Bitcoin’s race to outrun the quantum computer

[thorRJ]

Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.

The world will be able to fix the quantum issue and implement a quantum secure mode through rewinding, freezing, correcting accounts. But Bitcoin can't and that will lead to forks.

I'm confident that the community will come into consensus to hard fork, if the threat of quantum computers will be the "death of Bitcoin". It will not be close to a debate.

i wouldn't be so sure about that!
we are talking about a major change with a hard fork and it is not like there is only one solution that everyone could jump on board. there is a ton of different things that will cause a ton of drama. for starters which algorithm to choose? and worst of all what to do with coins that won't move such as outputs that were made in early years such as 2009 (naively referred to as Satoshi's coins). should we burn them? you see there is a lot of room for debates.

What do mean satoshi coins ( Are BTC Test Coins) ?  Who has balance until 2009 the balance on the wallets were frozen?

[1714824282]

1714824282

[1714824282]

1714824282

[1714824282]

1714824282

[1714824282]

1714824282

[nc50lc]

What do mean satoshi coins ( Are BTC Test Coins) ?

It's not totally for testing but "to start Bitcoin network" since it need at least one miner to make transactions.
A bit off-topic but... those are the "block rewards" for the earliest blocks that allegedly mined by Satoshi (excluding genesis block),
so it's fair to assume that he had the private keys of those addresses so he can spend it whenever he wants.

To get this topic back on track, the coinbase transaction for those blocks have their public keys displayed.
And when you know the public key, you theoretically can brute-force the private key using a functional Magic Quantum Computer.

Ex.: Reward for block 10 - you can get the public key by getting the output script.

Code:

PUSHDATA(65)[04fcc2888ca91cf0103d8c5797c256bf976e81f280205d002d85b9b622ed1a6f820866c7b5fe12285cfa78c035355d752fc94a398b67597dc4fbb5b386816425dd] CHECKSIG

The hex inside "[]".

[figmentofmyass]

How can you even know if somehting is quantum resistant? Seems a computer that powerful will be able to crack anything you put in front of it.

it's difficult to speculate on but i don't think it would be fair to assume that once 1 quantum computing problem is solved, every other one magically evaporates. if the bar were set that low, google would have already broken bitcoin.

you bring up a good point though. it's more just a matter of time. (if quantum computing theories are correct, that is)

that's probably the most prudent way to approach this problem.


https://medium.com/@nopara73/stealing-satoshis-bitcoins-cc4d57919a2b

[figmentofmyass]

How can you even know if somehting is quantum resistant? Seems a computer that powerful will be able to crack anything you put in front of it.

Quantum Computer isn't miracle or magic which can solve any computational problem that exist. Try reading https://www.cs.virginia.edu/~robins/The_Limits_of_Quantum_Computers.pdf.

the spirit of what he's saying is important though. for example, there is an assumption often repeated that unspent P2PKH outputs are quantum resistant because they don't expose the public key. but as pieter wuille points out, this is based on little more than the hope that a hypothetical quantum computer is too slow to steal from unconfirmed transactions.

One often repeated argument in favor is quantum resistance. I believe this is besides the point. We have no idea what the characteristics of a hypothetical machine relying on yet to be invented technology will be. Given the degree of key reuse on the network (so there are addresses with known public keys), the existence of a system that can break ECDSA is likely a death blow to Bitcoin. A real solution to that is to prepare and have real quantum-resistant cryptography in place before it's too late. Relying on a weird hope that those hypothetical machines are somehow too slow to steal from unconfirmed transactions before they're mined is a red herring.

[pereira4]

How can you even know if somehting is quantum resistant? Seems a computer that powerful will be able to crack anything you put in front of it.

Quantum Computer isn't miracle or magic which can solve any computational problem that exist. Try reading https://www.cs.virginia.edu/~robins/The_Limits_of_Quantum_Computers.pdf.

the spirit of what he's saying is important though. for example, there is an assumption often repeated that unspent P2PKH outputs are quantum resistant because they don't expose the public key. but as pieter wuille points out, this is based on little more than the hope that a hypothetical quantum computer is too slow to steal from unconfirmed transactions.

One often repeated argument in favor is quantum resistance. I believe this is besides the point. We have no idea what the characteristics of a hypothetical machine relying on yet to be invented technology will be. Given the degree of key reuse on the network (so there are addresses with known public keys), the existence of a system that can break ECDSA is likely a death blow to Bitcoin. A real solution to that is to prepare and have real quantum-resistant cryptography in place before it's too late. Relying on a weird hope that those hypothetical machines are somehow too slow to steal from unconfirmed transactions before they're mined is a red herring.

