Quantum resistant blockchain and cryptocurrency, the full analysis in seven parts. Part 5.
So we continue. More challenges when upgrading an existing blockchain to quantum resistance. I'm using BTC as an example here and there, but this really goes for any blockchain that doesn't use a quantum resistant signature scheme.
Lost addresses and the human factor: a partly protected circulating supply after a quantum resistant upgrade
Again we face a consequence of the fact that a blockchain is a decentralized system. Changing the cryptography of your blockchain does not mean the full circulating supply is immediately protected; that needs the cooperation and action of your users. After consensus between nodes is achieved, there is a second stage where you depend on others to make the change final. After successfully changing your signature scheme, you have a blockchain that can create quantum resistant key pairs. But none of the circulating coins are protected by them yet. You have changed the signature scheme, but you have not cancelled out the existing old key pairs. All circulating coins or tokens are still stored on old addresses, protected by old key pairs, and a protocol upgrade cannot change who is able to spend from an existing address. Meaning: you can change the signature scheme, and therefore the accessibility of all new addresses created from that point on, but not the accessibility of the old addresses created before it. So all the old addresses stay vulnerable until the users who own them take action: they need to create a new quantum resistant address and move their coins or tokens to it.
The crux of the matter is this: only the actual owners of the coins or tokens hold the public and private key combination, and that is exactly what needs to be changed. The old key pairs need to be swapped for new quantum resistant key pairs, because the old ones will be vulnerable to quantum attacks, and that swap cannot be done automatically for the users of a decentralized system like a blockchain. You can give users the tools to do it themselves: you change the cryptography in your blockchain and so make sure all newly created key pairs are quantum resistant, but the users have to make the switch personally. Compare this to a centralized system like your email. Everybody knows that when you lose your private key in blockchain, you lose access to your funds. There is no "I forgot my password", no "what's your secret question", and no "we will mail you your new key pair". So even if the blockchain were able to change your key pair for you, replacing it with a quantum resistant key pair while deactivating your old one, you would not have the new key pair and would have effectively lost access to your funds.
There is no way to finalize the protection and quantum resistance of the circulating supply other than relying on every user to take personal action. Only after every single user, now and from the past, has done that would the whole circulating supply be protected from quantum attacks.
Every single user now and from the past. This is impossible.
- From the past (old users): lost addresses cause the problem here. The longer a blockchain has been running, the more people will have lost access to their funds (keys lost altogether, crashed computers, lost USB sticks, lost interest when the price was low in the early days of a project, etc.). Some projects also ran tests at the beginning, or mined to an address that is now inaccessible. BTC is the most obvious example, where the infamous Satoshi addresses contain huge amounts of BTC. (And no, in those days coins were paid directly to the public key in its full original form, not to a hash of it, so the public keys of those early outputs really are public. Today a fresh address only publishes the hash of the public key. So the Satoshi funds are vulnerable to quantum attacks.) Since you need access to the coins to move them to a quantum resistant address, and nobody has access to these coins, there is no one who can bring them under the protection of new quantum resistant key pairs. They will stay vulnerable to quantum hacks, even after the blockchain has upgraded successfully.
- Every single user now: consider human nature. Not everybody will move their funds, in time or at all. There are lots of reasons why people don't do what should have been done. People are people: some haven't followed the news (not everyone is a frequent reddit or bitcointalk visitor, some just check the price every now and then), some don't understand how the migration works and why it's important, some don't understand the urgency, maybe the funds are part of an inheritance or divorce that takes time to process legally, jail, sickness, a lost memory stick that is found later, you know, life, etc.
So even if an existing blockchain implemented quantum resistant cryptography, there would always be a certain percentage of the circulating supply that is not protected.
Some people might think: "So what, I will make sure my coins are in a quantum resistant address after the upgrade, so I won't run any extra risk." This, however, is not true. The fact that not 100% of the circulating supply is protected brings a risk for the value of all 100%: every coin, the ones in quantum resistant addresses and the ones in old addresses. You need to guarantee there will never be a news headline screaming "BTC hacked!" (or whatever other blockchain project), which is the nightmare of any investor. Reading or hearing that means sell your bags, even if you yourself use the quantum resistant option. Having your personal BTC protected only means that your amount of BTC is safe, not the value of your BTC. So if someone else's BTC gets stolen, you will still have 3 BTC. But the news will cause people to sell and the BTC price to drop, so your 3 BTC that used to be worth $40,000 are now worth, say, $3,000, and still falling. The bigger the percentage of coins on old vulnerable addresses, the bigger the security risk. The MtGox hack of 2011 caused an immediate drop of 49% and a drop of 93% over 5 months. That was 2k stolen BTC (0.04% of the circulating supply back then) taken from an exchange, not from BTC itself. In this case it would be the blockchain itself that is hacked. That is a next-level hack compared to the exchange hacks we have eventually got used to. So to make the upgrade a success, all coins need to be moved from old addresses to new quantum resistant addresses. This means that, for you as a user, securing your value depends on the action of all other users, which at this point in time is estimated to be around 7 million users, including about 700,000 addresses that hold more than 1 Bitcoin. That is a lot of people who need to take action.
Security wise, you depend on all those other people to pay attention to developments, understand the necessity, understand the need for personal action after BTC itself has already upgraded to quantum resistance, and behave responsibly, proactively and fast. This is the human factor.
In cryptocurrency, being a quantum resistant blockchain isn't about offering the option. It's about protecting your currency and the value of that currency. So either you have a 100% quantum resistant blockchain that protects all of its supply, or a certain percentage is obviously still vulnerable to hacks.
It's pretty much an impossible problem to solve without creating other problems. You could set a deadline before which users need to take action and move their coins, then burn the "left-overs" after the deadline has passed. The thought would be: "all BTC that are still on non-quantum secure addresses after the deadline are BTC that their owners can't access, so useless anyway. They are of no actual value to the owners, so no harm done if burned." But losing the key doesn't end ownership, just like when you lose the key to your house or car. So that legal point might become an issue for the ones who decide to write the code that actually burns the left-overs. More importantly, you don't know for sure that the addresses left over after a certain amount of time are actually lost addresses, because of the human factor. Even after warnings, requests to move coins and a deadline, there might still be people who have been preoccupied with other aspects of life, or simply have not understood the issue and its implications. This opens up another legal point. Legally, burning BTC would just not be possible, because it is impossible to determine whether an amount of BTC that is still on an old non-quantum secure address is there because the owner lost access, or because he just hasn't moved it to a secure address yet. Decentralization is the problem here. Chainalysis concluded that between 17% (low estimate) and 23% (high estimate) of BTC was lost at the time of publishing. The big gap between the high and low estimate (about 1 million BTC) shows how hard it will be to determine with certainty which stagnant addresses are lost and which belong to long term holders. You can't just unilaterally decide to vaporize someone's funds. There is no pre-made agreement that mutually establishes that this is something investors or users (however you want to call crypto holders) should have taken into account when they bought their coins or tokens.
Unless we're talking ERC20 tokens, where you know in advance you will have to make the switch at a certain point in time. Burning someone's assets is just unprecedented. Not everybody is part of "the community"; some just glance at the price every now and then and don't follow technical development. Investing in BTC doesn't obligate you to have a reddit or bitcointalk account. There is no preset condition that obligates you to keep up with the developments. So devs would simply not have the right to burn your coins if you don't migrate in time. It's a legal issue. You could say "but we give them a reasonable amount of time, then we burn the left-overs." But what is a reasonable amount of time that holds up in a court of law when we're talking about effectively burning someone's assets? There is no legal obligation to stay up to date or to move your coins if it's not a preset condition. So the ones who got burned will take it to court. And even worse for the value of BTC, they will take it to the press. You wouldn't sue BTC. You would sue the devs who burned your BTC. Those are people whose actions harmed your assets. They deliberately planned and executed code to make sure your BTC got burned. It might be just as bad as a hack for the BTC brand name.
Eventually the news will either be "people claim BTC has burned their portfolio", which will result in legal claims with the necessary fuss and FUD that damage the BTC brand and value, or "BTC was hacked by a quantum computer". Neither option is exactly harmless for BTC (or any other crypto). And this event will take place at a time when quantum resistant cryptocurrencies are available which have been QR from the beginning, from the genesis block. That new generation of blockchains doesn't face these risks and will be the attractive new product and investment.
Is it likely that a hack will occur? What would be the incentive for someone to hack BTC or any other non-quantum resistant blockchain? Would it be practically possible to make enough gains? Would it be cost effective? If they dumped the stolen coins, wouldn't they shoot themselves in the foot, crashing the price of what they just obtained?
Here's a scenario: coins get stolen, then these coins are sold, and gains are made in fiat. But before the plan is executed, they short the hell out of the target. After the hack they start selling slowly to get minimal price drops and maximum gains. When the bag is getting empty, the dump is made. At the same time, the hacker himself brings out the news that there was a hack using a quantum computer, providing proof including the hacked addresses. The media will eat this news like vultures. The price dumps and, thanks to the shorting, a double gain is made.
Now another scenario. No actual hack needs to be done, no criminal activity. Someone at a university with access to a quantum computer. Could be a very profitable PhD project, or a professor with a side project, or a white hat hacker. This person could hack his own wallet and write a paper about it, thereby officially proving that the blockchain in question is vulnerable. Then short the hell out of the hacked blockchain and publish the paper. Same result once published: the reaction to that news will cause a dump. Oldest trick in the book of financial attacks, proven over time.
The time factor
The longer implementation is postponed, the bigger the risk that another factor becomes a problem: time. As said before, the implementation is a specialism. It takes time to figure out what to implement and how; it's no small adjustment; it affects several components of the blockchain, as well as exchanges, ledgers and supporting systems; then consensus takes time, and migration takes time, if it can be completed at all. A timeline assessment needs to be made for all these consecutive events. They follow each other and can't all be taken care of at the same time. There can't be consensus on a method that hasn't been proposed yet. You can't propose a method without having decided which method you want to use. Exchanges will not start to adapt without the assurance that consensus has been reached and the changes will actually apply to the blockchain. And so on. All these events have a timeline and follow each other up: the research period, decision period, development and implementation period, adjustment period for supporting systems, consensus period, exchange adoption period, migration period. To make a serious risk assessment, this timeline needs to be made, and then estimates need to be made of quantum computer and quantum algorithm development and their expected timeline. On top of that, you need to take into account that at a certain point post-quantum cryptographers will be very busy, because there will be a domino effect that causes a growing group of companies, blockchain projects and others, to start changing signature schemes. Lots of projects and companies are postponing until the masses start to move. Cryptographers will become scarce and expensive, so for some projects the knowledge might not be readily available to figure things out.
The case of a black swan event, where an entity unexpectedly turns out to have a quantum computer of critical level.
In the unrealistic best case, where a blockchain is able to implement post-quantum cryptography in a short amount of time, all coins would still need to be migrated to quantum resistant addresses. But by then even the migration of the coins is vulnerable, through hijacking of transactions. Hijacking of transactions, during or before a transaction, will be explained in the next article.
So if a project postpones implementation until after quantum computers reach that critical level, it might be too late for that particular project altogether. If we're talking about a blockchain where the full public keys are published, all keys are open and all funds are at risk right away, because a quantum computer can derive the private key from the public key. But if it's a blockchain where public keys are only published in hashed form, the funds are safe as long as they are not transferred. (Remember, not even a quantum computer can derive the original public key from the hash of that public key: Grover's algorithm only gives a quadratic speed-up against hash preimages, which is nowhere near enough. Note that this only holds for addresses that have never been spent from, since spending publishes the full public key.) The funds will be stuck. You can't spend them safely, but you can't transfer them to a safe address either, because during the transaction of sending funds from an old, non-quantum resistant wallet with an old key pair, the transaction can be hijacked.
The only safe solution to transfer funds at a time like that is the one proposed in this paper: the proof of knowledge option, where a period of 6 months of locked funds is proposed.
What is proposed is this: a quantum resistant signature scheme is implemented. A user creates a quantum resistant wallet and, as a result, has a quantum resistant key pair. Then he publishes a commitment: the hash of his old public key, his new quantum resistant public key and the amount he wants to send to the new key, all hashed together. Since only the hash is published, no one can read the contents of the commitment. Under the new protocol rules, any further attempt to use the old key pair without pointing to a published commitment fails. Later, when he spends, he points in his transaction to the earlier published commitment and proves he is the owner of the funds, because only he could have published this hash of the committed transfer from old public key to new public key: the old public key was known only to him, as long as the address had only ever published its hash. Now to make sure no one can hijack the second transaction by reorganizing blocks so as to forge an earlier commitment, there has to be a delay phase. The paper calculates that the feasibility of block reorganization attacks, such as 51% attacks, or selfish mining attacks that need a smaller fraction of the overall computational power, is significantly increased for quantum-capable adversaries. So after the commitment is published, you have to wait a certain period before you can safely spend your funds, to rule out block reorganization. This period is calculated to be 6 months. Yeah... that is a period of six months. That period could be reduced, but any period of locked funds is a huge downside for any blockchain.
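To make the "full public key published" versus "only the hash published" distinction concrete, here is an added example (not code from the article or from any project it mentions) that classifies Bitcoin-style output scripts by whether a quantum adversary can read the public key from the chain. It covers the Satoshi-era pay-to-pubkey outputs discussed under "lost addresses" above as well as the hashed forms, and goes slightly beyond the text by also recognising SegWit v0 and Taproot outputs (a Taproot output key is a curve point, so it is exposed like P2PK). It also flags hashed addresses whose key was already revealed by an earlier spend. The public keys and transaction ids are constructed sample data, not valid curve points or real chain data; the RIPEMD-160 fallback is an assumption for builds that lack it.

```python
"""Classify output scripts by how much key material they expose to a quantum adversary.

Added example, not the article's code. Sample keys/scripts below are constructed;
the keys are never checked to be valid secp256k1 points, only hashed and encoded.
"""
import hashlib
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG, OP_1 = 0x76, 0xA9, 0x88, 0xAC, 0x51


def hash160(data: bytes) -> bytes:
    """Bitcoin's HASH160 = RIPEMD160(SHA256(data)).

    Some OpenSSL builds lack RIPEMD-160; then fall back to truncated double SHA-256
    (an assumption of this example only) so the classification logic still runs.
    """
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


@dataclass
class Exposure:
    kind: str           # script template name
    key_exposed: bool   # True if the public key itself is readable on chain
    key_or_hash: bytes  # the public key (if exposed) or its 20/32-byte commitment


def classify_script(script: bytes) -> Exposure:
    """Map a scriptPubKey to its template and whether it reveals the public key."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG. The full key sits on chain (2009 coinbases).
    if n >= 2 and script[0] in (33, 65) and n == script[0] + 2 and script[-1] == OP_CHECKSIG:
        return Exposure("P2PK", True, script[1:-1])
    # P2PKH: OP_DUP OP_HASH160 <20> <hash> OP_EQUALVERIFY OP_CHECKSIG. Only HASH160(pubkey).
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Exposure("P2PKH", False, script[3:23])
    # P2WPKH: OP_0 <20> <hash>. Again only a hash.
    if n == 22 and script[0] == 0 and script[1] == 20:
        return Exposure("P2WPKH", False, script[2:])
    # P2TR: OP_1 <32> <x-only output key>. A curve point, so Shor applies directly.
    if n == 34 and script[0] == OP_1 and script[1] == 32:
        return Exposure("P2TR", True, script[2:])
    return Exposure("unknown", False, b"")


def exposed_outputs(utxos, revealed_pubkeys):
    """Return (txid, kind) for every UTXO whose public key a quantum adversary can see.

    `utxos`: list of (txid, scriptPubKey). `revealed_pubkeys`: keys that already
    appeared in a scriptSig or witness. A hashed address is only safe until a spend
    from it publishes the key (address reuse), so those are flagged too.
    """
    revealed_hashes = {hash160(pk) for pk in revealed_pubkeys}
    hits = []
    for txid, script in utxos:
        e = classify_script(script)
        if e.key_exposed or e.key_or_hash in revealed_hashes:
            hits.append((txid, e.kind))
    return hits


# Constructed sample data (not real keys or transactions).
PK_A = bytes([0x04]) + bytes(range(1, 65))       # 65-byte "uncompressed" key, Satoshi-style
PK_B = bytes([0x02]) + bytes(range(100, 132))    # 33-byte compressed key, spent from before
PK_C = bytes([0x03]) + bytes(range(200, 232))    # compressed key, never spent from


def p2pk(pk):    return bytes([len(pk)]) + pk + bytes([OP_CHECKSIG])
def p2pkh(pk):   return bytes([OP_DUP, OP_HASH160, 20]) + hash160(pk) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(pk):  return bytes([0, 20]) + hash160(pk)
def p2tr(xonly): return bytes([OP_1, 32]) + xonly


SAMPLE_UTXOS = [
    ("tx-coinbase-2009", p2pk(PK_A)),   # key public since the block was mined
    ("tx-reused", p2pkh(PK_B)),         # hashed, but PK_B was revealed by an earlier spend
    ("tx-fresh", p2pkh(PK_C)),          # hashed and never spent from: key not visible
    ("tx-segwit", p2wpkh(PK_C)),        # same for the SegWit v0 form
    ("tx-taproot", p2tr(PK_B[1:])),     # x-only output key is a point: exposed
]
SAMPLE_REVEALED = {PK_B}


def demo():
    return exposed_outputs(SAMPLE_UTXOS, SAMPLE_REVEALED)


if __name__ == "__main__":
    for txid, kind in demo():
        print(f"{txid}: {kind} output, public key visible to a quantum adversary")
```

Run against a real UTXO set you would feed it every scriptPubKey plus the set of keys seen in past scriptSigs and witnesses; the "fresh P2PKH/P2WPKH" bucket is the only part of the supply that stays safe while it sits still.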
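The commit, delay, reveal flow above, as an added example that is not code from the article or from the cited paper. It also illustrates the earlier point that funds on an old address can only be moved by whoever holds the old key. Simplifications, all assumptions of this example: addresses are plain SHA-256 of the public key, ownership of the old key is modelled only as knowledge of the old public key (a real chain would also verify the old-scheme signature), the new signature scheme is not implemented, and the delay is a handful of toy-chain blocks rather than the six months the paper derives. The scenario shows a plain old-key spend being refused, a reveal before the delay being refused, and an adversary who learns the old public key from the reveal losing the race because their commitment is newer.

```python
"""Commit-delay-reveal migration from an old (pre-quantum) key to a new one.

Added example, not the article's or the paper's code. See the lead-in for the
simplifications; DELAY is in blocks of this toy chain.
"""
import hashlib
from dataclasses import dataclass, field

DELAY = 5  # blocks a commitment must be buried under before its reveal is valid


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def commitment(pk_old: bytes, pk_new: bytes, amount: int) -> bytes:
    """Published on chain: hides old key, new key and amount, but binds them together."""
    return h(pk_old, pk_new, amount.to_bytes(8, "big"))


@dataclass
class Chain:
    height: int = 0
    commits: dict = field(default_factory=dict)   # commitment -> height first seen
    balances: dict = field(default_factory=dict)  # address (= h(pubkey)) -> amount
    migrated: set = field(default_factory=set)    # old addresses already emptied

    def mine(self, n: int = 1):
        self.height += n

    def publish_commit(self, c: bytes):
        # First publication wins: a later duplicate cannot move the height forward or back.
        self.commits.setdefault(c, self.height)

    def reveal(self, pk_old: bytes, pk_new: bytes, amount: int) -> tuple:
        """Spend from an old address only via a matching commitment buried DELAY blocks."""
        old_addr = h(pk_old)
        if old_addr in self.migrated or self.balances.get(old_addr, 0) < amount:
            return False, "no funds at old address"
        c = commitment(pk_old, pk_new, amount)
        if c not in self.commits:
            return False, "no commitment: plain old-key spends are refused"
        if self.height - self.commits[c] < DELAY:
            return False, "commitment too recent: reorg window not closed"
        self.balances[old_addr] -= amount
        self.balances[h(pk_new)] = self.balances.get(h(pk_new), 0) + amount
        self.migrated.add(old_addr)
        return True, "migrated"


def scenario() -> dict:
    """Honest user migrates; an adversary who learns pk_old at reveal time fails."""
    pk_old, pk_new = b"old-ecdsa-pubkey", b"new-pq-pubkey"      # constructed stand-ins
    attacker_new = b"attacker-pq-pubkey"
    chain = Chain()
    chain.balances[h(pk_old)] = 3

    # An old-style spend with no commitment is refused by the new rules.
    plain = chain.reveal(pk_old, pk_new, 3)

    # The user commits while pk_old is still hidden behind its hash, then waits.
    chain.publish_commit(commitment(pk_old, pk_new, 3))
    early = chain.reveal(pk_old, pk_new, 3)              # too early: refused
    chain.mine(DELAY)

    # The user broadcasts the reveal, which exposes pk_old. A quantum adversary
    # derives the private key and immediately publishes a competing commitment.
    chain.publish_commit(commitment(pk_old, attacker_new, 3))
    race = chain.reveal(pk_old, attacker_new, 3)         # their commit is too recent
    ok = chain.reveal(pk_old, pk_new, 3)                 # user's commit is buried: accepted
    chain.mine(DELAY)
    late = chain.reveal(pk_old, attacker_new, 3)         # funds already gone

    # What the adversary needed was a commitment older than the user's, i.e. rewriting
    # DELAY blocks of history. That reorg depth is what the paper sizes the delay against.
    return {"plain": plain, "early": early, "race": race, "ok": ok, "late": late,
            "new_balance": chain.balances[h(pk_new)]}


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

The security of the scheme rests entirely on the ordering rule in `publish_commit` plus the `DELAY` check: an adversary who can reorganize more than `DELAY` blocks can insert an older commitment, which is why the required delay grows with the adversary's share of hash power.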
Conclusion: the switch to a quantum resistant signature scheme will come with challenges that should not be underestimated. Implementing a quantum resistant signature scheme from the beginning, from the genesis block like QRL has done, would obviously make these challenges nonexistent. For existing blockchains, fully quantum-protecting their current circulating supply is going to be impossible.