Quantum Computer vs Bitcoin

[tisata]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

[1715614806]

1715614806

[DannyHamilton]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

<sarcasm>
Yes.

The word "quantum" is a synonym for "magic".  A quantum computer is a magic computer that can do anything you want it to do as fast as you want it to do it.
</sarcasm>

There is no reason to think that a quantum computer will destroy bitcoin.  Extraordinary claims require extraordinary evidence.

[aplistir]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Yes and no.

Efficient quantum computer can get the private key from public key, which means it could empty wallets that have been spend from. A single send action from an address reveals the public key.

However. If you use bitcoin properly and do not re-use addresses, then you are safe from quantum computers, because they cannot break SHA256 hash.

Also if/when quantum computers would ever become big enough, bitcoins encryption is probably going to be changed to something quantum resistant.

How do we know when the time has come?
There are several addresses with over 1000000000$:s worth of bitcoins in them, that have send actions in them and they have published their public keys. When someone starts emptying them, then we know it is time to do something.... or hopefully long before that.

And it is not only quantum "magic" computers we need to worry. Maye someday some hacker will find a way to break bitcoin crypto even without quantum magic.

[trimulia]

and i heard too that quantum computer can destroy bitcoin system is just a myth

[M3TH0DM4DN3SS]

I'm probably wrong but here's my opinion on the subject. Others please feel free to correct me if I say something false.

So the whole structure of bitcoin is based on a p2p (peer to peer) network. Each wallet (full node) and miner that is has a copy of the blockchain verify the activity. The vulnerability that comes to mind when I think of a crazy super quantum computer's ability to attack bitcoin is this; what if the computer was able to create enough of it's own nodes to control over half of the network? Hopefully someone with more knowledge will elaborate on this. Because I don't think I understand how bitcoin works fully.

[yojodojo21]

Quantum computer is already existing but none of the issue that bitcoin will be destroyed by any super what kind is it done it. Creator can only destroy bitcoin. Nodes,block,codes etc. If this is copied in the original of it then it might happen. But the question is why going to destroy bitcoin if youll be able to use it and become millionaire.

[cr1776]

I'm probably wrong but here's my opinion on the subject. Others please feel free to correct me if I say something false.

So the whole structure of bitcoin is based on a p2p (peer to peer) network. Each wallet (full node) and miner that is has a copy of the blockchain verify the activity. The vulnerability that comes to mind when I think of a crazy super quantum computer's ability to attack bitcoin is this; what if the computer was able to create enough of it's own nodes to control over half of the network? Hopefully someone with more knowledge will elaborate on this. Because I don't think I understand how bitcoin works fully.

No.  The fear is that if could do something like get a private key from a public key, but the hash function should mitigate that risk unless you are reusing addresses.

You could spin up 10000 nodes right now pretty easily.

My main hope is that quantum computers revolutionize search since this has been discussed many times before. 😂

[haltingprobability]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

It's something that Bitcoin's designers need to keep in mind as a "tail risk".

Quantum computers reduce the effective security of our strongest cryptographic primitives (hashes, symmetric ciphers) by about half. That is, a 256-bit hash gives about 128 bits of effective security in a world where quantum computers are used for at-scale computation. 128 bits of security is pretty good security - searching 10³⁷ gives about a 10% chance of breaking a particular hash (finding the hash preimage). 10³⁷ is 10 quadrillion quadrillion quadrillion - that's more than a billion billion times the number of hashes performed by the combined hashpower of all Bitcoin miners in order to mine a block.

The hash address is only 160 bits but it still requires 256 bits of search to break, that is, address=RIPEMD160(SHA256(pubkey)) minus a few technical details. Once you get the pubkey, we typically assume that a quantum computer will easily recover the private key from the public key. However, quantum-resistant public key encryption is still possible. Because of its quadratic advantage (theoretical) over classical computers, we have to double the key space (note that this may more than double key size). IIRC, secp256k1 is 128-bits equivalent security which we have to cut in half in a quantum-computation world - effective security is 64-bits. While 64-bits is too small for securing a large asset (such as all bitcoins), note that each address is secured by 64-bits security. So the cost of breaking all addresses in the UTXO set is at least 64 * nUTXO where nUTXO is the number of unspent transaction outputs. In other words, even with a quantum computer, you still have to break each address separately, and there are a lot of addresses.

Finally, quantum computation will actually help Bitcoin more than it will hurt it. As QC's begin to approach sufficient complexity to be able to mount serious attack against Bitcoin's cryptographic primitives, they are going to force cryptographers to revise usage across many cryptographic applications - traditional banking, government communication and data-storage, military communications systems, and so on. Quantum cryptography offers the promise of new modes of communication that are not possible with classical communication channels. Perhaps you can secure your Bitcoin address with an entangled set of qubits such that only the holder of the originally entangled qubits can prove ownership of the address. So, Bitcoin should not be having FUD about QC.

[MisterPrada]

Security agencies and the US DoD have tech that is at least 30 years in advance of the stuff you buy on Amazon. Quantum was likely put into production for breaking RSA 2048 in the 1990's, which is why they stopped making such a big fuss. The fact that publicly available crypto is allowed to be freely shared should tell you it's all broken.

[ranochigo]

So the whole structure of bitcoin is based on a p2p (peer to peer) network. Each wallet (full node) and miner that is has a copy of the blockchain verify the activity. The vulnerability that comes to mind when I think of a crazy super quantum computer's ability to attack bitcoin is this; what if the computer was able to create enough of it's own nodes to control over half of the network? Hopefully someone with more knowledge will elaborate on this. Because I don't think I understand how bitcoin works fully.

As said, quantum computing isn't magical. It's really not difficult to create 5000 nodes right now, even.

While its true that Bitcoin nodes are the backbone of the network, you cannot technically destroy the whole network. The only thing sybil attack (the most damaging IMO) can achieve, is to isolate people from the network. This could potentially allow attackers to execute a double spend attack on them and tricking them to see confirmations that they don't actually have. That isn't easy either. You will need to generate valid blocks and also have thousands of IPs which a quantum computer has no advantage of.
Quantum computers can weaken ECDSA but that doesn't mean private keys can be cracked instantly and without cost.

[hasmukh_rawal]

Why do you think of the destruction of Bitcoin while you could have made the same thread for increasing the efficiency of Bitcoin through quantum computers. Quantum computers do exist right now but I don't think they will be able to destroy the efficiency of Bitcoin. The current quantum computers are obviously more developed than electronic/digital computers but are not so well developed that they can crack any private key. To destroy the functionality of BTC  not only a super quantum computer is need but also the algorithm to break the BTC's code. It will at least take a few decades to build such a super quantum computer to achieve this thing and by the time it is possible BTC would have been far more developed seeing it's growth right now.

May I ask the wise ones whether quantum computer can be used to increase the efficiency/development of BTC in some way ?

[lionelho]

Don't worry too much. Read more technical materials and you will see the quantum computing is not good at the decryption in the crypto currency.

[Borilla]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Yes and no.

Efficient quantum computer can get the private key from public key, which means it could empty wallets that have been spend from. A single send action from an address reveals the public key.

However. If you use bitcoin properly and do not re-use addresses, then you are safe from quantum computers, because they cannot break SHA256 hash.

Also if/when quantum computers would ever become big enough, bitcoins encryption is probably going to be changed to something quantum resistant.

How do we know when the time has come?
There are several addresses with over 1000000000$:s worth of bitcoins in them, that have send actions in them and they have published their public keys. When someone starts emptying them, then we know it is time to do something.... or hopefully long before that.

And it is not only quantum "magic" computers we need to worry. Maye someday some hacker will find a way to break bitcoin crypto even without quantum magic.

good answer. I would add that a QC could  mine blocks way faster using something similar to Grover's algorithm

[Drnice]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

<sarcasm>
Yes.

The word "quantum" is a synonym for "magic".  A quantum computer is a magic computer that can do anything you want it to do as fast as you want it to do it.
</sarcasm>

There is no reason to think that a quantum computer will destroy bitcoin.  Extraordinary claims require extraordinary evidence.

If yes, that quantum computer can impose threat to bitcoin and other crypto currencies, it then means that not only with the shutting down of the internet will be the threat of crypto currencies.

[nc50lc]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

<sarcasm>
Yes.

The word "quantum" is a synonym for "magic".  A quantum computer is a magic computer that can do anything you want it to do as fast as you want it to do it.
</sarcasm>

There is no reason to think that a quantum computer will destroy bitcoin.  Extraordinary claims require extraordinary evidence.

Your sarcasm was straight to the point
Scientists nowadays are:
"Hey this should be researched, I need a lot of funds"

We're going back to "Earth as the center of the solar system" in the field of "Quantum" physics because of these kind of researchers.

OP: Looking at the current development in Qcomputing, Quantum computers will not be a threat to Bitcoin. There are more threaths than that to look after.

[haltingprobability]

If i'm right, Quantum Computer is best for solving exponential problem (2^x) while Bitcoin cryptography either based on polynomial (x^2) or/and Elliptic-curve/ECDSA (y^2=x^3+ax+b), so bitcoin security won't affect much by Quantum Computer. CMIIW.

There are a couple errors, here. First, 2^x (EXP) is way harder than x² (P) - a computer that could solve 2^x problems wouldn't even have to break a sweat to solve x² problems.

In theory, quantum computers (QC) can store information exponentially in the number of qubits - 20 qubits can store a megabit (2²⁰ classical bits) of information. But the exponential space advantage of QC does not necessarily translate to an exponential time advantage. QC has a quadratic time advantage for search problems vis-a-vis a classical computer.

[SpeedRacerF1]

If i'm right, Quantum Computer is best for solving exponential problem (2^x) while Bitcoin cryptography either based on polynomial (x^2) or/and Elliptic-curve/ECDSA (y^2=x^3+ax+b), so bitcoin security won't affect much by Quantum Computer. CMIIW.

There are a couple errors, here. First, 2^x (EXP) is way harder than x² (P) - a computer that could solve 2^x problems wouldn't even have to break a sweat to solve x² problems.

In theory, quantum computers (QC) can store information exponentially in the number of qubits - 20 qubits can store a megabit (2²⁰ classical bits) of information. But the exponential space advantage of QC does not necessarily translate to an exponential time advantage. QC has a quadratic time advantage for search problems vis-a-vis a classical computer.

Fools who think replacing science with math somehow makes for legitimate concepts...and after a google search followed by a link to wikipedia, we can rest assured you're all experts on quantum mysticism. haha

[haltingprobability]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

Not fake at all. In fact, the computer you are using would not be able to operate without specifically quantum effects - the semiconductor effect (field effect) is itself a result of the quantum behavior of properly doped silicon. Without this quantum phenomenon, we would not have solid state electronics and our computers would all be running on vacuum tubes - a computer equivalent to a TI calculator would require megawatts of power to operate.

You can directly observe quantum phenomena for yourself with a helium discharge tube and a diffraction grating - you will see spectral lines (emission and absorption lines) which contradicts the classical theory of light. An even easier experiment is to layer a couple polarization filters and a polarity rotation filter to "erase" the effect of one of the filters using quantum erasure. It's a simple experiment that anyone can do and you will directly observe quantum erasure in a way that contradicts your intuition about the way that the filters should behave.