The main problem here is getting everyone on board for a preventive hardfork. What Peter Wiulle says is common sense, however it has been tested throughout history how common sense doesn't apply when big groups of people are trying to come up with an agreement. Consider that we cannot even reach a consensus on if climate change is going to ruin our entire species or not. A big variety of arguments on a wide scale exists from "the poles are melting soon" to "it's just a hoax". Similarly, I see a similar fate with this: "quantum computers are coming, let's fork now", "quantum computers are useless and cannot get anything of relevancy done, forking Bitcoin is too much of a risk".

My take is that there will be no moves being made only AFTER an actual quantum computer does something that leaves all of us scared shitless, such as moving satoshis coins into your nearest exchanger. Even then, there will be people discussing which is best to move at. I guess the forks will be made and it will be decided through hashrate, hodlers support dumping on each other, services listing one or another fork... until only one survives. This ruling out that one of the forks chooses an alternative to ECDSA/sha-256 that has a bug/exploit and it ends up badly. I would be too unlikely that at least one doesn't survive.

[Hydrogen]

Maybe this competition is intended to create encryption standards utilized by the entire world that have backdoors or vulnerabilities specifically engineered into them?

It could be a decent security practice to avoid whatever encryption standards are produced as a result of this?

If you are paranoid about the outcome of this US sponsored competition to come up with encryption standards, then you should be paranoid about Bitcoin's SHA256, Tor or anything else that came out of US related activity.

BTW for anyone who thinks caution on NIST building backdoors into encryption standards is "paranoia" the following is an interesting read.

NSA Backdoors and Bitcoin

Many cryptographic standards widely used in commercial applications were developed by the U.S. Government’s National Institute of Standards and Technology (NIST). Normally government involvement in developing ciphers for public use would throw up red flags, however all of the algorithms are part of the public domain and have been analyzed and vetted by professional cryptographers who know what they’re doing. Unless the government has access to some highly advanced math not known to academia, these ciphers should be secure.

We now know, however, that this isn’t the case. Back in 2007, Bruce Schneier reported on a backdoor found in NIST’s Dual_EC_DRBG random number generator:

But today there’s an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation(.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.

This is how it works: There are a bunch of constants — fixed numbers — in the standard used to define the algorithm’s elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.

What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.


This is important because random number generators are widely used in cryptographic protocols. If the random number generator is compromised, so are the ciphers that use it.

Thanks to the heroic work of Edward Snowden we now know that Dual_EC_DRBG was developed by the NSA, with the backdoor, and given to NIST to disseminate. The scary part is that RSA Security, a company that develops widely used commercial encryption applications, continued use of Dual_EC_DRBG all the way up to the Snowden revelations despite the known flaws. Not surprising this brought a lot of heat on RSA which denies they intentionally created a honeypot for the NSA.

UPDATE: RSA was paid $10 million by the NSA to keep the backdoor in there.

All of this has been known for several months. What I didn’t know until reading Vitalik Buterin’s recent article Satoshi’s Genius: Unexpected Ways in which Bitcoin Dodged Some Crytographic Bullets, is that a variant of an algorithm used in Bitcoin likely also contains a NSA backdoor, but miraculously Bitcoin dodged the bullet.

Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for signing transactions. This is how you use your private key to “prove” you own the bitcoins associated with your address. ECDSA keys are derived from elliptic curves that themselves are generated using certain parameters. NIST has been actively recommending that everyone use the secp256r1 parameters because they “are the most secure”. However, there appears to be some funny business with secp256r1 that is eerily similar to the backdoor in Dual_EC_DRBG.

Secp256r1 is supposed to use a random number in generating the curves. The way it allegedly creates this random number is by using a one-way hash function of a “seed” to produce a nothing up my sleeve number. The seed need not be random since the output of the hash function is not predictable. Instead of using a relatively innocuous seed like, say, the number 15, secp256r1 uses the very suspicious looking seed: c49d360886e704936a6678e1139d26b7819f7e90. And like Dual_EC_DRBG, it provides no documentation for how or why this number was chosen.

Now as Vitalik pointed out, even if the NSA knew of a specific elliptic curve with vulnerabilities, it still should have been near impossible for them rig the system due to the fact that brute-forcing a hash function is not feasible. However, if they discovered a flaw that occurred in say, one curve in every billion, then they only need to test one billion numbers to find the exploit.

