You can read part 1 here, part 2 here, part 3A here, part 3B here, part 3C here, part 4A here, part 4B here, part 4C here, part 4D here, part 5A here, part 5B here, part 5C here, part 5D here, and part 5E here.
Why BTC is vulnerable to quantum attacks sooner than today's estimates.
Small recap: blockchain transactions are secured by public-private key cryptography. The key pairs used today will be at risk once quantum computers reach a certain critical level: at that point of development, a quantum computer can derive private keys from public keys. See part 3 for more sourced information on this subject. So if an attacker can obtain a public key, he can use a quantum computer to find the private key, and once he holds both the public key and the private key, he can control the funds and send them to an address he owns.
Just to make sure there are no misconceptions: the moment public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, it will be an issue for all blockchains that don't use quantum resistant signature schemes. The reason this article is about BTC is that I take this paper as a reference point. In that paper the authors have calculated an estimate of when BTC will be at risk, taking the BTC block time as the window of opportunity.
The BTC misconception: “If you don’t reuse addresses, BTC is quantum resistant”
In pretty much every discussion I've read on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as the address you send to. Therefore the full original public key is not made public until you make a transaction. So in theory, all funds are registered on the chain on hashed public keys instead of on the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, so there would be no risk of a quantum computer deriving the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from is published in full on the blockchain. So if you were to send only part of your funds, leaving the rest on the old address, your remaining funds would sit on a published public key, and would therefore be vulnerable to quantum attacks. The workaround would be to transfer the remaining funds, within the same transaction, to a new address. That way, your funds would once again be registered on the blockchain on a hashed public key instead of a full, original public key.
If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way:
You control your funds through your public-private key pair. Your funds are registered on your public key. You can create transactions, which you need to sign to be valid. You can only create a signature and sign your transaction if you have your private key. See it as your e-mail address (public key) and your password (private key). Many people have your e-mail address, but only you have your password. So the analogy is that if you have both the address and the password, you can access the mailbox and send e-mails (transactions). If the right quantum computer were available, people could use it to calculate your password (private key) from your e-mail address (public key).
Now, BTC doesn't show your full public key anywhere until you make a transaction, and that sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. In part 2 you can read a more extensive explanation of hashing, but here is a short explanation of what a hash is: a hash is the outcome of an equation. Usually one-way hash functions are used, where you cannot derive the original input from the output (due to the nature of the math, not even with a quantum computer). Every time you use the same hash function on the same original input (for example IFUHE8392ISHF), you will always get the same output (for example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain they are registered on "G".
So your funds are registered on the blockchain on the hash of the public key. The hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to.
As said before: since it is impossible, even for a quantum computer, to derive a public key from the hash of a public key, your coins are safe for as long as the public key is only registered in hashed form. The obvious safe method would be never to reuse an address, and always to make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant if used correctly. In reality, this is not correct. Even if you only use your address once, your public key will be exposed long enough for a quantum computer attack.
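To make the "funds on a hashed key" versus "funds on a published key" distinction concrete, here is an added toy ledger model (example code written for this article, not code from the series or from Bitcoin itself). It assumes a simplified address function (one SHA-256 instead of Bitcoin's RIPEMD160-over-SHA-256 hash160) and random bytes standing in for real public keys; the two scenarios compare a partial spend that leaves change on the old address with one that moves the change to a fresh address in the same transaction.

```python
# Toy model of a UTXO ledger: balances sit on hashed public keys, and the
# full public key becomes visible only when its owner signs a spend.
import hashlib
import secrets

def address_of(pubkey: bytes) -> str:
    # Simplified stand-in for Bitcoin's hash160 (RIPEMD160 over SHA-256);
    # a single SHA-256 is used so the example needs no optional hashlib backends.
    return hashlib.sha256(pubkey).hexdigest()[:40]

class Ledger:
    def __init__(self) -> None:
        self.balances = {}   # address -> satoshis held on that hashed key
        self.revealed = {}   # address -> public key published by a spend

    def fund(self, address: str, amount: int) -> None:
        self.balances[address] = self.balances.get(address, 0) + amount

    def spend(self, pubkey: bytes, outputs: dict) -> None:
        """Spend from the address of `pubkey`; `outputs` maps address -> satoshis."""
        src = address_of(pubkey)
        total = sum(outputs.values())
        if total > self.balances.get(src, 0):
            raise ValueError("insufficient funds")
        # Verifying the signature requires the full public key, so it is
        # broadcast (mempool first, then the chain) for everyone to see.
        self.revealed[src] = pubkey
        self.balances[src] -= total   # whatever is not moved stays on the exposed key
        for dst, amount in outputs.items():
            self.fund(dst, amount)

    def exposed_funds(self) -> dict:
        """Balances still resting on a key whose public half has been published."""
        return {a: self.balances[a] for a in self.revealed if self.balances.get(a, 0) > 0}

def scenario(send_change_to_fresh_address: bool) -> dict:
    # Constructed sample keys: random bytes stand in for real secp256k1 points.
    alice_pub, bob_pub, change_pub = (secrets.token_bytes(33) for _ in range(3))
    ledger = Ledger()
    ledger.fund(address_of(alice_pub), 100_000_000)          # 1 BTC on a hashed key
    outputs = {address_of(bob_pub): 60_000_000}              # pay Bob 0.6 BTC
    if send_change_to_fresh_address:
        outputs[address_of(change_pub)] = 40_000_000         # move the rest, same tx
    ledger.spend(alice_pub, outputs)
    return ledger.exposed_funds()   # {} only if no balance remains on the revealed key
```

Leaving the change behind reports 40,000,000 satoshis sitting on the published key; moving it in the same transaction reports nothing exposed, which is exactly the "never reuse an address" workaround the text describes.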
In the next part: Already exposed public keys.