Quantum Computing and Bitcoin private key

[BitcoinGirl.Club]

So they are working heavily in quantum computing from 2017. There is s race between China and USA to show who is bigger. So far China seems ahead in quantum computing.

tl;dr;
With quantum computing the current email security will break, anything even the banking sector that is secured by current encryption methods will be broken. USA is not issuing their cbdc yet because they are working on quantum computing proof encryption. Banks are will move to the new technology too.

Are we preparing to protect Bitcoin from quantum computing era?

[1714252126]

1714252126

[1714252126]

1714252126

[ranochigo]

Quantum computing will not cripple Bitcoin, at least not in the immediate future. The whole fear about Quantum Computing is with the fact that Shor's algorithm can break Asymmetric Crypto algorithms, which is basically used by everything. Note that this doesn't provide enough speedup for symmetric ones, SHA256 and RIPEMD160 for example. Now, not everything with Bitcoin would be broken, just that it'll be possible to get a speedup on cracking the public key to get the private key.

However, the breaking of the keys are not instantaneous. Time is needed to run and the only time that the public key gets exposed when used in a P2PKH, P2WPKH, etc transaction is when a transaction gets sent. So long as you are not reusing your addresses, I don't see this to be an immediate problem that we have to solve. Waiting to evaluate and slowly transitioning will be the best. Currently, I think the amount of qubits is still nowhere near. Probably would need more than 2K with a fairly reliable one to be able to do it.

Bitcoin would probably be the least of the target; If governments were to have exclusive access, they would be too busy trying to break the hordes of data rather than trying to get some Bitcoins.

[LoyceV]

USA is not issuing their cbdc yet because they are working on quantum computing proof encryption.

Do you have a source for this? I can think of many more reasons to delay their CBDC plans, and I can also think of many more worries concerning the rest of the banking system than just CBDC.

Bitcoin would probably be the least of the target; If governments were to have exclusive access, they would be too busy trying to break the hordes of data rather than trying to get some Bitcoins.

Once more than one actor has access to enough computing power to steal Bitcoins, Bitcoin becomes worthless to them (and anyone else). Let's say someone steals 10,000 Bitcoins using quantum computing. Then he wants to use it, and makes a transaction. Now someone else steals the Bitcoins, after which the process repeats itself. This won't lead to stolen Bitcoins, it will destroy Bitcoin.
Unless, of course, the protocol gets an update long before this scenario becomes a reality (in the distant future).

[ranochigo]

Once more than one actor has access to enough computing power to steal Bitcoins, Bitcoin becomes worthless to them (and anyone else). Let's say someone steals 10,000 Bitcoins using quantum computing. Then he wants to use it, and makes a transaction. Now someone else steals the Bitcoins, after which the process repeats itself. This won't lead to stolen Bitcoins, it will destroy Bitcoin.
Unless, of course, the protocol gets an update long before this scenario becomes a reality (in the distant future).

Yep, that is one of the main concerns. I see only a way to go with this: Introduce new transaction formats and I'm fairly sure proof of ownership for P2PK outputs are difficult or close to impossible, so there is a dilemma: Either you burn them, or you let the adversary take it. Either ways, not particularly ethical. Had several discussions on this, and I think that there are pros and cons to both, just the lesser of both evils.

[LoyceV]

Yep, that is one of the main concerns. I see only a way to go with this: Introduce new transaction formats and I'm fairly sure proof of ownership for P2PK outputs are difficult or close to impossible, so there is a dilemma: Either you burn them, or you let the adversary take it. Either ways, not particularly ethical. Had several discussions on this, and I think that there are pros and cons to both, just the lesser of both evils.

A (partial) solution would be to require moving all coins to a new encryption long before Bitcoin is at risk, and burning anything else after a certain amount of time. But it goes against everything Bitcoin stands for.

[BitcoinGirl.Club]

USA is not issuing their cbdc yet because they are working on quantum computing proof encryption.

Do you have a source for this? I can think of many more reasons to delay their CBDC plans, and I can also think of many more worries concerning the rest of the banking system than just CBDC.

I can't remember the source, I read it somewhere however I agree that there could be many other reason.

A (partial) solution would be to require moving all coins to a new encryption long before Bitcoin is at risk, and burning anything else after a certain amount of time. But it goes against everything Bitcoin stands for.

