On the insecurity of quantum Bitcoin mining

Special Issue Paper
International Journal of Information Security

Abstract

Grover’s algorithm confers on quantum computers a quadratic advantage over classical computers for searching in an arbitrary data set, a scenario that describes Bitcoin mining. It has previously been argued that the only side effect of quantum mining would be an increased difficulty. In this work, we argue that a crucial argument in the analysis of Bitcoin security breaks down when quantum mining is performed. Classically, a Bitcoin fork occurs rarely, i.e., when two miners find a block almost simultaneously, due to propagation time effects. The situation differs dramatically when quantum miners use Grover’s algorithm, which repeatedly applies a procedure called a Grover iteration. The chances of finding a block grow quadratically with the number of Grover iterations applied. Crucially, a miner does not have to choose how many iterations to apply in advance. Suppose Alice receives Bob’s new block. To maximize her revenue, she should stop and measure her state immediately in the hopes that her block (rather than Bob’s) will become part of the longest chain. The strong correlation between the miners’ actions and the fact that they all measure their states at the same time may lead to more forks—which is known to be a security risk for Bitcoin. We propose a mechanism that, we conjecture, will prevent this form of quantum mining, thereby circumventing the high rate of forks.

Notes

  1. We only describe features of the protocol that are relevant to our work. This description does not faithfully represent how Bitcoin actually works. Refer to Ref. [22] for a textbook that fully covers the subject. More concise surveys can be found in Refs. [36, 38].

  2. The reward r, originally set to 50 bitcoins, is cut in half every 4 years.

  3. These blocks are sometimes called orphaned blocks, a term that we feel is confusing: Although these blocks do not have descendants, every block, by definition, has a parent indicated by the block to which it is pointing.

  4. Despite the fact that it plays such an important role, as far as the author is aware, there are no empirical data on the propagation factor \(\gamma \). We speculate that this is because \(\gamma \) is hard to measure, directly or indirectly. A related notion—the propagation time—was studied and measured extensively in Ref. [8].

  5. Specifically, they ignore the fact that once Grover’s algorithm fails, the miner restarts and that after a Bitcoin block is found, the process is repeated—an aspect which we also ignore in our conjecture since the repeated game is probably much harder to analyze.

  6. The specific choice depends on the Nash equilibrium, which depends on the parameters of the network, such as the number of miners and their respective hash power.

  7. For this reason alone, there is no need to consider some sort of responsible disclosure.

  8. The size of a block used to be 1 MB, and then the calculation was trivial. Recently, Bitcoin has upgraded to Segregated Witness, but the property that a miner selects the transactions that maximize her revenue is still part of the protocol.

References

  1. Aggarwal, D., Brennen, G., Lee, T., Santha, M., Tomamichel, M.: Quantum attacks on bitcoin, and how to protect against them. Ledger 3 (2018). arXiv:1710.10377

  2. Bahack, L.: Theoretical Bitcoin attacks with less than half of the computational power (draft) (2013). arXiv:1312.7013

  3. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.V.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997). arXiv:quant-ph/9701001

  4. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschr. Phys. 46(4–5), 493–505 (1998). arXiv:quant-ph/9605034

  5. Biryukov, A., Khovratovich, D.: Equihash: asymmetric proof-of-work based on the generalized birthday problem. Ledger 2, 1–30 (2017)

  6. Buterin, V.: Bitcoin is not quantum-safe, and how we can fix it when needed. https://bitcoinmagazine.com/articles/bitcoin-is-not-quantum-safe-and-how-we-can-fix-1375242150. http://www.webcitation.org/6wDiIPU3l (2013)

  7. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Proceedings of Advances in Cryptology—CRYPTO’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, pp. 139–147 (1992)

  8. Decker, C., Wattenhofer, R.: Information propagation in the Bitcoin network. In: Proceedings of 13th IEEE International Conference on Peer-to-Peer Computing, IEEE P2P 2013, Trento, Italy, September 9–11, 2013, pp. 1–10 (2013)

  9. Eyal, I., Gencer, A.E., Sirer, E.G., van Renesse, R.: Bitcoin-NG: a scalable blockchain protocol. In: 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016, pp. 45–59 (2016). arXiv:1510.02037

