Fees are low? Make your coins more private and (almost) quantum safe!

[btcltcdigger]

To be honest i've considered this, but then again, if i got my moolah on a ledger that's not really exposed anywhere, why bother? Usually when i use funds, i filter them through an exchange and that way traces are more or less gone. Especially if you want to cash out (OTC), they usually ask for binance transfer of usdt/USDC

[d5000]

So, the question is: do you think it's worth taking advantage of low fee times to do this even if it means losing a few satoshis? How advanced can quantum computing be? The funds will be there until the end of the year at the latest.

It's not that urgent, I think ... The most optimistic (from quantum computing point of view) estimations talk about the early 2030s, but most think quantum computers which are able to break ECDSA 256 bit with Shor's algorithm are at least a decade away (they need millions of qubits, current QCs have hundreds). So an address which is only used until the end of the year should not be in danger. And if I'm wrong with that, then we're doomed anyway because in this case QC is evolving much faster than expected and much more severe attacks are possible than an attack on Bitcoin ...

What does it mean precisely? Why people would be more supposed to not spend Bitcoins earned from bounty campaigns than BTC they've bought onto an exchange, I don't get it. If you are taking part in a bounty campaign it means you are a crypto user and not just an investor, so you like using cryptos, spending them and exchanging them in my opinion.

In this sentence I was referring to those people that participate in a bounty campaign but do not spend the received funds for a while, for example if they want to HODL these BTC. Of course most people spend the rewards from time to time, and those would benefit from sending the coins to an unused address as I wrote in the OP.

But I see two problems.  First of all, if no solution is found by the time an evil Quantum Computer is activated then a lot of people would start losing their Bitcoin which would in turn completely destroy the trust a lot of people had into Bitcoin.  It would lead to WAY bigger trouble than just having a reused address stolen.

Of course. However, the lower the number of re-used addresses, the lower the "evil QC attackers" can steal. It is likely that the "evil QC attackers" will first concentrate on Satoshi's coins and other unspent block rewards from 2009/2010. But eventually they could try to break re-used addresses once QCs become faster.

But if the problem begins to appear on the horizon, for example if the first million-qubit QC is built by the Pentagon (but private attackers are still years away), then I expect many people to rush to spend their Bitcoins to unused addresses. This would lead to a high fee level. The more people doing this kind of "consolidation" now, the less high the fees would get in this phase.

Second of all, is it safe to assume that Quantum Computers able to compute a private key from a public key may be able to do much worse anyway and if Bitcoin and the internet is not ready by that time then it may be doomed?

Correct. But that's why there's so much research going on about post-quantum cryptography, because otherwise online banking and basically everything depending on encrypted data is doomed. And also Bitcoin eventually probably will include the option to switch to "quantum safe" addresses.

[Lucius]

~snip~
Correct. But that's why there's so much research going on about post-quantum cryptography, because otherwise online banking and basically everything depending on encrypted data is doomed. And also Bitcoin eventually probably will include the option to switch to "quantum safe" addresses.

I wonder if it makes sense to wait for the "danger" to approach in order to act in the sense that the developers should perhaps think seriously about it today? I'm not at all technically savvy enough to say how complicated something like that would be, but I'm always one of those who will say "don't put off until tomorrow what you can do today".

Given that there are still people using legacy addresses today, even if we get solutions for quantum computers today, I wonder if people would use them. In addition, I would never trust publicly available information about the stage of development of quantum computers, secret programs exist precisely for the reason that things remain secret.

[d5000]

I wonder if it makes sense to wait for the "danger" to approach in order to act in the sense that the developers should perhaps think seriously about it today?

There are discussions in the mailing list already. Matt Corallo recently proposed adding a state of the art post-quantum algorithm like SPHINCS+ to Tapscript. He thinks that it would make sense to add such a feature around a decade before the problem becomes urgent, to give people time to migrate.

However there seems to be uncertainty if the complexity this adds (it would require at least two softforks to work as expected, because Taproot itself would also to have be changed to prevent the attacker spending via the key-path which would continue to be ECDSA as far as I understand) would be worth it considering the feature would probably not being used much today.

In theory one could even add post quantum cryptography via a Bitcoin-pegged token on the Bitcoin chain (using an OP_RETURN based technique like Counterparty or ... erm ... Runes ) without "Core developer approval". There may be other techniques like BitVM. But an "official" PQC algorithm would of course be much better. And for today, the approach described in the OP, simply sending coins to an unused address, is definitely enough for those who have a lot of coins sitting on re-used or P2PK addresses/UTXOs.

[ZeroVinsonN]

~snip~
Correct. But that's why there's so much research going on about post-quantum cryptography, because otherwise online banking and basically everything depending on encrypted data is doomed. And also Bitcoin eventually probably will include the option to switch to "quantum safe" addresses.

