Vulnerability of Blockchain Technologies to Quantum Attacks

Home , Cryptonote, Litecoin, Monero

arXiv:2105.01815v1 [quant-ph] 5 May 2021 nomto se.Abokhi salde,adas and ledger, a it is such blockchain A asset. information fa con scmrmsd fe mechanisms often compromised, is used. occurs, backups account data-breach and/or an a offline, If taken If be con- timely can data. a servers and the in integrity of key continued fidentiality the the Revoking asso- ensures and data. manner issued the be to can ciated key-pair central new a compro- by A or revoked authority. be lost easily is can For validity key its key-pair. mised, cryptographic the a from if decoupled instance, is itself data the However, data rules. access impose and integrity, to confidentiality, used are cryptosystems private-key the on of or EC. stored with RSA, problem using logarithm assets the when discrete on factoring, data relies of security difficulty protect associated The that blockchains. private/public (EC) pairs generate Curve to key Elliptic used or are RSA cryptography as such schemes tion encryp- asymmetric Notably, techniques. tographic eemn hi ikepsr oqatmatcs efiihwt c a with and finish technologies We blockchain attacks. attacks. underlying quantum quantu quantum their to to and open exposure cryptocurrencies are risk all, their not Bitc determine but today—including deployed protocols, cryptocurrencies capab these pr blockchain-based computer of cryptographic quantum on Some a rely routines. technologies exist Blockchain will there RSA2048. scheme 2035, cryptograph by many that to estimated threat a represents computation Quantum Abstract esi htte r not are they that in tems Introduction rpitsbitdt Elsevier to submitted Preprint ), Kearney ) nataiinlbnigsse,pbi-and public- system, banking traditional a In cryp- of use the through secured is blockchain A lccanssesaeulk te cryptosys- other unlike are systems Blockchain ∗ mi addresses: Email author Corresponding is [email protected] unrblt fBokhi ehooist unu Attac Quantum to Technologies Blockchain of Vulnerability h asset. the a colo optn,Uiest fKn,Cnebr,Kn C Kent Canterbury, Kent, of University Computing, of School [email protected] just Cro .Perez-Delgado A. (Carlos oehJ Kearney J. Joseph en opoetan protect to meant Jsp J. (Joseph a alsA Perez-Delgado A. Carlos , ffiinl.Ti ocuini hrdb eles- well by shared RSA2048 (see, is break researchers conclusion to tablished ad- likely This able have more be will efficiently. is to technology it sufficiently quantum 2035 vanced that year not the confidently than by can we that this, conclude and Doing error-correction gates, of fault-tolerance[1]. fidelity qubits, num- as of such ber components essential the advancement— and all technology current including quantum extrapolate in to trends possible past is accuracy. it said, perfect with That technology future of opment technology. quantum to in vulnerable advances particularly makes This technologies used. blockchain being decoupled system encryption be blockchains the easily in from cannot short, resources a In protected if asset the stolen. or data irrevocably the compromised, be then is can exploited, de- stored be the is can or key, it vulnerability the which secured If on the lost. a vice that irrevocably If is means invariably asset it. data this of lost, description is authoritative key the online least resource— always at the an or of- considered blockchain, no is system, are The hold- cryptographic There one the backups. keys. definition fline encryption by private is the resource ing a The of keys. access owner users’ manage to authority central this recover to owner legitimate account. the allow to exist ti nesbet rdc h rgesaddevel- and progress the predict to infeasible is It no is there system, blockchain a in contrast, By cpooosi prto oa.I a been has It today. operation in protocols ic i,Ehru,Ltci n Cs,and ZCash, and Litecoin Ethereum, oin, tak.Hr eaayetemajor the analyze we Here attacks. m tcl o ayo hi seta sub- essential their of many for otocols hi eaielvl fvleaiiyto vulnerability of levels relative their eo raigtevtlcryptographic vital the breaking of le 27FUie Kingdom United 7NF T2 maaieaayi ftestudied the of analysis omparative a, ∗ e.g. 2 ],t h point the to 3]), [2, ks a ,2021 6, May that the US National Institute of Standards and is considered the ‘gold standard’ for security at the Technology (NIST) has begun the process of stan- time of writing. A simple calculation shows that it dardizing and deploying quantum-safe public-key would take a classical computer with a 5Ghz CPU cryptography[4]. roughly 13.7 billion years to break an RSA 2048 Given the strong coupling between data and cipher using current best techniques. A quantum cryptosystems in blockchains, the potential vulner- computer operating at 10Mhz would be able to do ability of these cryptosystems to quantum attacks, it in roughly 42 minutes1. In order to do so, how- the likely introduction of capable quantum com- ever, a device needs to be able to hold in quantum puters in the mid-term future—not to mention the memory a state large enough to represent (at least) usual high monetary value of the assets secured by both the input to the problem, and the output. As blockchains—it is important to more deeply under- discussed earlier, it can be estimated that a quan- stand their current level of vulnerability. tum computer large enough to break RSA-2048 will In this paper we analyze some of the most pop- likely be ready by the year 2035 (see e.g.[2, 3]). ular blockchain technologies—Bitcoin, Ethereum, The second class of algorithm—amplitude Litecoin, Monero and ZCash— with a particular eye amplification[6, 7]—consists of generalizations of towards their vulnerability to attacks from upcom- Grover’s search algorithm[8]. These algorithms al- ing quantum technologies. We finish with a com- low for a solution to be found in any search space parative analysis of these blockchain technologies, √ of cardinality N in time O N. In short, this al- in terms of their relative vulnerability to quantum lows for any NP-Complete problem to be solved attacks. quadratically faster than any known classical algorithm. While the speed-up is a lot less dra- Background matic than in the previous case, the importance of these algorithms rests in their general applicabil- We begin by giving some relevant background in- ity. In short, any problem whose solution can be formation. verified efficiently (i.e. any problem in NP) ad- mits a quadratic quantum speed-up. Amplitude Quantum Cybersecurity Threats amplification algorithms are particularly relevant Quantum computers work by exploiting quan- here because many, if not all, consensus algorithms tum physical effects to decrease the time required to for blockchain technologies rely on solving NP- solve (certain) computational problems by creating Complete problems (more details below). and utilizing quantum superpositions. There are two main families of quantum algo- Blockchain Technologies rithms that are relevant to the current discussion: Blockchain and Distributed Ledger Technology subgroup-finding algorithms, and amplitude ampli- (DLT) markets are predicted to be valued at $7.59 fication. billion by 2024 [9]. Industries that have strong The first class of algorithms is best repre- use cases include finance[10], logistics[11], and le- sented by Shor’s algorithm[5]. This algorithm gal fields [12], with many large global corporations can both factor large integers and solve the dis- getting on board and integrating the technology: crete logarithm in polynomial time. In par- for example IBM [13], JP Morgan[14] and Amazon ticular, it can factor an integer N in time [15], with Facebook also announcing their own cryp- O log2 N log log N log log log N (or more suc- tocurrency Libra[16]. This technology removes the cinctly O log3 N ) and space O (log N). Or, as need for a trusted third-party to enable the transfer a function of the input size (in bits) n = log N, of data and assets. Shor’s algorithm runs in time O n2 log n log log n Blockchains work on group consensus; the va- (or more succinctly O n3 ), using space O (n). lidity of a transaction is determined by a group This is particularly relevant because most public- of nodes that need not trust one another. The key cryptosystems deployed today—including RSA, blockchain is managed by independent nodes that EC, ElGamal and Diffie–Hellman—rely on the computational hardness of either one of these two prob- 1 We calculate this by taking the number of quantum lems. In order to understand the magnitude of the gates—counting error-correction—needed to factor an RSA issue, one can take RSA 2048 as an example. This 2048 public-key. 2 must reach consensus before updating the ledger nancial resources to solve a problem. This incen- with newly validated transactions. There are tivizes the miner to generate a valid block contain- many mechanisms that enable a network to gain ing only valid transactions. This work is also easily consensus, the most popular being Proof-of-Work verified by a any node connected to the network. (PoW)[17]. This consensus mechanism and under- This expended energy guarantees that a cost is as- lying cryptographical techniques give blockchains sociated with creating a block. Careless or mali- their trustless ability. In general, blockchains work cious miners that expend the energy to complete through the linkage of blocks in chronological order. a PoW algorithm but have created a bad block (a These blocks are groups of transactions of informa- block