Why Quantum Computers Won't End Up Cracking Bitcoin Wallets

"Within a decade, quantum computers could be powerful enough to break the cryptographic security that protects cell phones, bank accounts, email addresses and — yes — bitcoin wallets," writes CNBC.

But fortunately, that would happen only if we do nothing in the meantime, they're told by Thorsten Groetker, former Utimaco CTO "and one of the top experts in the field of quantum computing." Crypto experts told CNBC they aren't all that worried about quantum hacking of bitcoin wallets for a couple of different reasons. Castle Island Ventures founding partner Nic Carter pointed out that quantum breaks would be gradual rather than sudden. "We would have plenty of forewarning if quantum computing was reaching the stage of maturity and sophistication at which it started to threaten our core cryptographic primitives," he said. "It wouldn't be something that happens overnight."

There is also the fact that the community knows that it is coming, and researchers are already in the process of building quantum-safe cryptography. "The National Institute of Science and Technology (NIST) has been working on a new standard for encryption for the future that's quantum-proof," said Fred Thiel, CEO of cryptocurrency mining specialist Marathon Digital Holdings. NIST is running that selection process now, picking the best candidates and standardizing them.

"It's a technical problem, and there's a technical solution for it," said Groetker. "There are new and secure algorithms for digital signatures. ... You will have years of time to migrate your funds from one account to another." Groetker said he expects the first standard quantum-safe crypto algorithm by 2024, which is still, as he put it, well before we'd see a quantum computer capable of breaking bitcoin's cryptography. Once a newly standardized post-quantum secure cryptography is built, Groetker said, the process of mass migration will begin. "Everyone who owns bitcoin or ethereum will transfer [their] funds from the digital identity that is secured with the old type of key, to a new wallet, or new account, that's secured with a new type of key, which is going to be secure," he said.
There will still be the problem of users who forget their password or died without sharing their key.

But in those scenarios, CNBC suggests, "an organization could lock down all accounts still using the old type of cryptography and give owners some way to access it."

Re:

[mamba-mamba]

I mean, that is cool but it is basically just a wordy meme. Got a citation or something?

Re:Not gonna happen

[Geoffrey.landis]

Worse, it is incorrect.

It talks about the thermodynamic energy-limit to computation, and says let's assume a supercomputer cooled to absolute zero.

But the thermodynamic energy limit for computation is ~kT per bit flip. If you cool the machine to absolute zero, the theoretical energy of computation is zero.

This is a photosnark meme written by somebody who didn't understand the science they were talking about. (Which is not unusual for photosnark memes).

--

Footnote: the thermodynamic limit is kT per bit flip for a non-reversable computation. Some theorists have suggested that you can make a reversable computer. This would mean in principle that you only pay the energy price for reading the output, the computation itself would be free. It would have a very odd operation: first, you expend energy to do the computation. Then, you do the computatation in reverse and generate that energy back!

Re:

[jythie]

Plus, isn't the picture really just talking about the cost of brute forcing it by checking ALL numbers in the space? The whole point of trying to develop various cracking algorithm (quantum or conventional) is figuring out ways to do it without simply checking every single number to see if it factors.

Re:

[thegreatemu]

I don't doubt that the story is bunk, but your footnote kind of makes your post moot. Quantum circuit gates are unitary and reversible.

Reversable: easy in theory, not so easy in reality

[Geoffrey.landis]

I don't doubt that the story is bunk, but your footnote kind of makes your post moot. Quantum circuit gates are unitary and reversible.

Everything in thermodynamics is reversable at the microscopic level. Everything in classical physics is reversable at the quantum level too, for that matter.

Actually making a computer that is capable of generating usable energy from the Gibbs free energy allowed by the fact that, in principle, you know the content of the information on the machine... now, that's a trick.

The reality of password cracking.

[geekmux]

(Bitcoin Fantasy Narrator) "Now imagine if you could keep that supercomputer cooled at roughly absolute zero..."

(Agent) "Hand me that $5 pipe wrench and shut the hell up already."

Re: The reality of password cracking.

[ArmoredDragon]

This is taking about breaking into a crypto wallet when you don't even know who its owner is, let alone have the ability to come anywhere close to them with a $5 wrench.

