pull down to refresh

Also published to SubStack where I will add edits if needed: https://open.substack.com/pub/antic/p/response-to-the-end-of-cryptocurrency
A friend of mine sent me this video, explaining why the Atom quantum cluster spells the end of cryptocurrency and bitcoin, which I hate to link because I don't want to drive traffic and engagement to FUD, but for context, here it is: https://www.tiktok.com/t/ZT8Sb4qC3/
This video in particular struck me because the author knows just enough about these topics to sound like he knows what he’s talking about and to convince people like my friend who don’t know the technical details enough to see why he’s wrong.
In this case, he's ignoring two very important things that I can hopefully explain without a lot of technical detail:
  1. There is a COST to running these quantum computers that must be lower than the profits gained from the attack
  2. There is a significant difference between simple public/private key encryption and the many ways payments can be secured on the bitcoin network (like P2SH/multisig)
He's right that some cryptocurrencies are going to be adversely affected by quantum compute. I won't argue for random cryptos that are most certainly broken, and some aspects of Bitcoin may need to upgraded eventually, but I can explain why he's completely off the mark on what he says about Bitcoin specifically.
If you are simply talking about public/private key encryption, sure there are ways that quantum poses a risk, and there are mitigations already being rolled out: https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms
There was a very old way of spending bitcoin called P2PK (pay to public key), which allows bitcoin to be sent to the public key itself, but current bitcoin addresses, in the worst cases, use P2PKH, or pay to public key hash, which does not expose the public key until the moment funds are sent FROM the address and only while they sit in the mempool for processing. If you do not reuse addresses, and you have never spent funds from a P2PKH address, the world does not know the public key. P2PKH is considered legacy, but there is still a TON of bitcoin on the ledger attached to these addresses, so let's dig into them a bit.
However, with bitcoin, you generally do not know the public key behind an address. Let's say you want to try to steal the 530 BTC that are currently sitting in this address: 1111111111111111111114oLvT2
Well, that looks like a really simple address to crack, right? Look at all those 1's! Let's explore that. First, this is not the public key, so you cannot just use Shor's algorithm with a sufficiently large quantum array to factor it to the private key because this isn't even the right number to factor. And once we get there, it's another huge task for quantum that requires significant qubits that don't currently exist on the market, about 2,330.
This bitcoin address is a ripemd160 hash of the sha256 hash of the public key. So if you want to use Shor's algorithm to crack it, you first have to use Grover's algorithm to break sha256, and ripemd160 in two other runs of your quantum cluster--more costly. But let's assume that you can break these things in a positive cost to benefit way and go over the steps of how the address was created and how you would have to attack it. And note, that bitcoin payment addresses are a little more complicated than just these hashings of the pub key but the other steps in P2PKH are simple enough not to require major compute: https://www.oreilly.com/library/view/mastering-bitcoin-2nd/9781491954379/ch04.html
This is (roughly) how the address was created (giving us some variable names so we can discuss this without using word soup).
shaPub = sha256(pubKey) address = ripemd160(shaPub)
So the steps to reverse this to find the pubKey look like this:
  1. Spin up your world's largest quantum compute datacenter to use Grover's algorithm to get the ripemd160 source of address (the value that you had to pass into ripemd160 hash in order to get a result of 1111111111111111111114oLvT2 -- this input value is shaPub.
  2. Use that same expensive cluster to then get the sha256 source of shaPub (what you have to pass into sha256 to return the value of shaPub), this will return the pubKey
  3. Use that cluster again with Shor's algorithm to factor pubKey to find privKey
  4. Use a regular computer to sign and issue a network transaction to steal the funds
  5. Hope that the owner of that address isn't programmatically watching the mempool for transactions using keys they own and that they don't have automation in place and miners setup to replace the transaction by fee and move their funds to a different address before your transaction can go through (they most certainly are watching and have this automation and are running their own miners because you are attacking a very large player).

