorithm (https://en.wikipedia.org/wiki/Shor%27s_algorithm) to break public-key cryptography. This is a quantum algorithm designed specifically to solve for prime factors. As with Grover’s algorithm, the key is in dramatically reducing the number of computational steps required to solve the problem. The upshot is that for any known public key, a QC can use Shor’s approach to derive the private key. The vulnerability cannot be overstated here. Any re-used address is utterly insecure.

Processed (accepted) transactions are theoretically somewhat vulnerable to QCs.
Theoretically possible because the QC can derive private keys from used addresses. In practice however processed transactions are likely to be quite secure as QCs would need to out-hash the network to double spend.

Unprocessed (pending) transactions are extremely vulnerable to QCs.
As above, a QC can derive a private key from a public key. So for any unprocessed transaction, a QC attacker can obtain the private key and then create their own transaction whilst offering a much higher fee, so that the attacker’s transaction gets onto the blockchain first, ahead of the genuine transaction. So block interval and QC speed are both crucial here – it all depends on whether or not the a QC can hack the key more quickly than the block is processed.


Possible defences...

Defences using classical computers.

• Modify the PoW system such that QCs don’t have any advantage over classical computers. Defending PoW is not as important as defending signatures (as above), because PoW is less vulnerable. However various approaches that can protect PoW against QCs are under development, such as Cuckoo Cycle (https://hackernoon.com/wtf-is-cuckoo-cycle-pow-algorithm-that-attract-projects-like-cortex-and-grin-ad1ff96effa9), Momentum (http://www.hashcash.org/papers/momentum.pdf) and Equihash (https://en.wikipedia.org/wiki/Equihash).
• Modify the signature system to prevent easy derivation of private keys. Again, various approaches are under development, which use some pretty esoteric maths. There are hash-based approaches such as XMSS and SPHINCS (https://cryptoservices.github.io/quantum/2015/12/08/XMSS-and-SPHINCS.html), but more promising (as far as I can tell) are the lattice-based (https://en.wikipedia.org/wiki/Lattice-based_cryptography) approaches such as Dilithium (https://pq-crystals.org/dilithium/), which I think is already used by Komodo.
  

Defences using quantum computers.
As I’ve said a few times, I’m more of a bumbling enthusiast than an expert, but exploiting quantum properties to defend against QC attack seems to me a very good idea. In theory properties such as entanglement (https://en.wikipedia.org/wiki/Quantum_entanglement) and the uncertainty principle (https://en.wikipedia.org/wiki/Uncertainty_principle) can offer an unbreakable defence. Again, people are busy researching this area. There are some quite astonishing ideas out there, such as this one (https://phys.org/news/2018-04-quantum-blockchain-blockchains-future.html).

Thank you all very much for the informative replies. Truly educational!

If I had more sendable merit, I'd be spreading it around this thread.

Thank you all very much for the informative replies. Truly educational!

If I had more sendable merit, I'd be spreading it around this thread.