Bitcoin Forum
Author Topic: Algorithms used in Bitcoin are expected to be strong until at least 2030  (Read 381 times)
_act_ (OP)
July 22, 2023, 01:54:09 PM
#1

Few days ago when I was on this forum, I saw this:

Quote
According to NIST and ECRYPT II, the cryptographic algorithms used in Bitcoin are expected to be strong until at least 2030. (After that, it will not be too difficult to transition to different algorithms.)

You know that there is no forum ad again, but sometimes you can see meaningful information there to read and I saw it.

Is it true that cryptographic algorithm that bitcoin is using will likely no more be safe by 2030? What are bitcoin developers doing to make bitcoin safer?

Faisal2202
July 22, 2023, 06:11:40 PM
#2

I am not an expert, but I have read many times that when quantum computers become available like current computing power sources, then people with a bad mindset will try to break BTC's encryption algorithms, which are easily breakable by such hugely powerful computers.

Maybe you have heard of such topics here before, because I came to know about quantum computing's side effects on BTC here in this forum. I think developers will come up with something unique and more secure than the current encryption algorithms.

n0nce
July 22, 2023, 09:08:14 PM
#3

Quote
Few days ago when I was on this forum, I saw this:

Quote
According to NIST and ECRYPT II, the cryptographic algorithms used in Bitcoin are expected to be strong until at least 2030. (After that, it will not be too difficult to transition to different algorithms.)

You know that there is no forum ad again, but sometimes you can see meaningful information there to read and I saw it.

Is it true that cryptographic algorithm that bitcoin is using will likely no more be safe by 2030? What are bitcoin developers doing to make bitcoin safer?
The answer to your question lies in the text you quoted. The algorithms are good enough 'at least' until 2030. That does not mean that they will instantly be insecure from 2030.

'Definitely secure before 2030' ⇏ 'Definitely insecure after 2030'
But: 'Definitely secure before 2030' ⇒ 'No definitive judgement starting from 2030'

Basically, the authors don't yet want to definitively state whether they think Bitcoin's crypto algorithms will still be secure enough in the year 2030. Nothing more.

Z-tight
July 22, 2023, 10:41:08 PM
#4

Quote
Is it true that cryptographic algorithm that bitcoin is using will likely no more be safe by 2030? What are bitcoin developers doing to make bitcoin safer?
I believe the threat they are referring to is quantum computers. It will surely not be a threat to BTC's security in 2030, which is just 7 years away; it will take a very long time from now before quantum computers become a problem or a threat that can solve ECDSA. BTC developers don't have to do anything now because there is no existing threat, but as quantum computers develop, the network will also develop and work on moving to an algorithm that is resistant to the threat of quantum computers.

pooya87
July 23, 2023, 04:58:42 AM
#5

SEC estimated these years based on a simple extrapolation and hasn't updated the document since:
Quote
The extrapolations are also loosely based on a simple assumption similar to Moore's law:
computing power will grow by a factor of about 2^16 every decade. Therefore, the minimum adequate
security level must increase by 16 bits every 10 years. Future revisions of this standard may
amend this.
This is why table 3 in Standard for Efficient Cryptography v2 states that ECC with a 128-bit security level (256-bit key size) protects until the year 2040 (2030 is for ECC-224).
https://www.secg.org/sec1-v2.pdf

I believe the number is also based on MIPS years, that is, the estimated amount of work performed in one year by a computer operating at the rate of one million operations per second. The values in SEC.1 v2 are from 2009.

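The extrapolation quoted in the post above, carried through as an added example (this is not code from SEC 1 v2 or from anyone in the thread): the adequate security level rises 16 bits per decade, and the 80-bit/2010 anchor is an assumption inferred from the two rows the post cites (112-bit until 2030, 128-bit until 2040). It also shows what "strong until at least 2030" does and does not say about a later year.

```python
import math
from fractions import Fraction

# Assumptions (see lead-in): the linear model SEC 1 v2 describes, with the
# 80-bit / 2010 anchor inferred from the 112 -> 2030 and 128 -> 2040 rows.
BASE_BITS = 80
BASE_YEAR = 2010
BITS_PER_DECADE = 16      # computing power x2^16 per decade => +16 bits / 10 years


def ecc_security_bits(curve_bits: int) -> int:
    """Generic-attack security level of a curve of this order size: Pollard rho
    costs ~2^(n/2), so a 256-bit curve such as secp256k1 gives ~128-bit security."""
    return curve_bits // 2


def hash_collision_bits(digest_bits: int) -> int:
    """Birthday bound: collisions in ~2^(n/2) evaluations (SHA-256 -> 128)."""
    return digest_bits // 2


def protection_year(security_bits: int) -> int:
    """Last year the model calls this security level adequate:
    2010 + (bits - 80) * 10 / 16, rounded down to a whole year."""
    if security_bits < BASE_BITS:
        raise ValueError("below the model's 80-bit baseline")
    decades = Fraction(security_bits - BASE_BITS, BITS_PER_DECADE)
    return BASE_YEAR + math.floor(decades * 10)


def security_bits_needed(year: int) -> int:
    """Inverse: smallest whole security level the model calls adequate in `year`."""
    if year < BASE_YEAR:
        return BASE_BITS
    return BASE_BITS + math.ceil(Fraction((year - BASE_YEAR) * BITS_PER_DECADE, 10))


def lifetime_table() -> dict:
    """Rebuild the ECC rows of the SEC-style table: curve bits -> (level, year)."""
    return {c: (ecc_security_bits(c), protection_year(ecc_security_bits(c)))
            for c in (160, 224, 256, 384, 512)}


def judgement(security_bits: int, year: int) -> str:
    """What 'strong until at least YEAR' says about a given year: past the table
    year the model makes no claim at all; it does not say 'broken'."""
    return "adequate" if year <= protection_year(security_bits) else "no judgement"


if __name__ == "__main__":
    for curve_bits, (level, year) in lifetime_table().items():
        print(f"ECC-{curve_bits}: {level}-bit security, adequate until {year}")
    print("secp256k1 in 2030:", judgement(ecc_security_bits(256), 2030))
    print("secp256k1 in 2041:", judgement(ecc_security_bits(256), 2041))
```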
un_rank
July 23, 2023, 05:22:51 AM
#6

Alright, I am clear on the security aspect. It is sort of how products have a best-before date by which they should be consumed, but taking them after that is not immediately hazardous; but we cannot imagine that FUD about bitcoin being unsafe will not become very popular very quickly if there is any suggestion that it is not as safe as it used to be.

Can anyone explain the final bit about transitioning to a new algorithm not being too difficult?

Quote
You know that there is no forum ad again, but sometimes you can see meaningful information there to read and I saw it.
True, some of the factoids[1] contain witty and educative messages.

[1] https://bitcointalk.org/adrotate.php?adinfo

ertil
July 24, 2023, 04:46:48 AM
#7

Quote
Can anyone explain the final bit about transitioning to a new algorithm not being too difficult?
If ECDSA is broken (and only that), then we can just create a new address type and move all coins there. In the case of Taproot, all that is needed is probably just disabling spend-by-key.

For SHA-256, the situation is more difficult, but in that case we will be alerted in advance. If you ever see block headers with 128 leading zero bits for SHA-256, that would mean reaching the collision level, and transitioning to something else. I wonder if that process will start even faster, when chainwork reaches 2^128, just to be 100% sure.

Protecting SHA-256 is harder, but still possible. It requires rehashing everything with some new algorithm, maybe even in some backward-compatible way, where you could have some 512-bit hash with the first 256 bits always identical to SHA-256 and the next 256 bits generated by some other hash function. I also expect the same kind of thing that happened with SHA-1: you have the real SHA-1, and some hardened version that can protect you just from some discovered attacks, and nothing else.
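The early-warning check described above, written out as an added example (not the poster's code): count the leading zero bits of a block-header hash, compare them with the 128-bit collision bound of SHA-256, and track chainwork against 2^128. It assumes the standard 80-byte header layout, uses the public mainnet genesis header as sample input, and computes per-block work the way Bitcoin Core's GetBlockProof does (2^256 // (target + 1)).

```python
import hashlib

COLLISION_BITS = 128          # birthday bound for a 256-bit digest (the post's trigger)
CHAINWORK_ALARM = 1 << 128    # the post's "chainwork reaches 2^128" trigger

# Sample input constructed from public constants: the 80-byte mainnet genesis
# header (version, prev hash, merkle root, time, nBits, nonce; all little-endian).
GENESIS_HEADER_HEX = (
    "01000000"
    + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49"   # time  1231006505
    + "ffff001d"   # nBits 0x1d00ffff
    + "1dac2b7c"   # nonce 2083236893
)


def genesis_header() -> bytes:
    return bytes.fromhex(GENESIS_HEADER_HEX)


def header_hash(header: bytes) -> int:
    """double-SHA256 of the header as the integer that is compared with the target
    (little-endian interpretation == the byte-reversed hex Bitcoin displays)."""
    if len(header) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def leading_zero_bits(value: int, width: int = 256) -> int:
    """Leading zero bits of `value` written as a `width`-bit big-endian number."""
    if not 0 <= value < (1 << width):
        raise ValueError("value does not fit in width")
    return width - value.bit_length()


def target_from_nbits(nbits: int) -> int:
    """Decode the compact nBits field: mantissa * 256^(exponent - 3)."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if nbits & 0x00800000:
        raise ValueError("negative target is invalid")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def min_leading_zero_bits(nbits: int) -> int:
    """Every hash that meets this target has at least this many leading zero bits;
    zeros above this floor are luck, not difficulty."""
    return leading_zero_bits(target_from_nbits(nbits))


def block_work(nbits: int) -> int:
    """Expected hashes per block, as Bitcoin Core's GetBlockProof: 2^256 // (target + 1)."""
    return (1 << 256) // (target_from_nbits(nbits) + 1)


def check_header(header: bytes, chainwork_before: int) -> dict:
    """Metrics a monitor would alert on for one header appended to the chain."""
    nbits = int.from_bytes(header[72:76], "little")
    zeros = leading_zero_bits(header_hash(header))
    floor_bits = min_leading_zero_bits(nbits)
    chainwork = chainwork_before + block_work(nbits)
    return {
        "leading_zero_bits": zeros,
        "difficulty_floor_bits": floor_bits,
        "excess_zero_bits": zeros - floor_bits,
        "collision_level_alarm": zeros >= COLLISION_BITS,
        "chainwork": chainwork,
        "chainwork_alarm": chainwork >= CHAINWORK_ALARM,
    }


if __name__ == "__main__":
    for key, value in check_header(genesis_header(), 0).items():
        print(f"{key}: {value}")
```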
ranochigo
July 24, 2023, 07:22:54 AM
#8

Quote
Alright, I am clear on the security aspect. It is sort of how products have a best before date when they should be consumed, but taking it after then is not immediately hazardous, but we cannot imagine that FUD about bitcoin being unsafe will not becomes very popular very quickly if there is any suggestion that it is not as safe as it used to be.

Can anyone explain the final bit about transitioning to a new algorithm not being too difficult?
The closest thing that could feasibly be broken would be ECDSA, which is pretty impactful since it results in any ECDSA private key being feasibly obtained from its corresponding public key by the use of Shor's algorithm. SHA256, or other symmetric crypto, are not vulnerable to this and are not affected by Shor's algorithm, and Grover's algorithm doesn't provide a sufficiently high speedup.

Collision and pre-image resistance for SHA256 will be weakened gradually, but I have my doubts that they would happen overnight or within a decade.

Transition for ECDSA is actually quite difficult. You face the conundrum of securing the older Bitcoin addresses, where they are vulnerable with P2PK or even those with the public key exposed. Quantum resistant algorithms are in the works now, but even if it is broken, the economics of it wouldn't make Bitcoin any more attractive than government secrets.

ertil
July 24, 2023, 08:22:48 AM
#9

Quote
Transition for ECDSA is actually quite difficult. You face the conundrum of securing the older Bitcoin addresses, where they are vulnerable with P2PK or even those with the public key exposed. Quantum resistant algorithms are in the works now, but even if it broken the economics of it wouldn't make Bitcoin any more attractive than government secrets.
It was discussed in other topics, but in general, when it comes to ECDSA, you don't have that many options:
1. You can just introduce a new address type, and do nothing with old addresses. This is what would probably happen, because it is also compatible with all other options.
2. You can burn old coins after some time. To make it compatible, you can use the "do nothing" option, and make some huge pool for cracking and burning coins that will be stronger than any single attacker.
3. You can redistribute old coins to miners. In case of any successful attack, miners will probably be powerful enough to take coins from any attackers; it is a similar case to the SHA-1 puzzle, where in practice only miners can safely claim those rewards.

Because it is hard to know in advance what would happen, I guess people will keep the status quo as long as they can, so there will be option number one, and then if any solution is needed, it will just be compatible with the "do nothing" model.

Also note that speculating about the solutions now can easily lead to totally wrong results. Would you have expected things like "hardened SHA-1" before it was broken? Not really; people thought it would be replaced with a different hash function. But that was not the case: for example, Git still uses SHA-1 instead of switching to SHA-2 or anything else. The world is simply unupgradeable, and relies on soft-forks everywhere if something is "legacy". So, in general, I think no matter what is broken, the actual "fix" will handle only this particular attack, nothing more, nothing less.

If SHA-1 was turned into "hardened SHA-1", then I expect secp256k1 could also be replaced with "hardened secp256k1". Even if private keys are reached by the attackers, there are still many options, like "a proof that some key is a part of some HD wallet". The same with signatures: if they are broken, then you can force using deterministic ones. The fix will be highly dependent on the attack; for that reason we don't know right now how exactly it will be fixed (because today we don't know what the attack would look like).
ranochigo
July 24, 2023, 08:43:25 AM
#10

Quote
It was discussed in other topics, but in general, when it comes to ECDSA, you don't have that many options:
-snip-

Because it is hard to know in advance what would happen, I guess people will keep the status quo as long as they can, so there will be option number one, and then if any solution is needed, it will just be compatible with the "do nothing" model.
Essentially. That is contingent on the community as a collective being agreeable with any of the proposed options. More likely than not, we will see people splitting into different camps just as with the block size debates. Even more so given how it concerns the economics of the network and a core feature. Hard to tell what it would be without it actually happening.

Quote
Also note that speculating about the solutions now can easily lead to totally wrong results. Would you have expected things like "hardened SHA-1" before it was broken? Not really; people thought it would be replaced with a different hash function. But that was not the case: for example, Git still uses SHA-1 instead of switching to SHA-2 or anything else. The world is simply unupgradeable, and relies on soft-forks everywhere if something is "legacy". So, in general, I think no matter what is broken, the actual "fix" will handle only this particular attack, nothing more, nothing less.
It depends on the security issue. I would assume something as important as Bitcoin wouldn't be able to be replaced so easily. The algorithm that hardened SHA1 uses doesn't defend against all collisions, and any sign of weakness in an algorithm would be a good reason for Bitcoin to move onto another completely. There are no redundancies in the network, especially for something worth more than 500 billion USD.

Quote
If SHA-1 was turned into "hardened SHA-1", then I expect secp256k1 could also be replaced with "hardened secp256k1". Even if private keys are reached by the attackers, there are still many options, like "a proof that some key is a part of some HD wallet". The same with signatures: if they are broken, then you can force using deterministic ones. The fix will be highly dependent on the attack; for that reason we don't know right now how exactly it will be fixed (because today we don't know what the attack would look like).
Attacks are known and they have been proven, with the caveat of requiring a sufficiently powerful computer. None of the asymmetric algorithms that we commonly use right now are safe, nor can they be hardened, because they operate on the basis of the hardness of factorization. The only fix would be a shift to a quantum resistant algorithm.

ABCbits
July 24, 2023, 10:30:12 AM
#11

Quote
3. You can redistribute old coins into miners. In case of any successful attack, miners will probably be powerful enough to take coins from any attackers, it is a similar case as with SHA-1 puzzle, where in practice only miners can safely claim those rewards.

But don't forget the competition still exists between miners/pools. There's always the possibility a miner/pool would do something to increase their chance of claiming coins from the attacker and other miners/pools, such as creating a block which only contains two TXs: the coinbase and a TX which sends the old coins to an address owned by the miner/pool.

o_e_l_e_o
July 24, 2023, 11:49:24 AM
#12
Quote
Essentially. That is contingent on the fact with the community as a collective being agreeable with any of the proposed option. More likely than not, we will see people splitting into different camps just with the block size debates.
Even more likely, then, that we will proceed with the "do nothing" option, since that is what we will default to if we cannot reach some sort of consensus on what should happen to these vulnerable coins. And as I've argued previously, this is definitely the preferred option over allowing a small group of users to unilaterally decide that other people's coins should be locked, burned, or redistributed.

Quote
Even if private keys will be reached by the attackers, there are still many options, like "a proof that some key is a part of some HD wallet".
I've spoken about this before as well, and while it seems appealing, it is far from perfect. It provides no protection for any keys which are not part of an HD wallet (which likely includes all P2PK addresses as well as many regular P2PKH/P2SH/P2WPKH addresses), and by locking all such addresses pending a proof which cannot be provided, you will undeniably be depriving some users of their coins against their will, which is unforgivable as far as I am concerned.

Quote
But don't forget the competition still exist between miner/pool. There's always possibility miner/pool would do something to increase their chance to claim coin from attacker and other miner/pool, such as create block which only contain two TX, coinbase and TX which send old coin to address by owned miner/pool.
Or simply just attempt to reorg out any block which claims a sizeable reward for another miner.
ranochigo
July 24, 2023, 11:57:45 AM
#13

Quote
Even more likely, then, that we will proceed with the "do nothing" option, since that is what we will default to if we cannot reach some sort of consensus on what should happen to these vulnerable coins. And as I've argued previously, this is definitely the preferred option over allowing a small group of users to unilaterally decide that other people's coins should be locked, burned, or redistributed.
Same as the rest of the community, I believe that there will be more versions of Bitcoin, ones with the old P2PK being burned and ones that are not. I believe that there are merits to both sides of the camp, but I personally stand on burning them. I can understand the dilemma behind this and what your POV is. It'll be quite interesting to see how it pans out, pros and cons for both directions.

By the time ECDSA actually gets broken, there might be more than a few million Bitcoins that are still vulnerable (forgotten or lost used P2PKH, just normal P2PK, etc.). A sufficiently long time for transition would be required, though arguably you're right in a sense that it does rob people of what is rightfully theirs. In the worst case scenario, an adversary gets access to the majority of the Bitcoins and wreaks havoc in the markets. While in the best case, they get access to only around 1-2 million, i.e. 5% of total possible circulation, not accounting for burned ones.

Regardless, we had this conversation quite a while back: https://bitcointalk.org/index.php?topic=5335069.msg56971465#msg56971465. Recalled it from the top of my head, I guess our position on this issue hasn't changed very much throughout the years.

Flexystar
July 24, 2023, 03:33:21 PM
#14

First I thought it was some sort of breakthrough that they are actually planning. Imagine reading this news itself: the SEC and CBDC would have been so happy, since after this they might have thought they would get a chance to spread negativity about Bitcoin and thus promote the FedNow system more promptly.

Good to know (after reading the rest of the discussion) that it's not really possible to break the code until it really happens. It also made me think that Satoshi did not make it so easy, as his plan is for hundreds of years until 2140, by when the last Bitcoin would be mined.

It seems it will get stronger with time as the complexity of the network keeps increasing.
digaran
July 24, 2023, 06:50:07 PM
#15

Quote
Good to know (after reading rest discussion) it's not really possible to break the code until it really happens. It also made me think that Satoshi did not make it so easy as his plan is for hundreds of years until 2140 by when the last Bitcoin would be mined.

It's seems it will get more stronger with the time as the complexity of network keeps increasing.
By 2140? Lol, it has nothing to do with "network complexity", whatever that means.

Simple and pure mathematics is what keeps the coins safe; in order to make it harder for quantum computers we just need more complex math/equations.

Enigma in WW2 was the ultimate crypto/math problem, but the first computer invented managed to break the encryption. Now it's the other way around: we need to invent an equation so the new computer generation can't break it.

Satoshi just chose one of the strongest curves at that time, even he knew 20 years later people will have to change the key to their safe.😉

BlackHatCoiner
July 24, 2023, 08:34:31 PM
#16

Quote
By the time ECDSA actually gets broken, there might be more than a few million Bitcoins that are vulnerable still (forgotten or lost used P2PKH, just normal P2PK, etc) . A sufficiently long time for transition would be required, though arguably you're right in a sense that it does rob people of what is rightfully theirs.
There are going to be coins robbed, no doubt. However, I wouldn't take it for granted that there will be millions. Sure, there are millions in P2PK, but perhaps they get spent until then; especially after the cryptographic community accepts some quantum safe alternative.

Quote
Simple and pure mathematics is what keeps the coins safe
I'm genuinely curious which math you're referring to. Those I know, which are discrete math and cryptography-related math, are certainly not pure and simple!

ranochigo
July 25, 2023, 12:48:22 AM
#17

Quote
There are going to be coins robbed, no doubt. However, I wouldn't take it for granted there will be millions. Sure, there are millions in P2PK, but perhaps they get spent until then; especially after the cryptographic community accepts some quantum safe alternative.
Most of which are lost, because people couldn't be bothered to have a backup for them. Satoshi is known to have a million Bitcoins at least, and there are probably more than that in terms of non-Satoshi but lost coins. In addition, there are also coins in exposed P2PKH addresses. These could add up to a few million when the time comes. Of course, these are just vague estimations, but that is more than likely to be the case.

o_e_l_e_o
July 25, 2023, 07:07:42 AM
#18

Quote
Satoshi just chose one of the strongest curves at that time, even he knew 20 years later people will have to change the key to their safe.😉
A relevant quote:

Quote
True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig)

Obviously it won't quite be as simple as everyone automatically upgrading when they run the new version of Bitcoin Core for the first time, given the number of different wallets in use these days, but the principle still stands.

Quote
There are going to be coins robbed, no doubt.
Absolutely, but I will continue to argue it is preferable for some lost coins to be stolen and we all take a short term hit on the price than it would be to compromise one of the core principles of bitcoin by unilaterally deciding to freeze or seize some coins.

Quote
Satoshi is known to have a million Bitcoins at least
This is conjecture, not proven. But even if the total number of coins at risk does add up to several million, I maintain my stance above.
NotATether
July 25, 2023, 07:24:48 AM
#19

Quote
Satoshi just chose one of the strongest curves at that time, even he knew 20 years later people will have to change the key to their safe.😉
A relevant quote:

True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig)

That's going to have to involve sending your coins to a completely different set of HD keys, because if the curve is also broken in addition to ECDSA, then just signing all local transactions with the new signature algorithm won't be enough. Most people don't have local unsigned transactions anyway, just old coins.

Quote
There are going to be coins robbed, no doubt.
Absolutely, but I will continue to argue it is preferable for some lost coins to be stolen and we all take a short term hit on the price than it would be to compromise one of the core principles of bitcoin by unilaterally deciding to freeze or seize some coins.

There's no reason to agree to such a thing anyway - We are not Tether or Bitcoin SV.

o_e_l_e_o
July 25, 2023, 08:27:50 AM
#20

Quote
That's going to have to involve sending your coins to a completely different set of HDKeys because if the curve is also broken in addition to ECDSA, then just signing all local transactions with the new signature algorithm won't be enough.
I'm pretty sure that's what Satoshi was saying in that quote - the software would automatically send all your money to the new address type we end up with. As ranochigo points out above, I don't think it is possible to leave coins on current addresses but transition to some form of "hardened ECDSA".