The future of post-quantum resistant blockchains

Facing the facts: Quantum computers are quickly becoming a reality

Quantum computing is finally on the verge of becoming commercially useful¹² and is being developed at an accelerating pace³. As of this article, two Chinese teams claim to have reached primacy (first stage of being commercially useful) with quantum computers.

Seven out of the top ten tech giants are either publicly competing for market dominance or involved in some capacity⁴. This includes Google⁵, Amazon⁶, Alibaba⁷, TSMC⁸, Tencent Holdings⁹ IBM¹⁰, Intel¹¹, Rigetti¹² and Microsoft¹³. Other notable entrants include GlobalFoundries¹⁴, PsiQuantum¹⁵, Honeywell¹⁶, dMY Technology Group III¹⁷, and IonQ¹⁸.

Additionally, every single one of the G7 countries are either involved in quantum computing like the USA¹⁹, China²⁰, France²¹, Canada²², Japan²³, and the United Kingdom²⁴, or getting involved such as Italy²⁵. Some other notable nation states and groups outside of the G7 include the European Union²⁶, and Russia²⁷.

In-Q-Tel, a corporation that uses Central Intelligence Agency (CIA) supplied funds to make strategic investments in companies focused on producing commercially focused technology that’s of value to the national security for the U.S. and its allies, is also invested in the quantum computing initiatives Rigetti, Q-CTRL, and D-WAVE²⁸.

Why? Quantum computers offer advances that aren’t currently possible with classical computers, or can be otherwise sped up by quantum computers. This class of problems solvable by a quantum computer are known in computational complexity theory as bounded-error quantum polynomial time (BQP). This additional class of new problems that can be solved will lead to the revolutionary advancement for AI²⁹, chemistry³⁰, materials science³¹, finance³², and security³³ sectors, combined worth a total of trillions. Financial motives aside, quantum computers can break current public key cryptography used for the Internet, Banks, Blockchain, and many other systems.

There’s a lot on the line, and the time is really running out to act - at least for blockchain.

The security impact is understood and accepted as real

A look at who’s preparing

NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms, and has put out a recommendation for Stateful hash-based signature schemes, including XMSS, which is what Quantum Resistant Ledger uses.

Other organisations preparing for the quantum threat includes Cloudflare, Google, and others³⁴. Banks fully realise what’s on the line and are preparing as well³⁵.

When will quantum computers be an immediate threat?

This is the million (trillion?) dollar question. It’s estimated to take 2330 logical qubits to break most public key cryptography used today³⁶.

Both PsiQuantum (working with GlobalFoundries) and IBM are vying to have one million qubit computers by the end of this decade³⁷. While these aren’t logical qubits, they can form logical qubits that are close to the numbers above. Adding to the mix, quantum computers can be networked together³⁸.

Experts in the field have weighed in from time to time in evaluating the likelihood of a significant quantum threat to public-key cybersecurity, and 77% think there’s at least a 5% chance of it happening within 10 years.

That might not seem like much, but there’s two key components missing.

1. The risk assessment of cost. For blockchain, that cost is currently 2.6 Trillion (not including NFT’s).
2. The time it takes to prepare, otherwise evaluated as Mosca’s Theorem

Why waiting for the immediate threat isn’t enough

This is best explained in a metaphor: If you have a fleet of boats that can handle 5 foot waves, but it’s known that 50 foot waves are coming in a few years, do you wait until those 50 foot waves appear in the wild to try and patch your fleed or prepare ahead of time? If you’re smart, you prepare, which involves research, planning, and development and takes time.

It’s that estimated preparation time that you want to use to work back-words for when those 50 foot waves are expected appear. If it takes an estimated 10 years to update a fleet of boats, and you start in the year 2022, your fleet of boats will be ready in the year 2032 to handle 50 foot waves.

Worth a read on this subject is Allen Walters who broke down Mosca’s Theorem and applied to the blockchain.

For everyone, that preparation time will involve research, development, integration/deployment, and migration. It’s no surprise then that we find Google, Cloudflare and others with deployed test implementations by now taking this seriously, even when the immediate danger might seem so far off³⁴.

Updating centralized vs decentralized systems

There are a lot of critical systems that rely on vulnerable cryptography, but they’re also centralized systems, leading to fast-migrations in the case of a black swan event. This means they don’t face some crucial issues decentralized blockchains do.

For blockchains including Bitcoin, ‘not your keys, not your crypto’ is the golden standard, and most people will individually need to update their keys. Banks, on the other hand, hold and control your keys so can upgrade them at any-point. They can, for example, centrally change their cryptography without compliance of their users and the whole process can be done without user interface.

What does this mean for blockchains like Bitcoin?

Most blockchains (including all in the top 10 on CMC) use either Elliptic Curve Digital Signature Algorithm (ECDSA) for public key cryptography, or some variant of it vulnerable to quantum computers³⁹. Using a quantum computer, Shor’s algorithm⁴⁰ can be used to break ECDSA⁴⁰.

A paper by Deloitte Netherlands found that 25% of all Bitcoin are potentially vulnerable to a quantum attack, while some estimate that to be higher at 36%.

Anytime you make a transaction, your public key is revealed to the network. At that point, if the quantum computer is fast enough, or the network is congested, a private key can be derived and a new transaction with a higher fee can be made which will process sooner, and empty the persons assets.

More can be read in the paper “quantum attacks on bitcoin, and how to protect against them”.

How Quantum Resistant Ledger comes in

As we’ve found in creating our own blockchain, the process of making a blockchain quantum secure wasn’t merely matter of dropping in another signature scheme and opening a github repository.

We first needed to consult with experts in the field of post-quantum cryptography and begin work on the structure of our codebase, which was first released to github in 2016 and later released as mainnet after a long testnet period in 2018.

And we’re safe from future threats too. The QRL includes the possibility to upgrade signature schemes and cryptographic hash functions, and indicate so through an address format. This brings forward the capability of being crypto-agile, something no blockchain should be without.

This space needs secure, impenetrable blockchain systems more than ever. Right now, cryptocurrency and blockchain’s entire security model rests on the assumption that quantum computers will not exist for at least another decade. When they do emerge and bring with them the ability to break existing protocols, we will be left in a dangerous, high-risk state. We need to address this threat now before it becomes too late.

The Quantum Resistant Ledger is a brand new blockchain system that is post-quantum secure and employs post-quantum computing technologies in its design for absolute security, audited by red4sec and x41 D-sec.

Current features are:

• Desktop (Windows, Mac, Linux)
• Mobile (iOS, Android)
• Web (wallet, explorer)
• Hardware wallet support with Ledger Nano S
• On-chain message support (80 bytes)
• Notarisation
• Keybase ID integration

Along with several methods to interact with the foundation to further expand the ecosystem.

• QRL API: Organized around GRPC which uses protocol buffers for serializing structured data. If you’re working on an integrated application, this is what you want.
• Explorer API: Great for quickly getting QRL address balances, population, and other such data.
• Wallet API (requires node): If you’re working with wallets (ie. exchanges and other services), this is recommended.
• qrl command line (requires node): Comes equipped with the python node, offers simpler functionality to the wallet API.
• qrl-cli: Executable with mac, linux, and osx binaries, for interacting with the QRL blockchain via scripts and applications without requiring a full node.
• Suitable documentation and API sites.

On the horizon we have smart-contracts and proof-of-stake which are ending their period of research and entering development along with a UAE developer hub that aims to triple our development output.

This will position QRL as the most secure and feature rich blockchain project that can be counted on for secure digital assets into the future.

References