[nexus2k14]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Yes it's possible but in fact is a very long process, it can not happen before year 2027/2028.  Bitcoin uses secp256k1 cryptography that can not be hacked today, and when this will be possible using Quantum computers I am sure Bitcoin will be ready and have the quantum fork for quantum resistance cryptography standard,
right now there is one proposal already now called qBitcoin.
https://spectrum.ieee.org/tech-talk/computing/networks/qbitcoin-making-bitcoin-quantumcomputer-proof

[shensu]

All cryptography will be threatened by this, not just bitcoin.

[hatshepsut93]

I've read on the Bitcoin wiki that Bitcoin private key is usually a 256 bit number, but it can also be between 128 to 512 bits. Does this mean that someone with a quantum computer can theoretically generate all 128 bit long private keys in 2^64 time using Grover's algorithm? Also, is there any way to check if an address corresponds to a key of certain length? So, if such attack is possible, how likely it is to be executed on practice (how likely early quantum computers will be able to break 64 bits of security) and what can be done to prevent it?

[nullius]

I've read on the Bitcoin wiki that Bitcoin private key is usually a 256 bit number, but it can also be between 128 to 512 bits.

Are you speaking of this page?  It is wrong (permalink to incorrect section in incorrect version).  I will apply for wiki editing privileges to correct it.  A Bitcoin private key is always exactly 256 bits, no more and no less.  I infer that the editor who wrote the incorect text was confusing private keys with HD seed values, or something of that nature.  On a brief glance, this page and this page seem correct.

Others on this thread have already explained the basic technical details of what a quantum computer could do.  The takeaway is that Bitcoin’s public-key crypto would be broken—however, public keys which have not yet been exposed would be safe.  There is no way to recover the public key from its hash, not even with a quantum computer.  For other hash properties, in a PQ world, a 256-bit hash should be considered to have today’s equivalent of a 128-bit security level; that’s adequate.

The more important point is that a practical, real-world quantum computer would shatter the banking system, as well as the security of the whole Internet.  Bitcoin would actually fare relatively well, due to its use of hashes in transaction outputs.  This is not really a Bitcoin issue.  Some people (not you) who ask about quantum computers in this context tend to imply that it’s a Bitcoin risk, whereas you should be (relatively) much more worried about your bank accounts.

[hatshepsut93]

Are you speaking of this page?  It is wrong (permalink to incorrect section in incorrect version).  I will apply for wiki editing rights to correct it.  A Bitcoin private key is always exactly 256 bits, no more and no less.  I infer that the editor who wrote the incorect text was confusing private keys with HD seed values, or something of that nature.  On a brief glance, this page and this page seem correct.

Yes, that's exactly what I was asking about, thanks!

Indeed, this part:

Code:

In Bitcoin, a private key is usually a 256-bit number (some newer wallets may use between 128 and 512 bits)

got me confused a bit, since I'm not very familiar with ECDSA.

But I think my question can be repeated for wallet seeds: how long would 128 bit seeds be secure against QC, and how do you think Bitcoin community will react if/when someone will start claiming coins from those wallets that were considered to be lost (I'm assuming that most holders will move their funds to new wallets before quantum brute force will become feasible). Of course it's a far smaller threat than the complete failure of public key cryptography, but still I'm curious.

[Noctis Connor]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

You're mad bro, this thing exist. you need to read it here http://www.wired.co.uk/article/d-wave-2000q-quantum-computer Quantom does really exist but it cost a lot of fortune in it.

[hasmukh_rawal]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

You must be tripping heavy to live in that imaginary world. The quantum theory as well as the quantum computer both are real and working.
D-Wave was the first company to officially build a quantum computer. You can read it out on Wikipedia here https://en.wikipedia.org/wiki/D-Wave_Systems . Also Google and NASA are joining hands to build a quantum computer which would be much powerful and can solve a problem 100 million times faster than a standard computer.
Take a read about it here : http://www.popularmechanics.com/technology/gadgets/a18475/google-nasa-d-wave-quantum-computer/

[nullius]

But I think my question can be repeated for wallet seeds: how long would 128 bit seeds be secure against QC, and how do you think Bitcoin community will react if/when someone will start claiming coins from those wallets that were considered to be lost (I'm assuming that most holders will move their funds to new wallets before quantum brute force will become feasible). Of course it's a far smaller threat than the complete failure of public key cryptography, but still I'm curious.

The seeds are run through a KDF (key derivation function) which uses iterated hashing.  I am not qualified to say definitively whether a quantum computer could efficiently attack those; and I should know better than to even hazard a guess, without really thinking about it for a very long time.  But my gut says this would probably not be a profitable attack.  Now, watch someone else show me up here...

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

quantum mysticism. haha

You're mad bro, this thing exist. you need to read it here http://www.wired.co.uk/article/d-wave-2000q-quantum-computer Quantom does really exist but it cost a lot of fortune in it.

You must be tripping heavy to live in that imaginary world. The quantum theory as well as the quantum computer both are real and working.
D-Wave was the first company to officially build a quantum computer. You can read it out on Wikipedia here https://en.wikipedia.org/wiki/D-Wave_Systems . Also Google and NASA are joining hands to build a quantum computer which would be much powerful and can solve a problem 100 million times faster than a standard computer.
Take a read about it here : http://www.popularmechanics.com/technology/gadgets/a18475/google-nasa-d-wave-quantum-computer/

There is a pernicious little subcultural strain of arrogant doofuses who enjoy spouting “skepticism” of quantum mechanics.  Put that aside; of course, they’re morons—and all the moreso, when they make Internet posts using computers which could not be built without the practical application of quantum mechanics.  Rather like Flat Earthers who use GPS.

There is a huge difference between that, and skepticism of quantum computers.  A quantum computer is not a sure thing!

I should preface this by saying, I’m not endorsing the opinions of Scott Aaronson.  I’m only citing him as someone who is not a moron, and wrote a book on quantum computing (which I have not read).  I seem to recall some wager on his blog over the (im)possibility of quantum computing, but I can’t find it right now; anyway, D-Wave has a long history (2013) of drawing his ire (2017), to say the least.

See how he discusses skepticism of quantum computers:

What I did is to write out every skeptical argument against the possibility of quantum computing that I could think of. We'll just go through them, and make commentary along the way. Let me just start by saying that my point of view has always been rather simple: it's entirely conceivable that quantum computing is impossible for some fundamental reason. If so, then that's by far the most exciting thing that could happen for us. That would be much more interesting than if quantum computing were possible, because it changes our understanding of physics. To have a quantum computer capable of factoring 10000-digit integers is the relatively boring outcome -- the outcome that we'd expect based on the theories we already have.

Though he’s not a good speaker, an interesting lay-level talk is “What Quantum Computing Isn’t” (August 2017).  At 09:39, he notes, “The trouble is, if you want it to be useful, well, at some point you’ve got to observe your computer, you know, to read an answer out.  And if you just measure, you know, the superposition of all answers, not having done anything else, the laws of quantum mechanics say that what you’re going to see will be a random answer.  Okay?  Well, if you just wanted a random answer, then you could have picked one yourself, with a lot less trouble.  (Audience laughs.)”  Funnily enough, at 12:55, “QUANTUM BITCOIN” appears on the screen on a slide discussing Silicon Valley Startup “QUANTUM” buzzwords.  He does say of quantum computing that “it’s not science fiction” (13:15), when discussing Google’s 22-qubit chip; near the end (14:17), he says, “Already within a few years, we may achieve what I think of as the number-one application of quantum computing, which is just to disprove the people who say that it’s impossible.  (Audience laughs.)  Could it be impossible for some deep reason that nobody has figured out yet?  Well, of course.  But in some sense, that’s the more exciting possibility.  Because that’s the possibility that means we have to rewrite all the physics textbooks.”

Aside, just to cut through some more of the quantum hype:

djb derides the alleged physical security of quantum cryptography (PDF) (“Is the security of quantum cryptography guaranteed by the laws of physics?”  djb’s answer seems to be “hahaha!”).  (To be clear, quantum cryptography is a different matter than quantum computing.)  He has also attacked the motives of quantum computing and quantum cryptography researchers (“How quantum cryptographers are stealing a quarter of a billion Euros from the European Commission. #qkd #quantumcrypto #quantummanifesto”).  Hmmm.

As for myself, I account myself moderately skeptical of quantum computing; I’ll believe it when I see it, but meanwhile I think it’s a good idea to move to PQ crypto.  I would be more surprised if quantum cryptography can deliver on its promises.  I don’t like the hype around any of it, especially when it’s sometimes used to FUD Bitcoin.

[haltingprobability]

I account myself moderately skeptical of quantum computing

I recommend the following to anybody seriously interested in understanding QC:

- https://arxiv.org/abs/1312.4455 --> "The Universe as quantum computer" by Seth Lloyd, professor of mechanical engineering and physics at the Massachusetts Institute of Technology.
- https://www.youtube.com/watch?v=dEaecUuEqfc --> "The Quantum Conspiracy: What Popularizers of QM Don't Want You to Know" by Ron Garret

Lloyd argues that quantum physics tells us that the universe is indistinguishable from a quantum computation. This is a powerful meta-argument for the perennially fashionable idea that we're inside a computer - but Lloyd argues convincingly that it's a quantum computer.

Garret explains that a lot of the popular conceptions about quantum mechanics are not only incorrect, they are locked onto pernicious misconceptions that are simply false. He throws light on the phenomena of entanglement, quantum randomness, among others. In short, Garret's approach is to look at QM through the lens of QIT (Quantum Information Theory). Combined with Lloyd's thesis that we are inside a quantum computer, this gives a "post-Simulation Hypothesis" interpretation of QM. The behavior of quantum particles is only "weird", "strange" or "bizarre" because we're using the wrong metaphors (tiny billiard balls). Nobody expects the bits in a classical computer to behave like classical particles because, obviously, bits are not particles. But, if Lloyd is right, quantum particles are ontologically informational, just like classical bits.

Consider the question: Where are the bits that encode the letter between the single-quotes? ---> 'q'

This question has no correct answer. There is no "where". Copies of the letter exist in several locations, ephemerally scattered throughout the memory of your computer, the memory of the computer that served this webpage to you, and so on. Under Lloyd's thesis, this fact is related to the fact that we can end up getting nonsense when we ask a question like, "Where is the quantum particle that ____?" Garret convicts QM popularizes of contributing to mysticism in the public about the solid facts of quantum physics.

I don’t like the hype around any of it, especially when it’s sometimes used to FUD Bitcoin.

Yeah, most of the Bitcoin FUD is ridiculous but the quantum FUD is particularly hard to stomach.

[nullius]

I recommend the following to anybody seriously interested in understanding QC:

- https://arxiv.org/abs/1312.4455 --> "The Universe as quantum computer" by Seth Lloyd, professor of mechanical engineering and physics at the Massachusetts Institute of Technology.
- https://www.youtube.com/watch?v=dEaecUuEqfc --> "The Quantum Conspiracy: What Popularizers of QM Don't Want You to Know" by Ron Garret

Thanks for that.  It’s refreshing to read a post by somebody who knows more than I do about a subject.  Though I look forward to the video, I haven’t yet put an hour of dedicated focus to it; I appreciated your brief summary.  Garret’s thesis as you describe it is fascinating, as is Lloyd’s paper.

This seems to intersect; I presume that Garret was taking aim with his “post-Simulation Hypothesis”:  “Because you asked: the Simulation Hypothesis has not been falsified; remains unfalsifiable”.

