Monday, January 30, 2023

safety – Does key derivation make (or help to make) Bitcoin “quantum secure”?

I was wondering if using one address per transaction would mitigate this problem

No, because the public key is revealed at spending time anyway, even if you never reuse addresses. The time between broadcasting the spending transaction and it being sufficiently buried on-chain still exposes the user to risk if hypothetical machines that can compute the discrete logarithm exist. Since we’re talking about hypothetical hardware, you can’t make any assumptions about how fast it would work.

Furthermore, several use cases of Bitcoin involve sharing public keys with other not-fully-trusted parties. For example, multisig wallets require public keys to be shared between the participants. Lightweight clients reveal public keys to the servers that help them track their balance. Lightning channels involve shared node public keys and channel public keys on the network. In the presence of hypothetical hardware that can compute private keys, Bitcoin as it is used today would pretty much cease to exist, as all these use cases disappear.

Finally, even if you yourself manage to carefully avoid all these scenarios that involve sharing of public keys, and we somehow assume that transactions in flight do not pose a risk, you have to consider that an enormous amount of BTC is currently held in addresses for which the public keys are known, even if not your funds. In the presence of a hypothetical EC breaking machine, so many funds would become exposed that I can’t imagine BTC maintaining much value.

I was wondering if using one address per transaction would mitigate this problem, since apparently key-derivation functions (bcrypt, Scrypt, Argon2) are mostly quantum-safe. My reasoning is that from your “master” private key, you’d derive a new one and from this one you’d generate the public key which finally generates the address, and then when this address spends any UTXO and consequently tells its public key to the network, an attacker would only be able to get the derived private key, but never the “master” one, meaning in the end the user is relatively safe as long as they don’t reuse the same address and keep on generating one address every time they want to receive a UTXO.

Yes and no.

  • Master private keys that deterministically generate the actual address keys are used ubiquitously in Bitcoin, precisely because it permits using a new address for every transaction without needing a backup of each individual key. The reason is not security, but privacy however; reuse of addresses gratuitously reveals information about shared ownership of UTXOs on chain.
  • In theory, key derivation mechanisms do exist which are quantum-secure (or could be), in the sense that an attacker who learns (through whatever means) the private key to an address can’t learn the master key it was generated from. The common key derivation mechanism used in Bitcoin (BIP32) doesn’t use such techniques however, because it is incompatible with xpubs. The (unhardened) BIP32 method supports sharing a master public key with another party (corresponding to your master private key which isn’t revealed), in such a way that these other parties can derive the public keys corresponding to the private keys you’d derive. This allows watch-only wallets that can track funds on an online machine, while the private keys remain safe on an offline one.
  • All the arguments above still apply: even if attackers are prevented from computing the master private key from an address private key, it doesn’t stop them from computing address private keys from public keys.

ECDSA, and other forms of EC-based cryptography are inherently not quantum-secure. It is tempting to think of ways to cover up this property or somehow reduce its impact, but it doesn’t change the fact that the cryptography inherently just isn’t designed for that. If we want post-quantum secure Bitcoin, we need to switch to actual cryptography designed for that, which is very actively being researched. I personally believe it’s too early to push for that practically, as existing schemes today are very novel, are frequently broken still, and come with huge downsides (mostly size of keys or signatures), but given how rapidly the field is progressing I’m confident these problems will reduce over time.