The Cost

So this attack requires running several operations on large quantum compute clusters, which are NOT free to run, nor are they entirely stable yet. The current cost of running quantum compute is non-trivial. And there are major differences between physical and logical qubits, quantum annealing, etc--you need to really research this stuff if you want to plan an attack. If you think you can run the world's largest quantum computer cluster at a cost below the reward of what you are attacking, you might want to rethink your plans. You could spend millions of dollars trying to hack this key and not get to the result. But maybe a bigger address is vulnerable like 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr, which has $1,078,252,625 worth of bitcoin in it as of this writing—surely you could spend less than $1B to run this attack, right? They are also relying on the simple P2PKH security method, so the process is the same. The owner of this billion dollars worth of bitcoin clearly doesn't think that the cost-to-benefit ratio exists yet for quantum to be a threat to these addresses--and you will absolutely see that as quantum grows, balances will move out of P2PKH that exceed the cost of attack.
But not everyone will or even can move their bitcoin from P2PKH--Satoshi mined a LOT of bitcoin to addresses early on and very likely Satoshi is not around, has lost those keys, or never saved them to disk because the mining was experimental and the payment addresses may have been programmatically generated and thrown away.
The video author makes the argument that attackers are going to steal just a little bit of bitcoin from people's wallets (not enough to be noticed). How absurd is that? Bitcoin isn't 49 cents worth of pennies floating in your pocket that you won't notice turned into 48 pennies, or a rounding error bug in your bank account stealing fractions of a cent. Bitcoin owners watch the contents of their wallets programmatically. They will know as soon as any amount of satoshis are moved from their wallets. This idea of an attack assumes that the cost of quantum compute is free and that nobody will notice the security is compromised and it's somehow worth it to just take a little bit. That's absurd.
Why would you try to steal a tiny bit of someone's bitcoin, when you could crack Satoshi's keys and sign messages to the internet AS SATOSHI? You would effectively be the CEO of a $648B company. Additionally, nobody would be able to contest you on the rights to the funds because nobody else has these keys. You could target 1NSPqTZae3bCdiCNWSbkE4qBxfqjybA93S, one of the early block reward addresses (P2PKH) and then just sign messages to the internet saying things about bitcoin or other cryptocurrencies or about satoshi that would MOVE MARKETS. You would be immensely powerful. Stealing pocket change not only would be noticed as soon as you did it, it would be the most absurd usage of spending the resources to break P2PKH.
Additionally, there are about 4 million bitcoin that are currently assigned to public keys or to P2PKH sources that have been used multiple times. These are the easiest target for quantum to attack since you don't need to do the multiple Grover's steps and only need to use Shor's to factor the public key into the private key. When the cost of running this attack becomes a positive equation, we will see these funds move. These are the canary in the trillion dollar bitcoin mine.
In theory, and attacker could also try to skip the Grover's steps and only use Shor's by attacking transactions as they wait in the mempool, but this would require running the quantum attack during the window where funds wait to be processed. In order to achieve this rapidly, you need a MASSIVE quantum compute cluster. This would take 317 × 10^6 physical qubits (or 317,000,000 qubits, far more than Atom’s 1,000+ cluster) to break the encryption within one hour. See Webber et al

