
Topic: Quantum computers and Bitcoin (Read 17990 times)

sr. member
Activity: 322
Merit: 250
January 07, 2013, 05:09:04 PM
#24
Quantum technology is far different than digital technology, so I highly doubt anyone will take the time to bring down quantum technology to a digital level, it just wouldn't be worth the ROI.

Quantum technology is still another 50 years away from being inter-mingled with digital tech.

legendary
Activity: 3430
Merit: 3080
January 07, 2013, 09:29:13 AM
#23
I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with a lot of money in its addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)

If you are talking about using a QC to simply brute force key 'collisions' in order to take the coins from random accounts, then  QC is almost certainly not going to be the best way to do this.  Moore's Law, assuming it holds up, would create a greater threat to the current algo first; IMHO.

Well, that sounds like pretty good news for Bitcoin then, it's going to take a change in the manufacturing process/transistor substrate before Moore's law can carry on down past 10nm. So, in practical terms, Quantum Computing may never be able to brute force valid private keys, and an efficient transistor based solution needs at least a decade's worth of more node process shrinkage as well as an economically viable new manufacturing technique. Go Bitcoin!
legendary
Activity: 1708
Merit: 1010
January 07, 2013, 08:48:55 AM
#22
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.



Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are impenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with a lot of money in its addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)

If you are talking about using a QC to simply brute force key 'collisions' in order to take the coins from random accounts, then  QC is almost certainly not going to be the best way to do this.  Moore's Law, assuming it holds up, would create a greater threat to the current algo first; IMHO.
legendary
Activity: 3430
Merit: 3080
January 07, 2013, 08:00:39 AM
#21
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.



Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are impenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with a lot of money in its addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)

I don't think you understand his point.  Yes QC could (in theory) be used to determine the private key FROM the public key.  However with Bitcoin the address isn't the public key it is a structured hash of the public key.   The public key isn't known until the first time Bitcoins are spent from a given address.

How strange, this is turning into a cascade of misunderstanding! I think what happened was: he interpreted what I initially said (and it was pretty loosely defined to be fair) in a way that he felt to make his point, whereupon I told him the detail of what I was actually suggesting. Sorry if I've confused you too, it really wasn't my intention!
donator
Activity: 1218
Merit: 1079
Gerald Davis
January 07, 2013, 07:37:42 AM
#20
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.



Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are impenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with a lot of money in its addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)

I don't think you understand his point.  Yes QC could (in theory) be used to determine the private key FROM the public key.  However with Bitcoin the address isn't the public key it is a structured hash of the public key.   The public key isn't known until the first time Bitcoins are spent from a given address.
legendary
Activity: 3430
Merit: 3080
January 07, 2013, 05:53:35 AM
#19
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.



Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are impenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.

I apologize if I wasn't being clear with my post, I am aware that private keys cannot be computed from public keys (and the, er, *ahem* obvious security hole that would represent, lol). I imagine it would be possible to use the high level of parallel processing that a QC could be scaled up to to simply brute force private keys directly using the blockchain database. This would presumably take a QC with a high qubit count, but it's clearly the most common sense approach to hacking Bitcoin with quantum computing. It'd have to have a half decent rate of key discovery though, as the chances of finding a private key with a lot of money in its addresses could be pretty slim (this is an impression, I don't know any hard stats offhand, but I suspect the vast majority of keys have <10 BTC contained)
legendary
Activity: 1708
Merit: 1010
January 06, 2013, 09:15:58 PM
#18
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.



Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are impenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.

Well, even that isn't entirely true with how Bitcoin uses public key encryption.  Simply publishing a single bitcoin address doesn't actually publish the private key, it publishes a structured hash of the public key.  The actual public key isn't published until the first time funds are spent from that address.  If SHA-256 is subject to being brute forced into collisions by a quantum computer, a different hashing algo may not be, and that could be used instead.  If you use a new address for each transaction, which is how bitcoin does it by default and really is a best practice, it would be very difficult for a quantum breaker to steal your coins.
legendary
Activity: 3430
Merit: 3080
January 06, 2013, 08:18:51 PM
#17
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.



Yes, I see what you mean. I read up on the maths behind cryptographic key pairs quite some time ago, and the (infinitely parallel?) nature of QC would blow that paradigm away. I guess that's what I'm driving at then: there must be some way of using quantum computers to create openly exchanged secrets that are impenetrable to QC cracking methods. If not, then I guess all bets are truly off with just about every form of encryption that exists, even if there was some new discovery in cryptographic maths.
newbie
Activity: 20
Merit: 1
January 06, 2013, 05:10:05 PM
#16
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.

I'm not so sure about that. In Bitcoin you need a public key cryptosystem. In elliptic curve cryptography, the trick is that the direct problem (computing the public key or the signature) is easy if you know the private key. However, if you have the public key there is no known efficient method to deduce the private key (with a classical computer).

If everyone had quantum computers, both problems would become easy. You cannot simply scale the numbers as you would with hashing. You need asymmetry.

There are a few alternatives under study:
http://en.wikipedia.org/wiki/Post-quantum_cryptography

The important point is that, as opposed to symmetric systems, where you can just scale everything, you need some asymmetric problem. With quantum computers there are less available problems like that.

legendary
Activity: 1708
Merit: 1010
January 06, 2013, 03:59:32 PM
#15
You want a classical cryptosystem to deal with quantum computing, since you cannot expect everyone to suddenly switch to quantum computers at the same time.

Maybe, but Bitcoin's code provides 'hooks' for two secure hashing algos to be used together.  At the moment, we just use SHA-256 twice in a row, but simply changing one of them to a quantum hardened algo would solve the problem fine.

Long story short, quantum computing is not a near term threat to bitcoin, and may never be a significant threat.  Even if, for a time, someone with a very expensive quantum computer (and willing to commit it to hashing bitcoins) can effectively hash at several orders of magnitude faster than everyone else combined; that isn't going to break Bitcoin.
legendary
Activity: 1190
Merit: 1004
January 06, 2013, 09:43:34 AM
#14
You want a classical cryptosystem to deal with quantum computing, since you cannot expect everyone to suddenly switch to quantum computers at the same time.
legendary
Activity: 3430
Merit: 3080
January 06, 2013, 08:43:47 AM
#13
Forgive me if I'm wrong, but in a world where quantum computing becomes actually prevalent, as opposed to just plainly possible in a laboratory setting, there is nothing to stop Bitcoin from leveraging QC for its encryption. This would kind of ruin the argument of ever more sophisticated QC cracking current cryptography; the new cryptographic possibilities that QC could achieve will eventually be available to the Bitcoin dev team, as well as the general public.
newbie
Activity: 20
Merit: 1
January 06, 2013, 06:46:37 AM
#12
There are two parts in the security of Bitcoin which could be affected by quantum computers.

One is the security of the elliptic curve cryptography system used when signing transactions. A quantum computer could deduce the private key (and take the funds) if it knows the public key. The private key can be computed solving the discrete logarithm problem, which is efficient in a quantum computer. It would just need a variation of Shor's factoring algorithm:

http://www.math.uwaterloo.ca/~amchilds/teaching/w08/l03.pdf

But, as Etotheipi says, if you only use your address except for spending, the public key is only used once, when you use the funds. The hashing will mask your public key and protect the secret one. There might be a problem if some node sees your public key and tries to outrun you and sends other transactions and the public keys already in the blockchain would be vulnerable, but I doubt a quantum computer will appear overnight. The system would have time to change to something else.

The second thing is the hash. Grover's algorithm could be used, with some problems, but it is not necessarily the best you can do. There are bounds you can apply directly to collision finding (finding two sequences which hash to the same value). Collision finding (necessary to replace blocks) is not efficient in quantum computers:

http://arxiv.org/abs/quant-ph/0111102

You could reduce difficulty, but not so much (at most is like having one fifth of the bits). The impact for a long chain seems small. The model is not completely general, but gives a good taste of what to expect. As far as I know, hash collisions have been studied a lot and this is the best result.

In any case, I think it would be easier to pull a 51% attack amassing a lot of computer power than building a scalable quantum computer, at least in the short/medium term.

Notice that, anyway, the discrete logarithm problem and finding collisions for SHA256 are only SUPPOSED to be hard for classical computers. There is no guarantee that there isn't an algorithm that could break elliptic curve cryptography, factor large numbers or find collisions (there could be a trapdoor in SHA256). Of course, a lot of people have been trying without success and I think they are probably safe.
kjj
legendary
Activity: 1302
Merit: 1026
January 04, 2013, 02:34:50 AM
#11
Also, there are practical difficulties involved with implementing Grover's.  As far as I know, it has never been done, even in the most trivial way.  By contrast, Shor's (the other quantum algorithm) has been done, giving correct factorizations of both 15 and 21 in a statistically significant fraction of attempts.

I'll personally start worrying about quantum attacks on SHA when either A) someone demonstrates a version of Grover's that doesn't require a "circuit", or B) when we develop the technology to start imagining how to begin thinking about ways to implement SHA as a "circuit".  Either way, I suspect that our grandkids will have had plenty of time to ponder the suggestions that we leave in our memoirs on how to deal with the impending crisis.
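Added example, not part of the thread: the factorizations of 15 and 21 mentioned in the post above rest on reducing factoring to order finding, and this sketch runs that reduction with the order found by classical brute force (the only step a quantum computer speeds up). The function names are chosen here for illustration; the attack on Bitcoin's signatures discussed in the thread would use the discrete-logarithm variant instead.

```python
import math


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n).

    This is the step Shor's algorithm performs with quantum period finding.
    Here it is brute-forced, which takes time exponential in the bit length
    of n and is why the classical version does not scale.
    """
    if math.gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int):
    """Classical post-processing of Shor's algorithm for one base a.

    Returns a sorted pair of non-trivial factors, or None when this base
    is one of the unlucky ones and a different base has to be tried.
    """
    g = math.gcd(a, n)
    if g != 1:                      # the base already shares a factor
        return tuple(sorted((g, n // g)))
    r = multiplicative_order(a, n)
    if r % 2 == 1:                  # odd order: a**(r/2) is undefined
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:                  # a**(r/2) == -1 (mod n): only trivial gcds
        return None
    p, q = math.gcd(y - 1, n), math.gcd(y + 1, n)
    return tuple(sorted((p, q)))


def factor(n: int):
    """Try bases 2, 3, ... until one yields a factorization."""
    for a in range(2, n):
        result = factor_from_order(n, a)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for n, a in ((15, 7), (21, 2), (21, 4), (15, 14)):
        print(f"n={n} a={a} -> {factor_from_order(n, a)}")
```
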
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
January 03, 2013, 09:39:33 PM
#10
What really really makes me cry.. is the fact that all these internet hotshot MOFO's seem incapable of using the internet for research.

Lov K. Grover
http://arxiv.org/abs/quant-ph/9605043

Read it, understand it, basically SHAn CAN be compromised by Quantum computing, 160 would be blown wide open, 256 would be reduced down to about 80 bits.
If you are really interested follow the current research papers, same way you would go see a real doctor for advice, instead of listening to  the local street corner crack addict.


Clearly you don't understand that paper -- which describes the most basic, and widely-known QC algorithm out there.  "Grover's Algorithm" is the first thing you learn in a class about QC, and is the most basic and widely known algorithm out there.  All it does is cut the effective number of bits in half for brute force searching.  If you are trying to guess a 160-bit password, it'll be like an 80-bit password on a QC.  If you are trying to guess a 256-bit value, it will take 128 bits.  

For reference, the Bitcoin network has performed approximately 2^68 hashes in the entire 4 years it's been operating.   A long ways off of 2^80 to "guess" a 160-bit password. The bit sizes of the chosen algorithms are big enough that even one half the number of bits is still considered secure.  And when QCs come around, we only have to double the number of bits in our key sizes and the attackers are back to where they started.  Hardly "blown open".
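Added example, not part of the thread: a classical state-vector simulation of Grover's search against a toy SHA-256 preimage problem, showing the "half the bits" effect described in the post above. The secrets, the 2-byte input encoding and the function names are assumptions made for this sketch, and the simulation itself costs more than brute force because it has to evaluate the oracle on every input.

```python
import hashlib
import math


def digest(x: int) -> bytes:
    """SHA-256 of a candidate, encoded as 2 big-endian bytes."""
    return hashlib.sha256(x.to_bytes(2, "big")).digest()


def grover_search(n_bits: int, target: bytes):
    """Simulate Grover's algorithm over all n_bits-wide inputs.

    Returns (most likely input, oracle calls used, probability that a
    measurement yields a real preimage).
    """
    n = 1 << n_bits
    # Oracle truth table: which inputs hash to the target.
    marked = [digest(x) == target for x in range(n)]
    m = sum(marked)
    if m == 0:
        raise ValueError("no preimage in the search space")
    # Optimal number of Grover iterations: about (pi/4) * sqrt(N / M).
    iterations = math.floor(math.pi / 4 * math.sqrt(n / m))
    # Start in the uniform superposition.
    amp = [1 / math.sqrt(n)] * n
    for _ in range(iterations):
        # Oracle: flip the phase of every marked input.
        amp = [-a if hit else a for a, hit in zip(amp, marked)]
        # Diffusion: reflect every amplitude about the mean.
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]
    probs = [a * a for a in amp]
    guess = max(range(n), key=probs.__getitem__)
    success = sum(p for p, hit in zip(probs, marked) if hit)
    return guess, iterations, success


def compare(n_bits: int, secret: int) -> dict:
    """Grover oracle calls versus the expected classical guess count."""
    guess, iterations, success = grover_search(n_bits, digest(secret))
    return {
        "bits": n_bits,
        "guess": guess,
        "grover_iterations": iterations,
        "classical_expected": (1 << n_bits) // 2,
        "success_probability": success,
    }


if __name__ == "__main__":
    # Constructed secrets for the demonstration.
    for bits, secret in ((8, 0xA7), (10, 0x2C5), (12, 0xBEE)):
        print(compare(bits, secret))
```

Each extra 2 bits of input doubles the Grover iteration count while quadrupling the classical one, which is why doubling the digest or key length restores the original work factor.
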
full member
Activity: 196
Merit: 100
January 03, 2013, 09:29:23 PM
#9
What really really makes me cry.. is the fact that all these internet hotshot MOFO's seem incapable of using the internet for research.

Lov K. Grover
http://arxiv.org/abs/quant-ph/9605043

Read it, understand it, basically SHAn CAN be compromised by Quantum computing, 160 would be blown wide open, 256 would be reduced down to about 80 bits.
If you are really interested follow the current research papers, same way you would go see a real doctor for advice, instead of listening to  the local street corner crack addict.
legendary
Activity: 1190
Merit: 1004
December 28, 2012, 05:51:27 AM
#8
Computer science has progressed so fast in the past, twenty years notice could have already passed us. I was looking at quantum resistant cryptography before. At the moment the cryptosystems which are supposedly quantum resistant seem to need some work before they could be safely distributed. NTRU was an interesting one but has some issues such as being able to determine private keys from multiple different signatures.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
December 27, 2012, 11:11:57 PM
#7
This should be in all stickies and FAQs! Seems like every week lately we have a thread on this same old topic. I know the search engine is very bad on this forum, but I think most of the noisemakers are just too lazy to even use it.

I think at least this video from the summit should be compulsory to watch before being able to post on this forum.

...except that the speaker got the question about quantum computing wrong.  I was in the audience, but I was too much of a pussy to stand up and correct him in front of everyone.  Apparently, I should have done so (since he has now been cited by someone), but I'm shy like that -- especially because I was in the back and no one had any idea who I was.  Oh well.

The speaker says that ECDSA is not susceptible to QCs -- that's just wrong.  ECDSA is most definitely broken by QC's, as well as just most asymmetric crypto algorithms on which internet security relies.  But Bitcoin is better prepared to deal with QCs than most other crypto systems: (1) if you never reuse addresses, then no one knows your public keys and thus there's nothing for a QC to solve.  By the time someone gets your public keys, you've already spent the funds, (2) the crypto algorithms in Bitcoin can be changed to quantum-resistant ones.  Given that we'll probably have two decades advance notice before QCs with enough qubits exist to even threaten Bitcoin, we'll have plenty of time to make the switch.
newbie
Activity: 56
Merit: 0
December 27, 2012, 10:24:54 PM
#6
. . . I know very little about the technicalities of Bitcoin . . .
Clearly.

. . . will Quantum computing destroy Bitcoin? . . .
No.

http://lmgtfy.com/?q=quantum+site%3Abitcointalk.org

In a bad mood?

Thanks for the responses.
legendary
Activity: 1708
Merit: 1010
December 26, 2012, 08:07:38 PM
#5
will Quantum computing destroy Bitcoin?

Nope.  This is a known threat, and not a particularly high risk, either.  Even if it turns out that a quantum computer can rapidly outpace traditional hardware with regards to SHA-256; the bitcoin reference code includes 'hooks' to permit an orderly transition to another, more quantum resistant, algorithm.