The point is that the 10 minute time limit in which transactions get confirmed is irrelevant and provides no protection.
Shor’s algorithm runs in polynomial time and can thus be effectively used to attack public key crypto if you have a quantum computer at your disposal.
Bitcoin public key crypto also runs on ECDSA, and Bruce Schneier announced earlier this year that he fears the NSA might have the ability to hack into ECDSA: http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
But you can’t attack the ECDSA by Shor’s algorithm if you don’t know the public key, as is the case with a pubkey-hash address that has never been used. If you avoid key reuse, the only moment when coins are vulnerable is that ~10 minute interval after you’ve broadcast a transaction spending the coins but it hasn’t yet made it into a block.
Yes, but as I said above, that 10 minute interval is irrelevant when you can just change your target key every minute.
As an attacker it’s quite okay to capture random transactions instead of attacking specific transactions.
No, first of all they are qualitatively different. Not all targets are the same. At best you could attack whatever the largest input in your current mempool is, perhaps a few dozen bitcoins at most. Whereas if you could choose your targets, something like this is better:
http://blockchain.info/address/1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a
Second, it doesn’t change the fact that you’d still have this insanely powerful quantum supercomputer running for millions of years before you have a chance at double-spending a single coin. Not economically viable as I said before.
Various people do consider ECDSA to be effectively broken with quantum computers. It’s hard to estimate what a quantum computer of a certain power is going to cost in 20 years.
That said, I don’t need to capture enough coins to pay for the attack. I can buy options on a falling bitcoin price and attack. If it’s known that there’s an attacker who randomly hijacks transactions, the bitcoin price takes a blow.