[AUDIENCE] My question is about security. I’ve listened
to one of your talks about quantum computing.
You said that we can assume the NSA has quantum computing currently.
My question is, how can we safeguard Bitcoin against quantum computing?
Once a threshold is reached,
they will be able to break into wallets.
[ANDREAS] That is a very good question.
Quantum computing isn’t an on/off thing… That is a double pun, actually. [Laughter] It is not that you either have quantum computing or you don’t have quantum computing. The [real] question is, how many qubits of quantum computing [power] do you have?
The number of qubits you would need to break [the current cryptographic algorithms in Bitcoin… and most blockchains] is greater than the wildest speculation of what intelligence agencies might have.
That doesn’t mean it doesn’t exist, but I am not worried about the NSA having quantum computing. A very basic concept in security: if you have a very powerful weapon, you do not
use it until you have a very good reason to use it.
One [illustrative example] is what happened in [the city of] Coventry when the British had broken Enigma. The most important secret was the fact that [Polish forces] had broken Enigma; otherwise, [the Germans] would change [the encipherment key settings]. To keep that secret, they had to do parallel construction.
If they found out [someplace would be] bombed, they would capture a German soldier who
knew about it and then say he told them, so that they would have a different [source of
knowledge than the deciphered messages].
When they didn’t have a different [source], they let the Germans bomb Coventry. Thousands of people died, to protect the secret [of Enigma being broken]. If the NSA has a quantum computer, they really don’t want people to know.
The quantum computer could also break the encryption
keys on all the nukes and nuclear submarines, communication keys in the military intelligence
networks, and all of the commercial networks.
I don’t think they will use it to break Bitcoin, if you know
what I mean. [Laughter] That is small fish to them. The real problem becomes when you have broad commercial availability of quantum computing, but not broad enough that all of us
can use it in [securing] our wallets. That interim period [will be] a bit awkward.
During that interim period, Bitcoin needs to [upgrade] its [cryptographic] algorithms. An interesting thing that [will] happen: while you can change the [cryptographic] algorithms in active wallets, some wallets have lost keys… or the people who had those keys are dead. They can’t change the signing algorithm, which means those wallets will be captured by quantum computers. We will know quantum computing [has reached the threshold] when Satoshi’s coins move. [Laughter]
[AUDIENCE] Thank you.
[ANDREAS] That is one of the reasons they [might] move. Eventually they will move… because someone will be able to break the keys. For the rest of [us in] the ecosystem, we can
migrate quite easily to another algorithm. It is not really as big of a threat as people think it is.
The next question comes from JJ:
“Satoshi’s one million coins and quantum computing.” “If the protocol [must] be upgraded to resist quantum [computing attacks], will such an upgrade likely… require manually moving funds to a new type of address?” “Would this mean everyone — including Satoshi with a million coins — would be forced to move their funds?” “If they can’t move [their funds], might they be claimed by a quantum computer, along with all funds [controlled by] lost keys, by essentially cracking those keys?” “Does quantum computing mean that, at some
point [in time], all lost coins could be reclaimed… because they can’t be moved to an upgraded address?” Yes, that is the case. First of all, we don’t know that Satoshi [owns] a million coins. It is difficult to attribute exactly how many [coins] were mined directly by Satoshi. So that is an estimate, but let’s say it is one million.
There is a lot more bitcoin which has been lost over the
I have lost keys [for] small amounts of bitcoin. I am sure many others have [lost keys] too.
So what [will] happen with those? Quantum computers [with sufficient qubits] would mean
the elliptic curve digital signature algorithm is vulnerable. There are two categories of [cryptographic]
algorithms used within Bitcoin: a hashing algorithm (SHA-256) and
a digital signature algorithm (ECDSA). Quantum computing [attacks] will most likely
affect the digital signature algorithm first.
Whether you can use a quantum algorithm to short-cut SHA-256… I’m not sure about that. I don’t know how easy it is. [Hashing] algorithms are in a different class and might require a different approach. Let’s say that ECDSA is affected. That means if you lost
your keys but had previously [spent from] that address, then [the] public key will be visible on the blockchain.
When you spend from an address, you [expose]
the public key and a digital signature. [As far as we know], Satoshi never spent any of the initial mined coins.
[However], the coinbase transactions used pay-to-public-key (P2PK) instead of pay-to-public-key-hash (P2PKH), [where the] address is the result of a
double hash [of the ECDSA public key]. If a quantum computer can [reverse an] ECDSA [public
key] but not SHA-256, coins [acquired via P2PKH]… are safe, [but Satoshi’s P2PK coins are not safe, as
this means the public keys are already exposed]. The only other coins affected are the ones [in]
addresses that have been reused several times. That is one of the reasons why it is a best practice to only use an address once; the first time a signature… appears on the blockchain [and the public key]
is [exposed], those funds should have moved. [The address is] empty and never gets used again,
that key never gets used again. Even if the public key can be cracked in the future,
it results in a private key that doesn’t control funds, because you only used it once. That means people who don’t follow the best practice
may have their keys affected by quantum computing… long before people who do use that practice.
[Though again], Satoshi’s one million coins never moved,
[but are exposed due to pay-to-public-key (P2PK)]. Quantum computing doesn’t necessarily mean
that all coins are vulnerable immediately. It’s only the case for those where [the
public key] is visible on the blockchain. If SHA-256 is vulnerable but ECDSA isn’t, then
you can reverse the address to a public key perhaps. That would [be] a very big vulnerability, not simply
finding a collision but reversing the hash algorithm, which is a whole different class of problem.
In that case, you [must still reverse] the
[resulting] public key [to get] the private key. You [must] break both SHA-256 and ECDSA to [take]
funds from an address which has never been reused… [as long as it doesn’t use pay-to-public-key (P2PK)]. It is not as simple [as you might expect], but if quantum
computing becomes a problem, we will need to… move funds to a new type of address [with keys]
from a quantum-secure digital signature algorithm. [This will not be a] problem for
the foreseeable future, of course.
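The P2PK versus P2PKH distinction drawn above, as an added example that is not part of the talk: it builds the two output script templates, then decides which constructed outputs already have their ECDSA public key visible on-chain (P2PK outputs always, P2PKH outputs only once spent from), so an ECDSA-only break that leaves SHA-256 intact would reach them. Keys and signatures are constructed placeholders, and `hash160` falls back to a labelled stand-in where the Python build lacks RIPEMD-160.

```python
"""Added example (not from the talk): which constructed UTXOs already expose their ECDSA key on-chain."""
import hashlib
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def hash160(data: bytes) -> bytes:
    """Bitcoin's HASH160 = RIPEMD160(SHA256(x)); stand-in if OpenSSL lacks RIPEMD-160."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]  # labelled stand-in, NOT Bitcoin-correct

def p2pk(pubkey: bytes) -> bytes:
    """<pubkey> OP_CHECKSIG: the key sits in the output itself (Satoshi-era coinbases)."""
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])

def p2pkh(pubkey: bytes) -> bytes:
    """OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG: only the hash is on-chain."""
    return bytes([OP_DUP, OP_HASH160, 20]) + hash160(pubkey) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

def scriptsig_p2pkh(pubkey: bytes) -> bytes:
    """Spending a P2PKH output pushes <sig> <pubkey>, which reveals the key."""
    sig = b"\x30" + b"\x00" * 70  # constructed dummy signature, not a valid DER signature
    return bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey

def revealed_hashes(scriptsigs) -> set:
    """HASH160 of every public key pushed in a P2PKH scriptSig seen so far."""
    out = set()
    for s in scriptsigs:
        pub = s[s[0] + 2:]
        if len(pub) == s[s[0] + 1]:
            out.add(hash160(pub))
    return out

def key_exposed(script_pubkey: bytes, revealed: set) -> bool:
    """True if an ECDSA-only break already reaches this output's key."""
    n = script_pubkey[0]
    if n in (33, 65) and len(script_pubkey) == n + 2 and script_pubkey[-1] == OP_CHECKSIG:
        return True  # P2PK: key exposed in the output
    if len(script_pubkey) == 25 and script_pubkey[:3] == bytes([OP_DUP, OP_HASH160, 20]):
        return script_pubkey[3:23] in revealed  # P2PKH: exposed only once spent from
    return False

def classify_demo() -> dict:
    """Three constructed keys: P2PK coinbase, single-use P2PKH, reused-and-spent P2PKH."""
    k_a, k_b, k_c = bytes([2]) + b"\xaa" * 32, bytes([3]) + b"\xbb" * 32, bytes([2]) + b"\xcc" * 32
    revealed = revealed_hashes([scriptsig_p2pkh(k_c)])  # k_c spent once, funds remain at it
    return {"p2pk_coinbase": key_exposed(p2pk(k_a), revealed),
            "p2pkh_single_use": key_exposed(p2pkh(k_b), revealed),
            "p2pkh_reused": key_exposed(p2pkh(k_c), revealed)}
```

The reused P2PKH key is flagged even though its output was never itself spent, which is the on-chain footprint of the address-reuse problem described in the talk.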