Post-quantum preimage resistance of HASH160 addresses



We could design a black box function to break both P2PKH and P2SH (and P2WSH, etc.) addresses in 2^80 single-threaded quantum computer cycles.
Assuming a clock speed on the scale of GHz, this would take about 10 million years.
Important to note is that splitting the work and doing it in parallel is not as helpful as with classical computers, because it would offer only a quadratic speedup (Fluhrer, S., Reassessing Grover's Algorithm).
In other words, doing the work in 1 year would require building 100 trillion quantum computers, because sqrt(100T) == 10M.
Therefore, we can say that breaking a 160-bit hash preimage is physically possible, because 10M years is a finite amount of time and less than the age of the universe.
However, it's still infeasible.

Breaking P2PKH

Output locking script template is:

OP_DUP OP_HASH160 OP_DATA_20 pubkey-hash-20 OP_EQUALVERIFY OP_CHECKSIG

so cracking it with a hypothetical quantum computer would require running Grover's algorithm to find some x such that hash160(x) == pubkey-hash-20.
Once we'd find x, we'd then apply the much easier Shor's algorithm to find the secret key.
The revealed keypair would most likely not be the original keypair, but it wouldn't really matter, because the key authentication part of the Script would evaluate to true for any key that would satisfy hash160(x)=pubkey-hash-20.

Breaking P2SH

Output locking script template is:

OP_HASH160 OP_DATA_20 redeem-script-hash-20 OP_EQUAL

however the actual redeem script will be evaluated after authentication against the hash, and it must also pass validation.
Therefore, finding any random x such that hash160(x) == redeem-script-hash-20 won't do, because it will most likely be an invalid redeem script.
To address this, we could perform a Grover's search for a specific template.
We could do that by designing a function like f(x) = 0x21 || x || 0xac and then crack the composite function hash160(f(x)) as our black box function.
The raw bytes appended to x in the f(x) definition will make our redeem script match the pay-to-public-key (P2PK) template:

OP_DATA_33 x OP_CHECKSIG.

With Grover's algorithm we'd find x that satisfies hash160(f(x)) = redeem-script-hash-20, and then we'd apply Shor's algorithm to crack the secret key of x.
Finally, we could then spend the funds with the public key, signature, and the P2PK redeem script (redeem-script=f(x)).

The discovered redeem script would most likely not be the original redeem script, but it wouldn't really matter, because the redeem script authentication part would evaluate to true for any redeem script that would satisfy hash160(redeem-script)=redeem-script-hash-20.

Afterthoughts / potential optimization

I think we could optimize it by embedding public key generation as another function in the composite, so we won't need Shor's algorithm at all, because we'd find the secret key directly:

  1. Define a function g(x)=p that maps a secret key to a public key.
  2. Run Grover's on hash160(f(g(x))) = redeem-script-hash-20

Some matching x will be a secret key that satisfies all the requirements; then we compute g(x) to get the public key, then f(g(x)) to get the redeem script, which will be an acceptable way to spend, because the hash will match that of the address.
