Vulnerability of Blockchain Technologies to Quantum Attacks

Joseph J. Kearney a, Carlos A. Perez-Delgado a,∗
a School of Computing, University of Kent, Canterbury, Kent CT2 7NF, United Kingdom
∗ Corresponding author. Email addresses: [email protected] (Joseph J. Kearney), [email protected] (Carlos A. Perez-Delgado)
arXiv:2105.01815v1 [quant-ph] 5 May 2021. Preprint submitted to Elsevier May 6, 2021.

Abstract

Quantum computation represents a threat to many cryptographic protocols in operation today. It has been estimated that by 2035, there will exist a quantum computer capable of breaking the vital cryptographic scheme RSA2048. Blockchain technologies rely on cryptographic protocols for many of their essential subroutines. Some of these protocols, but not all, are open to quantum attacks. Here we analyze the major blockchain-based cryptocurrencies deployed today—including Bitcoin, Ethereum, Litecoin and ZCash—and determine their risk exposure to quantum attacks. We finish with a comparative analysis of the studied cryptocurrencies and their underlying blockchain technologies and their relative levels of vulnerability to quantum attacks.

Introduction

Blockchain systems are unlike other cryptosystems in that they are not just meant to protect an information asset. A blockchain is a ledger, and as such it is the asset.

A blockchain is secured through the use of cryptographic techniques. Notably, asymmetric encryption schemes such as RSA or Elliptic Curve (EC) cryptography are used to generate private/public key pairs that protect data assets stored on blockchains. The associated security relies on the difficulty of factoring, when using RSA, or of the discrete logarithm problem with EC.

In a traditional banking system, public- and private-key cryptosystems are used to impose data confidentiality, integrity, and access rules. However, the data itself is decoupled from the key-pair. For instance, if a cryptographic key is lost or compromised, its validity can easily be revoked by a central authority. A new key-pair can be issued and associated to the data. Revoking the key in a timely manner ensures the continued integrity and confidentiality of the data. If a data-breach occurs, servers can be taken offline, and/or backups used. If an account is compromised, often mechanisms exist to allow the legitimate owner to recover this account.

By contrast, in a blockchain system, there is no central authority to manage users' access keys. The owner of a resource is by definition the one holding the private encryption keys. There are no offline backups. The blockchain, an always online cryptographic system, is considered the resource—or at least the authoritative description of it. If a key is lost, this invariably means that the secured data asset is irrevocably lost. If the key, or the device on which it is stored, is compromised, or if a vulnerability can be exploited, then the data asset can be irrevocably stolen. In short, in blockchains the protected resources cannot easily be decoupled from the encryption system being used. This makes blockchain technologies particularly vulnerable to advances in quantum technology.

It is infeasible to predict the progress and development of future technology with perfect accuracy. That said, it is possible to extrapolate current and past trends in quantum technology advancement—including all the essential components such as number of qubits, fidelity of gates, error-correction and fault-tolerance[1]. Doing this, we can confidently conclude that by the year 2035 it is more likely than not that quantum technology will have advanced sufficiently to be able to break RSA2048 efficiently. This conclusion is shared by well established researchers (see, e.g. [2, 3]), to the point that the US National Institute of Standards and Technology (NIST) has begun the process of standardizing and deploying quantum-safe public-key cryptography[4].

Given the strong coupling between data and cryptosystems in blockchains, the potential vulnerability of these cryptosystems to quantum attacks, the likely introduction of capable quantum computers in the mid-term future—not to mention the usual high monetary value of the assets secured by blockchains—it is important to more deeply understand their current level of vulnerability.

In this paper we analyze some of the most popular blockchain technologies—Bitcoin, Ethereum, Litecoin, Monero and ZCash—with a particular eye towards their vulnerability to attacks from upcoming quantum technologies. We finish with a comparative analysis of these blockchain technologies, in terms of their relative vulnerability to quantum attacks.

Background

We begin by giving some relevant background information.

