Tuesday, June 23, 2026

All 21 million Bitcoin is at risk from quantum computers

It’s widely believed that only about 25% to 30% of Bitcoin is at risk of being attacked in the future by quantum computers. 

For example, Project 11’s Bitcoin Risq List currently lists 6,887,180 Bitcoin worth more than $450 billion as “at risk.” It defines “at risk” as Bitcoin held in addresses with exposed public keys. Around 3-4 million of this is believed to be “lost” and can’t be upgraded to quantum-secure addresses.

But that’s not the whole story. 

In fact, all 21 million Bitcoin (barring lost coins in quantum-secure addresses) can theoretically be broken by sufficiently advanced quantum computers as soon as the coins are spent, if nothing is done to move to post-quantum security.

It’s just that the one in four Bitcoin held in the old address types are the easiest to attack and will be stolen first. A quantum computer could grind away for months if required to attack Satoshi’s coins, which have had their public keys exposed for the past 15 years.

But the remainder of the Bitcoin supply will still be vulnerable to more sophisticated attackers. That’s because when you spend Bitcoin, the public keys are exposed in the mempool for as long as it takes for the transaction to be processed. 

Typically, that period lasts between 10 minutes and 60 minutes, depending on network usage, providing a brief window of time for an attack. As quantum computers scale up, it’s believed they’ll one day be able to perform a “just in time” attack.
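The distinction the article draws is between keys that are already visible in an unspent output (the “at risk” category Project 11 counts) and keys that only become visible in the mempool when the coins are spent. The classifier below is an added example, not code from the article or from Project 11, and its UTXO records are constructed for illustration: it inspects a scriptPubKey to decide whether the public key is exposed on-chain before any spend (P2PK and P2TR do this; hash-based types do not), and then totals the value an operator would treat as long-exposure risk, counting hash-based addresses only when they have a prior spend, since that spend already revealed the key.

```python
"""Inventory which outputs expose a public key on-chain before being spent.

Added example (not from the article or Project 11). Script formats are the
standard Bitcoin output templates; the UTXO records at the bottom are
constructed sample data, not real chain data.
"""
from dataclasses import dataclass


@dataclass
class Exposure:
    script_type: str
    pubkey_exposed_on_chain: bool  # key readable from the unspent output itself
    note: str


def classify_script_pubkey(spk_hex: str) -> Exposure:
    """Classify a scriptPubKey by whether it exposes a public key unspent."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac): the key is the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "public key is embedded in the script")
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", False, "only hash160 on chain; key revealed when spent")
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Exposure("P2SH", False, "script hash only; keys revealed when spent")
    # P2WPKH: OP_0 <20 bytes>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", False, "only hash160 on chain; key revealed in witness")
    # P2WSH: OP_0 <32 bytes>
    if n == 34 and spk[:2] == b"\x00\x20":
        return Exposure("P2WSH", False, "script hash only; keys revealed in witness")
    # P2TR: OP_1 <32-byte x-only output key>: the key is in the script.
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "x-only output key is in the script")
    return Exposure("unknown", False, "unrecognised template; review manually")


def is_long_exposure_risk(utxo: dict) -> bool:
    """True if the key controlling this output is already public on-chain.

    Hash-based outputs count only when the same address has spent before
    ('address_has_prior_spend' is an assumed field an indexer would supply).
    """
    exposure = classify_script_pubkey(utxo["script_pubkey"])
    return exposure.pubkey_exposed_on_chain or utxo.get("address_has_prior_spend", False)


def at_risk_total_sat(utxos: list) -> int:
    """Sum the value (in satoshis) of outputs whose key is already exposed."""
    return sum(u["value_sat"] for u in utxos if is_long_exposure_risk(u))


# Constructed sample UTXO set (fake keys/hashes, illustrative values only).
SAMPLE_UTXOS = [
    {"script_pubkey": "41" + "04" + "00" * 64 + "ac",        # P2PK, 50 BTC
     "value_sat": 5_000_000_000, "address_has_prior_spend": False},
    {"script_pubkey": "76a914" + "11" * 20 + "88ac",          # fresh P2PKH, 1 BTC
     "value_sat": 100_000_000, "address_has_prior_spend": False},
    {"script_pubkey": "76a914" + "22" * 20 + "88ac",          # reused P2PKH, 2.5 BTC
     "value_sat": 250_000_000, "address_has_prior_spend": True},
    {"script_pubkey": "0014" + "33" * 20,                     # fresh P2WPKH, 0.3 BTC
     "value_sat": 30_000_000, "address_has_prior_spend": False},
    {"script_pubkey": "5120" + "44" * 32,                     # P2TR, 0.01 BTC
     "value_sat": 1_000_000, "address_has_prior_spend": False},
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        e = classify_script_pubkey(u["script_pubkey"])
        print(f"{e.script_type:7} exposed={is_long_exposure_risk(u)!s:5} {e.note}")
    print("at-risk total:", at_risk_total_sat(SAMPLE_UTXOS), "sat")
```

Everything this script flags as not exposed is still subject to the short-exposure case the article describes: the key appears in the spending transaction's scriptSig or witness and sits in the mempool until a miner confirms it, so the inventory measures who is exposed now, not who is safe indefinitely.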

Yoon Auh (The Paul Barron Show)

“If you want to spend your Bitcoin, you have to reveal the public key,” explains Yoon Auh, CEO of BOLTS, which is running a proof of concept for the Canton network with its QFlex technology that hotswaps quantum-proof signatures during a session.

“You can’t get around that. And the problem is that your bad actor will become a big Bitcoin miner and intercept that transaction from ever happening.”

Charles Edwards from Capriole has been agitating to upgrade Bitcoin to post-quantum security and says a short-range attack is much more difficult.

“The difference, I suppose, why that’s not probably discussed as much at the moment, is because the technical capability to do that is much more advanced. You have to be able to move and solve and decrypt very quickly to do what that is, which is to basically steal coins in the mempool, and effectively hack every single Bitcoin.”

He says that means the coins with public keys exposed for years will be attacked first. 

“That’s kind of the easy money, then the next step is, as the technology progresses, is to just attack the entire chain. So every coin, if your time horizon is long enough, every coin will be taken long term.”


BIP-360 does not prevent “short exposure attacks”

The recently updated BIP-360 proposal outlines the danger explicitly. The proposal creates a new address type (output) called Pay To Merkle Root (P2MR) that should enable a considerable proportion of the “at risk” Bitcoin to be moved to quantum-resilient addresses.

However, the proposal specifically cautions that “P2MR outputs are only resistant to ‘long exposure attacks’ on elliptic curve cryptography; that is, attacks on keys exposed for time periods longer than needed to confirm a spending transaction.”


“Protection against more sophisticated quantum attacks, including protection against private key recovery from public keys exposed in the mempool while a transaction is waiting to be confirmed (a.k.a. ‘short exposure attacks’), may require the introduction of post-quantum signatures in Bitcoin.”

BIP-360 co-author Ethan Heilman tells Magazine that “long exposure” attacks are the big threat that needs to be tackled first:

“With short-exposure attacks, the attacker only learns the public key after the output is spent. This means the attacker is in a race to break the public key and double-spend the transaction, before the honest transaction is confirmed by a miner.”

“It is likely that the first quantum computers that are a threat to Bitcoin will take a very long time to break a public key. Imagine you have a quantum computer that takes 6 months to break a public key. It wouldn’t make sense to do short exposure attacks. However, a giant pile of coins in an output that exposes the public key would make sense.”

Quantum Computer

Is a short-range…

cointelegraph-magazine.com