Re:

[Lanthanide]

No one is worried about brute-force attacks.

Re:

[arglebargle_xiv]

Yeah, but they are worried about science fiction attacks by imginary quantum computers.

There was a great paper published a year or so back that talked about time-travel-resistant cryptography. It was basically a "quantum computers" paper with the word "time travel" substituted, and was just as realistic as the quantum version.

Re:Not gonna happen

[Sneftel]

Is that actually your mental model of quantum computation? You think it's just a system that can sequentially enumerate and test possibilities really really fast?

That's.... not an accurate model.

Re:

[zekica]

Correct, but Shor's algorithm works only for finite field math (RSA and EC, also for DH and ECDH), not for AES or ChaCha or SHA2/3, so symmetric keys and hashes should be "safe" (which Bitcoin uses in the blockchain).

Re:Not gonna happen

[Entrope]

To elaborate, Grover's algorithm [wikipedia.org] is the quantum search algorithm that speeds up attacks on traditional hah functions and symmetric key cryptography. But it only reduces the effort by the square root -- a 128-bit cipher becomes breakable, but a 256-bit one remains safe.

The concern for Shor's algorithm in cryptocurrency is that it allows attackers to forge signatures on transactions, and then they drain wallets.

The major drawback of post-quantum signature schemes [wikipedia.org] is that they substantially increase public key and/or signature sizes -- the current state of the art is roughly 2 KB for each, versus 32/65 bytes for elliptic curve signatures. Needing 32x the space and bandwidth is not as trivial as the cryptocurrency people imply.

Re:

[Joce640k]

But it only reduces the effort by the square root -- a 128-bit cipher becomes breakable

A 128-bit cipher only becomes breakable in theory.

In practice? Quantum decoherence will kick in long before you've performed 2^64 iterations.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[swillden]

In practice? Quantum decoherence will kick in long before you've performed 2^64 iterations.

Unless that problem is solved. Betting that problems will not be solved is not a good strategy. It's better to use 256-bit keys and 512-bit hashes.

Re:

[Joce640k]

Laws of physics apply to this particular problem.

Schrodinger's cat cannot be observed.

Re:

[cfalcon]

There's no reason to assume that a "128 bit cipher becomes breakable". You're using the fact that 64-bit ciphers are not considered great because they seem to be within the power to brute force by state actors- that's far from "breakable", and you don't just stable "quantum" to the side of a 3 gigahertz chip and have that power. The algo in question does halve the key search space, but a 64 bit key is fully secured if your brute force solution is one multibillion dollar machine at 10 hertz, or even whatev

Re:

[Areyoukiddingme]

The major drawback of post-quantum signature schemes is that they substantially increase public key and/or signature sizes -- the current state of the art is roughly 2 KB for each, versus 32/65 bytes for elliptic curve signatures. Needing 32x the space and bandwidth is not as trivial as the cryptocurrency people imply.

The continued existence of YouTube is all the argument ever needed to counter storage space complaints, and bandwidth is only a problem in the US, for political reasons, not technical.

I know the relative stagnation in CPU core performance for much of the last decade has made it feel like there's been no progress in computing in that time, but that specific problem conceals advances elsewhere. In 2009, when Bitcoin was released to the world, the largest hard drive you could buy, for any money, was 2 TB. To

Re:

[allcoolnameswheretak]

And still, my primitive ape-mind thinks that if I randomly enter passphrases into certain wallet apps, I might come across some big or abandoned wallet jackpot.

Ape-mind be strong.

Re:

[cfalcon]

Ape mind is correct. If you are entering passwords, then you have the advantage of sharing an immense amount of information with the mind that created said password. This is why the few things that have allowed user entered passwords to be converted to private keys are looked at in a sketchy fashion, because of this incredible insecurity.

Re:

[allcoolnameswheretak]

Not sure. Most wallets use 16 word passphrases. For a 256 private key, that is 16-bit per word. So if you use 65536 different words and map those to values 0 to 65535, you can map the entire 256 bits with the 16 words.
According to Google, there are 170K English words in use, so that sounds a very doable approach.

Do they know what decentralised means?

[Lanthanide]

> But in those scenarios, CNBC suggests, "an organization could lock down all accounts still using the old type of cryptography and give owners some way to access it."

