Topic: Bitcoin’s race to outrun the quantum computer (Read 1534 times)

legendary
Activity: 1904
Merit: 1277
^^
Thanks, that looks like the sort of thing I was after. I'll have a read through it tomorrow. Not sure how I missed it.
Every other quantum thread on here is full of my own posts; rare to find one that isn't!
mda
member
Activity: 144
Merit: 13
I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!

I'm unsure if it counts as a considerable move but my imagination has stopped there.

https://bitcointalksearch.org/topic/m.52769870
legendary
Activity: 1904
Merit: 1277
Yes, sooner or later a QC will be developed that can run Shor to break public key cryptography. ECDSA is utterly insecure. Private keys can be derived from public keys. A solution is obviously needed in advance of such a QC becoming available. The problem here is that all coins will have to be moved to quantum-proof addresses. What happens to those coins that (for whatever reason) aren't moved? Do we leave them to be stolen by a QC, wreaking havoc and potentially destroying all of crypto? This is not hyperbole; it's a genuine threat. Or do we burn them before they can be stolen? It's a hugely contentious issue that goes right to the heart of bitcoin, cryptocurrencies, and decentralisation.

Theymos, ahead of the (elliptic) curve, posted about this back in 2016 (quote below). The thread that this triggered on bitcointalk was full of misunderstanding and outrage, and is perhaps indicative of the scale of opposition that such a move to QC-safe cryptography will face.

I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!

Quote
Edit: To be absolutely clear: I am not proposing (and would never propose) a policy that would have the goal of depriving anyone of his bitcoins. Satoshi's bitcoins (which number far below 1M, I think) rightfully belong to him, and he can do whatever he wants with them. Even if I wanted to destroy Satoshi's bitcoins in particular, it's not possible to identify which bitcoins are Satoshi's. I am talking about destroying presumably-lost coins that are going to be stolen, ideally just moments before the theft would occur.

This issue has been discussed for several years. I think that the very-rough consensus is that old coins should be destroyed before they are stolen to prevent disastrous monetary inflation. People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation. Allowing lost coins to be recovered violates this assumption, and is a systemic security issue.

So if we somehow learn that people will be able to start breaking ECDSA-protected addresses in 5 years (for example), two softforks should be rolled out now:

One softfork, which would activate ASAP, would assign an OP_NOP to OP_LAMPORT (or whatever QC-resistant crypto will be used). Everyone would be urged to send all of their bitcoins to new OP_LAMPORT-protected addresses.

One softfork set to trigger in 5 years would convert OP_CHECKSIG to OP_RETURN, destroying all coins protected by OP_CHECKSIG. People would have until then to move their BTC to secure addresses. Anyone who fails to do so would almost certainly have lost their money due to the ECDSA failure anyway -- the number of people who lose additional BTC would be very low. (There might be a whitelist of UTXOs protected by one-time-use addresses, which would remain secure for a long time.)
https://www.reddit.com/r/Bitcoin/comments/4isxjr/petition_to_protect_satoshis_coins/d30we6f/
full member
Activity: 224
Merit: 120
----------------------------
What exactly is the danger today of a quantum computer that does not exist now, but may exist tomorrow?
It's very simple and consistent.
My answer is this.

I'll talk about the global danger, the danger in most cases, not to one person.

All protection protocols (we will talk only about cryptographic methods of protection) are built on one principle:
1. Asymmetric cryptography is the first step in any protocol to agree on a common session key for symmetric cryptography.
2. The second step is symmetric cryptography encryption, where secrets are encrypted securely (AES).

Why is a quantum computer that will only work in the distant future dangerous today?

Because all of our encrypted messages are stored.
Details:
- those encrypted messages that are very interesting are stored many times over; this is communication between the interesting and important people of our time;
- all other messages are also stored, just in case; they may well turn out to be interesting.

Now, how the quantum crackers will work:
1) they will only crack the first stage of the encryption protocol - only asymmetric cryptography, where the shared session encryption key was encrypted. That's it.
2) They use the resulting key to quietly read the AES cipher, the second step of the encryption protocol.

And now, everything falls into place: AES-256, the symmetric system, is not cracked, and RSA (with any length of key) or ECC (with any length of key), the asymmetric system is cracked without a doubt, even by very weak, first quantum computers.

That's why everyone is so concerned, that's why post quantum asymmetric encryption systems are already needed.

Yes, not everyone encrypts good messages; there are many who lead two lives at once, and one of those lives is very bad.
But the bad thing is that the ones who read and decide what's bad and what's good will be guys with the same questionable reputation as the first ones.

Here is the real vulnerability of all the key encryption methods: everything secret, sooner or later, becomes known and not secret.

New keyless encryption systems are completely free of this vulnerability.
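The harvest-now, decrypt-later sequence described in the post above (record the public-key exchange and the symmetric ciphertext today, solve the public-key step later) can be shown end to end in a few lines. This is an added example, not code from the post or from any real protocol: the Diffie-Hellman group, the SHA-256 counter-mode keystream standing in for AES, and the brute-force discrete log standing in for Shor's algorithm are all deliberately tiny so that it runs offline. The structure is what matters: the attacker never touches the symmetric cipher, only the exchange that produced its key.

```python
"""Harvest-now, decrypt-later against a recorded session (added example).

Protocol shape as in the post: a public-key exchange agrees a session key,
then a symmetric cipher protects the data. Stand-ins so it runs offline:
  - Diffie-Hellman in a 16-bit multiplicative group instead of a 2048-bit
    prime or an elliptic curve (constructed toy parameters);
  - a SHA-256 counter-mode keystream instead of AES;
  - exhaustive-search discrete log instead of Shor's algorithm.
"""
import hashlib
import secrets

P = 65537          # prime; 3 generates the whole multiplicative group mod 65537
G = 3
BLOCK = 32         # SHA-256 output size


def dh_keypair():
    """Private exponent x and public value g^x mod p (toy parameters)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(shared: int) -> bytes:
    """KDF stand-in: hash the shared group element into a 256-bit key."""
    return hashlib.sha256(b"toy-kdf" + shared.to_bytes(4, "big")).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from SHA-256 (stand-in for AES-CTR).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        chunk = data[i:i + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def record_session(plaintext: bytes) -> dict:
    """Run one honest session and return exactly what a passive eavesdropper
    can store: both public DH values, the nonce and the ciphertext."""
    a, ga = dh_keypair()   # Alice
    b, gb = dh_keypair()   # Bob
    key = session_key(pow(gb, a, P))
    assert key == session_key(pow(ga, b, P))   # both sides agree on the key
    nonce = secrets.token_bytes(12)
    return {"ga": ga, "gb": gb, "nonce": nonce,
            "ct": keystream_xor(key, nonce, plaintext)}


def discrete_log(h: int) -> int:
    """Find x with g^x = h mod p by exhaustive search. On real-size
    parameters this is infeasible classically; Shor's algorithm does it in
    polynomial time, which is what the stored transcript is waiting for."""
    acc = 1
    for x in range(P - 1):
        if acc == h:
            return x
        acc = (acc * G) % P
    raise ValueError("value not in group")


def decrypt_later(transcript: dict) -> bytes:
    """The attacker's step, years after the recording: recover Alice's private
    exponent from her public value, rebuild the session key, read the data.
    The symmetric cipher is never attacked."""
    a = discrete_log(transcript["ga"])
    key = session_key(pow(transcript["gb"], a, P))
    return keystream_xor(key, transcript["nonce"], transcript["ct"])


if __name__ == "__main__":
    t = record_session(b"wire 5 BTC to cold storage at 09:00")
    print(decrypt_later(t))
```

Scaling the group up to 2048-bit primes or secp256k1 makes `discrete_log` infeasible for a classical machine and changes nothing else, which is the whole point of the post: the stored ciphertexts only need the asymmetric step to fall, not AES.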
legendary
Activity: 1904
Merit: 1277
Quantum chip solves ‘travelling salesman’ problem for 22 cities
https://www.electronicsweekly.com/news/research-news/quantum-chip-solves-travelling-salesman-problem-22-cities-2020-01/
'''According to the university, this is “something that would take about 1,200 years for a high-performance von Neumann CPU”, but the chip “can solve the travelling salesman problem for 22 cities instantly”; until now, using quantum processing, it “has only been able to solve the travelling salesman problem involving a maximum of 16 cities”.
A quantum annealing computer is not a full-blown quantum computer, of the type that could crack encryption for example, which no one has yet made – or if they have, they are keeping quiet about it.'''

It's an interesting development, but yes, a quantum annealing computer can't be used to break cryptography, and will never threaten bitcoin. The annealing approach is more for problems where there are a huge number of possible solutions, and we're just looking for one that is sufficient out of that multitude of possibilities.

The biggest threat to bitcoin from quantum computing, as I've outlined previously, is the use of Shor's algorithm against re-used addresses:

My opinion:
Quantum computers will surprise the Bitcoin community..


My opinion is actually the exact opposite. I think that crypto developers, certainly for the big coins, and most definitely for bitcoin, are well aware of potential threats from quantum computers, and are actively developing safeguards.
We've covered previously and in considerable depth what QCs can and can't do. Asymmetric cryptography is massively vulnerable, but symmetric cryptography far less so, particularly AES256, as discussed above. It's a common misconception, perpetuated by mainstream media, that QCs instantly break all types of cryptography in all circumstances, when that is clearly not the case. QCs are great for certain specific types of problem, but it's technology, not magic, and it has limitations.

I am some random uninformed idiot posting opinions on a web forum, and even I am aware of what QCs can and can't do, and of the nature of their potential threat to cryptocurrencies in certain situations. People far smarter than me are developing these coins, and I'm absolutely certain that they are on top of the QC question. This is why I am convinced that the threat of QCs will not come as a surprise.
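The post above names Shor's algorithm against re-used addresses as the realistic threat. Shor needs the public key, so the practical question for any coin holder is: for which outputs is the key already on chain? The following is an added example, not code from the post or from Bitcoin Core: a small scriptPubKey classifier plus an audit that treats an output as exposed if its template carries the key directly (P2PK, and Taproot's output key) or if the same script has been spent from before (the key was revealed in that spend, so remaining coins on the re-used script are exposed too). The sample UTXOs, keys and hashes are constructed, not real chain data.

```python
"""Which UTXOs expose their public key to a Shor-capable attacker (added example).

Hash-based templates (P2PKH, P2SH, P2WPKH, P2WSH) keep the key off chain
until the first spend; P2PK and P2TR put an EC public key in the output
itself. Address re-use turns a hash-based output into an exposed one.
"""

# Bitcoin Script opcodes used by the standard output templates.
OP_0, OP_1, OP_DUP, OP_HASH160 = 0x00, 0x51, 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC


def classify_script(spk: bytes) -> str:
    """Map a scriptPubKey to its standard template name (or 'unknown')."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"      # <33|65-byte pubkey> OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh"      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"    # OP_0 <20>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"     # OP_0 <32>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"      # OP_1 <32-byte x-only output key>
    return "unknown"


# Templates whose script itself contains an EC public key.
PUBKEY_ON_CHAIN = {"p2pk", "p2tr"}


def pubkey_exposed(spk: bytes, spent_from: set) -> bool:
    """True if an attacker can obtain the public key behind this output
    without waiting for the owner to spend it."""
    if classify_script(spk) in PUBKEY_ON_CHAIN:
        return True
    # Hash-based templates hide the key only until the first spend from the
    # same script; after that the key is public in the spending input.
    return spk in spent_from


def audit(utxos, spent_from: set) -> dict:
    """Sum exposed vs. hidden value. utxos: iterable of (txid, vout, sats, spk)."""
    report = {"exposed_count": 0, "exposed_sats": 0,
              "hidden_count": 0, "hidden_sats": 0}
    for _txid, _vout, sats, spk in utxos:
        side = "exposed" if pubkey_exposed(spk, spent_from) else "hidden"
        report[side + "_count"] += 1
        report[side + "_sats"] += sats
    return report


# ---- constructed sample data (not real keys, hashes or transactions) ----
PUBKEY = b"\x02" + b"\x11" * 32
H20, H20_REUSED, H32 = b"\x22" * 20, b"\x44" * 20, b"\x33" * 32
SPK_P2PK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
SPK_P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SPK_P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 20]) + H20_REUSED + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SPK_P2WPKH = bytes([OP_0, 20]) + H20
SPK_P2TR = bytes([OP_1, 32]) + H32

SAMPLE_UTXOS = [
    ("aa" * 32, 0, 50_0000_0000, SPK_P2PK),         # early coinbase-style P2PK
    ("bb" * 32, 1, 1_0000_0000, SPK_P2PKH),         # never spent from
    ("cc" * 32, 0, 2_0000_0000, SPK_P2PKH_REUSED),  # address re-used after a spend
    ("dd" * 32, 0, 3_0000_0000, SPK_P2WPKH),        # never spent from
    ("ee" * 32, 0, 4_0000_0000, SPK_P2TR),          # output key on chain
]
# Scripts that some earlier transaction already spent from (key revealed).
SAMPLE_SPENT_FROM = {SPK_P2PKH_REUSED}

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS, SAMPLE_SPENT_FROM))
```

On real data the `spent_from` set is built by scanning historical inputs for the scripts they spent. "Hidden" here only means hidden until the next spend: at spend time the key is in the transaction, so a fast enough QC could still race it to confirmation, which is why moving coins to a quantum-safe script type is the fix rather than simply avoiding re-use.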
newbie
Activity: 18
Merit: 0
Elon Musk's priority is public utility.
By this I mean space transport,
human transport,
goods transport,
..
so I don't see Elon getting in on the QC game.


VOLKSWAGEN CARRIED OUT THE WORLD'S FIRST PILOT PROJECT FOR TRAFFIC OPTIMIZATION WITH A QUANTUM COMPUTER
https://www.quantaneo.com/Volkswagen-carried-out-the-world-s-first-pilot-project-for-traffic-optimization-with-a-quantum-computer_a366.html

Ford and Microsoft pilot quantum-inspired routing to reduce congestion
https://www.intelligenttransport.com/transport-news/93711/ford-microsoft-pilot-quantum-inspired-routing-reduce-congestion/

Microsoft and Ford try using quantum-style computing to solve Seattle’s traffic problem
https://www.geekwire.com/2019/microsoft-ford-try-using-quantum-style-computing-solve-seattles-traffic-problems/


In the future: no optimized transportation without quantum computers
Re: Is Elon Musk developing a quantum computer?



My opinion:
Quantum computers will surprise the Bitcoin community..
full member
Activity: 224
Merit: 120
But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.
------------------
I think that, as in the optical implementation of the OTP method, just as in the QKD method, and just as in any other encryption method, there is always the issue of authenticating the second party. It is a question of verifying the other side of the communication.

But I do not think that the issue of authentication and the issue of having a closed, secret channel are the same thing.
Just the opposite: authentication must be done over an open channel in order to verify the genuineness of the conversation partner. Once this confidence exists, a closed channel based on encryption is established with the help of some kind of cryptography.

So, you're right, and the description of this method explicitly refers to the question of authenticating the conversation partner.

Now let's analyze what solutions we have now on this crucial issue.

We have numeric identifiers that are formed from either:
- A password that only the original interlocutor (Alice or Bob) presumably knows;
- biometrics, which ultimately always takes the form of a numeric code, a numeric identifier;
- keys, which are not transmitted in pure form like a password, but as a numeric code obtained by a one-way cryptographic function;
- and so on.

And what is it in essence: a constant digital code (one or more), a digital identifier.

All these technological rudiments can be successfully used both in optical OTP and in all the advertised QKD.

All of them have the same drawback, from which neither quantum technology nor post-quantum cryptography saves us: a constant digital identifier.

The attacks are all as alike as two drops of water; they only come at us from different sides, and always the same thing happens:
- stealing our digital identifiers;
- passwords;
- keys.

These attacks are only possible for one reason: because of the constants that identify us, distinguishing one user from the multitude of others.

I see only one way out of this vicious circle: variable numeric identifiers.
For example, your identifier has 256 bits of binary code.
If it changes all the time, but in such a way that only the party that has formed a closed channel with you knows about it (with normal encryption, of course, not with the quantum technological rudiments that are being promoted and prepared for sale), meaning it changes synchronously, then stealing it makes no sense.

And if your ID changes when you send each new packet of data, no one will ever even think about attacking your personal data.

I think that this kind of technology is possible, and the future belongs to it.
I call them: Keyless encryption and passwordless authentication technologies.
As an example of how to demonstrate the theoretical feasibility of such a communications channel and such technologies, I developed my own version, tested it, and came to the conclusion that it is not a utopia.
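The post above describes an identifier that changes with every packet, in step on both sides, so that capturing one is useless. A standard way to build that is a hash ratchet. The following is an added sketch of that idea, not the poster's own system and not a claim about it: both ends start from a shared secret (assumed here to be established out of band, which is exactly the initial authentication the other poster keeps asking about), derive the per-packet identifier with an HMAC of the current state under one label, and advance the state with an HMAC under another label. A captured identifier neither reveals the state nor predicts the next identifier, a replayed one is rejected, and a small look-ahead window tolerates lost packets. Names and the seed are constructed.

```python
"""Synchronously rolling per-packet identifier via a hash ratchet (added example)."""
import hashlib
import hmac

ID_LEN = 16


def ratchet(state: bytes) -> bytes:
    """One-way step: next state from current state. Cannot be run backwards."""
    return hmac.new(state, b"ratchet", hashlib.sha256).digest()


def packet_id(state: bytes) -> bytes:
    """Identifier derived from the state under a separate label, so seeing
    the identifier does not hand out the state used for the next step."""
    return hmac.new(state, b"id", hashlib.sha256).digest()[:ID_LEN]


class Sender:
    def __init__(self, seed: bytes):
        self.state = seed      # shared secret, assumed established out of band

    def next_id(self) -> bytes:
        """Identifier for the next packet; the state is consumed afterwards."""
        pid = packet_id(self.state)
        self.state = ratchet(self.state)
        return pid


class Receiver:
    def __init__(self, seed: bytes, window: int = 8):
        self.state = seed
        self.window = window   # how many lost packets to tolerate

    def accept(self, pid: bytes) -> bool:
        """Accept pid if it matches one of the next `window` states, then move
        past it. Anything older (a replay) or unrelated (a forgery) is rejected."""
        state = self.state
        for _ in range(self.window):
            if hmac.compare_digest(packet_id(state), pid):
                self.state = ratchet(state)   # never accept this step again
                return True
            state = ratchet(state)
        return False


if __name__ == "__main__":
    seed = hashlib.sha256(b"constructed shared secret").digest()
    s, r = Sender(seed), Receiver(seed)
    first = s.next_id()
    print(r.accept(first), r.accept(first))   # True, then False: replay rejected
```

What this does not solve is the bootstrap: `seed` has to reach both parties secretly and authentically once, and anyone who steals the current state (not merely an identifier) can generate every future identifier, so the ratchet moves the problem from "constant identifier" to "protect one secret state".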
legendary
Activity: 1904
Merit: 1277
I thought you were in a hurry to jump to conclusions.
No, I read the article through a couple of times. It's an OTP approach, and I maintain that it is similar to BB84 QKD. It's a classical version of QKD.
I know it's not quantum cryptography, I'm saying it's a classical version of it. It's cleverly done, yes, but I think it has drawbacks...

This method excludes all the disadvantages of quantum cryptography, which in practice will have a function of key distribution for symmetric encryption systems.
But the Vernam cipher method still needs that original authentication to start things off, right? I'll concede it may be me not understanding it properly, but the paper seems to skim over that a bit. If you have that initial 100% secure channel for authentication, then just use that for everything, you don't need anything else.

Quantum cryptography is very slow, very capricious, very resource-intensive.
Quantum cryptography is early in development. Yes, there are some huge technical hurdles, and likely we are decades away from full implementation for everyday users. Which is why post-quantum cryptography is also important.

I remain skeptical of the OTP method though, for the reason given above.
full member
Activity: 224
Merit: 120
The entire security system today consists of keyed encryption systems and password authentication technologies.

Scammers, governments and corporations are the ones on the other side, not ours. We're the victims to them; they're hunting us, and we're defending ourselves against them. That's the real picture.

They're not hacking into cryptography, they take our keys and passwords and use them.

What was suggested above is encryption systems where the keys are variables, not stored, not used twice and not transmitted over any communication channels.
Option 1 is an almost keyless system:
https://www.nature.com/articles/s41467-019-13740-y.
Option 2 is a completely keyless system:
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368.

The future belongs to them.
And today:
Penetration and surveillance systems are evolving.
There is an accumulation of data on all users without exception.

Such exotic attack vectors are also used to capture information about passwords and keys:
- the level of power consumption;
- the sound of keystrokes (the information is picked up remotely from window panes by laser);
- the electromagnetic emissions of the monitor, which allow, at a distance (about 300 metres), the area of mouse movement on the screen or the movement of active "menu" items in windows to be determined;
- modulation of electromagnetic radiation at the mechanical contact points of electrical connectors (for example, a 3.5 mm headset jack inserted into the device modulates the useful signal onto the radiation frequency of the device's processor, and it is successfully demodulated at a distance);
- reading information from the hard-drive activity LED of a PC (via hidden spyware pre-installed on the PC; this is what the Israeli security services did with the help of a drone helicopter, which captures the information through a window from the hard-drive LED at speeds of up to 6000 bits per second);
- a two-way communication channel established by means of ultrasound through conventional acoustic devices - speakers, a portable device or a personal computer.
Interestingly, a normal speaker, a notebook, or even a modern smartphone is able not only to emit in the ultrasonic range (above 22 kHz), but also to act as a microphone for such signals.

In general, the situation with our personal security is not only bad, but it is also deteriorating.

That's why, when developing keyless encryption technology, all possible side-channel attacks should be taken into account.
full member
Activity: 224
Merit: 120


-----------------
I thought you were in a hurry to jump to conclusions. If you don't just study the scheme but read the description of this method (let's call it OTP), it clearly says that it's not quantum cryptography at all (or, as I call it, a "photonic link"); on the contrary, it's the opposite of quantum cryptography.

This method excludes all the disadvantages of quantum cryptography, which in practice will have a function of key distribution for symmetric encryption systems.

For true cryptography, it is not suitable. It can be used as cryptography, but it's like renting a huge truck to carry a desktop computer. It's stupid; it looks ridiculous.

Quantum cryptography is very slow, very capricious, very resource-intensive.

And OTP completely eliminates these drawbacks: it's super fast, it works at near light speed, and it's super reliable, the only proven method in the history of cryptography, many orders of magnitude more reliable than AES with any key length.
In order to agree on a common key, the parties do not need to meet or transfer it over communication channels, or store it.

It is fantastic, it is real, it is the present future of modern cryptography, it is super-reliable, it has no drawbacks.

This isn't your "quantum key transmission"; that's snail-speed. It's an old 1980s method; there were already successful experiments back then. But people thought back then; they could still think, rather than poke a finger at a smartphone screen.

And vice versa, the OTP method is a modern method.
It's a technological way of developing cryptography.

But do not forget about the logical path of cryptography, because it is a program that everyone can put on their smartphone, with almost the same level of encryption reliability, and still get a bonus:
- two-way, continuous, 100% accurate authentication;
- full match of the decrypted and encrypted message, up to 1 bit accuracy;
- alternative non-scalable blockchain;
- hiding the transmission or reception of information from an unauthorized observer;
- instant verification of any amount of information;
- many other things that no technological cryptographic method can do. 

No technological way of developing cryptography provides uninterrupted authentication. Only trust, or again keys and passwords.

Our method has no keys and no passwords, no shortcomings.
 
legendary
Activity: 1904
Merit: 1277
I agree with all your comments.
Excellent! Finally our discussion across multiple threads reaches a consensus Smiley

Except for one, one.
Damn it.


There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability [...]
The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y

Aha, yes, one-time pad stuff... which brings us back to quantum cryptography and QKD.



It's an inventive approach, but I'm not convinced of how this is better than the quantum alternative, BB84 QKD. I don't think OTPs are the answer here. An OTP by itself and used properly is secure, but the key needs to be shared in a 100% safe way. And if you have a means to share the key 100% safely, then you just use that method and there is no need for the OTP. Quantum entanglement is the 100% safe method (sorry, I wanted to focus on PQC and not return to quantum cryptography again!).
But we still have vulnerabilities so long as we have external classical dependencies.


No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.
Yes, agreed. AES256 looks secure against a Grover attack, so is likely safe in the medium-term, but longer term, who knows? Longer term the solution I still contend is likely to use some quantum mechanical mechanism such as entanglement to create fundamental 100% security, the big caveat here being that our understanding of quantum mechanics may change, and new possibilities and challenges in physics may present themselves...

"I think I can safely say that nobody understands quantum mechanics." Richard Feynman knew what he was talking about. The maths is one thing, but it's an abstraction, it only helps us so far in understanding QM from a human perspective.

full member
Activity: 224
Merit: 120
I agree with all your comments.
Except for one, one.

There is reliable, absolutely reliable cryptography, in the absolute sense. It's Vernam's cipher.
It's the only cipher for which there's evidence of its 100% reliability (C. Shannon, 1945).

It has been used for over 120 years and (attention!) is still used today. The most secret diplomatic and other messages are still sent only using the Vernam cipher!

No AES with any key length; as for asymmetric systems, I won't even mention them: categorically forbidden.

The thing is that modern cryptography has appeared as an alternative to Vernam's cipher.

No modern cryptographic system has any proof of its crypto stability, and that proof cannot be, because the principles of encoding them - so to speak, are more cunning than reliable.

The two versions of cryptographic systems that I mentioned at the end of my last post use Vernam's cipher. But they're not used anywhere yet. It's not time yet.

The first cryptosystem I did not give a link to, here it is, I really like it:
https://www.nature.com/articles/s41467-019-13740-y
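The Vernam cipher both posters agree on is XOR with a random pad as long as the message, and its proof of security holds only while every pad byte is used exactly once ("used properly", as the other poster puts it). The following is an added example, not code from either poster's system or from the Nature paper: a pad store that refuses to hand out any byte twice, and then a demonstration of what breaks when that rule is violated, namely that two ciphertexts under the same pad XOR to the XOR of the two plaintexts, after which a guessed word in one message reads the other. Messages and pad bytes are constructed.

```python
"""Vernam cipher with single-use enforcement, and the two-time-pad failure (added example)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class PadStore:
    """Shared pad material that refuses to hand out any byte twice."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0

    def take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted; generate and share a new one")
        chunk = self._pad[self._used:self._used + n]
        self._used += n      # these bytes can never be handed out again
        return chunk

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used


def otp_encrypt(pad: PadStore, msg: bytes) -> bytes:
    return xor_bytes(msg, pad.take(len(msg)))


def otp_decrypt(pad: PadStore, ct: bytes) -> bytes:
    # The receiver's store consumes the same bytes in the same order.
    return xor_bytes(ct, pad.take(len(ct)))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If both were XORed with the same pad bytes, the pad cancels out and
    what remains is plaintext1 XOR plaintext2."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


def crib_drag(leak: bytes, crib: bytes) -> list:
    """Slide a guessed plaintext fragment along m1^m2; wherever the result is
    printable ASCII, that is a candidate fragment of the other message."""
    hits = []
    for i in range(len(leak) - len(crib) + 1):
        cand = xor_bytes(leak[i:i + len(crib)], crib)
        if all(32 <= c < 127 for c in cand):
            hits.append((i, cand))
    return hits


if __name__ == "__main__":
    pad = secrets.token_bytes(64)           # would be shared out of band
    alice, bob = PadStore(pad), PadStore(pad)
    ct = otp_encrypt(alice, b"attack at dawn")
    print(otp_decrypt(bob, ct))
    # Misuse: a second message encrypted with the same pad bytes, bypassing
    # the store. The pad is never recovered, yet the messages leak.
    ct2 = xor_bytes(b"defend at dusk", pad[:14])
    print(crib_drag(two_time_pad_leak(ct, ct2), b"attack"))
```

The store is the only thing standing between the proof and the failure; it also makes concrete why the cipher is a key-distribution problem rather than an encryption problem, since the pad must be as long as all traffic ever sent and must reach both sides secretly, which is the question the other poster keeps returning to.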
legendary
Activity: 1904
Merit: 1277
What you call "quantum cryptography", and that's what everyone calls it, is only needed to agree on common encryption keys for common symmetric cryptography, such as AES-256.
I definitely agree that the accepted term 'quantum cryptography' is a bit of a misnomer. In general it refers to quantum key distribution, so it's less about cryptography and more about using the laws of quantum mechanics to establish secure communication.


It's a wordplay - it's not cryptography, it's a way to generate the same keys for 2 people.
Sure. It's a way to generate a shared key that due to the underlying laws of physics cannot be hacked.


But all asymmetric modern systems are unreliable [...] All modern asymmetric systems will collapse at any key length.
I absolutely agree. From a quantum attack perspective, classical asymmetric cryptography is hugely vulnerable to Shor's algorithm.
But classical symmetric cryptography is vulnerable to Grover. Not to the same extent, but still there is a vulnerability.


You're wrong about the "quantum internet" being afraid of the "man in the middle" attack. This attack is only dangerous when it can be conducted invisibly.
You can't do it inconspicuously on the quantum internet.
This is a huge advantage of this method.
It depends how it's implemented, and what the external dependencies are, for example how the quantum channel is itself established. Work is ongoing and suggests that QKD can be secure, but the standard implementation isn't necessarily so, as assumptions of security are made. A variant of Kak's 3 stage model looks like it might be secure, but this needs to be confirmed. My point about MITM is really that whilst a quantum approach can in theory be 100% secure in a way that a classical approach cannot, it is still dangerous to assume that there are no vulnerable external dependencies.


They use AES-256 because it cannot be cracked by any quantum computer.
True at the moment. Grover reduces the time to crack it, but not significantly.

Post-quantum cryptography is very important, I agree with you wholeheartedly on that. My basic point is that a purely cryptographic defence can never be as absolutely and fundamentally secure as a defence that is based on the laws of physics.

Given the huge technical obstacles to creating a workable quantum cryptography that can be used by everyone, I agree with you that in the short- and medium-term, PQC is definitely the answer.

Long-term though? I would argue that using a quantum mechanical defence may provide a better solution.
full member
Activity: 224
Merit: 120
What is quantum cryptography?
The transmission of information through the use of the quantum states of a particle of light, a photon; that's understandable.
This is a photonic Internet, which is proudly called the "quantum Internet", although it has nothing to do with "quanta" themselves, as elementary particles.
And there is no quantum cryptography: no interaction with quanta, no encryption with quanta.
So what is quantum cryptography? I can't figure it out.
There's only post-quantum cryptography, mathematics.

What's quantum cryptography?

Hello again! We've discussed this on another thread, so I won't go into it in depth again, but I'll mention China's Micius satellite as an example of quantum cryptography in action. Micius is already enabling a (small) quantum internet. A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. The quantum entanglement is the vital part of the encryption, the use of the laws of quantum mechanics to create the exchange of information: Quantum Key Distribution.

I will concede that whilst QKD removes some classical vulnerabilities, it does not remove them all: man-in-the-middle as an example.
But Micius is only the start. Other variants of quantum cryptography are also being advanced. Kak's 3 stage protocol for example (a quantum version of double-lock), a multi-photon variant of which is being developed to protect precisely against man-in-the-middle.

I am certainly not saying that post-quantum cryptography (classical cryptography used as a defence against quantum attack) is useless, it's not, it's extremely important.
But quantum cryptography (using the laws of quantum mechanics to implement cryptography) is important too.

Here's a time-lapse photo of Micius in action. https://cosmosmagazine.com/technology/the-quantum-internet-is-already-being-built


--------------------
What you call "quantum cryptography", and that's what everyone calls it, is only needed to agree on common encryption keys for common symmetric cryptography, such as AES-256. They use AES-256 because it cannot be cracked by any quantum computer.
It will be the post-quantum symmetric system; so NIST, USA, decided.

It's a wordplay - it's not cryptography, it's a way to generate the same keys for 2 people.
China has developed this topic so well that it is already used in practice for banks, nowadays.
Why did this technology start developing?
Because the asymmetric encryption system (RSA, ECC) was performing this function, namely the function of matching the common key over a public channel for a symmetric encryption system.
But all asymmetric modern systems are unreliable.
This was a very controversial and very closed question until the threat of quantum computing appeared.
Today, for specialists, it is no longer a controversial issue, but a fact.
All modern asymmetric systems will collapse at any key length.
In fact, they have long been considered "conditionally reliable", but this is not what we are talking about.
The whole world, for many years now, has been looking for a reliable post-quantum asymmetric system.
For what?
Only for the main purpose of agreeing on a shared encryption key for symmetric systems.
As such model, approved by NIST, is not yet offered, began to develop technologies of the last century (the first such successful experiments Americans made in 1980), on a new element base.
It's a photon transmission of the polarization direction of the photon.
It is expensive, not convenient and it is not for those who have a smartphone, computer, tablet and ordinary Internet wi-fi. It's for VIPs. In addition, the option of fiber optic is a very slow Internet. But it's not cryptography in its normal sense.

You're wrong about the "quantum internet" being afraid of the "man in the middle" attack. This attack is only dangerous when it can be conducted invisibly.
You can't do it inconspicuously on the quantum internet.
This is a huge advantage of this method.

But there are other solutions.

1.
Here is the technological direction, fast and reliable, and beyond comparison with "quantum transmission":

"Science...
The new, non-hackable security system created by researchers at the King Abdullah University of Science and Technology (KAUST), the University of St Andrews and the Center for Unconventional Science Processes (CUP Sciences) aims to revolutionize communications privacy.

The essence of it is that an optical chip communicates over the fiber Internet with another optical chip; both chips have their own chaos, based on the second law of thermodynamics, the law of entropy; they exchange photons through an open channel, different photons with different physical characteristics; the common encryption key is output as a digitization of the superposition of the photon states at the output with the photon at the input. Simple, elegant. But the reliability of this method is that this key is calculated at both ends of the communication channel - and is never transmitted over the channel.
Moreover, it is long enough to do a modulo 2 addition with the message itself. And this gives the Vernam class cipher, the only cipher for which absolute reliability in the absolute sense has been proven.

This was invented in the century before last (!), proved in the middle of the last century (!), all old reliable technologies - returning in a new quality.

This is the technological way of cryptography development. It requires new chips and fiber optic cable between subscribers. But it will bury the "quantum internet."

2.
The second is not technological but software. It doesn't cost anything.
It's not well known, it doesn't claim laurels, but it works well for individuals, quietly and smoothly.
Here it is:
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368.
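The last step the post above relies on, adding a key of message length to the message modulo 2, is the one-time pad. The following Python is an added example, not code from the post or from the KAUST research it describes: the pad is drawn fresh for every message and is the only thing that has to stay secret, and the second half shows why the guarantee collapses the moment the same key is produced twice (which is exactly what the two chaotic chips must never do). The `secrets` module as pad source, the sample messages and all function names are my own choices, not anything from the post.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Fresh, uniformly random pad exactly as long as the data it protects.
    Stand-in (constructed here) for the key the post's two chips derive locally."""
    return secrets.token_bytes(length)


def vernam(data: bytes, pad: bytes) -> bytes:
    """Modulo-2 (XOR) addition of data and pad. XOR is its own inverse,
    so the same call both encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What any observer can compute if one pad protected two messages:
    (m1 XOR k) XOR (m2 XOR k) == m1 XOR m2; the pad cancels out entirely."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_from_leak(leak: bytes, known: bytes, offset: int = 0) -> bytes:
    """Given m1 XOR m2 and a known fragment of one message at a known offset
    (a fixed header, say), the matching fragment of the other message falls out."""
    segment = leak[offset:offset + len(known)]
    return bytes(a ^ b for a, b in zip(segment, known))


def roundtrip_ok(message: bytes) -> bool:
    """Correct use: one fresh pad per message, encrypt, decrypt, compare."""
    pad = generate_pad(len(message))
    return vernam(vernam(message, pad), pad) == message


def reuse_demo() -> bytes:
    """Constructed sample of the failure mode: two messages under ONE pad.
    Returns the fragment of message 2 that an observer recovers from
    nothing more than the ciphertexts and message 1's predictable header."""
    m1 = b"REPORT 0600: all quiet on the line"
    m2 = b"REPORT 0700: move funds to cold store"
    pad = generate_pad(max(len(m1), len(m2)))   # reused on purpose: the mistake
    leak = two_time_pad_leak(vernam(m1, pad), vernam(m2, pad))
    return recover_from_leak(leak, m1[:12])      # header of m2, no key needed


if __name__ == "__main__":
    print("fresh pad round trip:", roundtrip_ok(b"meet at dawn"))
    print("recovered from pad reuse:", reuse_demo())
```

The proof of perfect secrecy the post refers to holds only under the conditions `generate_pad` models: the pad is uniformly random, at least as long as the message, and used once. `reuse_demo` is the check to keep in mind when evaluating any "chip computes the key at both ends" design: if the key stream can ever repeat, the cipher degrades to the two-time pad shown there.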
legendary
Activity: 1904
Merit: 1277
Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
And there is no quantum cryptography, no interaction with quanta, encryption with quanta.
And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.

What's quantum cryptography?

Hello again! We've discussed this on another thread, so I won't go into it in depth again, but I'll mention China's Micius satellite as an example of quantum cryptography in action. Micius is already enabling a (small) quantum internet. A pair of entangled photons is generated using an interferometer, and one photon is sent to each party in the communication. The quantum entanglement is the vital part of the encryption, the use of the laws of quantum mechanics to create the exchange of information: Quantum Key Distribution.

I will concede that whilst QKD removes some classical vulnerabilities, it does not remove them all: man-in-the-middle as an example.
But Micius is only the start. Other variants of quantum cryptography are also being advanced. Kak's 3 stage protocol for example (a quantum version of double-lock), a multi-photon variant of which is being developed to protect precisely against man-in-the-middle.

I am certainly not saying that post-quantum cryptography (classical cryptography used as a defence against quantum attack) is useless, it's not, it's extremely important.
But quantum cryptography (using the laws of quantum mechanics to implement cryptography) is important too.

Here's a time-lapse photo of Micius in action. https://cosmosmagazine.com/technology/the-quantum-internet-is-already-being-built

member
Activity: 1218
Merit: 10
Excuse me a complete "Quack".. Thank you, thank you..
member
Activity: 1218
Merit: 10
I might sound like a complete "space cadet" but I think there actually could be a way to mine the rest of Bitcoin in one swoop. It would probably ruin a lot of stuff but nonetheless it could probably be done.
full member
Activity: 224
Merit: 120
Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.
What new services offer quantum computers? I'm not sure what you're referring to, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be an issue that would likely be put on top of the priority list. Elliptic curves, to my knowledge and that of many others, have not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses, is inaccurate. They have not been compromised, but they do have strengths and weaknesses just like any other cryptography.
----------------
Yes, indeed, I have read a lot about cryptography on elliptic curves.

1. I learned that those who know a lot work for various unpopular organizations, are always silent, and information about this knowledge and about these people is lost ...

2. I also learned that all modern cryptography is deliberately divided into 2 parts:
1) Household cryptography, those encryption systems that we know. We, ordinary people, are allowed to use them in unclassified matters;
2) State cryptography, the one that we are not allowed to use, and the government is obliged to.

And I asked myself, why so?
More precisely, what is wrong with our everyday cryptography?

3. It is not clear why the NSA (USA) first ordered a study from British mathematicians, then hid all the materials of this study, and immediately banned the use of cryptography on elliptic curves for state secrets.
And this despite the fact that only yesterday the NSA was actively implementing ECC, and that not so long ago the NSA bought all the patents for this system from 2 mathematicians.

4. Why are we assured of the reliability of asymmetric mathematical encryption systems without being provided evidence of this reliability (evidence of the inability to solve the discrete logarithm problem in fields of elliptic curves with a finite order of the number field, which means discrete, point elliptic curves)?

But I understand that if they know the secret, the weak point of this cryptography, then it is very beneficial for some that all ordinary people use and trust this cryptography.

And further, new questions ..

5. Why does NIST not even want to hear about ECC with an increased key length as a candidate for a post-quantum system?
Let me remind you that an ECC key with a length of 521 bits is equal in reliability to 256-bit AES. But AES-256 remains a post-quantum system of the future, because no quantum computer will be able to completely enumerate a number of 256 bits.
But in ECC it is as much as 521 bits !!!
So ECC breaks down not only by brute force attack, but also in some other way, and that means mathematically !!!

Moreover, doubling the key length in the ECC encryption paradigm is not a problem or a burden on modern processors.
However, they do not do it.
Moreover, they claim that this system (including RSA) breaks at any key length if it breaks at the standard key length. This is not what I say, but people, professors of cryptography, people with a name, authorities in the world of encryption.

What does it mean?
Only one thing - these household systems are broken mathematically, by cryptanalysis.

6. I also learned (from a lecture by a respected mathematician-cryptographer) the following:
- some classes of elliptic curves are weak;
- if you look at the standard NIST curves, you can see that they are verifiably random;
- if you read the Wikipedia page about the "nothing up my sleeve" principle, you will notice that:
1) the random numbers for MD5 are obtained from the sines of integers;
2) the random numbers for Blowfish are obtained from the first digits of $\pi$;
3) the random numbers for RC5 are obtained from $e$ and the golden ratio.
These numbers are random because their digits are evenly distributed. And they do not cause suspicion, because they have a justification.

Now the following question arises: where do the random generating values for the NIST curves come from?
Answer: unfortunately, we do not know.
These values have no justification.

Is it possible that NIST discovered a "significantly large" class of weak elliptic curves, tried various possible generating values, and found a vulnerable curve? I cannot answer this question, but it is a logical and important question.

What is the reason for this distrust of such a respected organization?
It is this:
"We know that NIST has at least successfully standardized a vulnerable random number generator (a generator that, oddly enough, is based on elliptic curves).

Perhaps it has successfully standardized many weak elliptic curves as well? How to check it? No way.

It is important to understand that “verifiable random” and “protected” are not synonyms. It doesn’t matter how complicated the logarithm task is or how long the keys are - if the algorithms are hacked, then there is nothing we can do.

In this regard, RSA wins because it does not require special domain parameters that can be exploited. RSA (like other modular arithmetic systems) can be a good alternative if we cannot trust the authorities and cannot create our own domain parameters.

And if you're curious: yes, TLS can use NIST curves. If you check Google, you will see that when connecting, ECDHE and ECDSA are used with a certificate based on prime256v1 (aka secp256r1).

I am not a cryptographer and not a mathematician, not a scientist or a university teacher. No one is interested in my opinion and I have no authority.

But I do not consider myself an idiot and do not really trust the universal approved opinion of the herd. I try to draw conclusions.

If you are not tired of this topic, here are the arguments in my favor, the second post from December 4:
https://bitcointalk.org/index.php?topic=5204368.40
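Point 6 of the post above, the "nothing up my sleeve" constants and the question of where the NIST curve seeds come from, can be made concrete. The following Python is an added example, not code from the post, from NIST or from any of the cited lectures: it re-derives two justified constant tables the post names (MD5's from the sines of integers, Blowfish's from the hex digits of pi) and then runs the ANSI X9.62 "verifiably random" check on P-256 with its published seed, which shows what that property does and does not give you: the seed provably determines the coefficient b through SHA-1, but nothing in the procedure explains why that particular seed was chosen. P-256's p, b and seed are the public standard values; the function names and the Machin-formula pi routine are mine.

```python
import hashlib
import math


# --- 1. MD5: T[i] = floor(|sin(i + 1)| * 2^32). The rule is public and obvious. ---
def md5_sine_constants(count: int = 64) -> list[int]:
    return [int(abs(math.sin(i + 1)) * 2**32) for i in range(count)]


# --- 2. Blowfish: the P-array is the fractional hex expansion of pi. ---
def _arctan_inv(x: int, unity: int) -> int:
    """arctan(1/x) scaled by `unity`, Gregory series in exact integer arithmetic."""
    power, total, n, sign = unity // x, 0, 1, 1
    while power:
        total += sign * (power // n)
        power //= x * x
        n += 2
        sign = -sign
    return total


def blowfish_pi_words(count: int) -> list[int]:
    """First `count` 32-bit words of pi's hex digits after the '3.', via
    Machin's formula pi = 16 arctan(1/5) - 4 arctan(1/239)."""
    unity = 16 ** (8 * count + 8)                       # 8 guard hex digits
    pi_scaled = 16 * _arctan_inv(5, unity) - 4 * _arctan_inv(239, unity)
    frac = (pi_scaled - 3 * unity) // 16 ** 8           # floor((pi - 3) * 16^(8*count))
    digits = format(frac, f"0{8 * count}x")
    return [int(digits[8 * i:8 * i + 8], 16) for i in range(count)]


# --- 3. NIST P-256: published seed and the X9.62 check b^2 * c == -27 (mod p). ---
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_seed_to_c(seed: bytes, p: int) -> int:
    """ANSI X9.62 / FIPS 186 derivation of the integer c from SEED with SHA-1:
    c0 = rightmost v bits of SHA-1(seed) with its leftmost bit cleared,
    followed by SHA-1(seed + i) for i = 1..s, concatenated."""
    t = p.bit_length()
    s = (t - 1) // 160
    v = t - 160 * s
    g = 8 * len(seed)
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w = (h & ((1 << v) - 1)) & ~(1 << (v - 1))
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        z_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(z_i).digest(), "big")
    return w


def verify_nist_prime_curve(seed: bytes, p: int, b: int) -> bool:
    """True if b is the coefficient this seed commits to. NIST prime curves use
    a = -3, so the X9.62 relation c * b^2 == a^3 (mod p) becomes b^2 * c == -27."""
    c = x962_seed_to_c(seed, p)
    return (b * b * c + 27) % p == 0


if __name__ == "__main__":
    print([hex(t) for t in md5_sine_constants(4)])
    print([hex(w) for w in blowfish_pi_words(4)])
    print("P-256 b matches its seed:", verify_nist_prime_curve(P256_SEED, P256_P, P256_B))
```

The contrast is the point: for MD5 and Blowfish anyone can regenerate the table from a rule with no free parameters, whereas for P-256 the check only binds b to a 160-bit seed that is itself an unexplained input. That is the precise sense in which "verifiably random" is not the same as "justified", which is what the post's points 6 and 7 turn on.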
full member
Activity: 224
Merit: 120
One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there? Otherwise that will cause a huge drop in the value of Bitcoin. We can’t put a wrapper or something around those wallets, right?

I am a tech guy, not an economist, so not sure if my reasoning makes sense!
------------------
It makes sense to be afraid, and this is the well-thought-out opinion of cryptography experts.
Not only that, it is openly spoken about by people who hold responsible positions in very well-known companies.

The situation here is complicated, because the cryptography itself on elliptic curves, on which the digital signature in Blockchain and Bitcoin is based, is weak and dangerous.
Read more about it here (second post of December 4):
https://bitcointalksearch.org/topic/keyless-encryption-and-passwordless-authentication-5204368

But the second part, SHA256, remains reliable even when attacked by a quantum computer.
Because no computer will do a full search of all possible values of a binary number 256 bits long.

But smart people have already invented and released a currency based on post-quantum encryption methods.
I don't want to advertise it, but if the quantum computer starts working (although there are other, more serious concerns about cryptanalysis), the price of this crypto will rise quickly.
full member
Activity: 224
Merit: 120
Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.
What new services offer quantum computers? I'm not sure what you're referring to, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be an issue that would likely be put on top of the priority list. Elliptic curves, to my knowledge and that of many others, have not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses, is inaccurate. They have not been compromised, but they do have strengths and weaknesses just like any other cryptography.
------------------
Quantum cryptography is what?
The transmission of information through the use of quantum states of a particle of light, a photon - it's understandable.
This is a photon Internet, which is proudly called "quantum Internet", although it has nothing to do with "quantum" itself, as elementary particles.
Photon networks do not allow information to be taken unnoticed.
That's it.
From the theft of information itself, they do not protect.
It's safe to use them just because the theft is noticeable.
And they are only planned to be used to agree on a shared key for conventional symmetric encryption systems such as AES-256. This system is not broken by any quantum computer, not even in the distant future.

Now the problem is that no modern asymmetric systems (as opposed to symmetric ones) can resist quantum computers. And these systems are needed only to agree on the common secret key for symmetric encryption systems.
Without asymmetric systems, we all need to meet in person in order to send an encrypted message.
And if there are no asymmetric systems, the old photonic Internet, which today is called quantum (!), is offered as an alternative. And successful transmission in this way happened long ago, 50 years ago. These are old technologies on new equipment.

And there is no quantum cryptography, no interaction with quanta, encryption with quanta.

The foreseeable future lies only in mathematical, logical encryption methods that work on ordinary computers. They're being searched for. There's a competition. They're called post-quantum cryptography. By the way, AES-256 is already among the winners in the category of symmetric encryption systems. This system is not afraid of future quantum computers; it's not even afraid of computers from another planet where the most advanced civilization lives.

Why not? Because this system works with all values of the key. And that means, if there are no mathematical methods of cracking, and there are none, you have to do a full search of a binary code 256 bits long. And it's not possible; there aren't that many particles in the whole universe.
Besides, this algorithm doesn't load the processor.
That's why it's not a problem to make a key 512 bits long.

And how many times more is 512 bits than 256 bits?
No, not twice, and I don't know how many times. It's a mystically large number.
But 257 bits is more than 256 bits by exactly twice.
You do the math from there.

Cryptography on elliptic curves can't just increase the length of the key and become post-quantum. Why not?
Because such unreliable (asymmetric) systems are broken mathematically by cryptanalysis. So they're not used in serious cases. But this system is used in blockchain and bitcoin.

And what's quantum cryptography? I can't figure it out.
There's only post quantum cryptography, math.
legendary
Activity: 1652
Merit: 1483
One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there?

yes, this is one of 2 reasons why a post-quantum fork is contentious. (the second one being that all known post-QC signatures are extremely large and therefore will bloat the blockchain)

the solution that's primarily been suggested is to destroy all ECDSA-secured outputs after a certain date (eg 5 years after the post-quantum fork occurs) to give people ample time to secure their coins while also preventing massive theft by QC.

unfortunately, this solution is extremely unpopular since many users believe it's wrong to ever destroy/steal someone else's outputs. so we're at an impasse and i dunno how it will be resolved. https://www.reddit.com/r/Bitcoin/comments/4isxjr/petition_to_protect_satoshis_coins/d30we6f/
newbie
Activity: 17
Merit: 2
One thing I don’t understand in the whole discussion; if RSA or ECC are compromised in the future, we can upgrade existing systems of course (and we’ll have to ... whole PKI will come tumbling down), but won’t this make dormant wallets vulnerable? How are we going to prevent someone stealing the funds from there? Otherwise that will cause a huge drop in the value of Bitcoin. We can’t put a wrapper or something around those wallets, right?

I am a tech guy, not an economist, so not sure if my reasoning makes sense!
staff
Activity: 3332
Merit: 4117
Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.
What new services offer quantum computers? I'm not sure what you're referring to, but Amazon does not offer anything even near the capabilities of a quantum computer. If the elliptic curves were compromised critically it would be an issue that would likely be put on top of the priority list. Elliptic curves, to my knowledge and that of many others, have not been compromised.

You make some good posts regarding Bitcoin, but a lot of it is scaremongering similar to the scaremongering tactics used by news outlets. Maybe not intentionally, but suggesting that elliptic curves have been compromised, and then later stating they have weaknesses, is inaccurate. They have not been compromised, but they do have strengths and weaknesses just like any other cryptography.
legendary
Activity: 2464
Merit: 1387
Computing, security, encryption, and hacking have always been and will likely always be a cat and mouse game. It's not like we all woke up one day and found all of our security that was based on SHA-1 encryption was hosed by every hacker on the planet; it was a gradual shift. As computers get faster, encryption will need to become stronger, and it's the faster computers that will enable stronger encryption.

Good points; well, they sound logical to me as a non-technical person anyway.
The OP quote alludes to the point that QC can be used for both good and bad.
As computing gets faster and faster, so too will technologies move to incorporate and protect against the speed.

"Quantum-resistant techniques
Quantum computing can be just as effective for cryptographers as it is for hackers. Unobserved, superpositioned particles exist in multiple states, but when detected, they “collapse” to one point in space-time. Quantum cryptography has the same properties; because the protons that make up an encoded transaction shift upon observation, a successful attacker would have to break the laws of physics to intercept it."
legendary
Activity: 1232
Merit: 1080
Quantum computing wont be a problem for Bitcoin anytime soon. Advancements will make quantum obsolete as well.
-----------------
Bitcoins are stolen without the help of a quantum computer. The anonymity of bitcoin owners is eliminated without quantum helpers.

In new public key cryptographic systems that claim to be post-quantum, vulnerabilities are found without the help of a quantum computer and without guessing the key.

The fear of the quantum computer is similar to the fear of the monkey, the new big monkey.

Our main danger is people using their intelligence to cheat, not a stick and brute force.

So I agree that our security won't suffer much from quantum computing.

I am not certain what you mean by "Bitcoins steal without the help of a quantum computer", but the anonymity of Bitcoin owners is not eliminated without the help of quantum computing. Bitcoin is not a very good currency for maintaining anonymity and there are probably better options out there if that is a concern. Everything is displayed on the Blockchain for a reason and that goes directly against privacy of funds. As soon as you post an address online to receive a payment you are tied to that address. There are ways to use Bitcoin to maintain privacy a little better, but at its core Bitcoin does not compare to Monero for privacy.

The fear of quantum computers is real, although it is blown out of proportion by the media outlets of this world, which try to sell the idea that in a couple of years we are all doomed because of these supercomputers capable of destroying all technology, which we all know to be completely false. It is theoretically possible for a quantum computer to break Bitcoin's algorithm in its current state; however, the argument against this is that it will be a very long time until a quantum computer is capable, and by the time that happens Bitcoin would probably have adopted a quantum-computer-resistant protocol.
full member
Activity: 224
Merit: 120
Quantum computing wont be a problem for Bitcoin anytime soon. Advancements will make quantum obsolete as well.
-----------------
Bitcoins are stolen without the help of a quantum computer. The anonymity of bitcoin owners is eliminated without quantum helpers.

In new public key cryptographic systems that claim to be post-quantum, vulnerabilities are found without the help of a quantum computer and without guessing the key.

The fear of the quantum computer is similar to the fear of the monkey, the new big monkey.

Our main danger is people using their intelligence to cheat, not a stick and brute force.

So I agree that our security won't suffer much from quantum computing.
full member
Activity: 224
Merit: 120
Quantum computers are not as far from life as we think. Look at Amazon's new services. Offer for commercial use. And why is everyone obsessed with these qubit calculators? Cryptography on elliptic curves has compromised itself for a long time, they just don’t write about it.

Those who believe that ECDSA can only be destroyed by brute force attacks are mistaken. This is a common misconception that is supported by most.
And I will allow myself to object.

A long time ago, it was not full-time employees of GCHQ (a division of the British special services) who made it public, but the mathematicians of the CESG unit, which is responsible for national ciphers and the protection of government communications systems in the UK. The close interaction between GCHQ and the NSA takes place primarily along the lines of joint intelligence activities. In other words, since the NSA also has its own IAD (Information Assurance Directorate) department specializing in the development of cryptographic algorithms and information protection, the discovery of their British colleagues was a complete surprise for the mathematicians of this unit. And they first learned about it from their fellow spies who closely interact with the British ...

So when the Americans learned what the British had found, they immediately abandoned cryptography on elliptic curves. And the situation is beneficial for them as long as the public does not give up this encryption system. This is their jackpot!

Blockchain is hanging by a thread. The blockchain is saved by the non-compromised hashing function and its massive use.

The danger of cryptography on elliptic curves lies in the elliptic curves themselves. They have weaknesses. That is why, back in 2015, the NSA (USA) opposed this type of cryptography, despite the fact that earlier it had campaigned only for this cryptography. And after 2015 it again returned to the old RSA system. And this despite the very large key length relative to ECC keys.

We do not know the answer to the question of how many classes of weak elliptic curves were found by NIST.

I also have no answer to this question, but this is a logical and important question. We know that NIST, at least, has successfully standardized a vulnerable random number generator (a generator that is based on the same elliptic curves).

I do not want to repeat here a very large text; I described this in my post on December 04 (there are 2 posts written on December 4), read the second one, topic:
--------------------
This material answers 2 important questions:
1. Is cryptography on elliptic curves as secure as we think?
2. Is quantum computing really dangerous for modern public key cryptosystems?
..............................
Link: https://bitcointalk.org/index.php?topic=5204368.40

I do not know more convincing evidence than those written there.
newbie
Activity: 4
Merit: 0
Blockchain latest news: a state-owned quantum computer could break blockchains in as little as three years  https://www.computing.co.uk/ctg/news/3033006/state-owned-quantum-computer-break-blockchains-three-years 'A commercially viable quantum computer is still probably a decade away but the first rudimentary, state-owned device capable of breaking common one-way encryption algorithms like AES and elliptic curve cryptography could be with us much sooner.'
'Whoever achieves it first - and it could be within as little as three years according to Cheng - don't expect to learn about it in the news.'

Post quantum we will have lots of forks. But the quantum upgraded original chain with all the mined coins will be the strongest. Anyone who has the privatekey of an old address can now move their coins and they will be quantum secure. Otherwise they are 'shalecoins' and have no owner and will be 'fracked'. These coins are the reward of their 'frackers'. If some think that the 'shalecoins' should be locked/destroyed, they can use the fork with excluded 'shalecoins'. They are already discussing such things: Fork and Destroy Satoshi's 1 million Bitcoin? https://bitcointalksearch.org/topic/fork-and-destroy-satoshis-1-million-bitcoin-5131393

No matter what, a decade is not such a long time. We should be discussing this stuff today.
Yes, squatter.
Quantum computers will surprise the Bitcoin community. The 'shalecoins' will be moved and will become active. Thereafter BTC owners will decide which fork they want to use.

I have no idea and I just learned it from this thread. Those coins in Satoshi's wallet will then be activated, so there might not be forgotten coins after all. I guess we can all say Bitcoin will live on to be 21M in total. Nothing's wasted and Satoshi has really thought all of these will happen one day.
legendary
Activity: 2562
Merit: 1441


Maybe this competition is intended to create encryption standards utilized by the entire world that have backdoors or vulnerabilities specifically engineered into them?

It could be a decent security practice to avoid whatever encryption standards are produced as a result of this?

If you are paranoid about the outcome of this US sponsored competition to come up with encryption standards, then you should be paranoid about Bitcoin's SHA256, Tor or anything else that came out of US related activity.



BTW for anyone who thinks caution on NIST building backdoors into encryption standards is "paranoia" the following is an interesting read.

Quote
NSA Backdoors and Bitcoin

Many cryptographic standards widely used in commercial applications were developed by the U.S. Government’s National Institute of Standards and Technology (NIST). Normally government involvement in developing ciphers for public use would throw up red flags, however all of the algorithms are part of the public domain and have been analyzed and vetted by professional cryptographers who know what they’re doing. Unless the government has access to some highly advanced math not known to academia, these ciphers should be secure.

We now know, however, that this isn’t the case. Back in 2007, Bruce Schneier reported on a backdoor found in NIST’s Dual_EC_DRBG random number generator:

But today there’s an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation(.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.

This is how it works: There are a bunch of constants — fixed numbers — in the standard used to define the algorithm’s elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.

What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.


This is important because random number generators are widely used in cryptographic protocols. If the random number generator is compromised, so are the ciphers that use it.

Thanks to the heroic work of Edward Snowden we now know that Dual_EC_DRBG was developed by the NSA, with the backdoor, and given to NIST to disseminate. The scary part is that RSA Security, a company that develops widely used commercial encryption applications, continued use of Dual_EC_DRBG all the way up to the Snowden revelations despite the known flaws. Not surprising this brought a lot of heat on RSA which denies they intentionally created a honeypot for the NSA.

UPDATE: RSA was paid $10 million by the NSA to keep the backdoor in there.

All of this has been known for several months. What I didn’t know until reading Vitalik Buterin’s recent article Satoshi’s Genius: Unexpected Ways in which Bitcoin Dodged Some Cryptographic Bullets, is that a variant of an algorithm used in Bitcoin likely also contains an NSA backdoor, but miraculously Bitcoin dodged the bullet.

Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for signing transactions. This is how you use your private key to “prove” you own the bitcoins associated with your address. ECDSA keys are derived from elliptic curves that themselves are generated using certain parameters. NIST has been actively recommending that everyone use the secp256r1 parameters because they “are the most secure”. However, there appears to be some funny business with secp256r1 that is eerily similar to the backdoor in Dual_EC_DRBG.

Secp256r1 is supposed to use a random number in generating the curves. The way it allegedly creates this random number is by using a one-way hash function of a “seed” to produce a nothing-up-my-sleeve number. The seed need not be random since the output of the hash function is not predictable. Instead of using a relatively innocuous seed like, say, the number 15, secp256r1 uses the very suspicious-looking seed: c49d360886e704936a6678e1139d26b7819f7e90. And like Dual_EC_DRBG, it provides no documentation for how or why this number was chosen.

Now as Vitalik pointed out, even if the NSA knew of a specific elliptic curve with vulnerabilities, it still should have been near impossible for them to rig the system due to the fact that brute-forcing a hash function is not feasible. However, if they discovered a flaw that occurred in, say, one curve in every billion, then they only need to test one billion numbers to find the exploit.

However, the kicker in all this is that the parameters for secp256r1 were developed by the head of elliptic curve research at the NSA!

The unbelievable thing is that rather than using secp256r1 like nearly all other applications, Bitcoin uses secp256k1 which uses Koblitz curves instead of pseudorandom curves and is still believed to be secure. Now the decision to use secp256k1 instead of secp256r1 was made by Satoshi. It’s a mystery why he chose these parameters instead of the parameters used by everyone else (the core devs even considered changing it!). Dan Brown, Chairman of the Standards for Efficient Cryptography Group, had this to say about it:

I did not know that BitCoin is using secp256k1. Indeed, I am surprised to see anybody use secp256k1 instead of secp256r1.

Just wow! This was either random luck or pure genius on the part of Satoshi. Either way, Bitcoin dodged a huge bullet and now almost seems destined to go on to great things.

https://chrispacia.wordpress.com/2013/10/30/nsa-backdoors-and-bitcoin/
legendary
Activity: 1610
Merit: 1183
How can you even know if something is quantum resistant? Seems a computer that powerful will be able to crack anything you put in front of it.

A quantum computer isn't a miracle or magic which can solve any computational problem that exists. Try reading https://www.cs.virginia.edu/~robins/The_Limits_of_Quantum_Computers.pdf.

the spirit of what he's saying is important though. for example, there is an assumption often repeated that unspent P2PKH outputs are quantum resistant because they don't expose the public key. but as pieter wuille points out, this is based on little more than the hope that a hypothetical quantum computer is too slow to steal from unconfirmed transactions.
Quote
One often repeated argument in favor is quantum resistance. I believe this is besides the point. We have no idea what the characteristics of a hypothetical machine relying on yet to be invented technology will be. Given the degree of key reuse on the network (so there are addresses with known public keys), the existence of a system that can break ECDSA is likely a death blow to Bitcoin. A real solution to that is to prepare and have real quantum-resistant cryptography in place before it's too late. Relying on a weird hope that those hypothetical machines are somehow too slow to steal from unconfirmed transactions before they're mined is a red herring.

The main problem here is getting everyone on board for a preventive hardfork. What Pieter Wuille says is common sense, however it has been tested throughout history how common sense doesn't apply when big groups of people are trying to come up with an agreement. Consider that we cannot even reach a consensus on whether climate change is going to ruin our entire species or not. A big variety of arguments on a wide scale exists, from "the poles are melting soon" to "it's just a hoax". Similarly, I see a similar fate with this: "quantum computers are coming, let's fork now", "quantum computers are useless and cannot get anything of relevancy done, forking Bitcoin is too much of a risk".

My take is that no moves will be made until AFTER an actual quantum computer does something that leaves all of us scared shitless, such as moving Satoshi's coins into your nearest exchanger. Even then, there will be people discussing which is best to move to. I guess the forks will be made and it will be decided through hashrate, hodlers' support dumping on each other, services listing one or another fork... until only one survives. This is ruling out that one of the forks chooses an alternative to ECDSA/SHA-256 that has a bug/exploit and it ends up badly. It would be too unlikely that at least one doesn't survive.
legendary
Activity: 1652
Merit: 1483
How can you even know if something is quantum resistant? Seems a computer that powerful will be able to crack anything you put in front of it.

A quantum computer isn't a miracle or magic which can solve any computational problem that exists. Try reading https://www.cs.virginia.edu/~robins/The_Limits_of_Quantum_Computers.pdf.

the spirit of what he's saying is important though. for example, there is an assumption often repeated that unspent P2PKH outputs are quantum resistant because they don't expose the public key. but as pieter wuille points out, this is based on little more than the hope that a hypothetical quantum computer is too slow to steal from unconfirmed transactions.
Quote
One often repeated argument in favor is quantum resistance. I believe this is besides the point. We have no idea what the characteristics of a hypothetical machine relying on yet to be invented technology will be. Given the degree of key reuse on the network (so there are addresses with known public keys), the existence of a system that can break ECDSA is likely a death blow to Bitcoin. A real solution to that is to prepare and have real quantum-resistant cryptography in place before it's too late. Relying on a weird hope that those hypothetical machines are somehow too slow to steal from unconfirmed transactions before they're mined is a red herring.
legendary
Activity: 1652
Merit: 1483
How can you even know if something is quantum resistant? Seems a computer that powerful will be able to crack anything you put in front of it.

it's difficult to speculate on but i don't think it would be fair to assume that once 1 quantum computing problem is solved, every other one magically evaporates. if the bar were set that low, google would have already broken bitcoin.

you bring up a good point though. it's more just a matter of time. (if quantum computing theories are correct, that is)

that's probably the most prudent way to approach this problem.


https://medium.com/@nopara73/stealing-satoshis-bitcoins-cc4d57919a2b
legendary
Activity: 2646
Merit: 6681
Self-proclaimed Genius
What do you mean by Satoshi coins (are they BTC test coins)?
It's not totally for testing but "to start the Bitcoin network", since it needs at least one miner to make transactions.
A bit off-topic but... those are the "block rewards" for the earliest blocks that were allegedly mined by Satoshi (excluding the genesis block),
so it's fair to assume that he had the private keys of those addresses so he can spend them whenever he wants.

To get this topic back on track, the coinbase transactions for those blocks have their public keys displayed.
And when you know the public key, you theoretically can brute-force the private key using a functional Magic Quantum Computer.

Ex.: Reward for block 10 - you can get the public key by getting the output script.
Code:
PUSHDATA(65)[04fcc2888ca91cf0103d8c5797c256bf976e81f280205d002d85b9b622ed1a6f820866c7b5fe12285cfa78c035355d752fc94a398b67597dc4fbb5b386816425dd] CHECKSIG
The hex inside "[]".
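The point made above, that a P2PK coinbase output carries the spending public key in the clear while P2PKH and P2WPKH outputs commit only to HASH160(pubkey), is the property a UTXO audit for quantum exposure would key on. Below is an added example (my code, not the poster's and not from any Bitcoin project) that rebuilds the raw block-10 script from the quoted hex, classifies output scripts by template, and sanity-checks an uncompressed key against the secp256k1 curve equation. The P2PKH and P2WPKH scripts are built from a constructed 20-byte dummy hash.

```python
# Added example, not code from the thread or from any Bitcoin project. It
# classifies a raw scriptPubKey by template and reports whether the public
# key is already visible on-chain. The block-10 coinbase key is the one quoted
# in the post above; the P2PKH and P2WPKH scripts are constructed samples.

# Script opcodes used by the three templates (values from the Bitcoin script spec).
OP_0, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x76, 0xA9, 0x88, 0xAC

# secp256k1 field prime p = 2^256 - 2^32 - 977; curve equation y^2 = x^3 + 7 (mod p).
SECP256K1_P = 2**256 - 2**32 - 977

# Public key from the block-10 coinbase output, as quoted in the post above.
BLOCK10_PUBKEY_HEX = (
    "04fcc2888ca91cf0103d8c5797c256bf976e81f280205d002d85b9b622ed1a6f82"
    "0866c7b5fe12285cfa78c035355d752fc94a398b67597dc4fbb5b386816425dd"
)


def p2pk_script(pubkey: bytes) -> bytes:
    """Raw P2PK script: <push len> <pubkey> OP_CHECKSIG (33- or 65-byte key)."""
    if len(pubkey) not in (33, 65):
        raise ValueError("SEC1 public keys are 33 or 65 bytes")
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2pkh_script(hash160: bytes) -> bytes:
    """Raw P2PKH script: OP_DUP OP_HASH160 <20> <hash160> OP_EQUALVERIFY OP_CHECKSIG."""
    return bytes([OP_DUP, OP_HASH160, 20]) + hash160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2wpkh_script(hash160: bytes) -> bytes:
    """Raw P2WPKH script: OP_0 <20> <hash160>."""
    return bytes([OP_0, 20]) + hash160


def classify_script(script: bytes) -> dict:
    """Match the script against the P2PK / P2PKH / P2WPKH templates.

    Returns the template name, whether the spending public key is exposed
    by the output itself, and the key bytes when it is.
    """
    n = len(script)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        # P2PK: the output script carries the full public key.
        return {"type": "p2pk", "pubkey_exposed": True, "pubkey": script[1:-1]}
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        # P2PKH: only HASH160(pubkey) is on-chain until the output is spent.
        return {"type": "p2pkh", "pubkey_exposed": False, "pubkey": None}
    if n == 22 and script[:2] == bytes([OP_0, 20]):
        # P2WPKH: likewise only the 20-byte key hash is committed.
        return {"type": "p2wpkh", "pubkey_exposed": False, "pubkey": None}
    return {"type": "unknown", "pubkey_exposed": None, "pubkey": None}


def is_on_secp256k1(pubkey: bytes) -> bool:
    """For an uncompressed key 0x04||x||y, check y^2 == x^3 + 7 (mod p)."""
    if len(pubkey) != 65 or pubkey[0] != 0x04:
        return False
    x = int.from_bytes(pubkey[1:33], "big")
    y = int.from_bytes(pubkey[33:65], "big")
    if not (0 < x < SECP256K1_P and 0 < y < SECP256K1_P):
        return False
    return pow(y, 2, SECP256K1_P) == (pow(x, 3, SECP256K1_P) + 7) % SECP256K1_P


def exposure_report(script: bytes) -> str:
    """One-line summary a UTXO auditor might emit for an output script."""
    info = classify_script(script)
    if info["pubkey_exposed"]:
        valid = is_on_secp256k1(info["pubkey"]) if len(info["pubkey"]) == 65 else None
        return f"{info['type']}: public key exposed on-chain (on-curve check: {valid})"
    if info["pubkey_exposed"] is False:
        return f"{info['type']}: only HASH160(pubkey) on-chain; key revealed when spent"
    return "unknown template: inspect manually"


if __name__ == "__main__":
    block10 = p2pk_script(bytes.fromhex(BLOCK10_PUBKEY_HEX))
    dummy_hash = bytes(range(20))  # constructed stand-in for HASH160(pubkey)
    for s in (block10, p2pkh_script(dummy_hash), p2wpkh_script(dummy_hash)):
        print(s.hex()[:24] + "...", "->", exposure_report(s))
```

Run stand-alone it prints one line per script. The classifier only covers the three templates named in the thread; a real audit would also treat any P2PKH/P2WPKH address that has been spent from as exposed, since the spending input reveals the key, which is exactly the key-reuse point in the Pieter Wuille quote.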
full member
Activity: 784
Merit: 100
Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.

The world will be able to fix the quantum issue and implement a quantum secure mode through rewinding, freezing, correcting accounts. But Bitcoin can't and that will lead to forks.


I'm confident that the community will come into consensus to hard fork, if the threat of quantum computers will be the "death of Bitcoin". It will not be close to a debate.

i wouldn't be so sure about that!
we are talking about a major change with a hard fork and it is not like there is only one solution that everyone could jump on board. there is a ton of different things that will cause a ton of drama. for starters which algorithm to choose? and worst of all what to do with coins that won't move such as outputs that were made in early years such as 2009 (naively referred to as Satoshi's coins). should we burn them? you see there is a lot of room for debates.

What do you mean by Satoshi coins (are they BTC test coins)? Who had a balance until 2009? Were the balances on the wallets frozen?
legendary
Activity: 3472
Merit: 10611
~
But it's "fork or die". This isn't a mere "scaling debate", in which Jihan Wu, his cartel of miners, and Silbert's cartel of merchants can play their games. They play their games, then all of us lose.

actually it is more like "don't-fork or die" for those who you named here. we are discussing a switch to a different algorithm to "outrun quantum computers", that includes hash algorithm and consequently the mining algorithm that will effectively brick SHA256-ASICs and make the producing companies obsolete even if for a short period of time until they create NEW-ASICs. they would have more cause to delay it.
legendary
Activity: 2898
Merit: 1823
Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.

The world will be able to fix the quantum issue and implement a quantum secure mode through rewinding, freezing, correcting accounts. But Bitcoin can't and that will lead to forks.


I'm confident that the community will come into consensus to hard fork, if the threat of quantum computers will be the "death of Bitcoin". It will not be close to a debate.

i wouldn't be so sure about that!
we are talking about a major change with a hard fork and it is not like there is only one solution that everyone could jump on board. there is a ton of different things that will cause a ton of drama. for starters which algorithm to choose? and worst of all what to do with coins that won't move such as outputs that were made in early years such as 2009 (naively referred to as Satoshi's coins). should we burn them? you see there is a lot of room for debates.


But it's "fork or die". This isn't a mere "scaling debate", in which Jihan Wu, his cartel of miners, and Silbert's cartel of merchants can play their games. They play their games, then all of us lose.
copper member
Activity: 2338
Merit: 4543
1. what happens to quantum-vulnerable outputs? like p2pk and spent addresses that still hold coins. the answer dictates whether lost coins are actually a donation to bitcoin holders as satoshi said. if we do nothing, then he was obviously wrong about that.

I'm afraid I don't have the answer and even if I did, someone else is likely to disagree with it.  Like pooya87 opined, that's likely to be a political melodrama for the ages.


2. the logistics of a fork. take lamport signatures for example. wouldn't it be optimal to do it years before it's a real concern = less people reusing keys as the threat approaches?

Would single-use keys make unspent transactions any less vulnerable?  I'm not sure.  Unless all ASIC miners upgrade to quantum ASICs and vast amounts of storage become super cheap and fast, Lamport signatures are way too cumbersome for the blockchain as we know it today.  But keep in mind that's almost 40-year-old tech.  Long, cumbersome algos can be coupled with compression/decompression to increase their practical applications.
legendary
Activity: 3472
Merit: 10611
Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.

The world will be able to fix the quantum issue and implement a quantum secure mode through rewinding, freezing, correcting accounts. But Bitcoin can't and that will lead to forks.


I'm confident that the community will come into consensus to hard fork, if the threat of quantum computers will be the "death of Bitcoin". It will not be close to a debate.

i wouldn't be so sure about that!
we are talking about a major change with a hard fork and it is not like there is only one solution that everyone could jump on board. there is a ton of different things that will cause a ton of drama. for starters which algorithm to choose? and worst of all what to do with coins that won't move such as outputs that were made in early years such as 2009 (naively referred to as Satoshi's coins). should we burn them? you see there is a lot of room for debates.
legendary
Activity: 2646
Merit: 6681
Self-proclaimed Genius
This is worth reading:
Quote
-snip-Quantum-resistant techniques
Quantum computing can be just as effective for cryptographers as it is for hackers. Unobserved, superpositioned particles exist in multiple states, but when detected, they “collapse” to one point in space-time. Quantum cryptography has the same properties; because the protons that make up an encoded transaction shift upon observation, a successful attacker would have to break the laws of physics to intercept it.-snip-
So, this "quantum computing" thing was based on string theory which is mathematically credible but still "not science".
Basically, you need to break the laws of physics to hack a system that breaks the law of physics... hmm, it's not wrong.
A classic supercomputer that can break secp256k1 which can lead to stolen UTXO with "exposed public key" like the #1 in figmentofmyass' list
is more of a reality and maybe just a few years away.

legendary
Activity: 2898
Merit: 1823
Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.

The world will be able to fix the quantum issue and implement a quantum secure mode through rewinding, freezing, correcting accounts. But Bitcoin can't and that will lead to forks.


I'm confident that the community will come into consensus to hard fork, if the threat of quantum computers will be the "death of Bitcoin". It will not be close to a debate.

legendary
Activity: 1652
Merit: 1483
Computing, security, encryption, and hacking has always been and will likely always be a cat and mouse game.  It's not like we all woke up one day and found all of our security that was based on SHA-1 encryption was hosed by every hacker on the planet, it was a gradual shift.  As computers get faster, encryption will need to become stronger, and it's the faster computers that will enable stronger encryption.

there seems to be a consensus that we'll switch to a quantum-resistant signature scheme (and eventually a quantum-resistant hashing algorithm) but that's just common sense. there are 2 more pressing questions to my mind.

1. what happens to quantum-vulnerable outputs? like p2pk and spent addresses that still hold coins. the answer dictates whether lost coins are actually a donation to bitcoin holders as satoshi said. if we do nothing, then he was obviously wrong about that.

2. the logistics of a fork. take lamport signatures for example. wouldn't it be optimal to do it years before it's a real concern = less people reusing keys as the threat approaches?
copper member
Activity: 2338
Merit: 4543
Computing, security, encryption, and hacking has always been and will likely always be a cat and mouse game.  It's not like we all woke up one day and found all of our security that was based on SHA-1 encryption was hosed by every hacker on the planet, it was a gradual shift.  As computers get faster, encryption will need to become stronger, and it's the faster computers that will enable stronger encryption.
jr. member
Activity: 33
Merit: 1
Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.

The world will be able to fix the quantum issue and implement a quantum secure mode through rewinding, freezing, correcting accounts. But Bitcoin can't and that will lead to forks. We already have two main post quantum 'forks':

1. The original chain with all the coins. The 'shalecoins', https://bitcointalksearch.org/topic/bitcoin-as-shalecoin-5134441 coins with no owner, will have new owners as it will be able to move these coins.
The original chain will remain the strongest chain. If some groups can reproduce the privatekeys of 'shalecoins', coins with no owner https://bitcointalksearch.org/topic/bitcoin-as-shalecoin-5134441, it's their reward. They are trying to build a computer in the near future, that wouldn't be built so fast without that incentive. That opportunity accelerates the technology. If there are still some BTC owners -incl. Satoshi- with old addresses and remove their coins now, they will be secure. So it's a fair game. And nobody can change that game: Bitcoin rewards the best technology.

The Bitcoin network is a pure competition network. Only the best technology will be successful here and make it secure. A Bitcoin fork without the old coins would be like another s**tcoin, because it would avoid real competition.

2. A fork without old coins which could be transferred by quantum computers.
(For example: Burn Satoshis coins to end the threat of prices crashing - Paxful Founder https://bitcointalksearch.org/topic/burn-satoshis-coins-to-end-the-threat-of-prices-crashing-paxful-founder-5177563)

Both chains will be upgraded to quantum secure.

edited
legendary
Activity: 2898
Merit: 1823
Don't worry about Bitcoin, a small niche. The world will have BIGGER problems to worry about with the arrival of quantum computers. Hahaha.
legendary
Activity: 3472
Merit: 10611
~
I agree that it is stupid right now because you would be doubling the storage requirements when they are not even needed yet. In the future SHA512 will be an option, however I think that there are already more promising solutions than SHA512. But concerning the storage issues that you mention, because of the way technology is evolving at an exponential rate, we can estimate that storage will not be an issue even for people with a low budget within the next 5-10 years.

you are thinking one dimensionally. you should think of it as choosing SHA512 from a group of hash algorithms, a group that contains better options at lower cost, which makes choosing this one not the best choice. so as long as we can achieve high security with a 256-bit digest we should stick to that and avoid unnecessary size increase even if storage were of no concern.
legendary
Activity: 1232
Merit: 1080
I'm not sure if this article has been lost in translation when communicating with the "top" cryptographers, but a lot of the information quoted here is just false. It's already been mentioned that the public key of Bitcoin is nowhere near the 16 characters mentioned above. The fact that they speak about finding a solution to quantum computers without acknowledging that there are already quantum-resistant algorithms out there is absurd.

Quantum computing is not currently a threat, and as technology advances we will see technology change, including the algorithm which Bitcoin and other cryptocurrencies use. This is just how we evolve and stay ahead of the game. There's unlimited funding against quantum computers because if quantum computers were readily available and able to break algorithms like predicted with a 4000-qubit quantum computer, you are looking at several industries being put at threat and not just Bitcoin or cryptocurrencies. Banks and governments also use algorithms and encryption which are not quantum resistant at this very moment.

I have seen this US-run competition circle around a lot and it looks like it's being used to scaremonger those invested in cryptocurrencies. "The US government funding quantum computers", yet they have funded similar projects before without any malicious actions. The US government is not always out to get you: they funded the Tor Project, which was originally a US Navy program to allow them to communicate with more privacy, yet that hasn't been used maliciously, has it? Tor Browser has probably made it harder for the US government to reprimand certain people. I think that Edward Snowden used Tor Browser to send files anonymously.

not only is switching to SHA512 unlikely, i would say it is stupid.
for starters it would make everything twice as big, and that is while we are trying so hard to compress everything and make it smaller to keep it manageable (for storage and scaling).
on top of that you can't just stop there, you have to change the curve too. with a 256-bit curve it is not useful to use a 512-bit hash function. you have to also switch to a 512+ bit curve like secp521r1. i am also sure that switching to SHA512 would break 90% of bitcoin implementations because they either don't have the functionality to calculate "e" during ECDSA, since they never needed it, or they have a false one in place.

I agree that it is stupid right now because you would be doubling the storage requirements when they are not even needed yet. In the future SHA512 will be an option, however I think that there are already more promising solutions than SHA512. But concerning the storage issues that you mention, because of the way technology is evolving at an exponential rate, we can estimate that storage will not be an issue even for people with a low budget within the next 5-10 years.
legendary
Activity: 3472
Merit: 10611
Well, I think the solution is already out there in the form of SHA512.  Most processors today can handle SHA512 much more easily, so it is not unlikely that they would switch to SHA512 in the future.  They are obviously not just doing this to protect cryptocurrencies, because most secure sites and even some banking services use SHA256 today.

Will the change from SHA256 to SHA512 necessitate a whole Bitcoin fork or can this just be done with a normal node update? I am not a developer, so I might be asking a stupid question... sorry.

not only is switching to SHA512 unlikely, i would say it is stupid.
for starters it would make everything twice as big, and that is while we are trying so hard to compress everything and make it smaller to keep it manageable (for storage and scaling).
on top of that you can't just stop there, you have to change the curve too. with a 256-bit curve it is not useful to use a 512-bit hash function. you have to also switch to a 512+ bit curve like secp521r1. i am also sure that switching to SHA512 would break 90% of bitcoin implementations because they either don't have the functionality to calculate "e" during ECDSA, since they never needed it, or they have a false one in place.

and finally as i have said before, unlike SHA1 versus SHA256 where the algorithms are different, in SHA512 versus SHA256 the algorithm is exactly the same (hence the switch being stupid). when a hash function becomes obsolete/weak like SHA1 it is not because of the size of it (160 bit), it is because a vulnerability in the algorithm was found, again like SHA1, which leads to attacks becoming easier (decreasing complexity from 2^80 down to 2^63.1).
if such a switch some day happens it will be to a different 256-bit algorithm such as Keccak-256, Blake2b-256,...
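The "e" that pooya87 refers to, in both the quoted post and the reply above, is the integer ECDSA derives from the message digest: SEC 1 and FIPS 186-4 keep only the leftmost min(bitlen(n), digest_bits) bits of the hash, where n is the order of the curve's group. The added example below (my code, not the poster's and not Bitcoin Core's) implements that rule and shows why a 512-bit digest buys nothing on a 256-bit-order curve, and what an implementation that skips the truncation would compute instead. The curves are keyed only by the bit length of n, which is all the rule needs; the message is a constructed sample.

```python
import hashlib

# Added example, not code from the thread or from Bitcoin Core. It implements
# the step pooya87 calls computing "e" in ECDSA: take the leftmost
# min(bitlen(n), digest_bits) bits of the hash as an integer. On a curve whose
# group order n is 256 bits, a 512-bit digest is cut down to 256 bits before it
# touches the signature at all. Curves are keyed only by the bit length of n.

ORDER_BITS = {"secp256k1": 256, "secp256r1": 256, "secp521r1": 521}


def digest_to_e(digest: bytes, order_bits: int) -> int:
    """Leftmost min(order_bits, 8*len(digest)) bits of `digest`, as an integer."""
    digest_bits = 8 * len(digest)
    e = int.from_bytes(digest, "big")
    if digest_bits > order_bits:
        e >>= digest_bits - order_bits  # discard the rightmost excess bits
    return e


def ecdsa_e(message: bytes, hash_name: str, curve: str) -> int:
    """Hash `message` with `hash_name` and derive the ECDSA integer e for `curve`."""
    return digest_to_e(hashlib.new(hash_name, message).digest(), ORDER_BITS[curve])


def naive_e(message: bytes, hash_name: str) -> int:
    """What an implementation that never learned to truncate would use: the whole digest."""
    return int.from_bytes(hashlib.new(hash_name, message).digest(), "big")


def digest_bits_used(hash_name: str, curve: str) -> int:
    """How many bits of the digest actually influence the signature on `curve`."""
    return min(8 * hashlib.new(hash_name).digest_size, ORDER_BITS[curve])


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not a real sighash
    for curve in ("secp256k1", "secp521r1"):
        for h in ("sha256", "sha512"):
            agree = ecdsa_e(msg, h, curve) == naive_e(msg, h)
            print(f"{curve:10s} {h}: {digest_bits_used(h, curve)} digest bits used; "
                  f"untruncated implementation agrees: {agree}")
```

For secp256k1 the SHA-512 row reports 256 bits used and the untruncated implementation disagreeing, which is the interoperability break the post predicts: a signer that truncates and a verifier that does not will never agree on e. Only on secp521r1, where n is 521 bits, does the whole SHA-512 digest survive. Bitcoin hashes the sighash with double SHA-256, so today the truncation step is a no-op and implementations can get away with not having it.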
legendary
Activity: 3010
Merit: 3724
Will the change from SHA256 to SHA512 necessitate a whole Bitcoin fork or can this just be done with a normal node update? I am not a developer, so I might be asking a stupid question... sorry.

Was a separate discussion I saw just days ago about SHA512 and it would seem to be that changing the hash function isn't as drastic as changing the algorithm itself (which I'm certain needs the hard fork). It seems to me it's still consensus that's required though, so if there were resistance...

On the other hand, if I understood that discussion well enough, there's simply not enough justification for sha512, not enough benefit.

Neither am I (a developer!) so I don't know the right answer to this, but now you ask, I wonder if I should look up how and when forks are needed...
legendary
Activity: 3542
Merit: 1966
Well, I think the solution is already out there in the form of SHA512.  Most processors today can handle SHA512 much more easily, so it is not unlikely that they would switch to SHA512 in the future.  They are obviously not just doing this to protect cryptocurrencies, because most secure sites and even some banking services use SHA256 today.

Will the change from SHA256 to SHA512 necessitate a whole Bitcoin fork or can this just be done with a normal node update? I am not a developer, so I might be asking a stupid question... sorry.
legendary
Activity: 2562
Merit: 1441
If you are paranoid about the outcome of this US sponsored competition to come up with encryption standards, then you should be paranoid about Bitcoin's SHA256, Tor or anything else that came out of US related activity.

In any case there's no real reason to worry about any of this, quantum computing as it is today it's just a meme. I would stick to SHA256 and plan for a NIST alternative in the future if necessary.. and non-US stuff doesn't necessarily mean safer anyway. It just has to be peer reviewed by as many independent and widespread people as possible.

Satoshi most likely did the right thing at not using something more exotic, it could have backfired, SHA256 was the most widespread with hardware support and timetested, peer-reviewed by cryptographers.


This being the anniversary of the September 11th World Trade Center attacks, it should be remembered that the official report attributing the destruction of the buildings to office fires was drawn up by NIST (National Institute of Science and Technology). The 9/11 report NIST released was NOT open to peer review by architects, structural engineers or anyone with the academic or professional credentials who might normally peer review that type of report.

Not only does NIST have a history of publishing controversial findings as their initial 9/11 publishing containing "pancake theory" was wholly debunked by engineers across the globe. They also have a history of producing work that is completely closed to peer review or any form of accountability process.

Quantum computing is pseudoscience imo. There is no real quantum computing threat or crisis aside from media gaslighting and sensationalism. What we're witnessing is the typical process by which crisis is artificially manufactured to push agendas.
legendary
Activity: 3472
Merit: 10611
Quote
victim’s 16-character public key

in what world is a bitcoin public key a 16-character string? even if you encode it with the smallest encodings used in bitcoin you wouldn't make it to 16 characters. even encoding the RIPEMD160 hash of the SHA256 hash of the public key is going to give you 20 bytes that would encode to 26 characters minimum.

Quote
Maybe this competition is intended to create encryption standards utilized by the entire world that have backdoors or vulnerabilities specifically engineered into them?
NIST standards are not for the "entire" world and the entire world has never been using their standards anyways. for example SHA256 is theirs, other countries sometimes have their own standards which they use. SM3 is the Chinese equivalent of SHA256. Streebog is the Russian equivalent.
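To make the length point above concrete: a legacy P2PKH address is Base58Check over a version byte, the 20-byte HASH160 and a 4-byte checksum, 25 bytes in all, and Base58 renders that as 26 to 35 characters. The added example below (my code, not the poster's and not from any Bitcoin library) is a complete Base58Check encoder and decoder with checksum verification; the 20-byte hashes it encodes are constructed samples, not hashes of real keys.

```python
import hashlib

# Added example, not code from the thread or from any Bitcoin library. It
# encodes and decodes Base58Check, the encoding behind legacy P2PKH addresses:
# version byte + 20-byte HASH160 + 4-byte checksum = 25 bytes, which Base58
# turns into 26 to 35 characters. The 20-byte hashes used below are constructed.

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = 0x00  # mainnet P2PKH prefix; a zero byte encodes as a leading "1"


def _checksum(data: bytes) -> bytes:
    """First four bytes of SHA256(SHA256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    data += _checksum(data)
    # Each leading zero byte becomes exactly one "1"; the remainder is the
    # big-endian integer written in base 58.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    digits = bytearray()
    while num:
        num, rem = divmod(num, 58)
        digits.append(ALPHABET[rem])
    return (b"1" * leading_zeros + bytes(reversed(digits))).decode("ascii")


def base58check_decode(text: str) -> tuple[int, bytes]:
    """Return (version, payload); raise ValueError on a bad character or checksum."""
    num = 0
    for ch in text.encode("ascii"):
        num = num * 58 + ALPHABET.index(ch)  # ValueError if ch is outside the alphabet
    leading_ones = len(text) - len(text.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    data = b"\x00" * leading_ones + body
    if len(data) < 5:
        raise ValueError("too short to hold a version byte and checksum")
    payload, check = data[:-4], data[-4:]
    if _checksum(payload) != check:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]


def p2pkh_address(hash160: bytes) -> str:
    """Mainnet P2PKH address for a 20-byte HASH160 value."""
    if len(hash160) != 20:
        raise ValueError("HASH160 output is 20 bytes")
    return base58check_encode(P2PKH_VERSION, hash160)


if __name__ == "__main__":
    for h in (bytes(20), bytes(range(20)), b"\xff" * 20):  # constructed samples
        addr = p2pkh_address(h)
        print(f"{h.hex()} -> {addr} ({len(addr)} chars)")
```

The all-zero hash gives the well-known 27-character address 1111111111111111111114oLvT2, and no 20-byte payload can come out shorter than 26 characters, so a "16-character public key" cannot be a Bitcoin address, let alone the key itself (33 or 65 bytes). The decoder rejects any single-character corruption through the checksum, which is the property that keeps a typo from sending coins to an unspendable output.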
legendary
Activity: 1652
Merit: 1483
okay, so we're maybe 8-30 years out from quantum computers breaking ECDSA. what's the plan? how far ahead should we integrate a quantum resistant signature scheme?

In any case there's no real reason to worry about any of this, quantum computing as it is today it's just a meme. I would stick to SHA256 and plan for a NIST alternative in the future if necessary.. and non-US stuff doesn't necessarily mean safer anyway. It just has to be peer reviewed by as many independent and widespread people as possible.

my understanding is that ECDSA will eventually be vulnerable to quantum computers. SHA-256 not so much.
legendary
Activity: 1610
Merit: 1183


Maybe this competition is intended to create encryption standards utilized by the entire world that have backdoors or vulnerabilities specifically engineered into them?

It could be a decent security practice to avoid whatever encryption standards are produced as a result of this?

If you are paranoid about the outcome of this US sponsored competition to come up with encryption standards, then you should be paranoid about Bitcoin's SHA256, Tor or anything else that came out of US related activity.

In any case there's no real reason to worry about any of this, quantum computing as it is today it's just a meme. I would stick to SHA256 and plan for a NIST alternative in the future if necessary.. and non-US stuff doesn't necessarily mean safer anyway. It just has to be peer reviewed by as many independent and widespread people as possible.

Satoshi most likely did the right thing at not using something more exotic, it could have backfired, SHA256 was the most widespread with hardware support and timetested, peer-reviewed by cryptographers.
legendary
Activity: 2562
Merit: 1441
Quote
The world’s best cryptographers meet this week to compete in a U.S.-sponsored challenge to create a quantum-resistant standard.

Want to steal some Bitcoin? All you need to do is find your victim’s 16-character public key and calculate their private key by solving something called an “elliptic curve discrete logarithm problem.” No sweat! With a regular computer, that’ll take you around 50 million times the amount of time the universe itself has left—around 0.65 billion billion years.

Ah, but with the right quantum computer, able to process information at speeds exponentially faster than today’s supercomputers? Suddenly, what seems uncrackable becomes child’s play, able to be broken in under 10 minutes.

The quantum-computing problem is nothing new to crypto, and many experts believe we have at least a decade or more to come up with quantum-resistant cryptography. However, some observers say that recent and unexpectedly fast advances are causing the time horizon to dramatically shrink. The most aggressive estimate says that bitcoin will be hackable by 2027, according to Fact Based Insights.

“We moved the state of the art more in the last two years than it has progressed in the last 15 or 20,” says Stewart Allen, Chief Operating Officer at IonQ, a company that claims to make some of the most powerful quantum computers in the world, in an interview with Decrypt.

On Thursday, top cryptographers will meet in Santa Barbara at the University of California for the National Institute of Standards and Technology (NIST) Post Quantum Cryptography semi-finals. The finalists of the NIST competition will be announced in the months after the conference, though it might take years before the winner is anointed. Cryptographers say the standards that result represent blockchain’s best hope for resisting the rapidly encroaching power of quantum computers.

“If someone cracked your key, they could do anything they wanted,” Rob Campbell, President at Baltimore, Maryland-based Med Cybersecurity, told Decrypt. Anyone with sensitive information on the blockchain—cash, personal data, medical records—is at risk. With that sort of information, quantum hackers could “forge your name, take your assets,” and, if there’s medical data to be found, maliciously “triple your dose,” said Campbell. “It’s an open door.”

Take the Bitcoin blockchain: an unencrypted public key is sent along with every bitcoin transaction, and left unencrypted during the time it takes for the network to confirm the block, around ten minutes. That’s theoretically more than enough time for a quantum-equipped hacker to calculate a private key from the public key and replace the recipient’s address with his own.

Que Quantum?  

Transistors in conventional computers capture data in terms of 1s and 0s. Is the sky blue today? If it is, 1. If not, 0. Computing is essentially combinations of these calculations: have enough transistors, you can compute almost anything.

With quantum computers, it’s possible for the same input, called a qubit, to represent both 0 and 1 at the same time, a non-binary state known as “quantum superposition”—think Schrödinger's dead-and-alive cat. This makes quantum computers exponentially more powerful; one lone, superpositioned qubit can handle the processing load of at least two full-sized transistors on a regular computer.

Using modified versions of “Shor’s algorithm,” a quantum algorithm that rapidly turns large numbers into prime factors, hackers could reverse the process that makes private keys so difficult to crack.

But at the moment, the best quantum computer is probably Google's Bristlecone quantum computer, which has 72 qubits. Miruna Rosca, a PhD student in post-quantum cryptography, tells Decrypt you’d probably need around 4000 qubits to break current cryptographic algorithms.

So how long do we have?
IonQ’s Allen, who creates quantum computers for a living, speculates it’ll take about a decade for post-quantum cryptography to become an issue. By then, he reckons, someone will probably have developed a quantum-resistant blockchain. Danny Ryan, a core researcher at Ethereum, thinks the same: “This isn't really a meaningful problem in the next 10 years and likely not for 20 to 30. That said, we tend to be bad at estimating things like this so we should be ready to transition sooner rather than later.”

But others say the problem requires immediate attention, and that—beyond the threat to Bitcoin—quantum computing could pose a major cybersecurity threat. Med Cybersecurity’s Rob Campbell says that a government armed with quantum decryption software could read all the world’s secrets.

A U.S. Navy signal officer by training, Campbell’s time in the classified research and development world has taught him that secret government technologies often outpace commercially available technology. “We were decades ahead of the commercial world,” he said. “We didn’t want any potential adversaries to know what our capabilities are.”

Even if Campbell’s claims seem ambitious, he points out that if an enemy security agency scrapes all of your encrypted data today—which they certainly could—they’ll be able to decrypt all that data once they’ve built a powerful enough quantum computer. That’s enough to make developing quantum-resistant cryptographic techniques an issue of national security.

In any case, the arms race for quantum supremacy is well underway: China just spent $10 billion on a research center for quantum computers, and the U.S. has pumped hundreds of millions of dollars into the field.

Quantum-resistant techniques
Quantum computing can be just as effective for cryptographers as it is for hackers. Unobserved, superpositioned particles exist in multiple states, but when detected, they “collapse” to one point in space-time. Quantum cryptography has the same properties; because the protons that make up an encoded transaction shift upon observation, a successful attacker would have to break the laws of physics to intercept it.

This makes information encoded at the quantum level resistant to, among other things, so-called “man in the middle attacks,” where attackers intercept the transmission itself without having to decrypt the key.

A few blockchains claim to apply quantum-resistant techniques to ensure signatures and hashes remain encrypted, including QRL, IOTA, HyperCash, and Starkware. But with quantum computing still in its formative years, it’s difficult to determine the strength of these claims.

Until a quantum-resistant algorithm is tested and accepted by the wider academic community, there’s no assurance that any of these blockchains will be resilient enough against quantum computers. Scientists like Campbell are waiting on the results of next week’s NIST competition at UCAL-Santa Barbara; the final winners might not be announced for a few years, however. NIST tentatively expects drafts for standardisation will be completed around 2022.

“These winners are considered to be the best candidates on Earth and will likely go on to be standard cryptography and will be used by most of the planet,” says Campbell.

But developing the algorithm might not be the difficult part for large blockchains like Ethereum or Bitcoin. Whereas owners of centralized protocols can update the system as they please, blockchains, democratic by nature, require broad consensus among many thousands of miners to pass an upgrade.

In the case of an upgrade, all wallets that aren’t quantum-resistant become vulnerable to attack. That includes the 1 million bitcoins mined by Bitcoin’s pseudonymous inventor, Satoshi Nakamoto—if those aren’t migrated to a new, quantum-resistant wallet, they’re treasure for the first person with a powerful enough quantum computer.

“If high powered quantum computers appeared tomorrow,” said Ethereum’s Ryan, “we'd have many more problems than just the security of our blockchains.”

A 2019 National Academy of Sciences report concludes that, even if quantum computing is about a decade off, prioritising research is necessary to minimize “the chance of a potential security and privacy disaster.” Best get cracking, then.

https://decrypt.co/8498/bitcoins-race-to-outrun-the-quantum-computer

....


Many aspects of this initiative would appear to be political and agenda based rather than technologically or scientifically motivated. Like artificial intelligence, recent breakthroughs in brute forcing have come mainly from innovation associated with smaller nanoscale fabrication processes for semiconductors.

We've witnessed many calls from political figures for corporations like Apple to explicitly build backdoors into encryption standards used by iPhones. Governments around the world would appear to unanimously support wholesale decryption-defeating backdoors built into products ranging from smart phones to routers to operating systems.

Given that, the spirit of this competition would appear to run contrary to the status quo.

The excerpt below raises interesting questions.

Quote
Scientists like Campbell are waiting on the results of next week’s NIST competition at UCAL-Santa Barbara; the final winners might not be announced for a few years, however. NIST tentatively expects drafts for standardisation will be completed around 2022.

“These winners are considered to be the best candidates on Earth and will likely go on to be standard cryptography and will be used by most of the planet,” says Campbell.

Maybe this competition is intended to create encryption standards utilized by the entire world that have backdoors or vulnerabilities specifically engineered into them?

It could be a decent security practice to avoid whatever encryption standards are produced as a result of this?
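The quoted article points out that a transaction broadcast reveals the spender's public key, which is exactly what a Shor-capable attacker needs, and that unmigrated coins are the ones at risk. As an added example (not code from the article or the poster), here is a Python audit over a constructed toy UTXO set that measures how many coins already have their public key on-chain versus only a hash; the transaction ids, keys and the truncated-SHA-256 stand-in for HASH160 are all assumptions.

```python
"""Quantum-exposure audit of a toy UTXO set (added example, constructed data).

Which unspent coins an attacker with Shor's algorithm could take depends on
whether the controlling public key is already visible on-chain:
  - P2PK outputs embed the public key in the output script (always exposed;
    early Bitcoin coinbase outputs were P2PK);
  - P2PKH outputs commit only to HASH160(pubkey); the key becomes public the
    first time that address spends, so coins left on a reused address are exposed;
  - P2PKH coins on a never-spent-from address reveal only a hash.
"""
import hashlib
from dataclasses import dataclass


def pubkey_hash(pubkey: bytes) -> bytes:
    # Stand-in for Bitcoin's HASH160 = RIPEMD160(SHA256(pubkey)); truncated
    # SHA-256 is used here because RIPEMD-160 is absent from some hashlib builds.
    return hashlib.sha256(pubkey).digest()[:20]


@dataclass
class Output:
    value: int     # satoshis
    kind: str      # "p2pk" or "p2pkh"
    data: bytes    # public key for p2pk, pubkey hash for p2pkh


@dataclass
class Tx:
    txid: str
    inputs: list   # (prev_txid, output_index, spending_pubkey) tuples
    outputs: list  # list of Output


def audit(txs):
    """Return (exposed, hidden) satoshi totals over the unspent outputs."""
    utxos = {}          # (txid, index) -> Output
    revealed = set()    # pubkey hashes whose public key appeared in an input
    for tx in txs:
        for prev_txid, idx, spending_pubkey in tx.inputs:
            utxos.pop((prev_txid, idx), None)          # spent, drop it
            revealed.add(pubkey_hash(spending_pubkey))  # key is now public
        for i, out in enumerate(tx.outputs):
            utxos[(tx.txid, i)] = out
    exposed = hidden = 0
    for out in utxos.values():
        if out.kind == "p2pk" or out.data in revealed:
            exposed += out.value
        else:
            hidden += out.value
    return exposed, hidden


# Constructed keys and transactions (not real chain data).
ALICE, BOB, CAROL = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32, b"\x02" + b"\x33" * 32
SAMPLE_TXS = [
    Tx("tx1", [], [Output(50_00000000, "p2pk", ALICE)]),              # key in script
    Tx("tx2", [], [Output(10_00000000, "p2pkh", pubkey_hash(BOB)),
                   Output(5_00000000, "p2pkh", pubkey_hash(CAROL))]),
    Tx("tx3", [("tx2", 0, BOB)],                                      # Bob spends once
       [Output(9_00000000, "p2pkh", pubkey_hash(BOB))]),              # ...and reuses his address
]

if __name__ == "__main__":
    print(audit(SAMPLE_TXS))  # → (5900000000, 500000000)
```

Alice's P2PK coins and Bob's change on a reused address count as exposed; only Carol's never-spent-from output still hides its public key behind a hash.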