Topic: The Quantum Threat to Bitcoin: Implications for Miners, Nodes, and Wallets - page 3. (Read 851 times)

I'm just thinking of the person who could be behind that. A crypto-hobbyist, with expertise in cryptography and the like. What would he feel first after that "eureka" moment? What should they do if they prioritized the collective benefit? Keeping it secret, and never exploiting it? Publishing it, and making every mining infrastructure worth zero? What would be the best approach for that person? Maybe they start searching for past suggestions on Internet boards.  

If they start mining, that will look weird, unless they mine blocks very rarely. Otherwise, if they were to set lots of times higher difficulty, then we'll notice an unknown group of miners suddenly acquiring vast amounts of hash rate without any ASIC being sold. That will start stinking fishy.

I am not a genius. But here we are in a "Development & Technical Discussion" board, so I can expect at least some basic knowledge about programming, because in other cases, those topics should land in some other, general discussion boards. Posting it here means that OP expects a technical response. And if you want to give any technical answer, then you have to know, how internally SHA-256 works. If you treat it like a black box, then that discussion will go nowhere.

You need at least a basic understanding of hash functions, if you want to talk seriously about it. You need to know at least how SHA-256 uses internal 32-bit values, and how they are mixed in each round. If you don't understand this pseudocode from Wikipedia, then sorry, but it is just an entry level to think seriously about any attacks on hash functions: https://en.wikipedia.org/wiki/SHA-2#Pseudocode

If you ask some technical question, and you receive an answer that is beyond your level of understanding, you should not be worried about it. When I started exploring hash functions, I knew nothing about them. Then, I read this pseudocode from Wikipedia. Then I wrote a simple program in C++ to produce a single hash. Then I experimented with it, started tweaking constants, changing parameters, and playing with all of that. And then, after many months, I wrote this topic: https://bitcointalksearch.org/topic/why-hash-functions-are-safe-5402178

As you can see, it took me many months of exploring the topic, to even think about writing something like that. And I am far from being genius or expert, because if you read, how many rounds can be broken on preimage or collision level, and if you read some PDFs, posted by mathematicians, then you will see, that my level of understanding is very basic, compared to them. I am still at round 20, when it comes to SHA-1 preimage. People went much, much further, and achieved much more than that, and I am still learning to get there later.

As I mentioned, you can overwrite the whole chain, without reaching even collision level of SHA-256. You don't need "to produce custom double hashes", because it is not a low-hanging-fruit. Even if you take "broken" hash functions like MD5 or SHA-1, you still cannot produce preimages for them, you can "only" find collisions. And if you can set a million times higher difficulty, that means you can also easily overwrite the whole chain.

It depends. Because as I said, it is not a "broken vs secure" game. If you can produce "a preimage", instead of "the preimage", then that kind of attack wouldn't work in some scenarios. For example, if SHA-256 is used to produce a deterministic R-value of a signature, and it is used to concatenate some private key with some message, then if you can produce "a preimage", then you would probably get a completely different (key,message) pair, and then you wouldn't know, what is the original private key, even if you can produce a valid signature for that.

Then they will be reversed, and those funds will be stolen. Later, they could be burned, or returned to the original owner, but any post-attack solution should be backward-compatible, and the chain should follow the heaviest Proof of Work.

Edit: Currently, you can even find websites, where you can explore SHA-256 round-by-round, step-by-step. So yes, we have that "knowledge at our fingertips", because anyone can visit https://sha256algorithm.com/ and play with SHA-256 in a browser.

Reading that article, clearly the journalist knows nothing to little about bitcoin, one could tell after reading he used private address instead of private key.

He also states what if someone mined 2016 blocks in 1 minute and left the scene? He says it would take 700+ years for difficulty readjustment, lol as if people would live their normal lives after seeing 2016 blocks in 1 min.  Of course in that case everything will change accordingly.

And if someone could mine 2016 blocks in 1 min, they could practically break sha256, so why bother announcing such capability to the world like that?

