bitcoin crypto{bounties for quantum capable bitcoin crypto{bounties for quantum capable adversaries

Download Bitcoin Crypto{Bounties for Quantum Capable Bitcoin Crypto{Bounties for Quantum Capable Adversaries

Post on 24-Jun-2020




0 download

Embed Size (px)


  • Bitcoin Crypto–Bounties for Quantum Capable Adversaries

    Dragos I. Ilie1, Kostis Karantias2, and William J. Knottenbelt1

    1 Centre for Cryptocurrency Research and Engineering, Imperial College London {dii14, wjk}

    2 IOHK

    Abstract. With the advances in quantum computing taking place over the last few years, researchers have started considering the implications on cryptocurrencies. As most digital signature schemes would be im- pacted, it is somewhat reassuring that transition schemes to quantum resistant signatures are already being considered for Bitcoin. In this work, we stress the danger of public key reuse, as it prevents users from recov- ering their funds in the presence of a quantum enabled adversary despite any transition scheme the developers decide to implement. We emphasise this threat by quantifying the damage a functional quantum computer could inflict on Bitcoin (and Bitcoin Cash) by breaking exposed public keys.

    1 Introduction

    The theory behind quantum computers (QC) was first introduced about 40 years ago. Research in the space has produced outstanding results, that have the po- tential to undermine the most popular cryptographic protocols in use today. One notable theoretical result is Peter Shor’s quantum algorithm [25] which can be used to break digital signature schemes such as RSA or ECDSA. The engi- neering advancements needed to physically implement such a complex machine have only recently started to appear, but a sudden improvement in the approach towards scaling might lead to a powerful QC appearing virtually overnight.

    The Bitcoin community is also affected by these developments, as the mech- anism for ensuring ownership of funds relies on ECDSA. Bitcoin’s cryptography must be updated; in fact there are plenty post-quantum cryptographic schemes to choose from if one is willing to sacrifice speed and storage. Such a scheme will be implemented in Bitcoin at some point and the majority of users will be able to safely lock their funds with quantum resistant signatures. However, in the extreme scenario of a Quantum Computer appearing without notice, not all users would be able to benefit from this upgrade. Interestingly, the recommended practices in Bitcoin would offer some level of quantum resistance that allows re- covering funds safely, but unfortunately, many users do not follow these. In this paper we analyse Bitcoin (BTC) and Bitcoin Cash (BCH) for the amount of funds secured by exposed public keys; or, from the perspective of a quantum

  • research group, the “crypto–bounty” for engineering a powerful quantum com- puter.

    1.1 Contributions

    This paper builds upon previous work of the authors [27] and brings the following contributions to the research space:

    1. In Section 4.1 we describe the setting in which a quantum enabled adversary would operate if it were to start attacking the Bitcoin network considering developers and users take immediate measures to protect their funds and recover the network.

    2. In Section 4.3 we present two models of attackers: one that can run Shor’s algorithm virtually instantly and a slower one that might be more realistic for the first generations of attackers.

    3. In Section 4.4 we describe attack vectors for maximising the crypto–bounty, i.e. the amount of funds that are impossible to recover by legitimate users in the presence of the attacker.

    4. In Section 5 we present a study of the evolution of the crypto–bounty in Bitcoin and its most significant fork, Bitcoin Cash. Furthermore, we describe our methodology for obtaining these results and discuss what can be deduced from them.

    2 Related Work

    Previous work [27] of some of the authors of this paper has looked into revealed public keys to motivate the introduction of a protocol for transitioning to quan- tum resistance. They have found that approximately 33% of Bitcoin is secured by public keys that are exposed either trivially in an output, or in an input due to address reuse. In this study, we would like to consolidate that data and perform a more in-depth analysis looking not only at the current UTXO set, but also at the history of public key exposure and its source.

    Other researchers have carried out a similar analysis [6], but their estimates represent a much lower bound than what we are providing and does not con- sider P2SH and P2WSH type addresses which are very popular in recent years. Furthermore, their study only looks at reused addresses, while we also inspect reused public keys between different addresses.

