Topic: The Quantum Threat to Bitcoin: Implications for Miners, Nodes, and Wallets (Read 642 times)

We don't. If you explore coinbase transactions from the past, you can notice that there is a field called "extraNonce". Because it is not resetted, it is incremented, and by looking at such numbers, you can conclude that if one block has extraNonce equal to 1035, and some next block has extraNonce equal to 1039, then you can guess that both blocks were mined by the same miner.

http://satoshiblocks.info/

See? Those blue lines are used to collect all such cases. Also, you can see some green lines, that are similar, and also can show you, which coins can be owned by another single miner. However, all of that is not a proof, that Satoshi is the person behind it. The only strong implication is that if you can identify such line, then you can guess, that all blocks on a single line, were mined by a single miner.

However, this is similar to checking, which mining pool mined which block. This is just something you can get from exploring coinbase transactions. This is not a 100% proof, but rather a guess. Because, guess what: you can also run some solo miner, and put "Mined by AntPool" string inside. And then, if you release such solo-mined block, with your own address in the coinbase output, then people would see that and think "so, it was mined by AntPool, right?". Maybe. Or maybe not. We don't know, we can only guess.

Not exactly. People think he mined those blocks from those blue lines. But if you think he mined every single block, then you are wrong. There are many green dots, and it can show you, that many blocks were mined by other people. Also, because the slope of some green lines is different, people concluded that those miners had different hashrates. You can re-mine some old, CPU-mined blocks, to confirm, what was the exact algorithm for mining some old blocks.

"We" don't know exactly, but there are some speculations stating that he mined the first 20,000 blocks, untouched to this day.

How do "we" know which coins are Satoshi's? 

Same thing was said about every new technology including Bitcoin.  


First 2-qubit quantum computer was demonstrated in 1998 and last year IBM rolled out there 400 Qubit-Plus Quantum Processor and Next-Generation IBM Quantum System Two (IBM). The pace may be slow but quantum computing is a reality.

Moreover US president has already signed quantum Computing Cyber security Preparedness Act in final days of 2022.

You are off several order of magnitudes. If they somehow make quantum error correction work, then it's more like 15000*4000 = 60M qubits.

For 256-bit ECDLP the lowest logical qubit count is around 2330, giving 35M physical qubits.

There is a big problem - one also needs 126G Toffoli gates.

Additionally, the algorithm has to perform 116G time steps. If the time step is 1ps, then there might be even a correct result! With 1ns we are looking at 116 seconds runtime, enough for decoherence. AFAIK right now the time step is several hundred nanoseconds. This is several hours runtime. No result possible.

Wait a moment!
Error correcting Toffoli gates needs additionally at least 15 logical qubits. This is 225K qubits per Toffoli gate.
All together 28.35 * 10¹⁵ qubits.

Even if the above is off by orders of magnitude, for now, all quantum hope is lost.

Quantum computing is not a new thing, quantum computing algorithms like Shor's algorithm [1] that solves discrete logarithm problems and integer factorization in a polynomial time are launched in 1994.
RSA is based in integer factorization while Diffie-Hellman Key Exchange is based on Discrete Log Problem. Quantum computing is targeting the unsolved problems (hard problems) on which these security protocols stand.
One we have quantum computers of 4000 Qubits, things will get tough for current security protocols.

[1]https://www.geeksforgeeks.org/shors-factorization-algorithm/

It's not. The Hashcash [1] Proof-of-Work system is. There are other PoW not based on hashing [2].

While you ponder about quantum attacks on SHA256, which are considered extremely unlikely, you overlook the fact that Bitcoin's PoW algorithm, namely Hashcash [1], is itself known to be vulnerable to quantum attack, independent of the choice of hash function in Hashcash (SHA256D in bitcoin).

Using Grover's algorithm [3] for quadratic speedup, a quantum computer can find a hash pre-image with 2*k leading 0s in (very) roughly the same amount of time that a classical computer needs to find one with only k leading 0s.

[1] https://en.wikipedia.org/wiki/Hashcash
[2] http://cryptorials.io/beyond-hashcash-proof-work-theres-mining-hashing/
[3] https://en.wikipedia.org/wiki/Grover%27s_algorithm

How could they do that?

Sounds like you're parroting information. The concern with quantum computers comes by solving the ECDLP in a polynomial time, which in theory can be done using Shor's algorithm and a functional quantum computer. The quantum resistant cryptographic primitives you mentioned do not apply to a broken SHA256, but to secp256k1.

