Skip to content

What are the potential attacks against ECDSA that would be possible if we used raw public keys as addresses?

According to this answer about why addresses are hashes rather than public keys there are potential attacks that are possible if you have the public key rather than the address, what are these attacks? If one was writing a cryptocurrency would you advise against the addresses being the public key encoded in base58 with a checksum on the end? why?

Question Link


Answer

Answered by: Pieter Wuille

The theory
It is assumed that in order to forge an ECDSA signature you need to compute the private key for a given public key first (this operation is known as the "discrete logarithm" (DL), and its hardness is the basis for ECDSA's security). In order to do so, you must actually have the public key.

Once you have the public key, it is assumed that you need at least 2128 operations to compute its private key. That's an enormous amount (if every computer in the world could do one relevant operation per clock cycle it would take over 100 million years; in reality it'd be orders of magnitude more than that). However, that is assuming that there are no fundamental breakthroughs in algorithms to compute the discrete logarithm, or quantum computers. A sufficiently powerful quantum computer (not anything anywhere near what already exists) may be able to do this computation much faster.

By using an address that contains a hash of the public key rather than the public key directly, the actual public key is not revealed to the world until the output is spent by its owner. Barring any (spectacular) vulnerabilities found in the used hash functions (SHA256 and RIPEMD160), even a quantum computer cannot trivially find a public key from a hash function. However, the 160-bit hashes used are still considered relatively weak in this case (280 operations on a sufficiently powerful quantum computer).

In short: the argument is that by using public key hashes, the ability for someone with a DL break, or a hypothetical quantum computer, to steal coins is made harder.

In practice
What I write in this section is my own opinion, and presumably not everyone agrees with it.

I believe this (often repeated) advantage of hashed public keys is marginal at best, and a false sense of security at worst. There are several reasons for this:

  • The argument only applies until the output is (attempted to be) spent. Once someone tries to spend a pay-to-pubkey-hash output, they reveal the full public key. With minor cooperation from miners, the original transaction could be delayed temporarily to give the hypothetical quantum computing attacker time to find the private key and steal the coins.
  • Address reuse was, and still is, very common, and apparently hard to avoid. Whenever addresses are reused, their public key is revealed on the first spend, making all future ones vulnerable still.
  • Almost all interesting things that people do with Bitcoin (including multisig, 2FA, escrows, payment channels, BIP32 accounts, ...) involve sharing public keys with other parties. It's an illusion to think that in such a world any security is gained by using public key hashes - as public keys are revealed all the time still, often without people even knowing about it.
  • Even if you restrict yourself to carefully not rely on any of these techniques and keep all your public keys actually secret until spent, there are over 5 million BTC (my own research) stored with publicly known public keys. I cannot imagine that BTC retains any value if those become practically vulnerable to theft (or even just credibly believed to be vulnerable).

This doesn't mean we have a problem. Sufficiently powerful quantum computers are far away - if they're feasible at all for the enormous number of q-bits needed to solve these problems. This gives us time to slowly migrate to schemes that are actually quantum resistant (by not using ECDSA or similar cryptography at all). This is not yet done, as currently existing quantum-resistant schemes come with very large keys and signatures, and various other caveats. This makes them very unappealing fow now, but research on them is proceeding rapidly, and, if needed, they exist.

Should you use public key addresses?

If one was writing a cryptocurrency would you advise against the addresses being the public key encoded in base58 with a checksum on the end? why?

Advice on other cryptocurrencies is off-topic here, but the Taproot proposal for Bitcoin would effectively do this. Its outputs (and thus addresses) contain a full public key, because it comes with numerous advantages (it's smaller, cheaper, and makes a number of more advanced protocols on top a lot easier).

The Bech32 address format is used for these types of outputs, which has a number of advantages over Base58 (easier to transliterate/compare, stronger error detection, more extensible, smaller QR codes, ...).

Disclaimer: I'm a co-author of both the Taproot proposal and the Bech32 standard.

TL;DR: Public keys should be public.