
What would happen to Bitcoin in this scenario - whether through quantum computing or someone coming up with a fast enough way to reverse the 'one-way' function that calculates the public key from the private key (which, if I'm not mistaken, uses elliptic curves and SHA256)?
This is not the same problem as just cracking SHA256 for the purpose of mining; that could pose a threat of a 51% attack, but from what I understand that's more of a DoS thing than a theft threat and it could easily be solved by forking and switching to a different hash function.
If someone found a way to calculate private keys from public keys, however, they could access your wallets and steal your coins. I imagine we'd want to replace that [no longer one-way] function with one that's harder to crack and migrate wallets from the old chain to the fork (which would require the owner to generate a new key pair). But in the meantime thieves could steal your coins. Whatever coins they stole, we'd have a good reason to reverse those theft txs. I understand the idea of reversing txs is not popular in the Bitcoin community, but in this case it would be justified, because the security of the network has been compromised and something needs to be done about it; we don't want people to lose coins through no fault of their own. How would it be decided which txs to reverse? A cut-off by broadcast time wouldn't necessarily work, because some txs broadcast after the first theft tx may be legitimate. Of course it would be reasonable for people to stop transacting when they find out security has been compromised, but the news about the incident might take time to reach every user.
1428 sats \ 1 reply \ @gnilma 1 May 2023
If something like that were to happen, bitcoin will no longer be valuable. A network that cannot safeguard the users’ value will no longer be trusted by users.
The network can try to fork, but it will be hard to decide which point to begin the fork for the reasons you outlined very well. Also, reversing transactions is a precedent that we do not want to set, no matter the reason; because once that precedent is set, someone will always find some other reason to do the same. Then it becomes a slippery slope to become a shitcoin like Eth, where you can just roll back the chain for whatever reason. Even if the network manages to fork and stay alive, it will take some time for people to gain confidence in the network again.
reply
Ok, I guess the best thing to do would be to prevent that from happening in the first place and change the hash function e.g. from SHA256 to SHA512 as soon as our technology starts approaching the breakability of SHA256.
reply
A way to protect from this threat is to never reuse addresses - when there are no outgoing transactions the public key hasn't yet been revealed.
I'm not sure whether this threat would allow stealing from lightning channels though. The funding transaction does reveal public keys. But perhaps ones created with taproot and Schnorr signatures would be better protected. Need an expert to weigh in on this.
reply
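The "don't reuse addresses" advice above comes down to what an output script commits to. Below is an added worked example (my own code, not from this thread or from any Bitcoin project) that classifies standard output scripts by whether the public key is visible when the output is created or only once it is spent, and walks a small constructed ledger to flag outputs that pay to a hash whose preimage an earlier spend already put on-chain. P2PKH, P2WPKH, P2SH and P2WSH outputs contain only a HASH160 or SHA256 of the key or script; P2PK and P2TR outputs contain the (for P2TR, tweaked x-only) public key itself, so the classifier marks them exposed at creation. The transactions, txids and 20/32/33-byte values are constructed constants for the example, not real keys, hashes or transactions, and the ledger format is a simplification I chose for the demo.

```python
"""Added example: which outputs already expose a public key on-chain?

A P2PKH / P2WPKH / P2SH / P2WSH output commits only to a hash; the preimage
(public key or redeem script) appears on-chain when the output is *spent*.
A P2PK or P2TR output carries the (tweaked) public key in the script itself.
The ledger below is constructed for the example: the byte strings are
arbitrary constants, not real keys, hashes or transaction ids.
"""

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def classify(spk: bytes):
    """Return (script_type, committed_key_material, key_visible_in_output)."""
    if (len(spk) == 25 and spk[0] == OP_DUP and spk[1] == OP_HASH160 and spk[2] == 20
            and spk[23] == OP_EQUALVERIFY and spk[24] == OP_CHECKSIG):
        return "p2pkh", spk[3:23], False      # HASH160(pubkey)
    if len(spk) == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "p2sh", spk[2:22], False       # HASH160(redeem script)
    if len(spk) == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "p2wpkh", spk[2:22], False     # HASH160(pubkey), segwit v0
    if len(spk) == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "p2wsh", spk[2:34], False      # SHA256(witness script), segwit v0
    if len(spk) == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "p2tr", spk[2:34], True        # x-only tweaked pubkey, segwit v1
    if len(spk) in (35, 67) and spk[0] in (33, 65) and spk[-1] == OP_CHECKSIG:
        return "p2pk", spk[1:-1], True        # raw pubkey followed by OP_CHECKSIG
    return "other", b"", None


def audit(ledger):
    """Walk transactions in order and report, per output, whether its key is exposed.

    ledger: list of {"txid": str, "vin": [(prev_txid, vout), ...], "vout": [spk, ...]}
    Returns a list of (txid, vout_index, script_type, status).
    """
    utxo = {}        # (txid, n) -> (script_type, committed key material)
    exposed = set()  # key material whose preimage/key is already public
    report = []
    for tx in ledger:
        # Spending a hash-committed output reveals the pubkey or script in
        # the scriptSig/witness, so that hash is "burned" from then on.
        for prev in tx["vin"]:
            _, material = utxo.pop(prev)   # KeyError: spends an unknown output
            if material:
                exposed.add(material)
        for n, spk in enumerate(tx["vout"]):
            stype, material, visible = classify(spk)
            if visible:
                status = "key in output script"
            elif visible is None:
                status = "unclassified"
            elif material in exposed:
                status = "reuse: preimage already revealed"
            else:
                status = "hash only"
            utxo[(tx["txid"], n)] = (stype, material)
            report.append((tx["txid"], n, stype, status))
    return report


# Script builders for the constructed ledger.
def p2pkh(h):  return bytes([OP_DUP, OP_HASH160, 20]) + h + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(h): return bytes([OP_0, 20]) + h
def p2tr(x):   return bytes([OP_1, 32]) + x
def p2pk(pk):  return bytes([len(pk)]) + pk + bytes([OP_CHECKSIG])

# Constructed, arbitrary key material (not derived from real keys).
H_A = bytes(range(20))
H_B = bytes(range(20, 40))
H_C = bytes(range(40, 60))
X_K = bytes(range(32))
PK_C = b"\x02" + bytes(range(32))

SAMPLE_LEDGER = [
    {"txid": "tx1", "vin": [], "vout": [p2pkh(H_A), p2wpkh(H_B)]},
    # tx2 spends tx1:0, so <sig> <pubkey_A> is now on-chain; paying H_A again is reuse.
    {"txid": "tx2", "vin": [("tx1", 0)], "vout": [p2tr(X_K), p2pkh(H_A)]},
    # tx3 spends tx1:1 (reveals pubkey_B) and pays H_B again, plus a fresh hash H_C.
    {"txid": "tx3", "vin": [("tx1", 1)], "vout": [p2pk(PK_C), p2wpkh(H_B), p2pkh(H_C)]},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_LEDGER):
        print(*row)
```

The "hash only" status is the property the post relies on: until the output is spent, an attacker who can invert the public-key-to-private-key map still has nothing to invert, only a hash. The moment the spend is broadcast the preimage is public, which is why the same address should not be paid again, and why outputs whose script already contains the key (P2PK, P2TR) never had that protection in the first place. Keys revealed through other channels (xpubs, channel announcements, gossip) are outside what this on-chain check can see.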