How quantum computing affects Bitcoiners 🧵

Summarizing Chaincode Labs' excellent recent paper on the topic

tl;dr
😅 Quantum computers do not pose a threat to Bitcoin today
😰 But many researchers agree they will in the next 5 - 10 years
🧐 Bitcoiners should start working on mitigations

Here's how quantum computers could threaten Bitcoin:

An everyday computer can derive a public key from a Bitcoin private key in a few microseconds. But the reverse is much more difficult: today's supercomputers would take ~100 quadrillion years to find the private key for a known public key.

Quantum computers could theoretically derive a Bitcoin private key from a known public key in just a few hours (the underlying problem, the elliptic-curve discrete logarithm, is exactly what Shor's algorithm solves efficiently).

So the primary risk quantum computing poses to Bitcoiners is for situations where the public key to your coins has been exposed. How might that have happened?

Long-range quantum attacks:
Some address types put their public key on chain as soon as they receive coins:
Pay to public key (P2PK)
Pay to (bare) multisig
Pay to Taproot (P2TR)
Since these public keys are exposed as soon as the address receives coins, a quantum computer could derive their private keys and steal the coins at any later time. Hash-based address types (P2PKH, P2SH, P2WPKH, P2WSH) put only a hash on chain, so their keys stay hidden until the coins are spent.

Short-range quantum attacks:
When you spend bitcoin, you reveal the public key for the coins in your transaction. A quantum computer could derive the private key and spend those coins in a new transaction with a higher fee before your transaction is included in a block.

Address reuse:
Coins sitting at a reused address from which other coins have already been spent are also vulnerable, because the previous spends revealed the address's public key. A quantum computer could derive the private key for any coins still at a reused address.

Exposed xpubs:
Many services ask Bitcoiners for an extended public key (xpub) used to generate addresses. If such an xpub is leaked, every address generated from it becomes vulnerable: the xpub yields all of the child public keys, and a quantum computer could derive each child's private key.

Advances in quantum computing could also affect mining:

Quantum computers may slightly weaken the security of the SHA256 hash function used in mining (Grover's algorithm offers at most a quadratic speedup on hash search), but it is unlikely they could break it. This means Proof of Work is probably still reliable in a quantum computing future.

However, quantum miners may be subject to much stronger centralization pressures: the best quantum hardware "would gain a disproportionate speedup, eliminating the incentive for less powerful quantum miners - as well as those who lack quantum computers - to participate"

Quantum resistance

Fortunately, there are a number of feasible proposals for how Bitcoin could become resistant to quantum attacks. Unfortunately, most of them involve using much larger signatures (read: quantum resistant spending might mean you pay a lot more in mining fees).

Tomorrow, we'll look at the second half of Chaincode's paper: migration strategies and the big question facing Bitcoiners: burn or steal?

Read the full Chaincode report at: 📄.pdf

And be sure to follow the report's authors: Clara Shik & ozdeadman
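The exposure rules summarized in this thread (long-range attacks on P2PK, bare multisig and Taproot outputs, and address reuse on hash-based outputs) can be checked mechanically from a coin's scriptPubKey. The script below is an added example, not code from the Chaincode paper or its authors: it recognizes the standard Bitcoin output templates and reports whether a quantum adversary could already read the spending key from chain. The `spent_from_before` flag is an assumption made here to model address reuse (the caller supplies it from chain history); the sample outputs are constructed with dummy key and hash bytes, not real UTXOs.

```python
"""Classify Bitcoin output scripts by when they reveal the spending public key.

Added example illustrating the thread's exposure rules; not code from the
Chaincode paper or its authors. The templates are the standard ones
(P2PK, bare multisig, P2PKH, P2SH, P2WPKH, P2WSH, P2TR); the sample outputs
at the bottom are constructed with dummy key/hash bytes, not real UTXOs.
"""

# Script opcodes and push lengths used by the standard templates.
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xA9, 0xAC, 0xAE
PUSH20, PUSH32, PUSH33, PUSH65 = 0x14, 0x20, 0x21, 0x41

# Templates whose key is on chain from the moment the output is created
# (for Taproot, the output key itself is a secp256k1 point): long-range surface.
EXPOSED_AT_RECEIVE = {"p2pk", "bare_multisig", "p2tr"}
# Templates that commit only to a hash; the key(s) appear when the coins are spent.
EXPOSED_AT_SPEND = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def _is_bare_multisig(spk: bytes) -> bool:
    """OP_m <33/65-byte pubkey>... OP_n OP_CHECKMULTISIG with m <= n."""
    if len(spk) < 3 or spk[-1] != OP_CHECKMULTISIG:
        return False
    op_m, op_n = spk[0], spk[-2]
    if not (OP_1 <= op_m <= OP_16 and OP_1 <= op_n <= OP_16 and op_m <= op_n):
        return False
    i, keys = 1, 0
    while i < len(spk) - 2:
        push = spk[i]
        if push not in (PUSH33, PUSH65):
            return False
        i += 1 + push
        keys += 1
    return i == len(spk) - 2 and keys == op_n - OP_1 + 1


def script_type(spk: bytes) -> str:
    """Return the standard template name for a scriptPubKey, or 'unknown'."""
    n = len(spk)
    if n in (35, 67) and spk[0] in (PUSH33, PUSH65) and n == spk[0] + 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, PUSH20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    if n == 23 and spk[:2] == bytes([OP_HASH160, PUSH20]) and spk[-1] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == bytes([OP_0, PUSH20]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, PUSH32]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, PUSH32]):
        return "p2tr"
    if _is_bare_multisig(spk):
        return "bare_multisig"
    return "unknown"


def key_exposure(spk: bytes, spent_from_before: bool = False) -> str:
    """'exposed' if the key can already be read from chain, 'hashed' if only a
    hash is on chain so far, 'unknown' for non-standard scripts.

    spent_from_before (assumed flag, supplied from chain history) models address
    reuse: once anything has been spent from a hash-based address, its key is
    public, so any coins still sitting there are exposed too.
    """
    t = script_type(spk)
    if t in EXPOSED_AT_RECEIVE:
        return "exposed"
    if t in EXPOSED_AT_SPEND:
        return "exposed" if spent_from_before else "hashed"
    return "unknown"


def sample_output(kind: str) -> bytes:
    """Constructed scriptPubKeys with dummy key/hash bytes (not real outputs)."""
    key33 = bytes([0x02]) + bytes(range(1, 33))  # dummy compressed-key encoding
    h20, h32 = bytes(20), bytes(32)
    return {
        "p2pk": bytes([PUSH33]) + key33 + bytes([OP_CHECKSIG]),
        "bare_multisig": bytes([OP_1, PUSH33]) + key33 + bytes([PUSH33]) + key33
                         + bytes([OP_1 + 1, OP_CHECKMULTISIG]),  # 1-of-2
        "p2pkh": bytes([OP_DUP, OP_HASH160, PUSH20]) + h20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
        "p2sh": bytes([OP_HASH160, PUSH20]) + h20 + bytes([OP_EQUAL]),
        "p2wpkh": bytes([OP_0, PUSH20]) + h20,
        "p2wsh": bytes([OP_0, PUSH32]) + h32,
        "p2tr": bytes([OP_1, PUSH32]) + h32,
    }[kind]


if __name__ == "__main__":
    for kind in ("p2pk", "bare_multisig", "p2pkh", "p2sh", "p2wpkh", "p2wsh", "p2tr"):
        spk = sample_output(kind)
        print(f"{kind:14} {script_type(spk):14} fresh={key_exposure(spk):8} "
              f"reused={key_exposure(spk, spent_from_before=True)}")
```

Running it prints one row per template: the three long-range types are "exposed" whether or not the address has been used, while the hash-based types flip from "hashed" to "exposed" only once a spend from that address has revealed the key. Note that P2SH and P2WSH reveal the whole redeem script (and every key in it) on spend, so a reused multisig address is exposed for all of its signers, not just one.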