that includes at least one transaction that if tion or cryptocurrency that nodes have broadcast included into the chain would create a wrong state, to the network. This forms an immutable series of e.g. spending over a user’s balance) will be dis- information, or a chain. Each block in the chain will covered by other nodes in the network. The block contain a group of transactions and their informa- will be invalid and this would not be considered by tion that has been declared to the network. This other miners as part of the main chain, leaving the is generally through the transfer of tokens (cryp- miner financially worse off, as they would receive tocurrency). These tokens hold intrinsic value like no mining reward. This ensures the validity of the traditional fiat currencies—rather than simply hold information contained within the block that is con- information about that value like, say, a bank ac- sidered by the network as the head of the current count balance. However, unlike tradition curren- longest chain (the block to which miners will at- cies, they are not minted by a central bank. To- tempt to append the next block in the chain). The kens are distributed to miners, who are nodes that hardness of this PoW determines how quickly each form the group consensus and as such perform work block is added to the chain: if the hardness of the on the network, as a reward for good work. This problem increases then it will take miners longer to work primarily consists of creating the blocks in the solve the problem as it will require more work to be chain as well as validating that the transactions are performed by the mining nodes [18]. well formed and are mathematically fair on the net- Determination of the ownership of assets within work, i.e. not creating or destroying tokens and a blockchain network is comparatively more com- not spending more than the user transferring to- plex when compared to centrally-controlled net- kens can afford. It is through this group consensus works and financial exchanges. A holder of some that the network and underlying economy of the tokens must be able to demonstrate that they have network can function fairly and independently of the ability and authority to spend the tokens. In a any central authority. centralized system this is kept in check by a central Blockchain technologies can be simplified down authority. In decentralized systems, cryptographic to two constituent parts, the consensus protocol techniques, such as signature schemes, must be used and the transaction mechanism. The transaction to demonstrate ownership. mechanism is how actors transfer tokens and in- Signature schemes allow a holder of tokens to formation; this requires them to provide a digital cryptographically sign a transaction, and this sig- signature in order to authenticate that they possess nature directly relates to the user’s public/private the public and private key used to create the digital key pair from which their account is created. There signature. The consensus mechanism dictates how are many different signature schemes, for exam- the verifiers or mining nodes on the network agree ple ElGamal[19], RSA[20], and Schnorr [21]. El- on the next blockchain update, which transactions liptic Curve Digital Signature Algorithm (ECDSA) are added, and whether the transactions and the is a signature scheme that relies on the difficulty of block are cryptographically and structurally valid. solving the discrete logarithm problem over ellip- PoW is the most commonly used consensus mech- tic curves. Compared to other schemes, ECDSA anism within a blockchain. PoW requires a miner to allows for the same level security using smaller prove that they have committed a certain amount keys—for instance, 256 bits compared to 2048 of effort through the expenditure of computing re- bits in the case of RSA [22]. Signing and ver- sources to generate the new block. This mecha- ification speed as well as compact signature size nism was adopted by Bitcoin forcing the miner, are all essential for blockchain technologies. This while compiling transactions into a block, to per- makes ECDSA particularly well-suited for use in form some work, i.e. spend computational and fi- blockchains. However, given its reliance on the dis- 3 crete logarithm problem for its security, coupled bersecurity attacks, to provide some further context with its smaller key-sizes, ECDSA is particularly for the work presented here. vulnerable to quantum attacks[23]. Bitcoin being the oldest and most popular cryptocurrency has been analyzed extensively from a Related Work classical computing perspective. The analysis of Bitcoin covers both the underlying protocol [40] as The current literature covers security analysis of well as the cryptography which secures transactions all major cryptocurrencies[24, 25, 26, 27]. This [41]. Furthermore, Bitcoin is the only blockchain includes all the blockchain cryptocurrencies cov- that has had analysis against quantum attack per- ered here, as well as third party elements to a formed on it [2]. e.g. blockchain’s infrastructure cryptocurrency Litecoin as a hard fork of the Bitcoin blockchain wallets and client providers [28, 29]. All this said, shares a majority of its infrastructure, and while the literature so far has focused almost entirely there has not been as much dedicated research to- classical on cybersecurity threats from actors, and wards the project as Bitcoin, analysis of its protocol has almost entirely ignored the growing threat from structure is well documented from a security per- quantum attacks. spective [42, 43]. Research into the security of the In the wider more general field of cryptography Equihash PoW algorithm used by Litecoin has also there is a comprehensive study of quantum attacks been performed [44]. and methods for protecting against them. This area of study is called post-quantum cryptography, and it Ethereum, unlike Litecoin, does not share many is too vast to properly cover here, but a few good similarities with Bitcoin as it is its own unique resources include[30, 31, 32]. However, the field of protocol (and does not hardfork from any other post-quantum blockchain cryptography seems to be blockchain). Much of the security analysis of fairly barren. The existence of a quantum advan- Ethereum is based on its novel blockchain feature: smart contracts tage applicable to blockchain technologies has cer- [45, 46]. Due to Ethereum’s differ- tainly been noted before see e.g.[33, 34, 35, 36]. ences to other protocols, there is also extensive re- This realization has led to work on blockchain search analyzing its security from classical attacks systems that are more resilient against quantum at- [47, 48]. tacks (see e.g. [35, 36]), as well as blockchain tech- Both Monero and ZCash, in comparison to the nologies such as Corda [37], Bitcoin Post-Quantum other blockchains analyzed here, have a smaller user [38] and Abelian [39] that are seeking to provide base. Despite this fact, significant security analysis post-quantum infrastructure to the blockchain sec- has been performed on both these cryptocurrencies tor. However, these projects are either in an early due to their unique usage of confidential transac- development stage or simply not widely used as of tions [49, 50, 51, 26]. this writing. There are no known plans to incor- A significant amount of literature does not neatly porate this type of work into existing, widely-used, fit into the categories above since it covers the cryptocurrencies. security of various blockchains at once, see e.g. To our knowledge, the only post-quantum, in- [52, 53, 54]. This type of analysis makes sense be- depth, rigorous analysis of a blockchain, before this cause of the similarities between blockchains as well paper, is the work by Aggarwal et. al. on the secu- as the similarities of the structure of their crypto- rity of Bitcoin to quantum attacks[2]. To the best of graphic protocols. Generally, most blockchains use our knowledge, the work presented here is the first ECDSA (or some variant of the scheme) in order attempt at a more comprehensive, rigorous study of to provide cryptographic signatures to prove own- the vulnerabilities of cryptocurrencies to quantum ership over assets on the blockchain, and PoW re- attacks. mains the most popular mechanism for generating In this paper we consider five major cryptocur- consensus on blockchain networks. While from a rencies (and some of their variants): Bitcoin, classical perspective many of the small differences Ethereum, Litecoin, Monero, and ZCash. Except- in the protocols have little impact on the overall se- ing Bitcoin, none of these cryptocurrencies have a curity of the network, these differences can have a (publicly available) rigorous post-quantum vulner- significant impact on how severe a quantum attack ability analysis. We can, however, consider the cur- will be on the network, as we show in the subse- rent state of the scientific literature on classical cy- quent sections. 