Why Bitcoin fears Quantum Computers — and IOTA doesn’t
If there is one thing which can cause real trouble to the whole Blockchain sphere it certainly is Quantum Computing. The new technology gives access to a lot more computing power than we have ever had before which could also be used for cracking the security systems of Bitcoin and the likes: At the CES 2018 it could be seen that this new kind of processor is not a thing of the future anymore, but its development is rapidly making progress (Intel has just announced a ‘major breakthrough’). IOTA is striving to be the new base layer for the whole Internet of Things (IoT), a whole new ecosystem with millions and billions of connected devices and transactions — of course, such a network must be safe from attacks, also from attacks from Quantum Computers. I shall argue that IOTA — in contrast to Bitcoin and the likes- is using an underlying architecture which makes it safe from malicious attacks carried out by Quantum computers.
1. What you need to know
Note: The goal here is to explain the process by means of easy words, so I have to skip some deep and confusing technicalities.
Bitcoin uses a public ledger to store its data on. It packs all of the data of a specific time period into one so-called block. What this block also carries is a so-called “hash” of the previous block: a mathematical function which turns data into a set of specific length, normally a long string of random numbers and letters (“a003c86b3e1038….”). In order to prevent users from spending the same Bitcoin multiple times, there is a so-called timestamp which is also added to each transaction and stored in the block. And then there is another number called the nonce.
Block = Hash of the previous block + transactions / timestamps + nonce
A miner checks the transactions which are about to be sent through the network if they are valid (by comparing if all the hashes and values make sense). If they are valid, he grabs the transactions into a block and hashes the whole thing twice using a very famous and secure algorithm called SHA-256. By doing this, a new hash is created and this hash must be smaller than a certain target value in order for the block to be published as the new block of the blockchain. The only value which can be changed by the miner is the nonce, so if the hash is not smaller than the target value, the miner must try another number. This is a lot of work in terms of calculations and is rewarded by Bitcoins once you find the nonce which verifies the block: All of this together is called mining, which you might have heard of :-). By the way some food for thought:
According to a research conducted by a U.K.-based energy comparison tariff service called PowerCompare, the average electricity used to mine bitcoin this year has surpassed the annual energy usage of some 159 countries . […] A single bitcoin transaction consumes enough energy to power the average household for an entire month.(link)
2a) Risk of 51%-attack
Now here’s the kicker: Because every miner packs one individual transaction into the block (the one which will send him his hopefully rewarded bitcoins), each miner’s hashingproblem is individual. Which means that theoretically two miners can find a solution to their problem at the same time, the result would be two mined blocks. The Bitcoin protocol’s rule here is to only accept the one which has been worked on more. So far, so good.
But what happens if miners come together in mining pools and share their mined bitcoins because everybody is working on it, like in a team (which is what is happening) and they have such powerful PCs that they represent more than 50% of the computational power of the network? Then it “[could] spend bitcoins twice, by deleting transactions so they are never incorporated into the blockchain. The [rest of the miners] are none the wiser because they have no oversight of the mining process. (MIT technology review)” So with that much computational power the whole mining system could break down!
So far, this has never happened because it would need a whole lot of people to come together and put all of their computational power together — but what would happen if you used one or more Quantum Computer to mine Bitcoins?
According to MIT experts the answer is that this would not really be a danger (at least not for the next 10 years) because the clockspeeds of the quantum processors are not (yet) high enough to keep up with today’s most powerful mining machines from Nvidia and the likes.
2b) Risk of calculating the private key
Of course, the Bitcoin protocol wants to ensure that every Bitcoin can only be spent by its owner. Every wallet has a secret private key (so to speak the password to gain access to the bitcoin account) and public key which is easily generated from the private key and is published to the network (the hash of this key is the wallet address!): So basically you could say one is the password and one is the wallet address.
What you can do is to use a signature which shows others that you really have the private key for this account without sharing your password/secret key. This technology is called “elliptic curve signature scheme” (Such a signature identified IOTA’s Come-from-Beyond as the creator of NXT)
So you can easily create a public key from the private key and prove your ownership by means of the above-mentioned scheme — but not vice versa! Even with our fastest computers today, this is not possible because the encryption method is strong enough. However,
[…] with a quantum computer, it is easy.