Garret explains that a lot of the popular conceptions about quantum mechanics are not only incorrect, they are locked onto pernicious misconceptions that are simply false. [...] The behavior of quantum particles is only "weird", "strange" or "bizarre" because we're using the wrong metaphors (tiny billiard balls).

What evils have been wrought by the wrong metaphors!  (Pseudo)scientifically, and otherwise.  It is the twin sin of asking the wrong questions.

Garret convicts QM popularizes of contributing to mysticism in the public about the solid facts of quantum physics.

Whilst on the subject of pseudoscientific mysticisms woven under the rubric of “educating the public”, quantum talk seems somehow incomplete without mentioning its spacetime counterpart.  One section of one webpage (plus its companion) will suffice to burn away mountains of garbage from “science popularizers” about special relativity.  It’s not even necessary to work through the equations:  Simply look at the pretty pictures of a ruler on a rotating grid.  The light bulb goes on.  Rulers never change their lengths.  Clocks never tick at different rates.  There are no paradoxes.  Those are only illusions caused by three-dimensional thinking, lack of vector maths, and too many “science popularizers”.  Of course, you probably know this...

Granted, the popular explanations sell better.  They provide an instant psychological substitute for the theological paradoxes and impossibilities of popularly fading religions.  It’s not the first time in history that similar has occurred.

As for myself:  I don’t understand special relativity.  I don’t understand quantum mechanics.  I know just barely enough to know that I would need to dedicate years of intensive study to properly claim such understanding.  I’m disgusted by the culture of “popularizers”, and the mass pretense that anybody but a few elite scholars can understand such things; these eviscerate the meaning of the word “understand”.  Attainment of actual understanding in any scientific discipline or engineering endeavour requires both innate ability and hard work.  The same applies as for any art worthy of the word.

But hey, who am I to speak?  I heard that quantum mechanics proves we have entered the astrological Age of Aquarius.  Also, it explains psychic powers.  Thanks, popularizers!

Yeah, most of the Bitcoin FUD is ridiculous but the quantum FUD is particularly hard to stomach.

Quantum FUD®.  What a most excellent buzzword.

[haltingprobability]

One section of one webpage (plus its companion) will suffice to burn away mountains of garbage from “science popularizers” about special relativity. 

What a great resource - bookmarked. There are oodles of false conceptions about SR. If I had to identify one common theme to all of these errors (and the popular errors about QM), it is forgetting that science is about observation and experiment - the maths are just a tool for organizing observed phenomena and guiding further research in an efficient way that hopefully gives us some insight into the nature of physical causality. So, when the popularizers start saying things like, "Physicists have proved the existence of unobserved dark matter and dark energy" (to take one bit of popular science mumbo-jumbo, for example), they are just taking mathematical models and reifying their components as though those components have been actually observed! Instead, mathematical models of physics often use hypothetical components that are merely inferred from experimental data - such as dark matter/energy. At the end of the day, all these formulas describe what happens (or could happen) in a laboratory, in an observatory, and so on. Without that connection to empirical measurement, physics is just really crappy, hard-to-use math.

[bijansha]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

The difficulty level of bitcoin mining gets adjusted once every two weeks. the faster the processors, the higher the difficulty level. So no, they won't destroy cryptocurrencies (bitcoin might be destroyed by other things such as competition, however)

[KaliLinux]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

We just named it and created its features that it has quantum things to do. We are applying them in our real world.
Its not a true science like destroying and it is not possible to break bitcoin. May be quantum computer have advanced technology in it which will not destroy anything.
I don't know why are you thinking about destruction which we can feel only in dreams

[Oceat]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

We just named it and created its features that it has quantum things to do. We are applying them in our real world.
Its not a true science like destroying and it is not possible to break bitcoin. May be quantum computer have advanced technology in it which will not destroy anything.
I don't know why are you thinking about destruction which we can feel only in dreams

Quantum Computer could be a big help but it does not and can not destroy Bitcoin and it cost a lot money to buy a single Quantum Computer for yourself. It may be a big help if someone would have a Quantum Computer like NASA because it is too powerful to process any large memories of files into it. Anyway, how is this going to destroy Bitcoin, it doesn't makes sense at all.

[bakerlisa510]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Yes, you are correct it can because it uses quantum-mechanical phenomena, such as superposition and entanglement, and after research I got to know that they are using AI for superposition in which it can choose both on and off (1 and 0) while computing and correct the errors and configure the private keys through public on its own!
I can see that most of people are talking about SHA-256 algorithm

SHA-256 algorithm generates an almost-unique, fixed size 256-bit hash

There might be a solution for this also I have heard about this Blockchain Security system http://blockshield.io/ which can block even AI.

[Vannie12]

No. I think it's false.
Bitcoin may not be perfect but surely it's vulnerability is not wholly. I have read that Satoshi knew the risks that bitcoin could face with such developed powerful computers that is why he built a protocol to avoid and withstand attacks. And I think bitcoin is safe against quantum computer but since there are more technological developments coming in the future, we will not know if something could come up to attack bitcoin.

[TonyMark]

such developed powerful computers that is why he built a protocol to avoid and withstand attacks. And I think bitcoin is safe against quantum computer but since there are more technological developments coming in the future, we will not know if something could come up to attack bitcoin.

and explain what that protocol is? is this the reason why people's BTC is getting stolen? Cause of this so called "Protocol"

There might be a solution for this also I have heard about this Blockchain Security system http://blockshield.io/ which can block even AI.

I checked the site I liked what they have done, Most of us are aware of the term 'Ransomware'; lately, it became a very popular term. It is a method by which cybercriminals make money. May be this one can help a little in this rather like movement against Cybercrime.

[Ucy]

Security agencies and the US DoD have tech that is at least 30 years in advance of the stuff you buy on Amazon. Quantum was likely put into production for breaking RSA 2048 in the 1990's, which is why they stopped making such a big fuss. The fact that publicly available crypto is allowed to be freely shared should tell you it's all broken.

I suspect stuff like this is going.

I think we are doomed if this is indeed true. Am sorry for guys who trust earthly government as we know it. You are creating monsters in the name of government.
Powerful entity keeping secrets is DANGEROUS.

One day you will all understand. May be too late by then.

[Rooster101]

It is said that quantum computer's massive calculating power can be able to break bitcoin security within a decade and there are report that the first quantum computer are currently under development. Some also suggest that the bitcoin protocol should be revised to make the system safer. Whether it is true or not, bitcoin must always be prepared to cope with the future's challenges to beef up its security.

[hopeAo]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

It can only pose an imminent threat to bitcoin security it can’t destroy bitcoin and moreover, bitcoin has overcome so many threats in the past.
Although, Quantum Computer will surpass the processing power of today’s classical computers, and if it does then it could break RSA (Rivest–Shamir–Adleman) encryption, a tool used to secure data transmission on the Internet. In a similar vein could also break the digital signatures used in Bitcoin and other cryptocurrencies. And the upshot of that is not good.
I believe that bitcoin will overcome this threat.

[gargavaar]

There are no quantum algorithms out there that really makes breaking hashes used by bitcoins easier.
Yet. The RSA crypto was belived to be unbreakable for some time until it was shown that a quantum computer strong enough would shred it.

Quantum computing is still quite young and the science is complicated on account of there's not really that much of quantum computers to run tests on.
When the quantum computers start to make their way out to the universities and governments, rest assured we'll see some crazy stuff, one of which might be cracks in the bitcoin integrity.
That being said, by that time, quantum encryption will be widespread and implemented in most major crypto currencies.

As it stands, the biggest threat quantum computers pose to bitcoin is the risk of rumors.
Even a false rumor can start a bank run. A widespread rumor about a bitcoin security breach could turn nasty really fast.

[quantumcat]

It is said that quantum computer's massive calculating power can be able to break bitcoin security within a decade and there are report that the first quantum computer are currently under development. Some also suggest that the bitcoin protocol should be revised to make the system safer. Whether it is true or not, bitcoin must always be prepared to cope with the future's challenges to beef up its security.

Precisely, the first quantum computers are under development and quantum computing has been a hot topic the last few months. There are some interesting developments in the area, for ex. recently Microsoft programming language called #Q -  https://www.forbes.com/sites/fredcampbell/2017/12/18/microsofts-quantum-computing-vaporware/

Edit: There are so many interesting news lately, that a fast google on 'quantum computers' shows a lot of good articles

[quantumcat]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

They don´t exist until they exist. BTW there are some projects out there that can kill bitcoin without the need for quantum computing.

Intriguing, what are those projects that can kill bitcoin?

[hatshepsut93]

After learning a bit more about Bitcoin I have a new question about theoretical attacks with quantum computer.

Public keys are generally hashed, so attackers can't use Shor's algorithm against an address that wasn't sending any transactions, but public key is included in transaction, so it gets exposed as soon a transaction is broadcast. If public key cryptography could be broken in seconds, would attackers be able to attempt to steal coins from any unconfirmed transaction by cracking private keys and broadcasting new transactions from the same address?

[ranochigo]

If public key cryptography could be broken in seconds, would attackers be able to attempt to steal coins from any unconfirmed transaction by cracking private keys and broadcasting new transactions from the same address?

There isn't any credible evidence that ECDSA could be broken using quantum computing in seconds. Even if it could and there is a negligible cost, nodes will not accept transactions with its inputs already spent by another transaction in the mempool.

[nullius]

After learning a bit more about Bitcoin I have a new question about theoretical attacks with quantum computer.

Public keys are generally hashed, so attackers can't use Shor's algorithm against an address that wasn't sending any transactions, but public key is included in transaction, so it gets exposed as soon a transaction is broadcast. If public key cryptography could be broken in seconds, would attackers be able to attempt to steal coins from any unconfirmed transaction by cracking private keys and broadcasting new transactions from the same address?

That’s a huge “if”.  Even if a practical quantum computer existed, what makes you expect it to break public key cryptography “in seconds”?  Please remember that even today, a security level of (say) 80 bits is considered far too weak; and yet, it is not something you should consider “broken in seconds”.  (Try to do 2^80 work, if you don’t believe me.)

But arguendo, assuming your “if”:  Well, then, yes, an attacker could race you to double-spend, or even mine his own block to double-spend your coins.  (I assume that an attacker equipped to break PK crypto “in seconds” could also have a big advantage over other miners.)  In that case, I would be very worried about Bitcoin security.  I would likewise be worried about the security of the entire Internet, the banking system, and everything else which would be totally shattered (worse than Bitcoin) in your scenario.  What would I do about my PGP keys?  My TLS?  My SSH?  Everything else?  Bitcoin would be one of the only things left with even a little bit of security.

I see that earlier, haltingprobability wrote me an excellent reply.  I should get back to that....

[arjun21]

I heard that Quantum Computer can destroy bitcoin.
Is it possible here?

[hatshepsut93]

That’s a huge “if”.  Even if a practical quantum computer existed, what makes you expect it to break public key cryptography “in seconds”?  Please remember that even today, a security level of (say) 80 bits is considered far too weak; and yet, it is not something you should consider “broken in seconds”.  (Try to do 2^80 work, if you don’t believe me.)

But arguendo, assuming your “if”:  Well, then, yes, an attacker could race you to double-spend, or even mine his own block to double-spend your coins.  (I assume that an attacker equipped to break PK crypto “in seconds” could also have a big advantage over other miners.)  In that case, I would be very worried about Bitcoin security.  I would likewise be worried about the security of the entire Internet, the banking system, and everything else which would be totally shattered (worse than Bitcoin) in your scenario.  What would I do about my PGP keys?  My TLS?  My SSH?  Everything else?  Bitcoin would be one of the only things left with even a little bit of security.