4 Methodology of current and past trends in the essential components of quantum technologies such as number of First, we selected a representative set of qubits, fidelity of gates, error-correction and fault- blockchain technologies. We considered several fac- tolerance[1]. We base our estimate on a consensus tors in deciding whether to include a particular of various experts in the field[3, 2], as reflected by blockchain technology. The first is popularity, mea- official state policy[4]. sured by popular interest using Google Trends, and academic interest using number of academic ci- tations. We also strived to ensure a diverse set Results in terms of technological and cryptographic tech- In this section we discuss several blockchain techniques. For each blockchain technology selected, nologies, the cryptographic schemes they use, and we carefully studied the cryptographic primitives how these dependencies can be exploited by a used, and their level of reliance on cryptographic quantum-capable attacker. While the work in this protocols known to be vulnerable to quantum at- section is almost entirely original, the results in the tacks. This analysis is in-line with the original Bitcoin section follow Aggarwal et. al.[2], who first et. al. analysis of Bitcoin done by Aggarwal [2]. reported these findings. For each technology, we considered two primary attack vectors. First, we consider attacks against Blockchain Subgroup- Amplitude the blockchain network’s consensus mechanism us- Finding Ampli- ing a quantum amplitude amplification algorithm. algorithm fication Then, we study Shor’s algorithm-based attacks (Shor’s) (Grover’s) against the blockchain scheme’s transaction signa- Bitcoin ✗ – ture schemes. When relevant to a blockchain tech- Ethereum ✗ – nology, we also study potential attack vectors not Litecoin ✗ – covered by Aggarwal et. al.. Additionally, consid- Monero ✗ X erations such as the attractiveness, or profitability ZCash ✗ – of an attack are discussed when applicable. Having completed the analysis described above, Table 1: Vulnerabilities of Key Blockchain Tech- we collate the results in the following way. For each nologies: This table shows the vulnerabilities of key cryp- selected blockchain technology, we present and rank tocurrencies against two forms of quantum attack. An ✗denotes the blockchain has strong vulnerabilities against quan- its vulnerabilities to quantum attacks. We then de- tum attacks: due to the exponential quantum advantage for scribe the most damaging attack in terms of po- such attacks, as soon as quantum computers exist with suf- tential financial or reputation loss to the network. ficient memory, these could be used to effectively attack the Whether these vulnerabilities can be removed or blockchain in question. A – denotes that the blockchain has an intermediate level of vulnerability: while a quantum ad- mitigated is also considered where relevant. These vantage exists, this is only quadratic in nature, hence it will factors are then combined into a score in Table 1 take longer for quantum technologies to advance to the point that represents the blockchain’s overall vulnerabil- of becoming a threat. Finally, a Xmeans that the cryptocur- ity. This allows us to rank blockchains by their rel- rency is currently considered safe from quantum attacks. ative vulnerability from those with a limited potential for quantum attack given a vulnerability score of low, to a blockchain that could be rendered com- Bitcoin pletely unfit for use by the introduction of quan- Bitcoin, first described in a paper by a person or tum technologies given a vulnerability rating of very a group under the pseudonym Satoshi Nakamoto high. On the other end, a blockchain that is suscep- [55], is the most popular and first true blockchain tible to quantum attack, but employs technologies technology. The 2008 paper paved the way for the that could dissuade an attacker or make an attack development of the distributed ledger technological more difficult, would be given a rating of medium. space. Designed as a peer to peer payment method, This information is summarized in Table 1, on Page it removed the need for a central authority. It is 12. underpinned by cryptographic schemes that allow Finally, the estimate that we give of the year 2035 peers in the network to validate transactions in a for the likely introduction of quantum computers trustless environment, and store these in a ledger that can break RSA 2028 is based an extrapolation that is cryptographically secure and immutable. 5 These cryptographic techniques are secure from at- signature. During this process a user must also de- tack on a classical computer, however, they can be clare the public key associated with their account exploited by a sufficiently powerful quantum com- in order for validation to occur. This process sig- puter. nature is required for every input of a transaction, Bitcoin uses Hashcash as its PoW mechanism. otherwise the transaction will be invalid and will Hashcash[56] was originally designed as a denial of not be added in a block in the blockchain. service countermeasure for email systems. This was Bitcoin and its underlying cryptographic schemes done by requiring the potential sender to expend are vulnerable to possible quantum attacks. One time solving a computationally hard problem, be- such attack uses Grover’s search algorithm to per- fore being able to send an email. As implemented form PoW at a much faster rate than classical min- in Bitcoin, Hashcash requires the prospective miner ers. An attacker would aim to generate just over as to calculate a SHA-256 hash value for the header— much PoW as the rest of the network combined— plus some random number— so that the hash value effectively forcing consensus on any block the at- is smaller than a predetermined number. This num- tacker so desires (this is known as a 51% attack). ber is an adjustable parameter in the Bitcoin net- Current ASIC miners are capable of performing work. The smaller the number, the higher the com- roughly 18TH/s. This, combined with the current putational difficulty of the problem. sizes of Bitcoin networks, makes a quantum based The use of the Hashcash PoW mechanism has two 51% attack infeasible for the time being. Our own net effects. One, with the current high difficulty calculations based on current ASIC technology, as parameter, miners are incentivized to use specialist well as that of other authors[3, 2], put the earliest hardware, such as ASIC miners, and/or join min- likely date that this type of attack will be possible ing pools where the work and reward are divided at 2028. However, advances in ASIC technology are among various users. More importantly, PoW de- likely to push back this date much farther. incentivizes attempts to add bad blocks to the net- However, the most damaging attack on the Bit- works. These blocks have a very high chance of coin blockchain is on its ECDSA scheme; more being rejected by the network due to error correc- specifically upon transactions that had been de- tion, and therefore ensuring very high wasted costs clared to the network and not yet added to the on the potential miner. blockchain. The hardness of ECDSA relies on the The transaction mechanism within Bitcoin uses hardness of the Elliptic Curve Discrete Logarithm ECDSA signature scheme in order to prove author- Problem. As noted in the previous section, this 3 ity and ownership of tokens, as well as irrefutable problem can be solved in polynomial time O(n ) evidence that the tokens have been spent and that on a quantum computer of sufficient size where on the transaction has not been meddled with after a classical computer it can be solved in exponen- n the transaction has been signed. The elliptic-curve tial time at approximately O(2 ). While on the Bitcoin employs for its ECDSA is secp256-k1. The bitcoin network it could be possible to not only signature in Bitcoin is made up of two values S and hijack individual transaction it must also be con- R [57]. R is the x coordinate of a point of an elliptic sidered that a quantum attack could also aim to curve2. This point is the public key of an ephemeral take control of a users entire bitcoin wallet. If the public / private key pair, created by a user during same public / private key pair is used to hold the the process of signing the transaction. S, the other users bitcoin after the public key becomes public half of the signature can then be created as follows: knowledge, then all funds secured by the key pair S = k−1(SHA256(m)+ dA R) mod p. Where k will be vulnerable. However, it must also be con- is the temporary private key,· SHA256(m) is the sidered that bitcoin wallets tend to not repeatedly hash of the transaction message, dA is the signing use the same key pairs. Bitcoin transactions send private key, and p is the prime order of the elliptic an entire UTXO (potentially multiple depending on field. Given S and R of a signature, the signature whether the user is in possession of one UTXO that can be validated by any user as K, the ephemeral is greater than the amount to be transacted). In the public key, can be found from the two parts of the most simple form of bitcoin transaction, one UTXO will be spent as the input, there will then be two outputs. One creates a new UTXO of the amount 2A further description of elliptic-curve cryptography can being transferred to the relevant account. If the be found here[58]. UTXO in the input is greater than the UTXO in 6 the output a second UTXO is created as the change, The threat of quantum attack has given rise to which will be returned to the original user. This ac- a project called Bitcoin Post-Quantum. [38] This count where the change is sent to typically will be project hard forked from the bitcoin network at controlled by a newly generated public / private block height 555,000 (mined on 22/12/2018). This key pair. This means that an attack designed to project utilizes a quantum secure digital signature get access to the entirety of the users wallet while scheme [60] as well as implementing a Proof-of- possible