However, the kicker in all this is that the parameters for secp256r1 were developed by the head of elliptic curve research at the NSA!

The unbelievable thing is that rather than using secp256r1 like nearly all other applications, Bitcoin uses secp256k1 which uses Koblitz curves instead of pseudorandom curves and is still believed to be secure. Now the decision to use secp256k1 instead of secp256r1 was made by Satoshi. It’s a mystery why he chose these parameters instead of the parameters used by everyone else (the core devs even considered changing it!). Dan Brown, Chairman of the Standards for Efficient Cryptography Group, had this to say about it:

I did not know that BitCoin is using secp256k1. Indeed, I am surprised to see anybody use secp256k1 instead of secp256r1.

Just wow! This was either random luck or pure genius on the part of Satoshi. Either way, Bitcoin dodged a huge bullet and now almost seems destined to go on to great things.

https://chrispacia.wordpress.com/2013/10/30/nsa-backdoors-and-bitcoin/

[goodblockchain]

Blockchain latest news: a state-owned quantum computer could break blockchains in as little as three years  https://www.computing.co.uk/ctg/news/3033006/state-owned-quantum-computer-break-blockchains-three-years 'A commercially viable quantum computer is still probably a decade away but the first rudimentary, state-owned device capable of breaking common one-way encryption algorithms like AES and elliptic curve cryptography could be with us much sooner.'
'Whoever achieves it first - and it could be within as little as three years according to Cheng - don't expect to learn about it in the news.'

Post quantum we will have lots of forks. But the quantum upgraded original chain with all the mined coins will be the strongest. Anyone who has the privatekey of an old address can now move their coins and they will be quantum secure. Otherwise they are 'shalecoins' and have no owner and will be 'fracked'. These coins are the reward of their 'frackers'. If some think that the 'shalecoins' should be locked/destroyed, they can use the fork with excluded 'shalecoins'. They are already discussing such things: Fork and Destroy Satoshi's 1 million Bitcoin? https://bitcointalk.org/index.php?topic=5131393.0

No matter what, a decade is not such a long time. We should be discussing this stuff today.

Yes, squatter.
Quantum computers will surprise the Bitcoin community. The 'shalecoins' will be moved and will become active. Thereafter BTC owners will decide, which fork they want to use.

I have no idea and I just learned it from this thread. Those coins in Satoshi's wallet will then be activated which sooner there might not have forgotten coins after all. I guess we can all say Bitcoin will live on to be 21M in total. Nothings wasted and SAtoshi has really thought all of these will happen one day.

[Voland.V]

Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.

Those who believe that ESDSA can only be destroyed by brute force attacks are mistaken. This is a common misconception that is supported by most.
And I will allow myself to object.

A long time ago, not full-time employees of GCHQ (a division of the British special services) made public, but the mathematicians of the CESG unit, which is responsible for national ciphers and the protection of government communications systems in the UK. The close interaction between the GCHQ and the NSA is taking place primarily along the lines of joint intelligence activities. In other words, since the NSA also has its own IAD (Information Assurance Directorate) department specializing in the development of cryptographic algorithms and information protection, the discovery of British colleagues was a complete surprise for the mathematicians of this unit. And for the first time they learned about it from their fellow spies who closely interact with the British ...

So, when the Americans learned what the British found, they immediately abandoned cryptography on elliptical curves. And the situation is beneficial for them when the public does not refuse this encryption system. This is their jackpot!

Blockchain is hanging by a thread. The blockchain is saved by the non-compromised hashing function and its massive use.

The danger of cryptography on elliptic curves lies in the elliptic curves themselves. They have weaknesses. That is why, back in 2015, the NSA (USA) opposed this type of cryptography, despite the fact that earlier it conducted a campaign only for this cryptography. And after 2015, she again returned to the old RCA system. And this despite the very large key length relative to ECC keys.

We do not know the answer to the question of how many classes of weak elliptic curves were found by NIST.

I also have no answer to this question, but this is a logical and important question. We know that NIST, at least, has successfully standardized a vulnerable random number generator (a generator that is based on the same elliptic curves).

I do not want to repeat here a very large text, described this in my post on December 04 (there are 2 posts, written on December 4), read the second, topic:
--------------------
This material answers important 2 questions:
1. Is cryptography on elliptic curves as secure as we think?
2. Are quantum computing really dangerous for modern public key cryptosystems?
..............................
Link: https://bitcointalk.org/index.php?topic=5204368.40

I do not know more convincing evidence than those written there.