Ultimately we will need a hard fork. From history we saw fork did not work well. Bitcoin never will be the same Bitcoin it is now.

[ranochigo]

Ultimately we will need a hard fork. From history we saw fork did not work well. Bitcoin never will be the same Bitcoin it is now.

Actually only two hard forks have happened in Bitcoin, and both of which are a direct result of vulnerabilities that were discovered in Bitcoin. They were done without any resistance because they were especially critical in the circumstances.

I’d argue for Bitcoin to undergo a hard fork in the future, solely because it is necessary for its survival. I don’t think Bitcoin has to remain the same nor maintain the status quo. Resistance against QC is probably one of the key issues that the community has to be accepting of.

[apogio]

Quantum computing will not cripple Bitcoin, at least not in the immediate future. The whole fear about Quantum Computing is with the fact that Shor's algorithm can break Asymmetric Crypto algorithms, which is basically used by everything. Note that this doesn't provide enough speedup for symmetric ones, SHA256 and RIPEMD160 for example.

Just for the sake of accuracy, let me ask the following to clarify whether my thoughts are correct.
I thought that the classification in symmetric and asymmetric algorithms only applies to encoding/decoding and encryption algothims.
SHA256 and RIPEMD160 are not encoding/decoding algorithms, nor encryption algorithms. They are one-way functions that always produce the same result (digest) for a given input.
There isn't an encryption key, in SHA256, nor in RIPEMD160 so they can't be classified as symmetric or asymmetric.
Am I wrong?

[BlackHatCoiner]

Yep, that is one of the main concerns. I see only a way to go with this: Introduce new transaction formats and I'm fairly sure proof of ownership for P2PK outputs are difficult or close to impossible

How can you prove ownership of P2PK outputs beyond by having the signature? Modern wallet software which use BIP39 etc., and has an extra layer above key pairs, like seed, can work like proof of ownership. For example, an attacker can work out the private key of a public key, but the true owner knows the seed that derives every key.

Either you burn them, or you let the adversary take it.

What is the argument that supports burning coins? Sounds very anti-Bitcoin to me. If the owner has lost access to their bitcoin, then they're already "burned" for them. Why does the network have to speak for them?

[ranochigo]

Just for the sake of accuracy, let me ask the following to clarify whether my thoughts are correct.
I thought that the classification in symmetric and asymmetric algorithms only applies to encoding/decoding and encryption algothims.
SHA256 and RIPEMD160 are not encoding/decoding algorithms, nor encryption algorithms. They are one-way functions that always produce the same result (digest) for a given input.
There isn't an encryption key, in SHA256, nor in RIPEMD160 so they can't be classified as symmetric or asymmetric.
Am I wrong?

I stand corrected. Moe specifically, they should be under the umbrella of hash functions.

How can you prove ownership of P2PK outputs beyond by having the signature? Modern wallet software which use BIP39 etc., and has an extra layer above key pairs, like seed, can work like proof of ownership. For example, an attacker can work out the private key of a public key, but the true owner knows the seed that derives every key.

You can't. That's why I said it would be impossible to prove P2PK ownership, or P2PKH ownership for that matter. Using seed as a filtering criteria can be very unfair and doesn't exactly allow all of the rightful owner to gain access to their coin.

What is the argument that supports burning coins? Sounds very anti-Bitcoin to me. If the owner has lost access to their bitcoin, then they're already "burned" for them. Why does the network have to speak for them?

If you allow all of them to be stolen, when QC becomes widely accessible and cheap enough, then you have close to 1 to 2 million Bitcoins being stolen. This is fairly bad if you consider that this would be around 10% of the entire circulation of Bitcoin. This will crash Bitcoin's economy and destabilize a currency that I presume would be somewhat stable by the time this happens.

Conversely, if you lock them, then this doesn't happen and giving them 10 years or even 20 years notice would be fairly sufficient. Of course this is anti-Bitcoin, but I suspect that lots of people, specifically businesses and larger coin owners would be in support of this. Personally, I'm on the fence and my opinion is that this would depend on what happens in the future.

[BlackHatCoiner]

You can't. That's why I said it would be impossible to prove P2PK ownership, or P2PKH ownership for that matter. Using seed as a filtering criteria can be very unfair and doesn't exactly allow all of the rightful owner to gain access to their coin.