on the bitcoin network is less likely by the Work mechanism utilizing the birthday paradox common security mechanism of changing the public as in Z-Cash discussed in section 1. Because this / private key pair after every transaction. project is a fork, however, it provides no actual se- An effective quantum attack would consist of curity benefits to the original Bitcoin chain. Hence, finding the private key when the public key is re- the discussion in this section is still very much rel- vealed following the broadcast of a signed trans- evant. action to the network. This would allow an at- In summary, Bitcoin will be very vulnerable to tacker to sign a new transaction using the private quantum attacks using Shor’s algorithm. The most key, thus impersonating the key owner. As long as wide-spread vulnerability open to attack will be the quantum attacker can ensure that their transac- transactions that have been declared to the network tion is placed on the blockchain before the genuine and not yet added to a block. The most vulnerable transaction, they can essentially ‘steal’ the transac- accounts are those that divulged their public-key in tion and direct the newly created Unspent Transac- the earlier days of the Bitcoin network. Finally, Bit- tion Output (UTXO) into whichever account they coin’s consensus mechanism exhibits a vulnerability choose. It is easy to calculate that a quantum to Grover algorithm-based attacks. However, since computer with 485550 qubits and running at a Grover’s algorithm only provides a quadratic ad- clock-speed of 10GHz could solve the problem us- vantage, advances in classical computer technology ing Shor’s algorithm in 30 minutes[2]. At the same are likely to keep Bitcoin secure against this type of time, the average waiting time for transactions in attack for much longer than for Shor’s algorithm- the pool of transactions currently waiting to be in- based attacks. tegrated into a block in the Bitcoin blockchain fre- quently exceeds 30 minutes [59]. This makes this Ethereum type of attack quite feasible. Ethereum is considered the second generation Early in the implementation of Bitcoin it was of blockchain technologies. It has an associ- possible for Bitcoin users to be paid directly to their ated cryptocurrency, Ether, and introduced the public key (P2PK), rather than to the hash of the use of smart contracts and distributed Applica- public key, which is commonly known as the user’s tions(dApps). Ethereum uses an account-based payment address. This has potential repercussions system where each transaction will deduct or add for older Bitcoin accounts. An example of this is Ether to a user’s account. Smart contracts allow the first ever Bitcoin transaction between Hal Finey users of the blockchain to create a computationally- and Satoshi Nakamoto at block 170 of the Bitcoin binding contract, meaning that it allows the cre- blockchain. This form of transaction is common ation of transactions dependent on certain trackable in early coinbase transactions used to reward Bit- objectives. coin miners. This means that some of the original Ethereum is currently transitioning from a Proof- (often quite affluent) accounts may have revealed of-Work (PoW) consensus mechanism, to a Proof- their public key in the early stages of the Bitcoin of-Stake (PoS) one. EthHash is a PoW mecha- blockchain. nism that is used in the current implementation of Thus, these accounts are extremely vulnerable to Ethereum at the time of writing this paper. A sin- quantum attacks using Shor’s algorithm. Unlike the gle round of SHA-3 (Keccak-265) hashing is used attack on the ECDSA signature scheme described to create the PoW problem, in a similar manner to earlier, there is no time limit to perform this type Bitcoin. Mining nodes then compete to generate of attack. Once a sufficiently large quantum com- a hash that solves the PoW problem. The second puter exists (estimated by the year 2035), a quan- is the currently not implemented PoS mechanism tum attacker can easily calculate these accounts’ known as Casper [61]. As mentioned earlier, PoW is private keys, sign new transactions as these users, used to provide a computationally tasking problem and empty these accounts of all their funds. to ensure that a block produced by a miner is valid. 7 PoS however dissuades bad miners from attempting key, and can be verified using the public key. Once to subvert the system as they risk losing their Ether a user has an outgoing transaction, the account’s if they perform a poor job. The security in the sys- public key is available to anyone that reconstructs it tem relies on the fact that the larger the stake the using the key recovery process mentioned earlier. A more voting power a miner will receive, by staking quantum assailant can thus request the public key, more coins a user is more likely to behave honestly calculate the private key using Shor’s algorithm, as they have more to lose if discovered. Further and thus takeover the entire account. This vulner- security is gained from the disincentive that a user ability is exacerbated by the existence of tools such would have to own a large amount of Ether in or- as Etherscan [65] that allow an assailant to search der to perform an attack, a successful attack would for, and target, accounts holding a large amount inevitably cause price drops for the cryptocurrency of Ether. This attack would be severely damaging thereby negatively impacting a user that is wealthy as the potential reward (for the attacker) and loss in ether. (for the victim) would be significantly higher when Ethereum, like Bitcoin, uses a variant of the compared to targeting individual transactions since ECDSA scheme based on the secp256-k1 elliptic the quantum attacker would be targeting an entire curve[62, 63]. In an Ethereum transaction there accounts balance of tokens. is no ‘from’ field, which means that the primary In summary, while Ethereum has a considerably public key K associated with account is not explic- shorter block-time when compared to Bitcoin it is itly revealed. It can however be retrieved through significantly more vulnerable to quantum attack a process called public key recovery where a user due to its account-based transaction system. While can reconstruct the public key from another user’s some other blockchains allow a user to reuse the transaction signature. same public key for multiple transactions, it is far Similar to Bitcoin’s consensus mechanism, a less common and users are dissuaded from this prac- quantum attacker can make use of Grover’s algo- tice. In Ethereum, all outgoing transactions are rithm to attack EthHash. We can calculate the signed using a single private/public key pair as- hash rate possible on a quantum computer against sociated with the account. This makes the entire the Ethereum as follows. First, we calculate the account balance vulnerable after a single outgoing Hr ×B difficulty D of the PoW for Ethereum: D = 232 transaction. where Hr is the network hash rate and B is the block time of the blockchain. In Ethereum B is cur- Litecoin 13 rently 16 seconds, while Hr is currently 18 10 Litecoin is a source-code fork of the Bitcoin H/s [64]. Therefore, the difficulty value is currently× blockchain. This means that it shares many sim- 670552. The equivalent hash rate for a quantum ilarities with Bitcoin. However, Litecoin also has computer is hq =0.04 s√D, where s is the clock marked differences: these include the block time as speed of the computer.× Even without any advances well as the PoW mechanism[66]. It has very sim- in ASIC technology, a quantum attacker would re- ilar use-case to Bitcoin as an electronic payment quire a clock speed of about 5THz before being method. However, due to a shorter block time, its able to attempt a 51% attack Ethereum’s consensus goal is to process transactions faster than Bitcoin. mechanism. Litecoin uses a different PoW scheme than Bit- The Ethereum signature scheme is highly inse- coin, called Scrypt. It has the same goal of expend- cure against attacks using Shor’s algorithm, since ing computing resources in order to solve a problem Ethereum’s signature scheme relies on the hard- to give a user authority to create the next block on ness of the discrete logarithm problem. This can the chain. Scrypt is designed to use significantly be solver in polynomial time (O(n3)) using Shor’s less hashing power; this can be seen in compari- algorithm compared to exponential time (O(2n)) son with Bitcoin where the hashing rate is approx- on classical infrastructures. Ethereum does have imately 46,000,000TH/s [67] against 298TH/s [68] one minor advantage in that it has a significantly for Litecoin. shorter transaction processing time when compared Scrypt is a simplified version of the password to Bitcoin. This is countered, however, with one derivation function created by C. Percival [69], orig- major disadvantage: Ethereum’s use of account- inally for the Tarsnap online backup system. Scrypt based transactions. Every single outgoing transac- differs from other PoW schemes in that rather than tion needs to be signed using the account’s private being highly intensive on the processing power, it is 8 highly intensive on the use of RAM on the mining to demonstrate the severe vulnerabilities faced by node. This originally was chosen in order to reduce blockchain technologies based on Bitcoin. the advantage of using—and hence prevalence of— Many of these altcoins have significantly lower ASIC miners when compared with blockchain tech- transaction processing times