I see that earlier, haltingprobability wrote me an excellent reply.  I should get back to that....

I know that quantum computers are still mostly theoretical/at very early stages, so I wasn't asking if Bitcoin is in practical danger (I've read this whole thread), I'm just curious how it could work in theory.

There isn't any credible evidence that ECDSA could be broken using quantum computing in seconds. Even if it could and there is a negligible cost, nodes will not accept transactions with its inputs already spent by another transaction in the mempool.

Can attacker try to spawn some virtual nodes to slow down the propagation of original transactions and increase the chance of his own transactions reaching the miners faster?

[ranochigo]

There isn't any credible evidence that ECDSA could be broken using quantum computing in seconds. Even if it could and there is a negligible cost, nodes will not accept transactions with its inputs already spent by another transaction in the mempool.

Can attacker try to spawn some virtual nodes to slow down the propagation of original transactions and increase the chance of his own transactions reaching the miners faster?

I think it would be more worth it for the attacker to attempt a sybil attack.

It is possible for the attacker to spawn nodes under his control to capture and slow down the propagation but it isn't easy by any standards. The reference client only connects to a node per IP block and it would require a tremendous amount of IPs for the chance to be significant. If any other node is connected to the victim, the propagation would be too fast. The amount of time it takes to crack a key is still way too slow.

[hodlcoinfan]

an answer close to the truth might be "we don't know yet" but its fun to speculate!

[gargavaar]

So the general consensus is somewhere along the lines of "if quantum computing cracks Bitcoin, there will be bigger and more serious problems to worry about"?

[haltingprobability]

Security agencies and the US DoD have tech that is at least 30 years in advance of the stuff you buy on Amazon. Quantum was likely put into production for breaking RSA 2048 in the 1990's, which is why they stopped making such a big fuss. The fact that publicly available crypto is allowed to be freely shared should tell you it's all broken.

I suspect stuff like this is going.

I think we are doomed if this is indeed true. Am sorry for guys who trust earthly government as we know it. You are creating monsters in the name of government.
Powerful entity keeping secrets is DANGEROUS.

One day you will all understand. May be too late by then.

Translation:

FUD and the FUD have FUD that is at least FUD years in advance of the stuff you buy on Amazon. FUD was likely put into production for breaking RSA FUD in the 19FUD's, which is why they stopped making such a big FUD. The fact that publicly available FUD is allowed to be freely FUD'd should tell you it's all FUDDDD!!!11

I suspect FUD like this is going FUD.

I think we are FUD if this is indeed true. Am sorry for guys who FUD earthly government as we know it. You are creating FUD in the name of FUD.
Powerful FUD keeping FUD is FUD.

One day you will all understand. May be too late by then.

FUD!!!!!

 

[Shamie1002]

I don't think that any quantum computers could destroy bitcoins. It's almost a decade and all that they can do is copy and enhance a specific feature to create new coin. If bitcoin can be destroyed, maybe it was done already and alts are never called as alts anymore.
My opinion it quite through objective and observation.

With some of what I have read and my understanding. Quantum computers are becoming huge ten years from now that would give higher risks to bitcoin. The elliptic curve signature scheme used by bitcoins can be broken or cracked by that time.
But as also said, bitcoin has another security feature called public key scheme wherein protocols itslef can be revised to safer usage though there is no such steo for it as we have seen.

There are no guarantees and future might bring us intense situations that is why we need resolutions as early as possible. I hope that we won't wait for that time to happen before taking an action. Just like today by slow transactions and high fees.

[haltingprobability]

So the general consensus is somewhere along the lines of "if quantum computing cracks Bitcoin, there will be bigger and more serious problems to worry about"?

Pretty close. Here are the facts:

1) Quantum computing (QC) is really hard. It's not just easy-in-theory-but-hard-in-practice, it's theoretically and practically hard. This is why there has been, to date, no definite demonstration of quantum speedup and this is why the quantum-skeptics in the thread are saying, "Quantum is a conspiracy, it's science made up by the government."

2) QC, when we do get it working, will not provide exponential speedup.

3) For certain kinds of problems, QC can provide quadratic speedup, which is a massive speedup. For symmetric ciphers, this probably just means you double your key size - where 128 bits of security used to be sufficient, now you need 256. No big deal. The real problem is with public-key encryption. But lay-people often forget that the quantum speedup blade cuts both ways. We can build encryption systems which take advantage of quantum speedup and make quantum cryptanalysis of PKE quadratically more difficult, mooting the theoretical advantage that cryptanalysts get from quantum speedup. In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

4) The most valuable uses of QC will not be for breaking encryption unless you're the military, in which case, you more or less don't care about civilian encrypted traffic. Even in the worst-case-conspiracy-scenario where the government has had quantum computers for decades, or whatever, it is highly unlikely that this immensely valuable equipment would be used to steal your $3,786 worth of Bitcoin. A civilian breakthrough in QC will result in a flurry of cryptographic updates to bring popular public-key encryption systems up-to-date. But even if a working QC with, say, 128 qubits were announced tomorrow, the initial applications of this QC would go to sciences like aerodynamic modeling (auto + aircraft fuel efficiency), traffic modeling (metropolitan commute + traffic efficiency), financial modeling (stock price predictions), medical research (drug development + protein-folding + cell modeling), and so on. Breaking HTTPS would be very far down on the list of priorities of anyone with enough disposable cash on hand to actually purchase and operate QC hardware. And we know that QC will be expensive because of point (1).

[haltingprobability]

I know that quantum computers are still mostly theoretical/at very early stages, so I wasn't asking if Bitcoin is in practical danger (I've read this whole thread), I'm just curious how it could work in theory.

Quantum computing could, in theory, make a 51% attack into a 25% attack, if you can find a way to use a QC to provide a quadratic speedup in mining. If this happens, the network difficulty will be adjusted accordingly and miners will be forced to transition to quantum mining equipment.

The main attack vector, however, is through public keys (address reuse). If you reuse a Bitcoin address, the public key for that address is published to the world and anyone can try to reconstruct your private key from your public key. With current computers, secp256k1 gives about 128-bits equivalent security, if I'm not mistaken. So, with a quantum computer, this becomes a 64-bits search space, which is small by modern standards (even though 2⁶⁴ is more than a billion billion, an enormous number). Every reused address is susceptible to key-search in about 2⁶⁴ time with a QC.

[nullius]

haltingprobability, thank you for your informative overview of the sitation.

A few nits:

In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

0. Actually, that would be 160-bit equivalent security, yes?

1. As a general point, I will worry about disclosing Bitcoin public keys at the same time I start to worry about disclosing my long-term PGP public key.  (For those in the peanut gallery:  The latter would be entirely useless without public disclosure.)

There are excellent reasons to avoid address reuse; but this is not one of them.  I say this as a paranoid security nut:  The security of publicly disclosed public keys is just fine.  That is why they are called public keys.  The only exception I would here make is if you have coins which you intend to potentially leave in cold storage for decades.  Then, yes, you will want the extra security margin of the key being unpublished.  That’s not only a concern about quantum computers:  Unexpected cryptanalytic techniques could develop over the course of many years.  For cryptography which really needs to stand the test of time, reducing your security requirements to a hash is simply good security hygiene.  (For the same reason, I want to switch from the trust anchoring of my “nullius” nym from Ed25519 to Lamport signatures; I simply need to find or build a readily available, reasonably usable, long-term stable implementation.)

[haltingprobability]

haltingprobability, thank you for your informative overview of the sitation.

A few nits:

In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

0. Actually, that would be 160-bit equivalent security, yes?

No, because the Bitcoin address is RIPEMD160(SHA256(pubkey)), with some additional protocol things tacked onto it. If you can find some reduction of SHA256 to RIPEMD160 such that you can recover any SHA256 preimage more or less for free from the RIPEMD160 preimage, then it would be 160-bit equivalent security. The 128-bit number comes from dividing 256 by two on the assumption that the best way to brute-force a Bitcoin address with a QC is to break the RIPEMD160 (I'm counting this as zero-cost) and then break the SHA256 (I'm counting this as 256-bit / 2 security = 128-bits security).

1. As a general point, I will worry about disclosing Bitcoin public keys at the same time I start to worry about disclosing my long-term PGP public key.  (For those in the peanut gallery:  The latter would be entirely useless without public disclosure.)

Mostly agreed. AFAIK, no one has ever shown any evidence that a PGP public key has ever been brute-forced to its private key. I would imagine that the NSA may have built equipment capable of doing that, among other things, if for no other reason than for research purposes, to probe the limits of what's possible (because, the Russians, of course).

There are excellent reasons to avoid address reuse; but this is not one of them.  I say this as a paranoid security nut:  The security of publicly disclosed public keys is just fine.  That is why they are called public keys.  The only exception I would here make is if you have coins which you intend to potentially leave in cold storage for decades.  Then, yes, you will want the extra security margin of the key being unpublished.

Bingo.

[nullius]

Translation:

FUD and the FUD have FUD that is at least FUD years in advance of the stuff you buy on Amazon. FUD was likely put into production for breaking RSA FUD in the 19FUD's, which is why they stopped making such a big FUD. The fact that publicly available FUD is allowed to be freely FUD'd should tell you it's all FUDDDD!!!11

You forgot the fearsome new technology of Quantum FUD®.  With Quantum FUD® technology, the quantum computer will use quantum tunnelling teleportation to sneak into your house, eat all the cookies you left out for Santa, spray-paint graffiti all over your walls, ravish your spouse, and then sit down at your computer and send all your bitcoins to 1BitcoinEaterAddressDontSendf59kuE.  But you will never even know it, because it will also use relativistic speed-of-light acceleration to compress you thinner than dollar bill, slow down your clocks, and produce a paradox where you become your own grandfather (“hello, Mom!”).

With Quantum FUD® technology, the quantum computer will rewrite the blockchain; and also, it will rewrite the history of the entire universe multiverse.

The quantum computer with Quantum FUD® technology is insidious and subtle.  It is dangerous and terrifying to behold.  It is also a rather interesting shade of mauve.

Now that I know the truth about Quantum FUD®, I am scared.  I will now stay away from Bitcoin.  Also, I will avoid computers, sunlight, and breathing.  Thank you for informing me about this horrific existential threat to the Bitcoin.

Yeah, most of the Bitcoin FUD is ridiculous but the quantum FUD is particularly hard to stomach.

Quantum FUD®.  What a most excellent buzzword.

[nullius]

In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

0. Actually, that would be 160-bit equivalent security, yes?

No, because the Bitcoin address is RIPEMD160(SHA256(pubkey)), with some additional protocol things tacked onto it. If you can find some reduction of SHA256 to RIPEMD160 such that you can recover any SHA256 preimage more or less for free from the RIPEMD160 preimage, then it would be 160-bit equivalent security. The 128-bit number comes from dividing 256 by two on the assumption that the best way to brute-force a Bitcoin address with a QC is to break the RIPEMD160 (I'm counting this as zero-cost) and then break the SHA256 (I'm counting this as 256-bit / 2 security = 128-bits security).

I think I see what you mean.  I got wrong what I said in my “nit”; but I now have another.  Please correct me if I messed up something else here; I think that breaking a keyhash found on blockchain would require the following steps, in this order:

0. It’s impossible to recover 256 bits of pseudorandom anything from 160 pigeonholes; so I will infer that to be, find any P0 of the many 256-bit preimages for a given RIPEMD160 hash.  With a quantum computer, consider that to be the equivalent of an 80-bit problem.  Not what I would call zero.

