All 21 million Bitcoin is at risk from quantum computers

It’s widely believed that only about 25% to 30% of Bitcoin is at risk of being attacked in the future by quantum computers. 

For example, Project 11’s Bitcoin Risq List currently lists 6,887,180 Bitcoin worth more than $450 billion as “at risk.” It defines “at risk” as Bitcoin held in addresses with exposed public keys. Around 3-4 million of this is believed “lost” and can’t be upgraded to quantum secure. 

But that’s not the whole story. 

In fact, all 21 million Bitcoin (barring lost coins already sitting in quantum-secure addresses) can theoretically be broken by sufficiently advanced quantum computers as soon as the coins are spent, if nothing is done to move to post-quantum security.

It’s just that the one in four Bitcoin held in the old address types is the easiest to attack and will be stolen first. A quantum computer could grind away for months if required to attack Satoshi’s coins, which have had their public keys exposed for the past 15 years.

But the remainder of the Bitcoin supply will still be vulnerable to more sophisticated attackers. That’s because when you spend Bitcoin, the public keys are exposed in the mempool for as long as it takes for the transaction to be processed. 

Typically, that period lasts between 10 minutes and 60 minutes, depending on network usage, providing a brief window of time for an attack. As quantum computers scale up, it’s believed they’ll one day be able to perform a “just in time” attack.

Yoon Auh (The Paul Barron Show)

“If you want to spend your Bitcoin, you have to reveal the public key,” explains Yoon Auh, CEO of BOLTS, which is running a proof of concept for the Canton network with its QFlex technology that hot-swaps quantum-proof signatures during a session.

“You can’t get around that. And the problem is that your bad actor will become a big Bitcoin miner and intercept that transaction from ever happening.”

Charles Edwards from Capriole has been agitating to upgrade Bitcoin to post-quantum security and says a short-range attack is much more difficult.

“The difference, I suppose, why that’s not probably discussed as much at the moment, is because the technical capability to do that is much more advanced. You have to be able to move and solve and decrypt very quickly to do what that is, which is to basically steal coins in the mempool, and effectively hack every single Bitcoin.”

He says that means the coins with public keys exposed for years will be attacked first. 

“That’s kind of the easy money, then the next step is, as the technology progresses, is to just attack the entire chain. So every coin, if your time horizon is long enough, every coin will be taken long term.”


BIP-360 does not prevent “short exposure attacks”

The recently updated BIP-360 proposal outlines the danger explicitly. The proposal creates a new address type (output) called Pay To Merkle Root (P2MR) that should enable a considerable proportion of the “at risk” Bitcoin to be moved to quantum-resilient addresses.

However, the proposal specifically cautions that “P2MR outputs are only resistant to ‘long exposure attacks’ on elliptic curve cryptography; that is, attacks on keys exposed for time periods longer than needed to confirm a spending transaction.”

“Protection against more sophisticated quantum attacks, including protection against private key recovery from public keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. ‘short exposure attacks’), may require the introduction of post-quantum signatures in Bitcoin.”

BIP-360 co-author Ethan Heilman tells Magazine that “long exposure” attacks are the big threat that needs to be tackled first:

“With short-exposure attacks, the attacker only learns the public key after the output is spent. This means the attacker is in a race to break the public key and double-spend the transaction, before the honest transaction is confirmed by a miner.”

“It is likely that the first quantum computers that are a threat to Bitcoin will take a very long time to break a public key. Imagine you have a quantum computer that takes 6 months to break a public key. It wouldn’t make sense to do short exposure attacks. However, a giant pile of coins in an output that exposes the public key would make sense.”
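The distinction drawn above between “long exposure” and “short exposure” attacks comes down to one question per output: is the public key already visible on-chain, or does it only become visible while a spend waits in the mempool? The following Python is an added illustration (not code from the article, BIP-360 or Project 11) of how a risk inventory along those lines can be computed. It assumes a simplified set of output types and a constructed list of UTXOs; the `Utxo` class, `classify` and `short_exposure_feasible` are hypothetical helpers written for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Exposure(Enum):
    # The public key is already on-chain, so an attacker can work on it for months.
    LONG = "long exposure: public key already visible on-chain"
    # The public key is revealed only in the spending transaction, so the attacker
    # has to win a race against confirmation (Heilman's "double-spend race").
    SHORT = "short exposure: public key visible only while a spend is in the mempool"


# Whether the output script itself carries the bare public key.
# P2PK (Satoshi-era pay-to-pubkey) and P2TR (taproot, whose output commits to a
# tweaked x-only key) reveal it immediately. P2PKH / P2WPKH reveal only a hash of
# the key until spent. "p2mr" is the BIP-360 Pay To Merkle Root proposal, which the
# BIP describes as resistant to long-exposure attacks only.
PUBKEY_IN_OUTPUT = {
    "p2pk": True,
    "p2pkh": False,
    "p2wpkh": False,
    "p2tr": True,
    "p2mr": False,
}


@dataclass
class Utxo:
    txid: str
    script_type: str
    value_btc: float
    # Address reuse: an earlier spend from the same key already put it on-chain,
    # which turns a hash-based output into a long-exposure one.
    key_spent_from_before: bool = False


def classify(utxo: Utxo) -> Exposure:
    """Return the exposure class of a single unspent output."""
    if utxo.script_type not in PUBKEY_IN_OUTPUT:
        raise ValueError(f"unknown script type: {utxo.script_type}")
    if utxo.script_type == "p2mr":
        # Resistant to long exposure per BIP-360; short exposure still applies.
        return Exposure.SHORT
    if PUBKEY_IN_OUTPUT[utxo.script_type] or utxo.key_spent_from_before:
        return Exposure.LONG
    return Exposure.SHORT


def summarize(utxos: list[Utxo]) -> dict[Exposure, float]:
    """Sum the value held under each exposure class (a Risq-List-style inventory)."""
    totals = {Exposure.LONG: 0.0, Exposure.SHORT: 0.0}
    for utxo in utxos:
        totals[classify(utxo)] += utxo.value_btc
    return totals


def short_exposure_feasible(key_break_minutes: float, confirmation_minutes: float) -> bool:
    """A short-exposure attack only works if the key is broken before confirmation."""
    return key_break_minutes < confirmation_minutes


# Constructed sample UTXO set; txids and values are made up for the example.
SAMPLE_UTXOS = [
    Utxo("aaaa", "p2pk", 50.0),                            # old-style, key on-chain
    Utxo("bbbb", "p2pkh", 1.5, key_spent_from_before=True),  # reused address
    Utxo("cccc", "p2wpkh", 0.25),                          # fresh hash-based output
    Utxo("dddd", "p2tr", 2.0),                             # taproot, key on-chain
    Utxo("eeee", "p2mr", 3.0, key_spent_from_before=True),  # BIP-360 output
]

if __name__ == "__main__":
    for exposure, total in summarize(SAMPLE_UTXOS).items():
        print(f"{total:>8.2f} BTC  {exposure.value}")
    # Verdonk's figures: 30-minute key break vs a 10-minute block interval.
    print("short-exposure attack feasible at 30 min:", short_exposure_feasible(30, 10))
```

Only two inputs drive the result: the output type and whether the key has been used before. That is why address reuse moves coins from the “short exposure” bucket into the “long exposure” bucket even on modern hash-based address types, and why P2MR alone does not remove the mempool race.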

[Image: Quantum computer]

Is a short-range quantum attack on Bitcoin possible?

A short-range attack is possible in theory, but no one really knows how many years it will take before a cryptographically relevant quantum computer has enough physical qubits running fast enough to take advantage of that window of time.

Construction began on the first quantum computer facility with 1 million physical qubits in Chicago last week. It’s targeting completion in 2027. PsiQuantum raised $1 billion from funds affiliated with BlackRock, so investors certainly believe the tech is close enough to spend large sums of money on.

The estimated number of physical qubits required to break encryption has dropped sharply in the past few years. In February, a preprint scientific paper called ‘The Pinnacle Architecture’ suggested that 2048-bit RSA encryption could be broken in around one month with “less than one hundred thousand physical qubits” or in one day with 471,000 qubits.

The security of RSA encryption relies on how difficult it is to factor a large number into its prime factors, while Bitcoin’s elliptic curve cryptography rests on a different problem, so the RSA research isn’t a precise guide. Some believe ECC would be even easier to crack.

Quantum computing expert Professor Scott Aaronson said that RSA encryption uses 2048-bit keys while Bitcoin’s ECC uses 256-bit keys, making it easier to crack because “Shor’s algorithm mostly just cares about the key size.”


How long will it take to crack Bitcoin with a quantum computer?

According to Deloitte partner Marc Verdonk’s research report Quantum computers and the Bitcoin blockchain: “Current scientific estimations predict that a quantum computer will take about 8 hours to break an RSA key, and some specific calculations predict that a Bitcoin signature could be hacked within 30 minutes.”

Verdonk says that would still provide protection from a short-range attack but cautions the field is still in its infancy. “It is unclear how fast such a quantum computer will become in the future. If a quantum computer will ever get closer to the 10 minutes mark to derive a private key from its public key, then the Bitcoin blockchain will be inherently broken.”

There are also trenchant critics of the idea that quantum computers will ever be affordable and fast enough to even make long-range attacks feasible on the majority of at-risk addresses.

CoinShares argues that most lost Bitcoin won’t be attacked (CoinShares)

CoinShares’ Christopher Bendiksen put out a report recently arguing that only about 10,200 Bitcoin could realistically be stolen. He claims that most of the OG miners’ coins are in 32,607 individual addresses that would take “millennia to unlock even in the most outlandishly optimistic scenarios of technical progression in quantum computing.”

Bendiksen claims that to break Bitcoin within a day would require a quantum computer with 13 million physical qubits, and to do so within an hour would require a quantum computer that’s 3 million times better than Google Willow’s 105 qubits.

The assertion is based on research from 2022, which does appear to be the most recent research looking at breaking Bitcoin specifically.

However, the dramatically lower estimates last month for breaking RSA with 100,000 qubits suggest this research may now be outdated. The 2022 paper itself stated that RSA-2048 “is of a comparable difficulty to the EC encryption of Bitcoin.”

The type of quantum computer matters

Ethereum researcher Justin Drake was asked about Bendiksen’s report on Unchained, and while he hadn’t read it, he took issue with its timeframes.

Drake said the amount of time to crack a private key will depend on how research into different types of qubits progresses. Google is researching superconducting qubits while firms like PsiQuantum encode qubits in photons that enable rapid gate operations. Both types of qubits are very fast. Other research into trapped ions and neutral atoms prioritizes coherence over speed.

Justin Drake (Unchained)

“There’s different quantum computing modalities,” Drake pointed out. “You know, there’s the fast computers, the superconducting and photonics, and then the slow ones, the trapped ions and the neutral atoms. If you have the fast flavor, so for example, you have Google working on the superconducting stuff, then the estimate for the time it takes to crack a key is on the order of minutes, like roughly ten minutes.”

Why a short-range attack may not be worth it anyway

Edwards says that while short-range attacks are theoretically possible, the economics probably won’t justify them after the first long-range attacks on Bitcoin tank the price.

“Obviously, that wouldn’t happen in reality because once the capability got there, then probably no one would even hold Bitcoin or the value would be next to zero, so no one would bother.”

“That’s why we have to solve this, right? Like, if we want this network to thrive and go much higher, like we all would like to see, then we need to upgrade the network. Like, no action is just not an option at all anymore.”

Andrew Fenton

Andrew Fenton is a writer and editor at Cointelegraph with more than 25 years of experience in journalism and has been covering cryptocurrency since 2018. He spent a decade working for News Corp Australia, first as a film journalist with The Advertiser in Adelaide, then as deputy editor and entertainment writer in Melbourne for the nationally syndicated entertainment lift-outs Hit and Switched On, published in the Herald Sun, Daily Telegraph and Courier Mail. He interviewed stars including Leonardo DiCaprio, Cameron Diaz, Jackie Chan, Robin Williams, Gerard Butler, Metallica and Pearl Jam. Prior to that, he worked as a journalist with Melbourne Weekly Magazine and The Melbourne Times, where he won FCN Best Feature Story twice. His freelance work has been published by CNN International, Independent Reserve, Escape and Adventure.com, and he has worked for 3AW and Triple J. He holds a degree in Journalism from RMIT University and a Bachelor of Letters from the University of Melbourne. Andrew holds ETH, BTC, VET, SNX, LINK, AAVE, UNI, AUCTION, SKY, TRAC, RUNE, ATOM, OP, NEAR and FET above Cointelegraph’s disclosure threshold of $1,000.

Disclaimer

Cointelegraph Magazine publishes long-form journalism, analysis and narrative reporting produced by Cointelegraph’s in-house editorial team with subject-matter expertise.

All articles are edited and reviewed by Cointelegraph editors in line with our editorial standards.

Content published in Magazine does not constitute financial, legal or investment advice. Readers should conduct their own research and consult qualified professionals where appropriate. Cointelegraph maintains full editorial independence.