than Bitcoin. This nologies. However it was proven relatively quickly gives these blockchains slightly higher resilience to that Scrypt was not ASIC-resistant [70]. Shor algorithm-based attacks—though they are all Litecoin uses an ECDSA scheme in order to sign ultimately quite vulnerable to such attacks. transactions. Similarly to Bitcoin, it implements On the other hand, given current hash rates, and its signature scheme using the secp-256k1 elliptic likely improvements in ASIC technology, Litecoin is curve. likely to be safe from Grover’s algorithm-based at- Like other PoW systems, Scrypt is poten- tacks on its consensus mechanisms for the foresee- tially vulnerable to a quantum 51% attack using able future. However, a drop in this hash rate—for Grover’s algorithm. Litecoin’s current hash rate is example, due to a reduction of the block reward for 320TH/s[71]. Litecoin’s difficulty can be calculated completing the PoW as has happened before[74]— 32×1013×150 could leave the network more vulnerable. as: D = 232 = 11175870. Thus a quantum computer would have to run at a clock speed Monero of 2.4 Thz to even attempt such an attack at cur- Monero is a blockchain that focuses on the pri- rent hash rates. This, plus future improvements in vacy of its users. A majority of blockchains ad- ASIC technology make this type of attacks unlikely vocate anonymity through the use of pseudonyms. in the foreseeable future. Pseudonym identities however do not provide a user Because of its use of ECDSA, Litecoin is vul- with anonymity as their pseudonym is known to nerable to quantum attacks in polynomial time 3 other users. Through the use of chain analysis of O(n ) while using Shor’s algorithm performed techniques it is possible to discover who has sent against transactions that are awaiting to be incor- and received transactions, furthermore the num- porated into a block. This is likely to be the most ber of tokens sent or received, or account balances. profitable attack for a quantum attacker. Litecoin Monero provides obfuscation of both a user’s iden- has the advantage of a shorter block time and a tity and value of transactions through the use of slightly quicker throughput when compared to Bit- further cryptographical techniques. It offers true coin. Therefore, Litecoin has some minor improved anonymity to its users through the use of Pedersen resistance against quantum attacks when compared Commitments [75] and Range Proofs [76]. to Bitcoin. This advantage is however minimal: Monero uses the ASIC-resistant CryptoNight v8 given a quantum computer capable of attacking Bit- PoW scheme which is derived from the Egalitarian coin, a slight increase in its clock speed would suffice Proof of Work from CryptoNote [77]. The scheme to make it capable of attacking Litecoin. relies on access to slow memory at random inter- While this section focused on Litecoin, a simi- vals. CryptoNight is particularly memory intensive, lar analysis applies to many more ‘altcoins’ that requiring 2Mb per instance. are based on the Bitcoin blockchain or the orig- EdDSA is used as the signing algorithm in Mon- inal Bitcoin code. These range from direct hard ero. EdDSA is implemented using the twisted Ed- forks of the Bitcoin blockchain of which there are wards curve Ed25519. This signature scheme is a 45 current active projects, through Bitcoin cashcite- variant of ECDSA and is still reliant on the hard- bcash, Bitcoin gold[72] and Bitcoin core[73], to ness of the discrete logarithm problem. A keccak- source code forks like Litecoin. While a detailed 256 (SHA-3) hashing function H is used. The signa- discussion of each of every single ‘altcoin’ is neces- ture for signing a transaction using EdDSA is made sarily beyond the scope of this paper, this section up of two parts R and s [78]. First, a user must com- serves to highlight the vulnerability of all ECDSA pute the hash of their private key k so that H(k) to based blockchains—which includes almost all Bit- create hk. They then compute r = H(hk,m) where coin forks—to quantum attacks that use Shor’s al- m is the message of the transaction. r is then as- gorithm. sociated with a generator of the elliptic curve G to In summary, due to its similarities to Bitcoin, form R = rG. The second signature component s Litecoin displays the same vulnerabilities to quan- is then computed as s = (r + H(R,K,m)) k, where tum attacks. Moreover, Litecoin can be used K is the user’s public key. This signature· scheme 9 is extended in Monero, through the use of ring sig- ero’s privacy system gives it some added level of natures. security. An attacker would not know the amount A further area of interest in Monero is how it being transferred in a target transaction. Hence, gains transaction anonymity. It does so through transactions of value are unobservable without the use of three technologies working together: prior attacks. Further, the use of RingCT means stealth addresses, ring signatures and ring confiden- that the quantum assailant would need to solve tial transactions. multiple Pedersen commitments in order to find In simple terms, stealth addresses and ring sig- the correct public key used in the transaction. This natures work in the following way. For every trans- makes Monero slightly more secure against—or at action, Monero also broadcasts several ‘fake’ inputs least a slightly less attractive target for—quantum to the transaction. Only the senders and receivers assailants than other blockchain networks. of the transaction will know which is the correct Bulletproofs are particularly susceptible to quan- commitment for the transaction, as the senders and tum attack. They rely on the discrete logarithm receivers of tokens share a secret key. Moreover, if problem for their hardness and so similarly can be there are multiple recipients within the transaction, solved in polynomial time of O(n3). The security only the sender will have knowledge of the whole relies on the fact that no-one knows any xG = H transaction. The process consists of the user in- and no xH = G for the Pedersen commitment. A cluding one input using UTXO (balance) from their quantum attacker could breach the commitment re- wallet, and padding with extra randomly selected vealing the values contained within. This would spent outputs to the transaction up to the ring size. allow the attacker to reveal all previous transac- For instance, if the ring size is five then a further tions that have been obfuscated, since one of the four randomly selected spent outputs are added as key features of a blockchain is that it is immutable. inputs into the transaction. Which input is the cor- While this does not have any financial benefit, the rect one (signed by the user) will not be deducible information gained could be valuable, as the hidden to other users[79]. information may be confidential, and could poten- The Monero network needs a way to ensure that tially be used to extort users of the network. the above transactions balance correctly, in other In summary, Monero transactions are highly vul- words that the incoming currency into the transac- nerable to quantum attacks—though the network’s tion equals the outgoing currency. Monero’s current transaction anonymization makes these less attrac- mechanism for doing so is called Bulletproof,[80]. tive targets for attack than transactions in other Bulletproof is a zero knowledge proof protocol blockchain networks. However, it should also be that can ensure the balance of transactions. It noted, Monero’s PoW system—RandomX—is the is much more efficient than previous zero knowl- only such system with no known quantum vulnera- edge range proofs, both in computational terms and bilities. the amount of space required on the blockchain to record these proofs. Beam and Grin Monero very recently moved it’s PoW scheme Beam[82] and Grin[83] are similar to Monero in from CryptoNight to RandomX [81]. RandomX that they use Pedersen commitments to mask the is PoW system based on the execution of random amounts transferred. However, they use a tech- programs in a special instruction-set that consists nique called Mimblewimble. Mimblewimble is an of integer math, floating point math and branches. obfuscation protocol like Bulletproof. Here, each This PoW system was developed with the intent newly created UTXO is obfuscated by a blinding of minimizing GPU advantage in PoW. However, factor. This blinding factor hides the amount rep- it is possible that this may also, indirectly, lead to resented by the UTXO and this provides an extra more quantum resiliency. As of this writing, no level of anonymity to the blockchain. [84]. method for gaining quantum advantage for Ran- Like Monero, both Beam and Grin are vul- domX is known. nerable to quantum attacks against both their Monero’s signing algorithm EdDSA, like obfuscation technique as well as their signature ECDSA, relies on the hardness of the discrete scheme. Thereby, attacks presented against Mon- logarithm problem for its security, making it ero are equally valid against these two blockchains. highly susceptible to quantum attacks using Shor’s However, as with Monero, the obfuscation of ac- algorithm in O(n3) computations. However, Mon- count and transaction values provides both of these 10 blockchains with an element of resilience. While S and R. This is defined by the scheme described the obfuscation can be removed by a quantum at- in [88] and is also described in the ZCash white tacker, the attacker has no way of knowing whether paper [86]. This signature scheme is reliant on the the transactions