1. Then, find a string P1 which is a valid secp256k1 public key, and is a SHA256 preimage for the SHA256 image P0.  I will wave my hands around various factors which make the search easier by expanding the search set (compressed or uncompressed public keys double the possibilities—but only if the output is not for a Segwit address) or harder (need a valid secp256k1 pubkey, not an arbitrary bitstring).  For the reason you stated, count this as the equivalent of a 128-bit problem.

2. Wield the almighty Quantum Computer to break the public key—thus revealing a private key which can spend for a public key which SHA256 hashes to a bitstring which hashes to the RIPEMD160 hash specified in the Bitcoin output.  Breaking the public key would still not be free.  I don’t know how to quantify that in “bits of security”.

So—I see the equivalent of 208+x bits of quantum computer work.  Did I get it right here?

Mostly agreed. AFAIK, no one has ever shown any evidence that a PGP public key has ever been brute-forced to its private key. I would imagine that the NSA may have built equipment capable of doing that, among other things, if for no other reason than for research purposes, to probe the limits of what's possible (because, the Russians, of course).

Even if they could, why bother to ever apply the fruits of that hypothetical research?  Endpoint security is so awful, and rubber hoses/$5 wrenches/long prison sentences are readily available.

That’s another point which should be well remembered by the people worried about hypothetical future post-quantum attacks on Bitcoin:  Malware, kidnappings, and similar attacks are the biggest vulnerability for the average user today.  Do you even know how to properly secure a computer against even the stupidest commodity s’kiddie coin stealer?  Do you brag about th size of your coin stash on Internet forums, under the doubly false presumption that both Internet posts and bitcoins be “anonymous”?  Don’t worry so much about threats which do not currently exist and may perhaps never exist, when shoot your own foot off every day.

[haltingprobability]

No, because the Bitcoin address is RIPEMD160(SHA256(pubkey)), with some additional protocol things tacked onto it. If you can find some reduction of SHA256 to RIPEMD160 such that you can recover any SHA256 preimage more or less for free from the RIPEMD160 preimage, then it would be 160-bit equivalent security. The 128-bit number comes from dividing 256 by two on the assumption that the best way to brute-force a Bitcoin address with a QC is to break the RIPEMD160 (I'm counting this as zero-cost) and then break the SHA256 (I'm counting this as 256-bit / 2 security = 128-bits security).

I think I see what you mean.  I got wrong what I said in my “nit”; but I now have another.  Please correct me if I messed up something else here; I think that breaking a keyhash found on blockchain would require the following steps, in this order:

0. It’s impossible to recover 256 bits of pseudorandom anything from 160 pigeonholes; so I will infer that to be, find any P0 of the many 256-bit preimages for a given RIPEMD160 hash.  With a quantum computer, consider that to be the equivalent of an 80-bit problem.  Not what I would call zero.

Approximately 2⁹⁶ SHA256 outputs map to each RIPEMD160 output (by the pigeon-hole principle). But the attack complexity of recovering the SHA256 preimage (the pubkey) is still 2²⁵⁶ bits of security. In other words, the RIPEMD160 step does not reduce the security of the system against recovering the pubkey. However, it does reduce the complexity of substituting another pubkey in its place (second preimage security) since you "only" have to search an average of 2¹⁵⁹ pubkeys to find one whose SHA256 hash collides with the RIPEMD160 hash:

RIPEMD160(SHA256(my_key)) = RIPEMD160(SHA256(attackers_key)) <-- brute-forcing this "only" requires 2¹⁵⁹ attempts on average

Now, you can reduce the complexity further by only attempting public keys with valid private keys (2¹²⁸ or so):

RIPEMD160(SHA256(priv_to_pub(my_priv_key))) = RIPEMD160(SHA256(priv_to_pub(attackers_priv_key))) <-- brute-forcing this "only" requires 2¹²⁷ attempts on average, however, priv_to_pub() is a very computationally expensive operation.

2. Wield the almighty Quantum Computer to break the public key—thus revealing a private key which can spend for a public key which SHA256 hashes to a bitstring which hashes to the RIPEMD160 hash specified in the Bitcoin output.  Breaking the public key would still not be free.  I don’t know how to quantify that in “bits of security”.

So—I see the equivalent of 208+x bits of quantum computer work.  Did I get it right here?

I think it's still about 128 bits search space because there are about 2¹²⁸ valid secp256k1 private keys. However, since there are 2¹⁶⁰ possible addresses, we are not guaranteed to find a collision - it is possible that a given secp256k1 private key has no other colliding Bitcoin address. But since it is a (pseudo)-random mapping, there are surely collisions (birthday paradox). If a given private key and its associated address have no collisions, the search time (not average) is 2¹⁶⁰ (you must exhaust all addresses to be sure); if 1 collision the average search time to find it is 2¹⁵⁹; if 2 collisions, the average search time is greater than 2¹⁵⁸; if 4 it is 2¹⁵⁸, and so on. I'm sure this could be written out as a sum using sigma notation if a person was determined to do so.

Endpoint security is so awful

Don't get me started...

[hatshepsut93]

@nullius, @haltingprobability

Thank you guys for your posts, I find it much easier to learn about cryptography and comp science from examples and discussions rather than just raw theory, and this is exactly the kind of replies I wanted to see when I posted my question.

Now, I got more questions.

1. Would it be possible and would it make sense to add more digital signature algorithms and more hash functions with various key/hash sizes?

For example, shorter keys, signatures and hashes would result in addresses that have smaller transaction sizes, so people could optionally use them to save up on fees. Longer keys, signatures and hashes would provide some additional security for paranoid people, at costs of higher fees.

2. RIPEMD-160 is not the only hash function in Bitcoin's Script, there's also SHA256. Does this mean that even now we can create our own P2SH outputs with more bits of security than the standard addresses that useRIPEMD-160?

P.S. To clear any possible misunderstanding - I'm not scared of QC, my questions are purely theoretical and discussions like this are helping me to get a better understanding of Bitcoin in general.

[abutingting]

Quantum computers is definitely not a threat to Bitcoin. These computers cost millions of DOLLARS and undoubtedly be able to spread.

[haltingprobability]

@nullius, @haltingprobability

Thank you guys for your posts, I find it much easier to learn about cryptography and comp science from examples and discussions rather than just raw theory, and this is exactly the kind of replies I wanted to see when I posted my question.

Now, I got more questions.

1. Would it be possible and would it make sense to add more digital signature algorithms and more hash functions with various key/hash sizes?

For example, shorter keys, signatures and hashes would result in addresses that have smaller transaction sizes, so people could optionally use them to save up on fees. Longer keys, signatures and hashes would provide some additional security for paranoid people, at costs of higher fees.

These could be added to Script as new opcodes and you can use P2WSH to implement a smart-contract that uses them.

2. RIPEMD-160 is not the only hash function in Bitcoin's Script, there's also SHA256. Does this mean that even now we can create our own P2SH outputs with more bits of security than the standard addresses that useRIPEMD-160?

You can use a script to hash-lock a transaction multiple times over. This would not really add any security, however, it would just be a silly way to subsidize miners with needless transaction fees.

[Xylber]

Quantum computers is definitely not a threat to Bitcoin. These computers cost millions of DOLLARS and undoubtedly be able to spread.

Well, but goverments, Google, Microsoft, all of them can use quantum computers.

[haltingprobability]

Quantum computers is definitely not a threat to Bitcoin. These computers cost millions of DOLLARS and undoubtedly be able to spread.

Well, but goverments, Google, Microsoft, all of them can use quantum computers.

That's why abutingting's argument is a non sequitir. QC is not a direct threat to Bitcoin for a variety of reasons - the cost of quantum computing is a part of the reason that FUD about QC is ridiculous, but not because anyone is being "priced out" of quantum computing.

[Jean1948]

I just think that the relationship are directly proportional.  To be more specific, if Quantum Computers evolve to common use, the security encryption will also evolve to match.  The quantum computing technology is not one faceted, meaning it's not only for breaking encryptions, it can be used to create more sophisticated levels encryption.

[mlgblockchain]

I just read about Quantum Computer on google. But honestly, I didn't get a clear picture. Can anybody help me out here with some simple words? I read the replies on this thread as well. But everybody is using "fake science" or similar words. What is the reality here?

[haltingprobability]

I just read about Quantum Computer on google. But honestly, I didn't get a clear picture. Can anybody help me out here with some simple words? I read the replies on this thread as well. But everybody is using "fake science" or similar words. What is the reality here?

The word "computer" has been changed by the transistor, integrated circuits, personal computers and the Internet. 50 years ago, the word "computer" had a lot more mystique and referred to a much broader class of systems. Today, the word "computer" refers to a very definite kind of system, the kind you're using to view this post. Prior to the rise of the digital computer, there were many types of computers, including mechanical computers and analog electronic computers. Analog computers are very efficient for specialized problem solving.

Quantum computers are best thought of as a very noisy analog computer. On a digital computer, we ask a question just once, and it either calculates the answer or hangs. On an analog computer, we pose a problem within the computer's domain and then we set it solving. Usually, the analog computation proceeds "directly" to the solution, that is, with a minimum of wait time. But the results of the analog computation are subject to limits of precision imposed by physical measurement - to get more digits of accuracy, you require finer measurement and more lossless action within the mechanism or circuit. For a quantum computer, we have the same measurement problem as with analog computers, plus the solutions it gives do not have the property that digital computers have - either correct or it hangs. Rather, the quantum computer will return a "distribution" of answers over repeated computations that hopefully clusters tightly around an average value, which we take to be the solution.

Imagine you're a physicist running simulations on some difficult problem of physics. Your options:

- Build a digital simulation (requires a lot of programming). Once finished, set the simulator running and walk away. When you come back, either the simulator will have solved your problem (exactly) or it will have hung.

- Build an analog simulator. You have to build a new simulator for each problem domain you want to solve. It also requires high-precision parts and cannot perform simulations to the level of precision of a digital computer. But, once built, it's much faster than a digital computer.

- Build a quantum computer. This also requires a lot of programming but you don't have to build a new quantum simulator for each problem domain since quantum computers are "general-purpose". It requires high-precision parts and other exotic measures to prevent "decoherence" (a problem that other computers do not have). It can, in principle, perform simulations to the level of precision of a digital computer but each "run" of a quantum computer is random, meaning, you don't get "the answer" on any particular run of the computer, you must run the problem repeatedly and take the average on the output. This makes quantum computers quite different from either analog computers or digital computers.

[aimexlondon]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

I couldn't agree more! no such thing!

[Accessence]

Quantum computers will actually compete with traditional transistor based computers as it turns out they'll be slower in certain aspects than their transistors based counterparts. This is based on my independent analysis of quantum computing but we'll just have to wait and watch when these devices start to roll out in the market, as far as bitcoin is concerned the worst possible scenario would be a hard fork to make it 'quantum-resistant'.

[haltingprobability]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No. Quantum theory is fake "science" and does not exist, nor do "quantum computers".

I couldn't agree more! no such thing!

Um. Wuuut?

Reality is quantum ... try it for yourself. Also.

[aurigae]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

It's something that Bitcoin's designers need to keep in mind as a "tail risk".

