Bitcoin Forum
Pages: « 1 [2] 3 »
Author Topic: The Quantum Threat to Bitcoin: Implications for Miners, Nodes, and Wallets  (Read 584 times)
vjudeu
Hero Member
Activity: 670
Merit: 1549
September 23, 2023, 07:55:28 PM
Merited by ABCbits (2), philipma1957 (1), digaran (1)
 #21

Quote
Another way to fight a difficulty attack could be an emergency difficulty adjustment.
You don't want to go that way. BCH did it, as well as some other altcoins, and the main result is that you don't even need to break SHA-256 to weaken their networks. All you need is to form a minority, pretend that it is the "true Bitcoin", and then mine your blocks at a much lower difficulty, while pretending that nothing happened at all, and that the problem of a 51% attack does not exist on your chain. But it didn't vanish, and by messing with difficulty adjustments, you created a chain that is wide open to further forks, like BSV.

Quote
because if I am mining and suddenly they pull the plug and say you no longer can use these miners because there was an attack, well what am I supposed to do now?
You are still supposed to keep your miner, because of rehashing. If we had any upgrade, people would try to make it backward-compatible. Which means the new consensus could require computing both "SHA-2 and SHA-3", or even some "hardened SHA-256", which means your equipment could still do that better than some CPU. And even if initially you had your ASIC for SHA-256 and a CPU for SHA-3, in the case of a double-hashing consensus you would still need your equipment to compute the part that is backward-compatible.

Quote
developers can't keep their wallets safe, how can they keep a giant network safe when it's under attack?
Why do you think that developers cannot keep their own wallets safe? Fully breaking SHA-256 at the preimage level would mean that everything would need to pass through some hardened SHA-256, or be double-hashed, for example by both SHA-2 and SHA-3. Which means the whole history stored by full archival nodes will be preserved (because people have backups, and because some blockchain copies are stored offline; also because a lot of history is processed many times and stored in many different forms, for example by block explorers; because there are databases, and so on; there are many reasons why a decades-long chain reorganization will not be triggered that easily). Which means, in case of some huge attack, people will start re-hashing things, for example with SHA-3.

Also, you can read what Satoshi wrote about breaking SHA-256.

Quote
SHA-256 is very strong.  It's not like the incremental step from MD5 to SHA1.  It can last several decades unless there's some massive breakthrough attack.

If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.

If the hash breakdown came gradually, we could transition to a new hash in an orderly way.  The software would be programmed to start using a new hash after a certain block number.  Everyone would have to upgrade by that time.  The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used.
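
Added worked example (editor's code, not part of vjudeu's post, Satoshi's quote, or Bitcoin Core): a toy model of the transition Satoshi describes, "save the new hash of all the old blocks to make sure a different block with the same old hash can't be used". To make a second preimage findable on a laptop, the pre-transition hash is deliberately double SHA-256 truncated to 16 bits; SHA3-256 stands in for the hypothetical replacement. Both choices, and the block payloads, are this example's own assumptions.

```python
import hashlib

GENESIS_PREV = b"\x00" * 32


def weak_legacy_hash(prev: bytes, payload: bytes) -> bytes:
    """Stand-in for a *broken* pre-transition hash: double SHA-256 truncated to 16 bits,
    so a second preimage can be brute-forced in well under a second. The truncation is
    this example's device for simulating a break; real SHA-256d cannot be attacked this way."""
    return hashlib.sha256(hashlib.sha256(prev + payload).digest()).digest()[:2]


def new_hash(prev: bytes, payload: bytes) -> bytes:
    """Post-transition block identity. SHA3-256 is an assumed replacement function."""
    return hashlib.sha3_256(prev + payload).digest()


def build_chain(payloads):
    """Blocks are (prev_id, payload) pairs linked by the legacy hash, as before the switch."""
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        chain.append((prev, payload))
        prev = weak_legacy_hash(prev, payload)
    return chain


def commit_history(chain):
    """At the transition height every node records new_hash() of each old block, keyed by
    the block's legacy hash: Satoshi's 'save the new hash of all the old blocks'."""
    return {weak_legacy_hash(prev, p): new_hash(prev, p) for prev, p in chain}


def forge_second_preimage(prev: bytes, payload: bytes) -> bytes:
    """Attacker with a hash break: find a different payload with the same legacy hash."""
    target = weak_legacy_hash(prev, payload)
    i = 0
    while True:
        candidate = b"forged-" + i.to_bytes(4, "big")
        if candidate != payload and weak_legacy_hash(prev, candidate) == target:
            return candidate
        i += 1


def validate_legacy_only(chain) -> bool:
    """Pre-transition rule: each block must point at the legacy hash of its predecessor."""
    prev = GENESIS_PREV
    for blk_prev, payload in chain:
        if blk_prev != prev:
            return False
        prev = weak_legacy_hash(blk_prev, payload)
    return True


def validate_with_commitments(chain, commitments) -> bool:
    """Post-transition rule for old blocks: the legacy link must hold AND the block must
    re-hash under the new function to the value committed at the transition."""
    prev = GENESIS_PREV
    for blk_prev, payload in chain:
        if blk_prev != prev:
            return False
        legacy = weak_legacy_hash(blk_prev, payload)
        if commitments.get(legacy) != new_hash(blk_prev, payload):
            return False
        prev = legacy
    return True


def demo():
    """Swap block 1 for a second preimage and check both validation rules."""
    honest = build_chain([b"block-1", b"block-2", b"block-3"])   # constructed payloads
    commitments = commit_history(honest)
    prev, payload = honest[1]
    swapped = list(honest)
    swapped[1] = (prev, forge_second_preimage(prev, payload))    # same legacy id, new contents
    return {
        "honest_legacy_only": validate_legacy_only(honest),
        "swapped_legacy_only": validate_legacy_only(swapped),       # the break goes unnoticed
        "honest_committed": validate_with_commitments(honest, commitments),
        "swapped_committed": validate_with_commitments(swapped, commitments),  # caught
    }


if __name__ == "__main__":
    print(demo())
```

vjudeu's double-hashing variant is the same mechanism with `new_hash` returning the legacy digest concatenated with the SHA-3 digest, so existing SHA-256 hardware still computes half of the block identity.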

philipma1957
Legendary
Activity: 4116
Merit: 7824
September 23, 2023, 11:41:04 PM
 #22

Quote
...
Which means, the whole history stored by full archival nodes will be preserved (because people have backups, and because some blockchain copies are stored offline; also because a lot of history is processed many times, and stored in many different forms, for example by block explorers; because there are databases, and so on; there are many reasons why a decades long chain reorganization will not be triggered that easily).
...

Yeah, I always run two nodes on and off, so I always have one offline for 10 days.

So I always have a full chain backup offline which is 1 to 10 days old.

I can't be the only one that does this.

WatChe
Hero Member
Activity: 896
Merit: 543
September 24, 2023, 08:55:19 AM
 #23

Advancements in technology are never welcomed at the start. Not many are taking quantum computing seriously at the moment. But quantum computing is a reality, though it may take time to arrive. Quantum is not only a threat to crypto but to many other technologies like blockchain, VPNs and more. The idea behind quantum is that it's targeting the hard problems behind cryptography, like integer factorisation, and once it solves the problem there is no point in increasing the key size.
blu3baer
Newbie
Activity: 7
Merit: 17
September 26, 2023, 11:47:02 AM
 #24

Let's say quantum computing comes slowly and a new algorithm is found that is secure against it. Then bitcoin would most likely change from sha256 to it. So all new wallets/addresses are secured by the new algorithm. What happens with the old ones? If sha256 is broken, you could get the private key from the public key. Or am I wrong with that? So everyone would need to transfer their funds from their old addresses to new ones. Wouldn't that completely blow up the mempool and with that the transaction prices? Most people would lose a lot of their value just to transact to a safer address, or they would leave their funds in the open for anyone with the algorithm to get them.
digaran
Copper Member
Hero Member
Activity: 1330
Merit: 899
September 26, 2023, 01:12:11 PM
 #25

Quote
... If sha256 is broken, you could get the private key from the public key. Or am I wrong with that? So everyone would need to transfer their funds from their old addresses to new ones. ...
The sha256 hash function is used in bitcoin signatures/transactions, mining and generating addresses; it has nothing to do with private keys and the elliptic curve. They are different. Have you ever seen a quantum computer? It's like some sort of alien spaceship engine; I don't think those who can build one powerful enough would use it to target crypto.

If hash functions are compromised there is a chance for bitcoin to survive, but with EC compromised, the whole concept of public key cryptography is doomed. So there will be no transferring of anything.😑

WatChe
Hero Member
Activity: 896
Merit: 543
September 26, 2023, 05:33:35 PM
 #26

Quote
Sha256 hash function is used in bitcoin signatures/transactions, mining and generating addresses, it has nothing to do with private keys and elliptic curve. ...

... with EC compromised, the whole concept of public key cryptography is doomed. So there will be no transferring of anything.😑

IBM last year launched 'IBM Osprey', a new 433-quantum-bit (qubit) processor, and this is quite a step forward in the development of quantum computers; in 2001 we had 7-qubit quantum computers. There are predictions from experts that 2500-4000 logical qubits would break ECDSA (source). Bitcoin is composed of many technologies, SHA256 is used to encrypt blocks of Bitcoin, and in case any technology gets compromised we have a problem.

Quantum computing is in its early stages and may take some years before getting launched. We can't deny it.
blu3baer
Newbie
Activity: 7
Merit: 17
September 26, 2023, 05:35:49 PM
 #27

Quote
...
If hash functions are compromised there is a chance to survive for bitcoin, but with EC compromised, the whole concept of public key cryptography is doomed. So there will be no transferring of anything.😑

Thank you for the explanation.
So an update to a new secure hash algorithm would be a problem from a mempool point of view, but a new EC would be?
Would compromising sha256 be a privacy concern if it is used for generating addresses? Would it mean someone could connect all addresses from one wallet?

Computers used to fill an entire room, now better computers are in everyone's pocket, so we never know how accessible quantum computing could get :)
digaran
Copper Member
Hero Member
Activity: 1330
Merit: 899
September 26, 2023, 06:48:15 PM
 #28

Quote
...
Would compromising sha256 be a privacy concern if it is used for generating addresses? Would it mean someone could connect all addresses from one wallet?
...


You should read the previous page to understand, but it's technical. sha256 has proven to be strong enough, at least so far; many experts work on breaking it, and if one of them finds a weakness, the whole world will know about it and will have time to use a stronger hash function.

If a weakness is found in EC, it should be revealed to everyone; then, if everyone wants to continue using crypto, they will have to use another type of curve, a different and stronger one. If it happens gradually bitcoin can survive; if it gets exploited en masse and suddenly, it would be difficult to restore things back to normal. These are speculations, not experts' opinions.

About wallet tracking, it is unrelated to this topic, but if you don't want anyone to connect your wallets to certain transactions, use a mixer.

BlackHatCoiner
Legendary
Activity: 1512
Merit: 7340
September 26, 2023, 07:09:26 PM
 #29

Quote
Sha256 hash function is used in bitcoin signatures/transactions, mining and generating addresses, it has nothing to do with private keys and elliptic curve.
Actually, it's used in both private keys and elliptic curve. Modern wallet software uses SHA256 to calculate the checksum of the mnemonic, and it is also used to calculate the k value in signatures by following the RFC 6979 standard.

Quote
If hash functions are compromised there is a chance to survive for bitcoin, but with EC compromised, the whole concept of public key cryptography is doomed. So there will be no transferring of anything.😑
If SHA is compromised, then shit has hit the fan, to put it in layman's terms. It is used in every single corner of cryptography, but even if it wasn't, Bitcoin would still not survive, as Proof-of-Work is completely dependent on a secure hash algorithm. It's orders of magnitude worse than being able to work out a private key in a time span of a month.

blu3baer
Newbie
Activity: 7
Merit: 17
September 26, 2023, 09:14:35 PM
Merited by o_e_l_e_o (4)
 #30

Quote
...
If a weakness is found in EC, it should be revealed for everyone, then if everyone wants to continue using crypto, they will have to use another type of curve, a different and stronger one. If it happens gradually bitcoin can survive, if it gets exploited in mass and suddenly, it would be difficult to restore things back to normal. These are speculations, not expert's opinions.


My question is less about how likely it is or if it would be fast. It's more about a possible transition.
Let's say it gets broken some distant time in the future (sha256 and EC), but slowly, and the public is aware of it:
Now people would start migrating to stronger encryption all over the internet, and also bitcoin would introduce an update with a more secure algorithm.
Now all coins on old addresses would possibly be in danger, because over time people could get access to them. At first it would take really long to do, but it will get faster.

What could a possible transition look like? Or would it be the end of bitcoin?
Normally, if you want your coins safe, you would send them to a new wallet that has its sk/pk generated by the new algorithm. But everybody would need to do that, and that would flood the mempool if every living owner of btc suddenly tried to move his coins.

Quote
About wallet tracking, it is unrelated to this topic, but if you don't want anyone to connect your wallets to  certain transactions, use a mixer.

right now you can have multiple addresses on one wallet without any connection between them. My question was if breaking sha256 would make it possible to connect them.
digaran
Copper Member
Hero Member
Activity: 1330
Merit: 899
September 26, 2023, 09:28:58 PM
 #31

Quote
If SHA is compromised, then shit has hit the fan, to put it in laymen terms. It is used in every single corner of cryptography, but even if it wasn't, Bitcoin would still not survive, as Proof-of-Work is completely dependent on a secure hash algorithm. It's orders of magnitude worse than being able to work out a private key in a time span of a month.
I am not familiar with the tech-related stuff behind the scenes of various blockchains / hash functions, but I know they are separate from EC, while DSA depends on them.
IMO, if proof of work is compromised, it will remain secret, because there are much greater benefits in having both a successful network and a backdoor to this network, so I doubt anyone is stupid enough to try and attack when they can own everything.

In the case of mining operations, I had similar concerns until vjudeu replied and explained some solutions to some of the problems.
IMHO, nothing is more important than EC and the safety of private keys, because that's supposed to be a safe vault inside users' houses; whatever happens to them means someone broke in and stole from them, and that kind of event has no turning back. But if, way before that ever happens, we could have plans and suggestions (operational code) in place as an upgrade, then people could be ready for anything.
It would be like when governments fortify their cash reserve vaults with new material and tech; it's a normal and expected change.

But again, when you think about it, why would anyone interrupt the process of his own money printing machine if they can break EC? As a conclusion, I doubt we'll see anything compromising the crypto system any time soon, because their profit depends on the safety of such systems.



Quote
right now you can have multiple addresses on one wallet without any connection between them. My question was if breaking sha256 would make it possible to connect them.

Who says different addresses in the same wallet have no connection? Maybe you need to think about the reason as to why mixers exist. Sha256 is unrelated to privacy concerns about connecting addresses/ wallets.

And about transition to new algo/ network, I'm not an expert, so I don't know.

WatChe
Hero Member
Activity: 896
Merit: 543
September 27, 2023, 06:09:02 AM
 #32

Quote
IMO, if proof of work is compromised, it will remain secret because there is much greater benefits by both having a successful network and a backdoor to this network, so I doubt if anyone is stupid enough to try and attack when they can own everything.

You can take it like that: NSA developed SHA256 for the security of data. They may have the algorithms to break SHA256, but there is more profit in not revealing that they have an algorithm to break SHA256.
If quantum computing becomes a reality we have bigger things to worry about than the security of our wallets, since nothing will be spared by this new computing model.
Synchronice
Hero Member
Activity: 840
Merit: 772
September 27, 2023, 06:40:38 AM
 #33

Quote
If the attacker is a government looking to wipe out BTC and 256bit  crypto safety.  They would do a few of satoshi's just to see how fast it takes them to do a single address.

Only need do a few.

Then do nothing except crack all of satoshi's addresses. Once they do that simply pull out every coin on them in under an hour.  This would crash BTC out and terrify all companies using 256 bit encryption.
I just don't understand why any government would attack the bitcoin network; that would be a huge scandal, because millions of people have savings in bitcoin, there are tons of bitcoin-related businesses, there are lots of multi-millionaires and billionaires in the crypto world, and they can't just ruin their lives so easily.


Quote
This is one dangerous idea, thinking about it makes you wonder, what if they can use their ability to produce custom double hashes and start collecting all the mining rewards?  And when they figure out a way to break sha256, what if for years they keep it a secret and then have access to everything dependent on sha256 security?

What if they manage to reverse some transactions in the future?
First of all, such a rapid development and attack can't happen overnight. If technology advances to such an extent, it will happen in a timeframe that will give us enough time to be ready, adapt to new changes and make a quantum-resistant bitcoin. If it happens otherwise and this technology comes out of nowhere, then not only bitcoin but the whole world wide web will be destroyed, because you have to think not only about bitcoin but about other websites: absolutely every email/account will get hacked, every content management system will get hacked, it will be like an intense earthquake in the virtual world.
So, that won't happen, relax and chill guys.


.freebitcoin.       ▄▄▄█▀▀██▄▄▄
   ▄▄██████▄▄█  █▀▀█▄▄
  ███  █▀▀███████▄▄██▀
   ▀▀▀██▄▄█  ████▀▀  ▄██
▄███▄▄  ▀▀▀▀▀▀▀  ▄▄██████
██▀▀█████▄     ▄██▀█ ▀▀██
██▄▄███▀▀██   ███▀ ▄▄  ▀█
███████▄▄███ ███▄▄ ▀▀▄  █
██▀▀████████ █████  █▀▄██
 █▄▄████████ █████   ███
  ▀████  ███ ████▄▄███▀
     ▀▀████   ████▀▀
BITCOIN
DICE
EVENT
BETTING
WIN A LAMBO !

.
            ▄▄▄▄▄▄▄▄▄▄███████████▄▄▄▄▄
▄▄▄▄▄██████████████████████████████████▄▄▄▄
▀██████████████████████████████████████████████▄▄▄
▄▄████▄█████▄████████████████████████████▄█████▄████▄▄
▀████████▀▀▀████████████████████████████████▀▀▀██████████▄
  ▀▀▀████▄▄▄███████████████████████████████▄▄▄██████████
       ▀█████▀  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  ▀█████▀▀▀▀▀▀▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.PLAY NOW.
satscraper
Hero Member
Activity: 728
Merit: 1338
September 27, 2023, 07:12:17 AM
 #34

Quote
This will not affect mining or nodes or bitcoin wallets. Only what that will happen is for bitcoin developers to develop quantum computer resistant one which may require an update nodes, miners and wallets.

Before bitcoin will not be able to be resistant against quantum computing, bitcoin developers would have created quantum resistant one.

Agreed.

There is a vast thing in your favor: NIST has been working on the development of quantum-resistant algorithms for several years, and their efforts are not in vain. Some of those algos are already in the testing phase[1].

The advances in quantum computing make the subject matter a quite real thing that may happen in the near future [2].

AI-quantum would be a real threat[3], IMHO.


*************************************************

[1]. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
[2]. Quantum-resistance in blockchain networks
[3]. "The Next Computing Revolution is with AI-Quantum" ft. Michio Kaku

BlackHatCoiner
Legendary
Activity: 1512
Merit: 7340
September 27, 2023, 07:28:14 AM
 #35

Quote
I know they are separate from EC, while DSA depends on them.
Elliptic curves are independent, indeed. But bitcoin isn't merely using elliptic curves. There are standards followed, like the one I outlined, where to sign a message you hash your private key with your message to generate a pseudorandom k value, which will then be used to verify the signature.

Quote
It would be like when governments fortify their cash reserve vaults with new material and tech, it's a normal and expected change.
Yes, but look at it the other way: bitcoin is a continuous trouble for them. They strongly support the ability to manipulate the money supply, perhaps to the extent that causing the destruction of a few billion dollars is justifiable.
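
Added example for the point BlackHatCoiner makes in #29 and #35 (editor's code, not the poster's and not any wallet's implementation): a from-scratch secp256k1 ECDSA signer that shows exactly where SHA-256 touches the private key, namely RFC 6979 nonce derivation with HMAC-SHA256 over the key and the message hash, and the failure the deterministic nonce prevents: two signatures sharing k give the private key away. Assumptions: the message is hashed with a single SHA-256 (Bitcoin's sighash is double SHA-256 of the transaction digest), the curve arithmetic is unoptimised affine Python, and the fixed nonce in `sign_with_nonce` is a constructed bug used only to stage the attack.

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity. Unoptimised on purpose."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def pubkey(priv: int):
    return ec_mul(priv, G)


def msg_hash(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()   # single SHA-256 for this demo (assumption)


def rfc6979_k(priv: int, h1: bytes) -> int:
    """RFC 6979 section 3.2 with HMAC-SHA256: k is a deterministic function of (key, hash).
    This is where SHA-256 is mixed with the private key, as BlackHatCoiner describes."""
    x = priv.to_bytes(32, "big")
    h = (int.from_bytes(h1, "big") % N).to_bytes(32, "big")      # bits2octets(h1)
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()   # retry path, rarely taken
        V = hmac.new(K, V, hashlib.sha256).digest()


def sign_with_nonce(priv: int, msg: bytes, k: int):
    """Raw ECDSA with a caller-supplied nonce; only safe when k is unique per signature."""
    z = int.from_bytes(msg_hash(msg), "big")
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:                      # low-s normalisation, as Bitcoin's policy requires
        s = N - s
    return r, s


def sign(priv: int, msg: bytes):
    """ECDSA with the RFC 6979 nonce: same key and message always give the same signature."""
    return sign_with_nonce(priv, msg, rfc6979_k(priv, msg_hash(msg)))


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(msg_hash(msg), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_from_nonce_reuse(pub, msg1, sig1, msg2, sig2):
    """Two signatures under one key with equal r (same k) leak the key:
    k = (z1 - z2)/(s1 - s2), d = (s1*k - z1)/r. Low-s normalisation may have flipped
    either s, so try s2 and -s2 and confirm the candidate against the public key."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    z1 = int.from_bytes(msg_hash(msg1), "big")
    z2 = int.from_bytes(msg_hash(msg2), "big")
    for s2c in (s2, N - s2):
        if (s1 - s2c) % N == 0:
            continue
        k = (z1 - z2) * pow(s1 - s2c, -1, N) % N
        d = (s1 * k - z1) * pow(r1, -1, N) % N
        if 0 < d < N and ec_mul(d, G) == pub:
            return d
    return None


if __name__ == "__main__":
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD   # constructed key
    Q = pubkey(d)
    print(verify(Q, b"tx-1", sign(d, b"tx-1")))
    bad1, bad2 = sign_with_nonce(d, b"tx-1", 0x1234567), sign_with_nonce(d, b"tx-2", 0x1234567)
    print(hex(recover_from_nonce_reuse(Q, b"tx-1", bad1, b"tx-2", bad2)) == hex(d))
```

The thread's point follows directly: a break of SHA-256's pseudorandomness would not reveal keys by itself, but it would remove the guarantee that k is unpredictable and distinct per message, which is precisely the property `recover_from_nonce_reuse` exploits.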

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18509
September 27, 2023, 10:07:26 AM
Merited by blu3baer (1)
 #36

Quote
Normally if you want your coins safe you would send them to a new wallet that has its sk/pk generated by the new algorithm. But everybody would need to do that and that would flood the mempool if every living owner of btc would suddenly try to move his coins.
There are currently in the region of 200,000,000 unspent UTXOs. With optimally somewhere around 10,000 outputs being spent per block, we are looking at 20,000 blocks, which is ~139 days of no other transactions, to move everything to a quantum-resistant algorithm, assuming all outputs were being moved to the new algorithm. If you want to move every coin to the new quantum-proof address at once like this, then yes, that's a real concern.

There are a number of caveats to this, though, which mean in reality it won't be as bad as this. Assuming we will have plenty of time (in the order of several years) to move across to the new algorithm, then it is easy for a large part of this to take place passively with no additional load on the mempool. That is to say, whenever in the next few days, weeks, months, or years I plan to spend certain outputs, I simply direct any change to a new quantum-proof address instead of back to an old address. Any transactions which are going to be happening anyway, such as depositing coins to an exchange or paying a service, can similarly take up no additional block space once those exchanges and services move to the new algorithm. Indeed, given enough time, the only coins we need to consider are dormant coins being held long term, since all coins being actively transacted will end up on the new algorithm anyway.

And even then there are proposals for other things we can do for those dormant coins to stop them being stolen should we run out of time. One such proposal is to lock any coins before they become vulnerable to theft, but provide a mechanism for the true owner to access them by providing a zero-knowledge proof of (for example) the seed phrase or master chain code involved in the generation of these addresses.
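
Added example illustrating o_e_l_e_o's migration arithmetic and blu3baer's question about which old outputs are actually at risk (editor's code, not either poster's): it classifies scriptPubKeys by whether the public key is already visible on chain, which is what an ECDLP break would need, flags address reuse as exposure, and reproduces the 200,000,000 outputs / 10,000 per block / ~139 days figure. The sample UTXO set, its names and its "spent from before" flags are constructed, and the hash and key bytes are placeholders.

```python
import hashlib

OUTPUTS_PER_BLOCK = 10_000    # o_e_l_e_o's optimistic figure for outputs spent per block
BLOCK_INTERVAL_MIN = 10


def classify_script(spk: bytes):
    """Return (output_type, key_visible) for a scriptPubKey. key_visible is True when the
    public key itself sits in the output, so an ECDLP break exposes the coins immediately."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:        # <pubkey> OP_CHECKSIG
        return "P2PK", True
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False                                         # HASH160(pubkey) only
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True                                           # x-only key is the output
    return "nonstandard", True                                        # assume the worst


def key_exposed(utxo: dict) -> bool:
    """A hash-type output still leaks its key once an earlier spend from the same address
    has been published, so address reuse counts as exposure."""
    _, visible = classify_script(utxo["script"])
    return visible or utxo["address_spent_from_before"]


def triage(utxos):
    """Split into outputs that must move first and outputs the hash protects until spent."""
    exposed = [u["name"] for u in utxos if key_exposed(u)]
    protected = [u["name"] for u in utxos if not key_exposed(u)]
    return exposed, protected


def forced_migration_blocks(n_outputs: int, per_block: int = OUTPUTS_PER_BLOCK) -> int:
    """Blocks needed if every output moved at once and nothing else were mined."""
    return -(-n_outputs // per_block)          # ceiling division


def blocks_to_days(blocks: int) -> float:
    return blocks * BLOCK_INTERVAL_MIN / (60 * 24)


def _h(tag: bytes, n: int) -> bytes:
    """Placeholder hash/key bytes for the constructed sample set."""
    return hashlib.sha256(tag).digest()[:n]


# Constructed sample UTXO set, not real chain data.
SAMPLE_UTXOS = [
    {"name": "P2PK (early coinbase)", "script": b"\x41\x04" + _h(b"k1", 32) + _h(b"k2", 32) + b"\xac",
     "address_spent_from_before": False},
    {"name": "P2PKH fresh", "script": b"\x76\xa9\x14" + _h(b"a1", 20) + b"\x88\xac",
     "address_spent_from_before": False},
    {"name": "P2PKH reused", "script": b"\x76\xa9\x14" + _h(b"a2", 20) + b"\x88\xac",
     "address_spent_from_before": True},
    {"name": "P2WPKH fresh", "script": b"\x00\x14" + _h(b"a3", 20),
     "address_spent_from_before": False},
    {"name": "P2TR fresh", "script": b"\x51\x20" + _h(b"x1", 32),
     "address_spent_from_before": False},
]

if __name__ == "__main__":
    print(triage(SAMPLE_UTXOS))
    blocks = forced_migration_blocks(200_000_000)
    print(blocks, round(blocks_to_days(blocks), 1))   # 20000 138.9
```

Two caveats the classifier cannot see: a hash-protected output reveals its key in the mempool while the spending transaction is unconfirmed, and taproot outputs carry the key in the output itself, so "never reused" does not help them. The lock-and-prove proposal in the post above targets the first window.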

virasog
Legendary
Activity: 2982
Merit: 1159
September 27, 2023, 05:41:50 PM
 #37

Quote
IMO, if proof of work is compromised, it will remain secret because there is much greater benefits by both having a successful network and a backdoor to this network, so I doubt if anyone is stupid enough to try and attack when they can own everything.

Well, I don't think that it can remain a secret. If one entity has the resources and techniques to compromise the proof of work, then they should not remain in the belief that no one else can do it. What if they keep it a secret, in vision of owning everything, while the other party comes and takes away all?

By the way, once the PoW is compromised, the price will automatically fall to zero even before any party has any chance to sell.

digaran
Copper Member
Hero Member
Activity: 1330
Merit: 899
September 28, 2023, 04:14:05 AM
Merited by vjudeu (1)
 #38

Quote
Well, i don't think that it can remain a secret. If one entity has the resources and techniques to compromise the proof of work, then they should not remain in belief that none other can do it. What if they keep it a secret, in vision of owning everything , while the other party comes and takes away all.

By the way, once the POW is compromised, the price will automatically fall to Zero even before any party have any chance to sell.

As more informed members mentioned previously, there is no "one" solution, equation or algorithm that could have the answer to all the problems, meaning if PoW is compromised, it would only work to generate blocks e.g. 10× faster than others with the same hash rate, so there will not be any all-in-one solution to manipulate everything.

If there hasn't been any exploitation of EC keys and hash functions, there are 2 reasons: 1) it doesn't exist, 2) it exists, we are just not ready to advance to that stage yet; as you know the universe has a God who controls everything, we just have to hope it comes gradually, giving time for a safe transition. Humanity deserves financial decentralization, and that could only be achieved by having publicly available, difficult-to-crack equations/algorithms.

vjudeu
Hero Member
*****
Offline Offline

Activity: 670
Merit: 1549



View Profile
September 28, 2023, 04:40:17 AM
 #39

Quote
it exists, we are just not ready to advance to that stage yet
This is always the case. Why? Because all algorithms are based on unsolved math problems, for example the "elliptic curve discrete logarithm problem" (ECDLP). As long as it is unsolved, we can use elliptic curves in the same way as today. But once someone finds a mathematical solution, you need to find another problem, and build a new system around that. Also, for that reason, humans should never know the answer to every problem, because then you can no longer build any new crypto-based system.

Another important thing to note is that if the true owner of some coins can do something to move them, then it is technically possible to steal those coins, if someone else repeats those steps. Which means, we are never at the "it doesn't exist" stage, unless you send your coins to a Script where nobody can move them, including yourself, for example OP_RETURN.

Quote
we just have to hope it comes gradually, giving time for a safe transition
To date, it is still true. For now, it comes gradually, because for example chainwork can show you how far people are when it comes to breaking SHA-256. For public keys, currently there is no provably fair puzzle, but you can make some assumptions, based on that famous centralized puzzle (it is centralized, because if you want to build it in a truly trustless way, then you need something like DLEQ, where the creator of the puzzle could not move the coins without solving it).
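
An added example of the chainwork point in the post above; it is not vjudeu's code nor code from any Bitcoin project. It decodes the compact "nBits" target the way Bitcoin Core's consensus rules do (rejecting negative, zero and above-limit targets), sums the expected number of header hashes per block into chainwork, and expresses that total as a bit count against the 2^256 classical and 2^128 Grover-bounded preimage bounds for SHA-256. The only real value is the genesis nBits 0x1d00ffff; the other nBits in the sample list, and the margin_report helper, are constructed for illustration.

```python
import math

# Mainnet proof-of-work limit: the easiest allowed target, which is also the
# genesis block's target (nBits 0x1d00ffff).
POW_LIMIT = 0xFFFF << 208


def decode_compact(nbits: int) -> int:
    """Expand Bitcoin's 32-bit compact 'nBits' encoding into a 256-bit target.

    Layout: the top byte is a base-256 exponent, the low 23 bits are the
    mantissa, and bit 23 is a sign flag. Negative, zero, or above-limit
    targets are not valid proof-of-work targets, so they are rejected here
    just as Bitcoin Core's CheckProofOfWork rejects them.
    """
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    negative = bool(nbits & 0x00800000)
    if exponent <= 3:
        target = mantissa >> (8 * (3 - exponent))
    else:
        target = mantissa << (8 * (exponent - 3))
    if negative or target == 0 or target > POW_LIMIT:
        raise ValueError(f"invalid proof-of-work target in nBits {nbits:#010x}")
    return target


def block_work(nbits: int) -> int:
    """Expected number of header hashes needed to find one block at this target.

    This is the same quantity Bitcoin Core accumulates as chainwork:
    floor(2^256 / (target + 1)).
    """
    target = decode_compact(nbits)
    return (1 << 256) // (target + 1)


def chainwork(nbits_sequence) -> int:
    """Cumulative expected work over a sequence of block nBits values."""
    return sum(block_work(nb) for nb in nbits_sequence)


def bits_of_work(work: int) -> float:
    """log2 of the work: the bit-strength of brute force publicly demonstrated."""
    return math.log2(work)


def margin_report(work: int) -> dict:
    """Distance (in bits) between demonstrated work and the two preimage bounds.

    Hypothetical helper: 128 bits is the generic Grover bound on a SHA-256
    preimage search, 256 bits the classical bound.
    """
    demonstrated = bits_of_work(work)
    return {
        "demonstrated_bits": demonstrated,
        "below_grover_preimage": 128.0 - demonstrated,
        "below_classical_preimage": 256.0 - demonstrated,
    }


if __name__ == "__main__":
    # Constructed sample: the real genesis nBits twice, then two illustrative
    # harder targets. This is not a real chain segment.
    SAMPLE_NBITS = [0x1D00FFFF, 0x1D00FFFF, 0x17034219, 0x17034219]
    total = chainwork(SAMPLE_NBITS)
    print(f"chainwork = {total:#x}")
    for name, value in margin_report(total).items():
        print(f"{name}: {value:.2f}")
```

Chainwork counts expected evaluations of the double-SHA-256 header hash, so its log2 is a concrete, publicly verifiable lower bound on brute-force effort that has actually been spent. That is what makes it a useful early-warning gauge in the sense of the post: the number to watch is how far the demonstrated bits sit below the bound relevant to a given attack model, and the "it comes gradually" assumption holds only while that gap stays large.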

CreepyUncleJoe
Newbie
*
Offline Offline

Activity: 23
Merit: 2


View Profile WWW
October 05, 2023, 12:29:47 PM
 #40

If there were a successful quantum attack on SHA-256, which is the hashing algorithm used in Bitcoin, it would have significant implications for the Bitcoin network and its infrastructure. Here's how it might affect miners, mining hardware, Bitcoin wallets, and the need to migrate funds:

Miners and Mining Hardware:

Miners would be affected because the current Proof of Work (PoW) algorithm in Bitcoin relies heavily on SHA-256 for mining.
Quantum computers could potentially break the cryptographic primitives underpinning SHA-256, which would render the current mining hardware and strategies obsolete.
To maintain the security of the network, Bitcoin would need to transition to a quantum-resistant PoW algorithm, such as one based on quantum-resistant cryptographic primitives like lattice-based cryptography or hash-based signatures.
Miners would need to upgrade their hardware and software to adapt to the new algorithm, which might require significant investments.

Bitcoin Wallets:

Existing Bitcoin wallets that use classical public-key cryptography could become vulnerable to quantum attacks if a quantum computer becomes capable of breaking these algorithms.
Users might need to transition to quantum-resistant wallet software or generate new quantum-resistant addresses.
It's essential to note that not all wallets would be equally vulnerable; those that use post-quantum cryptographic techniques would be more secure.

Migration of Funds:

Depending on the severity of the quantum threat and the actions taken by the Bitcoin community, there might be a need to migrate funds from old addresses to new quantum-resistant addresses.
This migration process could be initiated by wallet software providers or done manually by users, depending on the circumstances and the transition strategy chosen by the Bitcoin developers and community.
The migration would involve creating new quantum-resistant keys and transferring Bitcoin holdings to these new addresses. Users would have to follow guidelines provided by wallet developers or the Bitcoin community to ensure a secure transition.

In summary, a successful quantum attack on SHA-256 would necessitate significant changes to the Bitcoin network, including a transition to a quantum-resistant PoW algorithm, upgrades to mining hardware and software, and a potential migration of funds to new quantum-resistant addresses. The specifics of these changes would depend on the nature and timing of the quantum threat, as well as the response of the Bitcoin community and developers. It's crucial for users to stay informed about developments in quantum computing and the Bitcoin ecosystem to take appropriate actions to protect their holdings.