Higher Security

So we've shown how to reverse a P2PKH into a pubKey and hope that you can afford to Shor's algorithm your way to the private key, but this method is not so easy when you use other methods of security like P2SH (script addresses that start with a 3), P2TR (taproot, starting with bc1p). These newer systems offer multiple layers of security that require a lot more than simply identifying a single public key and factoring the private key to match. All you really need to do to not be eaten by the bear is to run faster than all the people who are lazily eating a picnic behind you. Proper self-custody of bitcoin and key management is hard. It’s not for everyone.
There are several valid ways to add even more security if you are concerned about quantum attacks:
  1. The simplest: don't assign large balances to a single address (don't be a valid cost-to-attack target). With an HD wallet, you can create as many addresses as you want and keep all of them below 1 BTC. The cost to attack you will not be worth it vs attacking someone else for the foreseeable future.
  2. Use multisig, requiring the signature from multiple private keys to spend funds--now they have to identify multiple keys that go with each other in order to move the funds, which turns this into an astronomical problem.
  3. Watch the large addresses and see where the money flows. You can be sure that major companies like Coinbase and Binance are smarter about this than you are and if you are storing your bitcoin in the same way they are but with smaller address balances (not in the 1000+ per address range), you are probably safu with your self-custody in terms of quantum risk (you may have other problems).
  4. Not typically recommended (and I’ll probably get destroyed in the comments by the hardcore folks), but if you really don’t think you can keep up with the security requirements of having sovereign control of your finances, maybe just put your bitcoin in Coinbase or CashApp and let them worry about quantum resistance—maybe it’s too soon in the adoption curve for you to worry about this.
There is a COST to running these quantum computers that must be lower than the profits gained from the attack
Assuming that powerful enough QCs actually work, with low enough error rate, this actually makes a lot of shitcoins safe as nobody will care to attack them.
There was a very old way of spending bitcoin called P2PK (pay to public key), which allows bitcoin to be sent to the public key itself, but current bitcoin addresses, in the worst cases, use P2PKH, or pay to public key hash, which does not expose the public key until the moment funds are sent FROM the address and only while they sit in the mempool for processing. If you do not reuse addresses, and you have never spent funds from a P2PKH address, the world does not know the public key. P2PKH is considered legacy, but there is still a TON of bitcoin on the ledger attached to these addresses, so let's dig into them a bit.
Note that Taproot (P2TR) addresses does not use hashing, it's pay to public key again.
reply
I haven’t used taproot addresses yet myself but my understanding is that bech32m, just like bech32, uses sha256 and ripemd160 hashing steps on the public key as well: https://en.bitcoin.it/wiki/Bech32
reply
Bech32m is the address format used to encode the output script of Pay to Taproot outputs on the user layer. Addresses don’t appear on the blockchain, in transactions, or in output scripts.
The output script for P2TR outputs consists only of the witness version and the witness program, and the witness program is an x-only secp256k1 pubkey. When a P2TR output is spent via the keypath, the witness stack only needs a signature. So no, most P2TR outputs would not protected by hashes, just as @kristapsk already stated above.
The exception would be if you made the keypath unusable, because spending via the scriptpath requires a control block that commits to the leafscript via a Merkle branch in the scriptree since the Merkle tree involves hashing.
reply
Address types and encoding are different things. First you create data to encode, then you encode it.
P2PKH (1...) and P2SH (3...) are different address types, but both use Base58Check encoding. For SegWit v0 (bc1q...) addresses bech32 encoding is used, but P2WPKH and P2WSH uses different hashing algos before doing bech32 encoding (SHA256+RIPEMD160 vs just SHA256, that's why different length of addresses). For SegWit v1 (bc1p...) currently only address type is P2TR and there just Schnorr (not ECDSA) pubkey is encoded using bech32m.
Using Schnorr signatures and not hashing pubkey is what allows to do these various Taproot tricks like having complicated smart contracts that look on a blockchain just like plain single pubkey.
reply
The pubkeys don’t change between ECDSA or Schnorr, they are just curve points on secp256k1 in either case. Just the signature is different, and the respective output type requires one or the other in the witness stack for spending.
reply
Yes, you are correct here.
reply
The question is whether or not the requirements for an attack change/simplify if you only know the bc1 address.
reply
Clearly I’m going to have to dig into taproot more :) thanks for the extra info.
reply
What about bc1q (native SegWit) addresses? Are they safe?
reply
Native segwit still uses the same hashing steps mixed with some other easier to reverse steps: https://en.bitcoin.it/wiki/Bech32
reply
I would not say pay to pubkey isn't safe at least currently too, but, yes, bc1q is either P2WPKH (pay to witness public key hash) or P2WSH (pay to witness script hash), so has the same security as 1... (P2PKH) and 3... (P2SH) addresses.
reply
clearly pay to pubkey is still currently safe or there would be 4 million bitcoin getting stolen out from those vulnerable addresses :)
The cost to attack vs the value of the target is the most important metric. If the shitcoins have enough swappable value, they will be attacked as well--and actually maybe easier targets because most people won't care if some random crypto gets hacked--the bitcoin crowd won't necessarily think we've hit a point where these attacks are possible, so if I were an attacker, I'd probably start liquidating alts before hitting bitcoin.
reply
That's an interesting point--and I think why a lot of people use things like DOGE and LTC when bitcoin is hot--it's more below the radar for attacks and scrutiny.
reply
Great post!
reply
Thanks, and of course, my nocoiner buddy responded to me with:
omg dude…i barely cared about that. I just sent it because i thought you would find it interesting. now you have a whole article about it lol jesus dude anyway i figured you wold disagree you are definitely a bitcoin evangelist
reply
your nocoiner friends needs to uninstall TikTok spyware and come to SN so we convert him
reply
Let me guess, he's never sent you any links to bullish articles on Bitcoin before.
A great example of confirmation bias (and if my premise is wrong, this comment becomes an excellent example of confirmation bias :P). I wonder if he's ever considered that his friend who can write an 1800+ word article on Bitcoin cryptography might know something about Bitcoin that he doesn't. Ego is a bitch.
It sounds like you've tried to orange-pill him in the past. What happened? Is there enough material for another article? :D
reply
I told him to buy bitcoin. He bought it, then watched it go sideways and thought it wasn't performing as well as his vanguard managed fund so he sold it. I don't tell people to buy bitcoin anymore; I tell them to learn about it--and about how fiat currency is devalued over time.
reply
That says a lot though, that he was actually open-minded enough to listen to you.
I've only been through one bull-bear cycle, and now I am much more careful about exactly what I tell people. I once was so certain that BTC would never dip below $30k again. How stupid that was!
reply
That's why I told him to dollar cost average--you can only time and predict the market cycles with vague ideas and pseudo-science astrology for finance nerds. Slowly accumulating is the only way to be sure.
reply
😂😂😂
reply
reply
reply
I've heard quantum computing doesn't reduce time complexity from exponential to polynomial, it merely reduces the degree of the polynomial.
reply
I thought your article was supposed to debunk the stuff, but now it got me worried instead :D
Are there already potential upgrade ideas for the network so that even old coins can't be attacked?
reply