
ECC

Etherconnect


Reddit Posts

r/Bitcoin: Are P2WSH addresses the most quantum-secure addresses?
r/Bitcoin: Let's have one last discussion about quantum computers.
r/CryptoCurrency: Brave brings privacy to Web3 with ECC and Filecoin partnership
r/Bitcoin: How is ECC used in Bitcoin?
r/CryptoCurrency: Hacker Steals 24M from rETH Whale [NEW INFORMATION]
r/Bitcoin: Should I share possible "new" math methods regarding online cryptography?
r/Bitcoin: Clues?
r/CryptoCurrency: Can quantum computing trivialize cryptocurrency?
r/Bitcoin: Question: need help for book I am writing
r/Bitcoin: Can Bitcoin be cracked by quantum computers?
r/CryptoMarkets: Zcash, the popular privacy-focused Blockchain, released a new version of its full node software on Thursday, according to a post by its creator Electronic Coin Company (ECC). The software version 5.5.0 introduces several bug fixes, a proportional fee mechanism, and lays the groundwork for ...
r/SatoshiStreetBets: Empire Capital & Roundable App
r/CryptoMoonShots: Empire Capital / Roundable App
r/Bitcoin: Maximalism in the computer era versus bitcoin maximalism. Any parallel possible?
r/CryptoCurrency: Maximalism in the computer era versus bitcoin maximalism. Any parallel possible?
r/Bitcoin: Difference between ECC and ECDSA
r/CryptoCurrency: Pulsechain Airdrop - Scam or not?
r/CryptoCurrency: Zcash to Proof of Stake? Approach, focus, and next steps - Electric Coin Company [ECC]
r/CryptoCurrency: $4M Size ECC Launching Real-World Crypto Round-up app in the Next Few Months
r/Bitcoin: Encryptogeddon is coming for us all!!!
r/CryptoCurrency: Bitcoin Advanced System Recovery 2022
r/CryptoMoonShots: Fox Inu / Stealth Launched 1h ago — The next 1000X Altcoin — Real Project with solid fundamentals and experienced team - Community Growing so fast!
r/CryptoMoonShots: Fox Inu $FInu Just Launched 30min ago!!! Airdrop: 50$ worth of token when we reach 50 members in our official telegram group !
r/CryptoMoonShots: Fox Inu $FInu Just Stealth Launched!!! | MemeUtility Token on the BSC Network! LP Locked, New opportunity for a Fox Parabolic Moon shot !
r/CryptoMoonShots: Saint Valentine | Stealth Launched!!|Locked Link Provided!|Simply hold Saint Valentine and get paid 10%!|Enter telegram and get in early! | | Auto staking rewards | Voice chat before launch | Amazing Team| Don't Miss This Gem!!|
r/CryptoCurrency: Understanding ECC, the technology behind Litecoin's new privacy update: Mimblewimble
r/CryptoCurrency: Taking a look at Elliptic Curve Cryptography (ECC), the encryption process behind Litecoin's newfound privacy fortune
r/CryptoMoonShots: ♑️Paragon Capital💎Micro MC 💎 Your Next Moonshot♑️
r/CryptoMoonShots: Empire Capital Token (ECC) – Defi 3.0 Layer of Yield Generating Protocols | True 1% Burn on Every Transaction | Incorporated Investment Firm | Hold ECC and Gain Exposure to Yield on All Chains
r/CryptoMarkets: $ECC Empire Capital Token Hits #1 Today On CMC
r/CryptoCurrency: $ECC - Empire Capital Token - This is where my money is going! #1 on CMC today!
r/Bitcoin: CHARITY
r/CryptoMoonShots: EmpireCapital (ECC) Fair Launched Yesterday - Low Market Cap - Strong Utility - Based Dev Team - Earn Yield By Holding
r/CryptoCurrency: Confusion on Public Key Cryptography and digital signatures
r/CryptoMoonShots: Reward Switch Everyday♻️ Dev Doxxed ✅ Low MC Gem💎
r/CryptoCurrency: 100 Crypto Quotes - The Good, the Bold and the Ugly
r/CryptoMoonShots: Reward Switching Everyday $RSE 🔥| Doxxed dev Video and VC ✅ | 1 Day old Gem 💎 | ADA rewards for Today | Low Cap < 50 K Potential 1 M cap 🚀
r/CryptoMoonShots: Doxxed dev 🔥 | Reward Switching Everyday | ADA rewards now ⚠️ | stealth launched today 💎
r/CryptoMoonShots: SafeMoonCake is the original next-gen token that rewards you with CAKE airdrops! Only 40k mc!
r/CryptoMoonShots: 🐱Cake Kitty 🍰 Fair Launched 30 Minutes Ago! Active Community with Low mcap! Earn Cake Rewards just by holding | 1000X Potential!
r/CryptoMoonShots: 🐱Cake Kitty 🍰 Fair Launched Right Now! Earn Cake Rewards just by holding | 1000X Potential!
r/CryptoMoonShots: 🐱Cake Kitty 🍰 Fair Launching in just 10 Minutes! Earn Cake Rewards just by holding | 1000X Potential!
r/CryptoMoonShots: 🐱Cake Kitty 🍰 Fair Launching in only 30 Minutes! Earn Cake Rewards | 1000X Potential!
r/CryptoMoonShots: 🐱Cake Kitty 🍰 Fair Launch in 1 Hour! Earn Cake Rewards | 1000X Potential!
r/CryptoMoonShots: 🐱BabyKittyCake 🍰 just Fair Launched!! Earn Cake Rewards when you hold BabyKittyCake | 1000X Potential!
r/CryptoMoonShots: 🐱 BabyKittyCake just Fair Launched! ! 🍩 Earn Cake Rewards when you hold BabyKittyCake | 1000X Potential! 🚀
r/CryptoMoonShots: 🍰 CAKE LOVER | 8% Cake Rewards to Holders | Stealthed Launch | SAFU 🍰
r/CryptoMoonShots: 🥞CakeLover🥞 This Big Daddy just Did a Stealthed - only at 6k Mcap!! Huge Cake rewards!! 100x from here, Join TG: CakeLoverBSC
r/CryptoMoonShots: 🥞CakeLover🥞 Just stealth launch with low 5k mcap ,cake rewards! SAFU ownership renounced [ tg:Cakeloverbsc ]
r/CryptoMoonShots: 🥞CakeLover🥞 Is a Heaven for all the cake lovers , join us and get cake rewards! Based dev, safu project [ tg:Cakeloverbsc ]
r/CryptoMoonShots: HoneyMoney ! Gains are sweet as Honey 🎂 Stealth Launched just now, marketing push soon
r/CryptoMoonShots: FriendOfCake - Stealth launch - Automatic $CAKE reward - LP Locked 100%
r/CryptoMoonShots: 🍰 UltraCakePrint 🍰 - Stealth Launch - Nano Mcap Gem - LP Locked - Renounced - CAKE reward
r/CryptoCurrency: Hurry up buy $50 Ecc token and earn free 20:1 eyfi token
r/CryptoMoonShots: 🚀CornDog 💎Just fair launched with ONLY $500 Market Cap 🤑
r/CryptoMoonShots: 🦄AstroUnicorn Token - deflationary meme token, not even one hour old, $2k market cap, locked liquidity!
r/CryptoMoonShots: 🚀 ShibaMoon 🚀 is now launching! [1 Minute Old] [8k$ market cap]
r/CryptoMoonShots: 🚀 ShibaMoon just launched! 8k market cap!
r/CryptoMoonShots: 🚀 ShibaMoon 🚀 is now launching! [1 Minute Old] [3k$ market cap]
r/CryptoCurrency: VENUSIA - Official NFTs Model Content Platform
r/CryptoMoonShots: 🐱 KITTEN Finance DeFi Platform is Skyrocketing 🚀 Get in while its still early 🔥
r/CryptoMoonShots: 🧼SoapFarm🧼BSC ULTRA-Aggregator Project🧼$SOAP🧼
r/CryptoCurrency: Founders of Tezos and ethereum join ECC
r/Bitcoin: I coded a Java application to generate bitcoin addresses, sign transactions and brute force private keys. Is it worth anything?

Mentions

This is not strictly true. The upgrade from RSA to ECC on the card networks took years. The NSA monitors the resilience to attack of encryption methods. I would imagine that there are few quantum computing sites with the facilities, let alone know-how, to mount a credible attack. Those that will be monitored by the NSA, if not, they should be.

Mentions:#ECC

While you got some things right you forgot one key thing for the attack to succeed. First you need a quantum computer with 6x qubits of the key length for ECC, which means for bitcoin that uses 256-bit keys, you'll need 1536 qubits. That's not a small feat, and I won't get into the details but it's not coming in 5 years that's for sure. Second and most importantly you'll need a public key to try this attack, and this information is not disclosed until you send bitcoin from an address. The address is a hash derived from the public key, and cannot be reversed of course. Basically if you just use an address to accumulate bitcoin, it's not vulnerable to quantum computers, until you send bitcoins from it. That's why it's a recommendation to not reuse addresses and always generate new ones.

Mentions:#ECC

20 funds selected for monthly dividend distribution: Fund Ticker.....annual Yield ECC.....18.73% ACP..... 17.7% CRF.....17.67% SVOL..... 16.27% IGR...... 13.64% RYLD.... 11.9% RIV..... 12.77% RYLD..... 11.51% THW..... 11.13% MORT..... 10.71% XYLD..... 9.47% SPE..... 8.5% ETJ..... 8.3% EXG..... 8.16% LGI..... 7.88% JEPI..... 7.24% AMZA..... 7.17% EINC..... 3.49% Almost pure ETFs. Some closed ended funds. Main theory behind it was to promote DCA. All the dividends get reinvested to rebalance the portfolio to an even 5% split across 20 funds. I'll prune out the closed ended funds this year and rebalance for pure ETF portfolio. But again, this is about 50% of my brokerage account. With these funds exceed the allocation for it, the dividends buy BTC etfs and other growth focused ETFs that may have quarterly, annual, or no dividend at all.

Supercomputers cannot break 128-bit cryptography, that is like guessing the one correct atom in the visible universe, and guessing has a cost of energy and computation. However, quantum computers could break ECC cryptography, although all indications point to that being far away or perhaps not possible given the current rate of errors. Bitcoin may need to eventually adopt quantum-secure digital signature schemes, but all lost or unmoved coins could be stolen.

Mentions:#ECC

Depends on what you're thinking about. I don't think quantum computers will overtake bitcoin mining. It would simply cost too much. One thing I tend not to hear actually is about how efficient quantum computing is compared to bit computing. For sure it will be faster, but how much power does it take to reach that speed? If we're talking about cracking addresses, there's SHA256, there's the ECC algorithm, there's usually some SHA512 in HD wallets (which is basically all wallets now). So cracking an address is hard and cracking a wallet is even harder. I just don't think it's worth being worried about right now.

Mentions:#SHA#ECC

One of the most significant threats quantum computers pose to SHA-256 is their ability to efficiently perform Shor’s algorithm. Shor’s algorithm can factor large numbers exponentially faster than the best-known classical algorithms, which could compromise the security of widely used encryption methods like RSA and ECC. These encryption methods often rely on the difficulty of factoring large numbers for their security. Quantum computers also threaten the security of hash functions like SHA-256 by utilizing Grover’s algorithm. Grover’s algorithm can search unsorted databases quadratically faster than classical algorithms, making brute-force attacks on hash functions more feasible. While a 256-bit hash is still considered secure against classical attacks, it is theoretically as secure as a 128-bit hash against quantum attacks.

Mentions:#SHA#ECC

Depends how well grounded you are in computer science and cryptography. As a software engineer, I was able to comprehend the paper the first time I read through it, and then diving in to the Bitcoin Core code solidified it all even more. I still don't understand ECC math but I do trust that the cryptography is strong.

Mentions:#ECC
r/Bitcoin

I also wondered if there is a proof for addresses which cannot have a private key. Where do you have this address from? Link? I guess it falls mathematically into the same category as elliptic curve cryptography (ECC). BTC relies on the discrete logarithm problem, but there is also no proof for this. So in this sense BTC is as "risky" as the famous N vs NP problem. If you think N=NP, then you should not buy BTC 😎

Mentions:#ECC#BTC
r/Bitcoin

Hmmm this is what I was thinking as well, sounds like the best possible 'solution'. Backward compatibility is a pretty core feature of Bitcoin, at a minimum it would create another fork, but I don't know how else to do it if ECC and SHA 256 are compromised then those stashes of old coins will crash the market hard. But Bitcoin would still survive, so what's worse, a massive market crash or requiring everyone to recreate their private keys or forfeit their funds.

Mentions:#ECC#SHA

BTW ECC algorithm used by BTC,ETH,etc is also time constant.

Mentions:#ECC#BTC#ETH

76302 0xD85C478106D15ECC391409cc212b36Fd07e7B6BD

Mentions:#ECC#BD

1. 428,929 2. 0x346ca5B85a0eec8FA0ECC59fd0b5aea6Da184055

Mentions:#ECC

I mean obviously you bought it already and are now trying pump it by posting here...we aren't completely gullible! But I'm glad to have given you some key words to search for. It seems sensible to get a basic understanding of cryptography if you want to invest in quantum resistance projects... otherwise you're just going to get tricked by scammers using impressive sounding buzzwords. A good place to start would be CloudFlare's introduction to ECC: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

Mentions:#ECC
r/Bitcoin

Sha256 is a hashing algorithm. It is not encryption. iMessage used RSA and ECC. Bitcoin priv keys use ecdsa. QC is less of a threat to mining and double sha256 hashes than to ecdsa since there's a difficulty adjustment as well. So no QC "51% attack soon." Sha1 is bad, sha2 still works, and sha3 like Keccak already exists for a decade. There is no encryption in bitcoin so there's nothing to replace like what Apple is doing.

Mentions:#ECC
r/Bitcoin

It all started with ECC, but that is predated by RSA, so in 1977 Ron Rivest, Adi Shamir and Leonard Adleman but wait if you don't mind me taking a 30 second, maybe half-minute, detour - we should first look at prime numbers and the persona of Pythagoras... but to there, did you know that The Rhind Mathematical Papyrus, from around 1550 BC, has Egyptian fraction expansions of different forms for prime and composite numbers

Mentions:#ECC#BC
r/Bitcoin

> it's not as secure as a long password of random characters. It's every bit as secure *if it has the same entropy*. Which is *exactly* what a mnemonic in a deterministic wallet is about. It may be just a series of unaltered words from a limited dictionary, but it still has 128–256 bits of security. And it's easier to remember. Applying that to your example (), you could take 421 bits of entropy, pad them with 8 checksum bits, and turn them into 39 words from a 2048-word dictionary, and have something just as secure. And not need to be a savant to remember it. But 421 bits is pretty extreme, IMO. You're ignoring that Bitcoin keys have only 128 bits of security (because of a known attack on ECC), so no wallet password is going to provide protection much better than that.

Mentions:#IMO#ECC
r/Bitcoin

Apologies if I've misunderstood what you're expressing here, but looking at the *NSA kleptographic backdoor in the Dual_EC_DRBG PRNG* section you pointed out, we read: "(NSA) inserted a backdoor into a pseudorandom number generator (PRNG) of NIST SP 800-90A...as independent security experts long suspected", citing [a 2007 Wired article by (eminent) cryptographer Bruce Schneier](https://www.wired.com/2007/11/securitymatters-1115/). Put plainly, cryptographers were (publicly!) suspicious of NIST crypto recommendations before Bitcoin was released (2009). Thus the suggestion that *not* using NIST ECC curves implies some kind of NSA insider knowledge is silly.

Mentions:#ECC
r/Bitcoin

I think you may be right, but I still disagree with his conclusion; it seems an entirely unnecessary assumption that we should dismiss (per Occam's Razor). Do we really believe that the only way someone *wouldn't* choose an ECC curve from the US government's handpicked list is because that person worked for the intelligence agency? Would a dissident use NIST's curves? Would (say) a Russian engineer? There are many plausible explanations that fit the facts, so there's really no basis to make the assumption he does. It's probably not so obvious now, but if you were in software in the 90s, it was a *weird* time. [It was illegal to export "strong cryptography"](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States) in the US—what we'd now consider totally normal crypto your browser would use to talk to your bank's website was *illegal math*. Which meant normal browsers and other programs had to / were supposed to jump through weird hoops to weaken encryption if it they were available on the internet. The government was trying to [backdoor all voice and data transmissions through a special chip](https://en.wikipedia.org/wiki/Clipper_chip). There was a growing awareness that the Internet would be super important, but also that there was essentially *no* privacy. All of that got even worse after 9/11. My point in mentioning all of that is that the cypherpunks came up in that era, when trust in the US government with respect to all things digital was at an all time low, and the roots of Bitcoin trace back to that world. In a certain way, I'd be shocked if Satoshi *did* pick an off-the-shelf NIST ECC curve.

Mentions:#ECC
r/Bitcoin

This is not worth taking seriously. Presumably he's referring to the [secp256k1 elliptic curve](https://en.bitcoin.it/wiki/Secp256k1) Bitcoin uses with ECDSA, which *was* an unusual choice at the time. The choice of what curve parameters to use for encryption / signing is a question of *math*, which is to say that a "backdoor" in this sense really just means that someone else (*e.g.* the government) knows a way to make a certain math problem easy that others presume is always hard. A good cryptographer might come to an independent conclusion that a particular form of encryption is not safe, or even just *suspect* it and steer clear. There has been skepticism about government (*e.g.* NIST) suggested encryption algorithms / parameters long before Bitcoin existed—presumably from the *beginning* of published standards. And the cypherpunks (out of which Bitcoin grew) were exactly the type of folks to be skeptical. If Bitcoin was created by a three-letter agency, it would presumably use one of the backdoored algorithms so that the agency could gain advantage. The fact that it *doesn't* lends credence to the idea that it was *not* created by them. If he's just saying that the creator might have worked at one of those agencies at some point and knew which algorithms had vulnerabilities, fine—but what does it matter? There are numerous (perhaps infinite? I'm not intimately familiar with ECDSA) [choices of curves to use for ECC](https://safecurves.cr.yp.to/index.html). If you were aiming to build a secure, global, digital cash system, outside the reach of fiat, and you had the cryptographic proficiency, would you choose your (pivotal) encryption parameters from an opaque menu presented to you by a government, or would you come to an independent conclusion? Even if *you* trusted said government, would future users trust the system, knowing that that government might have a backdoor to that entire financial system? 
Moreover, "unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve" ([https://en.bitcoin.it/wiki/Secp256k1](https://en.bitcoin.it/wiki/Secp256k1)). This is a *great* quality to have if you're trying to inspire trust in your choice, and some kind of choice needed to be made. It seems like Satoshi made the best, most logical choice available to him / her / them.

Mentions:#ECC
r/Bitcoin

> My thinking was to use the Ian Coleman "IC" site for its strengths and choose a different language as any hacker getting it from the USA would likely try English

Why is English a problem? Are you thinking of dictionary attacks? I don't believe that applies here. Dictionary attacks work with *passwords* because people are not very random with their choice of passwords and like to make short ones based on a word or two. Key word: "choice". Passwords people choose tend to be low-entropy, because people are bad at randomness. However, here you are letting an RNG generate 128–256 bits of entropy. The mnemonic is nothing but an encoding of that entropy. It doesn't make it any easier to guess. But it *does* make it easier for you to handle as a human. That is, *if* you use the mnemonic, as opposed to just copying master keys or whatever.

> derivation 84 (I was just saying 32 because earlier because it was the standard and messing it with is a good way to make your coins unrecoverable) thru experimenting I realized only 84 will produce bc1 addresses, which I think is best going into the future.

BIP 84 is the standard that specifies the derivation path for P2WPKH (pay-to-witness-public-key-hash) wallets, P2WPKH being the script type that has "bc1q" addresses associated with it. So it makes sense you get those only if you choose BIP 84. Other choices there, other than BIP 32, correspond to other script types. One that is missing on that page is BIP 86, which is for P2TR (pay-to-Taproot) scripts, which have "bc1p" addresses. But then, Electrum doesn't yet support P2TR wallets.

> 1. ...
> 2. ...
> 3. ...

I'm not sure I understand what this is about. Were these different things you tried? Did you create multiple wallets using these different steps? Or something else?

> if I could get the QR to work that would be great, but getting the laptop camera to snap a picture in a mirror didn't work.

QR codes generally cannot be scanned in mirror image, as they are not designed to make such a distinction apparent to a scanner. A mirrored QR code looks superficially like a non-mirrored one turned a different way, but things are in the wrong places. If you really need to have a device scan a QR code from its own screen, you need to use an even number of mirrors, so the image goes back non-mirrored. However...

> However next to the camera button there was the choice to "Read from file". I snapped a screenshot (.png) and went to the .png file and entered it. It took a few seconds but it seemed to load/accept it

Yes, this is a lot easier. But is even that really necessary? Does Tails prevent you doing a simple copy-and-paste of the field, instead of going through all that rigamarole? I'm not familiar with use of Tails, so I don't actually know. But surely there is an easier way than what you're trying to do.

> enter 12 more custom words (this is another reason I'm using IC, I get a good set of 12 more words

This is your passphrase, then. That's what the "extend with custom words" option in Electrum is referring to.

> then the PassPhrase

There is no "then" at this point. You have already entered your second 12-word phrase as the passphrase. There is no option to add anything more. If you want to enter 24 words in Electrum (which is of dubious benefit, as Bitcoin keys, being ECC, only have ~128 bits of security, the same as the entropy you get through a 12-word mnemonic), then just generate a 24-word mnemonic, which Electrum will accept as a BIP 39 mnemonic. It's only Electrum mnemonics that must be 12 words.

> HERE IS the main reason I'm trying to use the IC -as long as it doesn't make my wallet unrecoverable- it generates a 100 digit passphrase, the longest allowable, in my brain

I hope you have a savant-level memory, because there is no way *I* would be able to remember something like that. And there is no way I can recommend it to anyone, including you.

Word of advice: unless you have superb discipline, don't try to get fancy with your security measures. A lot more people lose their bitcoin by losing or forgetting all the details of what they did than by actually having it stolen.

r/Bitcoin
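The two comments above (the reply about 421 bits of entropy becoming 39 words, and the reply about 12 versus 24 words) both rest on the same point: a BIP39 mnemonic is nothing but an encoding of the RNG's entropy plus a short checksum, so the phrase carries exactly as much security as the entropy behind it. The Python below is an added example, written for this page and not taken from either commenter, from Electrum, or from the Ian Coleman tool; it implements the BIP39 encoding rule (checksum = the first ENT/32 bits of SHA-256 over the entropy, then the concatenated bits are cut into 11-bit word indices) for the standard entropy sizes of 128 to 256 bits in steps of 32. The 2048-entry WORDLIST is a constructed placeholder standing in for the real BIP39 list; everything else follows the specification. Decoding recomputes the checksum, which is how a single mistyped word is detected (with probability 1 - 2^-CS, i.e. 15/16 for a 12-word phrase) before a wallet is ever derived from the wrong phrase.

```python
import hashlib
import secrets

# Constructed placeholder wordlist. BIP39 fixes a real list of 2048 words;
# synthetic tokens stand in here so the example runs offline.
WORDLIST = [f"word{i:04d}" for i in range(2048)]

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)


def word_count(entropy_bits):
    """Words needed for ENT entropy bits plus ENT/32 checksum bits, 11 bits per word."""
    if entropy_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128..256 bits in steps of 32")
    return (entropy_bits + entropy_bits // 32) // 11


def _checksum(entropy):
    """BIP39 checksum: the first ENT/32 bits of SHA-256(entropy). Returns (value, bit length)."""
    cs_bits = len(entropy) * 8 // 32
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits), cs_bits


def entropy_to_indices(entropy):
    """Append the checksum to the entropy and split the bit string into 11-bit indices."""
    if len(entropy) * 8 not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    checksum, cs_bits = _checksum(entropy)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = len(entropy) * 8 + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices):
    """Reverse the encoding and verify the checksum; raise ValueError on any corruption."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    total = len(indices) * 11
    cs_bits = total // 33          # ENT + ENT/32 = 33*ENT/32, so CS = total/33
    ent_bits = total - cs_bits
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index outside the 2048-word list")
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    if bits & ((1 << cs_bits) - 1) != _checksum(entropy)[0]:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def checksum_valid(indices):
    """True if the index list decodes cleanly, False if it fails any check."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def mnemonic_from_entropy(entropy):
    return " ".join(WORDLIST[i] for i in entropy_to_indices(entropy))


def entropy_from_mnemonic(mnemonic):
    lookup = {w: i for i, w in enumerate(WORDLIST)}
    words = mnemonic.split()
    unknown = [w for w in words if w not in lookup]
    if unknown:
        raise ValueError(f"words not in list: {unknown}")
    return indices_to_entropy([lookup[w] for w in words])


if __name__ == "__main__":
    for n in (16, 32):                      # 128- and 256-bit entropy
        ent = secrets.token_bytes(n)        # CSPRNG, as a wallet would use
        phrase = mnemonic_from_entropy(ent)
        assert entropy_from_mnemonic(phrase) == ent
        print(f"{n * 8}-bit entropy -> {len(phrase.split())} words")
```

The arithmetic the second comment relies on falls out directly: `word_count(128)` is 12 and `word_count(256)` is 24, and because the words are a deterministic encoding of the entropy, guessing the phrase is exactly as hard as guessing the entropy, regardless of which language's word list is used.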

Yes the reason is important. It’s important to stay in the loop, and try to be ahead of the news instead of behind it. I know that the amount of seed phrases is more than the atoms in the universe or whatever. But thanks for pointing out ECC, I’ll research it. It would be nice if our personal bank account was something more personal tho… like a feeling only you could have, lol. Thoughts about the future can get pretty wild. But I’ll take one of my atoms for now 😚

Mentions:#ECC
r/Bitcoin

Depends on the reason it went down. If it was just selling pressure then I’d buy as much as disposable income I could. If it was something way worse like someone figured out how to crack seed phrases… that’s when you’d want to be out. The good thing is that seed phrase cracking won’t be an issue unless some major technological breakthrough happens. Highly unlikely due to the nature of ECC.

Mentions:#ECC
r/CryptoCurrency

Are you sure about not using sha 256 for keys? On kraken's website they say: "Bitcoin uses elliptic curve cryptography (ECC) and the Secure Hash Algorithm 256 (SHA-256) to generate public keys from their respective private keys".

Mentions:#ECC#SHA
r/CryptoCurrency

Thats an old video but Shor's algorithm could break RSA-256 bit encryption with a quantum computer with about 4098 logical qubits and ECC-256 with around 2330 logical qubits. It's inevitable in the next few years.

Mentions:#ECC
r/CryptoCurrency

Not SHA-256. That's the mining puzzle algorithm. Public/private keys are based on ECC.

Mentions:#SHA#ECC
r/Bitcoin

> We have. Bitcoin will move away from elliptic curve crypto

Why? There is no reason to do that. While there are sound reasons to expect space mining of gold could become a reality in the next 15 - 75 years, using already existing technology and methods, there isn't any basis to expect ECC to become broken in the same time frame.

Mentions:#ECC
r/Bitcoin

Also, there's no cryptography in the Bitcoin blockchain. "The Bitcoin network and database itself does not use any encryption. As an open, distributed database, the blockchain has no need to encrypt data. All data passed between Bitcoin nodes is unencrypted in order to allow total strangers to interact over the Bitcoin network." Also, "ECDSA, which stands for Elliptic Curve Digital Signature Algorithm, uses the same mathematical primitives as ECC (elliptic curve cryptography) and, as such, also uses an asymmetric key pair of public and private keys. This is synonymous with other cryptography algorithms which use a public key to encrypt messages and a private key to decrypt them. However, these keys are not used to encrypt or decrypt anything." So, no cryptography, no anonymity, and no encryption. And being *pseudonymous* isn't worth much if you bought your BTC from a KYC exchange. Seems to me the title of the Wired article is just clickbait.

Mentions:#ECC#BTC
r/Bitcoin

Pretty sure my barista had a computer science degree this morning. It doesn't change the fact that you're wrong. You clearly don't even know what you are talking about since you repeated my error in mentioning sha256 instead of ECC. But please continue to parrot and misrepresent memes that were proven to be misleading over a decade ago.

Mentions:#ECC
r/Bitcoin

Mathematical shortcut being discovered for ECC.

Mentions:#ECC
r/CryptoCurrency

The whole blockchain doesn't need to be kept or stored. It says so right in the Bitcoin Whitepaper:

> 7. Reclaiming Disk Space
> Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree, with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.
> A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

Also, Satoshi said:

> Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes. At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node.
>
> The bandwidth might not be as prohibitive as you think. A typical transaction would be about 400 bytes (ECC is nicely compact). Each transaction has to be broadcast twice, so lets say 1KB per transaction. Visa processed 37 billion transactions in FY2008, or an average of 100 million transactions per day.
>
> That many transactions would take 100GB of bandwidth, or the size of 12 DVD or 2 HD quality movies, or about $18 worth of bandwidth at current prices.
>
> If the network were to get that big, it would take several years, and by then, sending 2 HD movies over the Internet would probably not seem like a big deal.
>
> Satoshi Nakamoto
> https://www.mail-archive.com/cryptography@metzdowd.com/msg09964.html

Mentions:#MB#RAM#ECC
r/CryptoCurrency

The majority didn't decide to keep the blocks small. Over 85% of nodes were signalling for a blocksize increase. I think your scenario of 1gb blocks is unrealistic, but if it were the case, the whole blockchain doesn't need to be kept or stored. It says so right in the Bitcoin Whitepaper:

> 7. Reclaiming Disk Space
> Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree, with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.
> A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

Also, Satoshi said:

> Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes. At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node.
>
> The bandwidth might not be as prohibitive as you think. A typical transaction would be about 400 bytes (ECC is nicely compact). Each transaction has to be broadcast twice, so lets say 1KB per transaction. Visa processed 37 billion transactions in FY2008, or an average of 100 million transactions per day.
>
> That many transactions would take 100GB of bandwidth, or the size of 12 DVD or 2 HD quality movies, or about $18 worth of bandwidth at current prices.
>
> If the network were to get that big, it would take several years, and by then, sending 2 HD movies over the Internet would probably not seem like a big deal.
>
> Satoshi Nakamoto
> https://www.mail-archive.com/cryptography@metzdowd.com/msg09964.html

r/Bitcoin

To make it more challenging there is no mathematical proof saying a shortcut is not possible in theory for ECC. Such a proof exists for DH on the other hand.

r/Bitcoin

An encryption algorithm takes an input value that you want to encrypt and an encryption key. It produces an unreadable series of letters and numbers. Anyone with the key can unlock that unreadable string and get the initial value. Encryption is a two-way thing. Hashing is a one-way thing. You take a value and a hashing algorithm like SHA-256 and you produce an unreadable string of characters. Once you do, there is no going back. You can test it out here: [https://emn178.github.io/online-tools/sha256.html](https://emn178.github.io/online-tools/sha256.html). The same algorithm will always produce the same hash for the same input.

Encryption is used when the information needs to be transferred through an untrusted medium and decrypted on the other end. Most common use case is SSL. When you put your credit card details in a web portal, they are encrypted to be sent to let's say MasterCard and decrypted there. Hashing is used when knowledge of the actual value is not needed on the other end. Best example is passwords on online platforms. Reddit for example does not store your password in clear text. It hashes it. Every time you login, they hash the password you provided and compare the hashes. The actual password is never stored on their servers. If someone steals the password hash they cannot derive the password. (To be more precise, they can if the algorithm is weak; google SHA-1 or rainbow tables.)

In the context of Bitcoin, many people think that SHA-256 is used for private key generation but that's not true. In very simplified terms, a bitcoin private key is a very large random number. So random that it would take you millions of years to guess an existing one. A public key is a hash of the private key using Elliptic Curve Cryptography. This is different from SHA-256 and even more powerful and hard to crack. Finally, a part of the public key is used along with some other info to generate your wallet's addresses using SHA-256.

For someone to crack Bitcoin they would have to first crack SHA-256 to acquire the public key and then crack ECC to get to your private key and spend your Bitcoin.

r/CryptoCurrency

Can you be more specific? ECC is pretty common and Ed25519 is considered safer than secp256k1 or whatever.

r/CryptoCurrency

I'm very much a person who is here because of the decentralisation. Solana does not fit that category. Even if someone wants to make the case that by definition it is decentralised because it's not running on one machine, sure, but it is so far on the scale of being centralised that it wouldn't even be a good point to make. What they will say is that this allows the network to process more TPS, but on the flip side, look at how many times the chain has been switched off because of the central control. Not to mention most of the TPS aren't actually TPS, but rather consensus messages added onto that metric so it looks like it's being used far more than it actually is. The hardware requirements to run a node are off the charts, for example suggested 256GB of ECC ram but recommended 512GB ECC "or more". At that point you're basically building your own mini data centre. They also recommend a 10GBit/s asymmetric commercial internet connection, so at that point you might as well just buy a machine in a datacentre anyway given that type of internet connection must cost a fortune. For me this isn't even possible, the highest I can get is 1Gbit/s. They need to pay node operators a huge amount of money because of the huge upfront and ongoing costs, and the Solana network barely makes any revenue in fees anyway, so where do they pay the node operators from? Via new coin issuance, which means high inflation, which means the network security is quite literally dependent on the price of Solana.

r/CryptoCurrency

It's the private keys themselves that are no longer secure (ECC is not quantum resistant, meaning there is an algorithm). Mining is the least of the problems. Bitcoin would simply become worthless.

r/CryptoCurrency

The math checks, shouldn't be any issue unless the basic arithmetic of ECC were vulnerable.

r/CryptoCurrency

There's no way this "ECC offset" strategy is secure for EOAs. Vanity addresses are already inherently less secure (EOA only, does not apply to contracts), and allowing others to generate the private keys using an offset is a terrible idea. It is only a matter of time until there are victims from this.

r/Bitcoin

Bitcoin stood on the shoulders of giants. It might have seemed sudden, but the groundwork for Bitcoin was being built decades before the white paper. Blockchains have actually been around since the 90s (although fairly different in design). There were many breakthroughs in the decades before the white paper: Hashcash, reusable proof of work, elliptic curve cryptography (ECC), Wei Dai's b-money. Digital cash has been the holy grail of Cypherpunks for a long time prior to bitcoin. It can feel like bitcoin appeared out of thin air, but there's a fascinating history to dig through of previous breakthroughs.

r/CryptoCurrency

Bitcoin uses ECC private keys and SHA256 hashes, it's crypto.

r/Bitcoin

Well, you heard it from OP first. IBM is now capable of breaking RSA or ECC in seconds. If only this 1.6T dollar industry full of the brightest engineers, mathematicians, scientists, and other academics could have seen this coming. All these roadmaps to upgrading to quantum resistant encryption, but we never stood a chance without OP. If only OP could just borrow one of these academics for a lesson on how to Google "How to short Bitcoin?". Feels bad.

r/Bitcoin

Another question, if I may: Am I correct in the assumption that the security of a 160bit P2WPKH address is 159bit against a classical computer and 129bit against a quantum computer? The classical computer simply has to try different private/public keys until it finds a suitable one that produces the address. So, this should take on average (2^160)/2 tries, that is 159 bit security. The quantum computer can use Grover's algorithm to find the preimage of the address (which is a RIPEMD-160 hash) within 2^80 iterations. But then it still has to find the preimage of the SHA-256 hash. Again, using Grover's algo, this halves to 128bits. Finally, it has to break the ECC to find the private key corresponding to the public key, which is again 128bits. So in total, approx. 129 bits.

PS: To preemptively defend myself, because often people get mad when you mention quantum computers: I know we are far away from this being a concern. In fact, we don't even know if quantum computers this strong are even possible to build. I don't mean to spread FUD, just asking out of curiosity.

r/Bitcoin

True, that's best practice. However, if an attacker really were able to beat the ECC, he may be able to frontrun your transaction, so nothing will be sent to your change address. That assumes that he can break the ECC and thus find your private key before the next block is mined, so he has approx. 10 minutes' time. Obviously all very unrealistic, but still fun to think about.

r/Bitcoin

1) Very much info, thank you! Do I understand this link correctly, that P2WPKH addresses only have 160 bits of brute-force resistance, since they again use RIPEMD-160? I would've thought they are considered "modern" and thus have 256 bits. https://en.bitcoin.it/wiki/Bech32

2) Another thing: afaik from reading some pages in Mastering Bitcoin, the ECC is only used to create public keys from private keys, while the address is then a hash of the public key, as explained in the link above. As long as you don't spend from an address, the public key remains secret and the ECC security is not relevant. Obviously, at the moment you broadcast a signed transaction, your pubkey is leaked, so if you ever want to spend Bitcoin (it's money after all), the ECC security is what matters.

r/Bitcoin

P2WSH addresses are 256 bits. But the length of the address isn't the limiting issue for security. ECC key pairs have a mathematical shortcut which reduces brute force effort by the square root. A 256-bit ECC secp256k1 Bitcoin key can be brute forced with 2^128 iterations, so it is 128-bit secure, not 256.

There's no need for more than 90 bits. Round up to 128 bits because 128 is a power of 2, and make a 12 word mnemonic by adding 4 checksum bits.

The passphrase has purposes apart from increasing the entropy. It also adds a usability risk, but that's a separate topic.

r/Bitcoin

Thank you for this answer! Can you explain to someone with limited knowledge on ECC why ECC only has the security equivalent to half the bits?

r/Bitcoin

Modern addresses have 256 bits, so really your question is basically done at that point. But ignoring that, it depends on how those 160 bits of seed are turned into an address. ECC only has security equivalent to half the bits. So normally a 256-bit key has 128 bits of security. But if you make a 160-bit key which lies in a regular subspace of the curve (as would be the case for just using a 160-bit private key) then you will only have 80 bits of security. This isn't the product of any kind of obscure attack; the *ordinary* and sensible attack against ECC (or any cryptosystem in a finite cyclic group) works via a collision search rather than an enumeration of all possible keys. So even in the 160-bit address case the ECC strength itself was already security-limiting against someone trying to find your private key. Why are modern addresses longer? For a couple of reasons, but the big one is that an attacker that tries to generate two different private keys that share a single address (like a multisig key involving you and one just involving them) only needs to do work equivalent to half the address length, so 160 bit addresses result in 80-bit security. 80 bits is not considered an acceptable level of security today (bitcoin's mining, to give a not very applicable example, has done many times 2^80 operations).

r/CryptoCurrency

ECC doesn't rely on multiplying prime numbers. Also you're totally ignoring the very basis of math. People found proof that these methods are secure. There are no patterns we can't see if there's mathematical proof.

r/CryptoCurrency

It's more theoretical, isn't the Shor algorithm suitable to crack RSA but not ECC? I've read in a paper that quantum computers would be more of a threat to other types at first. There might also be a solution for ECC to become 100% quantum resistant, even though it isn't right now.

r/CryptoCurrency

Nothing more :D There are several different ways to create private keys, but ECC is pretty common and it's also supposedly quantum computer safe (at least right now).

r/CryptoCurrency

SHA256 is NOT encryption. It's the hash being used for creating blocks. SHA might be used at some point, but Bitcoin's private key is an ECC key.

r/CryptoCurrency

Why do so many people talk about encryption and AI without having a basic understanding of how it all works? AI can barely do math, and math has already shown that this kind of encryption is secure. People try to make themselves more interesting by spreading bullshit like this. A good indicator of bullshit is that they don't distinguish between different types of encryption. For example, there is RSA and there is ECC (which is what Bitcoin uses).

r/Bitcoin

Only the ECC is quantum vulnerable. When the time comes for core to release a quantum secure signing algorithm, just move your coins to a new quantum secure wallet.

r/Bitcoin

Meh. How worried? Zero or a bit less. There is no encryption in Bitcoin. SHA256 and ECDSA on Secp256k1 are both "simple". SHA256 can be done on paper and it's easy to see that the incoming message gets hashed and is unrecoverable. Similarly ECC taking a private key to a public key for example is easy to do one way and not back. I think it's very unlikely chatgpt will spit out vulnerabilities in either given the right prompt.

r/Bitcoin

Bitcoin is a cryptocurrency as are all the Altcoins. Bitcoin was just first and the best version. The coins all use cryptography. Bitcoin uses elliptic curve cryptography (ECC) and the Secure Hash Algorithm 256 (SHA-256) to generate public keys from their respective private keys.

r/Bitcoin

I know this isn't popular here but Bitcoin is a cryptocurrency as are all the Altcoins. Bitcoin was just first and the best version. The coins all use cryptography. Bitcoin uses elliptic curve cryptography (ECC) and the Secure Hash Algorithm 256 (SHA-256) to generate public keys from their respective private keys.

r/CryptoCurrency

ECC is not quantum resistant.

r/CryptoCurrency

Bitcoin uses ECC with 256 bits and quantum computers aren't a threat for it.

r/Bitcoin

They're not useless, but I don't keep a lot of stuff on password managers. Including bank info. The cryptography used to secure bitcoin (ECC) allows you to have much greater cybersecurity than ever before, if you use it properly. Putting it on a Diffie-Hellman/RSA secured database defeats the purpose. If you have 25 BTC tied up in cold storage, you should definitely follow good custody standards (like air gapping, and generating keys offline).

r/CryptoCurrency

SHA256 is just the hash algorithm used by the miners; the keys are ECC and I'm not sure about that (I see different opinions about whether it's secure or not). A lot of our communication may be broken in the future, that's a real problem. Let's just hope it lasts long enough that most of the data is no longer relevant. I've also heard that AES is considered to be safe. I must dig deeper into this topic because I can only rely on stuff I read somewhere.

r/CryptoCurrency

I am not exactly a cryptographer, but there might be an RSA-specific flaw, not affecting ECC in general.

r/CryptoCurrency

AI is still doing the same thing it did 30 years ago, just with more data and computing power, by the way. Don't fall for all the hype Musk and others are doing. There is no strong AI in sight, sometimes it can't even tell if a sign says 30 or 80. Of course, if a government agency can crack ECC or RSA, they won't publish a paper about it, that's true. But it doesn't seem likely that public science has taken baby steps while they've taken giant leaps. They'd need the best scientists and people in science would know that something was going on. People also knew about the nuclear program.

r/CryptoCurrency

The nuclear bomb is not quantum computers. Quantum computers really only endanger asymmetric or public key cryptography algorithms such as RSA, ECC, and Diffie-Hellman. These are proven to be broken by quantum computing using Shor's algorithm. NIST has already announced 4 quantum resistant algorithms.

r/CryptoCurrency

Well, ECC (Bitcoin and others) may be fucked, but we'll need a Quantum Computer with an estimated minimum of 6,000 entangled quantum bits (qubits). Right now the biggest has 51. As far as I know, Shor's Algorithm could do it. It seems like the effort is exponential. The next 51 qubits are much harder to achieve, even more the 51 qubits after that... But I'm no expert.

r/CryptoCurrency

Have you considered using [DVDisaster?](https://en.wikipedia.org/wiki/Dvdisaster) It basically modifies the ISO and embeds an error-correcting code on the unused space of the disc. So if there's any bit-rot or damage the ECC can be used to recover corrupted data. Supposedly it's even good enough to work even with DVDs that have been [intentionally drilled holes into](https://np.reddit.com/r/DataHoarder/comments/ikt606/dvdisaster_0796_semirevival/g802umn/) (!).

r/CryptoCurrency

I know what you mean, but you don't have to understand the technology, just how to use it. The technology is very similar to what happens when you look at a https website (except it's ECC for BTC and not RSA, I think?). I don't necessarily have to understand that either. "Be your own bank" is a bit exaggerated. All you do is keep your own private key.

r/Bitcoin

> I don't see this as a rational response

Your claims are not rational. You made them up. There is no risk to AES. A quantum computer is not a cracking tool. RSA is not relevant to Bitcoin. Bitcoin has no encryption.

> If in 10 years quantum computers can break 32 bit ECC

There's no such thing as 32-bit ECC.

> Peter Shor has already solved the discrete logarithm problem back in 1994, theoretically at least. And it will probably take another 30 years before any practical application of his algorithm can be used

Most likely never going to happen. The "30 years from now" estimates are now more than 30 years old. In 30 years, we will still be predicting useful quantum computers in 30 years time. Eventually, the infinite 30-year timeframe leads to a realization that it's not possible.

> will the bitcoin protocol have time to switch

Ask again in 30 years.

r/Bitcoin

Satoshi said:

> Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes. At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node.
>
> The bandwidth might not be as prohibitive as you think. A typical transaction would be about 400 bytes (ECC is nicely compact). Each transaction has to be broadcast twice, so let's say 1KB per transaction. Visa processed 37 billion transactions in FY2008, or an average of 100 million transactions per day.
>
> That many transactions would take 100GB of bandwidth, or the size of 12 DVD or 2 HD quality movies, or about $18 worth of bandwidth at current prices.
>
> If the network were to get that big, it would take several years, and by then, sending 2 HD movies over the Internet would probably not seem like a big deal.
>
> Satoshi Nakamoto

https://www.mail-archive.com/cryptography@metzdowd.com/msg09964.html

r/CryptoCurrency

Nothing, Quantum computers are expected to be able to efficiently factor large numbers and solve discrete logarithm problems, which are the foundation of many encryption algorithms like RSA and ECC, through algorithms like Shor's algorithm. When this will happen depends on the progress of quantum technology development, which is challenging to predict precisely, and what exactly will break is also highly uncertain. The security of Bitcoin, in particular, is based on elliptic curve cryptography (ECC). So far these 2 approaches seem to be not breakable but also remain uncertain, but can be quite good for btc for example.

Lattice-based cryptography: This is a class of mathematical problems that are believed to be hard for both classical and quantum computers. Algorithms like NTRUEncrypt and Ring-LWE fall into this category. Also Algorand's Falcon keys fall under this category.

Hash-based cryptography: Hash-based digital signatures, like the Lamport and Winternitz one-time signature schemes.

r/CryptoCurrency

"*at least until someone cracks the SHA-256 encryption that secures it*" That's nonsense. SHA256 is being used (in mining for example) but the encryption is ECC (elliptic curve cryptography).

r/CryptoCurrency

No, it can't break everything. A QC can't solve every problem faster than bit-based computers. There's an algorithm for ECC (Bitcoin) though.

r/Bitcoin

QC can search with sqrt(N), N being the number of bits in your key. That is the optimum. No exponential speedup there. But they can break ECC in poly time with poly many qubits. Does this help?

r/Bitcoin

You are correct. Bitcoin uses ECC, not RSA, and the hash algorithms do not depend on factoring. Sorry. But I do see that these features make Bitcoin impervious to quantum computing algorithms as well.

r/CryptoCurrency

Quite some but one stands out: ECC (ether connect coin). I was new to crypto and was advised to seek crypto information from telegram and Reddit. I chose telegram and long story short, I bought the coin on pancake swap using BNB with its two sister coins. I watched the coins x1000 but couldn't sell since they're locked up in the company's website, and by the time they opened up withdrawal months later, they had pulled liquidity and everything went to x -10000 and their site went down for some days before coming on again, but by then it had already dawned on us that they'd dumped the tokens on us and my $100 investment that shot up to $10k is now worth less than a buck. That was how I learnt about liquidity and rugpulls.

r/CryptoCurrency

> Bitcoin != Crypto

Bitcoin uses private keys based on ECC (elliptic curve cryptography) and mining is being done using the SHA256 hash algorithm. It's definitely crypto.

r/CryptoCurrency

This is a bit of a nitpick, but I'll post it bc you seem interested. While it is true that you use 256 bits to generate a 24-word key phrase, and the corresponding private key generated from the key phrase is 256 bits in length, the strength of ECC in general is approximately half of the bits used to make the key, bc the fastest known algo to work backwards from a public key to a private key is sq-root k. So in general when talking about the statistics of anything related to the strength, or odds of uncovering a private key, one should refer to the actual strength of the encryption, which in this case is slightly less than 2^128. While it's true that 2^256 is true for the type of collision you responded to, people can infer incorrectly that 2^256 is the strength of their private key, when it's actually a little less than half of that.

r/CryptoCurrency

In theory, when it's made by humans, it can be broken by humans. And once it breaks, shit will hit the fan. Users of 'crypto phones' like EncroChat, Sky ECC and Exclu thought they were safe as well. It's a matter of time and the amount of resources used, also for Monero I'm afraid..

r/Bitcoin

Dude, just no. You are still young. Apple has had AI since 2010 implemented in their phones. Quantum won't be ready to break ECC even in 10 years. It's not the first time they think they are close.

r/CryptoCurrency

This is a really great post! Glad to see people spreading this knowledge. If I had anything of value to add, just a few things.

First, I have a playlist of videos that break down Encryption and how it works, ECC, hashing, and relating these to blockchain and their use cases, and more. I don't know if I can post links, so I won't try. But if you go to "EpochSec" on YouTube (multi blue round logo), you can find the playlist "Encryption and Hashing". Or you can find that via my website (I don't even know if I can post that in here). This would be a great complementary set of knowledge, to go along with this post.

SECP = Standard for Efficient Cryptography. This has been around a very long time. secp256k1 is an elliptic curve, as mentioned. You also have ECDSA and Schnorr. Then you also have ed25519 (EdDSA + Curve25519). And there are others. ECDSA and ed25519 are often used in many other things. You might be familiar with what is derived: Public and Private Keys. Folks use them for their SSH keys, they are used in blockchain. They are also used (asymmetric encryption) to transfer your symmetric key, when you are typing in your password to login to a site, for example. There are plenty of other examples, and analogies. Then hashing plays a big role as well. To save this reply from becoming long, I'll stop there and just refer back to my video playlist I mentioned above.

I'll also share a general message. This option is very secure, indeed. However, as the OP mentioned, many people might say "I have no idea what I am doing". I generally recommend to not stress about using the most secure thing immediately (it depends). That is a good end goal though. So if you are nervous, start out with an easy method, or something you are comfortable with. In parallel, start using a more secure option, in a testing/learning manner. Once you are comfortable with that, then move to that option. This is also a security vs availability, individual decision to be made by each person. Though it is important to at least know the pros/cons/etc of the option you are using. In any aspect of your personal security.

I left a WHOLE lot out of this reply. It was just some basic thoughts I wanted to share. Again, great post and thanks for sharing that with the community.

r/Bitcoin

Chapters one, two and three from "Programming Bitcoin" by Jimmy Song explain ECC in terms that don't require all that much more prior mathematical knowledge than, say, algebra. He also open-sourced the [book](https://github.com/jimmysong/programmingbitcoin).

r/CryptoCurrency

That though doesn't have to mean a lot. Or as Satoshi said:

> When you generate a new bitcoin address, it only takes disk space on your own computer (like 500 bytes). It's like generating a new PGP private key, but less CPU intensive because it's ECC. The address space is effectively unlimited. It doesn't hurt anyone, so generate all you want.

r/Bitcoin

If ECC was broken it would not allow double spends (which is what I think you mean by "duplicate transactions"). It would allow the attacker to spend coins of other people (in some specific circumstances). Anyway, should that threat have any non-trivial chance of happening any time soon, migration from ECC to post-quantum algorithms could happen quite quickly. The only major problem would be with lost coins, whose owners are dead, or can't access the coins, thus those could not migrate. But even for that scenario there are some possible mitigations that were invented years ago, as this topic has been well studied for a long time.

r/Bitcoin

Uh, ya. It poses an EXTREME problem for all ECC Cryptography. From the entire web to your bitcoin wallet. The difference is, it's relatively easy to change a whole internet cryptography standard compared to changing Bitcoin. That's besides the fact that any such change will see the loss of millions of coins that may or may not be "dead", which would call into question the permanence of people's holdings. Take a hedge in Quantum Resistant Ledger. Sleep easy.

r/Bitcoin

Quantum-resistant encryption algorithms are cryptographic algorithms designed to be resistant against attacks by quantum computers. These algorithms are developed to secure data against potential threats from quantum computing advancements that could easily break traditional cryptographic systems, such as RSA and Elliptic Curve Cryptography (ECC).

* Lattice-based Cryptography
* Code-based Cryptography
* Multivariate Cryptography
* Hash-based Cryptography
* Supersingular Isogeny-based Cryptography

r/CryptoCurrency

This one.

> As a thought experiment, imagine there was a base metal as scarce as gold but with the following properties:
> - boring grey in colour
> - not a good conductor of electricity
> - not particularly strong, but not ductile or easily malleable either
> - not useful for any practical or ornamental purpose
>
> and one special, magical property:
> - can be transported over a communications channel
>
> If it somehow acquired any value at all for whatever reason, then anyone wanting to transfer wealth over a long distance could buy some, transmit it, and have the recipient sell it. Maybe it could get an initial value circularly as you've suggested, by people foreseeing its potential usefulness for exchange. (I would definitely want some) Maybe collectors, any random reason could spark it.

And this one.

> Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes. At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node.
>
> The bandwidth might not be as prohibitive as you think. A typical transaction would be about 400 bytes (ECC is nicely compact). Each transaction has to be broadcast twice, so let's say 1KB per transaction. Visa processed 37 billion transactions in FY2008, or an average of 100 million transactions per day. That many transactions would take 100GB of bandwidth, or the size of 12 DVD or 2 HD quality movies, or about $18 worth of bandwidth at current prices.
>
> If the network were to get that big, it would take several years, and by then, sending 2 HD movies over the Internet would probably not seem like a big deal.

r/Bitcoin

> high qubit quantum computer (which doesn't exist and no one is sure if will ever exist)

ECC breaking QC is sci-fi for now.

r/Bitcoin

Exchanges won't help if the underlying asset is broken. But let's focus on Bitcoin for a second. Firstly, power (afaik) isn't the factor holding back quantum computers. Secondly, no quantum computer can break hashing, which is what most of Bitcoin's security relies upon. Hashing is a lossy process, and also not all Cryptography is broken because of quantum. Quantum computing can theoretically break ECC, which is what secp256k1, the algorithm used for bitcoin key pairs, is. Fortunately, public keys are not typically revealed on the blockchain until an address has been spent from, and a best practice we've all been following is "no address re-use". Therefore the effectiveness of breaking it is very limited. Of course, even if quantum can break ECC, it may not be able to break secp256k1 specifically or may take time to do so. At the same time, to think that there are not quantum resistant algorithms that can be used in its place if necessary is misguided. We just don't want to change anything that isn't likely to be broken any time soon. To be clear, quantum resistant algorithms don't need to be run on a quantum computer, despite what many think: as you said yourself. So all in all, what you are spreading here is just FUD and worse still your advice is awful either way.

Mentions:#ECC
r/Bitcoin

SHA256 is not encryption, it's a hashing algorithm. And no, even a strong quantum computer would not be able to find a preimage of a SHA256 hash. A strong quantum computer might be able to break the ECC used in Bitcoin, and there finally you are right on something: to find a private key from a public key. So it seems like you have just heard a couple of terms and you're not sure what they are, and then it leads you to make such claims that make no sense and are obviously wrong. The Bitcoin protocol does not use encryption (some communication encryption has been suggested as a BIP but is not implemented widely at the moment). What you probably meant to ask is whether it is possible to replace the underlying cryptographic elements used in Bitcoin (not for encryption, but for signing and verifying) with quantum-resistant cryptographic elements. And the answer is yes, but it's not completely straightforward, has its problems, and it is definitely not a problem to be solved today, as strong quantum computers are too far from available. If such a transition occurred, however, it would not affect past transactions, as it would be done, as always, from some point on (think block number or time) and would not apply to what happened before. This is the standard way of upgrading, and in fact Bitcoin implemented a similar kind of new cryptographic primitive recently with Taproot. Taproot introduced Schnorr signatures, which were not present before. And nothing happened to pre-Taproot transactions.

Mentions:#SHA#ECC#BIP
r/Bitcoin

Also, in vector-based crypto such as ECC, the selection of the key vectors is also random, so again vulnerable.

Mentions:#ECC
r/Bitcoin

Bitcoin uses elliptic curve cryptography (ECC) *and* the Secure Hash Algorithm 256 (SHA-256) to generate public keys from their respective private keys.

Mentions:#ECC#SHA
r/Bitcoin

> I couldn't invent a trapdoor function

You don't need to. They exist. Division is the opposite of multiplication, and is inherently more difficult. Make it a trapdoor function by choosing large enough divisors to make it take more than 10 human lifetimes. Someone cracks your trapdoor by factoring your divisors. Improve your trapdoor by choosing only prime divisors.

In ECC, logarithms are orders of magnitude more difficult than calculating exponentiation. That's why they used to sell books of logarithm tables to junior high school students: because they're so hard to calculate, it's essential to use a lookup table. So a trapdoor only needs to choose numbers outside the scope of all known lookup tables, and too hard to make new tables for.

Is there any mathematical research which can one day discover a shortcut for the elliptic curve discrete logarithm problem? You might have looked for this question before posting your generic hypothetical. But that would be an effort, and you're a lazy person.

Mentions:#ECC
r/Bitcoin

ECC is constrained as a given. Backdoors can be built in. The backdoor is a shortcut. The question to ask is, "are there shortcut methods to all ECC?" Does it involve the math itself, or some other property you don't notice? Food for thought. If the NSA likes it (now), have they found this? More food.

Mentions:#ECC
r/Bitcoin

> Bitcoin has a BIP on the shelf, ready to execute if the capability is demonstrated. This involves migrating from ECC to an unnamed quantum-resistant cryptography scheme.

I think in reality, if there was the possibility of an actual quantum computer capable of breaking ECC, the post-quantum cryptography scheme would already be deployed to the network as a soft fork. It would be something that people can start using before a quantum computer exists, and so people could begin migrating their coins before any such breakthrough. Of course, this still has the possibility of a breakthrough that results in a vulnerability in the new scheme, so your story could still work.

> The Bitcoin network would be forked, and all users must migrate their balances to new addresses. Addresses that aren't migrated in time (for example Satoshi's Bitcoin are considered likely to be in this category) are considered up for grabs, and some consider them a bounty to quantum computing development.

I would expect that another soft fork is deployed that actually just disallows spending of those coins. Of course this would be highly controversial and is something that you can explore in your story.

There's also been some ideas floated that would allow people to prove that they owned the private keys without actually creating any signatures or relying on the private key itself. One idea is that since the vast majority of keys are now derived deterministically with BIP 32, it should be possible to create a zero knowledge proof that someone has a seed and derivation path for a particular key. Since derivation uses hashing, it is quantum resistant (enough) that this would work in lieu of actual signatures. But it wouldn't let people who don't use BIP 32 spend their coins.

Mentions:#BIP#ECC
r/Bitcoin

I am not an expert on this matter, but I love this sci-fi novel already, so I will provide my two cents even if they are not 100% accurate, knowing people have a tendency to correct others. First, a question out of curiosity: is the story suggesting that Bitcoin is already commonly used? Or is that something that would spoil it? <- not important, just curious. As for your question, generating a public address is based on the ECC then combined with a hashing algorithm, so from my understanding a quantum computer needs to be able to first reverse the base58Check, then reverse the ECC efficiently to make it realistically viable. <- your story assumes this will be possible. So now, you are saying people who don't move their coins from the old design to the new will basically get their public keys reversed and their private keys hacked, hence they will be accessible. That's such a cool idea that I actually hope it happens lol, then we will be able to recover all lost coins and get back to the full 21m. And that would be an amazing reward to whoever makes it happen as a step to strengthening the security of the network. They will be dead addresses anyway. While I am not sure if that's how they solve the problem, and leave it to the need of migrating, still I like this story a lot. Will read.

Mentions:#ECC
r/Bitcoin

> If you can pull the private keys off of a public key under an ECC compromise, my understanding is users would actually have to move their balances to a new attack-resistant address

This is mostly false. Most addresses are a hash of a public key, using RIPEMD160(SHA256(pubkey)). The pubkey is exposed when a coin is spent. This means (as per the previous comment) coins which reuse an address are vulnerable if one or more have been spent. The pubkey for the unspent coins is exposed in the txinput script for the coins which have been spent.

Also, some amount of early mined coins are pay-to-public-key (not pay-to-pubkey-hash). Any of these which are still unspent are vulnerable to private key discovery.

And an important note: There is no such thing as "large numbers of Satoshi's coins".

Mentions:#ECC#SHA
r/Bitcoin

To elaborate, the situation with the "on the shelf" BIP is that no ECC vulnerability has yet been shown in any publication or by any QC research group, until this breakthrough happens. The assumption is there will be some indication it is possible before it starts happening in the wild.

Mentions:#BIP#ECC
r/Bitcoin

Are you sure about that? If you can pull the private keys off of a public key under an ECC compromise, my understanding is users would actually have to move their balances to a new attack-resistant address.

Mentions:#ECC
r/CryptoCurrency

You don't 'move' a cryptocurrency across space. You cycle ECC signatures on a shared database.

Mentions:#ECC
r/CryptoCurrency

The clueless author of this article doesn't realize that the Bitcoin mining difficulty automatically adjusts every two weeks. If everyone starts using quantum computing, everyone's difficulty will rise, so they're back at high energy usage. Even worse, quantum computers powerful enough to break ECC through Shor's Algorithm will break public key cryptography, Bitcoin, and half of the Internet.

Mentions:#ECC