Bitcoin Blockchain in the Quantum computing era

The design and the evolution of quantum computers has been one of the "hot" topics during the last 20 years.

My question is about the possible consequences of the rise of quantum computers (through concrete realizations of quantum computers) on the level of the Bitcoin blockchain architecture.

Given the fact, that the Bitcoin blockchain is strongly based on digital signatures generated through public-key cryptography schemes based on the hardness of prime factorization and that furthermore, the anonymity (and thus "identity") of the users is based on private keys, it is reasonable to think that quantum computers -which are expected to solve in polynomial time problems related to the prime factorization and thus to "break" those public cryptoschemes (like RSA) which base their security on the (classically) exponential hardness of prime factorization- will dramatically affect the technologies underlying Bitcoin (and other cryptocurrencies) as well.

A first thought I had, was that the rise of the computational power (relative to the problems described above) could easily be compensated -inside the present blockchain structure- by simply using "longer" private keys (with their "length" suitably chosen so that whatever the total hashing power available, going back from the public to the private will remain practically infeasible -as it is today). At the same time, the difficulty of the mathematical problem to be solved for the mining to occur, will also be rescaled so that the 10-min interval for producing a new block will remain unaltered. Is it that simple (in principle) or am I oversimplyfying? Are there some other important details one should take into account?

P.S. 2: this question is partially related to What effects would a scalable Quantum Computer have on Bitcoin?

KonKan

Posted 2016-11-04T20:48:36.243

Reputation: 183

You're not oversimplifying. What you write is simply wrong. Quantum computers don't have a multiplicative value they are better than today's computers. Their advantage is that they can use non-determinism. – UTF-8 – 2016-11-05T20:09:15.483

1Wrong. They are not expected to have "computing power which will be many orders of magnitude greater than the computing power available in today's computers". They are expected to have a different approach to solving a very specific set of computational problems which they are good at solving them. If you remove those incorrect claims from your question, it's possible to answer it. If you want to discuss what quantum computers can and cannot do, we can discuss it in chat, or you can ask on a StackExchange site where this topic is fitting. – UTF-8 – 2016-11-05T20:41:18.560

Yes. – UTF-8 – 2016-11-05T20:52:57.767

I have updated the question (especially the statements of the second paragraph). I hope it is more concrete now. – KonKan – 2016-11-05T22:05:58.943

Answers

If quantum computers become viable and the approach of factorization of numbers which has been theoretically presented works, this means that Bitcoin will have to use a different way of signing transactions as through the use of quantum computers, it becomes easy (only polynomial time required) to calculate a private key from a public key.

Simply increasing the key length doesn't work. If you double the key length, a classical computer has to work twice as hard to encrypt or decrypt the message but it becomes much, much harder than twice as hard as before to crack the encryption. Signing, in this case, really is just encrypting a hash of a message. However, for a quantum computer, the problem of cracking the encryption, only becomes twice as hard. So you can't keep up with using longer and longer keys because then the increase in effort an attacker has to put in only increases as fast as the increase of effort you have to put into using the keys.

However, there are ways to approach the problem of the signatures currently in use being rendered useless by the advent of quantum computers. Namely, quantum digital signatures.

Because quantum computers aren't faster than classical computers but reduce some exponential problems to polynomial problems, and cryptographic hashes can't be broken using quantum computers, their advent won't impact the difficulty to find a new block.

UTF-8

Posted 2016-11-04T20:48:36.243

Reputation: 2 941

the link you have provided for quantum digital signatures is helpful and very interesting. – KonKan – 2016-11-05T22:38:06.657

Signing is not just encrypting a hash of a message. This is true for RSA, but not for other digital signature schemes. Encryption is not used anywhere in Bitcoin's design (except locally inside wallet for the password protection of private keys, perhaps). – Pieter Wuille – 2016-11-06T17:12:43.280

1@PieterWuille Yes, you're right. I was oversimplifying, thanks for noting that. I corrected it. – UTF-8 – 2016-11-06T22:03:45.667

Signing of transactions in bitcoin is based on addition in elliptic curves, relatively easy to perform, like modular exponentiation (like in RSA), but hard to invert with a classical computer. In both cases, essentially the same quantum algorithm (Shor's algorithm) can be used to invert this operation on a quantum computer in polynomial time with high enough probability to be practical. This is what UTF-8 already wrote.

The proof of work algorithm involves computing a cryptographic hash. This operation is designed in such a way that computing the hash of a string is easy, but finding a string mapping to a given hash is hard. A good hashing algorithm avoids any kind of (exploitable) structure in the definition. Where in the case of RSA and elliptic curve cryptography it is known how the structure of the operation can be exploited by a quantum computer, for SHA256 this is not the case.

For an unstructured search (i.e. one in which you simply have to look case by case) quantum computer still vastly outperform classical computers (using Grover's algorithm) but now the speedup is only quadratic, not exponential. That means that you can find a hash that starts with 2n zeroes in the same number of operations which would allow you to find one starting with n zeroes on a classical computer (with high probability). This would be solved by just adjusting the difficulty.

doetoe

Posted 2016-11-04T20:48:36.243

Reputation: 175