Quantum computers and Bitcoin

[furrycoat]

I was just reading the news this morning and came across an article talking about the recent leaps in quantum computing.

I then started thinking of Bitcoin and the potential issues it could have with the program.

Since quantum computers go at an incredible fast speed I imagine they can double spend, making Bitcoin useless. I know very little about the technicalities of Bitcoin, and I hope im wrong, but will Quantum computing destroy Bitcoin?

http://news.yahoo.com/computer-bridges-classical-quantum-computing-175759146.html

[DannyHamilton]

. . . I know very little about the technicalities of Bitcoin . . .

Clearly.

. . . will Quantum computing destroy Bitcoin? . . .

No.

http://lmgtfy.com/?q=quantum+site%3Abitcointalk.org

[imanikin]

This should be in all stickys and faq's! Seems like every week lately we have a thread on this same old topic. I know the search engine is very bad on this forum, but i think most of the noisemakers are just too lazy to even use it.

I think at least this video from the summit should be compulsory to watch before being able to post on this forum.

[hardcore-fs]

I was just reading the news this morning and came across an article talking about the recent leaps in quantum computing.

I then started thinking of Bitcoin and the potential issues it could have with the program.

Since quantum computers go at an incredible fast speed I imagine they can double spend, making Bitcoin useless. I know very little about the technicalities of Bitcoin, and I hope im wrong, but will Quantum computing destroy Bitcoin?

http://news.yahoo.com/computer-bridges-classical-quantum-computing-175759146.html

It depends on which universe it is operating in and if they are anti-bitcoins.

[MoonShadow]

will Quantum computing destroy Bitcoin?

Nope.  This is a known threat, and not a particularly high risk, either.  Even if it turns out that a quantum computer can rapidly outpace traditional hardware with regards to SHA-256; the bitcoin reference code includes 'hooks' to permit an orderly transition to another, more quantum resistant, algorithem.

[furrycoat]

. . . I know very little about the technicalities of Bitcoin . . .

Clearly.

. . . will Quantum computing destroy Bitcoin? . . .

No.

http://lmgtfy.com/?q=quantum+site%3Abitcointalk.org

In a bad mood?

Thanks for the responses.

[etotheipi]

This should be in all stickys and faq's! Seems like every week lately we have a thread on this same old topic. I know the search engine is very bad on this forum, but i think most of the noisemakers are just too lazy to even use it.

I think at least this video from the summit should be compulsory to watch before being able to post on this forum.

...except that the speaker got the question about quantum computing wrong.  I was in the audience, but I was too much of a pussy to stand up and correct him in front of everyone.  Apparently, I should have done so (since he has now been cited by someone), but I'm shy like that -- especially because I was in the back and no one had any idea who I was.  Oh well.

The speaker says that ECDSA is not susceptible to QCs -- that's just wrong.  ECDSA is most definitely broken by QC's, as well as just most asymmetric crypto algorithms on which internet security relies.  But Bitcoin is better prepared to deal with QCs than most other crypto systems: (1) if you never reuse addresses, then no one knows your public keys and thus there's nothing for a QC to solve.  By the time someone gets your public keys, you've already spent the funds, (2) the crypto algorithms in Bitcoin can be changed to quantum-resistant ones.  Given that we'll probably have two decades advance notice before QCs with enough qubits exist to even threaten Bitcoin, we'll have plenty of time to make the switch.

[MatthewLM]

Computer science has progressed so fast in the past, twenty years notice could have already passed us. I was looking at quantum resistant cryptography before. At the moment the cryptosystems which are supposedly quantum resistant seem to need some work before they could be safely distributed. NTRU was an interesting one but has some issues such as being able to determine private keys from multiple different signatures.

[hardcore-fs]

What really really makes me cry.. is the fact that all these internet hotshot MOFO's seem incapable of using the internet for research.

Lov K. Grover
http://arxiv.org/abs/quant-ph/9605043

Read it understand it, basically SHAn  CAN be compromised by Quantum computing, 160 would be blown wide open, 256 would be reduced down to about 80bits.
If you are really interested follow the current research papers, same way you would go see a real doctor for advice, instead of listening to  the local street corner crack addict.

[etotheipi]

What really really makes me cry.. is the fact that all these internet hotshot MOFO's seem incapable of using the internet for research.

Lov K. Grover
http://arxiv.org/abs/quant-ph/9605043

Read it understand it, basically SHAn  CAN be compromised by Quantum computing, 160 would be blown wide open, 256 would be reduced down to about 80bits.
If you are really interested follow the current research papers, same way you would go see a real doctor for advice, instead of listening to  the local street corner crack addict.

