Bitcoin is taking the world by storm. The decentralized digital currency is a secure payment platform that anybody can use. It is free from government interference and operated by an open, peer-to-peer network.
This independence is one reason Bitcoin has become so popular, causing its value to rise steeply. At the beginning of 2017, a single bitcoin was worth around $1,000. By November 2017, this had risen to around $7,000. Indeed, the total value of the cryptocurrency market is some $150 billion.
A crucial feature of Bitcoin is its security. Bitcoins have two important security features that prevent them from being stolen or copied. Both are based on cryptographic protocols that are hard to crack. In other words, they exploit mathematical functions, like factorization, that are easy in one direction but hard in the other—at least for an ordinary classical computer.
But there is a problem on the horizon. Quantum computers can solve these problems easily. And the first quantum computers are currently under development.
That raises an urgent question: how secure is Bitcoin to the kinds of quantum attack that will be possible in the next few years?
Today, we get an answer thanks to the work of Divesh Aggarwal at the National University of Singapore and a few pals. These guys have studied the threat to Bitcoin posed by quantum computers and say that the danger is real and imminent.
First some background. Bitcoin transactions are stored in a distributed ledger that collates all the deals carried out in a specific time period, usually about 10 minutes. This collection, called a block, also contains a cryptographic hash of the previous block, which contains a cryptographic hash of the one before that, and so on in a chain. Hence the term blockchain.
(A hash is a mathematical function that turns a set of data of any length into a set of specific length.)
The new block must also contain a number called a nonce that has a special property. When this nonce is hashed, or combined mathematically, with the content of the block, the result must be less than some specific target value.
Given the nonce and the block content, this is easy to show, which allows anybody to verify the block. But generating the nonce is time consuming, since the only way to do it is by brute force—to try numbers one after the other until a nonce is found.
This process of finding a nonce, called mining, is rewarded with Bitcoins. Mining is so computationally intensive that the task is usually divided among many computers that share the reward.
The block is then placed on the distributed ledger and, once validated, incorporated into the blockchain. The miners then start work on the next block.
Occasionally, two mining groups find different nonces and declare two different blocks. The Bitcoin protocol states that in this case, the block that has been worked on more will be incorporated into the chain and the other discarded.
This process has an Achilles’ heel. If a group of miners controls more than 50 percent of the computational power on the network, it can always mine blocks faster than whoever has the other 49 percent. In that case, it effectively controls the ledger.
If it is malicious, it can spend bitcoins twice, by deleting transactions so they are never incorporated into the blockchain. The other 49 percent of miners are none the wiser because they have no oversight of the mining process.
That creates an opportunity for a malicious owner of a quantum computer put to work as a Bitcoin miner. If this computational power breaks the 50 percent threshold, it can do what it likes.
So Aggarwal and co specifically examine the likelihood of a quantum computer becoming that powerful on the network. They look at the projected clock speeds of quantum computers in the next 10 years and compare that to the likely power of conventional hardware.
Their conclusion will be a relief to Bitcoin miners the world over. Aggarwal and co say that most mining is done by application-specific integrated circuits (ASICs) made by companies such as Nvidia. This hardware is likely to maintain a speed advantage over quantum computers over the next 10 years or so.
“We find that the proof-of-work used by Bitcoin is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers,” they say.
But there is a different threat that is much more worrying. Bitcoin has another cryptographic security feature to ensure that only the owner of a Bitcoin can spend it. This is based on the same mathematics used for public-key encryption schemes.
The idea is that the owner generates two numbers—a private key that is secret and a public key that is published. The public key can be easily generated from the private key, but not vice versa. A signature can be used to verify that the owner holds the private key, without revealing the private key, using a technique known as an elliptic curve signature scheme.
In this way, the receiver can verify that the owner possesses the private key and therefore has the right to spend the Bitcoin.
The only way to cheat this system is to calculate the private key using the public key, which is extremely hard with conventional computers. But with a quantum computer, it is easy.
And that’s how quantum computers pose a significant risk to Bitcoin. “The elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027,” say Aggarwal and co.
Indeed, quantum computers pose a similar risk to all encryption schemes that use a similar technology, which includes many common forms of encryption.
There are public-key schemes that are resistant to attack by quantum computers. So it is conceivable that the Bitcoin protocols could be revised to make the system safer. But there are no plans to do that now.
Bitcoin is no stranger to controversy. It has weathered various storms over its security. But that is no guarantee that it will cope well in the future. One thing is sure: the pressure to change will increase as the first powerful quantum computers come online in the next few years.
Ref: arxiv.org/abs/1710.10377 : Quantum Attacks On Bitcoin, And How To Protect Against Them
Inside the machine that saved Moore’s Law
The Dutch firm ASML spent $9 billion and 17 years developing a way to keep making denser computer chips.
The 50-year-old problem that eludes theoretical computer science
A solution to P vs NP could unlock countless computational problems—or keep them forever out of reach.
The US is worried that hackers are stealing data today so quantum computers can crack it in a decade
The US government is starting a generation-long battle against the threat next-generation computers pose to encryption.
This new startup has built a record-breaking 256-qubit quantum computer
QuEra Computing, launched by physicists at Harvard and MIT, is trying a different quantum approach to tackle impossibly hard computational tasks.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.