Bitcoin Signatures are susceptible to quantum attacks - how exactly and with what practical impact?

Question

@PieterWuille wrote in another thread:

"" The hashing algorithm is probably the most quantum-resistant piece of cryptography right now in Bitcoin. Barring any specific breaks, SHA256 and RIPEMD160 are as quantum-resistant as hash functions can be (there is an inevitable square-root speedup that applies to any hash function). Much more can be said about the quantum resistance of digital signatures. – Pieter Wuille Mar 5 at 0:03 ""

I would like to ask for more precise information if possible:

Which precise parameters of bitcoins blockchain would be susceptible to quantum attacks (Pieter mentioned "signatures", but what else)? And what could be the potential impact if those parameters (signature, etc.) were successfully attacked? (one transaction could be blocked, the entire blockchain controlled, etc...which practical effects?)

-And what could be ways to prevent attacks on those parameters? Any ideas circulating among btc dev community on how to "adjust" those parameters?

• Or is the current consensus among the community to rather wait for the world till they provide new crypto schemes which are quantum proof (for example waiting for the NIST Post-Quantum Crypto Competition) ...

thank u!

Answer 1

Which precise parameters of bitcoins blockchain would be susceptible to quantum attacks?

(1) Private Key: ECDSA is the first thing that can get vulnerable with quantum computer. Using Shor’s algorithm and Grover’s algorithm you can break the private and public key encryption. As Peter said in the previous post, hashing is Quantum resistant, so you would not make your private key vulnerable in post quantum world when providing an address. However, when a person sends you some bitcoins, his signature/public key can reveal the private key. The owner of the quantum computer can go back across all transactions and calculate the private keys from the signature provided or from the public key and control all the UTXOs from it.

(2) Mining: A classical computer need O(N) operations to go through all the nonces in order to find the solution to the cryptographic puzzle. A Quantum computer would need O(sqrt(N)) to go through the nonces. This would lead to increase in efficiency in the order of magnitude of 10^10 (Tangle whitepaper). If mining is faster with a quantum computer, it could lead to consolidation of mining power if one entity were to acquire a quantum computer while it remains out of reach of others. In that case, the owner of the quantum computer can launch double spend attacks and all other benefits of 51% attack

According to this discussion, signature will need to move to post quantum world much before quantum PoW. This is because, the rough speedup is 2^240 for signatures while it is ~2^40 for proof of work.

What could be done to prevent attacks on those parameters?

(1) Bitcoin is more resistant to quantum computing than most of the security on which the internet relies. Moreover, if you never reuse addresses, then no one knows your public keys and thus there's nothing for a QC to solve. For example, when you send some bitcoins to a person, send the remaining change to an account controlled by a different private key. By the time someone gets your public keys/signatures, you've already spent the funds and sent the change to an account created by a different signature. Also the crypto algorithms in Bitcoin can be changed to quantum-resistant ones (see here).

(2) Bitcoin increases difficulty by only by a factor of 4 at a given time. This means we would need a hard fork to change the difficulty to suit that of Quantum computer it the transition does not happen gradually.