Quantum Attacks on Bitcoin, and How to Protect Against Them

The key cryptographic protocols used to secure the internet and financial transactions of today are all susceptible to attack by the development of a sufficiently large quantum computer. One particular area at risk is cryptocurrencies, a market currently worth over 100 billion USD. We investigate the risk posed to Bitcoin, and other cryptocurrencies, by attacks using quantum computers. We find that the proof-of-work used by Bitcoin is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers. On the other hand, the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates. We analyze an alternative proof-of-work called Momentum, based on finding collisions in a hash function, that is even more resistant to speedup by a quantum computer. We also review the available post-quantum signature schemes to see which one would best meet the security and efficiency requirements of blockchain applications.
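The scaling argument behind the abstract's two proof-of-work claims, modelled in Python as an added illustration (this is not code from the paper): Grover reduces the number of hash evaluations only quadratically, so a slow quantum hash oracle can still lose to a fast ASIC, and for Momentum's collision-based proof-of-work the quantum gain in evaluations is only 2^(n/6). The rates `ASIC_RATE` and `QUANTUM_RATE` are constructed placeholders, not the paper's estimates.

```python
import math

# Constructed placeholder rates (not the paper's estimates): SHA-256
# evaluations per second for one mining ASIC and for one fault-tolerant
# quantum machine evaluating the hash inside a Grover iteration.
ASIC_RATE = 1e14
QUANTUM_RATE = 1e3

def classical_pow_calls(d_bits):
    """Bitcoin PoW: a nonce is valid with probability 2^-d, so brute force
    needs about 2^d hash evaluations."""
    return 2.0 ** d_bits

def grover_pow_calls(d_bits):
    """Grover search over the same nonce space needs about (pi/4)*sqrt(2^d)
    oracle calls: only a quadratic reduction in hash evaluations."""
    return (math.pi / 4) * 2.0 ** (d_bits / 2)

def pow_speedup(d_bits, asic_rate, quantum_rate):
    """Wall-clock advantage of the quantum miner (classical_time / quantum_time).
    Below 1 the ASIC still finds the block first despite Grover."""
    classical_time = classical_pow_calls(d_bits) / asic_rate
    quantum_time = grover_pow_calls(d_bits) / quantum_rate
    return classical_time / quantum_time

def breakeven_pow_bits(asic_rate, quantum_rate):
    """Difficulty (bits) where the two tie: 2^d/asic = (pi/4)*2^(d/2)/quantum
    gives d = 2*log2((pi/4)*asic/quantum). Harder blocks favour the quantum
    miner, easier ones the ASIC."""
    return 2 * math.log2((math.pi / 4) * asic_rate / quantum_rate)

def momentum_calls(n_bits):
    """Momentum PoW: find a collision in an n-bit hash. Classical birthday
    search costs ~2^(n/2) evaluations; the optimal quantum collision
    algorithm (Brassard-Hoyer-Tapp, tight by Aaronson-Shi) costs ~2^(n/3)."""
    return 2.0 ** (n_bits / 2), 2.0 ** (n_bits / 3)

def momentum_speedup(n_bits):
    """Quantum gain in hash evaluations for Momentum: only 2^(n/6)."""
    classical, quantum = momentum_calls(n_bits)
    return classical / quantum

if __name__ == "__main__":
    print(f"break-even PoW difficulty: {breakeven_pow_bits(ASIC_RATE, QUANTUM_RATE):.1f} bits")
    print(f"Grover gain at 48 bits: {classical_pow_calls(48) / grover_pow_calls(48):.0f}x")
    print(f"Momentum gain at 48 bits: {momentum_speedup(48):.0f}x")
```

Under the placeholder rates the break-even sits near 72 bits; with a real network hash rate in place of a single ASIC the break-even moves much higher, which is the abstract's point.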