Sure, I'd be very against on any such protocol. It is practically infeasible and pointless.

This is fairly bad if you consider that this would be around 10% of the entire circulation of Bitcoin.

This is 10% of the entire circulation. They are not provably lost. We should consider that they can potentially enter the market at any time. In fact, I do consider it probable that Satoshi and the rest of the early miners will transfer them to quantum safe addresses when the time comes. Whether the lawful owners of these coins or attackers bring them into circulation, it will be equally bad for the Bitcoin economy.

[apogio]

In fact, I do consider it probable that Satoshi and the rest of the early miners will transfer them to quantum safe addresses when the time comes.

I have never thought about it, but it sounds very reasonable. That's of course possible, if we take for granted that satoshi is still out there, or that their keys are safe in someone else's hands.

[ranochigo]

This is 10% of the entire circulation. They are not provably lost. We should consider that they can potentially enter the market at any time. In fact, I do consider it probable that Satoshi and the rest of the early miners will transfer them to quantum safe addresses when the time comes. Whether the lawful owners of these coins or attackers bring them into circulation, it is equally bad for the Bitcoin economy.

Correct, it is a non-zero chance. However, they are definitely not equally bad for the economy. If the lawful owner appears and moves the coin, I don’t think users would have an issue with them, since it is still rightfully theirs.

However, if we don’t have any answer for it, then it would be an issue as the impending QC doom comes. Firstly, there would be tons of FUD and the price would fall as a result. After the coins are moved, then there would be even more repercussions, since attackers are feasibly stealing coins from the addresses and essentially inducing a supply side shock to the market. I’d think it is a clear decision to just let them steal if its a small percentage, but if more than 10% (consider that people who has lost their private keys will increase until far in the future), then I have doubts that the market would function as per normal and a good proportion would move to another altcoin that is QC resistant from the start, and thereby having no such issues.

Now, I’m not advocating for, or against burning these coins. I think that more has to be considered before we make the decision as a community, and even then, I’m sure both camps will split the chain when the time comes. I’m just not particularly convinced that either of them would be the clear choice down the road.

[BlackHatCoiner]

I have never thought about it, but it sounds very reasonable. That's of course possible, if we take for granted that satoshi is still out there, or that their keys are safe in someone else's hands.

I never understood why we treat Satoshi's coins as "unofficially lost". Just because they haven't moved since 2009-2010 doesn't mean he is dead or has lost the keys. To both these scenarios there's an equally probable scenario (as far as we're aware) where Satoshi notices his coins are likely to be stolen, and chooses to either burn them or transfer them to quantum safe addresses.

Also, there are posts like this one that demonstrate there exist miners (or Satoshi maybe) who haven't spent their early coinbase rewards but possess the private keys. I take it as granted that they will protect them from quantum computers.

[ABCbits]

tl;dr;
With quantum computing the current email security will break, anything even the banking sector that is secured by current encryption methods will be broken. USA is not issuing their cbdc yet because they are working on quantum computing proof encryption. Banks are will move to the new technology too.

FWIW some popular encryption cryptography (such as AES-256) is deemed secure enough against quantum computing.

Are we preparing to protect Bitcoin from quantum computing era?

You might want to read this old article, https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin.

What is the argument that supports burning coins? Sounds very anti-Bitcoin to me. If the owner has lost access to their bitcoin, then they're already "burned" for them. Why does the network have to speak for them?

If you allow all of them to be stolen, when QC becomes widely accessible and cheap enough, then you have close to 1 to 2 million Bitcoins being stolen. This is fairly bad if you consider that this would be around 10% of the entire circulation of Bitcoin. This will crash Bitcoin's economy and destabilize a currency that I presume would be somewhat stable by the time this happens.

Conversely, if you lock them, then this doesn't happen and giving them 10 years or even 20 years notice would be fairly sufficient. Of course this is anti-Bitcoin, but I suspect that lots of people, specifically businesses and larger coin owners would be in support of this. Personally, I'm on the fence and my opinion is that this would depend on what happens in the future.

But aside from few government or elite, who dares to steal Bitcoin (which assumed to be mined by Satoshi) and able either to exchange or use it without legal problem?