Quantum computers reduce the effective security of our strongest cryptographic primitives (hashes, symmetric ciphers) by about half. That is, a 256-bit hash gives about 128 bits of effective security in a world where quantum computers are used for at-scale computation. 128 bits of security is pretty good security - searching 10³⁷ gives about a 10% chance of breaking a particular hash (finding the hash preimage). 10³⁷ is 10 quadrillion quadrillion quadrillion - that's more than a billion billion times the number of hashes performed by the combined hashpower of all Bitcoin miners in order to mine a block.

The hash address is only 160 bits but it still requires 256 bits of search to break, that is, address=RIPEMD160(SHA256(pubkey)) minus a few technical details. Once you get the pubkey, we typically assume that a quantum computer will easily recover the private key from the public key. However, quantum-resistant public key encryption is still possible. Because of its quadratic advantage (theoretical) over classical computers, we have to double the key space (note that this may more than double key size). IIRC, secp256k1 is 128-bits equivalent security which we have to cut in half in a quantum-computation world - effective security is 64-bits. While 64-bits is too small for securing a large asset (such as all bitcoins), note that each address is secured by 64-bits security. So the cost of breaking all addresses in the UTXO set is at least 64 * nUTXO where nUTXO is the number of unspent transaction outputs. In other words, even with a quantum computer, you still have to break each address separately, and there are a lot of addresses.

Finally, quantum computation will actually help Bitcoin more than it will hurt it. As QC's begin to approach sufficient complexity to be able to mount serious attack against Bitcoin's cryptographic primitives, they are going to force cryptographers to revise usage across many cryptographic applications - traditional banking, government communication and data-storage, military communications systems, and so on. Quantum cryptography offers the promise of new modes of communication that are not possible with classical communication channels. Perhaps you can secure your Bitcoin address with an entangled set of qubits such that only the holder of the originally entangled qubits can prove ownership of the address. So, Bitcoin should not be having FUD about QC.

Bitcoin also need to note an attacker maybe doesent need to brute the entire keyspace if shooting for one key ie rich wallet. What are the odds of hitting a key before the entire key space is bruteforced ?  

Then theres cluster bruteforce - obviously nobody did that in a really madass large scale, at least not publicly yet. Are there even bencharks wha twould be possible? For example a botnet of really large server, 30x raids in a huge cluster. Since one of those boxes costs 50K plus, yeah one has to be serious - for that to happen the loot just has to be big enough and somebody will try.

[haltingprobability]

Note that I made a mistake on the size of the secp256k1 key space - it is greater than 2²⁵⁵, not approximately 2¹²⁸.

Bitcoin also need to note an attacker maybe doesent need to brute the entire keyspace if shooting for one key ie rich wallet. What are the odds of hitting a key before the entire key space is bruteforced ?  

"entire key space is bruteforced" --> It's difficult to give a good metaphor for how huge the secp256k1 keyspace is... it's effectively infinite.

The birthday paradox tells us that the average time to collision for an n-bit hash function is 2^n/2, in our case, 2¹²⁸. Fortunately, 2¹²⁸ is large enough that it can also be treated as "effectively infinite". At this writing, the hash rate is 8.4x10¹⁸ hashes per second. The average time to collision if you could test public keys at this rate (you can't) would be 585 billion years.

Then theres cluster bruteforce - obviously nobody did that in a really madass large scale, at least not publicly yet. Are there even bencharks wha twould be possible?

See above. If you owned all the hashing equipment in the entire Bitcoin network and could somehow use that equipment to test keys at the same rate as the hashrate, it would take 585 billion years to brute force any key. Clusters are powerful systems for computation but their compute power only grows linearly with cluster-size - a cluster of 10,000 nodes is only 10x as powerful as a cluster of 1,000 nodes. The difficulty of breaking cryptosystems grows exponentially in the number of bits of security (assuming there are no mathematical breaks).

For example a botnet of really large server, 30x raids in a huge cluster. Since one of those boxes costs 50K plus, yeah one has to be serious - for that to happen the loot just has to be big enough and somebody will try.

I think your arithmetic is off by more than you realize.

[aurigae]

Thank you!

See above. If you owned all the hashing equipment in the entire Bitcoin network and could somehow use that equipment to test keys at the same rate as the hashrate, it would take 585 billion years to brute force any key.

Im just curious but not a professional obviously, that was the first post ive read which puts it in some context

[Alonzo C]

Short answer: No
Long answer: Bitcoin's proof of work algorithm is secure because they would have to use grovers algorithm to crack sha256 which would take O(2^sqrt(n)) time instead of O(2^n) which is a good speed up but still not enough to crack sha256 (it may give miners using quantum hardware an advantage). However elliptic curves are vulnerable to attack by shor's algorithm so a new signature function would be needed for example lamport signatures, however they will not protect people who have not moved to the new signature scheme before quantum computers are created. On the upside addresses which have not had their public keys revealed are safe₁ because of the hash function protects the key but this protection is not present in the early bitcoin accounts because they did not used hashed keys for example satoshi's coins and all other coins pre-2012 which have not been put in a quantum secure could be at risk.

1: but the coins cannot be moved without comprising them
PS: If quantum computers hit the world by surprise we have more to worry about than bitcoin

[Hamphser]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Nope, Quantum Computer cant really easily decrypt cryptocurrencies and as being said its much harder to solve out 2x than on x2 which have been mentioned on previous pages of this thread which I do completely agree. This is why I don't really see that these computers would really be a big threat. If it can affect then it would not be on major thing for sure and besides this apparatus is costly.

[swogerino]

Quantum computers is definitely not a threat to Bitcoin. These computers cost millions of DOLLARS and undoubtedly be able to spread.

Well, but goverments, Google, Microsoft, all of them can use quantum computers.

You can choose to fight back with the little tools at our disposal. TAILS Linux operating system is an OS which has Electrum included and you can keep the seed in a safe place and restore it every time your run TAILS. This operating system doesn't leave any trace on your computer unless you want to, when it connects to the internet it only connects through TOR browser so government cannot do that much to stop anyone from using Bitcoin or be a threat to your Bitcoins.

Quantum computers are not build to be a threat to cryptocurrencies but to help aid NSA and other security agencies do their job better.

[Yabuy92]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Quantum computers could crack Bitcoin, but fixes are available now,actually there is good news about this. its proof-of-work isn't as vulnerable to “quantum speedup” as people think, and the signature can be replaced with something more quantum-resistant before the day of reckoning.

[lemonmob]

Quantum computers are the best medium you can use in order for you to get and mine as much Bitcoins as you can. You need to understand that quantum computers are the best there is.

[Vigme86]

So the general consensus is somewhere along the lines of "if quantum computing cracks Bitcoin, there will be bigger and more serious problems to worry about"?

Pretty close. Here are the facts:

...

3) For certain kinds of problems, QC can provide quadratic speedup, which is a massive speedup. For symmetric ciphers, this probably just means you double your key size - where 128 bits of security used to be sufficient, now you need 256. No big deal. The real problem is with public-key encryption. But lay-people often forget that the quantum speedup blade cuts both ways. We can build encryption systems which take advantage of quantum speedup and make quantum cryptanalysis of PKE quadratically more difficult, mooting the theoretical advantage that cryptanalysts get from quantum speedup. In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

...

I'm sorry to short your message but I would know at the underlined sentence if I have good understood the point.
The fact that Public Key and Bitcoin Address are different is not a safeguard against Quantum computing, because when you sign a transaction you are revealing on the blockchain your Publickey, so that Adress can be exposed to QC attack, is that correct?

My doubt is when you speak about "address-reuse": what do you mean with that? I have a cold storage paper wallet ecrypted via BIP0038 where I periodically put some cash into that. I've never spent BTC on that but there is not a single but multiple input transactions, so there are multiple utxo transactions on the blockchain. Until I don't spend bitcoin is it still secured or not? Should I use a cold storage paper wallet for every transaction?

Thanks in advance

[nullius]

3) For certain kinds of problems, QC can provide quadratic speedup, which is a massive speedup. For symmetric ciphers, this probably just means you double your key size - where 128 bits of security used to be sufficient, now you need 256. No big deal. The real problem is with public-key encryption. But lay-people often forget that the quantum speedup blade cuts both ways. We can build encryption systems which take advantage of quantum speedup and make quantum cryptanalysis of PKE quadratically more difficult, mooting the theoretical advantage that cryptanalysts get from quantum speedup. In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

...

I'm sorry to short your message but I would know at the underlined sentence if I have good understood the point.
The fact that Public Key and Bitcoin Address are different is not a safeguard against Quantum computing, because when you sign a transaction you are revealing on the blockchain your Publickey, so that Adress can be exposed to QC attack, is that correct?

My doubt is when you speak about "address-reuse": what do you mean with that? I have a cold storage paper wallet ecrypted via BIP0038 where I periodically put some cash into that. I've never spent BTC on that but there is not a single but multiple input transactions, so there are multiple utxo transactions on the blockchain. Until I don't spend bitcoin is it still secured or not? Should I use a cold storage paper wallet for every transaction?

Thanks in advance

In this particular context (but see below), “address reuse” means reuse of an address from which you have spent.  Transactions to your address contain the public keys of whoever sent you the money—not your public key.  But the only information revealed in the blockchain when you receive money is the Hash160 (RIPEMD160 of SHA256) of your public key.  That is what haltingprobability referred to as the “public-key hash” in the portion you underlined.

(For the sake of simplicity, I here assume only P2PKH and P2WPKH addresses.  What do these stand for?  “Pay To (Witness) Public Key Hash”.)

But this discussion misses the point that the security of public keys is just fine.  It seems that you missed this upthread:

There are excellent reasons to avoid address reuse; but this is not one of them.  I say this as a paranoid security nut:  The security of publicly disclosed public keys is just fine.  That is why they are called public keys.  The only exception I would here make is if you have coins which you intend to potentially leave in cold storage for decades.  Then, yes, you will want the extra security margin of the key being unpublished.

Bingo.

Do you intend to leave the coins in cold storage for decades?  If so, then I recommend that you do what you said you’re doing:  Use the addresses for receiving only.  Not that I expect for secp256k1 to be broken:  If storing something for decades (or longer), I prefer some extra security margin “just in case”.

Otherwise, there is no reason to worry about revealing the public key.  secp256k1 is secure.  You may rely on it.

But there is another, very different reason to avoid reuse of addresses for both sending and receiving:  Privacy.  Blockchain analysis is already easy enough for experts.  Address reuse of all kinds makes it trivial.

To start with, for a bare modicum of privacy, use one HD wallet with the seed and keys generated (and backed up!) on an airgapped computer; and from that wallet, use a different address every time you receive money.  This recommendation has nothing to do with the security of your money against attacks on public keys.

[Vigme86]

...

...

In this particular context (but see below), “address reuse” means reuse of an address from which you have spent.  Transactions to your address contain the public keys of whoever sent you the money—not your public key.  But the only information revealed in the blockchain when you receive money is the Hash160 (RIPEMD160 of SHA256) of your public key.  That is what haltingprobability referred to as the “public-key hash” in the portion you underlined.

(For the sake of simplicity, I here assume only P2PKH and P2WPKH addresses.  What do these stand for?  “Pay To (Witness) Public Key Hash”.)

But this discussion misses the point that the security of public keys is just fine.  It seems that you missed this upthread:

There are excellent reasons to avoid address reuse; but this is not one of them.  I say this as a paranoid security nut:  The security of publicly disclosed public keys is just fine.  That is why they are called public keys.  The only exception I would here make is if you have coins which you intend to potentially leave in cold storage for decades.  Then, yes, you will want the extra security margin of the key being unpublished.