I wonder if it makes sense to wait for the "danger" to approach in order to act in the sense that the developers should perhaps think seriously about it today? I'm not at all technically savvy enough to say how complicated something like that would be, but I'm always one of those who will say "don't put off until tomorrow what you can do today".

Given that there are still people using legacy addresses today, even if we get solutions for quantum computers today, I wonder if people would use them. In addition, I would never trust publicly available information about the stage of development of quantum computers, secret programs exist precisely for the reason that things remain secret.

True, as far as we are concerned, these computers might already be available for use and the information being footed to the public might not necessarily be true, I definitely won't develop something in secret and then tell the world about it, what's been made in secret will be used in secret

[GazetaBitcoin]

Hello d5000!

Please be aware that AOBT started working on translating your thread in various languages. I hope this is good news

And a First translation is already done: Portuguese translation, made by r_victory.

I would also suggest you, if you like the idea, to list the translations and the translators' names at the bottom of your topic. You can find here an example of how authors listed our translations.

[Darker45]

I agree that not reusing the Bitcoin address will help with privacy and security?, too, in case quantum computing ever becomes real. But wide spreading too much can cause a burden on fees in the future because we never know how the fee situation will be. So it's better if we consolidate them once in a while to new address to tackle the fee market while also maintaining the privacy.

Yeah, you get double results with one effort. Moving your funds from a reused address to a fresh address wouldn't only give you privacy, it also saves you fees when the time comes when you have to spend them. You're not only protecting your funds from quantum possibilities, you're also consolidating UTXOs, making your next transaction smaller in size.

However, I think it's important to note that it might actually be better if you spread your Bitcoin holdings in different fresh addresses. Dividing your Bitcoin into smaller amounts is actually good for your privacy and security. Surely, you don't want to be paying somebody while divulging how much Bitcoin you have.

[d5000]

Please be aware that AOBT started working on translating your thread in various languages. I hope this is good news

And a First translation is already done: Portuguese translation, made by r_victory.

Thank you! I'll be linking the translations in the OP.

However, I think it's important to note that it might actually be better if you spread your Bitcoin holdings in different fresh addresses. Dividing your Bitcoin into smaller amounts is actually good for your privacy and security.

I think consolidating amounts into a single unused address is recommendable if one of these conditions apply:

1) the amount isn't too large (e.g. consolidating several small outputs),
2) you explicitly want the fortune to be on one address, e.g. to store it in some cold-walled solution (metal, paper etc.),
3) the addresses already are connected in some way, so chain analysis companies already identify them as a single wallet, e.g. if you got different payments from a single exchange, service etc. on all of them, or if you use them without additional protections in a single Electrum wallet for example.

In all other cases I agree with you that it's better to store the coins on several addresses.

[dkbit98]

Low fees of 1 or 2 satoshis per vByte are an excellent opportunity to make your coins more safe and private. You can even make them almost quantum-safe - in 2025!

I do agree that having good address management in wallets is very important, but I don't see how doing this can make coins more safe or more private.
Anyone can easily check the history of newly generated addresses and find all previous transactions with connection to old addresses.
As for being more quantum safe, we should probably get some kind of fork in future with new type of address.

[d5000]

I do agree that having good address management in wallets is very important, but I don't see how doing this can make coins more safe or more private.
Anyone can easily check the history of newly generated addresses and find all previous transactions with connection to old addresses.

I think you mean the "history of addresses appearing first in transactions" (because address which haven't been used, can't be detected observing the blockchain).
It is of course correct that this can be checked.

But if you transact from your old, reused address A to a new address B, then nobody knows for sure if B is yours, from the fact alone that there was a transaction from A. It looks like any other payment.

Chain analysis companies need other elements to assign a higher probability that B is yours. Such elements can be:

- Transactions from B to another address which can be linked to you, for example a CEX deposit address, or another address you also used with A.
- Transacting in a short timeframe, or in a single transaction, to several addresses including B.
- Various transactions from A to B - so don't use your newly created addresses twice!
- Transacting at approximately the same time of the day to several addresses including B, however you could also be making payments typically at this hour of the day, so they can't assign a too high probability to this.
- Perhaps also too "round" amounts, e.g. if you tend to transact always 0.01 BTC to other addresses (like B).
- And of course, if you send any coins on B back to A, then a perfect circle will be detected and B being linked to the same identity as A.
- Some wallets like Electrum "leak" addresses which are part of the same wallet to the servers when querying data about transactions. Thus, even when using Tor, if chain analysis companies happen to operate such a server, they can link these addresses together. For best privacy, don't use this kind of wallet, or use one wallet per address you want to separate.

These practices should thus be also avoided.

If you want to make your coins even more private, more steps are possible, like sending first a relatively big amount from A to B, then a smaller amount to an address C, and so on. The more it looks like "random payments from random addresses", the better.

I wanted to stay the OP relatively short so I didn't mention these details, often I think my posts are considered "too long to read" I've linked this post in the OP.

