Bitcoin Forum
May 12, 2024, 05:13:54 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
Author Topic: Breaking RSA Encryption with Quantum Computer  (Read 371 times)
AicecreaME
Sr. Member
****
Offline Offline

Activity: 2338
Merit: 454


View Profile
January 14, 2023, 01:24:24 PM
 #21

Quantum computers are a threat to cyber security, because they could be used for something bad or good, like massive security breaches all over the globe. But if the technology evolves, the security also evolves. NIST is the one who is preparing for PQC to avoid such things; it is called quantum-resistant cryptographic standards, which must be adopted to prevent everything that could go wrong.
HomerF_48
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
January 14, 2023, 05:48:45 PM
 #22

BTC is not quantum secure. IBM will have a QC of 4,000+ qubits by 2025 (in two years). It takes only 1556 qubits to break the ECDSA encryption used to correlate private to public keys. What this means is if you have an exposed (unhashed) public key - which if you ever used your wallet it leaves an unhashed copy of your public key out there on the network for anyone to have - a quantum computer of 1556 or more qubits can take that public key and reverse engineer out your private key. Game over. Bitcoin has no value other than as a way to secure information - security is literally its only selling point - when that security breaks, as it will, it has no more usefulness and the value will crash to probably just a few dollars, propped up by die-hard dead-ender BTC maxis. If you want to get rich on bitcoin, short it by buying a short bitcoin ETF (example is ticker BITI - not financial advice). Doing anything else will result in losing investment.

Google this / do your own research - this is not "FUD", this is just sober fact. Bitcoin public keys can fall with QC's of just 1556 qubits. (Source: https://security.stackexchange.com/questions/33069/why-is-ecc-more-vulnerable-than-rsa-in-a-post-quantum-world ). Misinformation you hear is that it takes many qubits to crack RSA hence bitcoin is safe - this only relates to the bitcoin mining algorithm not the ECDSA algorithm used to relate public/private keys which is more vulnerable. Again - in 2 years or so IBM will have QC strong enough to reverse engineer private key from unhashed public key. When this happens panic will spread and bitcoin will crash. This is as predictable as the housing bubble collapse of 2008 and just like then, there are people who will shout "FUD" at anyone showing the plain and simple facts. Don't be on the wrong side of this.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3074



View Profile
January 14, 2023, 10:52:18 PM
Merited by o_e_l_e_o (4)
 #23

if you ever used your wallet it leaves an unhashed copy of your public key out there on the network for anyone to have - a quantum computer of 1556 or more qubits can take that public key and reverse engineer out your private key.

how fast will this quantum computer be able to factorize the public key into its private key? it has to be faster than a miner can mine transactions transferring to a quantum resistant keypair.

also, don't forget that miners will want to continue to mine, so if a new keypair scheme is available, one can simply send (encrypted) transactions directly to a miner, transferring utxos to a new address using the new scheme, IBM cannot crack public keys they do not have access to.

what's that you say, the quantum resistant keypairs don't exist? well neither does IBM's 4000 qubit computer (and some kind of quantum resistant keypair cryptography does exist, although I have no idea how good it is, nor whether it's at all suitable for Bitcoin addresses/tx's)

did you say game over?

Vires in numeris
BitcoinPanther
Hero Member
*****
Offline Offline

Activity: 1918
Merit: 564


View Profile
January 14, 2023, 11:09:54 PM
 #24

Google this / do your own research - this is not "FUD", this is just sober fact. Bitcoin public keys can fall with QC's of just 1556 qubits. (Source: https://security.stackexchange.com/questions/33069/why-is-ecc-more-vulnerable-than-rsa-in-a-post-quantum-world ). Misinformation you hear is that it takes many qubits to crack RSA hence bitcoin is safe - this only relates to the bitcoin mining algorithm not the ECDSA algorithm used to relate public/private keys which is more vulnerable. Again - in 2 years or so IBM will have QC strong enough to reverse engineer private key from unhashed public key. When this happens panic will spread and bitcoin will crash. This is as predictable as the housing bubble collapse of 2008 and just like then, there are people who will shout "FUD" at anyone showing the plain and simple facts. Don't be on the wrong side of this.

Do not disregard that the developers are well aware of this scenario, and I believe they will not stay idle and just wait for these so-called quantum computers to break the Bitcoin security. Because before Bitcoin, I believe there are lots of low-security systems that will be cracked first, giving a hint that there is a need for an upgrade of security for Bitcoin, hence the possibility of your speculation or prediction might not happen.

I think as quantum computers progress and develop, security also evolves and develops. So it is a race, and not just a one-sided race where QCs are the only ones progressing.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3074



View Profile
January 15, 2023, 09:02:01 PM
Last edit: January 15, 2023, 09:30:44 PM by Carlton Banks
 #25

before Bitcoin, I believe there are lots of low-security systems that will be cracked first, giving a hint that there is a need for an upgrade of security for Bitcoin, hence the possibility of your speculation or prediction might not happen.

or look at this way: anyone producing a sufficiently powerful quantum computer probably has big interest from the "local military" so to speak.

because that kind of equipment has military implications; whichever political faction who obtained such a tool first could use it to:

  • outright attack enemies
  • blackmail them instead

it would be a world-changing event, if it came out of a clear blue sky (i.e. unexpectedly). One could pwn everything and everyone with such tech; a whole new era would begin rather abruptly

guess what though? everyone to which any of this is relevant already knows, and is preparing accordingly. Bitcoin devs are only one out of many who are aware, and they don't even have any (known) military connections

Vires in numeris
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18512


View Profile
January 16, 2023, 11:43:44 AM
 #26

how fast will this quantum computer be able to factorize the public key into its private key? it has to be faster than a miner can mine transactions transferring to a quantum resistant keypair.
That is something which is suspiciously missing from the paper linked to by OP as well. It's all well and good saying "We have a xxx qubit computer which can solve the ECDLP for 256 bit private keys", but if you have to run your xxx qubit computer for ten years to find a single private key, then it isn't going to pose much of a risk to bitcoin.

well neither does IBM's 4000 qubit computer (and some kind of quantum resistant keypair cryptography does exist, although I have no idea how good it is, nor whether it's at all suitable for Bitcoin addresses/tx's)
There are quite a few in development: https://en.wikipedia.org/wiki/Post-quantum_cryptography

The last discussion regarding quantum computers on the mailing list I am aware of is from April last year: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020209.html
This discussion focuses on NTRU, which is a lattice-based algorithm: https://en.wikipedia.org/wiki/NTRU

Picking one now, when the threat from quantum computers is very likely still decades away, seems very premature though. There is a good chance that whatever we picked today would be at best outdated and at worst insecure by the time it actually mattered.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3074



View Profile
January 16, 2023, 05:32:30 PM
 #27

Picking one now, when the threat from quantum computers is very likely still decades away, seems very premature though. There is a good chance that whatever we picked today would be at best outdated and at worst insecure by the time it actually mattered.

for Bitcoin, yes. For protocols that involve encrypting network packets using public keys, it might make sense to pick now (and I believe this is the reason OpenSSH did so). I do not know why it doesn't make more sense to extend/redesign the protocol to encrypt using negotiated ephemeral encryption keys, but maybe that's something specific to the protocol.

Vires in numeris
NotATether
Legendary
*
Offline Offline

Activity: 1596
Merit: 6735


bitcoincleanup.com / bitmixlist.org


View Profile WWW
January 16, 2023, 05:44:48 PM
 #28

Picking one now, when the threat from quantum computers is very likely still decades away, seems very premature though. There is a good chance that whatever we picked today would be at best outdated and at worst insecure by the time it actually mattered.

for Bitcoin, yes. For protocols that involve encrypting network packets using public keys, it might make sense to pick now (and I believe this is the reason OpenSSH did so). I do not know why it doesn't make more sense to extend/redesign the protocol to encrypt using negotiated ephemeral encryption keys, but maybe that's something specific to the protocol.

I still can't believe why the bitcoin protocol isn't using end-to-end encryption between nodes using self-signed certificates. That would prevent the information leak that someone would harvest and attempt to break a specific ECDSA key.

Blawpaw
Legendary
*
Offline Offline

Activity: 1596
Merit: 1027



View Profile
January 16, 2023, 06:30:07 PM
 #29

https://news.bitcoin.com/chinese-researchers-claim-success-in-breaking-rsa-encryption-with-quantum-computer-experts-debate-veracity-of-discovery/

Is this true? A Quantum computer could break RSA encryption now? I thought it should take another 10 years at least

Quantum computing is still years behind, so it is still a unique kind of computation that cannot interact with the current computational model. This means that it still cannot be used to break any sort of encryption used in the current computation plane. Therefore, I believe the article is just plain and simple FUD. Nevertheless, it doesn't mean that we should stay unworried. On the contrary, quantum computing is evolving and will soon get there, but as someone already mentioned, when that happens, encryption will also evolve to cope with it. At least I hope so!
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3074



View Profile
January 16, 2023, 08:52:37 PM
Merited by pooya87 (2)
 #31

I still can't believe why the bitcoin protocol isn't using end-to-end encryption between nodes using self-signed certificates. That would prevent the information leak that someone would harvest and attempt to break a specific ECDSA key.

that's on the table with BIP324 (except without the certificates part, any authentication has been left easy to add, but not actually specified)

but I'm not convinced that would help, transactions are propagated to all nodes, so the attack is really the same: start a node, listen for transactions to get valid public keys, crazily try to factorize the private key out of any pubkey from the instant you receive it

even directly connecting to a miner IP with bitcoind set to refuse anything but a BIP324 connection wouldn't work for the same reason; the miner would broadcast your transaction to its peers, then onto the rest of the bitcoin network.

Vires in numeris
franky1
Legendary
*
Online Online

Activity: 4214
Merit: 4475



View Profile
January 17, 2023, 01:22:49 AM
 #32

quantum computers can't reverse engineer public -> private in seconds.
it's still going to be a several hours-days (compared to thousands of millennia) thing even with the high qubit rate this topic link mentions

so the fear of someone grabbing a zero-confirm tx at relay, engineering the privkey, then RBFing the utxo to a new destination before the original tx confirms... is not a concern for a network that confirms much sooner
(still be cautious but don't be fearful. it's more super luck if they manage to engineer an RBF in the average 10min confirm window)

the real concern is leaving valuable amounts/data on an exposed key
EG hoarding on a re-used key.
EG putting valuable data into a message on an app where you don't want anyone reading it later after the fact, but have your encrypted messages stored somewhere to be interrogated later

also those owning a large expensive multibillion dollar system are not going to waste hours on one process that won't net them break even/profit

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
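The "exposed key" point above (a P2PKH public key is only revealed once its output is spent, so the risk is value that stays on, or returns to, an address that has already spent) can be turned into a simple audit. The script below is an added example and is not code from franky1's post or from any Bitcoin project; it runs over a small constructed toy ledger with made-up txids, addresses and pubkey strings, and models only the P2PKH case where spending reveals the key.

```python
"""Audit a toy ledger for value sitting on already-exposed public keys.

Added example (not part of the forum thread). The ledger model is a
simplification: every output is treated as P2PKH, so the first spend
from an address reveals the pubkey behind it, and any UTXO still on
that address afterwards is "exposed" in the sense the thread discusses.
"""
from collections import defaultdict

# Constructed sample ledger (hypothetical txids, addresses and pubkeys).
# inputs : list of (prev_txid, vout, revealed_pubkey_hex)
# outputs: list of (address, value_in_sats)
LEDGER = [
    {"txid": "t1", "inputs": [], "outputs": [("addrA", 50_000), ("addrB", 20_000)]},
    # addrA spends -> its pubkey is now public; change goes back to addrA (reuse)
    {"txid": "t2", "inputs": [("t1", 0, "02aa")], "outputs": [("addrC", 30_000), ("addrA", 19_000)]},
    # addrB spends everything to a fresh address: exposed, but nothing left on it
    {"txid": "t3", "inputs": [("t1", 1, "03bb")], "outputs": [("addrD", 20_000)]},
    # new funds arrive on the already-exposed addrA (the "hoarding on a re-used key" case)
    {"txid": "t4", "inputs": [], "outputs": [("addrA", 5_000)]},
]


def replay(ledger):
    """Walk the ledger in order; return (unspent outputs, exposed addresses).

    utxos   : {(txid, vout): (address, value)}
    exposed : {address: pubkey revealed by its first spend}
    """
    utxos = {}
    exposed = {}
    for tx in ledger:
        for prev_txid, vout, pubkey in tx["inputs"]:
            try:
                addr, _value = utxos.pop((prev_txid, vout))
            except KeyError:
                raise ValueError(f"{tx['txid']} spends unknown output {prev_txid}:{vout}")
            exposed.setdefault(addr, pubkey)
        for vout, (addr, value) in enumerate(tx["outputs"]):
            utxos[(tx["txid"], vout)] = (addr, value)
    return utxos, exposed


def exposed_value(ledger):
    """Sats still controlled by each address whose pubkey is already public."""
    utxos, exposed = replay(ledger)
    at_risk = defaultdict(int)
    for addr, value in utxos.values():
        if addr in exposed:
            at_risk[addr] += value
    return dict(at_risk)


def received_after_exposure(ledger):
    """Addresses that received new outputs in a tx after their key was revealed."""
    seen_exposed = set()
    reused = set()
    for tx in ledger:
        for addr, _value in tx["outputs"]:
            if addr in seen_exposed:
                reused.add(addr)
        # Record exposure after processing this tx's outputs so that change
        # returned in the very same spending tx is counted by exposed_value,
        # but only later deposits count as "received after exposure".
        utxos_before, _ = replay(ledger[: ledger.index(tx)])
        for prev_txid, vout, _pubkey in tx["inputs"]:
            seen_exposed.add(utxos_before[(prev_txid, vout)][0])
    return reused


if __name__ == "__main__":
    print("value on exposed keys:", exposed_value(LEDGER))
    print("addresses funded after exposure:", received_after_exposure(LEDGER))
```

Run on the constructed ledger, `exposed_value` reports 24,000 sats on addrA (the change output plus the later deposit) and nothing for addrB, which spent out completely; `received_after_exposure` singles out addrA as the address that kept being funded after its key was public. A wallet that always spends to fresh addresses keeps the first figure at zero, which is the mitigation the post is pointing at.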
justdimin
Hero Member
*****
Offline Offline

Activity: 2996
Merit: 670


www.Crypto.Games: Multiple coins, multiple games


View Profile
January 17, 2023, 08:46:04 PM
 #33

Quantum computing is still years behind, so it is still a unique kind of computation that cannot interact with the current computational model. This means that it still cannot be used to break any sort of encryption used in the current computation plane. Therefore, I believe the article is just plain and simple FUD. Nevertheless, it doesn't mean that we should stay unworried. On the contrary, quantum computing is evolving and will soon get there, but as someone already mentioned, when that happens, encryption will also evolve to cope with it. At least I hope so!
It may be years to go, but it doesn't solve the problem either. We have to handle the issue first that such a trouble is out there, upcoming one day, and we do not have a solution to it. Well, we do, but not implemented yet; we need to make sure that we could implement such a change if we could, and that will definitely be a lot better for our ease of mind.

I am not saying that it's going to be a trouble forever, but it's going to end up being something we could handle in the long run if we are ready for it. This is why quantum computing is a risk even when it's not there yet, even when it's just worked on, maybe there is some time to go, but that is just the reality.

franky1
Legendary
*
Online Online

Activity: 4214
Merit: 4475



View Profile
January 17, 2023, 11:21:12 PM
 #34

here is another thing to think about in relation to the topic's fear-mongering..

RSA has already been "broke" by conventional binary computing at 256, 512 and 786.. from as early as 2000-2010
https://link.springer.com/chapter/10.1007/3-540-45539-6_1
https://eprint.iacr.org/2010/006.pdf
(using 1500 cpu hours)

so by knowing the secret methodology.. of course speeding up that reverse engineering method to break 1024, 2048, 4096 just becomes a time factor
also the fact is.. RSA is not one-way cryptography. RSA is made to be decrypted, because it's encryption, used for messages, not one-way signing proofs

ECDSA is different and stronger, thus able to withstand a brute attack at 256(EC) which would take longer than grains of sand in the universe (eons).. vs 1500 years of CPU time for 768bit RSA

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at