About double spending by hijacking txs from the mempool, well there is a solution, when it happens then all miners will have to accept a fork which disables RBF, so when all miners refuse to process RBF txs, an attacker no longer has the ability to double spend, there could be some implementations to record first seen txs and any tx from that address with different recipient, fee would be invalid.

Of course if miners refuse such a fork, they should start looking for something else to use their ASICs for other than mining.

While all "experts" talk about quantum computers and qbits, ECC is breakable by math, their opinions is based on current useless DLP solving algorithms, while with the right algo, you no longer need a QC.

Although it is possible to break Bitcoin with quantum computers still it will take hundred or more years to do that
here is what I have read but still it will take time and maybe some of us will not be around
https://cybernews.com/crypto/bitcoin-in-danger-quantum-computing-advances/#:~:text=If%20a%20Quantum%20computer%20is,before%20the%20transaction%20is%20finalized.

I love it when you expect everyone else to be a genius like yourself, it's like we have the means and knowledge at our fingertips to do the things you suggest. If OP knew how to attack SHA256, he wouldn't be here asking questions about wallets.

This is one dangerous idea, thinking about it makes you wonder, what if they can use their ability to produce custom double hashes and start collecting all the mining rewards?  And when they figure out a way to break sha256, what if for years they keep it a secret and then have access to everything dependent on sha256 security?

What if they manage to reverse some transactions in the future?

If sha256 is broken, miners and ASIC manufacturers are doomed, because they will have to throw all their rigs into trashcan.
This is why independent research is extremely vital especially for bitcoin, because as we know, we are on our own, because we chose decentralization we need to keep this system safe, no government will come to rescue if something happens, they have done all they could think of to limit and restrict bitcoin adoption, if something happens, they will sit and watch with joy and smile on their face.
 

Just test it. For example, reduce SHA-256 into the first 16 rounds, and then try to attack your own, vulnerable nodes. Or split it into eight independent 32-bit chunks, and try to attack them, if you need some difficulty in your theoretical attacks. Or use SHA-256 eight times, and truncate it to 32-bit values, and then attack. There are many models that you can create, and then, you can see, that your question is not fully specified. It is not only in a binary state: broken vs secure. It is a spectrum, where a particular attack can harm some things, while not touching other issues. So, some attack, where you can get any value you want, just like in a modulo-as-a-hash-function model, is something entirely different, than when it would need for example 2^64 hashes to break anything.

If SHA-256 will be fully broken on preimage level, where you could say: "I want to get any message, that will hash into ", then all OP_CHECKSIG use cases will be affected, because internally, SHA-256 is used to produce z-value. And if you skip hashing in ECDSA, then it is wide open, and you can produce a fake signature, and then create a message, that will hash into your random z-value.

However, if you worry about SHA-256, then check the current chainwork. And note that instead of trying to compute any preimage (2^256 hashes with brute force) or collision (2^128 hashes with birthday attack), it is much more profitable to produce a higher chainwork, and just overwrite the whole chain. Also, using some additional power for mining, will not remain unnoticed. There are many possible attacks, where you can harm Bitcoin, while not breaking any rules at all. For example, it is possible to raise the difficulty into some insane levels, and then just stop mining. Then, no rules will be broken, but the chain will be effectively halted, if for example the difficulty would be one million times bigger than it should be.

So, if you want to get your answer, you should clarify, which particular attack you have in your mind. Because different attacks will cause different effects, and you can test each case individually, by using some simplified version of SHA-256, with a particular weakness that you want to test, and then check only that to see, how your nodes will react. Because all you need, is just cloning Bitcoin Core, and replacing SHA-256 implementation with something else, and then running some regtest nodes, unaware of the attack, and some attacker node, that can produce hashes faster in a particular way.

The mining infrastructure won't be vulnerable. It's the security of the secp256k1 elliptic curve Bitcoin uses, that will need to change. And there will probably be a quantum safe hard fork which will come with a quantum safe algorithm.

The developers will warn you to send your coins to quantum safe addresses. By the time that it will be trivial to work out a private key by a quantum computer within a reasonable time frame, any coins sitting on quantum unsafe addresses will be waiting to be claimed by the attacker.

yeah all of the above about slow deliberate attacks against the early blocks makes sense if the attacker was a business trying to make money.

