Threat models, landscapes, attack vectors, you name it.

Welcome,

Thank you to everyone who joined our events at Bitcoin Vegas. We’re launching our first product very soon - keep an eye out.

We released two blog posts recently: Quantum Wargames and Quantum Earthquakes, and Chaincode released a report on Bitcoin and Quantum Computing that’s worth a read.

P11 is hiring! We’re seeking a Special Projects lead, GTM specialist, social media manager and generalist operators. We’d be glad to hear from interested people at [email protected].

Wargames

In security parlance, people talk about the ‘threat landscape’ for a given situation. The military tries to define an ‘operational environment.’ What’s going to cause problems and trouble? What do we need to watch out for and prepare for? Who are the relevant actors, what are the weak points, and how do we win? Take these situations and hypotheticals, play them out, and you get wargames.

Bitcoin has its own threat landscape, and the forums and mailing lists are rife with possible scenarios: 51% attacks, selfish mining, spam, zero-day bugs in Core, phishing, censorship… Much of the Bitcoin project is an effort to foresee and prevent such threats. For a system created by cryptographers and chiefly concerned with censorship-resistance, this is natural.

We are concerned with quantum computing. Which parts of the Bitcoin protocol are vulnerable to quantum computing advantages, and how might those advantages be applied to compromise Bitcoin, or to enrich an attacker?

‘Not your keys, not your crypto.’

Forged signatures and recovered private keys are the most plausible near-term targets for quantum computers. Bitcoin relies on 256-bit elliptic curve digital signatures. We expect ECC to be compromised around the same time as RSA-2048, and possibly earlier - these will be some of the first protocols in widespread use to be broken by quantum computers. By forging signatures, an attacker will, in principle, be able to transfer the balance out of any address that has previously exposed its public key. Addresses that have previously sent BTC have exposed their public key by signing a transaction, while older wallets from the pay-to-public-key (P2PK) era are also exposed. Today, 1/3 of all Bitcoin in circulation is vulnerable to this type of attack, worth $700B.
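As an added illustration (not Project Eleven's code), here is a small Python audit that classifies raw scriptPubKeys by whether the public key is already readable on-chain, which is the exposure described above; it goes beyond the text by also covering native segwit and taproot outputs, and the sample scripts are constructed with fake keys and hashes rather than taken from the chain.

```python
from dataclasses import dataclass

# Script opcodes used below (standard Bitcoin Script byte values).
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)

@dataclass
class Exposure:
    script_type: str
    key_exposed: bool  # is the public key already readable on-chain?
    reason: str

def classify(spk: bytes, spent_from_before: bool = False) -> Exposure:
    """Classify a raw scriptPubKey. spent_from_before=True means a coin at this
    address was already spent, so a signature (hence the key) is on-chain."""
    n = len(spk)
    # P2PK: <33|65-byte key> OP_CHECKSIG -- the key is the script.
    if n in (35, 67) and spk[0] in (33, 65) and spk[-1] == OP_CHECKSIG:
        return Exposure("P2PK", True, "key sits in the output script itself")
    # P2TR: OP_1 <32-byte x-only output key> -- also exposed.
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return Exposure("P2TR", True, "taproot output key is in the script")
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        kind = "P2PKH"
    elif n == 22 and spk[:2] == bytes([OP_0, 20]):
        kind = "P2WPKH"
    elif n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[-1] == OP_EQUAL:
        kind = "P2SH"
    elif n == 34 and spk[:2] == bytes([OP_0, 32]):
        kind = "P2WSH"
    else:
        return Exposure("unknown", False, "non-standard script; review manually")
    if spent_from_before:
        return Exposure(kind, True, "hash-based, but a prior spend revealed the key")
    return Exposure(kind, False, "only a hash is on-chain until the first spend")

def exposed_value(utxos) -> int:
    """Sum sats held in UTXOs whose key is already exposed.
    utxos: iterable of (scriptPubKey bytes, value_sats, spent_from_before)."""
    return sum(sats for spk, sats, reused in utxos if classify(spk, reused).key_exposed)

# Constructed sample scripts with fake keys/hashes (not real on-chain data).
P2PK = bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x33" * 20
P2TR = bytes([OP_1, 32]) + b"\x44" * 32
SAMPLE = [(P2PK, 50_00000000, False), (P2PKH, 10_00000000, True),
          (P2WPKH, 5_00000000, False), (P2TR, 1_00000000, False)]
print("exposed sats:", exposed_value(SAMPLE))  # 6100000000 (61 of 66 BTC exposed)
```

Running the same classifier over a real UTXO export is the starting point for the kind of exposure estimate quoted above, and for deciding which of your own coins to move first when post-quantum outputs become available.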

Will we know if a quantum computer capable of this attack exists? Maybe not. The public efforts in quantum computing are those by Google, QuEra, IBM, AWS, IonQ, etc., and are largely US-based. We know much less about Chinese efforts, and there may be a substantial US government effort in quantum hardware. One scenario to consider is a Chinese quantum computer, developed in secrecy, being used to attack Bitcoin. Another scenario is that the US Government (USG) might demand access to, say, Google’s quantum computer(s) as soon as they are capable of running Shor’s algorithm, in which case the USG would possess an unprecedented ability to undermine Bitcoin. Presumably, the USG’s main interest in a QC would be to decrypt communications, but the capacity to attack Bitcoin would be one new lever in its toolbox.

Bitcoin’s proverbial socks would be thoroughly rocked. Trust in the network - and the financial value ascribed to it - is largely based on trust in cryptography. The world has a lot of faith in cryptography; enough for BlackRock to allow $70B of investment into a decentralised network started by an anon and without a board, CEO, or any sort of governance that could be compared to a public corporation. That cryptography is currently unassailable - nobody can credibly claim to have compromised it today. If that changes, however, Bitcoin’s position is dramatically weakened, and it becomes a much less stable (ha!) proposition. BTC holders could rapidly and permanently exit their positions at scale. Result: BTC price approaches $0, and stays there.

Suppose an adversary does possess a quantum computer and wants to attack Bitcoin. What might they do with it?

That depends on their goals. If their aim is to steal money, as North Korea might aim to do - see the Bybit attack - then they will try to extract and sell as many Bitcoin as possible before causing a run. That requires concealing the fact that they can run Shor’s algorithm for as long as possible. One strategy would be to compile a set of private keys that control large wallets, and then attempt to sell them all at once. The largest wallets are monitored, and active, so any large, unexpected movements from those would probably trigger chaos. The attacker would focus on smaller, inactive wallets and strike a balance between the dollar value of the wallet and the likelihood that it is being monitored. There is a constant stream of dormant wallets ‘waking up’ - as long as the attacker avoided moving BTC known to be mined by Satoshi, they could probably avoid detection. It’s difficult to say which wallets are truly dormant. A state might use apparently dormant wallets as an early-warning system of sorts for QDay, though they would need to have implemented this 5+ years ago.

Instead of accruing wealth, the attacker’s goal might be to trigger chaos in the financial markets, or to delegitimise Bitcoin for ideological reasons. In that case, they could target some of Bitcoin’s largest wallets: the Binance, Robinhood, Bitfinex or Tether wallets. Is it too much to expect that these companies would quickly recognise an unauthorised transfer from their wallets? Even if they did, they might take a few days to investigate the lost funds and not share news of the attack with the world immediately. An adversary could instead target some Satoshi wallets. At first, it appears that Satoshi has returned, and then it quickly becomes apparent that something is very wrong. What would be the single most destructive address to resurrect? This is left as an exercise for the reader.

There are myriad other scenarios, as well as details that could improve the above thought experiments, but they give a clear idea of the main ways in which the first quantum computer(s) could attack Bitcoin.

If Bitcoin upgrades to post-quantum signatures soon enough, none of these scenarios need occur, and mitigation becomes a lot simpler. Proof-of-work attacks need further consideration, but are far less urgent than signatures due to the much larger quantum speedup for discrete log problems (Shor’s algorithm, exponential speedup) compared to preimage attacks on hashes (Grover’s algorithm, quadratic speedup).

Until next time,

The Project Eleven Team

[email protected]