A path forward in meeting the emerging cyber threats to the blockchain

July 11, 2023
Cryptography is the foundation of a blockchain’s security and until recently had been enough

Many believe that blockchains are completely secure against today’s cyberattacks; however, they are vulnerable to threats from quantum computers. Though this threat has not yet materialized in practice, it is nonetheless serious and likely to become operational sooner than many expect. The integrity of entire blockchains is at risk. This article looks at why this risk exists and offers some thoughts on what can be done about the problem.

A Brief Overview of How Blockchains Work

To understand why blockchains face risk exposure, it’s essential to know how they work. For some of you, this may be familiar territory. However, the technology has been so extensively hyped that its core functionality tends to get obscured.

A blockchain is so named because it “chains” together “blocks” of data. It’s neither a new concept nor something that was invented for the purpose of cryptocurrencies. It was conceptualized over 30 years ago as a way to use cryptography to make it extremely difficult, if not impossible, to tamper with digital documents. A blockchain comprises a decentralized, distributed ledger containing linked blocks of transactions. It exists on a network with many nodes. Any new transaction posted to the blockchain must be validated by the network before being appended to the ledger. The transaction cannot be altered once it has been validated.

To function as required, a blockchain is secured by two cryptographic primitives: cryptographic hash functions and public key signatures. Digital signatures let users authenticate their transactions with their private keys, and the network can verify a transaction’s validity with the corresponding public key. Hash functions provide immutability by making it impossible to modify a transaction once its hash has been published to the blockchain, because every later block commits to the hash of the block before it.
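The following is an added example, not code from the article or from QuSecure, showing the hash-chaining half of the mechanism just described: each block carries the hash of its predecessor, so altering a transaction in one block invalidates that block’s hash, and re-hashing the altered block only moves the break to the next block’s link. Block layout, the constructed sample transactions, and the function names are assumptions made for illustration; signature verification is not shown.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed convention: the first block points at an all-zero hash


def block_hash(block: dict) -> str:
    """SHA-256 over the canonical JSON of the block, excluding its own 'hash' field."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_chain(transactions_per_block):
    """Append one block per list of transactions, linking each block to the previous hash."""
    chain = []
    prev = GENESIS_PREV
    for height, txs in enumerate(transactions_per_block):
        block = {"height": height, "prev_hash": prev, "txs": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every block's hash and back-link check out,
    otherwise (False, height_of_first_bad_block)."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return False, block["height"]
        prev = block["hash"]
    return True, None


# Constructed sample ledger: three blocks of toy transactions (not real data).
SAMPLE_BLOCKS = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def tamper_demo():
    """Show how the chain detects an edited transaction, with and without re-hashing."""
    chain = build_chain(SAMPLE_BLOCKS)

    # 1. Edit a past transaction without touching any hash: block 1's stored hash no longer matches.
    edited = copy.deepcopy(chain)
    edited[1]["txs"][0]["amount"] = 200

    # 2. Edit and recompute that block's hash: block 1 now looks fine, but block 2's
    #    prev_hash still names the original hash, so the break moves to height 2.
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = block_hash(rehashed[1])

    return {
        "original": verify_chain(chain),
        "edited": verify_chain(edited),
        "rehashed": verify_chain(rehashed),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: valid={result[0]} first_bad_height={result[1]}")
```

The point for a defender is that rewriting history requires recomputing every hash from the altered block to the tip, and on a real network each of those blocks would also have to be re-validated by the other nodes.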

In 2008, the idea took off with the advent of Bitcoin. However, while cryptocurrencies are the main use case for blockchains today, the technology has many other applications. These include securing supply chains, government processes, scientific research, and many others.

Why Blockchains are Vulnerable to Quantum Computers

Cryptography is the foundation of a blockchain’s security and integrity. Until recently, it has been enough. However, quantum computing will have the power to demolish the cryptography that anchors blockchains, just as it threatens today’s encryption standards. A quantum computer performs calculations using qubits, which can exist in multiple quantum computational states at once. This approach lets it perform tasks like cracking an encryption key at an exponentially faster rate than a conventional computer.

Quantum computers now in development will be able to crack Bitcoin’s SHA256 hashing algorithm in a matter of hours, a task that would take conventional computers centuries. For now, Bitcoin and other blockchain data is safe, but it is only a matter of time until a powerful enough quantum computer is available and can be weaponized against blockchains.

When that happens, blockchains will certainly collapse. According to Arthur Herman of the Hudson Institute, in a 2022 study sponsored by QuSecure, a single quantum attack on Bitcoin would cause immense damage. The study states: “The loss in unrealized gains for Bitcoin alone would amount to just over $830 billion, while total unrealized gains-at-risk for the aggregate cryptocurrency market would exceed $1.3 trillion.” Blockchain’s ability to establish immutable transactions will vanish. Cryptocurrencies will plummet in value. Any industrial process that relies on blockchain will become untrusted.

Mitigating the Quantum Threat Against Blockchains

Blockchain entities that want to get ahead of the quantum threat – and that should really be all of them if they’re paying attention – need to start investigating post-quantum cryptography (PQC) solutions. Several such solutions are already in development in the blockchain space. For example, the Ethereum project is actively planning for a post-quantum future. Ethereum 3.0 is expected to contain quantum-resistant features. However, the network is still in transition to Ethereum 2.0, so these protections may not come online soon enough.

Other examples include the Quantum Resistant Ledger and Bitcoin Post Quantum, which is not related to Bitcoin the cryptocurrency. These are both based on the use of post-quantum algorithms to mitigate the risk of cryptography being cracked by quantum computers. The Hyperledger Foundation, which produces open-source software for blockchain, has its Ursa project, which involves post-quantum cryptography.

One potential drawback of the current crop of post-quantum solutions in blockchain is that they require longer encryption keys, which will become a drag on performance. For this reason, alternative approaches may be preferable. Instead of using longer keys, it is possible to become quantum resistant by changing the way keys are used, managed and generated.

“Lattice-based cryptography” is one such approach. Lattice-based cryptography generates encryption keys using a complex mathematical “lattice” of calculations. The lattice’s pattern makes it difficult in the extreme for an attacker to know even where to begin. Working this way, it becomes impossible for a quantum computer to crack the cryptography that’s holding the blockchain together.

It's important for blockchain entities to be aware of the risks quantum computers pose. While the threat is not here today, the time to act and begin to investigate countermeasures that enable blockchains to become quantum secure is now. Depending on the size of the network, it will take from a few years to a decade for networks to become quantum resilient. PQC options are available today for blockchain entities to begin investigating to see what works for their specific operation.

About the author: Dave Krauthamer is co-founder and CEO of QuSecure. Dave is an information systems executive who is an experienced CEO, CIO, CTO, CRO, CMO, and CSO and serves as a Board Member and Chairman of the Digital Disruption Group at the Band of Angels. He has created and sold award-winning companies in addition to teaching university-level courses in information technology.