Quantum computers are computers which exploit quantum mechanics to do certain computations far more quickly than traditional computers. A sufficiently large quantum computer would cause some trouble for Bitcoin, though it would certainly not be insurmountable.

*Note that the abbreviation QC can stand for either quantum computer(s) or quantum cryptography.*

## QC attacks

The most dangerous attack by quantum computers is against public-key cryptography. On traditional computers, it takes on the order of 2^128 basic operations to get the Bitcoin private key associated with a Bitcoin public key. This number is so massively large that any attack using traditional computers is completely impractical. However, it is known for sure that it would take a sufficiently large quantum computer on the order of only 128^3 basic quantum operations to be able to break a Bitcoin key using Shor’s Algorithm. This might take some time, especially since the first quantum computers are likely to be extremely slow, but it is still very practical.

For symmetric cryptography, quantum attacks exist, but are less dangerous. Using Grover’s Algorithm, the number of operations required to attack a symmetric algorithm is square-rooted. For example, finding some data which hashes to a specific SHA-256 hash requires 2^256 basic operations on a traditional computer, but 2^128 basic quantum operations. Both of these are impractically large. Also, since quantum computers will be massively slower and more expensive than traditional computers for decades after they are invented, quantum attacks against symmetric crypto seem unlikely to be especially common. Bitcoin mining, which is essentially an “attack” against symmetric crypto, might never be dominated by quantum miners, for example, since traditional miners could very well always be faster and cheaper.

### Timeline / plausibility

Creating a quantum computer is a *massive* scientific and engineering challenge. As of 2018, the largest general-purpose quantum computers have fewer than 10 qubits. Attacking Bitcoin keys would require around 1500 qubits. Humanity presently does not have the technology necessary to create a quantum computer large enough to attack Bitcoin keys. It is not known how quickly this technology will advance; however, cryptography standards such as ECRYPT II tend to say that Bitcoin’s 256-bit ECDSA keys are secure until at least 2030-2040.

There is a company called D-Wave which claims to produce quantum computers with over 1000 qubits. However, this claim has not been universally accepted, and even if it is true, this is a *special-purpose* quantum computer incapable of attacking crypto.

## Mitigations

Bitcoin already has some built-in quantum resistance. If you only use Bitcoin addresses one time, which has always been the recommended practice, then your ECDSA public key is only ever exposed at the one time that you spend bitcoins sent to each address. A quantum computer would need to be able to break your key in the short time between when your transaction is first sent and when it gets into a block. It will likely be decades after a quantum computer first cracks a Bitcoin key before quantum computers become this fast.

All of the commonly-used public-key algorithms are broken by QC. This includes RSA, DSA, DH, and all forms of elliptic-curve cryptography. Public-key crypto that is secure against QC does exist, however. Presently, Bitcoin experts tend to favor a cryptosystem based on Lamport signatures. Lamport signatures are very fast to compute, but they have two major downsides:

- The signature would be fairly large, around 11 kB (169 times larger than now). This would be very bad for Bitcoin’s overall scalability, since bandwidth is one of the main limiting factors to Bitcoin’s scaling. Advances in scalability such as Segregated Witness (the 11 kB is part of the witness) and Lightning would help.
- At the time that you create each keypair, you would need to set some finite maximum number of times that you can sign with this key. Signing more than this number of times would be insecure. Increasing the signing limit increases the size of each signature to even more than 11 kB. With Bitcoin, you are only supposed to use each receiving address once, so we could perhaps get away with a very small max number of signatures per key (maybe just 1).
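To make both downsides concrete, here is a minimal Lamport one-time signature scheme built on SHA-256. This is an added illustration, not code from the wiki; it uses 256 pairs of 32-byte secrets, so its signatures come out at 8 KB (the 11 kB figure above corresponds to a different parameter choice), and `positions_fully_exposed` quantifies how much of the private key becomes public if the same key signs a second message.

```python
import hashlib
import secrets

HASH_BITS = 256  # one (secret0, secret1) pair per bit of the SHA-256 message digest


def keygen():
    """Lamport key pair: 256 pairs of random 32-byte secrets and their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def message_bits(message: bytes) -> list:
    """Bits of SHA-256(message), most significant first, one per key-pair position."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(sk, message: bytes) -> list:
    """For each digest bit i, reveal the secret sk[i][bit]: 256 x 32 B = 8192 B."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message: bytes, signature: list) -> bool:
    """Each revealed secret must hash to the published value for that bit."""
    if len(signature) != HASH_BITS:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (bit, s) in enumerate(zip(message_bits(message), signature)))


def signature_size(signature: list) -> int:
    """Total bytes on the wire (the part that would live in the witness)."""
    return sum(len(s) for s in signature)


def positions_fully_exposed(msg_a: bytes, msg_b: bytes) -> int:
    """Why the key is one-time: signing two messages reveals BOTH secrets at every
    position where their digests differ, so the key no longer commits to one bit there."""
    return sum(a != b for a, b in zip(message_bits(msg_a), message_bits(msg_b)))


if __name__ == "__main__":
    sk, pk = keygen()
    tx = b"constructed sample: first spend from this address"
    sig = sign(sk, tx)
    print(verify(pk, tx, sig), signature_size(sig))
    print(positions_fully_exposed(tx, b"constructed sample: second spend"))
```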

There is also some ongoing academic research on creating quantum-safe public-key algorithms with many of the same properties as today’s public-key algorithms, but this is very experimental. It is not known whether it will end up being possible.

A new public-key algorithm can be added to Bitcoin as a softfork. From the end-user perspective, this would appear as the creation of a new address type, and everyone would need to send their bitcoins to this new address type to achieve quantum security.
