
When you use bitcoin, you are mostly using two cryptographic algorithms: secp256k1 and SHA-256.

secp256k1 is not a cryptographic algorithm; rather, it's a specific elliptic curve over a specific prime field.


The quantum FUD is so silly. Don't fall for the marketing hype.
In 2001 the number 15 was factored with Shor's algorithm on a quantum computer.
In 2012 Shor's algorithm was applied on a quantum computer to factor 21.
And now it is the year 2026 and we still haven't gotten past 21, not to mention factoring numbers which are actually used in cryptography.
Also note the quantum circuits were compiled beforehand with the knowledge of the solution already.

And when it comes to classical computers, we have a live view of the progress on cracking private keys thanks to the Bitcoin Puzzles:
https://bitcointalk.org/index.php?topic=5218972.msg53649852#msg53649852
As of now, the best someone managed was finding the remaining bits of a private key with 126 bits exposed by applying Pollard's Kangaroo onto the respective public key.
And using brute force the best someone managed was finding the remaining bits of a private key with 187 bits exposed.
So absolutely nothing to worry about if you expose 0 bits of your private key.

I don't think I'm worried about quantum stuff. But I do think the reality is that no cryptographic algorithm (this could be the wrong word, but I can't find the better term to refer to it: e.g. curve only applies to elliptic curve cryptography. What if I also want to reference SHA-256?) will last forever.

I think Heilman's point is that we can be reasonably confident that the cryptography used in bitcoin is solid on a 1-5 year time scale, but less so on a 75-year time scale.

I'm curious if you think we will still be happily and safely relying on secp256k1 in the year 2085?

reply
1021 sats \ 1 reply \ @Filiprogrammer 1h
cryptographic algorithm (this could be the wrong word, but I can't find the better term to refer to it: e.g. curve only applies to elliptic curve cryptography. What if I also want to reference SHA-256?)

It's not the wrong word. Cryptographic algorithms are e.g.: ECDSA, Schnorr, SHA256, RIPEMD-160

I'm curious if you think we will still be happily and safely relying on secp256k1 in the year 2085?

Hard to tell what will be in 59 years, but let's speculate.

Right now the best known practicable algorithm to find private keys from exposed public keys without knowing a single bit of the private key is Pollard's Rho. This algorithm has a time complexity of . So it effectively cuts the number of bits of security in half. A 256-bit private key can be found with about iterations.

If computers ever become fast enough to be a threat, we could simply switch to an elliptic curve over a larger prime field with let's say 512 bits. Therefore Pollard's Rho would require iterations.

But the likelihood of that becoming necessary any time soon seems very low. Looking at the records of breaking the Elliptic Curve Discrete Logarithm Problem (ECDLP) over time we can see a growth rate of roughly 1 bit of security in 4 years:

Year    Bits of security
2000    54
2002    54.5
2009    56
2014    56.5
2016    58.675

If we project this out to 2085 we get:
bits of security

Unless some more efficient algorithm for solving the ECDLP is found, we are probably going to be fine.

Now just for fun, I projected this very rough estimate out even further into the future. According to this growth rate, we would be able to break 128 bit security in the year 2294.

reply
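The square-root cost of Pollard's Rho that the reply above relies on is easiest to see on a group small enough to watch. The following is an added example, not code from the post or from any Bitcoin implementation: it runs Pollard's Rho with Floyd cycle finding against a constructed textbook curve, y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1) of prime order 19. The curve, the point, and the "private key" 7 are assumptions chosen for illustration; the walk partitions points by x-coordinate (a common textbook choice, not the only one). With n = 19 the recovery takes a handful of iterations, which is the whole point: the work is on the order of sqrt(n), so a 256-bit group order gives about 128 bits of security, and doubling the field size to 512 bits pushes that to about 256.

```python
import random

# Constructed toy curve for illustration only (the classic textbook example,
# not a curve anyone should use): y^2 = x^3 + 2x + 2 over F_17.
# P = (5, 1) is a base point of prime order 19, so the "private key" space is 19.
p = 17
A, B = 2, 2
P = (5, 1)
n = 19  # order of P (prime)


def add(R, S):
    """Affine point addition on the curve; None is the point at infinity."""
    if R is None:
        return S
    if S is None:
        return R
    (x1, y1), (x2, y2) = R, S
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # R == -S
    if R == S:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, R):
    """Double-and-add scalar multiplication k*R."""
    out = None
    while k:
        if k & 1:
            out = add(out, R)
        R = add(R, R)
        k >>= 1
    return out


def walk(X, a, b, Q):
    """One step of a deterministic pseudo-random walk that keeps X == a*P + b*Q.
    The partition depends only on X's x-coordinate, so equal points walk alike."""
    part = 2 if X is None else X[0] % 3
    if part == 0:
        return add(X, Q), a, (b + 1) % n
    if part == 1:
        return add(X, X), (2 * a) % n, (2 * b) % n
    return add(X, P), (a + 1) % n, b


def pollard_rho(Q, seed=1):
    """Recover k with Q == k*P using Floyd cycle finding.
    Returns (k, iterations); expected iterations are on the order of sqrt(n)."""
    rng = random.Random(seed)
    while True:
        a, b = rng.randrange(1, n), rng.randrange(1, n)
        X = add(mul(a, P), mul(b, Q))
        a1, b1 = a, b
        Y, a2, b2 = X, a, b
        iterations = 0
        while True:
            X, a1, b1 = walk(X, a1, b1, Q)            # tortoise: one step
            Y, a2, b2 = walk(*walk(Y, a2, b2, Q), Q)  # hare: two steps
            iterations += 1
            if X == Y:
                break
        # a1*P + b1*Q == a2*P + b2*Q  =>  (a1 - a2) == (b2 - b1)*k  (mod n)
        d = (b2 - b1) % n
        if d == 0:
            continue  # useless collision; restart from a fresh random point
        k = (a1 - a2) * pow(d, -1, n) % n
        if mul(k, P) == Q:
            return k, iterations


if __name__ == "__main__":
    Q = mul(7, P)  # constructed "public key" for the constructed private key 7
    k, its = pollard_rho(Q)
    print(f"recovered k={k} after {its} iterations (sqrt(n) ~ {n ** 0.5:.1f})")
```

The invariant X = a*P + b*Q is what turns a collision into the discrete log; the `d == 0` branch handles the degenerate collision where the Q-coefficients agree and nothing can be solved, which on a group this small happens often enough that the retry matters. The same algorithm at 256-bit scale is what the reply's 2^128 figure describes.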

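The projection in the reply above can be carried through in a few lines, and it is worth doing because it shows how sensitive the 2294 figure is to the fitting choice. This is an added example, not the poster's own calculation: the record table is the one the reply lists, the "1 bit every 4 years from the 2016 record" rate is the reply's rule of thumb, and the least-squares fit over all five records is my addition for comparison. The sqrt rule for Pollard's Rho is the reply's too.

```python
import math

# Records of solved ECDLP instances as listed in the reply above:
# (year, bits of security).
RECORDS = [(2000, 54.0), (2002, 54.5), (2009, 56.0), (2014, 56.5), (2016, 58.675)]


def rho_security_bits(field_bits):
    """Pollard's Rho needs about sqrt(n) ~ 2^(field_bits/2) group operations on a
    prime-order curve, so the effective security is half the field size."""
    return field_bits / 2


def rule_of_thumb_bits(year, bits_per_year=0.25, anchor=(2016, 58.675)):
    """The reply's rough rate: 1 bit of security every 4 years from the last record."""
    y0, b0 = anchor
    return b0 + bits_per_year * (year - y0)


def rule_of_thumb_year(bits, bits_per_year=0.25, anchor=(2016, 58.675)):
    """Year in which the rule of thumb reaches the given number of bits."""
    y0, b0 = anchor
    return y0 + (bits - b0) / bits_per_year


def fit_growth(records=RECORDS):
    """Least-squares line bits = slope*year + intercept through all records.
    Added here to check the rule of thumb against the whole table."""
    xs = [y for y, _ in records]
    ys = [b for _, b in records]
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    sxx = sum((x - xm) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, ym - slope * xm


def fitted_bits_in_year(year, records=RECORDS):
    slope, intercept = fit_growth(records)
    return slope * year + intercept


def fitted_year_for_bits(bits, records=RECORDS):
    slope, intercept = fit_growth(records)
    return (bits - intercept) / slope


if __name__ == "__main__":
    print("secp256k1 security vs Rho:", rho_security_bits(256), "bits")
    print("512-bit curve security vs Rho:", rho_security_bits(512), "bits")
    print("rule of thumb, 2085:", rule_of_thumb_bits(2085), "bits")
    print("rule of thumb, 128 bits reached:", math.ceil(rule_of_thumb_year(128)))
    slope, _ = fit_growth()
    print(f"fitted rate: 1 bit per {1 / slope:.2f} years")
    print("fitted, 2085:", round(fitted_bits_in_year(2085), 2), "bits")
    print("fitted, 128 bits reached:", math.ceil(fitted_year_for_bits(128)))
```

The rule of thumb reproduces the reply's 2294, while the least-squares fit over all five records (about 1 bit per 4.06 years) lands a few years later, around 2301. Either way the projected record for 2085 is in the mid-70s of bits, well short of the 128 bits that Rho leaves a 256-bit curve, which is the margin the reply is pointing at. The estimate is only as good as the assumption that no better ECDLP algorithm appears, as the reply itself notes.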
thanks for the detailed response.

Several of the people in the mailing list thread I quoted above expressed similar sentiments, I believe. Their response seems to be something like, "Don't mess with it until we are much closer to having a real problem."

I can get behind such an attitude.

reply