Topic: address collision vs quantum attack (Read 313 times)

[citation needed]

That’s a mighty big claim you assert.  Excluding buggy software with bad PRNGs, keys specially calculated to be “found” by LBC or the like, and other non-random situations, address collision is as good as impossible.  I’d bet all my money on it—actually, I more or less am!  As a practical matter, you are free to take my money if you can find one of the approximately 2^96 colliding keys for one of my long-term storage addresses.

As for the rest of this thread:  Worry about quantum computers is ridiculous when quantum computers do not exist.  (Excluding toy research implementations—which don’t actually do anything useful, and may never.)  If you want to put coins in deep storage for the next few decades, then don’t reveal the public key—just in case.  If you are one of the few developers who deals with long-term planning, get up to speed on PQ crypto.  Otherwise, this is a total non-issue for present-day usage of Bitcoin.

hundreds if not thousands of years

Before RBF was introduced I did it myself (double spend) in order to push a transaction which was stuck because of a low fee. I think it was a couple years ago and it worked.

We will see how it plays out. Maybe, devs can introduce lamport signatures in protocol. So we will have legacy tx outputs with EC and new one with a hash based signatures. People who does not care about quantum computers can use legacy others can use new scheme.

I agree. I was just answering your question on how would a miner know which ones are signed by the adversary. Miners are usually (I think they had an agreement in the past) running Bitcoin Core so they might not just pick up the one with highest fee, but discard it as it came after the first one.
Of course you shouldn't count on this.


Now this is a prediction game. I can't really answer this as no one can. What is exactly near zero, that is the question.
Block subsidy might get near zero, depending on how near we are talking about here, but it will not be zero as long as there are any transactions that pay the fees.
If the subsidy is too low, then there will be less miners. It is a self-correcting mechanism.

But then again, who knows...
Many things will be very different from now by that time. Lower (or none) block reward, off chain transactions, high adoption (hopefully), etc.

I think for the next 10-15 years you are safe from the quantum attack. Address collision is possible and has happened in the past.

https://www.defcon.org/images/defcon-10/dc-10-presentations/dc10-daugherity-quantum.pdf

Quantum has been used as stated to attempt to break RSA keys which is documented above.

Bincoin is not Bitcoin core client it's a protocol. So if transaction is valid according the rules it's valid transaction. Even now you can submit a non-standard transaction to miners and it will be accepted into block.  

Blocks will be full in the future too. Even with level 2 solutions in place. If blocks would have empty space then on chain fees would be near zero. And how would miners get paid at this case when block subsidy become 0? So 10 min. it's for highest paying transactions only even in the future.

Here you are probably right. If it will be possible time constrains would not be matter.

Nodes don't accept double spend transactions, at least the Bitcoin Core ones don't. Instead the return an error saying there is a tx mempool conflict.
Nodes don't accept conflicting transactions and they do not replay them, so a second transaction would only be available to the nodes that came online after the first transaction was sent or discarded the first one due to it being unconfirmed for too long or something like that.


To me both of these ranges seem artificial and make no sense. On average block is mined every 10 minutes and if everything is working correctly in the future, optimally all transactions would be added in the very next block. So depending on when transaction was published compared to this this period between two blocks, it would likely be 5 minutes on average.


I am no quantum physicist, but I don't think that quantum computers work like that, not like classical ones. Completely different story.
As I understand, quantum computer will either do the job practically instantly or will not be able to do it at all if it is not big enough.

I think that a bigger quantum computer doesn't add to speed, just in capacity of how many bits you can put in this superposition state.
And the speed of every quantum computer is achieved by moving electrons exactly by speed of light, as it uses super cooled wires or whatever as super conductors.

All of this seems very unreal to me as well, but that is the universe for you. It makes no sense, but is apparently true.
Just like that it might be impossible to scale quantum computers due to the system stop being quantum if it becomes big enough.

Number of computations done by these machines should grow exponentially by adding new quantum bits, but the difficulty of building them grows exponentially as well for every bit added.

Very weird technology, no doubt.

.
I am afraid this is an endless quest that would result into pure waste of time because I don't see the practicability of any of the above happening at least not any time soon. On the issue of quantum computer the level of development to achieve that is something not even close to now following the stages of technological development. What gave me rest is the development of a technology that would take a quantum computer to defeat with the quantum computer itself.

On the address collision, I believe all desktop wallet already have the maximum address they can generate with their individual private keys which means the issue of address collision does not arise. It possible to export all of the private key in an Electrum wallet and their address used or not used.

