Abstract
Grover’s algorithm confers on quantum computers a quadratic advantage over classical computers for searching in an arbitrary data set, a scenario that describes Bitcoin mining. It has previously been argued that the only side effect of quantum mining would be an increased difficulty. In this work, we argue that a crucial argument in the analysis of Bitcoin security breaks down when quantum mining is performed. Classically, a Bitcoin fork occurs rarely, i.e., when two miners find a block almost simultaneously, due to propagation time effects. The situation differs dramatically when quantum miners use Grover’s algorithm, which repeatedly applies a procedure called a Grover iteration. The chances of finding a block grow quadratically with the number of Grover iterations applied. Crucially, a miner does not have to choose how many iterations to apply in advance. Suppose Alice receives Bob’s new block. To maximize her revenue, she should stop and measure her state immediately in the hopes that her block (rather than Bob’s) will become part of the longest chain. The strong correlation between the miners’ actions and the fact that they all measure their states at the same time may lead to more forks—which is known to be a security risk for Bitcoin. We propose a mechanism that, we conjecture, will prevent this form of quantum mining, thereby circumventing the high rate of forks.
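An added illustration, not part of the paper, of the quadratic growth the abstract refers to: the standard Grover success probability \(\sin^2((2k+1)\theta)\) with \(\sin^2\theta = M/N\), evaluated after k iterations for a constructed puzzle difficulty (one valid nonce in 2^20, not a real Bitcoin target), beside the success probability of the same number of classical hash attempts.

```python
import math


def grover_success_probability(num_iterations: int, marked_fraction: float) -> float:
    """Probability that measuring after `num_iterations` Grover iterations yields
    a marked item (a valid nonce), when a fraction M/N = `marked_fraction` of the
    search space is marked: the amplitude-amplification formula sin^2((2k+1)*theta)
    with sin^2(theta) = M/N.  k = 0 is a single evaluation of the oracle."""
    theta = math.asin(math.sqrt(marked_fraction))
    return math.sin((2 * num_iterations + 1) * theta) ** 2


def quadratic_approximation(num_iterations: int, marked_fraction: float) -> float:
    """Small-angle form of the same formula, (2k+1)^2 * M/N: valid while
    (2k+1)*theta is small, and the source of the 'quadratic in k' statement."""
    return (2 * num_iterations + 1) ** 2 * marked_fraction


def classical_success_probability(num_attempts: int, marked_fraction: float) -> float:
    """Probability that `num_attempts` independent classical hash evaluations hit
    at least one valid nonce: 1 - (1 - M/N)^k, roughly k * M/N for small k."""
    return 1.0 - (1.0 - marked_fraction) ** num_attempts


def optimal_iterations(marked_fraction: float) -> int:
    """Iteration count at which the success probability peaks (about
    pi/4 * sqrt(N/M)); iterating further past this point lowers it again,
    which is why a miner who stops early still keeps whatever she has accumulated."""
    theta = math.asin(math.sqrt(marked_fraction))
    return int(round(math.pi / (4 * theta) - 0.5))


if __name__ == "__main__":
    # Constructed difficulty: one nonce in 2^20 is valid (not a Bitcoin parameter).
    MARKED = 2.0 ** -20
    k_opt = optimal_iterations(MARKED)
    print(f"optimal number of iterations: {k_opt}")
    print(f"{'k':>5} {'quantum':>10} {'(2k+1)^2 M/N':>13} {'classical':>10}")
    for k in (0, 10, 100, 400, k_opt):
        print(f"{k:>5} {grover_success_probability(k, MARKED):>10.5f} "
              f"{quadratic_approximation(k, MARKED):>13.5f} "
              f"{classical_success_probability(k, MARKED):>10.5f}")
```

After 100 iterations the quantum miner holds a block with probability close to 4 %, whereas 100 classical hash attempts succeed with probability under 0.01 %; the gap is what makes measuring early, on receipt of a rival block, worthwhile.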
Notes
The reward r, originally set to 50 bitcoins, is cut in half every 4 years.
These blocks are sometimes called orphaned blocks, a term that we feel is confusing: Although these blocks do not have descendants, every block, by definition, has a parent indicated by the block to which it is pointing.
Despite the fact that it plays such an important role, as far as the author is aware, there are no empirical data on the propagation factor \(\gamma \). We speculate that this is because \(\gamma \) is hard to measure, either directly or indirectly. A related notion—the propagation time—was studied and measured extensively in Ref. [8].
Specifically, they ignore the fact that once Grover’s algorithm fails, the miner restarts and that after a Bitcoin block is found, the process is repeated—an aspect which we also ignore in our conjecture since the repeated game is probably much harder to analyze.
The specific choice depends on the Nash equilibrium, which depends on the parameters of the network, such as the number of miners and their respective hash power.
For this reason alone, there is no need to consider some sort of responsible disclosure.
The size of a block used to be 1 MB and then the calculation was trivial. Recently, Bitcoin has upgraded to a Segregated Witness, but the property that a miner selects the transactions that maximize her revenue is still part of the protocol.
References
Aggarwal, D., Brennen, G., Lee, T., Santha, M., Tomamichel, M.: Quantum attacks on bitcoin, and how to protect against them. Ledger 3 (2018). arXiv:1710.10377
Bahack, L.: Theoretical Bitcoin attacks with less than half of the computational power (draft) (2013). arXiv:1312.7013
Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.V.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997). arXiv:quant-ph/9701001
Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschr. Phys. 46(4–5), 493–505 (1998). arXiv:quant-ph/9605034
Biryukov, A., Khovratovich, D.: Equihash: asymmetric proof-of-work based on the generalized birthday problem. Ledger 2, 1–30 (2017)
Buterin, V.: Bitcoin is not quantum-safe, and how we can fix it when needed. https://bitcoinmagazine.com/articles/bitcoin-is-not-quantum-safe-and-how-we-can-fix-1375242150. http://www.webcitation.org/6wDiIPU3l (2013)
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Proceedings of Advances in Cryptology—CRYPTO’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, pp. 139–147 (1992)
Decker, C., Wattenhofer, R.: Information propagation in the Bitcoin network. In: Proceedings of 13th IEEE International Conference on Peer-to-Peer Computing, IEEE P2P 2013, Trento, Italy, September 9–11, 2013, pp. 1–10 (2013)
Eyal, I., Gencer, A.E., Sirer, E.G., van Renesse, R.: Bitcoin-NG: a scalable blockchain protocol. In: 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016, pp. 45–59 (2016). arXiv:1510.02037
Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Financial Cryptography and Data Security—18th International Conference, FC 2014, Christ Church, Barbados, March 3–7, 2014, Revised Selected Papers, pp. 436–454 (2014). arXiv:1311.0243
Eyal, I.: The miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17–21, 2015, pp. 89–103 (2015). arXiv:1411.7099
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
Goldreich, O.: The Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996, pp. 212–219 (1996). arXiv:quant-ph/9605043
Heilman, E.: One weird trick to stop selfish miners: fresh bitcoins, a solution for the honest miner (poster abstract). In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) Financial Cryptography and Data Security—FC 2014 Workshops, BITCOIN and WAHC 2014, Christ Church, Barbados, March 7, 2014, Revised Selected Papers, volume 8438 of Lecture Notes in Computer Science. Springer, pp. 161–162 (2014). IACR Cryptology ePrint Archive: report 2014/007
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Advances in Cryptology—CRYPTO 2017, Part I, volume 10401 of Lecture Notes in Computer Science. Springer, pp. 357–388 (2017). Cryptology ePrint Archive: report 2016/889
Lee, T., Ray, M., Santha, M.: Strategies for quantum races. In: Blum, A. (ed.) 10th Innovations in Theoretical Computer Science Conference, ITCS 2019, volume 124 of LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, pp. 51:1–51:21 (2019). arXiv:1809.03671
Lewenberg, Y., Sompolinsky, Y., Zohar, A.: Inclusive block chain protocols. In: Financial Cryptography and Data Security—19th International Conference, FC 2015, San Juan, Puerto Rico, January 26–30, 2015, Revised Selected Papers, pp. 528–547 (2015)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
Nash, J.F.: Equilibrium points in n-person games. Proc. Natl. Acad. Sci. 36(1), 48–49 (1950)
Narayanan, A., Bonneau, J., Felten, E.W., Miller, A., Goldfeder, S.: Bitcoin and Cryptocurrency Technologies—A Comprehensive Introduction. Princeton University Press, Princeton (2016)
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th edn. Cambridge University Press, New York (2011)
Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, pp. 305–320 (2016). Cryptology ePrint Archive: report 2015/796
Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.E.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Advances in Cryptology—ASIACRYPT 2017, Part II, pp. 241–270 (2017). arXiv:1706.06752
Rosenfeld, M.: Analysis of Bitcoin pooled mining reward systems (2011). arXiv:1112.4980
Schrijvers, O., Bonneau, J., Boneh, D., Roughgarden, T.: Incentive compatibility of Bitcoin mining pool reward functions. In: Financial Cryptography and Data Security—20th International Conference, FC 2016, Revised Selected Papers, volume 9603 of Lecture Notes in Computer Science. Springer, pp. 477–498 (2016)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). arXiv:quant-ph/9508027
Sompolinsky, Y., Lewenberg, Y., Zohar, A.: SPECTRE: a fast and scalable cryptocurrency protocol. IACR Cryptology ePrint Archive, vol. 2016, p. 1159 (2016)
Solat, S., Potop-Butucaru, M.: Brief announcement: ZeroBlock: timestamp-free prevention of block-withholding attack in Bitcoin. In: Lecture Notes in Computer Science. Springer International Publishing, pp. 356–360 (2017). arXiv:1605.02435
Stifter, N., Schindler, P., Judmayer, A., Zamyatin, A., Kern, A., Weippl, E.R.: Echoes of the past: recovering blockchain metrics from merged mining. IACR Cryptology ePrint Archive, vol. 2018, p. 1134 (2018)
Sapirshtein, A., Sompolinsky, Y., Zohar, A.: Optimal selfish mining strategies in Bitcoin. In: Grossklags, J., Preneel, B. (eds.) Financial Cryptography and Data Security, volume 9603 of Lecture Notes in Computer Science. Springer, pp. 515–532 (2016). arXiv:1507.06183
Sompolinsky, Y., Zohar, A.: Secure high-rate transaction processing in Bitcoin. In: Financial Cryptography and Data Security—19th International Conference, FC 2015, Revised Selected Papers, pp. 507–527 (2015). Cryptology ePrint Archive: report 2013/881
Sompolinsky, Y., Zohar, A.: PHANTOM: a scalable BlockDAG protocol. IACR Cryptology ePrint Archive, vol. 2018, p. 104 (2018)
Tessler, L., Byrnes, T.: Bitcoin and quantum computing (2017). arXiv:1711.04235
Tschorsch, F., Scheuermann, B.: Bitcoin and beyond: a technical survey on decentralized digital currencies. IEEE Commun. Surv. Tutor. 18(3), 2084–2123 (2016). Cryptology ePrint Archive: report 2015/464
Unruh, D.: Formal verification of quantum cryptography [Youtube video] (2016). https://kodu.ut.ee/~unruh/publications/2016-09-15%20-%20Verification%20of%20Quantum%20Cryptography%20-%20QCrypt%20invited%20talk.pptx
Zohar, A.: Bitcoin: under the hood. Commun. ACM 58(9), 104–113 (2015)
Zhang, R., Preneel, B.: Publish or perish: a backward-compatible defense against selfish mining in Bitcoin. In: Handschuh, H. (ed.) Topics in Cryptology—CT-RSA 2017—The Cryptographers’ Track at the RSA Conference 2017, San Francisco, CA, USA, February 14–17, 2017, Proceedings, volume 10159 of Lecture Notes in Computer Science. Springer, pp. 277–292 (2017)
Acknowledgements
The author is grateful for his fruitful discussions with Yotam Ashkenazi, Ittay Eyal, Robin Kothari, Troy Lee, Maharshi Ray, Yonatan Sompolinsky and Aviv Zohar. He would also like to thank Troy Lee for noticing a vulnerability in the countermeasure presented in an earlier version of this manuscript—see Appendix B.
Funding
This research was supported by ERC Grant 280157, by the Israel Science Foundation (ISF) Grant Nos. 682/18 and 2137/19 and by the Cyber Security Research Center at Ben-Gurion University.
Ethics declarations
Conflict of interest
The author declares that he has no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by the author.
Appendices
Subtle implications of quantum mining
Quantum mining has some subtle implications, which are discussed below.
1.1 Effects on the confirmation time
The confirmation time for a transaction is defined as the time it takes for the transaction to be included in a block after being broadcast to the network by the user. Classically, each attempt to solve the proof-of-work puzzle takes a miner a fraction of a second. Upon receiving a transaction, a miner can include it in the next attempt to solve the proof-of-work puzzle. Therefore, a block typically contains the transactions paying the highest fees (measured in bitcoin per byte) that fit into a block (Footnote 8) at the time the block was mined. Under normal circumstances (i.e., assuming that the user has an Internet connection, miners are rational, there is no denial-of-service attack, etc.), a user who is willing to pay enough can guarantee that her transaction will be confirmed in the next block by offering a high enough fee (for example, a higher fee rate than all others).
A quantum miner can only update her block after a full run of Grover's algorithm. This holds with or without our proposed selection rule. For example, if all miners use a number of Grover iterations corresponding to a running time of 2 min, a user who offers a high enough fee can only guarantee inclusion in blocks created 2 min after the transaction is broadcast. In a more realistic scenario, where the number of Grover iterations is chosen according to some distribution, users who pay high enough fees can only be guaranteed inclusion in one of the next two blocks (rather than in the next block, which is the current state of affairs).
Apparently, the reduced ability to guarantee inclusion is relatively unimportant, since the block creation process is already unpredictable: There are no guarantees regarding the time it will take for the next block to be mined (only the expected time is guaranteed). Quantum mining only increases this unpredictability. More precisely, although classically a user could guarantee that a transaction would be included in the next block, she could not guarantee the more important property, namely when it would be included. Because the latter cannot be guaranteed, losing the guarantee on the less relevant property is of secondary importance.
1.2 Economy of mining equipment
Suppose there are two classical mining devices with hash rates of x and 2x. Other things being equal (such as electricity consumption), we would expect the second device to cost twice as much as the first, since classically, the revenue from Bitcoin mining is linear in the hash rate. For quantum devices, the quadratic speedup renders a different scenario: One would expect, at least naively, that the cost of the second device will be quadruple that of the first.
Were such a cost difference the case, quantum Bitcoin mining hardware manufacturers would be more strongly motivated to improve the hash rate (analogous to CPU speed), a scenario that may also exist in other markets affected by quantum speedups. This example is illuminating, since the connection between computational power and revenue is direct and can be calculated easily.
1.3 Finding the equilibrium and barrier of entry
The current strategy for classical miners is extremely simple: mine on top of the tip of the longest chain as fast as possible. It is plausible that in the PQMS equilibrium, the distribution over the number of Grover iterations Q that a miner should apply (see Algorithm 1, line 6) would depend on the properties of the other miners (most importantly, the number and hash rates of the mining devices in each pool). For a concrete example of such a dependence, see [18]. This information may not be accessible to all miners, in which case equilibrium would not be reached.
Outside equilibrium, miners with more information about the strategies of the other miners would realize higher profits. This may lead to a high barrier to entry, which does not exist now.
An unsuccessful countermeasure
Equation (2) provides a new default tie-breaking rule as a countermeasure—a mechanism that we conjecture prevents the AQMS. In an earlier version of this manuscript, we provided a different, older rule that, it turns out, prevents the AQMS. But in so doing, it introduces a new vulnerability, which was discovered by Troy Lee. The goal of this Appendix is to explain the earlier countermeasure and the resulting vulnerability.
The old tie-breaking rule was as follows: Suppose the tips of the longest chains have timestamps \(s_1,\ldots , s_n\), and they were first received at the times \(t_1,\ldots ,t_n\). Let \(t_{min}=\min _{i\in [n]} t_i\) and let the penalty of each of these tips be defined as \(p_i=|t_{min} - s_i|\). The (old) default strategy was to mine “on-top” of the block that had the lowest penalty \(p_i\).
Though the (old) tie-breaking rule seems to prevent the AQMS strategy effectively, consider Mallory, a malicious miner who wants to harm Alice, an honest miner. We assume that Mallory has complete knowledge of the network and its properties, and we present a strategy that can be executed at no cost.
Consider the following example. Assume that a block sent by Alice is received by all the other miners after exactly 1 second and that Mallory is aware of Alice’s activity. Mallory waits for Alice to create a valid block. Suppose that Alice's block has timestamp \(s_A\) and that it was received by all the other miners at time \(t_A = s_A + 1\). Mallory then starts mining a block with timestamp \(s_M=s_A+1\). Suppose that Mallory finds a block after running Grover’s algorithm for 100 seconds. Her block will be received much later than Alice’s block (at roughly \(t_A + 100\)), and therefore \(t_{min}\) remains \(t_A\). Mallory’s penalty in this case is \(|t_{min}-s_M|=|t_A-(s_A+1)|=0\), whereas Alice’s penalty is \(|t_{min}-s_A|=1\); Mallory therefore has the minimal penalty and wins the fork race. As a result, the other miners start mining on top of Mallory’s block rather than on Alice’s. In terms of costs, since all miners will mine on top of Mallory’s block if she succeeds, the strategy entails no risk to Mallory, but it may cause Alice significant damage. Insofar as Bitcoin mining is a zero-sum game, using this strategy may even be indirectly profitable, not merely a way of attacking others. We emphasize that Mallory does not need to be well connected to the other nodes; rather, she needs to know Alice’s propagation time. We are not aware of similar classical or quantum attacks in the context of mining. This attack does not work if the default tie-breaking rule is as defined in Eq. (2): in this example, \(|s_M-t_M|\) is roughly 100 seconds, and because of that Mallory’s penalty will be higher than Alice's, so this specific attack fails.
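The withdrawn tie-breaking rule, evaluated in code so that the flaw is visible; this is an added example, not code from the paper. The timestamps are constructed numbers, and the scenario follows the appendix: Alice's block propagates in 1 second, Mallory's block carries the timestamp \(s_A + 1\) but arrives only after her Grover run.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tip:
    """A block at the tip of one of the competing longest chains."""
    miner: str
    timestamp: float    # s_i: the timestamp the miner wrote into the block
    received_at: float  # t_i: the time this node first received the block


def old_tie_break(tips):
    """The withdrawn rule: t_min = min_i t_i, penalty p_i = |t_min - s_i|, and
    the default is to mine on top of the tip with the lowest penalty.
    Returns the chosen miner and the penalty of every tip.

    The weakness is visible in the formula: a tip's own arrival time t_i enters
    only through t_min, which the earliest (honest) block fixes, so a block that
    arrives arbitrarily late is never charged for its own lateness.  The paper's
    replacement rule, Eq. (2), takes a block's own |s_i - t_i| into account."""
    t_min = min(tip.received_at for tip in tips)
    penalties = {tip.miner: abs(t_min - tip.timestamp) for tip in tips}
    chosen = min(tips, key=lambda tip: penalties[tip.miner])
    return chosen.miner, penalties


def appendix_example(s_a=1000.0, propagation=1.0, grover_seconds=100.0):
    """The appendix scenario with constructed numbers: Alice's block reaches every
    node `propagation` seconds after its timestamp s_A; Mallory's block carries
    timestamp s_A + propagation and arrives after her Grover run of
    `grover_seconds`.  Returns (chosen miner, penalties)."""
    alice = Tip("Alice", timestamp=s_a, received_at=s_a + propagation)
    mallory = Tip("Mallory", timestamp=s_a + propagation,
                  received_at=s_a + propagation + grover_seconds)
    return old_tie_break([alice, mallory])


if __name__ == "__main__":
    # The outcome does not depend on how late Mallory's block is.
    for grover_seconds in (100.0, 1000.0):
        chosen, penalties = appendix_example(grover_seconds=grover_seconds)
        print(f"Grover run {grover_seconds:6.0f}s -> mine on {chosen}; penalties {penalties}")
```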
Cite this article
Sattath, O. On the insecurity of quantum Bitcoin mining. Int. J. Inf. Secur. 19, 291–302 (2020). https://doi.org/10.1007/s10207-020-00493-9