So bitcoin is not going to be decentralized if there's a single company who has custody of your wallet and you have to prove your identity to them (how?) in order to get access to your coins.

Sure.

Re:

[Noobsa44]

I think you miss the "real" purpose for bitcoin. I admit this is only my own interpretation of a real purpose, but if you look at books like "American Nations: A History of the Eleven Rival Regional Cultures of North America" you will discover that second sons of our ancestor's economic system have a need to generate wealth and cannot do so in their existing system. To detail this out a bit, many of our founding fathers were from wealthy families that directly or indirectly came from the 2nd+ sons in the fa

Re:

[Oligonicella]

second sons of our ancestor's economic system have a need to generate wealth and cannot do so in their existing system.

Too many rags to riches stories for that to be true.

Re:

[Type44Q]

Except for specific times and places, those are outliers.

Re:

[jythie]

Yeah.. pretty much every nation, economic system, and time period had examples of 'dirt farming peasant grows up to be grand lord of something' , but that does not mean there is economic mobility for 'the population'.

Simple: There will be much more profitable uses

[drolli]

Imagine that QC required on the order of magnitude to crack encryption would work, the we probably could use these to:

Cure cancer on an person by person basis in the early stages by individually developed antibodies/vaccinations.

Other individualized medicine

Develop materials - how much would a Room temperature room pressure superconductor be worth?

Re:

[Lanthanide]

You realise that making bespoke drugs involves more than just some maths calculations on a computer, right? You actually have to synthesize the drugs somehow. It's all very well calculating the precise molecule that could cure someone's cancer, but without a way to produce that molecule, that's mostly useless.

Re:

[cusco]

Labs are building molecules now atom by atom on an experimental basis, but the time QC is ready for prime time it's likely that the molecular assemblers will be as well.

Re:

[cusco]

Those would be reasonable searches, but we all know that the first applications will be to crack Satoshi Nakamoto's wallet.

Re:

[Junta]

While they may not be able to mess with a transaction, I think they could derive your private ECDSA key and make new transactions that look valid. They would need to replace ECDSA in a hypothetical future with capable quantum computing.

It would still be messy

[vadim_t]

If it happened, even with a warning, it'd still be chaos.

There are lost or unused wallets with enormous balances, like Satoshi's 1.1 million BTC. Just the possibility of somebody being able to get control of that much BTC would cause a panic.

And of course anybody with the resources to crack a wallet would try going for the big hoards first, so after Satoshi I'd expect the next targets to be very long term users, exchanges and other large businesses dealing with BTC.

Re:It would still be messy

[fph il quozientatore]

Where "chaos" means "Bitcoin crashes, people who invested heavily in dangerously volatile cryptocurrency lose their money, everything else goes on normally"?

Re:

[cfalcon]

> There are lost or unused wallets with enormous balances, like Satoshi's 1.1 million BTC. Just the possibility of somebody being able to get control of that much BTC would cause a panic.

Bitcoin miners would do whatever they could to make this the patented "Good For Bitcoin". Here's I'll give you a hypothetical future.

Step 1: "Oh noes we suspect $ORGANIZATION_OR_COUNTRY will soon be able to write arbitrary transactions given an input public key, and we suspect that they have every public key that ever

It won't happen overnight

[Rosco P. Coltrane]

But that doesn't mean it's reassuring.

The problem is, the NSA and other 3-letter-acronym sumbitches with enough free taxpayer's money to stay well ahead of the curve will do it secretly for years before the man on the street starts hearing that the conventional crypto they rely on might not be up to scratch anymore. They already do now...

Re:

[hey!]

In other words, while it certainly won't *happen* overnight, we might very well *find out about it* overnight.

Re:

[Aighearach]

If you're so ignorant of science news that you think that the NSA is doing some sort of basic research and prototyping cutting edge machines that requires hiring top, high profile academic physicists, then yeah, you'll probably hear about it "overnight" regardless of where the discovery comes from.

This is one of those, "if you're ignorant not to be sure, then the reality will be the same as if it was true" situations.