It could only be initiated by the users. The people who write the wallet software cannot just move other people's coins without a valid signature.

---

Now tell me. To which LLM did I respond?

If there were a successful quantum attack on SHA-256, which is the hashing algorithm used in Bitcoin, it would have significant implications for the Bitcoin network and its infrastructure. Here's how it might affect miners, mining hardware, Bitcoin wallets, and the need to migrate funds:

Miners and Mining Hardware:

Miners would be affected because the current Proof of Work (PoW) algorithm in Bitcoin relies heavily on SHA-256 for mining.
Quantum computers could potentially break the cryptographic primitives underpinning SHA-256, which would render the current mining hardware and strategies obsolete.
To maintain the security of the network, Bitcoin would need to transition to a quantum-resistant PoW algorithm, such as one based on quantum-resistant cryptographic primitives like lattice-based cryptography or hash-based signatures.
Miners would need to upgrade their hardware and software to adapt to the new algorithm, which might require significant investments.

Bitcoin Wallets:

Existing Bitcoin wallets that use classical public-key cryptography could become vulnerable to quantum attacks if a quantum computer becomes capable of breaking these algorithms.
Users might need to transition to quantum-resistant wallet software or generate new quantum-resistant addresses.
It's essential to note that not all wallets would be equally vulnerable; those that use post-quantum cryptographic techniques would be more secure.

Migration of Funds:


Depending on the severity of the quantum threat and the actions taken by the Bitcoin community, there might be a need to migrate funds from old addresses to new quantum-resistant addresses.
This migration process could be initiated by wallet software providers or done manually by users, depending on the circumstances and the transition strategy chosen by the Bitcoin developers and community.
The migration would involve creating new quantum-resistant keys and transferring Bitcoin holdings to these new addresses. Users would have to follow guidelines provided by wallet developers or the Bitcoin community to ensure a secure transition.


In summary, a successful quantum attack on SHA-256 would necessitate significant changes to the Bitcoin network, including a transition to a quantum-resistant PoW algorithm, upgrades to mining hardware and software, and a potential migration of funds to new quantum-resistant addresses. The specifics of these changes would depend on the nature and timing of the quantum threat, as well as the response of the Bitcoin community and developers. It's crucial for users to stay informed about developments in quantum computing and the Bitcoin ecosystem to take appropriate actions to protect their holdings.

This is always the case. Why? Because all algorithms are based on unsolved math problems, for example "elliptic curve discrete logarithm problem" (ECDLP). As long as it is unsolved, we can use elliptic curves in the same way as today. But once someone will find a mathematical solution, you need to find another problem, and build a new system around that. Also, for that reason, humans should never know the answer for every problem, because then you can no longer build any new crypto-based system.

Another important thing to note is that if the true owner of some coins can do something to move them, then it is technically possible to steal those coins, if someone else will repeat those steps. Which means, we are never at "it doesn't exist" stage, unless you send your coins to a Script, where nobody can move them, including yourself, for example OP_RETURN.

To this date, it is still true. For now, it comes gradually, because for example chainwork can show you, how far people are, when it comes to breaking SHA-256. For public keys, currently there is no provably fair puzzle, but you can make some assumptions, based on that famous centralized puzzle (it is centralized, because if you want to build it in a truly trustless way, then you need something like DLEQ, where the creator of the puzzle could not move the coins, without solving it).

As more informed members mentioned previously, there is no "one" solution, equation or algorithm that could have the answer to all the problems, meaning if POW is compromised, it would only work to generate blocks e.g, 10× faster than others with the same hash rate, so there will not be any all in one solution to manipulate everything.

If there hasn't been any exploitation of EC keys and hash functions, there are 2 reasons, 1- it doesn't exist, 2- it exist, we are not just ready to advance to that stage yet, as you know the universe has a God who controls everything, we just have to hope it comes gradually giving time for safe transition.  Humanity deserves financial decentralization, and that could only be achieved by having publicly available difficult to crack equations/algorithms.

Well, i don't think that it can remain a secret. If one entity has the resources and techniques to compromise the proof of work, then they should not remain in belief that none other can do it. What if they keep it a secret, in vision of owning everything , while the other party comes and takes away all.

