I was wondering if using one address per transaction would mitigate this problem
No, because the public key is revealed at spending time anyway, even if you never reuse addresses. The time between broadcasting the spending transaction and it being sufficiently buried on-chain still exposes the user to risk if hypothetical machines that can compute the discrete logarithm exist. Since we're talking about hypothetical hardware, you can't make any assumptions about how fast it could work.
Furthermore, lots of use cases of Bitcoin involve sharing public keys with other not-fully-trusted parties. For example, multisig wallets require public keys to be shared between the participants. Lightweight clients reveal public keys to the servers that help them track their balance. Lightning channels involve shared node public keys and channel public keys on the network. In the presence of hypothetical hardware that can compute private keys, Bitcoin as it is used today would pretty much cease to exist, as all these use cases disappear.
Finally, even if you yourself manage to carefully avoid all these scenarios that involve sharing of public keys, and we somehow assume that transactions in flight don't pose a risk, you have to consider that an enormous amount of BTC is currently held in addresses for which the public keys are known, even if not your funds. In the presence of a hypothetical EC-breaking machine, so many funds would become exposed that I can't imagine BTC maintaining much value.
I was wondering if using one address per transaction would mitigate this problem, since apparently key-derivation functions (bcrypt, scrypt, Argon2) are mostly quantum-safe. My reasoning is that from your "master" private key, you'd derive a new one, and from this one you'd generate the public key which finally generates the address. Then, when this address spends any UTXO and consequently tells its public key to the network, an attacker would only be able to get the derived private key, but never the "master" one, meaning in the end the user is relatively safe as long as they don't reuse the same address and keep on generating a new address every time they want to receive a UTXO.
Yes and no.
- Master private keys that deterministically generate the actual address keys are used ubiquitously in Bitcoin, precisely because it permits using a new address for every transaction without needing a backup of each individual key. The reason is not security, but privacy, though; reuse of addresses gratuitously reveals information about shared ownership of UTXOs on chain.
- In theory, key derivation mechanisms do exist that are quantum-secure (or could be), in the sense that an attacker who learns (through whatever means) the private key to an address can't learn the master key it was generated from. The common key derivation mechanism used in Bitcoin (BIP32) doesn't use such techniques, however, because it is incompatible with xpubs. The (unhardened) BIP32 method supports sharing a master public key with another party (corresponding to your master private key, which is never revealed), in such a way that those other parties can derive the public keys corresponding to the private keys you'd derive. This allows watch-only wallets that can track funds on an online machine, while the private keys remain safe on an offline one.
- All the arguments above still apply: even if attackers are prevented from computing the master private key from an address private key, it doesn't stop them from computing address private keys from public keys.
ECDSA, and other forms of EC-based cryptography, are inherently not quantum-secure. It is tempting to think about ways to cover up this property or somehow reduce its impact, but it doesn't change the fact that the cryptography inherently just isn't designed for that. If we want post-quantum secure Bitcoin, we need to switch to actual cryptography designed for that, which is very actively being researched. I personally believe it's too early to push for that practically, as existing schemes today are very novel, are still frequently broken, and come with huge downsides (mostly size of keys or signatures), but given how rapidly the field is progressing I'm confident these concerns will reduce over time.