Quantum computers arn't magic

[Viol8]

And cryptographic key sizes can be increased very cheaply , far cheaper than the quantum bits required to crack them. SHA 256 vulnerable? So use SHA65535 or similar. Once a quantum computer has run out of q-bits to use it has to run sequencially like a normal computer - AFAIA, correct me if I'm wrong - so if it has to crack a key size of 65535 bits it won't be much help if it tops out if its q-bits top out at 256 bits. As soon as a machine is powerful enough to crack larger keys simply make the keys larger.

Re:

[Lanthanide]

All bitcoin mining is based on SHA256. If you're changing to SHA65535 you have to do a protocol upgrade and get all the miners to agree - all of the miners need to agree to throw away the expensive ASICs they've invested in and replace them with new ones.

How likely is it that miners are going to do this without proof that SHA256 is cracked? What if the proof of SHA256 being cracked is an attack on bitcoin - definitely a high profile target for a grey or black hat whole had access / control of the quantum co

Re:

[Viol8]

Personally I'd be overjoyed if bitcoin was cracked and the whole shysters edifice crumbled, but I was talking in general terms.

Re:Quantum computers arn't magic

[Viol8]

Yeah, I'm broken up over it. Now run along little boy, mummy has your dinner ready.

Re:

[Entrope]

SHA256 is not significantly vulnerable to quantum computers. Plain SHA256 also does not involve any keys.

Re:

[Viol8]

How do you think block ciphers work?

Re:

[Entrope]

How do you think quantum computers work? (Pro tip: Read the subject text.)

We were not discussing block ciphers, but message authentication codes. And anyway, traditional (symmetric-key) block ciphers using 256-bit keys are typically not any more susceptible to quantum attacks than SHA256 is.

Re:

[Viol8]

SHA-265 uses block ciphers which require a key. That was my point.

Re:

[Entrope]

SHA-256 does not require a key. The Davies-Meyer construction you are talking about uses the blocks of a message to be hashed as the key (of a block cipher used within SHA-256). None of that means quantum computers help any more than I said in the first place.

Re:

[oh_my_080980980]

"to be hashed as the key "

Yes, yes it does. More importantly

"We would have plenty of forewarning if quantum computing was reaching the stage of maturity and sophistication at which it started to threaten our core cryptographic primitives"

So apparently Thorsten Groetke thinks this can happen.

Re:

[Entrope]

Your "yes it does" is missing any kind of point.

As someone else pointed out, Thorsten Groetker is not well-known in the crypto world. I don't know what he thinks "plenty of warning" means, or how much warning he thinks is necessary. His bare assertion about that is not convincing.

Adopting a new signature scheme for Bitcoin transactions requires a hard fork, after picking a new scheme and implementing it. That kind of transition has taken a long time in the past -- notably for MD5 to SHA-1 and now to SHA-2

Re:

[Aighearach]

I don't know what he thinks "plenty of warning" means

It means, for example, they'll be building machines that have n cubits years before they'll be building machines with 2n cubits, and they'll be cracking m bit algorithms years before 2m bit algorithms.

is not well-known in the crypto world

Luckily, we've known for thousands of years that argument from authority is a fallacy.

Re:

[Junta]

SHA256 isn't a block cipher. It's a hash algorithm. The parent post is correct that Quantum doesn't help SHA256.

Block ciphers are weakened, but not badly. It effectively halves the keylength. 128 bit is considered *plenty* and 256 bit keys are commonly used.

Asymmetric algorithms are where the trouble is. Bitcoin uses ECDSA, so that would be the problem that needs addressing.

Re:

[Viol8]

"SHA256 isn't a block cipher. It's a hash algorithm"

*sigh*

https://en.wikipedia.org/wiki/... [wikipedia.org]

"They are built using the Merkleâ"DamgÃ¥rd construction, from a one-way compression function itself built using the Daviesâ"Meyer structure from a specialized block cipher"

Re: Quantum computers arn't magic

[PPH]

I'd be happy if QC could just crack Slashdot's mojibake.

(I got a lameness filter error just for cutting/pasting Slashdot's own garble. How lame is that?)

Re:

[Junta]

So to the extent that 'block cipher' applies in theory to SHA-256, I can't speak to.