By the way, once the POW is compromised, the price will automatically fall to Zero even before any party have any chance to sell.

There is currently in the region of 200,000,000 unspent UTXOs. With optimally somewhere around 10,000 outputs being spent per block, then we are looking at 20,000 blocks which is ~139 days of no other transactions to move everything to a quantum resistant algorithm, assuming all outputs were being moved to the new algorithm. If you want to move every coin to the new quantum proof address at once like this, then yes, that's a real concern.

There are a number of caveats to this, though, which mean in reality it won't be as bad as this. Assuming we will have plenty of time (in the order of several years) to move across to the new algorithm, then it easy for a large part of this to take place passively with no additional load on the mempool. That is to say, whenever in the next few days, weeks, months, or years, I plan to spend certain outputs, then I simply direct any change to a new quantum proof address instead of back to an old address. Any transactions which are going to be happening anyway, such as depositing coins to an exchange or paying a service, can similarly take up no additional block space once those exchanges and services move to the new algorithm. Indeed, given enough time, then the only coins we need to consider are dormant coins being held long term, since all coins being actively transacted will end up on the new algorithm anyway.

And even then there are proposals for other things we can do for those dormant coins to stop them being stolen should we run out of time. One such proposal is to lock any coins before they become vulnerable to theft, but provide a mechanism for the true owner to access them by proving a zero knowledge proof of (for example) the seed phrase or master chain code involved in the generation of these addresses.

Elliptic curves are independent, indeed. But, bitcoin isn't merely using elliptic curves. There are standards followed as the one I outlined, where to sign a message you hash your private key with your message to generate a pseudorandom k value, which will then be used to verify the signature.

Yes, but look at it in the other way: bitcoin is a continuous trouble for them. They strongly support the ability to manipulate the money supply, perhaps to the extent that causing the destruction of a few billion dollars is justifiable.

Agreed.

There is a vast thing in your favor - NIST has been working on the development of quantum resistant algorithms for several years, and their efforts are  not in vain. Some of those algos are already on the testing phase^[1].

The advances in quantum computing makes the subject matter to be a quite real thing that may happen in the nearest future ^[2].

AI-quantum would be a real threat^[3], IMHO.


*************************************************

[1]. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
[2]. Quantum-resistance in blockchain networks
[3]. "The Next Computing Revolution is with AI-Quantum" ft. Michio Kaku

I just don't understand why would any government attack bitcoin network, that would be a huge scandal because millions of people have savings in bitcoin, there are tons of bitcoin related businesses, there are lots of multi millionaires and billionaires in crypto world, they can't just ruin their life so easily.


First of all, such a rapid development and attack can't happen overnight. If technology advances to such extent, it will happen in a timeframe that will give us enough time to be ready and adapt to new changes and make quantum resistant bitcoin. If it happens otherwise and this technology comes out of nowhere, then not only bitcoin but whole world wide web will be destroyed because you have to think about not only bitcoin but other websites, absolutely every email/account will get hacked, every content management system will get hacked, it will be like the intense earthquake in virtual world.
So, that won't happen, relax and chill guys.

You can take it like that NSA developed SHA256 for security of data. They may have the algorithms to break the SHA256 but there is more profit in not revealing that they have algorithm to break SHA256.
If Quantum computing becomes a reality we have bigger things to worry about then security of our wallets since nothing will be spared by this new computing model.

I am not familiar with tech related stuff behind the scene of various block chain / hash functions, but I know they are separate from EC, while DSA depends on them.
IMO, if proof of work is compromised, it will remain secret because there is much greater benefits by both having a successful network and a backdoor to this network, so I doubt if anyone is stupid enough to try and attack when they can own everything.

In the case of mining operations, I had similar concerns until  vjudeu  replied and explained some solutions to some of the problems.
IMHO, nothing is more important than EC and safety of private keys, because that's supposed to be a safe vault inside user's houses, whatever happens to them, means someone broke in and stole from them, that kind of event has no turning back, but if way before that ever happens we could have plans and suggestions ( operational code ) in place as an upgrade, then people could be ready for anything.
It would be like when governments fortify their cash reserve vaults with new material and tech, it's a normal and expected change.

But again when you think about it, why would anyone interrupt the process of his own money printing machine if they can break EC?  As a conclusion, I doubt we see anything compromising crypto system any time soon because their profit depends on the safety of such systems.

