The Security of Bitcoin's Cryptography
A common anxiety among those new to Bitcoin is to wonder whether the cryptography used in Bitcoin is secure enough to protect against threats. Could a big, powerful government with huge computing resources break Bitcoin's cryptography? What about a very clever hacker who might bring down the entire system? What about super powerful computers of the future, like quantum computers?
These are healthy concerns to have when a person is deciding whether Bitcoin is a sound protocol and worth investing in. Every Bitcoin private key is some number between 1 and 2^256, and in principle a computer could continue generating numbers billions or trillions of times per second until it found one that could access your bitcoins. However, 2^256 is a very big number; in fact, it's approximately 10^77, or a 1 with 77 zeroes behind it. Putting that in perspective, approximately 10^50 atoms make up the earth. If you chose a single atom in the earth at random, and then chose a second atom, also at random, the odds that you picked the same atom twice would be significantly greater than the odds of randomly guessing someone's private key.
Could an extremely powerful computer, based on futuristic technology that is yet to be invented, guess a private key? Theoretical physicists have estimated that the smallest amount of energy needed to perform the simplest computation (changing a 0 to a 1 or vice versa) is at least 3 x 10^-21 joules (this is known as the Landauer limit). A computer that used this amount of energy per computation would theoretically be the most efficient computer allowed by the laws of thermodynamics. If you then could harness 100 percent of the energy of the sun (not just the tiny fraction that falls on the earth, but the entire amount, by building a sphere of perfect solar panels surrounding the entire star), with no losses, you could theoretically capture 10^34 joules per year. If you harvested that energy for 100 years and fed all of it into your maximally efficient computer designed for the single purpose of guessing someone's Bitcoin private key, it would be able to perform only 10^55 computations. Of course, calculating a private key is more complicated than flipping a 0 into a 1, but even if we assume that this computer could calculate 10^55 private keys, it would run out of energy before it had even a one-trillionth chance of correctly guessing yours.
In summary, it is physically impossible, independent of future technological developments, to create a computer that could steal bitcoins by randomly guessing private keys. However, that does not eliminate the concern that a weakness exists in the cryptographic methods that Bitcoin uses. Perhaps it is easier than we think to work backward from a Bitcoin address to calculate the underlying private key. Here, it is important to note that the cryptographic methods used by Bitcoin are standard methods used by governments and major corporations to ensure security in communications, financial transactions, and network security. If a weakness exists in the methods that Bitcoin uses, a weakness exists in the methods the entire world uses.
Also, if weaknesses are discovered in the cryptographic standards, such that new methods need to be used, it is possible to update the methods that Bitcoin uses without affecting how Bitcoin functions. A new version of the SHA256 algorithm may be used in the future, or ECDSA might be replaced with a different digital signature algorithm. However, Bitcoin's reliance on cryptography in general will not change.
The bottom line is that Bitcoin's cryptography has a solid technical foundation. If a hacker ever does steal your bitcoins, it is far more likely the hacker would do so by finding a bug in a specific implementation of this cryptography that is flawed or by using the many other ways we've discussed, such as simply stealing your private key through a computer virus. It is far less likely that a hacker would be able to steal your money by finding a flaw in the mathematics of the cryptography.
Pseudocode for Elliptic Point Summation and Point Multiplication
To follow along with the elliptic curve digital signature examples earlier in the chapter, you'll need to be able to correctly calculate elliptic point summations and point multiplication operations using modular arithmetic. Pseudocode for the implementation of these operations follows:
In this elliptic curve point summation (ECPS) pseudocode, which allows you to add two points on the elliptic curve to generate a third point, we first check whether A or B is the zero point (recall that this is the single weird point that's part of an elliptic curve and is essentially at infinity). Next, we handle the typical case where the two points have different x locations, so we don't need to worry about a division by zero when computing the slope between them. Then, we handle the case where that division by zero does occur, which forces C to be the zero point. Finally, we handle the case where A and B are the same point, in which case we need to calculate the answer differently, using a mathematical derivative to find the point's tangent line and from it calculate C.
For elliptic curve multiplication, we simply run the ECPS function repeatedly. This is really inefficient! In fact, this method of point multiplication is so inefficient that it ceases to be a "one-way" function: it is just as computationally difficult to calculate the public key (knowing the private key) as it is to guess the private key (knowing the public key). For the small number of points we were using in this chapter, it's fine to use our brute-force approach, but for practical applications, more efficient schemes for point multiplication need to be used. We leave this as an exercise for the reader.
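The following Python implementation is an added example written for this page, not the book's own pseudocode. It carries out the four cases of point summation described above (zero point, distinct x, division by zero, tangent line) over a prime field, and implements scalar multiplication both ways: the repeated-addition method the text describes, and the double-and-add method it leaves as an exercise, which needs only about log2(k) additions instead of k. The toy curve y^2 = x^3 + 7 over F_17 and the point (15, 13) on it are constructed here for illustration; the secp256k1 constants are the curve's published parameters, and the private key 12345 is an arbitrary constructed value.

```python
from typing import Optional, Tuple

# A point is an (x, y) pair; None stands for the zero point (the point at infinity).
Point = Optional[Tuple[int, int]]


class Curve:
    """Curve y^2 = x^3 + a*x + b over the prime field of integers mod p."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, A: Point, B: Point) -> Point:
        """Elliptic curve point summation (ECPS): C = A + B."""
        p = self.p
        # Case 1: either operand is the zero point, which acts as the identity.
        if A is None:
            return B
        if B is None:
            return A
        ax, ay = A
        bx, by = B
        if ax != bx:
            # Case 2: distinct x locations, so the chord slope is well defined.
            slope = (by - ay) * pow((bx - ax) % p, -1, p) % p
        elif (ay + by) % p == 0:
            # Case 3: same x but B = -A (this also covers y == 0): the slope's
            # denominator is zero, the chord is vertical, and C is the zero point.
            return None
        else:
            # Case 4: A == B, so use the tangent line; its slope comes from the
            # derivative of the curve equation: (3x^2 + a) / (2y).
            slope = (3 * ax * ax + self.a) * pow((2 * ay) % p, -1, p) % p
        cx = (slope * slope - ax - bx) % p
        cy = (slope * (ax - cx) - ay) % p
        return (cx, cy)

    def mul_naive(self, k: int, P: Point) -> Point:
        """k*P by running ECPS k times: the brute-force method from the text."""
        R: Point = None
        for _ in range(k):
            R = self.add(R, P)
        return R

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add: one doubling per bit of k, plus an addition per set bit."""
        R: Point = None
        Q = P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R


# Constructed toy curve: y^2 = x^3 + 7 over F_17, which has 18 points including the zero point.
TOY = Curve(p=17, a=0, b=7)
TOY_G: Point = (15, 13)

# secp256k1, the curve Bitcoin uses: y^2 = x^3 + 7 over F_p with generator G of order N.
SECP_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
SECP_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SECP = Curve(p=SECP_P, a=0, b=7)
SECP_G: Point = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)


def public_key(private_key: int) -> Point:
    """Derive a secp256k1 public key point from a private key scalar via double-and-add."""
    if not 1 <= private_key < SECP_N:
        raise ValueError("private key out of range")
    return SECP.mul(private_key, SECP_G)


if __name__ == "__main__":
    for k in range(1, 20):
        assert TOY.mul_naive(k, TOY_G) == TOY.mul(k, TOY_G)
    print("2*G on toy curve:", TOY.mul(2, TOY_G))          # (2, 10)
    print("18*G on toy curve:", TOY.mul(18, TOY_G))        # None: the zero point
    print("N*G on secp256k1 is zero point:", SECP.mul(SECP_N, SECP_G) is None)
    pub = public_key(12345)  # constructed private key, for demonstration only
    print("public key on curve:", SECP.on_curve(pub))
```

On the toy curve, 18 * G lands on the zero point because the group has 18 elements, and on secp256k1 the same check with N * G passes after only 256 doublings, whereas mul_naive would need roughly 2^256 additions, which is exactly the gap between "easy to compute" and "impossible to reverse" that makes the one-way property hold.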
- Rolf Landauer, "Irreversibility and Heat Generation in the Computing Process," IBM Journal of Research and Development 5 (1961): 183–191.