In practice, SHA-256 does not involve a key. Anyone in the world can freely calculate the SHA-256 of any known piece of data without a key. It is used as a hash to verify well-known data (where it is normally signed, e.g. in Bitcoin using ECDSA) or in an HMAC where parties have a shared secret (most often an ephemeral session shared secret, because HMAC with shared secret is faster than an asymettric approach, though AES-GC

What worries me is satoshi's coins

[bspus]

If he really is dead or the coins are inaccessible in general for now, the incentive to crack those specific legacy accounts will be huge.
Eventually they will succeed and flood the market with a massive amount of coins.
It might be years before the price recovers then, with whatever other permanent damage it does to its (already bad) reputation as a volatile asset.
I know it's not technically cracking bitcoin but still..

Access Request

[waynemcdougall]

Hi, my name is Satoshi Nakamoto. I seem to have lost the key to my old, insecure wallet. Please assist me in transferring my Bitcoins to a new secure wallet.

Obligatory XKCD

[sTERNKERN]

https://xkcd.com/538/ [xkcd.com]

This is cringe...

[Anonymous Coward]

I work in the area of quantum security (meaning, intersection of quantum computing and cryptography, PhD) and the story I've just read made me cringe.

First of all, I beg you please, please to not start the usual discussion "QC will never be real". I am tired of arguing with you. Let's just set this aside for a moment, OK?

Reasons to cringe:

1. "Thorsten Groetker, [...] one of the top experts in the field of quantum computing" never heard of this guy before. I have only found one with a similar name on DBLP and has no publications related to quantum physics whatsoever.
2. "We would have plenty of forewarning if quantum computing was reaching the stage of maturity" ahahahah. No.
3. "It wouldn't be something that happens overnight." OK, let me explain why this a dangerous and probably wrong assumption, because it's actually not something many people know. The reason is Quantum Error-Correcting Codes. The TL;DR is that progress on expanding the power of quantum computing has so far been limited to small steps at a time, but there is a theoretical threshold that, if reached (and we're getting closer and closer), would allow to scale up the quantum memory very fast. We would see huge progress in the timespan of months if not weeks.
4. "There are new and secure algorithms for digital signatures" yeah, good luck with that. I'm not saying that's not true, but the process of migrating wallets and certificates to quantum-resistant crypto will be a painfully slow one, as any new standard adoption in security. Furthermore, even the most promising NIST quantum-resistant schemes have overhead (signature/key size, speed etc) that are currently not competitive with traditional crypto used in Bitcoin. There is ongoing work to design quantum-resistant blockchains and related application, it's certainly feasible, but it's not as straightforward as the guy puts it.

The real reason why (most) of Bitcoin transactions are not (much) threatened by quantum computers is that in modern Bitcoin addresses the public key connected to the wallet is not actually exposed (so, not really public), only the hash of it, which limits a lot the capabilities of an attacker. However, there are still many old wallets out there with the old address format, which does expose the public key. Those funds are at at risk until they are moved to a new format address.

Re:

[h33t l4x0r]

Don't be old-wallet-shaming us bro. My dad climbed up and down Mt Gox to get this wallet. Uphill. Both ways.

Does the key get exposed during a transaction?

[Myria]

I've never used Bitcoin before. Does the public key associated with a wallet get exposed during a transaction so that it can be authorized?

how & why could it / would it?

[FudRucker]

a methodical and/or dictionary style of attack at cracking it
vs..
a randomized quantum attack at cracking it

its just two different methods of not producing results

The best thing we can do as IT professionals

[thegarbz]

is jump onboard this "bitcoin is broken and insecure" bandwagon and help bring about an end to this human display of mental retardation. Bonus point: we'd be doing something positive for climate change as well.

In related news...

[bradley13]

...fusion energy is only 10 years away.

Seriously, so far the results of quantum computing are exactly nowhere. Few qubits, poor repeatability, and the only problems "solved" better than digital computers are contrived.

What an enigma

[Anonymous Coward]

They say it wouldn't happen overnight, but what if it happened and they didn't realise - that's the real risk. Happened to Germany!

Top experts?

[FST]

Thorsten Groetker, former Utimaco CTO "and one of the top experts in the field of quantum computing."

This dude has one scientific publication since 1998 -- at a mediocre venue -- and less than 10 total. He probably couldn't get a PhD with that track record, let alone the title of "top expert".

