Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Re: Quantum Computer vs Bitcoin
by
haltingprobability
on 24/12/2017, 18:55:43 UTC
Quote from: nullius on December 24, 2017, 06:39:37 PM
haltingprobability, thank you for your informative overview of the sitation.

A few nits:

Quote from: haltingprobability on December 24, 2017, 05:55:57 PM
In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

0. Actually, that would be 160-bit equivalent security, yes?

No, because the Bitcoin address is RIPEMD160(SHA256(pubkey)), with some additional protocol things tacked onto it. If you can find some reduction of SHA256 to RIPEMD160 such that you can recover any SHA256 preimage more or less for free from the RIPEMD160 preimage, then it would be 160-bit equivalent security. The 128-bit number comes from dividing 256 by two on the assumption that the best way to brute-force a Bitcoin address with a QC is to break the RIPEMD160 (I'm counting this as zero-cost) and then break the SHA256 (I'm counting this as 256-bit / 2 security = 128-bits security).

Quote
1. As a general point, I will worry about disclosing Bitcoin public keys at the same time I start to worry about disclosing my long-term PGP public key.  (For those in the peanut gallery:  The latter would be entirely useless without public disclosure.)

Mostly agreed. AFAIK, no one has ever shown any evidence that a PGP public key has ever been brute-forced to its private key. I would imagine that the NSA may have built equipment capable of doing that, among other things, if for no other reason than for research purposes, to probe the limits of what's possible (because, the Russians, of course).

Quote
There are excellent reasons to avoid address reuse; but this is not one of them.  I say this as a paranoid security nut:  The security of publicly disclosed public keys is just fine.  That is why they are called public keys.  The only exception I would here make is if you have coins which you intend to potentially leave in cold storage for decades.  Then, yes, you will want the extra security margin of the key being unpublished.

Bingo.