that they are attempting to view hardness of the discrete logarithm problem. The are of significant enough value to warrant perform- signature consists of: ing a quantum attack. • An elliptic curve generator B of mod L Zcash • A cryptographic hash function H which in the case of ZCash is BLAKE-2b-256. Zcash is another privacy-based blockchain. Un- like Monero, however, Zcash allows for transac- • M which the message being signed tions to go from private accounts to public ones, and vice versa. Anonymity is integral to the • The private key a Zcash blockchain. Rather than pseudonymising • The public key A which is generated from the the identity of users through the use of account private key in the form A = aB where B is a address, input and outputs can be obfuscated. generator on the Ed25519 elliptic curve. It allows private transactions as well as public transactions. Zcash transactions implement zero- First r is created where r = H(a,M), then r is knowledge proofs in the form of zk-snarks (Zero- multiplied by B so that it is R = rB. S can then Knowledge Succinct Non-Interactive Argument of be computed as S = (r + H(R,A,M)a) mod , Knowledge); these use a trusted set up. Trusted giving the signature Sig = (S, R). L setup uses some form of publicly-available element Zk-Snarks, as previously stated, rely on a trusted as part of the proving mechanism for a transaction. set-up. This set-up requires the pre-generation of These publicly-available elements are either gener- a greater public-key. This global public-key must ated by a central entity, or alternatively in collabo- have no private-key, otherwise the holder of such ration with the entire network in the form of a pub- a key could create ZCash tokens at will. This lic ceremony [85]. Zk-snarks are a zero-knowledge greater public-key is created by many users col- proof system that allows a user to demonstrate laboratively creating shards, or small portions, of that a transaction they are sending is fair while a greater public-key from individual user private- not revealing the amount being transacted. Within keys. After the public ceremony, if at least one user Zcash there are four transaction types [86]: private, destroys their individual private key, then attempt- deshielding, shielding and public. Private transac- ing to find the greater public-key’s corresponding tions obfuscate the amount being transacted at in- private-key becomes computationally infeasible on put and output. Shielding transactions obfuscate a classical computer. This is because this private- previously publicly-visible transactions, while de- key can only be computed by either solving the shielding does the opposite. Public transactions can discrete logarithm problem, or by having access to be considered “traditional transactions”, similar to all the ephemeral private keys used to create the those in other blockchains, in that they employ only greater public-key. pseudonym identities to protect users, and in that Zcash is open to quantum attacks in three dis- the value being transacted is publicly visible. tinct ways. The first one is quantum attacks against Zcash uses the Equihash PoW to gain consen- its consensus mechanism. Grassi [89] et. al. devel- sus. Equihash [87] is a memory-hard PoW based oped a quantum algorithm for the k xor prob- on the generalized birthday problem. Equihash lem (generalized birthday problem), that− improves has the parameters n and k. k is the target value on Wagner’s classical algorithm. This quantum al- while the miner is given a sequence of X1...N n bit gorithm has an improved time and memory com- k n/(2+⌊log (k)⌋) strings. The miner must find 2 distinct Xij such plexity of O 2 2 compared to Wag- k 2 n/(1+ ⌊log (k)⌋) that Xij = 0. The solution to this problem is ner’s O 2 2 . This opens the avenue ⊕j=1 found using Wagner’s algorithm, which is the most for a quantum attack against the consensus mecha- efficient known algorithm for finding the solution to nism, potentially leading to a quantum 51% attack this problem on a classical computer. against the network. ZCash implements EdDSA, instantiated on the Since the signature scheme for ZCash is reliant Ed25519 curve. A signature consists of two parts on the hardness of the discrete logarithm problem, 11 Blockchain Risk Level Target Vulnerabilities Bitcoin High Transactions Transactions declared to the network are vulnerable to quantum attack, specifically with regards to their declared to the signature scheme. The main form of attack identified is against transactions declared to the network which network have not yet been incorporated into a block. Using the public key declared by the sender of a transaction, a quantum attacker can find the private key. This will allow them to duplicate the transaction with whichever output location they desire. Ethereum High Re-use of pub- Ethereum is designed on an account-based system, within which reuse of public keys is common. The attack lic keys mechanism we have identified can target accounts that have previously declared transactions to the network, while still retaining some Ether tokens in the account. By solving the public key to gain the private key using Shor’s algorithm, a quantum attacker could forge transactions in a user’s name, by generating a valid transaction signature. Litecoin High Transactions As Litecoin shares a majority of its technical structure with Bitcoin, it is equally vulnerable to quantum declared to the attack. The most damaging attack technique as in Bitcoin is against transactions declared to the network network that have not yet been added to the blockchain. Bitcoin Gold High Transactions Due to the similarities with the Bitcoin cryptographic elements, Bitcoin Gold shares the same vulnerabili- declared to the ties. network Bitcoin Core High Transactions Due to the similarities with the Bitcoin cryptographic elements, Bitcoin Core shares the same vulnerabili- declared to the ties. network Bitcoin Cash High Transactions Due to the similarities with the Bitcoin cryptographic elements, Bitcoin Cash shares the same vulnerabili- declared to the ties. network Monero Medium Obfuscated The signature scheme used in Monero EdDSA is vulnerable to quantum attack as it relies on the discrete transactions logarithm problem. However Monero gains some resilience to quantum attack through the anonymity of and transac- its users as well as the amounts being transacted. Although the Bulletproof protocol used in Monero to tions declared achieve this obfuscation of transacted amounts is vulnerable to quantum attack, an attacker would be to the network reliant on luck in order to select a transaction of significant value. Furthermore, due to a recent change in the consensus protocol implemented on Monero where RandomX was introduced, it would also have further resistance to quantum attacks attempting to perform a 51% attack utilizing Grover’s algorithm. BEAM Medium Obfuscated BEAM’s signature scheme, as well as the obfuscation technique Mimblewimble, are vulnerable to quantum transactions attack. Quantum attack could both, intercept transactions broadcast to the network and remove anonymity and transac- from hidden transactions. However as with Monero, the hiding of transaction and account values removes tions declared some of the incentive for a quantum attacker. to the network Grin Medium Obfuscated Grin’s signature scheme, as well as the obfuscation technique Mimblewimble, are vulnerable to quantum transactions attack. Quantum attack could both, intercept transactions broadcast to the network and remove anonymity and transac- from hidden transactions. However as with Monero, the hiding of transaction and account values removes tions declared some of the incentive for a quantum attacker. to the network ZCash Very High Public param- ZCash is highly vulnerable to quantum attack against both its consensus algorithm and its signature scheme. eter generated However, the most damaging attack found against ZCash is vulnerability of its zero-knowledge proof pro- during the tocol ZK-SNARKS, as this obfuscation method requires a trusted set up and therefore the production of Zk-SNARK a public parameter, which is a public key. If a quantum attacker gains the private key to this public ceremony parameter, they will be able to generate tokens at will.