Quantum Cybersecurity Threats

Quantum computers work by exploiting quantum physical effects to decrease the time required to solve (certain) computational problems by creating and utilizing quantum superpositions. There are two main families of quantum algorithms that are relevant to the current discussion: subgroup-finding algorithms, and amplitude amplification.

The first class of algorithms is best represented by Shor's algorithm[5]. This algorithm can both factor large integers and solve the discrete logarithm in polynomial time. In particular, it can factor an integer $N$ in time $O(\log^2 N \log\log N \log\log\log N)$ (or more succinctly $O(\log^3 N)$) and space $O(\log N)$. Or, as a function of the input size (in bits) $n = \log N$, Shor's algorithm runs in time $O(n^2 \log n \log\log n)$ (or more succinctly $O(n^3)$), using space $O(n)$. This is particularly relevant because most public-key cryptosystems deployed today—including RSA, EC, ElGamal and Diffie–Hellman—rely on the computational hardness of either one of these two problems. In order to understand the magnitude of the issue, one can take RSA 2048 as an example. This is considered the 'gold standard' for security at the time of writing. A simple calculation shows that it would take a classical computer with a 5 GHz CPU roughly 13.7 billion years to break an RSA 2048 cipher using current best techniques. A quantum computer operating at 10 MHz would be able to do it in roughly 42 minutes (1). In order to do so, however, a device needs to be able to hold in quantum memory a state large enough to represent (at least) both the input to the problem, and the output. As discussed earlier, it can be estimated that a quantum computer large enough to break RSA-2048 will likely be ready by the year 2035 (see e.g. [2, 3]).

(1) We calculate this by taking the number of quantum gates—counting error-correction—needed to factor an RSA 2048 public-key.

The second class of algorithm—amplitude amplification[6, 7]—consists of generalizations of Grover's search algorithm[8]. These algorithms allow for a solution to be found in any search space of cardinality $N$ in time $O(\sqrt{N})$. In short, this allows for any NP-Complete problem to be solved quadratically faster than any known classical algorithm. While the speed-up is a lot less dramatic than in the previous case, the importance of these algorithms rests in their general applicability. In short, any problem whose solution can be verified efficiently (i.e. any problem in NP) admits a quadratic quantum speed-up. Amplitude amplification algorithms are particularly relevant here because many, if not all, consensus algorithms for blockchain technologies rely on solving NP-Complete problems (more details below).

Blockchain Technologies

Blockchain and Distributed Ledger Technology (DLT) markets are predicted to be valued at $7.59 billion by 2024 [9]. Industries that have strong use cases include finance[10], logistics[11], and legal fields [12], with many large global corporations getting on board and integrating the technology: for example IBM [13], JP Morgan[14] and Amazon [15], with Facebook also announcing their own cryptocurrency Libra[16]. This technology removes the need for a trusted third-party to enable the transfer of data and assets.

Blockchains work on group consensus; the validity of a transaction is determined by a group of nodes that need not trust one another. The blockchain is managed by independent nodes that must reach consensus before updating the ledger with newly validated transactions. There are many mechanisms that enable a network to gain consensus, the most popular being Proof-of-Work (PoW)[17]. This consensus mechanism and underlying cryptographical techniques give blockchains their trustless ability. In general, blockchains work through the linkage of blocks in chronological order. These blocks are groups of transactions of information or cryptocurrency that nodes have broadcast to the network. This forms an immutable series of information, or a chain. Each block in the chain will contain a group of transactions and their information that has been declared to the network. This is generally through the transfer of tokens (cryptocurrency).

…nancial resources to solve a problem. This incentivizes the miner to generate a valid block containing only valid transactions. This work is also easily verified by any node connected to the network. This expended energy guarantees that a cost is associated with creating a block. Careless or malicious miners that expend the energy to complete a PoW algorithm but have created a bad block (a block that includes at least one transaction that if included into the chain would create a wrong state, e.g. spending over a user's balance) will be discovered by other nodes in the network. The block will be invalid and this would not be considered by other miners as part of the main chain, leaving the miner financially worse off, as they would receive