Re:

[jmccue]

This dude has one scientific publication since 1998 -- at a mediocre venue -- and less than 10 total

That is on the normal WEB, he has hundreds of papers published on the Quantum WEB. If I tell you how to access it, the Quantum WEB will disappear

lol @ bitcoin && quantum computers

[Anonymous Coward]

Bitcoin Enthusiasts: "Nobody can change the algorithm, so nobody, not even the government, can just decide to print money at a faster rate.
Quantum Computer Enthusiasts: "What if our computer becomes faster than a regular computer?"
Bitcoin Enthusiasts: "They will just change the algorithm."

I'll believe it when it happens

[OneHundredAndTen]

Unless a big breakthrough takes place in the meantime, given the slow progress in the number of effective qubits added every year in ten years time quantum computers will still be solving highly ad-hoc problems without any practical applications, toy ones, and very little else.

Moronic Post - missed the biggest mitigation

[FeelGood314]

Your wallet is safe even from a quantum computer that could crack your private key from your public key if you only use it once because your public key is not on the block chain until you spend. Your wallet is a 256 bit hash of your public key. A quantum computer can make finding you public key an order 2^128 computations but that is still secure till the end of time. So the attack against your private key can only really begin once you spend money from your wallet. As long as you always spend all the money in your wallet you are safe. This is true for almost all crypto currencies today.

Just spend all the money you own all at once!

[Geoffrey.landis]

Interesting!

I'm not sure that "your money is secure if every time you buy something you spend all the money you own" is a good system.

I assume the solution is that you need a separate wallet for every purchase. Seems like this is going to proliferate the number of wallets radically. Is this a problem?

Re:

[FeelGood314]

A wallet is just a big number. There is no issue with having the unspent portion of one wallet go into a new wallet. It is actually a requirement of some cryptocurrencies (Monero).

Re:

[Anonymous Coward]

Was it a raid on the hackers' money laundering organ?

Some have speculated that since pretty much any gang-related ransom demands are pretty much always at some level sanctioned by the Putin's government (or at least with its knowledge), once they stepped into that pile of dog poop that was the pipeline attack, garnering international attention, the culprits were told "take that money, and transfer it immediately to this other wallet the FBI has setup, lest you want to end up sleeping with the fishes."

So likely no "hack" or raid at all, just internal politica

Buy now!!!

[byromaniac]

Yes, the asset has no inherent value and will evaporate in the not too distant future, but prices can only go up!!
It could only be better if they had called it tulip-coin.

Wouldn't the attacker need to keep it a secret?

[lamer01]

If the attack is discovered, it will crater the value of bitcoin thus making the attacker lose a significant portion of their gains. The attacker would need to somehow drain funds and convert to FIAT without disrupting the value of BTC.

Already insecure

[TJHook3r]

There are already cases where Bitcoin has been linked to users and enabled takedowns of darknet sites. I guess the costs are not justified for every offence but surely bitcoin users do not expect that it is completely anonymous? If nothing else, the taxman would be very interested in hitting those who have made millions in capital gains - or simply stake out Lamborghini showrooms!

Always idiots...

[AcidFnTonic]

I recall all the heated conversation around cracking MD5 when everyone kept saying "BUT IT REQUIRES MORE ENERGY THAN THE NUMBER OF ATOMS IN THE UNIVERSE TO CRACK!!!!"

Then it was cracked. Same for this.

Are there any functioning Quantum Computers?

[zkiwi34]

As in, are there any that actually do stuff. Maybe massive scientific calculations, maybe database stuff? Anything?

New wallets are a solvable problem

[viperidaenz]

What about cracking the hashing of blocks?
If you could rewrite part of a block in the chain while still making the following block valid, the entire blockchain is comprised and all your Bitcoins are worthless.
Obviously attacking a crypto currency by this means can't be financially motivated.
As the technology becomes more adopted by nations, it becomes political.

Good

[fantas]

It is logical that the smarter and more advanced computer technologies become, the more complex security systems become. While the current systems cope with all the complexities, I actively use the crypt on this site [nolimitcasino.com] . I also doubt this, because if there are computers that can do this, then the economy will collapse.

Curious comparison...

[martinfb]

How much electricity does the would-be crypto-cracking quantum computer use - compared to, say, bitcoin miners?