Clearly you don't understand that paper -- which describes the most basic, and widely-known QC algorithm out there.  "Grover's Algorithm" is the first thing you learn in a class about QC, and is the most basic and widely known algorithm out there.  All it does is cut the effective number of bits in half for brute force searching.  If you are trying to guess a 160-bit password, it'll be like an 80-bit password on a QC.  If you are trying to guess a 256-bit value, it will take 128 bits.  

For reference, the Bitcoin network has performed approximately 2^68 hashes in the entire 4 years it's been operating.   A long ways off of 2^80 to "guess" a 160-bit password. The bit sizes of the chosen algorithms are big enough that even one half the number of bits is still considered secure.  And when QCs come around, we only have to double the number of bits in our key sizes and the attackers are back to where they started.  Hardly "blown open".

[kjj]

Also, there are practical difficulties involved with implementing Grover's.  As far as I know, it has never been done, even in the most trivial way.  By contrast, Shor's (the other quantum algorithm) has been done, giving correct factorizations of both 15 and 21 in a statistically significant fraction of attempts.

I'll personally start worrying about quantum attacks on SHA when either A) someone demonstrates a version of Grover's that doesn't require a "circuit", or B) when we develop the technology to start imagining how to begin thinking about ways to implement SHA as a "circuit".  Either way, I suspect that our grandkids will have had plenty of time to ponder the suggestions that we leave in our memoirs on how to deal with the impending crisis.

[halftimepad]

There are two parts in the security of Bitcoin which could be affected by quantum computers.

One is the security of the elliptic curve cryptography system used when signing transactions. A quantum computer could deduce the private key (and take the funds) if it knows the public key. The private key can be computed solving the discrete logarithm problem, which is efficient in a quantum computer. It would just need a variation of Shor's factoring algorithm:

http://www.math.uwaterloo.ca/~amchilds/teaching/w08/l03.pdf

But, as Etotheipi says, if you only use your address except for spending, the public key is only used once, when you use the funds. The hashing will mask your public key and protect the secret one. There might be a problem if some node see your public key and tries to outrun you and send other transactions and the public keys already in the blockchain would be vulnerable, but I doubt a quantum computer will appear overnight. The system would have time to change to something else.

The second thing is the hash. Grover's algorithm could be used, with some problems, but it is not necessarily the best you can do. There are bounds you can apply directly to collision finding (finding two sequences which hash to the same value). Collision finding (necessary to replace blocks) is not efficient in quantum computers:

http://arxiv.org/abs/quant-ph/0111102

You could reduce difficulty, but not so much (at most is like having one fifth of the bits). The impact for a long chain seems small. The model is not completely general, but gives a good taste of what to expect. As far as I know, hash collisions have been studied a lot and this is the best result.

In any case, I think it would be easier to pull a 51% attack amassing a lot of computer power than building a scalable quantum computer, at least in the short/medium term.

Notice that, anyway, the discrete logarithm problem and finding collisions for SHA256 are only SUPPOSED to be hard for classical computers. There is no guarantee that there isn't algorithm that could break elliptic curve cryptography, factor large numbers or find collisions (there could be trapdoor in SHA256). Of course, a lot of people have been trying without success and I think they are probably safe.

[Carlton Banks]

Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for it's encryption. This would kind of ruins the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

[MatthewLM]

You want a classical cryptosystem to deal with quantum computing, since you cannot expect everyone to suddenly switch to quantum computers at the same time.

[MoonShadow]

You want a classical cryptosystem to deal with quantum computing, since you cannot expect everyone to suddenly switch to quantum computers at the same time.

Maybe, but Bitcoin's code provides 'hooks' for two secure hashing algos to be used together.  At the moment, we just use SHA-256 twice in a row, but simply changing one of them to a quantum hardened algo would solve the problem fine.

Long story short, quantum computing is not a near term threat to bitcoin, and may never be a significant threat.  Even if, for a time, someone with a very expensive quantum computer (and willing to comit it to hashing bitcoins) can effectively hash at several orders of magnitude faster than everyone else combined; that isn't going to break Bitcoin.

[halftimepad]

Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for it's encryption. This would kind of ruins the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.

[Carlton Banks]

Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for it's encryption. This would kind of ruins the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.

Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are inpenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

[MoonShadow]

Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for it's encryption. This would kind of ruins the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.

Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are inpenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

[Carlton Banks]

Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for it's encryption. This would kind of ruins the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.

Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are inpenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with alot of money in it's addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)

[DeathAndTaxes]

Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for it's encryption. This would kind of ruins the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.

Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are inpenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with alot of money in it's addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)

I don't think you understand his point.  Yes QC could (in theory) be used to determine the private key FROM the public key.  However with Bitcoin the address isn't the public key it is a structured hash of the public key.   The public key isn't known until the first time Bitcoins are spent from a given address.