[Voland.V]

Quantum computing wont be a problem for Bitcoin anytime soon. Advancements will make quantum obsolete as well.

-----------------
Bitcoins steal without the help of a quantum computer. Anonymity of bitcoin owners is eliminated without quantum helpers.

In new public key cryptographic systems that claim to be post quantum, they find vulnerabilities without the help of a quantum computer and without guessing the key.

The fear of the quantum computer is similar to the fear of the monkey, the new big monkey.

Our main danger is people using their intelligence to cheat, not a stick and brute force.

So I agree that our security won't suffer much from quantum computing.

[AverageGlabella]

Quantum computing wont be a problem for Bitcoin anytime soon. Advancements will make quantum obsolete as well.

-----------------
Bitcoins steal without the help of a quantum computer. Anonymity of bitcoin owners is eliminated without quantum helpers.

In new public key cryptographic systems that claim to be post quantum, they find vulnerabilities without the help of a quantum computer and without guessing the key.

The fear of the quantum computer is similar to the fear of the monkey, the new big monkey.

Our main danger is people using their intelligence to cheat, not a stick and brute force.

So I agree that our security won't suffer much from quantum computing.

I am not certain what you mean by Bitcoins steal without the help of a quantum computer but the anonymity of Bitcoin owners is not eliminated without the help of quantum computing. Bitcoin is not a very good currency for maintaining anonymity and there are probably better options out there if that is a concern. Everything is displayed on the Blockchain for a reason and that goes directly against privacy of funds. As soon as you post an address online to receive a payment you are tied to that address. There are ways to use Bitcoin to maintain privacy a little better but at its core Bitcoin does not compare to Monero for privacy.

The fear of quantum computers is real. Although it is blown out of the world by the media outlets of this world and they try to sell the idea that in a couple of years we are all doomed because of these super computers which are capable of destroying all technology which we all know to be completely false. it is theoretically possible for a quantum computer to break Bitcoins algorithm in its current state however the argument against this is it will be a very long time until a quantum computer is capable and by the time that happens Bitcoin would have probably adopted a quantum computer resistant protocol.

[aoluain]

Computing, security, encryption, and hacking has always been and will likely always be a cat and mouse game.  It's not like we all woke up one day and found all of our security that was based on SHA-1 encryption was hosed by every hacker on the planet, it was a gradual shift.  As computers get faster, encryption will need to become stronger, and it's the faster computers that will enable stronger encryption.

Good points, well they sound logical to me as a non technical person anyway.
The OP quote elludes to the point that QC can be used for both good and bad.
As computing gets faster and faster so too will technologies move to incorporate
and protect against the speed.

"Quantum-resistant techniques
Quantum computing can be just as effective for cryptographers as it is for hackers. Unobserved, superpositioned particles exist in multiple states, but when detected, they “collapse” to one point in space-time. Quantum cryptography has the same properties; because the protons that make up an encoded transaction shift upon observation, a successful attacker would have to break the laws of physics to intercept it."

[Welsh]

Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.

What new services offer quantum computers? I'm not sure what you're referring too, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be a issue that would likely be put on top of the priority list. Elliptic curves to my knowledge, and many others has not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses is inaccurate. They have not been compromised, but they do have strengths, and weaknesses just like any other cryptography.

[johant123]

One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there? Otherwise that will cause a huge drop in the value of Bitcoin. We can’t put a wrapper or something around those wallets, right?

I am a tech guy, not an economist, so not sure if my reasoning makes sense!

[figmentofmyass]

One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there?

yes, this is one of 2 reasons why a post-quantum fork is contentious. (the second one being that all known post-QC signatures are extremely large and therefore will bloat the blockchain)

the solution that's primarily been suggested is to destroy all ECDSA-secured outputs after a certain date (eg 5 years after the post-quantum fork occurs) to give people ample time to secure their coins while also preventing massive theft by QC.

unfortunately, this solution is extremely unpopular since many users believe it's wrong to ever destroy/steal someone else's outputs. so we're at an impasse and i dunno how it will be resolved. https://www.reddit.com/r/Bitcoin/comments/4isxjr/petition_to_protect_satoshis_coins/d30we6f/

[Voland.V]

Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.

What new services offer quantum computers? I'm not sure what you're referring too, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be a issue that would likely be put on top of the priority list. Elliptic curves to my knowledge, and many others has not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses is inaccurate. They have not been compromised, but they do have strengths, and weaknesses just like any other cryptography.