  10. Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Financial Cryptography and Data Security—18th International Conference, FC 2014, Christ Church, Barbados, March 3–7, 2014, Revised Selected Papers, pp. 436–454 (2014). arXiv:1311.0243

  11. Eyal, I.: The miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17–21, 2015, pp. 89–103 (2015). arXiv:1411.7099

  12. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  13. Goldreich, O.: The Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)

  14. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996, pp. 212–219 (1996). arXiv:quant-ph/9605043

  15. Heilman, E.: One weird trick to stop selfish miners: fresh bitcoins, a solution for the honest miner (poster abstract). In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) Financial Cryptography and Data Security—FC 2014 Workshops, BITCOIN and WAHC 2014, Christ Church, Barbados, March 7, 2014, Revised Selected Papers, volume 8438 of Lecture Notes in Computer Science. Springer, pp. 161–162 (2014). IACR Cryptology ePrint Archive: report 2014/007

  16. Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)

  17. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Advances in Cryptology—CRYPTO 2017, Part I, volume 10401 of Lecture Notes in Computer Science. Springer, pp. 357–388 (2017). Cryptology ePrint Archive: report 2016/889

  18. Lee, T., Ray, M., Santha, M.: Strategies for quantum races. In: Blum, A. (ed.) 10th Innovations in Theoretical Computer Science Conference, ITCS 2019, volume 124 of LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, pp. 51:1–51:21 (2019). arXiv:1809.03671

  19. Lewenberg, Y., Sompolinsky, Y., Zohar, A.: Inclusive block chain protocols. In: Financial Cryptography and Data Security—19th International Conference, FC 2015, San Juan, Puerto Rico, January 26–30, 2015, Revised Selected Papers, pp. 528–547 (2015)

  20. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

  21. Nash, J.F.: Equilibrium points in n-person games. Proc. Natl. Acad. Sci. 36(1), 48–49 (1950)

  22. Narayanan, A., Bonneau, J., Felten, E.W., Miller, A., Goldfeder, S.: Bitcoin and Cryptocurrency Technologies—A Comprehensive Introduction. Princeton University Press, Princeton (2016)

  23. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th edn. Cambridge University Press, New York (2011)

  24. Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, pp. 305–320 (2016). Cryptology ePrint Archive: report 2015/796

  25. Roetteler, M., Naehrig, M., Svore, K.M., Lauter, K.E.: Quantum resource estimates for computing elliptic curve discrete logarithms. In: Advances in Cryptology—ASIACRYPT 2017, Part II, pp. 241–270 (2017). arXiv:1706.06752

  26. Rosenfeld, M.: Analysis of Bitcoin pooled mining reward systems (2011). arXiv:1112.4980

  27. Schrijvers, O., Bonneau, J., Boneh, D., Roughgarden, T.: Incentive compatibility of Bitcoin mining pool reward functions. In: Financial Cryptography and Data Security—20th International Conference, FC 2016, Revised Selected Papers, volume 9603 of Lecture Notes in Computer Science. Springer, pp. 477–498 (2016)

  28. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). arXiv:quant-ph/9508027

  29. Sompolinsky, Y., Lewenberg, Y., Zohar, A.: SPECTRE: a fast and scalable cryptocurrency protocol. IACR Cryptology ePrint Archive, vol. 2016, p. 1159 (2016)

  30. Solat, S., Potop-Butucaru, M.: Brief announcement: ZeroBlock: timestamp-free prevention of block-withholding attack in Bitcoin. In: Lecture Notes in Computer Science. Springer International Publishing, pp. 356–360 (2017). arXiv:1605.02435

  31. Stifter, N., Schindler, P., Judmayer, A., Zamyatin, A., Kern, A., Weippl, E.R.: Echoes of the past: recovering blockchain metrics from merged mining. IACR Cryptology ePrint Archive, vol. 2018, p. 1134 (2018)

  32. Sapirshtein, A., Sompolinsky, Y., Zohar, A.: Optimal selfish mining strategies in Bitcoin. In: Grossklags, J., Preneel, B. (eds.) Financial Cryptography and Data Security, volume 9603 of Lecture Notes in Computer Science. Springer, pp. 515–532 (2016). arXiv:1507.06183

  33. Sompolinsky, Y., Zohar, A.: Secure high-rate transaction processing in Bitcoin. In: Financial Cryptography and Data Security—19th International Conference, FC 2015, Revised Selected Papers, pp. 507–527 (2015). Cryptology ePrint Archive: report 2013/881

