<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Dear Gerald,</div>
<div> </div>
<div>Great question! If you have your bitcoins in an address with no outgoing transactions from that address, then your coins are currently safe even from attacks on secp256k1.</div>
<div> </div>
<div>Specifically, your address is RIPEMD160(SHA256(publickey)), and thus an attacker would need to reverse both of those cryptographic hash functions rather than just breaking the elliptic curve discrete logarithm. There's much less chance of there being a clever mathematical attack against these hash functions than there is against secp256k1.</div>
<div> </div>
<div>I've written a blog post discussing this very aspect, because the benefit of not prematurely* revealing your unhashed public key doesn't seem to be common knowledge even amongst bitcoiners:</div>
<div> </div>
<div><a href="https://cp4space.hatsya.com/2021/01/13/keep-your-public-keys-private/" target="_blank">https://cp4space.hatsya.com/2021/01/13/keep-your-public-keys-private/</a></div>
<div> </div>
<div>In particular, you have 160 bits of security against classical computers (trying different random private keys until you find one with the same address), but this degrades to 128 bits of security when the secp256k1 public key is published (because Pollard rho). Of course, if any of these index-calculus-inspired approaches manage to work, then the true security level of secp256k1 discrete logarithm could be even lower.</div>
<div> </div>
<div>* naturally, you need to reveal your public key when you make a transaction, but (provided you move all the coins in the process) that would only give an attacker a few minutes to attempt to solve the discrete logarithm problem before the transaction is buried in layers of successive confirmations and the original address is irrevocably empty.</div>
<div> </div>
<div>I've taken a look at the censored preprint. It doesn't mention the curve secp256k1 by name, but it discusses 'elliptic curves of j-invariant 0'. When a curve is expressed in Weierstrass normal form:</div>
<div> </div>
<div>y^2 = x^3 + a x + b</div>
<div> </div>
<div>then 'j-invariant 0' is equivalent to a = 0. The elliptic curve secp256k1 has a = 0, b = 7, and is modulo some large 256-bit prime. There's long been speculation that these a = 0 curves (sometimes called 'Koblitz curves') are potentially weaker than general elliptic curves, but (at the time of writing) there's been no better-than-Pollard-rho attack against them for curves over prime fields.</div>
<div> </div>
<div>My intuition is that this particular censored preprint is probably a fake attempt to drive the bitcoin price down (maybe the poster has a negative exposure to the price, or has some other reason for wanting bitcoin to fail?). In particular, I have a somewhat more cynical view than jzrx's comment:</div>
<div> </div>
<div>> Many people who don't know much about cryptography or crypto currency are trying to spread fear, uncertainty, and doubt.</div>
<div> </div>
<div>and I don't think Hanlon's razor is applicable to this preprint. In particular, if the preprint were correct (or believed to be so by the authors) then it's unlikely that the authors would post a censored screenshot on Reddit instead of just waiting for the natural peer-review process to conclude. That said, such better-than-Pollard-rho attacks may well exist (and even have been discovered and kept secret!), which is why I gave the advice to store your coins in fresh addresses.</div>
<div> </div>
<div>And in answer to your question: yes, if it's deemed necessary, then the bitcoin network could include (via a BIP, or 'bitcoin improvement proposal') another address format which supports a different elliptic curve or completely new signature scheme. For example, a lattice-based digital signature scheme such as Dilithium* might be reasonable to include soon, especially as improvements in quantum computing continue.</div>
<div> </div>
<div>* or indeed one of the other finallists here: <a href="https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_Competition" target="_blank">https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_Competition</a></div>
<div> </div>
<div>As jzrx mentioned, there has indeed been lots of scrutiny over Satoshi's paper and original code. Back in 2014, for instance, someone fixed an undefined behaviour bug (where a right-shift in C/C++ with shift amount >= word size is undefined by the language standard) in Satoshi's original code which would have, on certain architectures, resulted in another 21 000 000 coins being produced every 64 halvings. The problem is mentioned here:</div>
<div> </div>
<div>https://github.com/bitcoin/bips/blob/master/bip-0042.mediawiki (warning: rife with sarcasm!)</div>
<div> </div>
<div>and fixed here: https://github.com/bitcoin/bitcoin/pull/3842/commits/c5a9d2ca9e3234db9687c8cbec4b5b93ec161190</div>