As for being more quantum safe, we should probably get some kind of fork in future with new type of address.

As long as quantum computers aren't able to crack ECDSA keys in 10 minutes (during the transaction phase, while the public key is exposed), addresses which never were use are safe, from today's science point of view. Even trying to crack an address in 10 minutes is risky if the block time can be 2 or even 1 minute if they're unlucky.

QCs will first take a lot of time to crack keys, so re-used addresses and of course P2PK users are those most at risk.

[GazetaBitcoin]

Hey d5000, please be aware that 1 more translation was made for your topic by AOBT:

Ukrainian translation, made by DrBeer

Cheers!

[GazetaBitcoin]

I am coming back to this thread for announcing one more translation made by AOBT:

German translation, made by cygan

Later edit: make that two more translations I also translated this thread in Romanian.

[GazetaBitcoin]

Hey d5000, please be aware that a Polish translation has been done by cygan for your topic.

And this is not all, since an Urdu translation was made by Adiljutt156.

Cheers!

[GazetaBitcoin]

I am coming back to this thread to announce that AOBT made one more translation:

Indonesian translation, made by Husna QA.

[cygan]

for all those who are very interested in this topic, i have uploaded some slides that illustrate the complex qc topic and show us all how the whole processes could be accelerated by quantum computers
and according to this report from ChaincodeLabs, 50% of all Bitcoins could be at risk once qcs hit the market


https://twitter.com/Bitcoin_Devs

[d5000]

@GazetaBitcoin: Thanks, added all translations!

@cygan: Nice slides. However, I quite do not like the penultimate one, which tries to oversimplify a bit much when it says that quantum computers would take "hours to days". According to what I've read about this topic, this depends largely on the qubit capacity of the quantum computer. Thus a small QC which is "just" capable to crack an ECDSA key could take months instead, and this would be probably what we'd to expect at first. Basically this slide is assuming a quantum computer with millions of qubits, and omits that information.

A source for this (quite obvious) dependency on the number of qubits is here: according to Craig Gidney, a 20 million qubit QC would take 8 hours for RSA-2048, while a 1 million qubit QC would take a week. While this seems to confirm the "hours to days" claim (and is probably the source of the slide), if QCs advance we will probably first see some with tens or hundreds of thousands of qubits, which would take months to years. As of now, the largest quantum computers have around 1000 qubits; while there are annealers with higher qubit numbers like the D-Wave devices, they aren't capable to run Shor's algorithm.

[cygan]

✂️
@cygan: Nice slides. However, I quite do not like the penultimate one, which tries to oversimplify a bit much when it says that quantum computers would take "hours to days". According to what I've read about this topic, this depends largely on the qubit capacity of the quantum computer. Thus a small QC which is "just" capable to crack an ECDSA key could take months instead, and this would be probably what we'd to expect at first. Basically this slide is assuming a quantum computer with millions of qubits, and omits that information.
✂️

yes, you're absolutely right
i think the slide was only meant to show the technical difference in computing power, how powerful the new qc will be (of course, it all depends on the processors that will be built into them and will certainly also come onto the market in different computing powers in this sector)


a summit will be held in san francisco on july 17 and 18 on the topic of quantum computing and Bitcoin.
leading researchers and experts from both fields have been invited to promote productive and thought-provoking discussions on this ever-growing topic


https://pbquantum.com/

[cygan]

now i will present you more slides on this topic today
here i will go into more detail about the quantum computer technology in relation to the security of Bitcoin and what the differences are between the so-called long-range and short-range attacks
here we go:







https://twitter.com/Bitcoin_Devs

[d5000]

Thanks for the slides. However imo the presentation has a problem: it omits that short range (or short exposure) attacks are much, much more unlikely than long "range" attacks. Even a quantum computer with millions of qubits would take several days to calculate a private key from a public key.

Also the time window is unpredictable. If the quantum attacker is pointing his expensive hardware with billions of qubits taking ~10 min per key to a transaction, and the block gets mined in 2 or 5 minutes instead, the attacker has wasted his effort for nothing. Thus there would be always risk involved for the attacker.

So is very much the final stage of quantum computer development, when QCs became very fast and ubiquitous. Before that happens, all addresses with re-used keys and P2PK/P2MS keys will have been emptied already. If Bitcoin is not "quantum safe" at that moment, then BTC will probably also not be worth anything anymore.

There's a proposed BIP 360 (still not official) which would allow to send Bitcoins to quantum-resistant addresses in a new P2QRH output type. It's interesting if this will get accepted as an official BIP and how the discussion goes ...

[GazetaBitcoin]

Hey d5000, please allow me to let you know that AOBT made a new translation for your topic:

Russian translation, made by zasad@.

Also, please do not forget to add to OP also the Indonesian translation, which I mentioned above

As of now, AOBT made 9 translations for your topic, so at least 1 more should be expected.