Also published to SubStack where I will add edits if needed: https://open.substack.com/pub/antic/p/response-to-the-end-of-cryptocurrency
A friend of mine sent me this video, explaining why the Atom quantum cluster spells the end of cryptocurrency and bitcoin, which I hate to link because I don't want to drive traffic and engagement to FUD, but for context, here it is: https://www.tiktok.com/t/ZT8Sb4qC3/
This video in particular struck me because the author knows just enough about these topics to sound like he knows what he’s talking about and to convince people like my friend who don’t know the technical details enough to see why he’s wrong.
In this case, he's ignoring two very important things that I can hopefully explain without a lot of technical detail:
- There is a COST to running these quantum computers that must be lower than the profits gained from the attack
- There is a significant difference between simple public/private key encryption and the many ways payments can be secured on the bitcoin network (like P2SH/multisig)
He's right that some cryptocurrencies are going to be adversely affected by quantum compute. I won't argue for random cryptos that are most certainly broken, and some aspects of Bitcoin may need to be upgraded eventually, but I can explain why he's completely off the mark on what he says about Bitcoin specifically.
If you are simply talking about public/private key encryption, sure there are ways that quantum poses a risk, and there are mitigations already being rolled out: https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms
There was a very old way of spending bitcoin called P2PK (pay to public key), which allows bitcoin to be sent to the public key itself, but current bitcoin addresses, in the worst cases, use P2PKH, or pay to public key hash, which does not expose the public key until the moment funds are sent FROM the address and only while they sit in the mempool for processing. If you do not reuse addresses, and you have never spent funds from a P2PKH address, the world does not know the public key. P2PKH is considered legacy, but there is still a TON of bitcoin on the ledger attached to these addresses, so let's dig into them a bit.
However, with bitcoin, you generally do not know the public key behind an address. Let's say you want to try to steal the 530 BTC that are currently sitting in this address: 1111111111111111111114oLvT2
Well, that looks like a really simple address to crack, right? Look at all those 1's! Let's explore that. First, this is not the public key, so you cannot just use Shor's algorithm with a sufficiently large quantum array to factor it to the private key because this isn't even the right number to factor. And once we get there, it's another huge task for quantum that requires significant qubits that don't currently exist on the market, about 2,330.
This bitcoin address is a ripemd160 hash of the sha256 hash of the public key. So if you want to use Shor's algorithm to crack it, you first have to use Grover's algorithm to break sha256 and ripemd160 in two other runs of your quantum cluster--more costly. But let's assume that you can break these things in a positive cost-to-benefit way and go over the steps of how the address was created and how you would have to attack it. And note that bitcoin payment addresses are a little more complicated than just these hashings of the pub key, but the other steps in P2PKH are simple enough not to require major compute: https://www.oreilly.com/library/view/mastering-bitcoin-2nd/9781491954379/ch04.html
This is (roughly) how the address was created (giving us some variable names so we can discuss this without using word soup).
shaPub = sha256(pubKey)
address = ripemd160(shaPub)
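As an added example (not code from the post), here is that derivation written out and run in both directions: hash160 = ripemd160(sha256(pubKey)), then Base58Check with a version byte, plus a decoder that turns the post's address back into its twenty-byte hash. The sample public key is the secp256k1 generator point, used only as a well-known valid input; the function names and the rest of the inputs are constructed for this example.

```python
import hashlib

# Added example, not the post's own code: derive a P2PKH address the way the
# post describes, and decode one back to its 20-byte hash to show that an
# unspent, never-reused P2PKH address reveals nothing beyond that hash.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = b"\x00"   # mainnet pay-to-pubkey-hash; gives addresses starting with '1'


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def ripemd160_available() -> bool:
    """hashlib takes RIPEMD-160 from OpenSSL; a few builds leave it out."""
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False


def hash160(data: bytes) -> bytes:
    """ripemd160(sha256(data)): 'shaPub' then 'address' in the post's notation."""
    sha_pub = hashlib.sha256(data).digest()
    return hashlib.new("ripemd160", sha_pub).digest()


def base58check_encode(version: bytes, payload: bytes) -> str:
    """version || payload || first 4 bytes of sha256d, then Base58."""
    raw = version + payload
    raw += sha256d(raw)[:4]
    num = int.from_bytes(raw, "big")
    digits = ""
    while num:
        num, rem = divmod(num, 58)
        digits = B58_ALPHABET[rem] + digits
    # every leading zero byte is written as a leading '1'
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def base58check_decode(address: str) -> tuple[int, bytes]:
    """Returns (version, payload); raises ValueError on a bad character or checksum."""
    num = 0
    for ch in address:
        num = num * 58 + B58_ALPHABET.index(ch)
    leading = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading + num.to_bytes((num.bit_length() + 7) // 8, "big")
    body, checksum = raw[:-4], raw[-4:]
    if sha256d(body)[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return body[0], body[1:]


def p2pkh_address(pub_key: bytes) -> str:
    """The whole pipeline: pubKey -> hash160 -> Base58Check with version 0x00."""
    return base58check_encode(P2PKH_VERSION, hash160(pub_key))


# Constructed input: the secp256k1 generator point, uncompressed. It is the
# public key of private key 1 and serves here only as a well-known valid input.
SAMPLE_PUBKEY = bytes.fromhex(
    "0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
    "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8"
)

# The address from the post: version 0x00 plus a hash160 of twenty zero bytes,
# which is why it is written as a run of '1's followed by the checksum digits.
POST_ADDRESS = "1111111111111111111114oLvT2"

if __name__ == "__main__":
    version, h160 = base58check_decode(POST_ADDRESS)
    print(f"{POST_ADDRESS}: version={version} hash160={h160.hex()}")
    if ripemd160_available():
        print("sample pubkey ->", p2pkh_address(SAMPLE_PUBKEY))
```

Decoding the post's address gives the version byte and twenty zero bytes and nothing else: the public key never appears in the address, only in the spending transaction's input script, which is the point the post is making about unspent P2PKH outputs.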
So the steps to reverse this to find the pubKey look like this:
- Spin up your world's largest quantum compute datacenter to use Grover's algorithm to get the ripemd160 source of address (the value that you had to pass into the ripemd160 hash in order to get a result of 1111111111111111111114oLvT2) -- this input value is shaPub.
- Use that same expensive cluster to then get the sha256 source of shaPub (what you have to pass into sha256 to return the value of shaPub); this will return the pubKey.
- Use that cluster again with Shor's algorithm to factor pubKey to find privKey.
- Use a regular computer to sign and issue a network transaction to steal the funds
- Hope that the owner of that address isn't programmatically watching the mempool for transactions using keys they own and that they don't have automation in place and miners setup to replace the transaction by fee and move their funds to a different address before your transaction can go through (they most certainly are watching and have this automation and are running their own miners because you are attacking a very large player).
The Cost
So this attack requires running several operations on large quantum compute clusters, which are NOT free to run, nor are they entirely stable yet. The current cost of running quantum compute is non-trivial. And there are major differences between physical and logical qubits, quantum annealing, etc--you need to really research this stuff if you want to plan an attack. If you think you can run the world's largest quantum computer cluster at a cost below the reward of what you are attacking, you might want to rethink your plans. You could spend millions of dollars trying to hack this key and not get to the result. But maybe a bigger address is vulnerable, like 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr, which has $1,078,252,625 worth of bitcoin in it as of this writing—surely you could spend less than $1B to run this attack, right? They are also relying on the simple P2PKH security method, so the process is the same. The owner of this billion dollars worth of bitcoin clearly doesn't think that the cost-to-benefit ratio exists yet for quantum to be a threat to these addresses--and you will absolutely see that as quantum grows, balances will move out of P2PKH that exceed the cost of attack.
But not everyone will or even can move their bitcoin from P2PKH--Satoshi mined a LOT of bitcoin to addresses early on, and very likely Satoshi is not around, has lost those keys, or never saved them to disk because the mining was experimental and the payment addresses may have been programmatically generated and thrown away.
The video author makes the argument that attackers are going to steal just a little bit of bitcoin from people's wallets (not enough to be noticed). How absurd is that? Bitcoin isn't 49 cents worth of pennies floating in your pocket that you won't notice turned into 48 pennies, or a rounding error bug in your bank account stealing fractions of a cent. Bitcoin owners watch the contents of their wallets programmatically. They will know as soon as any amount of satoshis are moved from their wallets. This idea of an attack assumes that the cost of quantum compute is free and that nobody will notice the security is compromised and it's somehow worth it to just take a little bit. That's absurd.
Why would you try to steal a tiny bit of someone's bitcoin, when you could crack Satoshi's keys and sign messages to the internet AS SATOSHI? You would effectively be the CEO of a $648B company. Additionally, nobody would be able to contest you on the rights to the funds because nobody else has these keys. You could target 1NSPqTZae3bCdiCNWSbkE4qBxfqjybA93S, one of the early block reward addresses (P2PKH), and then just sign messages to the internet saying things about bitcoin or other cryptocurrencies or about satoshi that would MOVE MARKETS. You would be immensely powerful. Stealing pocket change not only would be noticed as soon as you did it, it would be the most absurd usage of spending the resources to break P2PKH.
Additionally, there are about 4 million bitcoin that are currently assigned to public keys or to P2PKH sources that have been used multiple times. These are the easiest target for quantum to attack since you don't need to do the multiple Grover's steps and only need to use Shor's to factor the public key into the private key. When the cost of running this attack becomes a positive equation, we will see these funds move. These are the canary in the trillion dollar bitcoin mine.
In theory, an attacker could also try to skip the Grover's steps and only use Shor's by attacking transactions as they wait in the mempool, but this would require running the quantum attack during the window where funds wait to be processed. In order to achieve this rapidly, you need a MASSIVE quantum compute cluster. This would take 317 × 10^6 physical qubits (or 317,000,000 qubits, far more than Atom's 1,000+ cluster) to break the encryption within one hour. See Webber et al.
Higher Security
So we've shown how to reverse a P2PKH into a pubKey and hope that you can afford to Shor's algorithm your way to the private key, but this method is not so easy when you use other methods of security like P2SH (script addresses that start with a 3) or P2TR (taproot, starting with bc1p). These newer systems offer multiple layers of security that require a lot more than simply identifying a single public key and factoring the private key to match. All you really need to do to not be eaten by the bear is to run faster than all the people who are lazily eating a picnic behind you. Proper self-custody of bitcoin and key management is hard. It's not for everyone.
There are several valid ways to add even more security if you are concerned about quantum attacks:
- The simplest: don't assign large balances to a single address (don't be a valid cost-to-attack target). With an HD wallet, you can create as many addresses as you want and keep all of them below 1 BTC. The cost to attack you will not be worth it vs attacking someone else for the foreseeable future.
- Use multisig, requiring the signature from multiple private keys to spend funds--now they have to identify multiple keys that go with each other in order to move the funds, which turns this into an astronomical problem.
- Watch the large addresses and see where the money flows. You can be sure that major companies like Coinbase and Binance are smarter about this than you are and if you are storing your bitcoin in the same way they are but with smaller address balances (not in the 1000+ per address range), you are probably safu with your self-custody in terms of quantum risk (you may have other problems).
- Not typically recommended (and I’ll probably get destroyed in the comments by the hardcore folks), but if you really don’t think you can keep up with the security requirements of having sovereign control of your finances, maybe just put your bitcoin in Coinbase or CashApp and let them worry about quantum resistance—maybe it’s too soon in the adoption curve for you to worry about this.
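The post's defensive advice rests on three checks an owner can automate: watch the mempool for anyone else spending your outputs, keep each address below a balance that would make it a worthwhile target, and know which of your addresses have already spent (and so have their public key on-chain, the "canary" set the post describes). The following is an added example, not code from the post, that runs those three checks over a tiny constructed transaction history held in memory; the transaction ids, address labels and amounts are all invented, and a real deployment would feed the same functions from a node's mempool and UTXO data instead.

```python
from dataclasses import dataclass

# Added example, not code from the post: a watch-only monitor over a small,
# constructed transaction set. It implements three defensive points from the
# post: flag mempool spends of our outputs that we did not create, flag watched
# addresses whose balance exceeds a cap, and list watched addresses that have
# already spent (public key revealed on-chain).

SATS_PER_BTC = 100_000_000


@dataclass
class Tx:
    txid: str
    inputs: list    # (prev_txid, vout) outpoints being spent; empty for a coinbase
    outputs: list   # (address, sats) pairs


def build_utxo_set(confirmed: list) -> dict:
    """Replay confirmed txs in order; returns {(txid, vout): (address, sats)}."""
    utxos = {}
    for tx in confirmed:
        for prev in tx.inputs:
            utxos.pop(prev, None)            # consumed by this spend
        for vout, (addr, sats) in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = (addr, sats)
    return utxos


def exposed_addresses(confirmed: list) -> set:
    """Addresses that have spent at least once. Their public key is now on-chain,
    so (in the post's terms) only the Shor step remains, not the hash reversals."""
    seen = {}          # outpoint -> address, kept even after the outpoint is spent
    exposed = set()
    for tx in confirmed:
        for prev in tx.inputs:
            if prev in seen:
                exposed.add(seen[prev])
        for vout, (addr, _) in enumerate(tx.outputs):
            seen[(tx.txid, vout)] = addr
    return exposed


def balances(utxos: dict) -> dict:
    """Sum of unspent sats per address."""
    totals = {}
    for addr, sats in utxos.values():
        totals[addr] = totals.get(addr, 0) + sats
    return totals


def oversized_addresses(utxos: dict, watched: set, cap_sats: int) -> dict:
    """Watched addresses holding more than the cap: the post's 'don't be a target' rule."""
    return {a: s for a, s in balances(utxos).items() if a in watched and s > cap_sats}


def mempool_alerts(mempool: list, utxos: dict, watched: set, own_txids: set) -> list:
    """Unconfirmed txs that spend a watched address's coins and were not built by us."""
    alerts = []
    for tx in mempool:
        if tx.txid in own_txids:
            continue
        for prev in tx.inputs:
            addr, sats = utxos.get(prev, (None, 0))
            if addr in watched:
                alerts.append((tx.txid, addr, sats))
    return alerts


# Constructed sample data: invented txids, address labels and amounts.
WATCHED = {"addr_cold_1", "addr_cold_2", "addr_hot"}
CONFIRMED = [
    Tx("cb01", [], [("addr_cold_1", 5 * SATS_PER_BTC)]),        # 5 BTC parked on one address
    Tx("cb02", [], [("addr_cold_2", 50_000_000)]),              # 0.5 BTC
    Tx("cb03", [], [("addr_hot", 30_000_000)]),                 # 0.3 BTC
    Tx("t004", [("cb03", 0)],                                   # hot wallet spends and reuses itself
       [("addr_shop", 10_000_000), ("addr_hot", 19_990_000)]),
]
MEMPOOL = [
    Tx("m001", [("t004", 1)], [("addr_friend", 5_000_000), ("addr_hot", 14_980_000)]),  # our own payment
    Tx("m002", [("cb01", 0)], [("addr_unknown", 5 * SATS_PER_BTC - 10_000)]),          # not ours: alert
]
OWN_TXIDS = {"m001"}


def run_checks(confirmed=CONFIRMED, mempool=MEMPOOL, watched=WATCHED,
               own_txids=OWN_TXIDS, cap_btc=1) -> dict:
    utxos = build_utxo_set(confirmed)
    return {
        "exposed": exposed_addresses(confirmed) & watched,
        "oversized": oversized_addresses(utxos, watched, cap_btc * SATS_PER_BTC),
        "alerts": mempool_alerts(mempool, utxos, watched, own_txids),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

On the constructed data the monitor reports addr_hot as exposed (it spent in t004), addr_cold_1 as holding more than the 1 BTC cap from the post's first bullet, and m002 as a foreign spend of addr_cold_1's coins, which is the event the post expects a large holder to answer with a replace-by-fee transaction of their own.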
secp256k1 in either case. Just the signature is different, and the respective output type requires one or the other in the witness stack for spending.