------------------
Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
Photon networks do not allow to take information not noticeably.
That's it.
From the very theft of information - they do not protect.
It's safe to use them just because the theft is noticeable.
And they are only planned to be used to agree on a shared key for conventional symmetric encryption systems such as AES-256. This system is not being broken by any quantum computer, not even in the distant future.

Now the problem is that no modern asymmetric systems (rather than symmetric ones) can resist quantum computers. And these systems are needed only to coordinate the common secret key for symmetric encryption systems.
Without asymmetric systems, we all need to meet in person in order to send an encrypted message.
And if there will be no asymmetric systems, the old photonic Internet, which today was called quantum (!), offers as an alternative. And successful transmission in this way was long ago, 50 years ago. These are old technologies on new equipment.

And there is no quantum cryptography, no interaction with quanta, encryption with quanta.

The foreseeable future lies only in mathematical, logical encryption methods that work on ordinary computers. They're being looked for. There's a competition. They're called post quantum cryptography. By the way, AES-256 is already among the winners in the category of symmetric encryption systems. This system is not afraid of future quantum computers, it's not even afraid of computers from another planet where the most advanced civilization lives.

Why not? Because this system works with all the values of the key. And that means, if there are no mathematical methods of cracking, and there are none, you have to do a full search of binary code 256 bits long. And it's not possible, there's no such number of particles in the whole universe.
Besides, this algorithm doesn't load the processor.
That's why it's not a problem to make a key 512 bits long.

And how many times 512 bits are more than 256 bits?
No, not twice, and I don't know what time. It's a mystically large number.
But 257 bits more than 256 bits - exactly twice as many.
You do the math from here.

Cryptography on elliptical curves can't just increase the length of the key and become post quantum. Why not?
Because such unreliable systems (asymmetric) break down mathematically by cryptanalysis. So they're not used in serious cases. But this system is used in blockchain and bitcoin.

And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.

[Voland.V]

One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there? Otherwise that will cause a huge drop in the value of Bitcoin. We can’t put a wrapper or something around those wallets, right?

I am a tech guy, not an economist, so not sure if my reasoning makes sense!

------------------
It makes sense to be afraid, and this is a well-thought-out opinion of cryptography experts.
Not only that, it is openly spoken about by people who hold responsible positions in very well-known companies.

The situation here is complicated, because the cryptography itself on elliptic curves, on which the digital signature in Blockchain and Bitcoin is based, is weak and dangerous.
Read more about it here (second post of December 4):
https://bitcointalk.org/index.php?topic=5204368.0

But the second part - SHA256 remains reliable even when attacked by a quantum computer.
Because no computer will make a full search of all possible variants of binary number 256 bits long.

But, smart people have already invented and released a currency based on post quantum encryption methods.
I don't want to advertise it, but if the quantum computer starts working (although there are other, more serious concerns about cryptanalysis), the price of this crypt will rise quickly.

[Voland.V]

Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.

What new services offer quantum computers? I'm not sure what you're referring too, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be a issue that would likely be put on top of the priority list. Elliptic curves to my knowledge, and many others has not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses is inaccurate. They have not been compromised, but they do have strengths, and weaknesses just like any other cryptography.

----------------
Yes, indeed, I have read a lot about cryptography on elliptic curves.

1. I learned that those who know a lot, they work for different unpopular organizations, they are always silent, and information about this knowledge and about these people is lost ...

2. I also learned that specially all modern cryptography is divided into 2 parts:
1) Household cryptography, those encryption systems that we know. They are allowed to be used by us, ordinary people; in unclassified matters;
2) State cryptography, the one that we are not allowed to use, and the government is obliged.

And I asked myself, why so?
More precisely, what is wrong with our everyday cryptography?

3. It is not clear why the NSA (USA) first ordered a study for British mathematicians, then hid all the materials for this study, and immediately banned the use of cryptography on elliptic curves in state secrets.
And this is despite the fact that only yesterday the NSA actively implemented ECC, despite the fact that not so long ago, the NSA bought all the patents for this system from 2 mathematicians.

4. Why are we assured of the reliability of asymmetric mathematical encryption systems without providing evidence of this reliability (evidence of the inability to solve the problem of discrete logarithm in fields of elliptic curves with a finite order of the field of numbers, which means discrete, point elliptic curves).