    We have also become aware of other similar studies created by members of the cryptocurrency space, but we could not find descriptions of their methods or details of the results. One such analysis was done by one of the developers of BlockSci [12], who summarised his result that 5.8 million Bitcoins are secured by exposed public keys in an online discussion [11].

    3 Background

    In this section we briefly cover the basic concepts necessary for understanding the motivation behind the analysis we are conducting and the methods used to perform it. We present some of the structures that are used in Bitcoin to secure and move funds across the network and offer insight into the workings of Shor’s quantum algorithm.

  • 3.1 Bitcoin Fundamentals

    Bitcoin transactions are data structures that encode the transfer of ownership of funds using inputs and outputs. Transactions are created, shared and stored by network participants following a protocol which dictates their validity and ordering. Funds reside in unspent transaction outputs (aka. UTXOs), each hav- ing an associated value and a locking script. For usability, some standard types of locking scripts are encoded in base 58 to produce addresses, which can easily be shared with others. To spend funds, a transaction input references an output and includes an unlocking script, which is used in combination with the locking script for validation. Ownership is guaranteed by a combination of hash com- mitments and public key cryptography. In general, each input contains a digital signature over the transaction spending the output. The signature is verified against a public key that is encoded in the output either in plaintext or inside a hash commitment which is revealed by the input. Depending on the type of locking script in the output, the input consuming it needs to provide unlocking data in various formats [4]. We can distinguish the following standard script types:

    1. Pay-To-Public-Key (P2PK) is the script type used for the first Bitcoin transaction. This is the most simplified form of locking and unlocking scripts: the public key is written in plaintext in the locking script, and the digital signature appears in the input, also in plaintext. Only the owner of the cor- responding private key can create a signature that would be verified against the public key from the locking script.

    2. Pay-To-Multisig (P2MS) is a script pattern that allows users to lock funds to multiple public keys but require signatures only from a subset of those. Similarly to P2PK the public keys are all listed in plaintext in the locking script together with a minimum threshold number of signatures that need to be provided in the unlocking script. However, public keys are quite large and data on the blockchain costs fees, so this outputs are not very popular.

    3. Pay-To-Public-Key-Hash (P2PKH) is an improved version of P2PK. The locking script contains a 20 byte hash commitment to the public key and the input contains both the public key and digital signature. This type of script was introduced to minimise the size of the output as hashes are only 20 bytes compared to public key which are 65 bytes uncompressed or 33 bytes compressed.

    4. Pay-To-Script-Hash (P2SH) outputs are yet another improvement; in- stead of specifying the locking script in the output, a 20 byte hash com- mitment to it is stored instead. A valid input contains the unlocking script and the pre–image of the hash commitment from the output. This type of output has the same size as P2PKH outputs, but allows for more complex locking scripts to be encoded without requiring the payer to incur the fees associated with the extra data. This script is most commonly used to nest P2MS, P2WPKH, or P2WSH.

  • 5. Pay-To-Witness-Public-Key-Hash (P2WPKH) was deployed in 2017 via a soft-fork in order to address several issues such as signature malleability and throughput limitations. Similarly to P2PKH the locking script contains a 20 byte hash of the public key and the input holds the public key and signature. The difference is that the input data is held in a segregated area called segwit which does not contribute towards the hash of the transaction and size limit of a block.

    6. Pay-To-Witness-Script-Hash (P2WSH) is a script type introduced to- gether with P2WPKH and represents the P2SH version of segwit. The output contains a 32 byte hash of the actual locking script, 12 bytes larger than the 20 byte hash from P2SH. This increase is meant to improve security against possible collision attacks as the work needed to find a collision in a 20 byte hash is no longer infeasible. This script type usually nests P2MS.

    Digital Signatures in Bitcoin are implemented using the Elliptic Curve Dig- ital Signature Algorithm (ECDSA); an implementation of the Digital Signature Standard (DSS) based on Elliptic Curve Cryptography (ECC) [3]. ECC is an approach to public key cryptography that relies on the mathematics of elliptic curves over finite fields. To this end, the public key is a point on an elliptic curve3, and the secret key is the exponent at which a base point3 is raised in order to obtain the


View more >