---

Who says different addresses in the same wallet have no connection? Maybe you need to think about the reason as to why mixers exist. Sha256 is unrelated to privacy concerns about connecting addresses/ wallets.

And about transition to new algo/ network, I'm not an expert, so I don't know.

my question is less about how likely it is or if it would be fast. It's more about a possbile transition.
Lets say it get broken some distant time in the future (sha256 and EC), but slowly and the public is aware of it:
Now people would start migrating to stronger encryption all over the internet and also bitcoin would introduce an update with a more secure algorithm.
Now all coins on old addresses would possibly be in danger, because over time people could get access to it. At first it would take really long to do but it will get faster.

How could a possible transition look like? Or would it be the end of bitcoin.
Normally if you want your coins safe you would send them to a new wallet that has its sk/pk generated by the new algorithm. But everybody would need to do that and that would flood the mempool if every living owner of btc would suddenly try to move his coins.


right now you can have multiple addresses on one wallet without any connection between them. My question was if breaking sha256 would make it possible to connect them.

Actually, it's used in both private keys and elliptic curve. Modern wallet software uses SHA256 to calculate checksum of the mnemonic, and it is also used to calculate k value in signatures by following the RFC 6979 standard.

If SHA is compromised, then shit has hit the fan, to put it in laymen terms. It is used in every single corner of cryptography, but even if it wasn't, Bitcoin would still not survive, as Proof-of-Work is completely dependent on a secure hash algorithm. It's orders of magnitude worse than being able to work out a private key in a time span of a month.

You should read previous page to understand, but it's technical, sha256 proven to be strong enough at least so far, many experts work on breaking it, if one of them finds a weakness, the whole world will know about it and will have time to use a stronger hash function.

If a weakness is found in EC, it should be revealed for everyone, then if everyone wants to continue using crypto, they will have to use another type of curve, a different and stronger one. If it happens gradually bitcoin can survive, if it gets exploited in mass and suddenly, it would be difficult to restore things back to normal. These are speculations, not expert's opinions.

About wallet tracking, it is unrelated to this topic, but if you don't want anyone to connect your wallets to  certain transactions, use a mixer.

thank you for the explanation.
So an update to a new secure hash algorithm would be a problem from a mempool point of view, but a new EC would be?
Would comprimising sha256 be a privacy concern if it is used for generating addresses? Would it mean someone could connect all addresses from one wallet?

Computers used to fill an entire room, now better computers are in everyones pocket, so we never know how accessible quantum computing could get

IBM last year launched 'IBM Osprey', a new 433-quantum bit (qubit) processor and this is quite a progress in development of Quantum Computers, in 2001 we have 7 qubit quantum computers. There is predictions from experts that 2500-4000 logical Qubits would break ECDSA (source). Bitcoin is composed of many technologies, SHA256 is used to encrypt blocks of Bitcoin and in case any technology get compromised we have problem.  

Quantum computing is in its early stages and may take some years before getting launch. We cant deny it.

Sha256 hash function is used in bitcoin signatures/transactions, mining and generating addresses, it has nothing to do with private keys and elliptic curve. They are different. Have you ever seen a quantum computer? It's like some sort of alien spaceship engine, I don't think those who can build one enough powerful would use it to target crypto.

If hash functions are compromised there is a chance to survive for  bitcoin, but with EC compromised, the whole concept of public key cryptography is doomed. So there will be no transferring of anything.😑

lets say quantum computing comes slowly and a new algorithm is found that is secure against it. Then bitcoin would most likely change from sha256 to it. So all new wallets/addresses are secure by the new algorithm. What happens with the old ones? If sha256 is broken, you could get the private key from the public Key. Or am i wrong with that? So everyone would need to transfer their funds from their old addresses to new ones. Wouldnt that completly blow up the mempool and with that the transaction prices? Most people would lose a lot of their value just to transact to a safer address or they would leave their funds in the open for anyone with the algorithm to get them.

Advancements in technology are never welcomed in the start. Not many are taking Quantum computing seriously at the moment. But Quantum computing is a reality though it may take time to arrive. Quantum is not only a threat to crypto but to many other technologies like blockchain, VPNs and more. The idea behind Quantum is that its targeting the hard problem behind cryptography like Integer Factorisation and once it solves the problem there is no point in increasing the key size.

Yeah I always run two nodes on and off. so I always have 1 offline for 10 days.

