Why does hashing public keys not actually provide any quantum resistance?How can I protect my funds in the event a quantum computer breaks the ECDLP that Bitcoin relies on?Why is it impossible to derive public key from address?What is the use of hashing the public key to obtain the bitcoin address?Does address-reuse make Bitcoin private keys vulnerable to quantum computing?Why do all Electrum master public keys all start with xpub661MyMwAqRbc?Bitcoin Blockchain in the Quantum computing eraIs there a short-form for addresses with seven characters length?Bitcoin public key pre-0.6 length before hashingIOTA quantum resistancePublic Key VS Wallet Address - What is the difference?
Is there a heavy usage of the word "bonfire" in English?
When does "The Mandalorian" take place?
What was the deal with the news stories about rats in "Joker"?
How can a person Insulate copper wire in a medieval world?
Is the genre 'fantasy' still fantasy without magic?
Why does the media continue to hide the identity of the Trump-Ukraine whistle blower when they have already been outed?
Does the sun cross other spiral arms in its movement around the galaxy's center?
Are results that are derived simply by using more computational power publishable?
What does Ambassador Taylor have to do with anything?
Has anyone studied linear regression where the covariance matrix of the error is a function of the parameters being estimated?
Crack hashed passwords using a known password
What is the last point where one can throw away fruits if one has indicated "not bringing any fruit" on the US customs form when flying to the US?
Print out specific fields using regular expression in Linux
What can be found in towers of Tower Bridge?
What is the communications range of a standard Starfleet combadge?
Why does Greedo say "Maclunkey" in the Mos Eisley Cantina?
:wq command not found
Should a young man establish an income/house first and then marry or vice versa?
Selecting elements from a list under multiple conditions
How to react to unfair reviewer comments?
How can I communicate to my mother that her complaints about me make me feel like I'm not enough?
Can a microwave oven cook chicken?
Is the sentence "pay some in cash" understandable?
Heavy condensation inside car during winter. Tried multiple things, but no results!
Why does hashing public keys not actually provide any quantum resistance?
How can I protect my funds in the event a quantum computer breaks the ECDLP that Bitcoin relies on?Why is it impossible to derive public key from address?What is the use of hashing the public key to obtain the bitcoin address?Does address-reuse make Bitcoin private keys vulnerable to quantum computing?Why do all Electrum master public keys all start with xpub661MyMwAqRbc?Bitcoin Blockchain in the Quantum computing eraIs there a short-form for addresses with seven characters length?Bitcoin public key pre-0.6 length before hashingIOTA quantum resistancePublic Key VS Wallet Address - What is the difference?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?
public-key quantum-computing
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
add a comment
|
In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?
public-key quantum-computing
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
2
Related on crypto.SE
– Raghav Sood
Oct 16 at 0:02
add a comment
|
In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?
public-key quantum-computing
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?
public-key quantum-computing
public-key quantum-computing
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
asked Oct 15 at 23:13
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
40.1k4 gold badges30 silver badges77 bronze badges
2
Related on crypto.SE
– Raghav Sood
Oct 16 at 0:02
add a comment
|
2
Related on crypto.SE
– Raghav Sood
Oct 16 at 0:02
2
2
Related on crypto.SE
– Raghav Sood
Oct 16 at 0:02
Related on crypto.SE
– Raghav Sood
Oct 16 at 0:02
add a comment
|
1 Answer
1
active
oldest
votes
Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.
Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.
Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.
While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.
Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.
So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.
Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.
Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.
Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.
So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.
Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.
For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.
And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.
Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
4
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "308"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f91049%2fwhy-does-hashing-public-keys-not-actually-provide-any-quantum-resistance%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.
Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.
Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.
While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.
Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.
So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.
Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.
Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.
Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.
So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.
Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.
For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.
And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.
Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
4
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
add a comment
|
Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.
Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.
Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.
While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.
Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.
So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.
Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.
Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.
Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.
So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.
Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.
For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.
And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.
Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
4
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
add a comment
|
Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.
Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.
Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.
While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.
Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.
So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.
Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.
Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.
Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.
So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.
Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.
For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.
And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.
Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.
Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.
Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.
While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.
Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.
So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.
Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.
Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.
Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.
So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.
Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.
For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.
And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.
Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
edited Oct 16 at 0:44
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
answered Oct 16 at 0:09
Andrew Chow♦Andrew Chow
40.1k4 gold badges30 silver badges77 bronze badges
40.1k4 gold badges30 silver badges77 bronze badges
4
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
add a comment
|
4
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
4
4
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.
– nickler
Oct 16 at 8:02
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?
– chytrik
Oct 17 at 4:29
add a comment
|
Thanks for contributing an answer to Bitcoin Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f91049%2fwhy-does-hashing-public-keys-not-actually-provide-any-quantum-resistance%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
Related on crypto.SE
– Raghav Sood
Oct 16 at 0:02