[ranochigo]

But aside from few government or elite, who dares to steal Bitcoin (which assumed to be mined by Satoshi) and able either to exchange or use it without legal problem?

This isn't some petty theft, and definitely not just FTX scamming customer of their funds. Stealing over 2 million Bitcoins is a big deal and I'm sure that there would be a way to launder it and ensure that these can be cleaned in the future. I'm guessing that the attack would likely be state-sponsored if it ever happens though, for the fact that they would have first-movers advantage.

There is a whole other issue about fungibility as well. Should we still allow hackers access to those Bitcoin, or condemn governments for attempting to censor it? This would be like Ethereum V Ethereum Classic again and hopefully we won't have to reach that stage.

[BitcoinGirl.Club]

But aside from few government or elite, who dares to steal Bitcoin (which assumed to be mined by Satoshi) and able either to exchange or use it without legal problem?

This isn't some petty theft, and definitely not just FTX scamming customer of their funds. Stealing over 2 million Bitcoins is a big deal and I'm sure that there would be a way to launder it and ensure that these can be cleaned in the future. I'm guessing that the attack would likely be state-sponsored if it ever happens though, for the fact that they would have first-movers advantage.

Quantum computers are not going to be cheap that average people are going to have one for each. I doubt even millionaires [at-least for the first few decades] will have one for each. It's going to be highly expensive that only government funded agencies can afford it. So when a coin will move, they will not tell it stealing, they will call it breaking bitcoin's security.

There is a whole other issue about fungibility as well. Should we still allow hackers access to those Bitcoin, or condemn governments for attempting to censor it? This would be like Ethereum V Ethereum Classic again and hopefully we won't have to reach that stage.

We can not ignore the fact that it's not going to happen too.

Bitcoin already has some built-in quantum resistance. If you only use Bitcoin addresses one time, which has always been the recommended practice, then your ECDSA public key is only ever revealed at the one time that you spend bitcoins sent to each address. A quantum computer would need to be able to break your key in the short time between when your transaction is first sent and when it gets into a block. It will likely be decades after a quantum computer first breaks a Bitcoin key before quantum computers become this fast

Quoting for highlighting from https://en.bitcoin.it/wiki/Quantum_computing_and_Bitcoin

[ranochigo]

Quantum computers are not going to be cheap that average people are going to have one for each. I doubt even millionaires [at-least for the first few decades] will have one for each. It's going to be highly expensive that only government funded agencies can afford it. So when a coin will move, they will not tell it stealing, they will call it breaking bitcoin's security.

Depends, we've seen loads of stuff happening on the computing clusters of quite a few university as well. Cost is only going to get cheaper, until the point where someone with malicious intentions have access to it. Besides, it would be a matter of time, and that is unless you think Bitcoin won't survive for that long.

Government sponsored attacks are not uncommon, just look at the APTs out there for example, and I wouldn't have a doubt that these gets stolen by a semi-big country to evade sanctions.

We can not ignore the fact that it's not going to happen too.

Bitcoin already has some built-in quantum resistance. If you only use Bitcoin addresses one time, which has always been the recommended practice, then your ECDSA public key is only ever revealed at the one time that you spend bitcoins sent to each address. A quantum computer would need to be able to break your key in the short time between when your transaction is first sent and when it gets into a block. It will likely be decades after a quantum computer first breaks a Bitcoin key before quantum computers become this fast

This is accurate. However, we aren't talking about these Bitcoin addresses in this scenario. Change address is quite commonly used now but P2PK and address reuse was quite prominent previously.  Counting P2PK keys and address reuse, we are looking at more than a million or two Bitcoins, and they aren't necessarily going to be moved before this happens.

[LoyceV]

Quantum computers are not going to be cheap that average people are going to have one for each. I doubt even millionaires [at-least for the first few decades] will have one for each.

Who's talking about owning one? Quantum computing in the cloud will be the future! Perfect for researchers, and perfect for anyone else. Scalable, just select how many qubits you need, and pay per hour

[BitcoinGirl.Club]

Change address is quite commonly used now

People are now more aware about coin controlling and coins privacy than before. I do it always but never had this Quantum Computing awareness before when using change address.

Scalable, just select how many qubits you need, and pay per hour

Absolutely correct observation. It did not cross my mind. Good thing is perhaps we are looking at it after a few decades, I am confident that not when I am alive LOL