So i always have a full chain backup off line which is 1 to 10 days old.

I cant be the only one that does this.

Bitcoin on it's own will survive any attack, even attacks such as rewriting the whole chain, because it's a distributed ledger, whatever happens people won't simply say Ok this experiment was fun, now that it's under serious attack lets just forget about hundreds of billions and move on to a new experiment, No there will be lots of bankruptcies and thousands of lives will be destroyed but it will rise from the ashes, because "decentralization" is what they signed up for, meaning no central crisis management organization (unit) will step in to handle the situation.

Problem is with mining machines, any new algo, solution should be based on one thing; whatever developers and manufacturers do, they need to make it compatible with current infrastructure in place, because if I am mining and suddenly they pull the plug and say you no longer can use these miners because there was an attack, well what am I supposed to do now?

Of course the usual answer is, "developers will fix it don't worry", developers can't keep their wallets safe, how can they keep a giant network safe when it's under attack?
(We knew these risks when we signed up for Bitcoin.)

 

we can argue quantum threat and the implications and one implication is

a quantum miner can increase the diff to 1000t vs the 55t it is now.

it is 2040 and btc diff has jumped to 1000t.

China has quantum mining in effect. as they developed a 200ph miner that uses 3000 watts.

just like they tore the top off btc rally in April 2021 they do it in 2040

they drop the diff down from 1000t to 100t the blockchain effectively freezes

and miners have to switch to a non quantum algo say scrypt with the ltc/doge stuff set up and ready.

Btc may not recover from that type of attack as it involves quantum only inlplace on the sha-256 mining Asic.

title of thread mean what effects can a quantum pc do to btc.

so a twofold attack would be trash btc sha256 and offer a replacement  algo scrypt

this is a two prong attack which needs quantum pc mining and a replacement algo

I suppose btc would need to alter its algo in an immediate move and the alternate would need to be an in place working algo. that has a lot of gear.

It would be a true mess.
Another way to fight a difficulty attack could be an emergency difficulty adjustment.

There is a topic about tail supply, good luck: https://bitcointalksearch.org/topic/surprisingly-tail-emission-is-not-inflationary-a-post-by-peter-todd-5405755
Also, there is another topic, which popped up more recently: https://bitcointalksearch.org/topic/can-tail-emmision-be-a-soft-fork-5466502
Which means, there are many better places to discuss it, than this topic.

What if diff is 200t it is the year 2040 and miners simply realize ltc/doge algo is far superior due to Doge never lowering its 10000 coin reward.

Doge is progressively lower % wise in inflation every year but always has a decent reward level for miners.


This threat above is greater than any other. Miners are the value bodyguards for a coin.  They will simply follow profits.  Much more threatening than a 'special' computer cracking address and taking fund out.

Has anyone ever thought that "quantum computing" (as we are being sold it, destroyer of worlds) might just be complete pseudo-science?

Should we sit around debating what will happen when the first mining farm discovers free energy?

You can easily find it out, if you see someone that is trying to break some altcoin. Or you can feel the same thing, if you try to solve security-related puzzles, like those ones: http://www.wechall.net/ (in general, we had many people on forums, who thought that someone successfully broke ECDSA, hash functions, and things like that; they were all wrong, but their feelings were probably genuine).

In case of altcoins, the right way of doing that, is full disclosure on forums. Inform anyone and everyone about a particular weakness, and create a situation, where a statistical CPU owner can mount a successful attack. And then, if developers are wise, they will fix it immediately, and everyone will be safe and happy again. But if they will try to ignore that constructive criticism, then such altcoin should be burned, and all attackers can just destroy it. I saw that many times on bitcointalk, there are whole groups that collect a lot of Bitcoins, just by finding and destroying half-baked altcoins, which are full of security holes.

This is bad idea. That means, someone else will just discover the same thing, and it will be worse, because the coin with that weakness will reach higher values, and more people will be harmed, when it will be destroyed in the future.

This is never the case. First, as vjudeu mentioned, it is not "secure vs broken" game. There is always some particular attack, and your defense will depend on that particular attack. Look at hardened SHA-1. Why it was created? Because of backward-compatibility. How it was created? Of course, based on the attack from 2017. If that would not happen, and if we would have a different attack in 2023, then hardened SHA-1 would use a completely different algorithm, designed specifically for that 2023 attack.

