Bitcoin Forum
Author Topic: Avoiding An Unnecessary Quantum Freeze  (Read 424 times)
hmbdofficial (Member)
May 08, 2026, 05:23:42 AM, #21
Merited by stwenhao (1)

Quote
wouldn't a Quantum Computer still crack those wallets?
It could crack the private keys, but not the seeds.
That's practically saying it could just crack one address since it can't crack the seed; the effect might be minimal, I think, since it's only the seed phrase that can generate the extended private key.
Wind_FURY (Legendary)
May 11, 2026, 11:33:19 AM, #22
Merited by stwenhao (1)

Quote
wouldn't a Quantum Computer still crack those wallets?

It could crack the private keys, but not the seeds.


Then doesn't that mean the "you need ECDSA, and a Quantum Signature to move it" scheme is irrelevant from the viewpoint of the attacker?

Quote
wouldn't a Quantum Computer still crack those wallets?
It could crack the private keys, but not the seeds.

That's practically saying it could just crack one address since it can't crack the seed; the effect might be minimal, I think, since it's only the seed phrase that can generate the extended private key.


If it could crack one address derived from the seed, then it could crack all addresses derived from that seed.

   ¯\_(ツ)_/¯

stwenhao (Hero Member)
May 11, 2026, 11:59:28 AM, #23

Quote
Then doesn't that mean the "you need ECDSA, and a Quantum Signature to move it" scheme is irrelevant from the viewpoint of the attacker?
It is relevant, because the attacker would be able to break only ECDSA, but not the quantum part, which could require for example knowing the seed.

Quote
If it could crack one address derived from the seed, then it could crack all addresses derived from that seed.
Of course. But the attacker still wouldn't know the seed. And if it will be required in that "quantum part", then only the real owner would be able to make it.

Think about it for a moment: if the real owner knows the seed, and the attacker cannot get it without breaking the hash functions behind it (which is a different case than breaking elliptic curves), then it can be used to check whether a given signature was made by the attacker or by the real owner.

Quote
Thats practically saying it could just crack one address
No, because if committing to the seed will be part of the "quantum path", then only the real owner would be able to do that.

In general, the main downside of using that approach is that not all public keys are derived from seeds; some of them are just randomly generated, if some user is not using any kind of HD wallet. If not for that, it would be much easier to reach consensus here, and simply require committing to the seed for all old addresses. But because there are non-HD keys in use, that approach would make them unspendable (or rather: as hard to spend as "bitcoin eater" and similar addresses: it would simply require breaking the cryptography behind converting seeds to keys).

Proof of Work puzzle in mainnet, testnet4 and signet.
watashi-kokoto (Sr. Member)
May 15, 2026, 01:42:23 AM, #24
Merited by stwenhao (1)

It has been long known that postquantum signatures could be nested below ECDSA as in ECDSAKEYGEN(PQKEYGEN())

Quote
Think about it for a moment: if the real owner knows the seed, and the attacker cannot get it, without breaking hash functions behind it (which is different case than breaking elliptic curves), then it can be used to check, if a given signature is made by the attacker, or by the real owner.

Exactly. You can nest an efficient PQ OTS hash-based scheme such as haircomb with small signature size (~320 bytes, variable) below ECDSA.

Or any other existing NIST selected scheme, most of which aren't hash based and can end up broken over time.

The question is only WHICH scheme gets picked.

The way bitcoin is designed itself makes that clear as well. Nakamoto vote.

(everyone votes with their money)

Then the dominant schemes will get embedded into core at quantum hack time.
PrivacyG (Legendary)
Today at 12:27:19 PM, #25
Merited by stwenhao (1)

Quote
If it could crack one address derived from the seed, then it could crack all addresses derived from that seed.
I was confused first but I think I got it.  Stwenhao is talking about a way you can only spend Bitcoin if you prove you own the Seed.  Not only the Address.  So if you 'break' an Address as in a Private Key, it is useless because Private Keys would not be enough.

-----

Quote
if the real owner knows the seed, and the attacker cannot get it, without breaking hash functions behind it (which is different case than breaking elliptic curves), then it can be used to check, if a given signature is made by the attacker, or by the real owner.
I have a curiosity.

A single Seed can generate so many Addresses.  As far as I know, HD wallets can do about four BILLION.  Now the chance of any of my four billion Addresses derived from my Seed colliding with one of your four billion Addresses is still small enough to consider it pretty much a zero.

But if a Quantum Computer can break a Private Key then I will assume it can also generate a LOT more Seeds than any powerful computer of these days can.  Which in the HD wallet situation where each Seed equals about four billion Addresses, it means it may be able to generate a very large multiple of four billion Addresses.

How successful would a Quantum Computer attack be if they broke a Private Key of their choice and then started 'brute forcing' it as in generating significant amounts of Seeds and trying each signature until one is finally valid?  If a Private Key leads to a single Address and a Seed can get you four billion, I imagine the chance is significantly higher that a valid signature is found?

BlackHatCoiner (Legendary)
Today at 01:20:39 PM, #26
Merited by stwenhao (1)

Quote
How successful would a Quantum Computer attack be if they broke a Private Key of their choice and then started 'brute forcing' it as in generating significant amounts of Seeds and trying each signature until one is finally valid?
A quantum computer does not suddenly render all hash functions and cryptographic layers meaningless. What it can do is run an algorithm that finds the private key, given a public key, that a classical computer cannot run.

It does not brute force private keys the same way it would brute force seed phrases. Brute forcing seed phrases is an orders of magnitude more computationally expensive process.

stwenhao (Hero Member)
Today at 02:03:59 PM, #27

Quote
But if a Quantum Computer can break a Private Key then I will assume it can also generate a LOT more Seeds than any powerful computer of these days can.
There are two different things: elliptic curves like secp256k1, and hash functions like SHA-256. If you break only elliptic curves, then the network can move to a different algorithm, while still using SHA-256 as usual. However, if you break SHA-256, then you can break everything, including mining, and then it is a completely different situation. Breaking SHA-256 would also break secp256k1, if you were able to generate arbitrary preimages, because then you could start from any known public key, generate (r,s,z) values randomly which would match it, and then generate a transaction which would hash into that random z-value.

Also, even finding collisions for SHA-256 would be harmful, because then, you could create colliding merkle tree branches, where one transaction would send coins from Alice to Bob, and another transaction would do that from Alice to Charlie, and both would hash to the same value, which would hash to the same merkle root.

When you create a private or public key from the seed, then hashing is used in-between, specifically for example HMAC-SHA512 from BIP-32, where SHA-512 is used.

Quote
So if you 'break' an Address as in a Private Key, it is useless because Private Keys would not be enough.
Yes. And it has a drawback that should be clearly stated: a given key may not come from any HD wallet, but be just generated randomly, for example by OpenSSL, as was done in the early days. In these cases, if committing to the seed were always required, then these coins would be as hard to access as coins from "bitcoin eater", because it would then require finding a seed where none is known. Which is why that kind of solution is technically possible, but it is hard to reach consensus if there is a risk of blocking someone's coins, if that person didn't use any seed at all.

Proof of Work puzzle in mainnet, testnet4 and signet.
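The seed-commitment idea from stwenhao's posts #23 and #27, written out as an added Python example (not code from this thread or from any wallet): the BIP-32 master key is the left half of HMAC-SHA512("Bitcoin seed", seed), so a "quantum path" check can re-derive the key from a revealed seed, and an attacker who only recovered the private key from the public key has no seed to reveal. It simplifies the commitment to the master key m (a real scheme would also cover the derivation path) and uses a minimal pure-Python secp256k1 routine for the key-to-pubkey step.

```python
import hmac
import hashlib
# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def pubkey(priv):
    """Compressed public key = priv * G, by double-and-add."""
    result, addend = None, G
    while priv:
        if priv & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        priv >>= 1
    x, y = result
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def master_key_from_seed(seed):
    """BIP-32 master private key: left 32 bytes of HMAC-SHA512("Bitcoin seed", seed)."""
    i_l = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]
    k = int.from_bytes(i_l, "big")
    if not 1 <= k < N:  # BIP-32 declares such a seed invalid
        raise ValueError("invalid seed")
    return k

def seed_commitment_valid(seed, claimed_pubkey):
    """Simplified 'quantum path' check: does re-deriving m from the revealed seed
    reproduce the key on chain? A recovered private key alone gives no seed."""
    try:
        return pubkey(master_key_from_seed(seed)) == claimed_pubkey
    except ValueError:
        return False
```

Run with the BIP-32 test vector 1 seed (000102030405060708090a0b0c0d0e0f) to see the owner's check pass and a guessed seed fail; the only way an attacker passes it is by inverting HMAC-SHA512, which is the hash-breaking case the thread separates from breaking secp256k1.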