In the 3rd episode of the Reckless Review podcast, co-hosts Udi Wertheimer and Lawrence Nahum discussed the potential use of quantum computers to steal bitcoins. They also took a deep dive into Unspent Transaction Outputs (UTXOs).
About the Reckless Review Podcast
The Reckless Review, launched in March 2019, focuses on the most important current issues in the bitcoin community. Co-hosts Udi Wertheimer and Lawrence Nahum engage in discussions that usually involve complex and technical issues.
Wertheimer describes himself as a Bitcoin coder and adversarial thinker, while Nahum is the founder of the GreenAddress bitcoin wallet and the chief architect of Blockstream. In only three episodes, the two have made their subscribers more knowledgeable on topics such as full nodes, privacy, hardware wallets, and Lightning exchanges.
The Possibility of Stealing Bitcoins With Quantum Computers
The conversation in the 3rd episode started with the following Pieter Wuille tweet:
The seemingly simple hypothetical question implies a plethora of privacy and security concerns with regards to the Bitcoin blockchain. Udi and Lawrence went on to dissect the tweet by explaining all related processes and technical terms.
They first clarified that the question was asking how much bitcoin could be stolen and not how much one should steal. In other words, “how many bitcoins in existence could be lost in such an attack?”
It was also explained that the hypothetical quantum computer can only compute a private key from a public key, and not from a Bitcoin address. According to the co-hosts, this is because a bitcoin address is a hash of the public key.
What this means is that only coins associated with exposed public keys will be prone to such an attack. The special machine Wuille mentioned in his tweet will not be able to “guess” a private key if it’s granted access to only an address.
How and Why are Public Keys Exposed
Udi and Lawrence mentioned that Bitcoin transactions were formerly pay-to-public-key (P2PK), meaning payments were made directly from one public key to another. According to the co-hosts, this was more efficient and saved space since only public keys had to be stored. Transactions have since moved to pay-to-public-key-hash (P2PKH) in a bid to guard against the type of attack described in Wuille’s tweet: a P2PKH output locks the coins to a hash of the public key rather than to the key itself.
On the show, it was pointed out that P2PKH is not so relevant when it comes to protecting against attacks from quantum computers. The hosts mentioned that Pieter Wuille scanned the Bitcoin blockchain for scripts with accessible public keys. It was revealed that already exposed public keys are associated with about 4 million bitcoins. Additionally, an estimated 500,000 bitcoins are linked to public keys exposed by users who claimed forked coins.
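The kind of scan described above, as an added example that is not code from the podcast or from Pieter Wuille's scan: it classifies raw output scripts as P2PK or P2PKH and tallies the coins whose public key is already visible on chain, either because the key sits in a P2PK output or because the same P2PKH address was spent from before. All scripts, hashes and amounts below are constructed; the `revealed_hash160s` input is assumed to have been collected from earlier scriptSigs.

```python
# Added example, not code from the podcast or from Pieter Wuille's scan:
# classify Bitcoin output scripts and tally coins whose public key is
# already visible on chain. Scripts, hashes and amounts are constructed.

def classify(spk: bytes) -> str:
    """Return 'p2pk', 'p2pkh' or 'other' for a raw scriptPubKey."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac): the key is in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    return "other"

def exposed_value(utxos, revealed_hash160s):
    """Sum the BTC whose private key could be derived from a known public key.

    utxos: list of (scriptPubKey, amount_btc).
    revealed_hash160s: HASH160 values whose public key already appeared in a
    scriptSig when an earlier output to the same address was spent (reuse).
    """
    total = 0.0
    for spk, amount in utxos:
        kind = classify(spk)
        if kind == "p2pk":
            total += amount                  # key is embedded in the output
        elif kind == "p2pkh" and spk[3:23] in revealed_hash160s:
            total += amount                  # key leaked through address reuse
    return total

# --- constructed sample data ---
PUBKEY = b"\x02" + b"\x11" * 32              # fake 33-byte compressed key
FRESH = b"\xaa" * 20                         # hash160 never spent from
REUSED = b"\xbb" * 20                        # hash160 already spent from

P2PK = bytes([33]) + PUBKEY + b"\xac"
def p2pkh(h160: bytes) -> bytes:
    return b"\x76\xa9\x14" + h160 + b"\x88\xac"

SAMPLE_UTXOS = [
    (P2PK, 50.0),            # early coinbase-style output, key public
    (p2pkh(FRESH), 1.5),     # only the hash is public: not exposed
    (p2pkh(REUSED), 2.0),    # key revealed when REUSED was spent before
]
SAMPLE_REVEALED = {REUSED}

if __name__ == "__main__":
    print(exposed_value(SAMPLE_UTXOS, SAMPLE_REVEALED))   # 52.0
```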
Beyond the loss of bitcoins, privacy is also a concern when public keys are exposed. The problem was encapsulated by Lawrence’s statement:
“There are two dimensions here. One is that I get hurt because someone can take my coins. The other dimension is my privacy. That’s the part I am thinking of because that can hurt you now. You don’t have to wait for people to break keys.”
Udi mentioned that there is time to prepare for quantum computer attacks, but advised listeners to avoid reusing addresses.
The Basics of Unspent Transaction Outputs (UTXOs)
Udi and Lawrence first approached UTXOs by differentiating them from balance-based models. For instance, bank accounts and Ethereum accounts are balance-based, while Bitcoin is UTXO-based. They explained that in a UTXO-based model, funds received by a wallet do not simply add to a balance; they create new outputs.
The hosts defined an output as comprising the amount sent and a lockscript containing the terms under which the said amount can be spent in the future. They added that most lockscripts require a signature and public key to spend an output.
The privacy on UTXO-based models was discussed. It was explained that it is impossible to establish a link between two outputs without additional data/history. This offers more privacy on UTXO models.
The hosts agreed that UTXO models are also more efficient. They further explained that to verify a transaction, a full node can use the list of all UTXOs (all amounts received but not yet spent). A transaction is valid if the output it spends is on the list of unspent transaction outputs.
Udi and Lawrence clarified that balance systems require attention to the order of transactions. An account that receives $10 twice and spends $20 was used as an example. The transactions in this account can be listed as +10, +10 and -20. Changing the order to +10, -20 and +10 would be problematic, since it would mean spending $20 when the balance is only $10. According to the hosts, this makes balance systems more complex. They also mentioned that balance systems need a nonce to differentiate transactions and prevent transaction replays.
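The two models described in the last two paragraphs, as an added example that is not code from the podcast: a minimal UTXO set whose validation depends only on whether each spent output is still unspent, beside a balance ledger that must be applied in order and needs a nonce to reject replays. Transaction ids, amounts and nonces are constructed.

```python
# Added example, not code from the podcast: a minimal UTXO set beside a
# balance ledger, showing that UTXO validation needs no ordering while a
# balance model needs both ordering and a nonce. All data is constructed.

class UtxoSet:
    """Full-node view: every unspent output keyed by (txid, index)."""
    def __init__(self, outputs):
        self.utxos = dict(outputs)            # (txid, vout) -> amount

    def apply(self, tx):
        """tx = {'id': str, 'inputs': [(txid, vout)], 'outputs': [amount]}.
        Valid only if every input is still unspent and no value is created."""
        if any(i not in self.utxos for i in tx["inputs"]):
            return False                      # unknown or already-spent output
        if sum(self.utxos[i] for i in tx["inputs"]) < sum(tx["outputs"]):
            return False                      # would create coins
        for i in tx["inputs"]:
            del self.utxos[i]                 # spending consumes the outputs
        for n, amount in enumerate(tx["outputs"]):
            self.utxos[(tx["id"], n)] = amount
        return True

def balance_ledger(entries):
    """Balance model: (amount, nonce) entries applied strictly in order.
    Returns (True, balance), or (False, reason) on overdraft or nonce replay."""
    balance, seen = 0, set()
    for amount, nonce in entries:
        if nonce in seen:
            return False, f"replay of nonce {nonce}"
        if balance + amount < 0:
            return False, f"overdraft at nonce {nonce}"
        seen.add(nonce)
        balance += amount
    return True, balance

# Constructed: two outputs received, then two independent spends
RECEIVED = [(("tx_a", 0), 10), (("tx_b", 0), 10)]
SPEND_A = {"id": "tx_c", "inputs": [("tx_a", 0)], "outputs": [10]}
SPEND_B = {"id": "tx_d", "inputs": [("tx_b", 0)], "outputs": [10]}

def utxo_results(order):
    """Apply the spends in the given order; the outcome does not depend on it."""
    s = UtxoSet(RECEIVED)
    return [s.apply(tx) for tx in order]

if __name__ == "__main__":
    print(utxo_results([SPEND_A, SPEND_B]), utxo_results([SPEND_B, SPEND_A]))
    print(balance_ledger([(10, 1), (10, 2), (-20, 3)]))   # (True, 0)
    print(balance_ledger([(10, 1), (-20, 3), (10, 2)]))   # overdraft
```

Applying the same spend twice makes the second call return False regardless of order, which is the UTXO model's double-spend check.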