All 21 million Bitcoin is at risk from quantum computers

    kim
    #1

    It’s widely believed that only about 25% to 30% of Bitcoin is at risk of being attacked in the future by quantum computers.

    For example, Project 11’s Bitcoin Risq List currently lists 6,887,180 Bitcoin worth more than $450 billion as at risk. It defines “at risk” as Bitcoin held in addresses with exposed public keys. Around 3-4 million of this is believed lost and can’t be upgraded to quantum secure.

    But that’s not the whole story.

    In fact, all 21 million Bitcoin, barring lost coins in quantum secure addresses, can theoretically be broken by sufficiently advanced quantum computers as soon as the coins are spent, if nothing is done to move to post-quantum security.

    It’s just that the one in four Bitcoin held in the old address types are the easiest to attack and will be stolen first. A quantum computer could grind away for months if required to attack Satoshi’s coins, which have had their public keys exposed for the past 15 years.

    But the remainder of the Bitcoin supply will still be vulnerable to more sophisticated attackers. That’s because when you spend Bitcoin, the public keys are exposed in the mempool for as long as it takes for the transaction to be processed.

    Typically, that period lasts between 10 minutes and 60 minutes, depending on network usage, providing a brief window of time for an attack. As quantum computers scale up, it’s believed they’ll one day be able to perform a “just in time” attack.

    “If you want to spend your Bitcoin, you have to reveal the public key,” explains Yoon Auh, CEO of BOLTS, which is running a proof of concept for the Canton network with its QFlex technology that hotswaps quantum-proof signatures during a session.

    “You can’t get around that. And the problem is that your bad actor will become a big Bitcoin miner and intercept that transaction from ever happening.”

    Charles Edwards from Capriole has been agitating to upgrade Bitcoin to post-quantum security and says a short-range attack is much more difficult.

    “The difference, I suppose, why that’s not probably discussed as much at the moment, is because the technical capability to do that is much more advanced. You have to be able to move and solve and decrypt very quickly to do what that is, which is to basically steal coins in the mempool, and effectively hack every single Bitcoin.”

    He says that means the coins with public keys exposed for years will be attacked first.

    “That’s kind of the easy money, then the next step is, as the technology progresses, is to just attack the entire chain. So every coin, if your time horizon is long enough, every coin will be taken long term.”

    BIP-360 does not prevent short exposure attacks

    The recently updated BIP-360 proposal outlines the danger explicitly. The proposal creates a new address type (output) called Pay To Merkle Root (P2MR) that should enable a considerable proportion of the at-risk Bitcoin to be moved to quantum-resilient addresses.

    However, the proposal specifically cautions that P2MR outputs are only resistant to long exposure attacks on elliptic curve cryptography; that is, attacks on keys exposed for time periods longer than needed to confirm a spending transaction.


    “Protection against more sophisticated quantum attacks, including protection against private key recovery from public keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. short exposure attacks), may require the introduction of post-quantum signatures in Bitcoin.”

    BIP-360 co-author Ethan Heilman tells Magazine that long exposure attacks are the big threat that needs to be tackled first:

    “With short-exposure attacks, the attacker only learns the public key after the output is spent. This means the attacker is in a race to break the public key and double-spend the transaction, before the honest transaction is confirmed by a miner.

    “It is likely that the first quantum computers that are a threat to Bitcoin will take a very long time to break a public key. Imagine you have a quantum computer that takes 6 months to break a public key. It wouldn’t make sense to do short exposure attacks. However, a giant pile of coins in an output that exposes the public key would make sense.”

    Is a short-range quantum attack on Bitcoin possible?

    A short-range attack is possible in theory, but no one really knows how many years it will take before a cryptographically relevant quantum computer has enough physical qubits running fast enough to take advantage of that window of time.

    Construction began on the first quantum computer facility with 1 million physical qubits in Chicago last week. It’s targeting completion in 2027. PsiQuantum raised $1 billion from funds affiliated with BlackRock, so investors certainly believe the tech is close enough to spend large sums of money on.

    The estimated number of physical qubits required to break encryption has dropped sharply in the past few years. In February, a preprint scientific paper called “The Pinnacle Architecture” suggested that 2048-bit RSA encryption could be broken in around one month with less than one hundred thousand physical qubits or in one day with 471,000 qubits.


    The security of RSA encryption relies on how difficult it is to factor prime numbers, while Bitcoin’s elliptic curve cryptography does not, so the research isn’t a precise guide, but some believe ECC would be even easier to crack.

    Quantum computing expert Professor Scott Aaronson said that RSA encryption uses 2048-bit keys while Bitcoin’s ECC uses 256-bit keys, making it easier to crack because Shor’s algorithm mostly just cares about the key size.

    How long will it take to crack Bitcoin with a quantum computer?

    According to Deloitte partner Marc Verdonk’s research report “Quantum computers and the Bitcoin blockchain”: “Current scientific estimations predict that a quantum computer will take about 8 hours to break an RSA key, and some specific calculations predict that a Bitcoin signature could be hacked within 30 minutes.”

    Verdonk says that would still provide protection from a short-range attack but cautions the field is still in its infancy. “It is unclear how fast such a quantum computer will become in the future. If a quantum computer will ever get closer to the 10 minutes mark to derive a private key from its public key, then the Bitcoin blockchain will be inherently broken.”

    There are also trenchant critics of the idea that quantum computers will ever be affordable and fast enough to even make long-range attacks feasible on the majority of at-risk addresses.

    CoinShares’ Christopher Bendiksen put out a report recently arguing that only about 10,200 Bitcoin could realistically be stolen. He claims that most of the OG miners’ coins are in 32,607 individual addresses that would take “millennia to unlock even in the most outlandishly optimistic scenarios of technical progression in quantum computing.”

    Bendiksen claims that to break Bitcoin within a day would require a quantum computer with 13 million physical qubits, and to do so within an hour would require a quantum computer that’s 3 million times better than Google Willow’s 105 qubits.


    The assertion is based on research from 2022, which does appear to be the most recent research looking at breaking Bitcoin specifically.

    However, the dramatically lower estimates last month for breaking RSA with 100,000 qubits suggest this research may now be outdated. The 2022 paper itself stated that RSA-2048 is of a comparable difficulty to the EC encryption of Bitcoin.

    The type of quantum computer matters

    Ethereum researcher Justin Drake was asked about Bendiksen’s report on Unchained, and while he hadn’t read it, he took issue with its timeframes.

    Drake said the amount of time to crack a private key will depend on how research into different types of qubits progresses. Google is researching superconducting qubits while firms like PsiQuantum encode qubits in photons that enable rapid gate operations. Both types of qubits are very fast. Other research into trapped ions and neutral atoms prioritizes coherence over speed.

    “There’s different quantum computing modalities,” Drake pointed out. “You know, there’s the fast computers, the superconducting and photonics, and then the slow ones, the trapped ions and the neutral atoms. If you have the fast flavor, so for example, you have Google working on the superconducting stuff, then the estimate for the time it takes to crack a key is on the order of minutes, like roughly ten minutes.”

    Why a short-range attack may not be worth it anyway

    Edwards says that while short-range attacks are theoretically possible, the economics probably won’t justify them after the first long-range attacks on Bitcoin tank the price.

    “Obviously, that wouldn’t happen in reality because once the capability got there, then probably no one would even hold Bitcoin or the value would be next to zero, so no one would bother.

    “That’s why we have to solve this, right? Like, if we want this network to thrive and go much higher, like we all would like to see, then we need to upgrade the network. Like, no action is just not an option at all anymore.”

    source: https://www.tradingview.com/news/cointelegraph:f8eb9443c094b:0-all-21-million-bitcoin-is-at-risk-from-quantum-computers/
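
The long-exposure versus short-exposure distinction described in the post can be applied to a wallet's own unspent outputs. The following is an added example, not part of the original post or of BIP-360: it sorts outputs by whether the public key is already on-chain (long exposure) or is revealed only when the output is spent (short exposure). The script templates are the standard Bitcoin output formats; the `spent_from_before` flag and the sample scripts are constructed assumptions for illustration.

```python
# Added example: sort unspent outputs by quantum exposure class.
LONG = "long-exposure"    # public key is already on-chain while coins sit unspent
SHORT = "short-exposure"  # key or script is revealed only in the spending transaction
UNKNOWN = "unknown"

def classify_script(script_hex):
    """Return (script_type, exposure) for a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <33- or 65-byte public key push> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", LONG
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", SHORT
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", SHORT
    if n == 22 and s[:2] == b"\x00\x14":   # witness v0, 20-byte key hash
        return "p2wpkh", SHORT
    if n == 34 and s[:2] == b"\x00\x20":   # witness v0, 32-byte script hash
        return "p2wsh", SHORT
    if n == 34 and s[:2] == b"\x51\x20":   # witness v1: output key is in the script
        return "p2tr", LONG
    return "unknown", UNKNOWN

def audit(utxos):
    """Sum satoshis per exposure class; a hashed address that was spent from
    before has already revealed its key, so its remaining coins count as LONG."""
    totals = {LONG: 0, SHORT: 0, UNKNOWN: 0}
    for u in utxos:
        _, exposure = classify_script(u["script"])
        if exposure == SHORT and u.get("spent_from_before"):
            exposure = LONG
        totals[exposure] += u["sats"]
    return totals

# Constructed sample data (filler bytes, not real keys or hashes).
SAMPLE_UTXOS = [
    {"script": "41" + "04" + "11" * 64 + "ac", "sats": 5_000_000_000},
    {"script": "76a914" + "33" * 20 + "88ac", "sats": 100_000},
    {"script": "76a914" + "33" * 20 + "88ac", "sats": 250_000, "spent_from_before": True},
    {"script": "0014" + "44" * 20, "sats": 40_000},
    {"script": "5120" + "55" * 32, "sats": 75_000},
]

if __name__ == "__main__":
    for cls, sats in audit(SAMPLE_UTXOS).items():
        print(f"{cls:15s} {sats / 1e8:.8f} BTC")
```

Outputs in the short-exposure class are the ones whose keys appear only in the mempool at spend time; moving long-exposure outputs to a fresh hashed address takes them out of the group the post says would be attacked first.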