But I understand that if they know the secret, the weak point of this cryptography, then it is very beneficial for some that all ordinary people use and trust this cryptography.

And further, new questions ..

5. Why NIST does not even want to hear about ECC with an increased key length as a candidate for a post-quantum system.
Let me remind you that a key with a length of 521 bits ECC is equal to a reliability of 256 bits AES. But AES-256 remains a post-quantum system of the future, because no quantum computer will be able to completely enumerate a number of 256 bits.
But in ECC as much as 521 bits !!!
So, ECC breaks down not only with brute force attack, but also somehow, and that means mathematically !!!

Moreover, to increase the key length by 2 times in the ECC encryption paradigm is not a problem and a burden on modern processors.
However, they do not.
Moreover, they claim that this system (including RSA) breaks with any key length, if it breaks with a standard key length. This is not what I say, but people, professors in cryptography, people with a name, authorities in the world of encryption.

What does it mean?
Only one thing - these household systems are broken mathematically, by cryptanalysis.

6. I also learned (from a lecture by a respected mathematician-cryptographer) the following:
- some classes of elliptic curves are weak; - if you look at the standard NIST curves, you can see that they are verifiable random;
- if you read the Wikipedia page about the principle "there is nothing in the sleeves", you will notice that:
1) random numbers for MD5 are obtained from the sine of integers.
2) random numbers for Blowfish are obtained from the first numbers $ \ pi $.
3) random numbers for RC5 are obtained from $ e $ and the golden ratio.
These numbers are random because their numbers are evenly distributed. And they do not cause suspicion, because they have a justification.

Now the following question arises: where do the random generating values for the NIST curves come from?
Answer: unfortunately, we do not know.
These values have no justification.

Is it possible that NIST discovered a “significantly large” class of weak elliptic curves, tried various possible variants of generating values, and found a vulnerable curve? I can not answer this question, but it is a logical and important question.

What is the reason for this distrust of such a respected organization?
But on what:
“We know that NIST has at least successfully standardized a vulnerable random number generator (a generator that, oddly enough, is based on elliptic curves).

Perhaps he has successfully standardized many weak elliptic curves as well? How to check it? No way.

It is important to understand that “verifiable random” and “protected” are not synonyms. It doesn’t matter how complicated the logarithm task is or how long the keys are - if the algorithms are hacked, then there is nothing we can do.

In this regard, the RSA wins because it does not require special domain parameters that can be exploited. RSA (like other modular arithmetic systems) can be a good alternative if we cannot trust the authorities and if we cannot create our own parameters for the definition domain.

And if you're curious: yes, TLS can use NIST curves. If you check in google, you will see that when connecting, ECDHE and ECDSA are used with a certificate based on prime256v1 (aka secp256p1).

I am not a cryptographer and not a mathematician, not a scientist or a university teacher. No one is interested in my opinion and I have no authority.

But I do not consider myself an idiot and do not really trust the universal approved opinion of the herd. I try to draw conclusions.

If you are not tired of this topic, here are the arguments in my favor, the second post for December 4:
https://bitcointalk.org/index.php?topic=5204368.40

[mrquackquack]

I might sound like a complete "space cadet" but i think there actually could be a way to mine the rest of Bitcoin in one swoop. It would probably ruin alot of stuff but none the less it could probably be done.

[mrquackquack]

Excuse me a complete "Quack".. Thank you, thank you..

[Cnut237]

Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
And there is no quantum cryptography, no interaction with quanta, encryption with quanta.

And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.

What's quantum cryptography?

Hello again! We've discussed this on another thread, so I won't go into it in depth again, but I'll mention China's Micius satellite as an example of quantum cryptography in action. Micius is already enabling a (small) quantum internet. A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. The quantum entanglement is the vital part of the encryption, the use of the laws of quantum mechanics to create the exchange of information: Quantum Key Distribution.

I will concede that whilst QKD removes some classical vulnerabilities, it does not remove them all: man-in-the-middle as an example.
But Micius is only the start. Other variants of quantum cryptography are also being advanced. Kak's 3 stage protocol for example (a quantum version of double-lock), a multi-photon variant of which is being developed to protect precisely against man-in-the-middle.

I am certainly not saying that post-quantum cryptography (classical cryptography used as a defence against quantum attack) is useless, it's not, it's extremely important.
But quantum cryptography (using the laws of quantum mechanics to implement cryptography) is important too.

Here's a time-lapse photo of Micius in action. https://cosmosmagazine.com/technology/the-quantum-internet-is-already-being-built