Exactly the same, as with every other security issue. First, write to the developers, inform them, give them some time to fix it. And if nothing will happen, then reveal everything publicly on forum. If it is still not sufficient, then demonstrate a practical attack on some test network, if there is any. And then, if messed up testnet is ignored, attack the mainnet. Because you revealed everything, and reached every previous stage of "inform and wait for the fix", you can publicly, and openly attack and destroy everything, to bring all of us into a world, that is safer, and resistant to this particular attack. Because if you won't, then that coin will grow further, and collapse in a worse way in the future.

Those steps in the middle can vary a little bit, but the general approach is simple: contact with developers, give them some time, and then publish it in a full disclosure model. You can find a list of previous BTC issues, and see, how exactly they were submitted in the past, how they evolved, which of them are solved, and which of them are still wide open, and wait for the future solution: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

Edit: https://www.youtube.com/watch?v=4k1GcX1cqMg

This scenario isn't particularly realistic as first powerful enough quantum computers will most probably be owned by governments or corporations not cybercriminals. So Bitcoin devs will have time to migrate to another more safe protocol which would withstand a quantum attack.

I'm just thinking of the person who could be behind that. A crypto-hobbyist, with expertise in cryptography and the like. What would he feel first after that "eureka" moment? What should they do if they prioritized the collective benefit? Keeping it secret, and never exploiting it? Publishing it, and making every mining infrastructure worth zero? What would be the best approach for that person? Maybe they start searching for past suggestions on Internet boards.  

If they start mining, that will look weird, unless they mine blocks very rarely. Otherwise, if they were to set lots of times higher difficulty, then we'll notice an unknown group of miners suddenly acquiring vast amounts of hash rate without any ASIC being sold. That will start stinking fishy.

I am not a genius. But here we are in a "Development & Technical Discussion" board, so I can expect at least some basic knowledge about programming, because in other cases, those topics should land in some other, general discussion boards. Posting it here means that OP expects a technical response. And if you want to give any technical answer, then you have to know, how internally SHA-256 works. If you treat it like a black box, then that discussion will go nowhere.

You need at least a basic understanding of hash functions, if you want to talk seriously about it. You need to know at least how SHA-256 uses internal 32-bit values, and how they are mixed in each round. If you don't understand this pseudocode from Wikipedia, then sorry, but it is just an entry level to think seriously about any attacks on hash functions: https://en.wikipedia.org/wiki/SHA-2#Pseudocode

If you ask some technical question, and you receive an answer that is beyond your level of understanding, you should not be worried about it. When I started exploring hash functions, I knew nothing about them. Then, I read this pseudocode from Wikipedia. Then I wrote a simple program in C++ to produce a single hash. Then I experimented with it, started tweaking constants, changing parameters, and playing with all of that. And then, after many months, I wrote this topic: https://bitcointalksearch.org/topic/why-hash-functions-are-safe-5402178

As you can see, it took me many months of exploring the topic, to even think about writing something like that. And I am far from being genius or expert, because if you read, how many rounds can be broken on preimage or collision level, and if you read some PDFs, posted by mathematicians, then you will see, that my level of understanding is very basic, compared to them. I am still at round 20, when it comes to SHA-1 preimage. People went much, much further, and achieved much more than that, and I am still learning to get there later.

As I mentioned, you can overwrite the whole chain, without reaching even collision level of SHA-256. You don't need "to produce custom double hashes", because it is not a low-hanging-fruit. Even if you take "broken" hash functions like MD5 or SHA-1, you still cannot produce preimages for them, you can "only" find collisions. And if you can set a million times higher difficulty, that means you can also easily overwrite the whole chain.

It depends. Because as I said, it is not a "broken vs secure" game. If you can produce "a preimage", instead of "the preimage", then that kind of attack wouldn't work in some scenarios. For example, if SHA-256 is used to produce a deterministic R-value of a signature, and it is used to concatenate some private key with some message, then if you can produce "a preimage", then you would probably get a completely different (key,message) pair, and then you wouldn't know, what is the original private key, even if you can produce a valid signature for that.

Then they will be reversed, and those funds will be stolen. Later, they could be burned, or returned to the original owner, but any post-attack solution should be backward-compatible, and the chain should follow the heaviest Proof of Work.

Edit: Currently, you can even find websites, where you can explore SHA-256 round-by-round, step-by-step. So yes, we have that "knowledge at our fingertips", because anyone can visit https://sha256algorithm.com/ and play with SHA-256 in a browser.

