Why does hashing public keys not actually provide any quantum resistance?How can I protect my funds in the event a quantum computer breaks the ECDLP that Bitcoin relies on?Why is it impossible to derive public key from address?What is the use of hashing the public key to obtain the bitcoin address?Does address-reuse make Bitcoin private keys vulnerable to quantum computing?Why do all Electrum master public keys all start with xpub661MyMwAqRbc?Bitcoin Blockchain in the Quantum computing eraIs there a short-form for addresses with seven characters length?Bitcoin public key pre-0.6 length before hashingIOTA quantum resistancePublic Key VS Wallet Address - What is the difference?

Is there a heavy usage of the word "bonfire" in English?

When does "The Mandalorian" take place?

What was the deal with the news stories about rats in "Joker"?

How can a person Insulate copper wire in a medieval world?

Is the genre 'fantasy' still fantasy without magic?

Why does the media continue to hide the identity of the Trump-Ukraine whistle blower when they have already been outed?

Does the sun cross other spiral arms in its movement around the galaxy's center?

Are results that are derived simply by using more computational power publishable?

What does Ambassador Taylor have to do with anything?

Has anyone studied linear regression where the covariance matrix of the error is a function of the parameters being estimated?

Crack hashed passwords using a known password

What is the last point where one can throw away fruits if one has indicated "not bringing any fruit" on the US customs form when flying to the US?

Print out specific fields using regular expression in Linux

What can be found in towers of Tower Bridge?

What is the communications range of a standard Starfleet combadge?

Why does Greedo say "Maclunkey" in the Mos Eisley Cantina?

:wq command not found

Should a young man establish an income/house first and then marry or vice versa?

Selecting elements from a list under multiple conditions

How to react to unfair reviewer comments?

How can I communicate to my mother that her complaints about me make me feel like I'm not enough?

Can a microwave oven cook chicken?

Is the sentence "pay some in cash" understandable?

Heavy condensation inside car during winter. Tried multiple things, but no results!



Why does hashing public keys not actually provide any quantum resistance?


How can I protect my funds in the event a quantum computer breaks the ECDLP that Bitcoin relies on?Why is it impossible to derive public key from address?What is the use of hashing the public key to obtain the bitcoin address?Does address-reuse make Bitcoin private keys vulnerable to quantum computing?Why do all Electrum master public keys all start with xpub661MyMwAqRbc?Bitcoin Blockchain in the Quantum computing eraIs there a short-form for addresses with seven characters length?Bitcoin public key pre-0.6 length before hashingIOTA quantum resistancePublic Key VS Wallet Address - What is the difference?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









20

















In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?










share|improve this question





















  • 2





    Related on crypto.SE

    – Raghav Sood
    Oct 16 at 0:02

















20

















In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?










share|improve this question





















  • 2





    Related on crypto.SE

    – Raghav Sood
    Oct 16 at 0:02













20












20








20


1






In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?










share|improve this question















In the discussions about taproot, it was mentioned that outputs will include the public key directly instead of hashing them. It is stated that, currently, hashing does not really provide quantum resistance. Why is that?







public-key quantum-computing






share|improve this question














share|improve this question











share|improve this question




share|improve this question










asked Oct 15 at 23:13









Andrew ChowAndrew Chow

40.1k4 gold badges30 silver badges77 bronze badges




40.1k4 gold badges30 silver badges77 bronze badges










  • 2





    Related on crypto.SE

    – Raghav Sood
    Oct 16 at 0:02












  • 2





    Related on crypto.SE

    – Raghav Sood
    Oct 16 at 0:02







2




2





Related on crypto.SE

– Raghav Sood
Oct 16 at 0:02





Related on crypto.SE

– Raghav Sood
Oct 16 at 0:02










1 Answer
1






active

oldest

votes


















26


















Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.



Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.



Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.



While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.



Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.



So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.



Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.



Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.



Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.



So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.



Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.



For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.



And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.




Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).






share|improve this answer























  • 4





    Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

    – nickler
    Oct 16 at 8:02











  • The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

    – chytrik
    Oct 17 at 4:29












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "308"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);














draft saved

draft discarded
















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f91049%2fwhy-does-hashing-public-keys-not-actually-provide-any-quantum-resistance%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown


























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









26


















Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.



Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.



Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.



While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.



Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.



So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.



Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.



Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.



Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.



So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.



Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.



For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.



And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.




Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).






share|improve this answer























  • 4





    Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

    – nickler
    Oct 16 at 8:02











  • The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

    – chytrik
    Oct 17 at 4:29















26


















Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.



Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.



Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.



While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.



Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.



So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.



Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.



Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.



Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.



So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.



Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.



For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.



And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.




Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).






share|improve this answer























  • 4





    Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

    – nickler
    Oct 16 at 8:02











  • The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

    – chytrik
    Oct 17 at 4:29













26














26










26









Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.



Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.



Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.



While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.



Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.



So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.



Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.



Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.



Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.



So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.



Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.



For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.



And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.




Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).






share|improve this answer
















Although hashing a public key by itself does provide quantum resistance, this is really only when it is considered by itself in a vacuum. Unfortunately, public key hashes do not exist in a vacuum and there are many other things in Bitcoin that need to be considered.



Firstly, if public keys were hashed, the funds are only protected before they are spent. As soon as a P2PKH or P2WPKH output is spent, the public key is exposed. Whilst the transaction is unconfirmed, an attacker with a fast enough quantum computer could compute the private key and create a conflicting transaction which sends the funds to himself instead of the intended recipient.