Table 2: Blockchain Quantum Vulnerability Overview: This table shows a summary of the blockchain vulnerabilities discussed in this paper. The table shows, from left to right, the blockchain in question, the level of risk established here, the particular underlying cryptographic technology at risk, and a summary of the attack. it is susceptible to quantum attacks using Shor’s broadcast to the network. However, on ZCash the Algorithm. Transactions broadcast to the network vulnerability allows a quantum assailant to create could be stolen by a quantum attacker, before they tokens. Further to this, the work shown by Grassi et are added to the blockchain. al., means the consensus mechanism used by ZCash The global public parameter that is used in the is also more vulnerable than other blockchain tech- production of zk-SNARKs, is a public-key that has nologies discussed. Transactions that have been no corresponding private-key and is reliant on the broadcast to the network are equally vulnerable, hardness of the discrete logarithm problem. Quan- since the signing mechanism relies on the hardness tum attackers through the use of Shor’s algorithm of the discrete logarithm problem. could solve to find the global private key. This would not be reliant on the need for any further information as to how the global public parameter Conclusion was created during the ceremony. With the possession of the global private key, a quantum attacker This paper demonstrates that the cryptographic could create an infinite amount of ZCash tokens. schemes that underpin blockchain technologies are With the private key they would not be able to ac- highly susceptible to quantum attack, particularly cess other users’ transactions being broadcast on from subgroup-finding-algorithms, such as Shor’s the network. However, being able to create tokens algorithm. Table 1 summarizes the vulnerabilities at will, especially in a network that has obfuscated of the blockchain protocols that have been analyzed transactions this would be extremely dangerous to in this paper, as well as some additional technolo- the network and its associated economy. gies of note that have had in depth analysis. ZCash has a high vulnerability to quantum at- Based on the information presented here, we can tacks. Previous examples that we have discussed derive a comparative analysis and ranking of the are at threat to transactions being stolen once discussed blockchains. 12 Of the blockchains analyzed here, we can con- algorithm one has the option to swap out vulnerable clude Monero to be the most secure. This is cryptography (e.g. RSA) to quantum-safe or post- due to the obfuscation of transacted values on the quantum cryptography. In the case of PoW there is blockchain. While this obfuscation technique is vul- no such option to swap out the underlying compu- nerable to quantum attacks, as it relies on the dif- tational problem (from, say, hashing) to one that ficulty of the discrete logarithm problem, the ob- is not vulnerable Grover speed-up. By definition, fuscation of many transactions may have to be re- PoW requires a computational problem that can moved in order for the attack to be effective— be efficiently verified. This necessitates a computa- each time by running Shor’s algorithm. Other- tional problem that is in NP, which in turn implies wise, a quantum attacker would be blindly attack- the problem is amenable to Grover algorithm speed- ing transactions that could be of very little financial up. In short, there is no possible PoW system that value. Performing this against many private trans- is not susceptible to Grover speed-up. This implies actions would be more computationally expensive that quantum actors will always have an advantage than similar attacks on other networks. This is fur- over classical ones in PoW-based blockchains—and ther explained in section 1 on page 9. can use this advantage either to mine more effec- The next most secure blockchains are Bitcoin and tively, or as a basis for a 51% attack. The only those with a similar cryptographic structure, like counter to this being dropping PoW completely in LiteCoin. Transactions that are declared to the net- favor of an entirely different system such as Proof work are highly vulnerable to quantum attack from of Stake (PoS). Shor’s algorithm. However, under best-use prac- Finally, in conclusion, all blockchain technologies tices, only individual transactions would be under analyzed here have varying, yet ultimately criti- threat, as the reuse of public keys is discouraged in cal vulnerabilities that can be exploited using a these blockchains. sufficiently-developed quantum computer. Fortu- In Ethereum, public-key reuse is more com- nately, blockchain technologies are still a fledgling mon because of its account-based structure. Once technology, and quantum computers even more so. a public-key for an account becomes known to This gives the industry time to adapt, and course- the network, that account will be vulnerable to correct. PoW and many other consensus mecha- quantum attack. Using a quantum computer the nisms available are sufficiently resistant in the near private-key for an account can be computed from to medium term from all currently-known quantum the public-key. At this point the attacker can take algorithms. However, signature schemes for trans- over the account completely, including the ability action broadcast will need to be changed to use to siphon all current funds to another account. appropriately designed (post-quantum) cryptogra- Of the blockchains discussed here, the most vul- phy in order for a blockchain network to become nerable to quantum attack is ZCash. Despite be- quantum-safe. ing a privacy-based blockchain, ZCash uses a public ceremony in order to enable the anonymity of transactions. This creates a global public key based Acknowledgements on elliptic-curve cryptography. Using Shor’s algorithm, a quantum assailant can easily find this pri- The authors of this paper would like to acknowl- vate key. This would allow them to create an un- edge the contribution to the early work for this limited supply of tokens. Furthermore, because the paper from Jeathra Sivarajasingam. The authors values are obfuscated, this attack would remain un- would also like to thank Dr. Pauline Bernat and known to the rest of the network. Joanna I. Ziembicka for useful comments during the Finally, it is worth highlighting the particular is- preparation on this manuscript. CP-D would like sue of Grover algorithm-based attacks. Typically, to acknowledge funding through the EPSRC Quan- attacks based on Grover’s algorithm are considered tum Communications Hub (EP/T001011/1). less of a threat than those based on Shor’s algorithm [see e.g. 2]. However, there is one way in which Grover’s algorithm represents a much more serious References threat to blockchain technologies than Shor’s algo- [1] R. Van Meter and C. Horsman, “A blueprint for rithm does. building a quantum computer,” Commun. ACM, Consider that in order to face the threat of Shor’s vol. 56, pp. 84–93, Oct. 2013. 13 [2] D. Aggarwal, G. Brennen, T. Lee, M. Santha, and “Simple schnorr multi-signatures with applications to M. Tomamichel, “Quantum attacks on bitcoin, and bitcoin,” Designs, Codes and Cryptography, vol. 87, how to protect against them,” Ledger, vol. 3, Oct 2018. pp. 2139–2164, Sep 2019. [3] M. Mosca, “Cybersecurity in an era with quantum [22] S. Levy, “Performance and security of ecdsa,” 2015. computers: Will we be ready?,” IEEE Security [23] D. Cheung, D. Maslov, J. Mathew, and D. K. Privacy, vol. 16, pp. 38–41, Sep. 2018. Pradhan, “On the design and optimization of a [4] NIST, “Post-quantum cryptography.” https://csrc. quantum polynomial-time attack on elliptic curve nist.gov/Projects/Post-Quantum-Cryptography/ cryptography,” in Theory of Quantum Computation, Post-Quantum-Cryptography-Standardization, 2017. Communication, and Cryptography (Y. Kawano and [5] P. W. Shor, “Algorithms for quantum computation: M. Mosca, eds.), (Berlin, Heidelberg), pp. 96–104, Discrete logarithms and factoring,” in Proceedings Springer Berlin Heidelberg, 2008. 35th annual symposium on foundations of computer [24] I.-K. Lim, Y.-H. Kim, J.-G. Lee, J.-P. Lee, science, pp. 124–134, Ieee, 1994. H. Nam-Gung, and J.-K. Lee, “The analysis and [6] G. Brassard, P. Hoyer, M. Mosca, and A. Tapp, countermeasures on security breach of bitcoin,” in “Quantum amplitude amplification and estimation,” International conference on computational science Contemporary Mathematics, vol. 305, pp. 53–74, 2002. and its applications, pp. 720–732, Springer, 2014. [7] A. Ambainis, “Quantum search algorithms,” SIGACT [25] P. Praitheeshan, L. Pan, J. Yu, J. Liu, and R. Doss, News, vol. 35, p. 22–35, jun 2004. “Security analysis methods on ethereum smart [8] L. K. Grover, “Quantum mechanics helps in searching contract vulnerabilities: a survey,” arXiv preprint for a needle in a haystack,” Phys. Rev. Lett., vol. 79, arXiv:1908.08605, 2019. pp. 325–328, Jul 1997. [26] G. Kappos, H. Yousaf, M. Maller, and S. Meiklejohn, [9] G. V. Research, “Blockchain technology market worth “An empirical analysis of anonymity in zcash,” in 27th $57,641.3 million by 2025.” https://www. {USENIX} Security Symposium ({USENIX} Security grandviewresearch.com/press-release/ 18), pp. 463–477, 2018. global-blockchain-technology-market, 07 2019. [27] M. Möser, K. Soska, E. Heilman, K. Lee, H. Heffan, [10] M. del Castillo, “Jpmorgan is hiring for more S. Srivastava, K. Hogan, J. Hennessey, A. Miller, blockchain jobs than any other wall street firm.” A. Narayanan, et al., “An empirical analysis of https://www.forbes.com/sites/michaeldelcastillo/ traceability in the monero blockchain,” arXiv preprint 2019/03/28/ arXiv:1704.04299, 2017. jpmorgan-is-hiring-more-blockchain-jobs-than-any-other-wall-street-firm/#[28] A. R. Sai, J. Buckley, and A. Le Gear, “Privacy and 4362991668c8, 03 2019. security analysis of cryptocurrency mobile [11] Maersk, “Maersk and ibm introduce tradelens applications,” in 2019 Fifth Conference on Mobile and blockchain shipping solution.” https://www.maersk. Secure Services (MobiSecServ), pp. 1–6, IEEE, 2019. com/en/news/2018/06/29/ [29] D. He, S. Li, C. Li, S. Zhu, S. Chan, W. Min, and maersk-and-ibm-introduce-tradelens-blockchain-shipping-solutionN. Guizani,, “Security analysis of cryptocurrency 08 2018. wallets in android-based applications,” IEEE Network, [12] S. Shah, “How blockchain is revolutionising the legal vol. 34, no. 6, pp. 114–119, 2020. sector.” https://www.raconteur.net/ [30] A. Lohachab, A. Lohachab, and A. Jangra, “A risk-management/ comprehensive survey of prominent cryptographic blockchain-revolutionising-legal-sector, 02 2018. aspects for securing communication in post-quantum [13] IBM, “Ibm blockchain. now delivering value around iot networks,” Internet of Things, vol. 9, p. 100174, the world..” https://www.ibm.com/uk-en/blockchain. 