It's not that urgent, I think ... The most optimistic (from quantum computing point of view) estimations talk about the early 2030s, but most think quantum computers which are able to break ECDSA 256 bit with Shor's algorithm are at least a decade away (they need millions of qubits, current QCs have hundreds). So an address which is only used until the end of the year should not be in danger. And if I'm wrong with that, then we're doomed anyway because in this case QC is evolving much faster than expected and much more severe attacks are possible than an attack on Bitcoin ...

In this sentence I was referring to those people that participate in a bounty campaign but do not spend the received funds for a while, for example if they want to HODL these BTC. Of course most people spend the rewards from time to time, and those would benefit from sending the coins to an unused address as I wrote in the OP.

Of course. However, the lower the number of re-used addresses, the lower the "evil QC attackers" can steal. It is likely that the "evil QC attackers" will first concentrate on Satoshi's coins and other unspent block rewards from 2009/2010. But eventually they could try to break re-used addresses once QCs become faster.

But if the problem begins to appear on the horizon, for example if the first million-qubit QC is built by the Pentagon (but private attackers are still years away), then I expect many people to rush to spend their Bitcoins to unused addresses. This would lead to a high fee level. The more people doing this kind of "consolidation" now, the less high the fees would get in this phase.

Correct. But that's why there's so much research going on about post-quantum cryptography, because otherwise online banking and basically everything depending on encrypted data is doomed. And also Bitcoin eventually probably will include the option to switch to "quantum safe" addresses.

There are discussions in the mailing list already. Matt Corallo recently proposed adding a state of the art post-quantum algorithm like SPHINCS+ to Tapscript. He thinks that it would make sense to add such a feature around a decade before the problem becomes urgent, to give people time to migrate.

However there seems to be uncertainty if the complexity this adds (it would require at least two softforks to work as expected, because Taproot itself would also to have be changed to prevent the attacker spending via the key-path which would continue to be ECDSA as far as I understand) would be worth it considering the feature would probably not being used much today.

In theory one could even add post quantum cryptography via a Bitcoin-pegged token on the Bitcoin chain (using an OP_RETURN based technique like Counterparty or ... erm ... Runes ) without "Core developer approval". There may be other techniques like BitVM. But an "official" PQC algorithm would of course be much better. And for today, the approach described in the OP, simply sending coins to an unused address, is definitely enough for those who have a lot of coins sitting on re-used or P2PK addresses/UTXOs.

Hello d5000!

Please be aware that AOBT started working on translating your thread in various languages. I hope this is good news

And a First translation is already done: Portuguese translation, made by r_victory.

I would also suggest you, if you like the idea, to list the translations and the translators' names at the bottom of your topic. You can find here an example of how authors listed our translations.

Thank you! I'll be linking the translations in the OP.

I think consolidating amounts into a single unused address is recommendable if one of these conditions apply:

1) the amount isn't too large (e.g. consolidating several small outputs),
2) you explicitly want the fortune to be on one address, e.g. to store it in some cold-walled solution (metal, paper etc.),
3) the addresses already are connected in some way, so chain analysis companies already identify them as a single wallet, e.g. if you got different payments from a single exchange, service etc. on all of them, or if you use them without additional protections in a single Electrum wallet for example.

In all other cases I agree with you that it's better to store the coins on several addresses.

I think you mean the "history of addresses appearing first in transactions" (because address which haven't been used, can't be detected observing the blockchain).
It is of course correct that this can be checked.

But if you transact from your old, reused address A to a new address B, then nobody knows for sure if B is yours, from the fact alone that there was a transaction from A. It looks like any other payment.

Chain analysis companies need other elements to assign a higher probability that B is yours. Such elements can be:

- Transactions from B to another address which can be linked to you, for example a CEX deposit address, or another address you also used with A.
- Transacting in a short timeframe, or in a single transaction, to several addresses including B.
- Various transactions from A to B - so don't use your newly created addresses twice!
- Transacting at approximately the same time of the day to several addresses including B, however you could also be making payments typically at this hour of the day, so they can't assign a too high probability to this.
- Perhaps also too "round" amounts, e.g. if you tend to transact always 0.01 BTC to other addresses (like B).
- And of course, if you send any coins on B back to A, then a perfect circle will be detected and B being linked to the same identity as A.
- Some wallets like Electrum "leak" addresses which are part of the same wallet to the servers when querying data about transactions. Thus, even when using Tor, if chain analysis companies happen to operate such a server, they can link these addresses together. For best privacy, don't use this kind of wallet, or use one wallet per address you want to separate.

These practices should thus be also avoided.

If you want to make your coins even more private, more steps are possible, like sending first a relatively big amount from A to B, then a smaller amount to an address C, and so on. The more it looks like "random payments from random addresses", the better.

I wanted to stay the OP relatively short so I didn't mention these details, often I think my posts are considered "too long to read" I've linked this post in the OP.

As long as quantum computers aren't able to crack ECDSA keys in 10 minutes (during the transaction phase, while the public key is exposed), addresses which never were use are safe, from today's science point of view. Even trying to crack an address in 10 minutes is risky if the block time can be 2 or even 1 minute if they're unlucky.

QCs will first take a lot of time to crack keys, so re-used addresses and of course P2PK users are those most at risk.

I am coming back to this thread for announcing one more translation made by AOBT:

German translation, made by cygan

Later edit: make that two more translations I also translated this thread in Romanian.

I am coming back to this thread to announce that AOBT made one more translation:

Indonesian translation, made by Husna QA.

@GazetaBitcoin: Thanks, added all translations!

@cygan: Nice slides. However, I quite do not like the penultimate one, which tries to oversimplify a bit much when it says that quantum computers would take "hours to days". According to what I've read about this topic, this depends largely on the qubit capacity of the quantum computer. Thus a small QC which is "just" capable to crack an ECDSA key could take months instead, and this would be probably what we'd to expect at first. Basically this slide is assuming a quantum computer with millions of qubits, and omits that information.

A source for this (quite obvious) dependency on the number of qubits is here: according to Craig Gidney, a 20 million qubit QC would take 8 hours for RSA-2048, while a 1 million qubit QC would take a week. While this seems to confirm the "hours to days" claim (and is probably the source of the slide), if QCs advance we will probably first see some with tens or hundreds of thousands of qubits, which would take months to years. As of now, the largest quantum computers have around 1000 qubits; while there are annealers with higher qubit numbers like the D-Wave devices, they aren't capable to run Shor's algorithm.

now i will present you more slides on this topic today
here i will go into more detail about the quantum computer technology in relation to the security of Bitcoin and what the differences are between the so-called long-range and short-range attacks
here we go:







https://twitter.com/Bitcoin_Devs

Hey d5000, please allow me to let you know that AOBT made a new translation for your topic:

Russian translation, made by zasad@.

Also, please do not forget to add to OP also the Indonesian translation, which I mentioned above

As of now, AOBT made 9 translations for your topic, so at least 1 more should be expected.