Bingo.

Do you intend to leave the coins in cold storage for decades?  If so, then I recommend that you do what you said you’re doing:  Use the addresses for receiving only.  Not that I expect for secp256k1 to be broken:  If storing something for decades (or longer), I prefer some extra security margin “just in case”.

Otherwise, there is no reason to worry about revealing the public key.  secp256k1 is secure.  You may rely on it.

But there is another, very different reason to avoid reuse of addresses for both sending and receiving:  Privacy.  Blockchain analysis is already easy enough for experts.  Address reuse of all kinds makes it trivial.

To start with, for a bare modicum of privacy, use one HD wallet with the seed and keys generated (and backed up!) on an airgapped computer; and from that wallet, use a different address every time you receive money.  This recommendation has nothing to do with the security of your money against attacks on public keys.

I had not seen the upthread, indeed, but I meant what I said, it's on a long-time basis (maybe not decades, let's say some years) and I'm currently storing my big savings in btc on a paper wallet generated on an offline computer and encrypted via BIP0038 (actually big for me , maybe for you guys could be a ridiculous sum).
I have always bought my mBTC on different exchanges and then sent to my Address, I've never verified what kind of transactions the exchanges have made, but I suppose it was a P2PKH (is there a way to know that ?). I do that because I've read on "Mastering Bitcoin" this is the way Antonopoulos stores 95% of its bitcoins.

HD Wallet? I've Electrum on my phone but it's just for some bucks I'm not able to move due high fees level of these days, anyway seed is backed up and I have downloaded BIP0032 program to found every private key from that one.

Anyway thanks again for your answer

[PEG-TOKEN]

The main thing here is the possibility and the way that quantum computers will work.

Computers today talk binary they can only be a 0 or a 1 at any time.
Quantum computers have the advantage of being able to be a  0 and a 1 at the same time.
or  0 and 0
or 1 and 1
or 0 and 1
ect ect ect

So this brings the possibility of code cracking to the extreme.
The first quantum computer to start attacking SHA we could be in trouble..

But chances are that will not be for a very long time dew to many complexities around not only the size but the functionality of quantum mechanics.

When we do reach the realm of quantum being the standard - 30-50 years away there will be new quantum security that will be developed.

[Victorheywhy]

Hmmn, I'm not too sure about that. Nothing is impossible, though. Is it really too safe to store our coins on a system for years?

[haltingprobability]

Nothing is impossible, though.

If nothing is impossible, then "everything is impossible" is possible, in which case, nothing is possible.

[nullius]

Nothing is impossible, though.

If nothing is impossible, then "everything is impossible" is possible, in which case, nothing is possible.

That paradox hit me faster than the speed of light; and my Quantum FUD® got entangled in the superposition of impossibilities.

(@Vigme86, I began writing you a reply earlier; may do later, time permitting.  Your setup sounds decent; good luck with your long-term holding.)

[Ramjan]

Quantum PCs will really contend with conventional transistor based PCs things being what they are they'll be slower in specific viewpoints than their transistors based partners. This depends on my free investigation of quantum processing yet we'll simply need to pause and watch when these gadgets begin to take off in the market, the extent that bitcoin is concerned the most exceedingly terrible conceivable situation would be a hard fork to make it 'quantum-safe'

[Kahhar]

Is it true that IOTA is the only crypto "quantum-proof"?
Just heard that in their bumph..
E

I think IOTA is only quantum resistant, quantum proof would be a whole level up (e.g., like the difference between products that are water resistant vs water proof).

QRL is another crypto that is quantum resistant; supposedly slightly more so than IOTA.

[thegamblingbay]

Nothing is impossible, though.

If nothing is impossible, then "everything is impossible" is possible, in which case, nothing is possible.

how is "everything impossible" if "nothing is impossible"

shouldn't it be "everything is possible" if "nothing is impossible"?

it's not a paradox really, is it ?


also you are forgetting, quantum computers will in fact speed the arithmetic operations like cracking SHA but it will also bring new age encryption methods with which you can *tell* if someone opened the stream or not .... with all that "until observed" sort of thing... so i wouldn't worry yet. besides we're at least a decade away from commercial quantum computers.

[Odlanyer]

Quantum computing is computing using quantum-mechanical phenomena, such as superposition and entanglement. A quantum computer is a device that performs quantum computing, it is already existing but none of the issue that bitcoin will be destroyed by any kind of it and ability to attack bitcoin,et the private key from public key. However if you use bitcoin properly you are safe from the quantum computers because it have a ability to destroy bitcoin.

[haltingprobability]

Nothing is impossible, though.

If nothing is impossible, then "everything is impossible" is possible, in which case, nothing is possible.

how is "everything impossible" if "nothing is impossible"

shouldn't it be "everything is possible" if "nothing is impossible"?

it's not a paradox really, is it ?

It's a self-contradiction. See here. Specifically:

"In classical modal logic, a proposition is said to be possible if and only if it is not necessarily false (regardless of whether it is actually true or actually false);"

From this definition, "everything is possible" means "everything is not necessarily false", which is false, since there are necessarily false statements (contradictions). Thus, "everything is possible" is a self-contradiction.

[sherlenekupo]

Yes it possible, as the technology keep evolving and changing. Currently quantum computing is still in the early stage but whos know, it might take some time to reaches the level that could possibly destroy bitcoin

[jafu]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

No, on the grounds that the difficulty will naturally increment to coordinate Quantum Computer level capacities. So it will level out The income sans work in Bitcoin was made on the grounds that the common movement in cost was to the upside. Since it can go both here and there, mining will be significantly more troublesome.

[gargavaar]

Is it true that IOTA is the only crypto "quantum-proof"?
Just heard that in their bumph..
E

I think IOTA is only quantum resistant, quantum proof would be a whole level up (e.g., like the difference between products that are water resistant vs water proof).

QRL is another crypto that is quantum resistant; supposedly slightly more so than IOTA.

Is there any crypto out there that is truly quantum proof yet. Is all software only systems vulnerable?

[Crypto Lion]

I haven't heard much news of a quantum computer taking out Bitcoin or stealing some of its currency yet. Which is a good thing, but once it does happen god save the Bitcoin. Cryptocurrencies need to continuously find ways to protect their base so that this issue doesn't happen or reduce the chances of it happening often.

[Jolyquinzel]

On contrary, firstly, Quantum computers exist already (military, aviation, NASA, etc) and nothing happened to us, although our governments could destroy this network for so many times. Secondly, I heard that Quantum computers will make mining much faster, though you won't be able to steal private keys with it.

[Aikidoka]

The title reminds me of Quantum Mechanics which is complicated and I fail yet to grasp it fully. I do believe that Quantum Computer is not real, and even if it does exist, it will not be sufficient to destroy bitcoin. The latter cannot cease to exist because many smart people are backing it up.

As a matter of fact, the only thing that can destroy bitcoin; either the internet gets shut down or people stops using bitcoin, thus its value will cease to exist. Apart from the mentioned, I believe nothing can destroy it.

[albypav]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

The current ones no but in future yes, if bitcoin doesn't change / upgrade.

[--DarkSecrets--]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

The current ones no but in future yes, if bitcoin doesn't change / upgrade.

I think bitcoin is now working for an innovation on how it can keep up with the new arising cryptocurrencies. We just have to put our trust to bitcoin because the deman is a factor of its price as well. In most remote countries that already have internet, there are just starting to learn about bitcoin and are interested in those.

[spiker777]

Currently, quantum computers such as Google's D-wave operates at 2000qb/s, which is impressive compared to its predecessor, but still nothing close to the power required to crack strong encryption algorithms.

Right now, quantum computer are in their infancy, however in future, once competition increases, and machine learning algorithms can be applied in non-vector calculations, we'll see a new generation in computing power.

[bismillahi]

Yes, it can, but maybe hundred years again, or maybe faster than that.
Quantum computer technology maybe can grow fast, but you know Bitcoin and other cryptocurrency is also technology that also always growing
Bitcoin will die, but a lot of cryptocurrency with modern technology will survive, new algo will created and Boom Bitcoin crown will replaced by more secured and featured cryptocurrency

[Mr.boombastick]

https://bitcointalk.org/index.php?topic=2791622.msg28577593#msg28577593 - this project found solution against quantum computer

[stefanotomakan]

Isn't Bitcoin (and Monero for that matter) already quantum-resistant?

[monkeydominicorobin]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Again read the FAQ of the main Bitcoin site. Quantum computers will never ever destroy Bitcoin. Period.

[bestr17]

An international group of quantum boffins reckons Bitcoin could be broken by the year 2027.Right now Bitcoin actually has a little bit of quantum resistance built into it. As long as users are changing addresses with every new transaction -which is obviously recommended- then they mitigate the exposure their private keys to being cracked. The speed with which a quantum computer would need to break that key is insane for now as well. It would have to crack the key up between the time the transaction is signed and when it is packaged into a block. So dont worry about it in nearest couple years))

[Airdrop Manager]

I read that it took several thousand years for quantum computers to decrypt a private key btc.....

[rillater]

It could happen sooner than you think. Intel continues to develop quantum processors. During the Consumer Electronics Show in Las Vegas, Intel announced that it had designed, manufactured and delivered its first experimental quantum processor with 49 qubits.
Fortunately it will take five to seven years before the industry can deal with engineering problems and probably 1 million or more qubits will be needed to achieve commercial relevance.
But from what I read, it would only be necessary to reach the 400,000 qubits to decrypt all the Bitcoin private keys.
Luckily the Bitcoin world will not be stopped and is already working on qBitcoin (quantum Bitcoin) to take advantage of the power of these computers to preserve the system.

[Ghostsss]

According to scientists, the majority of modern cryptographic protocols that ensure the security of Internet transactions and financial transactions are potentially vulnerable to a sufficiently large quantum computer. To the services that are threatened by hacking, they also carried cryptocurrencies.

[NITCoinOfficial]

Quantum computer is not something you can build in your basement (for now). I am sure there are a few countries who already achieved this goal and probably have all the bitcoin private keys already. However, they are not telling anyone about this and never will. What's more important is that most cryptocurrencies are built on similar sha256 hashes, having all key-pairs is a job you need to do only once if you're using the same crypto-curve.

[georgiasus]

that's a moot point. I think in the middle of 2018 we will find out the answer to this question. just this momet is expected to update in the development of a quantum computer.

[Fantastic33]

Quantum computer is a technology which can be useful in the future in some ways such as solving advance optimization problems. But it can also pose problems on cryptocurrencies once it was successfully developed, because it could upend cryptography and security by cracking otherwise invincible codes. Since quantum computers are not yet existing, then we dont have to worry. Or if its possible that it can be created, i think that the bitcoin teachnology already  did a solution for that.

[xieqieshangu9]

It doesn't matter, the quantum computer has a monopoly on power, but it's just an account, it doesn't change the total amount of bitcoins and the annual output. And since 2040, the production of bitcoins has been very low. Miners have not made much money, and a centralized accounting quantum computer is well worth it!