Reading that article, clearly the journalist knows nothing to little about bitcoin, one could tell after reading he used private address instead of private key.

He also states what if someone mined 2016 blocks in 1 minute and left the scene? He says it would take 700+ years for difficulty readjustment, lol as if people would live their normal lives after seeing 2016 blocks in 1 min.  Of course in that case everything will change accordingly.

And if someone could mine 2016 blocks in 1 min, they could practically break sha256, so why bother announcing such capability to the world like that?

About double spending by hijacking txs from the mempool, well there is a solution, when it happens then all miners will have to accept a fork which disables RBF, so when all miners refuse to process RBF txs, an attacker no longer has the ability to double spend, there could be some implementations to record first seen txs and any tx from that address with different recipient, fee would be invalid.

Of course if miners refuse such a fork, they should start looking for something else to use their ASICs for other than mining.

While all "experts" talk about quantum computers and qbits, ECC is breakable by math, their opinions is based on current useless DLP solving algorithms, while with the right algo, you no longer need a QC.

Although it is possible to break Bitcoin with quantum computers still it will take hundred or more years to do that
here is what I have read but still it will take time and maybe some of us will not be around
https://cybernews.com/crypto/bitcoin-in-danger-quantum-computing-advances/#:~:text=If%20a%20Quantum%20computer%20is,before%20the%20transaction%20is%20finalized.

I love it when you expect everyone else to be a genius like yourself, it's like we have the means and knowledge at our fingertips to do the things you suggest. If OP knew how to attack SHA256, he wouldn't be here asking questions about wallets.

This is one dangerous idea, thinking about it makes you wonder, what if they can use their ability to produce custom double hashes and start collecting all the mining rewards?  And when they figure out a way to break sha256, what if for years they keep it a secret and then have access to everything dependent on sha256 security?

What if they manage to reverse some transactions in the future?

If sha256 is broken, miners and ASIC manufacturers are doomed, because they will have to throw all their rigs into trashcan.
This is why independent research is extremely vital especially for bitcoin, because as we know, we are on our own, because we chose decentralization we need to keep this system safe, no government will come to rescue if something happens, they have done all they could think of to limit and restrict bitcoin adoption, if something happens, they will sit and watch with joy and smile on their face.
 

Just test it. For example, reduce SHA-256 into the first 16 rounds, and then try to attack your own, vulnerable nodes. Or split it into eight independent 32-bit chunks, and try to attack them, if you need some difficulty in your theoretical attacks. Or use SHA-256 eight times, and truncate it to 32-bit values, and then attack. There are many models that you can create, and then, you can see, that your question is not fully specified. It is not only in a binary state: broken vs secure. It is a spectrum, where a particular attack can harm some things, while not touching other issues. So, some attack, where you can get any value you want, just like in a modulo-as-a-hash-function model, is something entirely different, than when it would need for example 2^64 hashes to break anything.

If SHA-256 will be fully broken on preimage level, where you could say: "I want to get any message, that will hash into ", then all OP_CHECKSIG use cases will be affected, because internally, SHA-256 is used to produce z-value. And if you skip hashing in ECDSA, then it is wide open, and you can produce a fake signature, and then create a message, that will hash into your random z-value.

However, if you worry about SHA-256, then check the current chainwork. And note that instead of trying to compute any preimage (2^256 hashes with brute force) or collision (2^128 hashes with birthday attack), it is much more profitable to produce a higher chainwork, and just overwrite the whole chain. Also, using some additional power for mining, will not remain unnoticed. There are many possible attacks, where you can harm Bitcoin, while not breaking any rules at all. For example, it is possible to raise the difficulty into some insane levels, and then just stop mining. Then, no rules will be broken, but the chain will be effectively halted, if for example the difficulty would be one million times bigger than it should be.

So, if you want to get your answer, you should clarify, which particular attack you have in your mind. Because different attacks will cause different effects, and you can test each case individually, by using some simplified version of SHA-256, with a particular weakness that you want to test, and then check only that to see, how your nodes will react. Because all you need, is just cloning Bitcoin Core, and replacing SHA-256 implementation with something else, and then running some regtest nodes, unaware of the attack, and some attacker node, that can produce hashes faster in a particular way.