<div> </div>
<div> </div>
<div>Best wishes,</div>
<div> </div>
<div> </div>
<div>Adam P. Goucher</div>
<div> </div>
<div>
<div>
<div style="margin: 10.0px 5.0px 5.0px 10.0px;padding: 10.0px 0 10.0px 10.0px;border-left: 2.0px solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Wednesday, February 03, 2021 at 1:17 PM<br/>
<b>From:</b> "Gerald Oxley via cryptography" <cryptography@metzdowd.com><br/>
<b>To:</b> "cryptography@metzdowd.com" <cryptography@metzdowd.com><br/>
<b>Subject:</b> [Cryptography] Does Bitcoin have unaddressed design flaws?</div>
<div>
<div>Greetings all,</div>
<div> </div>
<div>I discovered this mailing list by way of it being the place where Satoshi posted the original Bitcoin white paper, so I thought it might be an appropriate venue for this particular question. Reading some recent threads, it seems I'm among compatriots. Also I saw the Bitcoin white paper is apparently now banned reading material (DuckDuckGo it if you haven't seen it) which made me smile until I remembered my Ray Bradbury.</div>
<div> </div>
<div>Not too long ago I happened to come across a <a href="https://www.reddit.com/r/crypto/comments/kgo2qo/how_does_knowledge_of_a_bitcoin_public_key_square/ggi4z1u/" target="_blank" title="https://www.reddit.com/r/crypto/comments/kgo2qo/how_does_knowledge_of_a_bitcoin_public_key_square/ggi4z1u/">curious post</a> on the Cryptography Reddit which claims some sort of breakthrough attack for the “secp256k1” elliptic curve created by Bitcoin.</div>
<div> </div>
<div>The post is rather flitty about the details, but links to a <a href="https://i.ibb.co/JKZvYgM/secp256k1-summation-attack.png" target="_blank" title="https://i.ibb.co/JKZvYgM/secp256k1-summation-attack.png">redacted document</a> which provides the basis of alleged “intriguing conclusions” and “practical breakages” which the post claims will be interesting to cryptographers. I’m generally worried by all this, but also left wondering why the document need be redacted. It all seems rather suspicious to me.</div>
<div> </div>
<div>Though I took maths in university many years ago, trying to even attempt to read the paper it is all quite very much above my head. Having said as much, I’m writing as someone invested in Bitcoin who looks at all of this with a bit of confusion and worry.</div>
<div> </div>
<div>Can anyone validate this document or speak to the merit of this potential breakthrough? I am aware that elliptic curves are used to form Bitcoin signatures, so particularly concerning to me is whether this could represent some sort of unraveling of those signatures, as I understand they provide the basis of Bitcoin's security aside from the Proof-Of-Work (which I understand is separate from the signatures).</div>
<div> </div>
<div>I am a bit skeptical of the claims, as the document itself does not mention Bitcoin or secp256k1, so I’m also wondering if the Reddit post is leaping to conclusions or if there's something to it all which I'm just short of grasping. Does this even effect Bitcoin or is the Reddit poster simply mistaken? What is the connection I'm missing here?</div>
<div> </div>
<div>If it so happens that there is a real breakthrough discovery here, is there any way that Bitcoin can address it? Is there a better ellpitic curve that Bitcoin should plan to switch to in the near future?</div>
<div> </div>
<div>Full disclosure, I ask all of this as someone invested in Bitcoin, but with the lack of price stability and the recent concerns about double spend attacks, I’m beginning to wonder if I might be over-leveraged and it might be a good time to sell. Also in regard to the double spend attacks I'm not sure what to think there however I'm seeing mostly "false alarm" reports myself but very curious to hear others opinions.</div>
<div> </div>
<div>Really the whole thing has become quite nutty as of late, has it not?</div>
<div> </div>
<div>The idea there might be latent unaddressed issues lurking in the core designs of Bitcoin really got me thinking, and I'm wondering how much of Bitcoin depends on Satoshi's early decisions which really haven't gotten much scrutiny since.</div>
<div> </div>
<div>Not to insult Satoshi! I dare not think such a thing and everything I say here is very much with due respect. But with his prolonged absence, I'm wondering how much of Bitcoin is assumed to be solid ground only because it's territory which has gone unconsidered in such time in absence of a genius curator. It seems Bitcoin contained many novel and intriguing ideas and I wonder in general how many of those ideas have not been duly reconsidered since Satoshi vanished.</div>
<div> </div>
<div>Cheers, Gerald</div>
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com <a href="https://www.metzdowd.com/mailman/listinfo/cryptography" target="_blank">https://www.metzdowd.com/mailman/listinfo/cryptography</a></div>
</div>
</div>
</div></div></body></html>