Furthermore, if that attacker is a miner, they could do this with every single transaction and simply refuse to mine transactions that don't send the coins to himself.



While this is a problem, people often argue that it's better than someone just spending the Bitcoin outright because they have the public key from the blockchain. While that is true, there are an extremely large number of outputs with exposed public keys.



Over 5.5 Million Bitcoin are in outputs with exposed public keys, either because they are P2PK outputs, or because users are reusing addresses and thus public keys are exposed in other transactions. So if a quantum computer existed that could produce the private key for a public key in a reasonable amount of time, the attacker would be able to steal so much Bitcoin that they would decimate the Bitcoin economy and Bitcoin would become worthless.



So while your particular outputs may be protected by hashes, the value of those outputs would be 0 as millions of Bitcoin are stolen. All that the hashes really do is provide a false sense of security.



Then there are issues with tooling and wallet software the simply expose public keys in other ways than just in transactions and in the blockchain. No existing tools treat public keys as private information; there's no reason they should.



Many wallets send the parent extended public keys to a server so that the server can watch for transactions and send that data back to the client. Anyone who uses such a wallet, even temporarily, exposes their parent public key to a service provider. That provider could then compute the private keys to the public keys they have, derive all of the child keys, and steal all of the Bitcoin associated with anyone who has used their wallet.



Additional issues exist with complex scripts and contracts involving public keys. These scripts, such as multisigs, do not hash the public keys. Furthermore, these contracts typically exist because not all parties necessarily trust each other; one of them could be malicious. In such cases, a malicious participant in the contract would know the public keys involved (by virtue of knowing the script) and be able to steal the Bitcoin associated with those outputs. Existing public key hashes do not protect against this.



So overall, there are tons of ways that public keys are already exposed outside of transactions. These all would allow different kinds of attackers to steal millions of Bitcoin thereby causing the value of Bitcoin to go to 0, which renders any Bitcoin protected by public key hashes to be worthless anyways. Furthermore, users are probably exposing their public keys in unintended ways due to the software that they are using. So using public key hashes only serves to provide a false sense of security, while also increasing the size of transactions. In general, it is not worth the extra size.



Lastly, it is possible to do a transition to post quantum cryptography if it is found that a QC exists which can break ECDLP. If detected in time but still too late to do a proper upgrade, all use of signature algorithms relying on ECDLP (i.e. ECDSA and Schnorr) could be soft forked out thereby locking all coins. The coins could then be spent by providing a Zero Knowledge Proof of some non-exposed or quantum resistant information that indicates ownership of the private keys for the public key.



For example, users could provide a proof that they have the BIP 32 seed that was used to derive the private key for the given public key. Since it is a Zero-Knowledge Proof, the seed itself is not exposed (note that the seed is not part of a public-private keypair so there is no public component that is shared). Since most wallets use BIP 32, this should be sufficient. There may be other ways to prove ownership without risking coins that have not been thought of yet.



And of course, this all assumes that a quantum computer capable of computing the private key for a public key appears without the public being aware of the technology being close to existing. What is likely to happen is that the progression of quantum computers will be observed, and, at some point prior to them being powerful enough to break ECDLP, Bitcoin will soft fork in a Quantum resistant signature algorithm. Eventually, signatures relying on ECDLP will be removed. And all of that will occur before quantum computers truly becomes a thread. So in that scenario, hashing public keys provides no help anyways.




Note that all of the above is not just limited to quantum computers. It generally applies to any cryptographic break of ECDSA (or Schnorr).







share|improve this answer















share|improve this answer




share|improve this answer








edited Oct 16 at 0:44

























answered Oct 16 at 0:09









Andrew ChowAndrew Chow

40.1k4 gold badges30 silver badges77 bronze badges




40.1k4 gold badges30 silver badges77 bronze badges










  • 4





    Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

    – nickler
    Oct 16 at 8:02











  • The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

    – chytrik
    Oct 17 at 4:29












  • 4





    Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

    – nickler
    Oct 16 at 8:02











  • The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

    – chytrik
    Oct 17 at 4:29







4




4





Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

– nickler
Oct 16 at 8:02





Perhaps worth noting that considering one of the current Post Quantum signatures schemes (such as RFC 8391) for Bitcoin today would be extremely premature. Such signature schemes would greatly affect Bitcoin's usefulness, because they are huge in terms of size and/or slow and/or have footguns such as statefulness. This is still a very active research field with new schemes being proposed frequently and ongoing standardization efforts.

– nickler
Oct 16 at 8:02













The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

– chytrik
Oct 17 at 4:29





The mention of using a ZKP of a BIP32 seed to recover coins in a post-quantum world is interesting. Based on your reasoning, I'd agree hashing a pubkey doesn't provide meaningful protection for your BTC-stored wealth, but clearly there are advantages to more complex constructions for addresses (the BIP32 key-derivation function being more quantum-proof, in this case). So I think this prompts the question: what constructions are known to provide some level of safety from a quantum computer defeating the ECDLP?

– chytrik
Oct 17 at 4:29


















draft saved

draft discarded















































Thanks for contributing an answer to Bitcoin Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f91049%2fwhy-does-hashing-public-keys-not-actually-provide-any-quantum-resistance%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown









Popular posts from this blog

Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單