If the attacker is a government looking to wipe out BTC and 256bit  crypto safety.  They would do a few of satoshi's just to see how fast it takes them to do a single address.

Only need do a few.

Then do nothing except crack all of satoshi's addresses. Once they do that simply pull out every coin on them in under an hour.  This would crash BTC out and terrify all companies using 256 bit encryption.

If I live long enough to see this happen I would be very surprised as I think this is 50 years away at best.

256 bit encryption would be wise to to stay ahead of this by becoming 512 bit.

I also think it would happen until we develop cold fusion which would enable  easy power for a very big pc.

Bitcoin's PoW scheme is the least likely component to be affected by quantum computing. Assuming quantum computers ever become more efficient at computing SHA-256 hashes than ASICs the worst thing that could happen is that quantum computers would get used for mining.

What could become problematic at one point is quantum computing enabling the derivation of the private key of an address from its public key. That scenario affects old addresses that have their public key exposed due to outgoing legacy P2PK transactions; assuming they still contain a balance due to address reuse. While that may involve potentially a tidy sum, the impact of such an attack would still be rather limited except for bringing old coins back into circulation (i.e. it seems to be likely that any coins potentially exposed in such a manner have been lost by their owner a long time ago). Correcting myself because I misremembered: That scenario affects old P2PK address that provide the public key directly and modern addresses after the public key has been exposed by an outgoing transaction. While critical, this would follow a slow timeline as described by d5000, especially since the step between cracking P2PK addresses and modern addresses -- on-the-fly, outside of address reusage -- is huge.

FTFY. SHA-256 isn't especially vulnerable to quantum computers afaik (it's more vulnerable to extremely fast traditional Von Neumann computers). It's the public key algorithm (ECDSA) which could generate some headaches in some decades.

But the attack will be slow and gradual. Let's say that a malicious entity has access _now_ to a quantum computer capable of running Shor's algorithm to break ECDSA, with a couple of thousands qubits.

-  First, they'll try to attack old P2PK transactions, as they provide the public key. Satoshi's coins are the prime example for that. We will thus see slowly Satoshi's money moving (be it because Satoshi himself moves them with P2[W]PKH/P2TR txes, or because the quantum hacker moves them). An attacker will need years for that step alone, so they'll be focusing on coins where it's unlikely that thay'll be moved.
- Second, they'll attack transactions with reused keys. These are more likely to be moved. First old ones, then newer ones. I think at least in this phase people will become increasingly aware of the danger, and devs will have probably created a new quantum-secure public key infrastructure for the addresses.
- And only in a third step they'll be able to attack non-P2PK keys while people are transacting. They have less than 10 minutes, as they need the public key, i.e. they have to wait until you spend the funds and then attack instantly.

(by the way: shouldn't we make one of the old threads on that topic sticky so the question doesn't pop up every couple of weeks?)

What you imagine does not make much sense, because today's quantum computers are far from being able to be a threat to Bitcoin in any way - and therefore the scenario you are talking about cannot just happen overnight. In other words, there is enough time for Bitcoin to adapt to this threat, and there are dozens of discussions on the forum where you can find a lot of useful information about the quantum threat.

For those who want to know more, interesting reading -> https://www.schneier.com/blog/archives/2015/08/nsa_plans_for_a.html

This will not affect mining or nodes or bitcoin wallets. Only what that will happen is for bitcoin developers to develop quantum computer resistant one which may require an update nodes, miners and wallets.

Before bitcoin will not be able to be resistant against quantum computing, bitcoin developers would have created quantum resistant one.

Suppose that that there is a successful quantum attack on SHA-256. That it happened so quickly that Bitcoin has to move infrastructure with the nodes is transitioned to a quantum resistant software. What do you think would happen to the miners, the computation of the nonce, including all the mining hardware?  And by extension how would this affect Bitcoin wallets. Do you think we would need to get new wallets and migrate our funds from our old addresses?