Of course all this discussion is purely theoretical at this point.
I myself have doubts  that such computer is possible. However, I have to disagree with you on these points:
It's to emotional. How would miner know which transaction is signed by you and which is signed be adversary? Miner will pick up highest paying transaction.
At the moment 10-30 minutes sounds as a bad joke. 2-3 days is more reasonable time-frame.
If it is doable in a long amount of time, it definitely would be double in a short amount of time just more expensive.

The 'window of opportunity' is between ~10-30 minutes.
In these 10-30 mins the basic to-do list would be:

• Scrape/gather the public key as soon a transaction gets pushed
• Crack the private key with the public key known
• Create + broadcast a double-spend transaction
• Pray to god an unhonest miner discards the original transaction for your malicious one in his mempool
• Pray to god this one unhonest miner mines a block containing your TX before anyone else mines a block containing the original one

This is not doable in such a short amount of time. Even quantum computers are no magic machines... even tho quite a few people believe they are..
1) There are no algorithms to *crack* the ECDSA of bitcoin. Neither normal algorithms, nor qantum algorithms.
2) Even if there already were quantum computers working perfectly and if there were algorithms made for breaking ECDSA.. this would still not be possible in such a short amount of time.

Additionally you have to consider that it takes decades to create qantum computers + algorithms to approach such a 'crack' of BTC.
In these decades there is more than enough room for soft-/hardforks to stay quantum resistent for another 100+ years.

However, as I mentioned your public key becomes public knowledge then you submit your transaction. And there is a window of opportunity before you actual spend it (tx is included in block).

P.S. don't know anything about IOTA.

Yes, but i was refering to the possible threat of IOTA, lisk,.. when storing coins on an address which already has been spent from.
This does not apply to bitcoin.


1) No, that doesn't work like this. Quantum computer because:
a) They dont even exist yet because the whole superposition states are unstable yet and the error rate is way too high.
b) There are a lot of resarches done breaking RSA (prime factorization) with quantum alogrithms, but no researches are done about how to break elliptic curve multiplication.

2) Bitcoin is quantum resistant 'by design'. Until you spend from an address the public key is not known and therefore its not possible to attempt to crack the ECDSA (https://de.wikipedia.org/wiki/Elliptic_Curve_DSA).
If ECDSA will get crackable (which takes a quite long timespan; this doesnt happen over night):
i) there still will be forks (probably consensus) to prevent BTC from being crackable, and
ii) this would put BTC at the same 'security level' as IOTA, since until your public key is known, such an attempted attack is not possible.

Why does not it apply to bitcoin? Sooner or later you submit transaction and your public key is revealed. I get you private key with quantum computer and reroute the money to my address with higher fee. If I can do it before next block comes I get your money.

The reason for Lisk, IOTA, etc.. being unsecured when laying on an address which already was spent from is because the whole network gets to know the public key.
This public key then can be used to 'crack' the private key (considering the algorithm makes it possible). This applies to iota, lisk, ... but does not apply to BTC.
But this has nothing to do with address collision. Address collision is a term to describe the phenomenon of 2 people randomly generating the same priv-/public- keypair.

Is it valid for Lisk? because they suggest spending to avoid address collision risk

This is wrong. There is no benefit in security by spending your coins from an address. Address collision risk is equal whether your public key was published or wasn't before. If there are two public keys that hash to a same address they will both be able to spend those coins at any time, no matter if the coins were already spent from that address before using the other key. Bitcoin protocol doesn't care about the history of the address, just about the history of the transaction chain that spends those coins and if they were valid on each step.

LOL. No need to worry.
There are so many possible addresses, that address collision is extremely improbable.
It makes no difference if you do or do not have a spend action from your address. The probability of address collision is still the same. 

From those 2 threats I would say that quantum attack is more probable, because it could actually happen in about 20-50 years, or never, who knows. 

How many bitcoins do you have in your address? Because if quantum attack ever becomes possible there probably are much more interesting addresses to attack than yours.
Currently there are several addresses, that have published their public keys and that also contain more than 1000000000$ in them. Just think about it. Would a thief select your address or one of them? And also, if they can trust the current cryptography with that kind of sums, maybe you should too.

I think you are doing wisely in not re-using your addresses and keeping your coins in unspent addresses. That is the way to make sure that you are safe from quantum computers, if they ever become big enough.

 

Not to reveal my public key, against quantum attacks, I am storing my coins in unspent address but it creates address collision risk, to avoid this I need to make a transaction to broadcast my public key to the network then my wallet is vulnerable to quantum attacks so I need to choose one of these, which one is more likely to happen? quantum attack or address collision