And that’s how quantum computers pose a significant risk to Bitcoin. “The elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027,” say Aggarwal and co.
Indeed, quantum computers pose a similar risk to all encryption schemes that use a similar technology, which includes many common forms of encryption. MIT technology review
This would make it possible for a Quantum Computer to calculate the private key = password of any account once the wallet address/public key is known (if you want to dig deeper, the keyword is Shor’s algorithm.
3. IOTA
As opposed to Bitcoin, IOTA does not use the elliptic curve cryptography (ECC) but hash-based signatures thus not only making the protocol resistant against by Quantum Computers but also simpler and faster for signing and verifying transactions.
IOTA is quantum-secure because of its usage of Winternitz signatures:
The best summary I could come up with is the following:
For this kind of signature one generates random data for each case of having a ‘0’ or a ‘1’ representing a single bit of the message. This is the private key. The public key represents the hashed version for each of the random data blocks. To sign a message, the private key data for each bit is revealed, depending on the single message bit being ‘0’ or ‘1’. A verifier can calculate the hashes and compare them to the public key. Here one notices that generating a second signature would tell more about the private key and allow an attacker to forge further signatures. Therefore a single key pair must only be used once. To improve performance and reduce space requirements, Merkle proposed the Winternitz OTS (One-time-signatures), named after Robert Winternitz. The basic idea of the Winternitz OTS is to sign several bits at once.
As for IOTA, this is — simply speaking- the reason, why you should not use the same address for sending IOTAs twice because each time a part of the private key is revealed; using the same address more than once would make it attackable even with today’s methods.
However, IOTA is still being developed and improved — one of the main aspects is its focus on ternary (instead of binary) hardware, i.e. developing a chip which can handle the cryptographic calculations as fast as possible. Of course, this also needs a software-solution which takes ternary logic into account. Since there is nothing on the market which could be used, it had to be invented by some really bright people: the IOTA developers!
IOTA’s ternary (again, NOT binary as above!) hash-function is called CURL-P (P = Prototype). At the moment, this is being reviewed/audited by one of the worlds most renowned security audit firms (which makes sense because it’s entirely new technology which is supposed to handle tomorrow’s billion-transaction-IoT-network). To cite the IOTA-foundation,
CURL is “based on well-studied sponge construction invented by the Keccak creators (SHA-3) and strictly conforms to all requirements described in their official paper.”
Because it cannot be used without a complete and successful security audit, security precautions have been undertaken by using a NIST standard Keccak (SHA-3) algorithm for signing: since the IOTA network is not yet running on ternary hardware, there needs to be a software function which converses information from binary to ternary; this hashing function is called Kerl (=Keccak-384).
Outlook
As can be seen, quantum computing provides a real danger to the security of Bitcoin (and also its derivate) accounts because of the elliptic curve cryptography and its shortcomings in this context. IOTA has nothing to fear from this due to its choice of hash-based signatures.
At the moment, IOTA is not yet running on full speed because the calculations have to go through a software-conversion (KERL). In the future, this will be done by IoT-tailored microprocessors:
This means that even small devices in the Fog/Edge of the network will be fully capable of carrying out their own hashing for hundreds/thousands of transactions per second locally without the need to outsource it. With hardware support the fundamental limit of IOTA’s scaling will be the laws of physics themselves. I.E how fast radio waves/photons can communicate data. It’s important to note that this hardware component does not add any extra cost either in price or size of the chip to the manufacturer and will be entirely open source. (David Sonstebo, IOTA Co-founder)
I hope this helped you a bit to understand a) why IOTA is such a great and special undertaking and b) why IOTA is (despite its already huge success) still only in the beginning when it comes to its actual capabilities in combination with the hardware… And remember: All this will be done at a fraction of the energy costs (compared to Bitcoin and the likes) and without any fees!
If you want to, I would be happy about a little donation ;-):
IOTA: KGOZYHJRYVDBSXTUSECYJVEBLDVYFKCAKAWTPTCKXMBNOWNVRDRHRVSJNIVOQUFRODFPXWYSGROKRWKRZWJZTJOHSX