[george888055]

Because it is significant to understand the limitations and threats of a crypto system. In a couple of years down the road, QCs will be able to break current bitcoin's crypto

[sort_cirkit]

Quantum computers could crack Bitcoin, but fixes are available now said  www.theregister.co.uk https://www.theregister.co.uk/2017/11/09/quantum_computers_could_crack_bitcoin/

Bitcoin is an important feature of its security. Bitcoin has two important security features that prevent them from stolen or copied. Both are based on cryptographic protocols which are hard to crack. In other words, they distort the mathematical function, such as factiveness, which is easy at one hand but is harder for others - at least one common classical computer.

[Spendulus]

Because it is significant to understand the limitations and threats of a crypto system. In a couple of years down the road, QCs will be able to break current bitcoin's crypto

Long before any of "bitcoin's crypto" was "broken," every password of less than 12 digits is broken. Then every password of 16 digits, then 20, whatever...far down that line is bitcoin with >50 digits.

If every password of less than n digits is broken where (n < 25% of length of bitcoin private key) then certainly some of those passwords would be to the likes of coinbase.

But that dodges the question, doesn't it?

[vanslyien]

Where do you heard this? The possibilities raised was, if quantum computer can destroy bitcoin. In making an act, specifically a criminal act especially this one which may be categorized into cyber crime but just to be clear if there is no law punishing it there is no crime which lead to another question. Is there a penalty if a person violated the rules and guidelines in Bitcoin? I believed there is, I will read further on this query I've raised.  . Back into executing an act, there is three elements. 1. Motive - What possible motive a person will drive him to destroy bitcoin if he posses a quantum computer wherein in fact there are numerous advantages he can get if he use one in the arena of virtual currency, 2. Instrument - the quantum computer itself, 3. Opportunity - there are lots of opportunities in the world of cyberspace.

"It Always Seems Impossible Until It Is Done" - Nelson Mandela.

[diwataluna]

This is an interesting topic. I have only been familiar with quantum computing for a month. Reading all the responses and links shared, it looks like quantum computers won't break bitcoin anytime soon. And the technology will catch up soon to resist such attacks. There is already an awareness of the threat from the start.

[melamiras]

This is an interesting topic. I have only been familiar with quantum computing for a month. Reading all the responses and links shared, it looks like quantum computers won't break bitcoin anytime soon. And the technology will catch up soon to resist such attacks. There is already an awareness of the threat from the start.

There are a million things that could potentially kill bitcoin before quantum computing becomes a reallity. I think that BTC will be dead in 4 years if not less, no need for supercomputing.

[imjustagirl]

It is possible. Let's say I have access to all computers and servers in the world and can use at least 10 % of their power to generate all bitcoin wallets and I have a big enough storage drive to get the results. It would take a few years, but I will have all those keypairs. Invent a better algorithm for generation, speed it up and maybe it will take even less time. Index the database and there you have it. The other reason as to why you will never know about it, is because nobody who would do such a thing would tell anyone about it. Why would they? Drop the bitcoin price? Set a world panic? Destroy bitcoin? Why would you, if you have access to all bitcoins? Why would you even take more than you need? Why not just empty the long lost wallets, and nobody would even notice. There are far better purposes for quantum computers than to generate bitcoin keypairs, let's do some calculations to get us further into space, move to Mars, improve statistics, make science breakthroughs, etc.

[DannyHamilton]

Let's say I have access to all computers and servers in the world and can use at least 10 % of their power to generate all bitcoin wallets and I have a big enough storage drive to get the results. It would take a few years,

You might want to double check your maths...

There are 2¹⁶⁰ different addresses.
2¹⁶⁰ = 1461501637330902918203684832716283019655932542976

There are approximately 7.4 BILLION people on earth.

If we give EVERY ONE OF THEM (infants, elderly, etc) 1 MILLION computers, AND each of those computers are able to generate 1 BILLION addresses per second, AND we used 100% of that power to do nothing else other than generate all bitcoin wallets continuously without interruption, then we'd generate approximately:
7,400,000,000 people X 1,000,000 computers X 1,000,000,000 addresses per sec = 7400000000000000000000000 addresses per second.

At that rate, it would take:
1461501637330902918203684832716283019655932542976 addresses / 7400000000000000000000000 addresses per second =
197500221260932826784282 seconds to generate all bitcoin wallets.

There are approximately 31557600 seconds in a year.
197500221260932826784282 seconds / 31557600 seconds per year = 6,258,404,354,606,587 years

That's more than 6.2 QUADRILLION years!

The entire universe since the Big Bang has only existed for about 13.8 BILLION years.  That means you'd have to continue this process from the beginning of the Big Bang until today, and then repeat that 453,508 more times!

THAT SOUNDS LIKE A LOT MORE THAN "a few years" TO ME! (and with a lot more computing power than you were suggesting).

[Kingigolo]

A quantum computer cannot destroy bitcoins, of course it'll have superior processing ability and greater storage capacity but it'll not be able to destroy bitcoins.

[zhangxie29152784]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

According to the latest research by security experts, the power of quantum computers will be able to break the security of bitcoin within 10 years, and security is one of the foundations of bitcoin as a virtual token.

An important feature of bitcoin is its security. Bitcoin has two important security features to prevent them from being stolen or copied. Both features are based on unbreakable cryptographic protocols.

But quantum computers can easily solve these problems, according to a team of Dave garwal. And the world's big tech giants are already working on their first quantum computers.

[bertak]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

According to the latest research by security experts, the power of quantum computers will be able to break the security of bitcoin within 10 years, and security is one of the foundations of bitcoin as a virtual token.

An important feature of bitcoin is its security. Bitcoin has two important security features to prevent them from being stolen or copied. Both features are based on unbreakable cryptographic protocols.

But quantum computers can easily solve these problems, according to a team of Dave garwal. And the world's big tech giants are already working on their first quantum computers.

10 years is a long time. During this time, bitcoin will lose its leadership and will be replaced by a more functional cryptocurrency that will support quantum computers. I have heard that some projects are already beginning to study this area.

[Austin Alexis]

I think social issues are way more of a threat to the future of cryptocurrency. I'd love to see the point where quantum computers are launching attacks because this is probably still years away

[OpenPoll]

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

According to the latest research by security experts, the power of quantum computers will be able to break the security of bitcoin within 10 years, and security is one of the foundations of bitcoin as a virtual token.

An important feature of bitcoin is its security. Bitcoin has two important security features to prevent them from being stolen or copied. Both features are based on unbreakable cryptographic protocols.

But quantum computers can easily solve these problems, according to a team of Dave garwal. And the world's big tech giants are already working on their first quantum computers.

Bitcoin will not be destroyed if quantum computers become powerful enough to solve ECDSA keys due to masked addresses (which Gover's algorithm only provides a quadratic speedup to reverse addresses to the corresponding public key). However, it will be severely impacted and public perception of bitcoin will likely tank causing a market crash.

[LienTHETRADER]

I will help the computeres to do that if they cant do it by yourselves because i want to end this so called Btc ecosystem to save the world

[rausvi11]

Let's say I have access to all computers and servers in the world and can use at least 10 % of their power to generate all bitcoin wallets and I have a big enough storage drive to get the results. It would take a few years,

You might want to double check your maths...

There are 2¹⁶⁰ different addresses.
2¹⁶⁰ = 1461501637330902918203684832716283019655932542976

There are approximately 7.4 BILLION people on earth.

If we give EVERY ONE OF THEM (infants, elderly, etc) 1 MILLION computers, AND each of those computers are able to generate 1 BILLION addresses per second, AND we used 100% of that power to do nothing else other than generate all bitcoin wallets continuously without interruption, then we'd generate approximately:
7,400,000,000 people X 1,000,000 computers X 1,000,000,000 addresses per sec = 7400000000000000000000000 addresses per second.

At that rate, it would take:
1461501637330902918203684832716283019655932542976 addresses / 7400000000000000000000000 addresses per second =
197500221260932826784282 seconds to generate all bitcoin wallets.

There are approximately 31557600 seconds in a year.
197500221260932826784282 seconds / 31557600 seconds per year = 6,258,404,354,606,587 years

That's more than 6.2 QUADRILLION years!

The entire universe since the Big Bang has only existed for about 13.8 BILLION years.  That means you'd have to continue this process from the beginning of the Big Bang until today, and then repeat that 453,508 more times!

THAT SOUNDS LIKE A LOT MORE THAN "a few years" TO ME! (and with a lot more computing power than you were suggesting).

nice one 
we don`t have to worry ... but there is a way if someday... someone.... create some ASIC kind of computer to generate 1PentaBillion addresses/second ?? ((

[khelan]

it is possible but still there is no such technology available.. so relax.. also developers are working on antiquatum hacking blockachain hope it will be ready soon

[nullius]

It is possible. Let's say I have access to all computers and servers in the world and can use at least 10 % of their power to generate all bitcoin wallets and I have a big enough storage drive to get the results. It would take a few years, but I will have all those keypairs. Invent a better algorithm for generation, speed it up and maybe it will take even less time. Index the database and there you have it. The other reason as to why you will never know about it, is because nobody who would do such a thing would tell anyone about it. Why would they? Drop the bitcoin price? Set a world panic? Destroy bitcoin? Why would you, if you have access to all bitcoins? Why would you even take more than you need? Why not just empty the long lost wallets, and nobody would even notice. There are far better purposes for quantum computers than to generate bitcoin keypairs, let's do some calculations to get us further into space, move to Mars, improve statistics, make science breakthroughs, etc.

Translation:  Ill-informed idiot who whines that merit should be awarded by bots (!) is fishing for merit by posting innumerate nonsense in Development & Technical Discussion.

If you don’t know, then say you don’t know.  I admit, the set of things I do not know is infinite.  But don’t make stuff up and post it in an authoritative-sounding manner.  Nobody is buying what you’re selling.

I even dont know what these quantum computers are because I am a newbie here in this ecosystem. Help me out of this threat

Try reading the thread.  Many intelligent answers were given back in December.

This is officially the spam megathread of Development & Technology Discussion.

Let's say I have access to all computers and servers in the world and can use at least 10 % of their power to generate all bitcoin wallets and I have a big enough storage drive to get the results. It would take a few years,

You might want to double check your maths...

There are 2¹⁶⁰ different addresses.
2¹⁶⁰ = 1461501637330902918203684832716283019655932542976

[...correct maths...]

The entire universe since the Big Bang has only existed for about 13.8 BILLION years.  That means you'd have to continue this process from the beginning of the Big Bang until today, and then repeat that 453,508 more times!

THAT SOUNDS LIKE A LOT MORE THAN "a few years" TO ME! (and with a lot more computing power than you were suggesting).

nice one 
we don`t have to worry ... but there is a way if someday... someone.... create some ASIC kind of computer to generate 1PentaBillion addresses/second ?? ((

“1PentaBillion” = 5 billion addresses.  What did you think it meant?

Although your “consumer-grade” laptop won’t be able to, there are already many computers which can generate that many addresses in a second.  Easily.  But it makes no difference.  Compared to 2¹⁶⁰, the difference between 1 million and 5 billion is not so impressive.

ASICs are not magical.  They are simply Application-Specific Integrated Circuits, highly optimized to run one specific program which is literally cast in silicon.  They cannot defy the laws of physics, much less the laws of mathematics.  There is still a limit on how fast they can perform computations.  Also, importantly:  They need energy.

2¹²⁸ is an infinitesimal fraction of 2¹⁶⁰; and a 2¹²⁸ security level is already what I call “boil the oceans security”, because the energy required for 2¹²⁸ computations would boil the oceans (and more...).  It is humanly impossible to perform such vast amounts of computation, and it will always be humanly impossible.

You just do not get how big these numbers are.