“How is the private key calculated using the elliptic curve mathematical computation?”

“If transactions are public, why can’t someone launch a brute-force [attack] and guess the private key, knowing the fact that we have quantum computers now?”

Let’s start with the first question for Rojit. Private keys are numbers, that’s all they are. If you wanted to generate a private key, you can do so fairly easily using just pen and paper. A private key is a number that is 256 bits long. A bit is either 0 or 1. How do we calculate a bit? The easiest way would be to flip a coin. Take a big sheet of paper and a coin. Flip [the coin]. If it’s heads, write down 1. If it’s tails, write down 0. Repeat this 256 times. Now you have a binary private key, written on your piece of paper, generated randomly. If somebody else tried to do the same thing, they would have to try 10^77 times in order to produce the same private key (on average). That private key is just a number [like 3 or 7], [though those would be] very easy to crack, not very random [out of the vast possibilities], but still.

[With] that private key, the elliptic curve mathematics that follows is to take a known point on the elliptic curve. When I say point, that means an X,Y coordinate on the line drawn by the function. If you take the elliptic curve function of Bitcoin and draw it on a piece of paper, it creates a line. That line is in the form of a curve, an elliptic curve, and it looks a bit like a squid. There is a very specific point on the line of that elliptic curve called the generator point. It’s a set of X,Y coordinates that is pre-defined. Everybody uses the same one. We write it down as ‘G’ for generator point. The public key is simply the point ‘G’ multiplied by the private key. If my private key is 3, then my public key is 3 multiplied by ‘G.’

You might say, “Well, that’s very easy! If I know the public key is 3 multiplied by ‘G’ and I know what ‘G’ is, why don’t I divide by ‘G’ and then I know your private key?” The reason is because you can’t do division on the elliptic curve. Division doesn’t exist [there]. You know 3 multiplied by ‘G’ is the public key, but you can’t figure out that 3 is the private key, even though you know what the value of ‘G’ is. That’s how the elliptic curve computation works.

Now, what does multiplication by a scalar mean on the elliptic curve? What does it mean to take a point and multiply it by 3? How do you multiply X,Y coordinates by 3? This has a specific meaning on the elliptic curve. To add ‘G’ to itself, to do ‘G’ plus ‘G,’ you take the tangent of the [generator] point on the elliptic curve. The tangent is a specific mathematical construct. You draw the tangent at the point of ‘G’ and at some point that tangent will touch the elliptic curve again. That is one of the properties of elliptic curves. If you take the tangent of a point on the elliptic curve, the tangent will intersect the elliptic curve at another point. If you flip that point on the axis, that is ‘2G.’ Drawing a line between the two points is how you add them up. You can create a multiple because 3 multiplied by ‘G’ is simply ‘G’ plus ‘G’ plus ‘G.’ You can keep adding ‘G.’ Essentially, all private-to-public-key computation is that: taking ‘G’ and adding it to itself, with your private key. That’s the number you generated randomly. When you do that, you still end up with some X,Y coordinate on the curve. Every time you add the points, you [end up somewhere on the curve] and that point is your public key. You know that point, [but] you simply have no idea how you got there.

“Do all private keys start with the number 5?”

No, Bill. Private keys encoded with wallet import format (WIF) start with the number 5. But those that correspond to compressed public keys can start with the letter ‘K’ or ‘L.’ You will see private keys for wallet import format [that start with a 5]. When they’re ‘with compressed,’ as it’s called, they start with a ‘K’ or ‘L’ instead of a 5.

“How do you ensure the private key is transmitted
securely and privately into the blockchain?”

This is also a point of confusion. The private key is never transmitted anywhere [on the blockchain]. What you transmit is a signature, which is a number produced from the private key by a special equation that anyone can check. By checking that against your public key, they can confirm you know what the private key is, but they don’t know, and cannot know, what the private key is. That little trick ensures that you can sign as many times as you want, transmit as many signatures [as you want], and people will only be able to verify that you know the private key, but nobody else does.

“Please explain key collision. Also, please give an example of encryption collision.”

‘Collision’ as a word is mostly used for hashes. Perhaps what you’re asking is related to the very next question.

Jason asks, “Is it possible to generate a private key that is already being used?”

Yes Jason, it is possible. It is absolutely improbable, however. Even if you were trying to do this deliberately, by generating a trillion new private keys every second, and then recruited a billion people to generate a trillion keys each, all you would do is touch the very surface of the absolutely enormous number [of possible] private keys that [could] exist. This is something that a lot of people have difficulty wrapping their heads around: the idea that the [number of possible private keys] is so large that you will never ever get through them.

The number of possible private keys is 2^256. It’s not quite, but for rounding purposes it’s 2^256. The main idea doesn’t change, no matter how much you round this. 2^256 is equivalent in decimal to 10^77. That’s 10 with 77 zeros after it. Let’s say you could generate a billion keys per second. How much is a billion keys? That is 10^9. What you’re doing now is taking 10^77 and dividing it by 10^9, which is a billion keys. What you’re left with is 10^68. You cut that number from 10^77 down to 10^68. That’s 10 with 68 zeroes [after it]. That’s how many [possible keys you may still have to generate] to [find] a private key that matches somebody else’s.

Let’s say you take a billion people and they all try a billion keys per second. Instead of 10^68, it will now be 10^59. It may seem like you’re making progress, but not really, because a billion seconds would mean that you would be no closer. You would be down to 10^50 with a billion people trying a billion keys. I’m using very big, big numbers here. Let’s say that you were able to do all of that for a year, and then you decided to do it for a billion years. As you can see, if we take off nine more digits from the end of this [exponent], it doesn’t get much smaller. You’re still looking at numbers that are unfathomably large. At this rate, the amount of time it would take you to run through all private key combinations exceeds the total time of the universe’s existence. Which, depending on whether you apply science or not, is either 13.4 billion years or 6,000 years.

“If transactions are public, why can’t someone launch
a brute-force [attack] and guess the private key, knowing the fact that we have quantum computers available now?”

I already gave you the answer as to why you can’t guess the private key by trying [to generate] all possible keys. You will run out of time. The sun will extinguish, its nuclear fusion reactions will end. The universe will expand into nothingness. Civilizations will come and go. And you will still be trying to [guess] private keys. That’s the scale of numbers we’re talking about.

But what about quantum computers? Does that change the equation? Yes, it does. With a quantum computer, you could actually work out all possible combinations of a 256-bit number instantly, as long as you had a quantum computer [with sufficient qubits]. If you follow news about quantum computing, you know we currently have 5 to 10 qubits. The progress of adding each additional qubit is actually slowing down. To quote Peter Todd and one of his memorable memes that I really like: “Quantum computing may be the one area of science that scales worse than blockchains.” Quantum computers are not getting to 256 qubits anytime soon. In fact, you would only need 128 qubits to break [the elliptic curve function in Bitcoin], but we are very far from there.

What happens when quantum computers become available? We have to change cryptographic algorithms. There are algorithms that are better in terms of protecting against quantum computing [attacks]. We don’t need to use those algorithms [yet] because there are not quantum computers with enough qubits to be able to crack Bitcoin’s private keys.

The next question comes from Sesame Meow: “Quantum attacks on Bitcoin and
how to protect against them. I just listened to an Epicenter podcast about quantum threats to Bitcoin. Here is their paper. From what I understand, quantum computing effects would start to kick in, at the earliest, during 2027. Attacks on proof-of-work are straightforward to address, but attacks on ECDSA for [unconfirmed] transactions are a credible threat. I’m aware of the argument that if ECDSA is broken, we are worried about a lot of other things. Focusing on Bitcoin: how easily can Bitcoin incorporate quantum-safe public key signature schemes? Does it require a complete overhaul of the code, a hard fork, or a soft fork? What?”

Sesame Meow, do not fret! Yes, it’s true that quantum effects could limit the lifetime of ECDSA. All cryptographic algorithms have a limited lifetime. The good news is that ECDSA can easily be replaced. It can be replaced with a very simple soft fork. One of the important innovations that came with the introduction of Segregated Witness was the ability to have a script version number that allows soft fork upgrades to the scripting language within Bitcoin. This was introduced and activated on August 1st 2017. It means other signature schemes can be introduced by a simple soft fork. The first of such schemes [will be] Schnorr signatures, [acting] in conjunction with or in addition to ECDSA. A lot of this isn’t about replacing ECDSA, but rather about adding more signature algorithms so that people can choose which signature algorithms they want to use and effectively migrate their funds to more secure signature algorithms.

Schnorr signatures, which are about to be introduced, have been in testing and development for quite a while. They are one of the soft fork upgrades that can be done with the script versioning capability and Segregated Witness. But they’re not the only one. Bitcoin could introduce quantum-safe signature schemes with a soft fork, just by using the script versioning. It’s actually a very simple soft fork. It’s completely optional. It’s not mandatory. It’s opt-in. People can choose to use it, if they want to. If they don’t, they can continue with what they used before, which may be ECDSA or something else. It can be introduced incrementally so that different parts of the system upgrade and [add] support slowly, just like we’ve seen with the new bech32 address format for SegWit. Some wallets support it, some don’t. Gradually, the ecosystem is evolving.

Quantum attacks on Bitcoin? Not as scary as you might think. 2027 is a very long way away. Within the next decade, the number of [security] improvements that could be made to introduce quantum-safe digital signatures in Bitcoin, and the ease by which these could be done, really [makes it] not a problem.

Let’s see what other bogeymen and scary thoughts we can banish with all of these questions, which are showing a high level of anxiety in the Bitcoin space. Before we continue to the next question, remember: when engaging in cryptocurrencies, it is important every now and then to take a deep breath. Realize that there are many things in life that are more important, and the end is not near. The apocalypse is not coming, Bitcoin is not dead or dying. It is going to be okay. The roller-coaster is part of the show. Don’t worry too much about all of these things. A lot of the articles and academic papers you read have come out with a sensationalist [title] and they say: “We’ve discovered a fatal flaw that will be the end of Bitcoin!” They mostly address academic edge cases that are very hard to apply and fairly easy to mitigate. But that’s not what they’re going to tell you in the sensationalist headline. They’re not going to write a headline that says: “Edge case discovered; will have minimal impact and be easily mitigated, but we wrote a great paper about it!” No. They’re going to say: “Doom! Gloom! Bitcoin’s dead!” Don’t believe it.
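Editor's note: the answer to Rojit's question (a random 256-bit number is the private key, the public key is G added to itself that many times) and the later answer about what is actually transmitted (a signature, not the key) can both be seen in a few dozen lines of code. The block below is an added example written for this page; it is not code from the talk or from any Bitcoin implementation. It implements secp256k1 point addition (the tangent for doubling, the chord for two distinct points, then the reflection), scalar multiplication by double-and-add, a pen-and-paper key from 256 coin flips, and ECDSA signing and verification. It goes one step beyond the talk by also showing the one way a published signature does leak the key: reusing a nonce. Assumptions: Python 3.8 or later for `pow(x, -1, m)`; the nonce derivation is a simplified HMAC construction, not RFC 6979; the message strings and the fixed nonce `123456789` are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters, the curve Bitcoin uses: the field prime, the
# group order, and the generator point G that "everybody uses".
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def point_add(p1, p2):
    """Chord-and-tangent addition: doubling uses the tangent slope 3x^2/2y,
    two distinct points use the chord slope; the third intersection with the
    curve is reflected over the x-axis, as described in the talk."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 + (-p1) is the point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """k * pt by double-and-add: ~256 doublings instead of k additions."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def key_from_coin_flips(bits):
    """The pen-and-paper method: a string of 256 '0'/'1' characters, one per flip."""
    if len(bits) != 256 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 256 coin flips")
    d = int(bits, 2)
    if not 1 <= d < N:
        raise ValueError("outside the valid range 1..N-1; flip again")
    return d

def random_private_key():
    """The same thing with the OS random generator instead of a coin."""
    while True:
        d = secrets.randbits(256)
        if 1 <= d < N:
            return d

def public_key(d):
    """Public key = d * G; getting d back from it is the discrete log problem."""
    return scalar_mult(d, G)

def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(d, msg, nonce=None):
    """ECDSA signature (r, s). Nonce derived from key and message with a
    simplified HMAC scheme (assumption: not RFC 6979); a caller-supplied nonce
    is accepted only so that the reuse failure can be demonstrated."""
    z = _hash_to_int(msg)
    if nonce is None:
        mac = hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256")
        nonce = int.from_bytes(mac.digest(), "big") % N or 1
    r = scalar_mult(nonce, G)[0] % N
    s = pow(nonce, -1, N) * (z + r * d) % N
    return (r, s)

def verify(pub, msg, sig):
    """Anyone can check (r, s) against the public key without learning d."""
    r, s = sig
    if pub is None or not on_curve(pub) or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = point_add(scalar_mult(_hash_to_int(msg) * w % N, G),
                  scalar_mult(r * w % N, pub))
    return x is not None and x[0] % N == r

def recover_key_from_nonce_reuse(msg1, sig1, msg2, sig2):
    """Two signatures with the same nonce (same r) leak the private key:
    k = (z1 - z2)/(s1 - s2), d = (s1*k - z1)/r, all mod N. Publishing many
    signatures is safe only while nonces never repeat."""
    r, s1 = sig1
    _, s2 = sig2
    z1, z2 = _hash_to_int(msg1), _hash_to_int(msg2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N
```

`public_key(3)` is literally `point_add(point_add(G, G), G)`, and `scalar_mult(N, G)` comes back as the point at infinity, which is why valid private keys stop at N-1. The `verify` check is what a node does with a transaction: it sees `r`, `s` and the public key and never needs `d`. The `recover_key_from_nonce_reuse` function is the caveat a practitioner wants next to "sign as many times as you want": that holds for a signing implementation that never repeats a nonce, and a deterministic derivation such as RFC 6979 is the standard way to guarantee it.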
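Editor's note: Bill's question about private keys starting with 5 has a mechanical answer, shown here as an added example (the editor's code, not the talk's or any wallet's). WIF is Base58Check of the version byte 0x80 followed by the 32-byte key, plus a trailing 0x01 flag when the key is meant to be used with a compressed public key. The 33-byte payload always encodes to 51 characters whose first digit is ‘5’; the 34-byte payload always encodes to 52 characters beginning with ‘K’ or ‘L’. The decoder also shows why the checksum matters: a mistyped character is rejected rather than silently producing a different key. The private key value 1 is the standard published test vector; the other key value in the test is constructed.

```python
import hashlib

# Base58 alphabet (no 0, O, I, l) and the mainnet private-key version byte.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PRIVKEY_VERSION = b"\x80"

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(payload):
    data = payload + _checksum(payload)
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is kept as a leading '1' (never the case for WIF,
    # whose payload starts with 0x80).
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out

def base58check_decode(text):
    num = 0
    for ch in text:
        num = num * 58 + ALPHABET.index(ch)  # ValueError on a bad character
    leading_ones = len(text) - len(text.lstrip("1"))
    data = b"\x00" * leading_ones + num.to_bytes((num.bit_length() + 7) // 8, "big")
    payload, checksum = data[:-4], data[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("checksum mismatch: corrupted or mistyped key")
    return payload

def to_wif(private_key, compressed=True):
    """0x80 || 32-byte key [|| 0x01 when the public key is compressed]."""
    payload = PRIVKEY_VERSION + private_key.to_bytes(32, "big")
    if compressed:
        payload += b"\x01"
    return base58check_encode(payload)

def from_wif(wif):
    """Returns (private_key, compressed_flag) or raises ValueError."""
    payload = base58check_decode(wif)
    if payload[:1] != PRIVKEY_VERSION:
        raise ValueError("not a mainnet private key")
    if len(payload) == 34 and payload[-1:] == b"\x01":
        return int.from_bytes(payload[1:33], "big"), True
    if len(payload) == 33:
        return int.from_bytes(payload[1:], "big"), False
    raise ValueError("unexpected payload length")
```

The leading character is not a field anybody sets; it falls out of the arithmetic. Every 37-byte value that starts with 0x80 lies between 4·58^50 and 5·58^50, so its first Base58 digit is always index 4, the character ‘5’. The extra flag byte makes the value 256 times larger, which moves it into the range 18·58^51 to 20·58^51, indices 18 and 19: ‘K’ and ‘L’. Either form decodes to the same 256-bit number; the flag only tells the wallet which of the two public-key serializations (and therefore which address) to derive.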