
Topic: Can Quantum Computers destroy Blockchain and Bitcoins [SHA-256 specifically] (Read 1532 times)

newbie
Activity: 6
Merit: 0
I have been researching QCs and Bitcoin for months. It is not clear from many sources on the World Wide Web whether or not QC is a threat to the SHA-256 of Bitcoin.
1. Can we, if possible, mine more than the specified value of BTC in less than a minute with the help of a sufficiently powerful quantum computer?

I agree that QCs can destroy the Elliptic Curve Digital Signature Algorithm and steal our private keys. So, considering all of the above threats,

2. Is it possible to fork Bitcoin and solve the following problems?

3. How to secure the SHA256 encryption and make it immune to QC attacks?

I am pretty sure Satoshi Nakamoto must have thought about the possible problems; there has to be a solution, but exactly where?

Researching for months, but somehow didn't come across this?

SHA-256 is very strong. It's not like the incremental step from MD5 to SHA1. It can last several decades unless there's some massive breakthrough attack.

If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.

If the hash breakdown came gradually, we could transition to a new hash in an orderly way. The software would be programmed to start using a new hash after a certain block number. Everyone would have to upgrade by that time. The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used.

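The orderly transition described in the quoted post (switch hash functions at a fixed block height and store the new hash of every old block so a different block with the same old hash is rejected) can be modelled in a few lines. The following is an added example, not code from the original thread or from Bitcoin Core. It assumes SHA3-256 as the replacement hash purely for illustration, uses constructed toy block headers rather than real chain data, and stands in for a "broken" old hash with a deliberately truncated 16-bit hash so that a second header with the same old hash can actually be found and shown to be refused by the stored commitment.

```python
import hashlib
from typing import Callable, Dict, List, Optional

Hash = Callable[[bytes], bytes]


def legacy_hash(data: bytes) -> bytes:
    """Bitcoin's block hash today: SHA-256 applied twice (SHA-256d)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def weak_legacy_hash(data: bytes) -> bytes:
    """Stand-in for a 'broken' old hash: only 16 bits survive, so a second
    header with the same digest can be found by trial. Demo device only."""
    return legacy_hash(data)[:2]


def new_hash(data: bytes) -> bytes:
    """Replacement hash. SHA3-256 is an assumption for illustration, not a BIP."""
    return hashlib.sha3_256(data).digest()


class HashTransition:
    """Hashing rule after an upgrade: the old hash identifies blocks below
    switch_height, the new hash identifies blocks at or above it, and the node
    keeps a table of new-hash commitments for every pre-switch block."""

    def __init__(self, old_headers: List[bytes], switch_height: int, old_hash: Hash):
        self.switch_height = switch_height
        self.old_hash = old_hash
        # "save the new hash of all the old blocks", keyed by their old hash
        self.checkpoint: Dict[bytes, bytes] = {
            old_hash(h): new_hash(h) for h in old_headers
        }

    def block_id(self, height: int, header: bytes) -> bytes:
        """Which digest names this block depends only on its height."""
        if height < self.switch_height:
            return self.old_hash(header)
        return new_hash(header)

    def accept_pre_switch_block(self, header: bytes) -> bool:
        """A pre-switch block is valid only if its old hash is known AND its
        content reproduces the committed new hash; a look-alike block with the
        same old hash but different bytes fails the second check."""
        expected = self.checkpoint.get(self.old_hash(header))
        return expected is not None and expected == new_hash(header)


def find_colliding_header(target: bytes, old_hash: Hash,
                          prefix: bytes = b"lookalike-") -> Optional[bytes]:
    """Search for a different header with the same old hash. Feasible here
    only because the toy hash keeps 16 bits; it models what a broken hash
    would let an adversary do, so the defence above has something to refuse."""
    for n in range(1 << 20):
        candidate = prefix + n.to_bytes(4, "big")
        if old_hash(candidate) == target:
            return candidate
    return None


def demo() -> Dict[str, object]:
    # Constructed toy headers (not real Bitcoin block headers).
    old_headers = [b"block-%d" % i for i in range(3)]
    chain = HashTransition(old_headers, switch_height=3, old_hash=weak_legacy_hash)
    genuine = old_headers[1]
    lookalike = find_colliding_header(weak_legacy_hash(genuine), weak_legacy_hash)
    if lookalike is None:
        raise RuntimeError("no 16-bit collision found in 2^20 tries (practically impossible)")
    return {
        "genuine_accepted": chain.accept_pre_switch_block(genuine),
        "lookalike_same_old_hash": weak_legacy_hash(lookalike) == weak_legacy_hash(genuine),
        "lookalike_accepted": chain.accept_pre_switch_block(lookalike),
        "post_switch_id_len": len(chain.block_id(3, b"block-3")),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the commitment table does not need the old hash to stay secure: once every historical block is pinned under the new function, a colliding block under the old one is detected because its new-hash digest is absent from (or differs in) the table. Real deployment would also need the table itself to be distributed with the software release, which is what "everyone would have to upgrade by that time" amounts to.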
...
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
[...]
Thirdly, there's no HD standard. Most wallet software has adopted BIP39; Electrum & Armory have their own (AFAIK), etc. But the protocol recognizes no deterministic keys; that's something the Bitcoin community - and specifically some developers - have invented unofficially and nonconsensually. Therefore, such a change is beneficial subjectively, because you can't include all wallet software's HD rules, nor is there a "neutral" list of those software.

And even if there was such a list, you're burdening full nodes with the cost, because they now have to verify computationally expensive functions such as PBKDF2 and HMAC-SHA256, which can be deliberately abused to establish an attack successfully. For example, I can provide a zero-knowledge proof of my HD wallet which I generated using millions of PBKDF2 rounds.
legendary
Activity: 3892
Merit: 6012
Decentralization Maximalist
That's not entirely true. It would be possible to lock some coins in a way in which the original owner could move them but a quantum attacker reversing the ECDLP could not steal them. This would be done by requiring some proof, ideally a zero knowledge proof, of possession of the seed phrase or master private key which was used to derive the relevant private key. The true owner who had derived the private key in an HD wallet would be able to provide this proof, while a quantum attacker who had obtained the private key from the public key would not.
Interesting. I wonder how this would be done technically; is this mechanism described anywhere? My doubt is about how "the blockchain" (i.e. the Bitcoin client in combination with the blockchain data) can know about HD seed phrases / master public keys. All that is stored on the blockchain (from my knowledge) are signatures, public key hashes and (in the case of P2PK) public keys; can you derive information about the HD "master key" from one of these elements?
newbie
Activity: 108
Merit: 0
Are there any puzzle or crypto vendors for your Bitcoin Crypto Grafix?
You believe you won't take any keys and you'll catch them at another party?
So think we are far behind and your attacks will be successful; think about it.
legendary
Activity: 2268
Merit: 18509
If they're "lost", i.e. nobody has access to them anymore, there would be no way to protect them with the exception of harsh methods like the blocking of these addresses/utxos (something similar to what Ethereum did when TheDAO was exploited).
That's not entirely true. It would be possible to lock some coins in a way in which the original owner could move them but a quantum attacker reversing the ECDLP could not steal them. This would be done by requiring some proof, ideally a zero knowledge proof, of possession of the seed phrase or master private key which was used to derive the relevant private key. The true owner who had derived the private key in an HD wallet would be able to provide this proof, while a quantum attacker who had obtained the private key from the public key would not.

The downside to this approach is two-fold, though. Firstly, it only protects reused HD addresses, and does nothing for the 1.73 million BTC in P2PK addresses. Secondly, there is no way of knowing which addresses were generated in an HD manner and which were not, which would mean some coins being locked forever and being irrecoverable by anyone, the true owner included.
member
Activity: 194
Merit: 67
'Bitcoin signature chain' & '1 pixel inscriptions'
...
exactly.

I think that Satoshi thought about it and made the same decision as you described here. Let them move.
legendary
Activity: 3892
Merit: 6012
Decentralization Maximalist
.. most of we'd need to make Bitcoin "quantum-resistant" is to extend Bitcoin Script with mechanisms to ...
What will we make with early mined coins that haven't been moved since ~2010, e.g. Satoshi's coins?
If they're "lost", i.e. nobody has access to them anymore, there would be no way to protect them with the exception of harsh methods like the blocking of these addresses/utxos (something similar to what Ethereum did when TheDAO was exploited).

I personally would be against this - I'd rather be OK with them being "stolen" and dumped, even if this meant a sudden price crash. Distribution afterwards would probably be better, and I expect only short-term price turbulence. Take into account that if these coins were mined by a single entity (most likely Satoshi) then there is always the danger that they're suddenly moved and sold, either because Satoshi himself is selling them, or because his computer was hacked (he should have had some knowledge of how to secure his data, but nothing is impossible). This danger would then be gone forever, so I expect a quick price recovery. (Anyway, quantum computers would have to solve each address separately, and at first they would be rather slow with that task. So the dumping process could be pretty long - at least if the "dumpers" wanted to maximize profit - and maybe thus the amounts would be too low to generate much panic.)
member
Activity: 194
Merit: 67
'Bitcoin signature chain' & '1 pixel inscriptions'
.. most of we'd need to make Bitcoin "quantum-resistant" is to extend Bitcoin Script with mechanisms to ...
What will we make with early mined coins that haven't been moved since ~2010, e.g. Satoshi's coins?
legendary
Activity: 3892
Merit: 6012
Decentralization Maximalist
Just wanted to add a thought I had some days ago (I have thought about it and see no drawback so far).

Like garlonicon wrote in this post, most of what we'd need to make Bitcoin "quantum-resistant" is to extend Bitcoin Script with mechanisms to handle other public key cryptosystems than ECDSA.

While there's surely a long way to go to get this implemented in the Bitcoin protocol, one could imagine an extension protocol for tokens based on the OP_RETURN mechanism, like OmniLayer, supporting interesting quantum-resistant cryptosystem candidates first, which would be possible much faster (they could simply copy/paste parts of the algo of this shitcoin which was promoted in this thread by a certain FUDster). You could then not only create Tether-like centralized tokens which are quantum resistant, but also in theory a 1:1 pegged Bitcoin stablecoin - the easiest way would be using a proof-of-burn scheme, where each bitcoin burnt would entitle its owner to create one unit of the quantum-resistant Bitcoin stablecoin (we could call it QBitcoin).

If the threat becomes real at some point and Bitcoin extends its Script language to support a quantum-secure algorithm, then it should be possible to "merge" the QBitcoin with the "old" upgraded Bitcoin. This would be a way to ensure QBitcoin's peg with Bitcoin holds, although maybe not absolutely necessary.

I write this mostly because if someone is really worried about quantum computers then this could possibly be a straightforward path for Bitcoin to achieve quantum resistance step by step, without having to wait for a complete, thoroughly-tested implementation - and no shitcoin is really needed.

By the way, I wonder if Simplicity, if it gets included into Bitcoin, could provide the necessary functions for "quantum resistant addresses"? In the whitepaper it's mentioned that it's "expressive enough to represent any finitary function", so wouldn't "quantum computer resistant cryptography" be a possible use case?
jr. member
Activity: 49
Merit: 19
I started this thread a few months ago to understand what others think of the same question. I myself have been around this specific question for a long time and I think technology itself has a solution to this particular problem; technology cannot destroy technology itself unless they both have a consciousness that thrives on being "ON TOP".

In that case, it is going to be a long marathon [which might be never-ending] in the case of: Quantum Computers --> (running for) Bitcoin.

I think this is what will get Bitcoin forked and improved for the larger mass to adopt it [it is a particularly slow process]. Exactly how the internet was born and raised.

hero member
Activity: 789
Merit: 1909
I know it exists on the Bitcoin blockchain. I thought about similar challenges in the context of this altcoin, quantum computers and an instant break. Because without any "in between" step, it looks like a bogosort way of sorting.
legendary
Activity: 972
Merit: 1076
hero member
Activity: 789
Merit: 1909
I wonder if there is any puzzle-like challenge for breaking Bitcoin cryptography on your chain. Are there any "in between" steps, or do you believe that one day you will break no keys and another day you will catch them all? Because if there is any such challenge, then it may be possible to see how far we are from that, and also check how successful your attacks are (and check if they are real or not).
newbie
Activity: 13
Merit: 0
Quote
Where did you conclude that once SHA256 is broken, we'll upgrade to SHA384? If SHA256 becomes broken, which is a doomsday scenario, we shouldn't use either SHA384 or SHA512, as they all belong to SHA-2.

This is a very common misconception that people make when talking about the security threat of quantum computers to BTC & co. The main issue is not the encryption algorithm, but the signature algorithm, as was mentioned in the link.

If a paper says the threat is non-existent or is centuries away, feel free to believe them. But ask the authors how much money they will bet on their timeline, and I am happy to bet against them.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
This doesn't say much, just that:
Quote
It’s not about SHA-256, it’s about the signature scheme, ECDSA. This will be broken way earlier and will make it possible to forge signatures and thus forge transactions
Where did you conclude that once SHA256 is broken, we'll upgrade to SHA384? If SHA256 becomes broken, which is a doomsday scenario, we shouldn't use either SHA384 or SHA512, as they all belong to SHA-2.

There's also a paper that explains why quantum computing isn't a problem for bitcoin, let me put it right here: https://arxiv.org/pdf/1710.10377.pdf.
Also, this thread: I don't believe Quantum Computing will ever threaten Bitcoin.
hero member
Activity: 789
Merit: 1909
Quote
thanks to Taproot, little effort is required to know address public key
Aha, so tell me how to create N-of-N multisig without knowing any public key. Of course, you can combine OP_CHECKSIGADD with OP_HASH160 or OP_HASH256, but it will take much more space and will be much less private. You will not get a single Schnorr signature in this way. You will have to at least reveal all public keys. Also, spending by key can be locked in Taproot and we can force TapScript in a future soft-fork when needed. Another way is introducing new SIGHASHes.

Quote
And feel FREE to keep betting against science and technology progress
That progress is gradual. You will not fully break SHA-256 tomorrow if you don't even know how to make an MD5 preimage. And you will not break 256-bit regular keys without breaking easier 120-bit keys first. For now, the 64-bit key is not yet touched, and it is still possible to grab 0.64 BTC by checking 2^64 private keys. Also, we can observe SHA-256 resistance just by watching block hashes. If quantum computers were real, the attacker could silently mine new blocks and get more coins than by breaking any keys.

Quote
You will undeniably end up on the WRONG side of history
In the past, the whole progress was gradual. What makes you think that it would be totally different this time?

Edit: one more thing: if you know how to do things in the right way, you can propose a BIP for that, right? Because for now, I can see no BIPs related to quantum-resistance that are ready to be implemented. So, you have two choices: you can complain about things on forums or you can fix it (or switch to a coin that fixed it if BTC does not adopt your solution), so why don't you fix that?
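Two points made earlier in the thread, that P2PK outputs carry the public key on chain while hash-based addresses only reveal it when they are spent from (so only reused addresses are exposed), and the remark just above that Taproot outputs put the key directly on chain, amount to a risk inventory rule that can be applied to an output's scriptPubKey. The following is an added example, not code from the thread or from any Bitcoin project. It classifies standard output templates by whether the public key is readable from the unspent output itself, treats an address that has already signed a spend as exposed, and sums a constructed UTXO set (fake keys and hashes, not real chain data) into "key exposed now" versus "still behind a hash".

```python
from typing import Dict, List, NamedTuple


class OutputRisk(NamedTuple):
    script_type: str
    pubkey_on_chain: bool   # True if the key is readable from the unspent output
    reason: str


def classify_script_pubkey(spk: bytes) -> OutputRisk:
    """Recognise the standard scriptPubKey templates and say whether the
    output alone already reveals a public key (the ECDLP-relevant exposure)."""
    n = len(spk)
    # P2PK: <33- or 65-byte push of the key> OP_CHECKSIG (0xac)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC and spk[1] in (0x02, 0x03, 0x04):
        return OutputRisk("p2pk", True, "the public key is the output script itself")
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return OutputRisk("p2pkh", False, "only HASH160 of the key; key appears in scriptSig on spend")
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return OutputRisk("p2sh", False, "only the script hash; keys appear when the script is revealed")
    # P2WPKH: OP_0 <20 bytes>
    if n == 22 and spk[:2] == b"\x00\x14":
        return OutputRisk("p2wpkh", False, "only HASH160 of the key; key appears in the witness on spend")
    # P2WSH: OP_0 <32 bytes>
    if n == 34 and spk[:2] == b"\x00\x20":
        return OutputRisk("p2wsh", False, "only SHA256 of the script; keys appear on spend")
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return OutputRisk("p2tr", True, "the tweaked x-only output key is on chain")
    return OutputRisk("unknown", False, "non-standard template; inspect manually")


class Utxo(NamedTuple):
    txid: str
    vout: int
    value_sat: int
    script_pubkey: bytes
    address_spent_before: bool   # address reuse: a spend from it already revealed the key(s)


def exposure_report(utxos: List[Utxo]) -> Dict[str, object]:
    """Split value by whether a quantum attacker reversing ECDLP would already
    have the public key to work from: on-chain key templates plus reused addresses."""
    report: Dict[str, object] = {"exposed_sat": 0, "hashed_sat": 0, "by_type": {}}
    for u in utxos:
        risk = classify_script_pubkey(u.script_pubkey)
        exposed = risk.pubkey_on_chain or u.address_spent_before
        bucket = "exposed_sat" if exposed else "hashed_sat"
        report[bucket] += u.value_sat
        report["by_type"][risk.script_type] = report["by_type"].get(risk.script_type, 0) + u.value_sat
    return report


# Constructed sample data: these are NOT real keys, hashes or transactions.
FAKE_KEY = b"\x02" + bytes(range(32))      # shaped like a compressed pubkey
FAKE_XONLY = bytes(range(1, 33))           # shaped like an x-only key
FAKE_H160 = bytes(20)                      # shaped like a HASH160 digest

SAMPLE_UTXOS = [
    Utxo("tx1", 0, 50_0000_0000, b"\x21" + FAKE_KEY + b"\xac", False),            # early P2PK coinbase-style output
    Utxo("tx2", 0, 1_0000_0000, b"\x76\xa9\x14" + FAKE_H160 + b"\x88\xac", True),  # P2PKH at a reused address
    Utxo("tx3", 1, 2_0000_0000, b"\x00\x14" + FAKE_H160, False),                   # fresh P2WPKH, key still hidden
    Utxo("tx4", 0, 3_0000_0000, b"\x51\x20" + FAKE_XONLY, False),                  # P2TR, output key on chain
]


if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(u.txid, classify_script_pubkey(u.script_pubkey))
    print(exposure_report(SAMPLE_UTXOS))
```

Two caveats a reader should keep in mind: the classifier cannot tell whether a P2TR output's key-path spend has been disabled (the thread notes that spending by key can be locked), so it reports every Taproot output as exposed, which is the conservative choice; and "address reuse" here is an input flag, since deciding it requires scanning past spends, which is outside the scope of this example.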
newbie
Activity: 13
Merit: 0
Good luck. First, try to find 120-bit private key from transaction puzzle (or 64-bit private key with unknown public key and known address). There are many challenges that are far easier than regular 256-bit keys, and you will quickly see, how far we are from quantum computers if you try to break any of them.

Yeah sure, we are 100 billion years away from quantum computers ... no worry.
And by the way, thanks to Taproot, little effort is required to know an address's public key, but I guess you did not pay any attention to that 'detail'!

So rather good luck to you, you will need it much more than I do ...
And feel FREE to keep betting against science and technology progress. You will undeniably end up on the WRONG side of history.
hero member
Activity: 789
Merit: 1909
Good luck. First, try to find 120-bit private key from transaction puzzle (or 64-bit private key with unknown public key and known address). There are many challenges that are far easier than regular 256-bit keys, and you will quickly see, how far we are from quantum computers if you try to break any of them.
newbie
Activity: 13
Merit: 0
Latest quantum computer available commercially - D-Wave Quantum Computer
Costs: $15,000 (that too unconfigured for Bitcoin mining; coding will cost an additional man's salary)

Quantum computer operation: well, you will probably need a room, or at least superconductors, which would be cooling your 2000-qubit chip down to -273 degrees Celsius.

If you have money then it's fine; buying a computer worth $15 million won't be a big deal for you. The question is, would you be able to maintain the temperature below zero degrees all the time? Imagine the power consumption required to do that one.

Forget about the break-even point; you won't be able to recover the yearly power consumption out of the Bitcoin mining.

If you start to inject the market with heavy supplies of bitcoin, assuming you are mining 1000x others, then ideally the supply will easily fill up the demand and might reduce the pricing.

For example, the supercomputer in China named Tianhe-2 uses 18 megawatts of electricity.

In conclusion, even if we use it, it won't be beneficial at all.

Why waste time mining BTC when you can do much better with a quantum computer?

That's a very poor use case ... Instead, I will aim to hack all big wallets, starting with Satoshi's wallet (980,000 BTC) and other big wallets, then start dumping them asap ...