In a number of threads, I have observed confusion over the security level of the secp256k1 elliptic curve used by Bitcoin's public keys. Following is an image of Table 1 at page 8 of the pertinent standard (PDF). I have added a red arrow pointing to the line matching what Bitcoin uses. The two most important columns here are Strength, representing the security level of the algorithm, and Size, the actual key size in bits. The strength equivalence to RSA/DSA is a vexed estimate I would prefer to mostly ignore here.
Thus, as you can see, Bitcoin's public-key crypto uses 256-bit keys but is deemed to have a 128-bit security level. I will briefly explain what that means.
If an attacker were to use a brute-force attack, trying keys one by one, that would require on the order of 2^256 work. (I here ignore the restrictions on valid secp256k1 keys, which reduce that to about 2^255.5; the difference would be negligible in practical terms, and it's anyway not relevant here.)
However, no serious attacker would ever try to brute-force elliptic-curve crypto. Rather, it is estimated that breaking Bitcoin's 256-bit keys with the best known attacks should require around 2^128 work to solve the ECDLP and thus calculate the private key from the public key. In practical terms, it is therefore considered to have security equivalent to that of a 128-bit cipher for which the best known attack is brute force.
Similar security-level estimates are used for other public-key crypto, such as RSA. However, RSA security-level estimates are so vexed and unreliable that I quite mistrust them. I remember when 1024-bit RSA was oftentimes claimed to be oh so secure... um, no. The above table estimates that Bitcoin's public-key crypto has an equivalent strength to 3072-bit RSA. I suppose that sounds reasonable... maybe.
For comparison, Ed25519 is also considered to have a 128-bit security level; and Ed448-Goldilocks is considered to have a 224-bit security level. NIST P-256 is claimed to have a 128-bit security level, and NIST P-521 is claimed to have a 256-bit security level, although nobody sane uses NIST curves anymore.
In layman's terms, a 128-bit security level is very, very strong. It is what buzzword-lovers usually refer to as "military-grade security". Those who seek better than military-grade security (or wish to make fun of that idiotic term) may instead seek Spinal Tap grade security.
How strong is a 128-bit security level? For reference, at current hashrate, it would take the entire Bitcoin mining network more than one trillion (10^12) years to perform 2^128 work, and that's with SHA-256 ASICs, which can't be repurposed to do other calculations. Performing 2^128 calculations of any kind is what I call "boil the oceans" security: the energy required would actually do that, and worse. It is unreasonable to suppose that it could ever be humanly possible to do 2^128 work.
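As an added illustration of the arithmetic behind that "trillion years" figure (this is not part of the original post), the script below assumes a whole-network hashrate of 1e19 hashes per second, a constructed round number you should replace with the current one, and treats one hash as one unit of work, which is generous to the attacker:

```python
import math

SECONDS_PER_YEAR = 365.25 * 86_400  # Julian year

# Constructed assumption: about 10 EH/s (1e19 SHA-256 hashes per second) for the
# whole Bitcoin mining network. Substitute the current figure to refresh the estimate.
ASSUMED_NETWORK_HASHRATE = 1e19


def bits_of_work_per_year(hashrate: float) -> float:
    """Security level, in bits, that a network running at `hashrate` exhausts in one year.

    Each extra bit of security level doubles the time, so an n-bit level takes about
    2 ** (n - bits_of_work_per_year) years.
    """
    return math.log2(hashrate * SECONDS_PER_YEAR)


def years_to_do_work(security_bits: float, hashrate: float) -> float:
    """Years for a network doing `hashrate` operations/second to perform 2**security_bits work.

    Counting one hash as one operation is a lower bound: an ECDLP step costs far more
    than one SHA-256 evaluation, and mining ASICs cannot be repurposed for it anyway.
    """
    return 2.0 ** security_bits / (hashrate * SECONDS_PER_YEAR)


def feasibility_table(hashrate: float = ASSUMED_NETWORK_HASHRATE) -> dict[int, float]:
    """Years of work at `hashrate` for the levels discussed in the post:
    2^80 (a hypothetical post-breakthrough cost), 2^128 (secp256k1's best-known attack)
    and 2^256 (naive brute force over the whole key space)."""
    return {bits: years_to_do_work(bits, hashrate) for bits in (80, 128, 256)}


if __name__ == "__main__":
    print(f"network performs about 2^{bits_of_work_per_year(ASSUMED_NETWORK_HASHRATE):.1f} work per year")
    for bits, years in feasibility_table().items():
        print(f"2^{bits:<3} work: {years:.3g} years")
```

At the assumed hashrate the network does roughly 2^88 work per year, so 2^128 is about 2^40 years (a little over a trillion), whereas 2^80 would fall in a couple of days, which is why a breakthrough of that size is the case to watch.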
Thus, Bitcoin's public-key security is humanly impossible to break now and for the foreseeable future. It could only be broken in one of two cases: either a new mathematical advance drastically reduces the work required for the best known attack, say to 2^80 or less; or there is constructed that mythical quantum computer which doesn't exist, and may or may not be possible. Very smart people have spent many years trying to do each of these tasks. Research in these fields usually tends to be incremental; so if (if) they ever succeed, we will probably have at least a few years' warning.
The usual reasons for seeking a 256-bit security level are (0) to provide an extra security margin against unforeseen mathematical breakthroughs, and (1) because for most use cases, the extra cost is relatively small; so why not have the security of something which is twice as impossible to break? (Well, if you need to store keys in transaction outputs on the Bitcoin blockchain, the size difference would cause higher fees, for one problem: a real and immediate cost to users.)
But setting aside the potential of such unlikely events, the upshot is that Bitcoin's public keys are plenty strong enough to protect the monetary value equivalent of hundreds of billions of dollars. Or trillions. Or all the money on Earth.
I strongly recommend that anybody not deeply involved in developing Bitcoin's long-term security should absolutely not worry about the strength of Bitcoin's public-key security. It's worse than useless worry: it is a distraction from real problems. Worry instead about your computer security, your operational security, and your financial privacy. (Nobody can target you for theft or coercion if nobody knows you have anything significant to take.)
It is as if many people are keeping their coins in a safe with an unbreakable door (the cryptography, all of it) and walls made of tissue paper (the malware-infested PC, privacy leaks which may allow thieves to identify you and know what money you have, etc., etc.). Then, they obsessively worry about the security of the door!
Don't do that.