2020. [14] J. Morgan, “Blockchain and distributed ledger.” [31] H. Nejatollahi, N. Dutt, S. Ray, F. Regazzoni, https://www.jpmorgan.com/global/blockchain. I. Banerjee, and R. Cammarota, “Post-quantum [15] Amazon, “Amazon managed blockchain.” https:// lattice-based cryptography implementations: A aws.amazon.com/managed-blockchain/. survey,” ACM Computing Surveys (CSUR), vol. 51, [16] J. Constine, “Facebook announces libra no. 6, pp. 1–41, 2019. cryptocurrency: All you need to know.” https:// [32] R. A. Perlner and D. A. Cooper, “Quantum resistant techcrunch.com/2019/06/18/facebook-libra/, 06 public key cryptography: a survey,” in Proceedings of 2019. the 8th Symposium on Identity and Trust on the [17] I. Bentov, A. Gabizon, and A. Mizrahi, Internet, pp. 85–93, 2009. “Cryptocurrencies without proof of work,” in [33] W. Cui, T. Dou, and S. Yan, “Threats and International Conference on Financial Cryptography opportunities: Blockchain meets quantum and Data Security, pp. 142–157, Springer, 2016. computation,” in 2020 39th Chinese Control [18] bitcoin.it, “Difficulty.” https://en.bitcoin.it/wiki/ Conference (CCC), pp. 5822–5824, IEEE, 2020. Difficulty. [34] J. Suo, L. Wang, S. Yang, W. Zheng, and J. Zhang, [19] T. ElGamal, “A public key cryptosystem and a “Quantum algorithms for typical hard problems: a signature scheme based on discrete logarithms,” IEEE perspective of cryptanalysis,” Quantum Information transactions on information theory, vol. 31, no. 4, Processing, vol. 19, p. 178, 2020. pp. 469–472, 1985. [35] C. Li, Y. Tian, X. Chen, and J. Li, “An efficient [20] R. L. Rivest, A. Shamir, and L. Adleman, “A method anti-quantum lattice-based blind signature for for obtaining digital signatures and public-key blockchain-enabled systems,” Information Sciences, cryptosystems,” Commun. ACM, vol. 21, pp. 120–126, vol. 546, pp. 253–264, 2020. Feb. 1978. [36] C. Wu, L. Ke, and Y. Du, “Quantum resistant [21] G. Maxwell, A. Poelstra, Y. Seurin, and P. Wuille, key-exposure free chameleon hash and applications in

14 redactable blockchain,” Information Sciences, P. Szalachowski, “A security reference architecture for vol. 548, pp. 438–449. blockchains,” in 2019 IEEE International Conference [37] “R3 publishes a new post-quantum signature on Blockchain (Blockchain), pp. 390–397, IEEE, 2019. algorithm tailored to blockchains,” Aug 2020. [53] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, “A [38] N. Anhao, “Bitcoin post-quantum,” 2018. survey on the security of blockchain systems,” Future [39] Z. Liu, D. Wong, K. Nguyen, G. Yang, and H. Wang, Generation Computer Systems, vol. 107, pp. 841–853, “Abelian coin (abe) – a quantum-resistant 2020. cryptocurrency balancing privacy and accountability,” [54] R. Zhang, R. Xue, and L. Liu, “Security and privacy Jun 2018. on blockchain,” ACM Computing Surveys (CSUR), [40] J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin vol. 52, no. 3, pp. 1–34, 2019. backbone protocol: Analysis and applications,” in [55] S. Nakamoto et al., “Bitcoin: A peer-to-peer electronic Annual international conference on the theory and cash system,” 2008. applications of cryptographic techniques, pp. 281–310, [56] A. Back et al., “Hashcash-a denial of service Springer, 2015. counter-measure,” 2002. [41] I. Giechaskiel, C. Cremers, and K. B. Rasmussen, “On [57] A. M. Antonopoulos, Mastering Bitcoin: unlocking bitcoin security in the presence of broken digital cryptocurrencies. ” O’Reilly Media, Inc.”, 2014. cryptographic primitives,” in European Symposium on [58] H. Knutson, “What is the math behind elliptic curve Research in Computer Security, pp. 201–222, cryptography.” https://hackernoon.com/ Springer, 2016. what-is-the-math-behind-elliptic-curve-cryptography-f61b25253da3, [42] M. K. Popuri and M. H. Gunes, “Empirical analysis of 05/04/2018. crypto currencies,” in Complex Networks VII, [59] blockchain.com, “Average confirmation time pp. 281–292, Springer, 2016. (bitcoin).” https://www.blockchain.com/charts/ [43] H. Wang, Y. Wang, Z. Cao, Z. Li, and G. Xiong, “An avg-confirmation-time?timespan=1year. overview of blockchain security analysis,” in China [60] A. Hülsing, D. Butin, S.-L. Gazdag, J. Rijneveld, and Cyber Security Annual Conference, pp. 55–72, A. Mohaisen, “Xmss: extended merkle signature Springer, Singapore, 2018. scheme,” in RFC 8391, IRTF, 2018. [44] L. Alcock and L. Ren, “A note on the security of [61] V. Buterin and V. Griffith, “Casper the friendly equihash,” in Proceedings of the 2017 on Cloud finality gadget,” arXiv preprint arXiv:1710.09437, Computing Security Workshop, pp. 51–55, 2017. 2017. [45] A. Mense and M. Flatscher, “Security vulnerabilities [62] A. M. Antonopoulos and G. Wood, Mastering in ethereum smart contracts,” in Proceedings of the ethereum: building smart contracts and dapps. 20th International Conference on Information O’Reilly Media, 2018. Integration and Web-Based Applications & Services, [63] G. Wood et al., “Ethereum: A secure decentralised pp. 375–380, 2018. generalised transaction ledger,” Ethereum project [46] M. Wohrer and U. Zdun, “Smart contracts: security yellow paper, vol. 151, no. 2014, pp. 1–32, 2014. patterns in the ethereum ecosystem and solidity,” in [64] B. I. Charts, “Ethereum hash rate historical chart.” 2018 International Workshop on Blockchain Oriented https://bitinfocharts.com/comparison/ Software Engineering (IWBOSE), pp. 2–8, IEEE, ethereum-hashrate.html. 2018. [65] Etherscan, “Transactions (ethereum).” https:// [47] H. Chen, M. Pendleton, L. Njilla, and S. Xu, “A etherscan.io/txs. survey on ethereum systems security: Vulnerabilities, [66] J. Fernando, “Bitcoin vs. litecoin: What’s the attacks, and defenses,” ACM Computing Surveys difference?.” https://www.investopedia.com/ (CSUR), vol. 53, no. 3, pp. 1–43, 2020. articles/investing/042015/ [48] F. Ma, M. Ren, Y. Fu, M. Wang, H. Li, H. Song, and bitcoin-vs-litecoin-whats-difference.asp, Y. Jiang, “Security reinforcement for ethereum virtual 25/06/2019. machine,” Information Processing & Management, [67] blockchain.com, “Hash rate (bitcoin).” https://www. vol. 58, no. 4, p. 102565, 2021. blockchain.com/charts/hash-rate? [49] S.-F. Sun, M. H. Au, J. K. Liu, and T. H. Yuen, [68] B. I. Charts, “Litecoin hashrate historical chart.” “Ringct 2.0: A compact accumulator-based (linkable https://bitinfocharts.com/comparison/ ring signature) protocol for blockchain cryptocurrency litecoin-hashrate.html. monero,” in European Symposium on Research in [69] C. Percival, “Stronger key derivation via sequential Computer Security, pp. 456–474, Springer, 2017. memory-hard functions,” 2009. [50] D. A. Wijaya, J. Liu, R. Steinfeld, and D. Liu, [70] Litecoin.com, “New scrypt litecoin miners might be “Monero ring attack: Recreating zero mixin about to hit the market.” https://medium.com/ transaction effect,” in 2018 17th IEEE International @LitecoinDotCom/ Conference On Trust, Security And Privacy In new-scrypt-litecoin-miners-might-be-about-to-hit-the-market-3a9057e93375, Computing And Communications/12th IEEE 13/11/2018. International Conference On Big Data Science And [71] B. I. Charts, “Litecoin hash rate historical chart.” Engineering (TrustCom/BigDataSE), pp. 1196–1201, https://bitinfocharts.com/comparison/ IEEE, 2018. litecoin-hashrate.html. [51] J. O. M. Chervinski, D. Kreutz, and J. Yu, [72] bitcoingold.org, “Bitcoin gold..” https:// “Floodxmr: Low-cost transaction flooding attack with bitcoingold.org/. monero’s bulletproof protocol.,” IACR Cryptol. ePrint [73] bitcoin.com, “Bitcoin core..” https://bitcoin.org/ Arch., vol. 2019, p. 455, 2019. en/bitcoin-core/. [52] I. Homoliak, S. Venugopalan, Q. Hum, and [74] N. Sulemanji, “Litecoin’s falling hash rate is a

15 worrying sign.” https://decrypt.co/10855/ litecoins-falling-hash-rate-is-a-worrying-sign, 29/10/2019. [75] G. Maxwell, “Confidential transactions.” https:// people.xiph.org/~greg/confidential values.txt, 06 2015. [76] T. Koens, C. Ramaekers, and C. Van Wijk, “Efficient zero-knowledge range proofs in ethereum,” tech. rep., Technical Report, 2018. [77] N. Van Saberhagen, “Cryptonote v 2.0,” 2013. [78] K. M. Alonso and J. H. Joancomart´ı, “Monero - privacy in the blockchain.” Cryptology ePrint Archive, Report 2018/535, 2018. https://eprint.iacr.org/ 2018/535. [79] S. Noether, A. Mackenzie, et al., “Ring confidential transactions,” Ledger, vol. 1, pp. 1–18, 2016. [80] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell, “Bulletproofs: Short proofs for confidential transactions and more,” in 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334, IEEE, 2018. [81] “Monero’s randomx.” [82] Beam, “Beam.” https://www.beam.mw/. [83] Grin, “Grin.” https://grin-tech.org/. [84] T. E. Jedusor, “Mimblewimble,” 2016. [85] Z. Wilcox, “The design of the ceremony.” https://z. cash/blog/the-design-of-the-ceremony/, 10 2016. [86] D. Hopwood, S. Bowe, T. Hornby, and N. Wilcox, “Zcash protocol specification,” Tech. rep. 2016–1.10. Zerocoin Electric Coin Company, Tech. Rep., 2016. [87] A. Biryukov and D. Khovratovich, “Equihash: Asymmetric proof-of-work based on the generalized birthday problem,” Ledger, vol. 2, pp. 1–30, 2017. [88] D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, “High-speed high-security signatures,” Journal of Cryptographic Engineering, vol. 2, pp. 77–89, Sep 2012. [89] L. Grassi, M. Naya-Plasencia, and A. Schrottenloher, “Quantum algorithms for the k-xor problem,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 527–559, Springer, 2018.