Everyone got sidetracked with the fun game of cracking keys that were purposely created to be insecure. Nobody answered the essential substance of OP’s questions.
From an inexpert position, Phillwilk politely and intelligently asked some important questions about Bitcoin’s security. He is completely incorrect in some of his basic assumptions; his questions should be answered!
The summary version:
- Securely generated public keys that are exposed on the blockchain are not vulnerable to being broken. Not even by Pollard’s kangaroos.
- The exposed public keys being broken in the challenge thread are from a restricted keyspace. They were purposely generated to be insecure. That is why they can be broken.
- The reason to avoid address reuse is not security, but privacy. Exposing your public keys does not make them vulnerable to cracking. Whereas reusing addresses is sort of like publishing your bank statements to the whole world. It reveals information about how much money you have, and where that money is. That can make you vulnerable to attacks by hackers or armed robbers. But it does not make your keys vulnerable to cracking, whether by Pollard’s kangaroos or otherwise.
The whole purpose of a “public key” is that it is safe to make public. If a public key that gets revealed is vulnerable to cracking, then the cryptographic algorithm is totally insecure! Whereas Bitcoin uses the secp256k1 algorithm, which is quite secure.
Bitcoin’s public-key crypto uses 256-bit keys but is deemed to have a 128-bit security level.
[...]
Bitcoin’s public-key security is humanly impossible to break now and for the foreseeable future.
[...]
Bitcoin’s public keys are plenty strong enough to protect the monetary value equivalent of hundreds of billions of dollars. Or trillions. Or all the money on Earth.
Sorry if this should be elsewhere but the level of technical detail in the main pollard kangaroo method thread is far beyond my level of technical understanding.
I just want to check my understanding and see where I might not have a good grasp of the basics before proceeding. My assumptions are below:
* The pollard kangaroo method can drastically reduce the amount of work required to obtain the private key from the public key but requires the public key as an input to do this.
Define “drastically”.
In nontechnical terms, think of it as if Bitcoin’s public-key security were a mountain. Pollard’s kangaroos hop in with some dump trucks, and they remove some dump-truck loads of rocks from the top of the mountain. The mountain is still huge! Taking a bunch of rocks off the top does not make a meaningful difference.
The challenge keys that are being cracked are purposely created not to be a mountain, but rather, to be a pile of rocks the size of a house. Pollard’s kangaroos hop in with their dump trucks... It doesn’t take them very long to haul away all of the rocks.
The problem with this metaphor is that Bitcoin’s security is not the size of a mountain; it is more like the size of a planet.
* Once an address has spent some of its funds, that address’s public key is revealed in the spend transaction.
Yes. However, this causes no meaningful loss of security.
The notion of some security benefit to hiding keys behind hashes is a pernicious myth in Bitcoin. It is based on ignorance about cryptography. People who make such claims do not know what they are talking about.
The purpose of a public-key cryptosystem is that the public key can be made public. If a public-key algorithm loses security upon publication of the
public key, then the algorithm is broken, and it should never be used for any purpose whatsoever.
Ethereum reuses known public keys. PGP uses known public keys. The TLS certificates that authenticate HTTPS in your web browser use known public keys. It is secure to do this.
* The funds which are not spent are returned to a change address leaving a balance of 0.
In proper usage, yes. But this is for reasons of privacy, not security. Re-using addresses makes blockchain analysis so easy that it’s like publishing your bank statements on the Internet, where they can be read anonymously by hackers, scammers, stalkers, robbers, etc.
* The address should not be reused as a malicious actor can start generating the private keys from the moment the spend transaction is confirmed.
This is not the reason to avoid address reuse.
Feel free to correct any of the above points but if the above is correct; can anyone answer the following;
* Address reuse was extremely common in the early days and there are several addresses with 1000+ BTC balances with outgoing transactions revealing the public key.
Why has this not been used to steal the funds?
Smart question. The answer:
Revealing the public key causes no meaningful loss of security.
I'm sure there is a limiting factor to this method but I could do with it being spelled out in layman's terms.
The limiting factor is Pollard’s kangaroos will need to jump around for trillions of years to crack a securely generated key. Pollard’s kangaroos are “fast” insofar as they are faster than other methods, which would take even longer.
Last year, on this forum, Pollard’s kangaroos cracked a key restricted to a 115-bit keyspace. Securely generated public keys are generated uniformly at random within a 256-bit keyspace. And the difference is not linear: A secure Bitcoin key is not 2.2x (256/115) harder to break than a 115-bit key, but rather, about ten thousand million trillion (10^21) times harder to break.
My maths here are back-of-the-envelope, but should be approximately correct within a few orders of magnitude; and the numbers here are so astronomically huge that any error makes no practical difference. If someone wants to quantify this more precisely, that would be interesting.
Cheers.
Thanks for asking your questions courteously and intelligently.
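To make the restricted-keyspace argument above concrete, here is an added toy example (not code from this thread or from any Bitcoin project): a minimal Pollard kangaroo over a small constructed group, the multiplicative group mod the Mersenne prime 2^31-1 with generator 7, plus the back-of-the-envelope work-factor ratio for 256-bit versus 115-bit keyspaces. The group, generator and sample exponent are assumptions chosen for the demo; the point is that the cost scales with the square root of the interval the key is known to lie in, not with whether the public key is visible.

```python
import math

# Constructed toy group: multiplicative group mod the Mersenne prime 2^31-1,
# with generator 7 (a known primitive root). Exponents play the role of keys.
P = 2**31 - 1
G = 7

def kangaroo(h, a, b, p=P, g=G):
    """Find x with g^x == h (mod p) given the promise x in [a, b].
    Returns (x, group_operations) or (None, ops) if the walks never merge.
    The tame kangaroo starts at the known exponent b, the wild one at the
    unknown x; both only hop forward, so a collision gives x = b + d_tame - d_wild."""
    w = b - a
    # jump set 2^0 .. 2^(k-1), k chosen so the mean jump is about sqrt(w)/2
    k = 1
    while (2 ** (k + 1) - 1) / (k + 1) <= math.sqrt(w) / 2:
        k += 1
    jumps = [(1 << i, pow(g, 1 << i, p)) for i in range(k)]
    t_pt, t_d = pow(g, b, p), 0      # tame position and distance hopped
    w_pt, w_d = h, 0                 # wild position and distance hopped
    if t_pt == w_pt:
        return b, 0
    tame, wild = {t_pt: 0}, {w_pt: 0}   # trails: group element -> distance
    ops = 0
    for _ in range(40 * math.isqrt(w) + 100):   # budget well above ~3*sqrt(w)
        e, m = jumps[t_pt % k]          # hop chosen by current position
        t_pt, t_d, ops = t_pt * m % p, t_d + e, ops + 1
        if t_pt in wild:                # tame landed on the wild trail
            return b + t_d - wild[t_pt], ops
        tame[t_pt] = t_d
        e, m = jumps[w_pt % k]
        w_pt, w_d, ops = w_pt * m % p, w_d + e, ops + 1
        if w_pt in tame:                # wild landed on the tame trail
            return b + tame[w_pt] - w_d, ops
        wild[w_pt] = w_d
    return None, ops

def kangaroo_work_bits(keyspace_bits):
    """Kangaroo/rho cost is about 2^(bits/2) ops: 256-bit keyspace -> 128-bit work."""
    return keyspace_bits / 2

def hardness_ratio(full_bits=256, restricted_bits=115):
    """How many times more work a uniformly random full-range key costs than a key
    confined to a restricted_bits-wide interval (2^70.5, about 1.7e21, for 256 vs 115)."""
    return 2 ** (kangaroo_work_bits(full_bits) - kangaroo_work_bits(restricted_bits))

if __name__ == "__main__":
    x = 40000                          # constructed sample exponent inside [2^15, 2^16]
    found, ops = kangaroo(pow(G, x, P), 2**15, 2**16)
    print(found, ops, hardness_ratio())
```

The 16-bit interval falls in a few hundred group operations; widening the interval by 1 bit adds only about 41% to that cost, which is exactly why a 115-bit restricted key is feasible and a full 256-bit key is not.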