The great P2PK Bitcoin heist. Millions of Bitcoins WILL be stolen, but should we even try to stop it?

First of all, do not worry, your Bitcoins are safe (unless you have certain unspent coins from 2009-2011, I’m looking at you Satoshi Nakamoto). The headline is not sensational though, unless action is taken it is inevitable that at some time in the future millions of Bitcoins will be stolen. You could argue that rather than theft, they’d be claimed as a bounty and returned to circulation, but I’ll talk more about that later.

What are P2PK Bitcoins, and why they are at risk?

Bitcoin works using asymmetric public key cryptography. Huh? Basically, every Bitcoin account is associated with a public key and a private key which are mathematically linked.

In simple terms, the public key is the destination where Bitcoins are ‘received’, and the private key is a secret password that allows only the holder to create a valid transaction signature which will spend the Bitcoin to a different public key.

As long as nobody knows the private key, they cannot steal your Bitcoin. The ECDSA signature scheme used by Bitcoin makes it impossible to calculate or reverse engineer the private key from the knowing public key, for now that is.

You see, cryptography is a constantly evolving area. The security of cryptographic algorithms typically lasts in the decades before they become vulnerable to attacks or are ‘cracked’.

Fortunately, even if it one day becomes possible to reverse engineer the private key from the public key, Bitcoin has a trick up its sleeve.

A Bitcoin address isn’t actually a public key, it is a hash of a public key. I discussed hashes in a previous article, but basically they consistently scramble the data and cannot be reverse engineered. This means that until someone creates and broadcasts a transaction to spend the Bitcoins held in an address, the public key itself is kept secret. This is brilliant since a hash is impossible to reverse, it is impossible to even attempt to crack those Bitcoins even if the encryption algorithm is broken.

Unfortunately in the very early days of Bitcoin there was period before paying to public key hashes (P2PKH) became the standard. Instead, it was common to pay to public keys (P2PK) directly. It is those P2PK Bitcoin that will one day be at risk.

Right now, ECDSA is considered rock solid, with elliptic curve cryptography first proposed in 1985 and no major vulnerabilities discovered in the decades since. There is one major known problem however: Shor’s algorithm.

Shor’s algorithm can be used to break elliptic curve cryptography on quantum computers. The good news is that we have a long time to go until quantum computers are sufficiently advanced that they reach this milestone.

The current cutting edge of quantum computing sees Google ahead at 72 qubits, followed by IBM (50 qubits) and Intel (49 qubits). Even then, these early machines are huge, require extensive cooling and are likely unstable.

For perspective, it will take a quantum computer with 2330 qubits before it even becomes viable to crack an ECDSA private key from a public one. Even then, it won’t be as simple as immediately cracking it, likely taking weeks, months or initially perhaps even years of computation. It will likely follow as with binary computing where giant expensive supercomputers costing millions of dollars gradually transitioned their way to the consumer market over a period of of decades.

I have no idea how long it will take until we have a viable quantum computer, but for perspective the $8m 1975 Cray-1 supercomputer achieved 80MHz and 136 MFLOPS. This performance wasn’t seen in the consumer market until the mid-1990s. These days you can get the latest Raspberry Pi for around £35 ($45) which has a 4x1100MHz CPU achieving over 6,000 FLOPS. Outrageously speculating a similar progression, 40 years from now could see very inexpensive quantum machines that could trivially claim any remaining P2PK Bitcoins, though they would likely have already all been claimed perhaps decades earlier!

Cray-1 Supercomputer

Even when the first machines are created that hypothetically could crack an ECDSA private key, it’s unlikely these very expensive machines will be used for this purpose unless the reward for doing so was incredibly high. Most P2PK Bitcoin accounts typically hold a 50BTC balance. If a multi million pound computer takes a month of processing to crack one of these, that’s a huge opportunity cost when it could be working on other potentially lucrative applications such as AI and curing diseases.

We already have new cryptographic algorithms available that are quantum resistant, and Bitcoin was designed with such upgrades in mind. These signatures use more data so there just isn’t any point in switching until it becomes necessary.

Even if ECDSA somehow became completely broken tomorrow, the use of hashed public keys means we’ve already devised methods (such as commitments) to allow us to move any P2PKH Bitcoin to a new algorithm without any risk of theft. Broken encryption is not an existential risk to Bitcoin that should create panic, the P2PK issue is just a legacy of a small oversight in the very early days of Bitcoin.

As a side note, if you reuse a Bitcoin address you have already spent from you have also revealed your public key to the world and are at risk of one day having your Bitcoin stolen. Address reuse has been warned against since Bitcoin was first created, but people still do it. Many will no doubt have their funds stolen one day, but that is their fault for ignoring the warnings, so please make sure you’re not one of them.