The mining infrastructure won't be vulnerable. It's the security of the secp256k1 elliptic curve Bitcoin uses, that will need to change. And there will probably be a quantum safe hard fork which will come with a quantum safe algorithm.

The developers will warn you to send your coins to quantum safe addresses. By the time that it will be trivial to work out a private key by a quantum computer within a reasonable time frame, any coins sitting on quantum unsafe addresses will be waiting to be claimed by the attacker.

yeah all of the above about slow deliberate attacks against the early blocks makes sense if the attacker was a business trying to make money.

If the attacker is a government looking to wipe out BTC and 256bit  crypto safety.  They would do a few of satoshi's just to see how fast it takes them to do a single address.

Only need do a few.

Then do nothing except crack all of satoshi's addresses. Once they do that simply pull out every coin on them in under an hour.  This would crash BTC out and terrify all companies using 256 bit encryption.

If I live long enough to see this happen I would be very surprised as I think this is 50 years away at best.

256 bit encryption would be wise to to stay ahead of this by becoming 512 bit.

I also think it would happen until we develop cold fusion which would enable  easy power for a very big pc.

Bitcoin's PoW scheme is the least likely component to be affected by quantum computing. Assuming quantum computers ever become more efficient at computing SHA-256 hashes than ASICs the worst thing that could happen is that quantum computers would get used for mining.

What could become problematic at one point is quantum computing enabling the derivation of the private key of an address from its public key. That scenario affects old addresses that have their public key exposed due to outgoing legacy P2PK transactions; assuming they still contain a balance due to address reuse. While that may involve potentially a tidy sum, the impact of such an attack would still be rather limited except for bringing old coins back into circulation (i.e. it seems to be likely that any coins potentially exposed in such a manner have been lost by their owner a long time ago). Correcting myself because I misremembered: That scenario affects old P2PK address that provide the public key directly and modern addresses after the public key has been exposed by an outgoing transaction. While critical, this would follow a slow timeline as described by d5000, especially since the step between cracking P2PK addresses and modern addresses -- on-the-fly, outside of address reusage -- is huge.

FTFY. SHA-256 isn't especially vulnerable to quantum computers afaik (it's more vulnerable to extremely fast traditional Von Neumann computers). It's the public key algorithm (ECDSA) which could generate some headaches in some decades.

But the attack will be slow and gradual. Let's say that a malicious entity has access _now_ to a quantum computer capable of running Shor's algorithm to break ECDSA, with a couple of thousands qubits.

-  First, they'll try to attack old P2PK transactions, as they provide the public key. Satoshi's coins are the prime example for that. We will thus see slowly Satoshi's money moving (be it because Satoshi himself moves them with P2[W]PKH/P2TR txes, or because the quantum hacker moves them). An attacker will need years for that step alone, so they'll be focusing on coins where it's unlikely that thay'll be moved.
- Second, they'll attack transactions with reused keys. These are more likely to be moved. First old ones, then newer ones. I think at least in this phase people will become increasingly aware of the danger, and devs will have probably created a new quantum-secure public key infrastructure for the addresses.
- And only in a third step they'll be able to attack non-P2PK keys while people are transacting. They have less than 10 minutes, as they need the public key, i.e. they have to wait until you spend the funds and then attack instantly.

(by the way: shouldn't we make one of the old threads on that topic sticky so the question doesn't pop up every couple of weeks?)

What you imagine does not make much sense, because today's quantum computers are far from being able to be a threat to Bitcoin in any way - and therefore the scenario you are talking about cannot just happen overnight. In other words, there is enough time for Bitcoin to adapt to this threat, and there are dozens of discussions on the forum where you can find a lot of useful information about the quantum threat.

For those who want to know more, interesting reading -> https://www.schneier.com/blog/archives/2015/08/nsa_plans_for_a.html

This will not affect mining or nodes or bitcoin wallets. Only what that will happen is for bitcoin developers to develop quantum computer resistant one which may require an update nodes, miners and wallets.

Before bitcoin will not be able to be resistant against quantum computing, bitcoin developers would have created quantum resistant one.

Suppose that that there is a successful quantum attack on SHA-256. That it happened so quickly that Bitcoin has to move infrastructure with the nodes is transitioned to a quantum resistant software. What do you think would happen to the miners, the computation of the nonce, including all the mining hardware?  And by extension how would this affect Bitcoin wallets. Do you think we would need to get new wallets and migrate our funds from our old addresses?