How quantum computing affects Bitcoiners 🧵
Summarizing Chaincode Labs' excellent recent paper on the topic
tl;dr
😅 Quantum computers do not pose a threat to Bitcoin today
😰 But many researchers agree they will in the next 5 - 10 years
🧐️ Bitcoiners should start working on mitigations
Here's how quantum computers could threaten Bitcoin:
An everyday computer can derive a public key from a Bitcoin private key in a few microseconds
But the reverse is much more difficult:
Today's supercomputers would take ~100 quadrillion years to find the private key for a known public key
Quantum computers could theoretically derive a Bitcoin private key from a known public key in just a few hours
So the primary risk quantum computing poses to Bitcoiners arises in situations where the public key to your coins has been exposed
How might that have happened?
Long-range quantum attacks:
Some address types expose their public key:
Pay to public key
Pay to multisig
Pay to Taproot
Since these public keys are exposed as soon as the address receives coins, quantum computers may be used to derive their private keys and steal the coins
Short-range quantum attacks:
When you spend bitcoin, you reveal the public key for the coins in your transaction
A quantum computer may be used to derive the private key and spend the coins in a new transaction with a higher fee before your transaction is included in a block
Address reuse:
Coins that reuse an address from which other coins have already been spent may also be vulnerable to theft because the previous spends revealed the address's public key
A quantum computer may be used to derive private keys to any coins still at a reused address
Exposed xpubs:
Many services request that Bitcoiners provide an extended public key (xpub) used to generate addresses
If such an xpub is leaked, all addresses generated by that xpub may become vulnerable to having their private keys derived by a quantum computer
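The exposure classes above (long-range exposure for pay-to-public-key, bare multisig and Taproot outputs, plus address reuse for hash-based outputs) can be checked against your own coins. The script below is an added example, not code from the Chaincode paper or from this thread: it classifies an output's scriptPubKey by the standard Bitcoin output templates and reports whether the public key is already on-chain at receive time or whether the script has been spent from before. The UTXOs, txids and "already spent from" set are constructed placeholders.

```python
# Added example (not from the Chaincode paper): classify a scriptPubKey by
# whether its public key sits on-chain before the coins are spent, and flag
# address reuse. Script layouts follow the standard Bitcoin output templates;
# every sample script, txid and "spent-from" entry below is constructed.
from dataclasses import dataclass

OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xA9, 0xAC, 0xAE

# Output types the thread lists as exposing the key the moment coins arrive.
EXPOSED_AT_RECEIVE = {"p2pk", "p2ms", "p2tr"}


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey, or 'unknown'."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"      # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh"       # OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"     # OP_0 <20-byte hash>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"      # OP_0 <32-byte hash>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"       # OP_1 <32-byte x-only public key>: key is on-chain
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"       # <33- or 65-byte public key> OP_CHECKSIG: key is on-chain
    if n >= 3 and spk[-1] == OP_CHECKMULTISIG \
            and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16:
        m, k = spk[0] - OP_1 + 1, spk[-2] - OP_1 + 1
        body, keys = spk[1:-2], 0
        while body:         # walk the pushed keys: OP_m <key>... OP_n OP_CHECKMULTISIG
            push = body[0]
            if push not in (33, 65) or len(body) < 1 + push:
                return "unknown"
            body, keys = body[1 + push:], keys + 1
        if keys == k and m <= k:
            return "p2ms"   # bare multisig: every key is on-chain
    return "unknown"


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_pubkey: bytes


def exposure_report(utxos, spent_from_scripts):
    """Return (outpoint, type, reason) per UTXO, ordered as given."""
    report = []
    for u in utxos:
        kind = classify_script(u.script_pubkey)
        if kind in EXPOSED_AT_RECEIVE:
            reason = "long-range exposure: public key is in the output script"
        elif u.script_pubkey in spent_from_scripts:
            reason = "address reuse: an earlier spend from this script revealed its key"
        elif kind == "unknown":
            reason = "unrecognized script; review manually"
        else:
            reason = "only a hash is on-chain until spent"
        report.append((f"{u.txid}:{u.vout}", kind, reason))
    return report


# Constructed sample outputs (fake keys/hashes made of repeated bytes).
SAMPLE_P2WPKH = bytes.fromhex("0014" + "11" * 20)
SAMPLE_P2TR = bytes.fromhex("5120" + "22" * 32)
SAMPLE_P2PKH = bytes.fromhex("76a914" + "33" * 20 + "88ac")
SAMPLE_P2PK = bytes.fromhex("2102" + "44" * 32 + "ac")
SAMPLE_P2MS = bytes.fromhex("51" + "2102" + "55" * 32 + "2103" + "66" * 32 + "52ae")

SAMPLE_UTXOS = [
    Utxo("aa" * 32, 0, SAMPLE_P2WPKH),
    Utxo("bb" * 32, 1, SAMPLE_P2TR),
    Utxo("cc" * 32, 0, SAMPLE_P2PKH),
    Utxo("dd" * 32, 0, SAMPLE_P2PK),
    Utxo("ee" * 32, 2, SAMPLE_P2MS),
]
# Constructed: pretend an earlier transaction already spent from the P2PKH script.
SPENT_FROM = {SAMPLE_P2PKH}

if __name__ == "__main__":
    for outpoint, kind, reason in exposure_report(SAMPLE_UTXOS, SPENT_FROM):
        print(f"{outpoint[:8]}...  {kind:7s}  {reason}")
```

A real wallet scan would feed the scriptPubKey of each unspent output and the set of scripts that appear in any input you have already spent; P2SH and P2WSH outputs are treated like other hash-based outputs here, which is the right call only when the redeem script has never been revealed by a previous spend.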
Advances in quantum computing could also affect mining:
Quantum computers may slightly weaken the security of the SHA256 hash function used in mining, but it is unlikely they could break it
This means Proof of Work is probably still reliable in a quantum computing future
However, quantum miners may be subject to much stronger centralization pressures:
the best quantum hardware "would gain a disproportionate speedup, eliminating the incentive for less powerful quantum miners - as well as those who lack quantum computers - to participate"
Quantum resistance
Fortunately, there are a number of feasible proposals for how Bitcoin could become resistant to quantum attacks
Unfortunately, most of them involve using much larger signatures (read: quantum resistant spending might mean you pay a lot more in mining fees)
Tomorrow, we'll look at the second half of Chaincode's paper: Migration strategies and the big question facing Bitcoiners: burn or steal?
Read the full Chaincode report at: https://chaincode.com/bitcoin-post-quantum.pdf
And be sure to follow the report's authors: Clara Shik & ozdeadman