Topic: Quantum Computer vs Bitcoin - page 3. (Read 2486 times)

If nothing is impossible, then "everything is impossible" is possible, in which case, nothing is possible.

Is it true that IOTA is the only crypto "quantum-proof"?
Just heard that in their bumph..
E

If nothing is impossible, then "everything is impossible" is possible, in which case, nothing is possible.

Nothing is impossible, though.

In this particular context (but see below), “address reuse” means reuse of an address from which you have spent.  Transactions to your address contain the public keys of whoever sent you the money—not your public key.  But the only information revealed in the blockchain when you receive money is the Hash160 (RIPEMD160 of SHA256) of your public key.  That is what haltingprobability referred to as the “public-key hash” in the portion you underlined.

(For the sake of simplicity, I here assume only P2PKH and P2WPKH addresses.  What do these stand for?  “Pay To (Witness) Public Key Hash”.)

But this discussion misses the point that the security of public keys is just fine.  It seems that you missed this upthread:


Do you intend to leave the coins in cold storage for decades?  If so, then I recommend that you do what you said you’re doing:  Use the addresses for receiving only.  Not that I expect for secp256k1 to be broken:  If storing something for decades (or longer), I prefer some extra security margin “just in case”.

Otherwise, there is no reason to worry about revealing the public key.  secp256k1 is secure.  You may rely on it.

But there is another, very different reason to avoid reuse of addresses for both sending and receiving:  Privacy.  Blockchain analysis is already easy enough for experts.  Address reuse of all kinds makes it trivial.

To start with, for a bare modicum of privacy, use one HD wallet with the seed and keys generated (and backed up!) on an airgapped computer; and from that wallet, use a different address every time you receive money.  This recommendation has nothing to do with the security of your money against attacks on public keys.

I'm sorry to short your message but I would know at the underlined sentence if I have good understood the point.
The fact that Public Key and Bitcoin Address are different is not a safeguard against Quantum computing, because when you sign a transaction you are revealing on the blockchain your Publickey, so that Adress can be exposed to QC attack, is that correct?

My doubt is when you speak about "address-reuse": what do you mean with that? I have a cold storage paper wallet ecrypted via BIP0038 where I periodically put some cash into that. I've never spent BTC on that but there is not a single but multiple input transactions, so there are multiple utxo transactions on the blockchain. Until I don't spend bitcoin is it still secured or not? Should I use a cold storage paper wallet for every transaction?

Thanks in advance

Bingo.

Pretty close. Here are the facts:

...

3) For certain kinds of problems, QC can provide quadratic speedup, which is a massive speedup. For symmetric ciphers, this probably just means you double your key size - where 128 bits of security used to be sufficient, now you need 256. No big deal. The real problem is with public-key encryption. But lay-people often forget that the quantum speedup blade cuts both ways. We can build encryption systems which take advantage of quantum speedup and make quantum cryptanalysis of PKE quadratically more difficult, mooting the theoretical advantage that cryptanalysts get from quantum speedup. In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

...

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

Well, but goverments, Google, Microsoft, all of them can use quantum computers.

I heard that Quantum Computer can destroy bitcoin.
Is it possible?

See above. If you owned all the hashing equipment in the entire Bitcoin network and could somehow use that equipment to test keys at the same rate as the hashrate, it would take 585 billion years to brute force any key.

Bitcoin also need to note an attacker maybe doesent need to brute the entire keyspace if shooting for one key ie rich wallet. What are the odds of hitting a key before the entire key space is bruteforced ?  

Then theres cluster bruteforce - obviously nobody did that in a really madass large scale, at least not publicly yet. Are there even bencharks wha twould be possible?

For example a botnet of really large server, 30x raids in a huge cluster. Since one of those boxes costs 50K plus, yeah one has to be serious - for that to happen the loot just has to be big enough and somebody will try.

It's something that Bitcoin's designers need to keep in mind as a "tail risk".

Quantum computers reduce the effective security of our strongest cryptographic primitives (hashes, symmetric ciphers) by about half. That is, a 256-bit hash gives about 128 bits of effective security in a world where quantum computers are used for at-scale computation. 128 bits of security is pretty good security - searching 10³⁷ gives about a 10% chance of breaking a particular hash (finding the hash preimage). 10³⁷ is 10 quadrillion quadrillion quadrillion - that's more than a billion billion times the number of hashes performed by the combined hashpower of all Bitcoin miners in order to mine a block.

The hash address is only 160 bits but it still requires 256 bits of search to break, that is, address=RIPEMD160(SHA256(pubkey)) minus a few technical details. Once you get the pubkey, we typically assume that a quantum computer will easily recover the private key from the public key. However, quantum-resistant public key encryption is still possible. Because of its quadratic advantage (theoretical) over classical computers, we have to double the key space (note that this may more than double key size). IIRC, secp256k1 is 128-bits equivalent security which we have to cut in half in a quantum-computation world - effective security is 64-bits. While 64-bits is too small for securing a large asset (such as all bitcoins), note that each address is secured by 64-bits security. So the cost of breaking all addresses in the UTXO set is at least 64 * nUTXO where nUTXO is the number of unspent transaction outputs. In other words, even with a quantum computer, you still have to break each address separately, and there are a lot of addresses.

Finally, quantum computation will actually help Bitcoin more than it will hurt it. As QC's begin to approach sufficient complexity to be able to mount serious attack against Bitcoin's cryptographic primitives, they are going to force cryptographers to revise usage across many cryptographic applications - traditional banking, government communication and data-storage, military communications systems, and so on. Quantum cryptography offers the promise of new modes of communication that are not possible with classical communication channels. Perhaps you can secure your Bitcoin address with an entangled set of qubits such that only the holder of the originally entangled qubits can prove ownership of the address. So, Bitcoin should not be having FUD about QC.

I couldn't agree more! no such thing!