Who is going to lose their Bitcoin?

I’ve not checked exactly how many, but there are millions of P2PK Bitcoin that unless action is taken will be stolen. Luckily it is likely that nobody at all will lose their Bitcoins. Huh!? You see, the P2PK heyday was 2009-2010. In the days of CPU mining the original Bitcoin software would unfortunately pay the 50BTC block reward directly to P2PK, a small oversight. As soon as any of these Bitcoins were later moved, they became safe, since transactions have always been P2PKH (except for a tiny number of the quickly abandoned ‘IP transactions’ in 2009).

The beginning of the end for CPU mining was late 2010 as people started mining with GPUs requiring different software. There are millions of mined Bitcoins from those early days that have sat untouched ever since. Satoshi Nakamoto alone has around a million of them!

It’s incredibly unlikely that any unclaimed Bitcoins from back then still have owners, except perhaps those held by Nakamoto himself. In those days Bitcoins were practically worthless and it is reasonable to assume that anybody mining then who still hasn’t spent them probably threw away their hard drive a long time ago like this gentleman. Seeing their Bitcoin rendered unspendable or stolen might give these poor souls some closure rather than spend their lives desperately rummaging through landfill.

Fortunately there is a trivial fix, as anybody that does still hold P2PK Bitcoin from these early days can simply move them and they will be secured. This simple fact is the reason it is unlikely any Bitcoin the owner wants to keep will be stolen.

So, millions of ownerless Bitcoins will be stolen! How do we stop this, and should we?

I discussed the P2PK problem at the last Bitcoin meetup I was at. The idea of Satoshi Nakamoto’s early bitcoin re-entering circulation certainly caused a stir. One person argued it was part of the ‘social contract’ of Bitcoin that those coins would never be spent. It is widely believed that Nakamoto has no intention of ever doing anything with those coins even if he does still hold the private keys. There was even some support for the idea of hard forking to make these Bitcoins unspendable forever anyway, just incase he did try to move them. I personally think such a move would undermine the durability of Bitcoin and set a dangerous precedent.

That said, the question of what we do about millions of unclaimed Bitcoins being potentially stolen by quantum computing pioneers and returned to circulation is a more difficult one.

The only thing we could really do to prevent this is creating a hard fork that at some future point makes all remaining P2PK coins unspendable forever so they cannot be stolen, irreversibly shrinking the supply.

Anybody with P2PK coins would have until that date to move their coins to a new address to protect them from loss. This seems a reasonable approach, nobody is losing anything, and everybody else benefits as coins that are ownerless remain that way forever and the current status quo is maintained. The supply remains smaller and everybody else’s Bitcoin are more valuable as a consequence.

Making P2PK Bitcoins unspendable could potentially force Satoshi Nakamoto’s hand. If he is still alive and wanted to keep his coins, he would be forced into action potentially causing a huge impact on the market. Alternatively if we didn’t hard fork and he wanted to prevent his coins getting stolen he could move them to a burn address. This would make them forever unspendable anyway, minimising the impact on the market, but any activity would certainly fire up the debate around him and at least show the world he is still alive.

There is another perspective. Claiming quantum vulnerable P2PK Bitcoin will be a similar process to mining. It will require an outlay on hardware, and much like hashing will consume time and electricity. Bitcoin will be earned as reward for their efforts based on how much computation they have contributed to the process. At some point this ‘quantum sweeping’ will become a profitable endeavour. Unlike mining, the difficulty won’t change, it will only get easier and cheaper until all P2PK Bitcoin have been claimed.

There are so many variables in establishing when and over what period this heist might take place, and who would benefit. The quantum computing pioneers in IBM, Intel and Google would certainly have a massive head start. And since they are contributing billions of dollars to developing technology that could benefit all of humanity, don’t they deserve to be rewarded for their efforts by claiming the bounty accidentally left on the Bitcoin blockchain? It’s not inconceivable that if the value of bitcoin was sufficiently high, all the worlds early quantum computers could be dedicated to claiming the P2PK bounty.

What we should do is not a question I have the answer to, the Bitcoin community will have to form its own consensus in the future. Either way, it’s going to be an exciting debate to have.

John Hardy
Follow me

John Hardy

Software developer living in UK.
Longtime Bitcoin advocate.
Email [email protected]
Donations welcome: 1H2zNWjxkaVeeE3yX6uVqng5Qoi6gGvYTE
John Hardy
Follow me

Author: John Hardy

Software developer living in UK. Longtime Bitcoin advocate. Email [email protected] Donations welcome: 1H2zNWjxkaVeeE3yX6uVqng5Qoi6gGvYTE

  • RJF

    Interesting discussion but, given we have some time to figure it out, perhaps new solutions will present themselves as is usually the case.