Yes, you are talking about a search in a 2^80 keyspace, even with quantum speedups. It’ll be a long, long time before anyone has the capability to o 2^80 large quantum computations in the span of 10 minutes, much longer until the cost of doing that computation will be less than the value of the coins.
So long as you are not stupid enough to reuse keys, it’s a non-issue.
Yes, you are talking about a search in a 2^80 keyspace, even with quantum speedups.
I have no problem with searching in a 2^80 keyspace with conventional means in a second. I have a low likelihood of finding the key but the likelihood is around the same if I do 100000 searches that take 1 second or one search that takes 100000 seconds.
If I want to stay under a 10 minute time threshold I can just switch the key I’m attacking every second.
I don’t know enough about quantum computation to know whether switching the attacked key frequently possible in the same way with the quantum algortihms but I would expect it to be.
I’m sorry, I don’t understand. That doesn’t make it any more economical. 2^80 is a big, big number: 1,208,925,819,614,629,174,706,176. Assuming you could try a billion keys a second (that’s quite the quantum computer!) then it’d still take you nearly 40 million years before you have a reasonable chance of guessing a single key.
But you can’t attack the ECDSA by Shor’s algorithm if you don’t know the public key, as is the case with a pubkey-hash address that has never been used. If you avoid key reuse, the only moment when coins are vulnerable is that ~10 minute interval after you’ve broadcast a transaction spending the coins but it hasn’t yet made it into a block.
No, first of all they are qualitatively different. Not all targets are the same. At best you could attack whatever the largest input in your current mempool is, perhaps a few dozen bitcoins at most. Whereas if you could choose your targets, something like this is better:
Second, it doesn’t change the fact that you’d still have this insanely powerful quantum supercomputer running for millions of years before you have a chance at double-spending a single coin. Not economically viable as I said before.
Second, it doesn’t change the fact that you’d still have this insanely powerful quantum supercomputer running for millions of years before you have a chance at double-spending a single coin. Not economically viable as I said before.
Various people do consider ECDSA to be effectively broken with quantum computers. It’s hard to estimate what a quantum computer of a certain power is going to cost in 20 years.
That said, I don’t need to capture enough coins to pay for the attack. I can buy options on failing bitcoin price and attack. If it’s known that there’s an attacker who randomly hijacks transactions the bitcoin price takes a blow.
Yes, you are talking about a search in a 2^80 keyspace, even with quantum speedups. It’ll be a long, long time before anyone has the capability to o 2^80 large quantum computations in the span of 10 minutes, much longer until the cost of doing that computation will be less than the value of the coins.
So long as you are not stupid enough to reuse keys, it’s a non-issue.
I have no problem with searching in a 2^80 keyspace with conventional means in a second. I have a low likelihood of finding the key but the likelihood is around the same if I do 100000 searches that take 1 second or one search that takes 100000 seconds.
If I want to stay under a 10 minute time threshold I can just switch the key I’m attacking every second.
I don’t know enough about quantum computation to know whether switching the attacked key frequently possible in the same way with the quantum algortihms but I would expect it to be.
I’m sorry, I don’t understand. That doesn’t make it any more economical. 2^80 is a big, big number: 1,208,925,819,614,629,174,706,176. Assuming you could try a billion keys a second (that’s quite the quantum computer!) then it’d still take you nearly 40 million years before you have a reasonable chance of guessing a single key.
The point is that the 10 minute time limited in which transactions get confirmed is irrelevant and provides no protection.
Shor’s algorithm runs in polynomial time and can thus effectively used to attack public key crypto if you have a quantum computer at your disposal.
Bitcoin public key crypto also runs on ECDSA and Bruce Scheiner annouced earlier this year that he fears the NSA might have the ability to hack into ECDSA: http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
But you can’t attack the ECDSA by Shor’s algorithm if you don’t know the public key, as is the case with a pubkey-hash address that has never been used. If you avoid key reuse, the only moment when coins are vulnerable is that ~10 minute interval after you’ve broadcast a transaction spending the coins but it hasn’t yet made it into a block.
Yes, but as I said above that 10 minutes interval is irrelevant when you can just change your target key every minute.
As a attacker it’s quite okay to capture random transactions instead of attacking specific transactions.
No, first of all they are qualitatively different. Not all targets are the same. At best you could attack whatever the largest input in your current mempool is, perhaps a few dozen bitcoins at most. Whereas if you could choose your targets, something like this is better:
http://blockchain.info/address/1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a
Second, it doesn’t change the fact that you’d still have this insanely powerful quantum supercomputer running for millions of years before you have a chance at double-spending a single coin. Not economically viable as I said before.
Various people do consider ECDSA to be effectively broken with quantum computers. It’s hard to estimate what a quantum computer of a certain power is going to cost in 20 years.
That said, I don’t need to capture enough coins to pay for the attack. I can buy options on failing bitcoin price and attack. If it’s known that there’s an attacker who randomly hijacks transactions the bitcoin price takes a blow.