  34. Sompolinsky, Y., Zohar, A.: PHANTOM: a scalable BlockDAG protocol. IACR Cryptology ePrint Archive, vol. 2018, p. 104 (2018)

  35. Tessler, L., Byrnes, T.: Bitcoin and quantum computing (2017). arXiv:1711.04235

  36. Tschorsch, F., Scheuermann, B.: Bitcoin and beyond: a technical survey on decentralized digital currencies. IEEE Commun. Surv. Tutor. 18(3), 2084–2123 (2016). Cryptology ePrint Archive: report 2015/464

  37. Unruh, D.: Formal verification of quantum cryptography [Youtube video] (2016). https://kodu.ut.ee/~unruh/publications/2016-09-15%20-%20Verification%20of%20Quantum%20Cryptography%20-%20QCrypt%20invited%20talk.pptx

  38. Zohar, A.: Bitcoin: under the hood. Commun. ACM 58(9), 104–113 (2015)

  39. Zhang, R., Preneel, B.: Publish or perish: a backward-compatible defense against selfish mining in Bitcoin. In: Handschuh, H. (ed.) Topics in Cryptology—CT-RSA 2017—The Cryptographers’ Track at the RSA Conference 2017, San Francisco, CA, USA, February 14–17, 2017, Proceedings, volume 10159 of Lecture Notes in Computer Science. Springer, pp. 277–292 (2017)

Acknowledgements

The author is grateful for his fruitful discussions with Yotam Ashkenazi, Ittay Eyal, Robin Kothari, Troy Lee, Maharshi Ray, Yonatan Sompolinsky and Aviv Zohar. He would also like to thank Troy Lee for noticing a vulnerability in the countermeasure presented in an earlier version of this manuscript—see Appendix B.

Funding

This research was supported by ERC Grant 280157, by the Israel Science Foundation (ISF) Grant Nos. 682/18 and 2137/19 and by the Cyber Security Research Center at Ben-Gurion University.

Author information

Corresponding author

Correspondence to Or Sattath.

Ethics declarations

Conflict of interest

The author declares that he has no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by the author.

Appendices

Subtle implications of quantum mining

Quantum mining has some subtle implications, which are discussed below.

1.1 Effects on the confirmation time

The confirmation time for a transaction is defined as the time it takes for the transaction to be included in a block after being broadcast to the network by the user. Classically, it takes a miner a fraction of a second for each attempt to solve a proof-of-work puzzle. Upon receiving a transaction, a miner can include the transaction in the next attempt to solve the proof-of-work puzzle. Therefore, a block typically contains the transactions paying with the highest fees (measured in bitcoin per byte) that fit into a block (see Note 8) at the time that the block was mined. For a user who is willing to pay enough, under normal circumstances (i.e., assuming that the user has Internet connection, miners are rational, no denial-of-service attack, etc.), she can guarantee that her transaction will be confirmed in the next block by offering a high enough fee (for example, a higher fee rate than all others).

A quantum miner can only update her block after a full run of the Grover algorithm. This condition holds with or without our proposed selection rule. For example, if the number of Grover algorithm iterations by all miners is set to 2 min, a user who offers a high enough fee can only guarantee her inclusion in blocks created 2 min after the transaction is broadcast. In a more realistic scenario, where the number of Grover iterations is chosen according to some distribution, users who pay high enough fees can only be guaranteed inclusion in the next two blocks (rather than in the next block, which is the current state of affairs).

The reduced ability to guarantee inclusion appears to be relatively unimportant, since the block creation process is already unpredictable: There are no guarantees regarding the time it will take for the next block to be mined (only the expected time is guaranteed). Quantum mining will only increase the unpredictability. More precisely, although classically a user could guarantee that a transaction would get included in the next block, she could not guarantee the more important property, i.e., when it would get included. Because this property cannot be guaranteed, the loss of the guarantees on the less relevant property is of secondary importance.

1.2 Economy of mining equipment

Suppose there are two classical mining devices with hash rates of x and 2x. Other things being equal (such as electricity consumption), we would expect the second device to cost twice as much as the first, since classically, the revenue from Bitcoin mining is linear in the hash rate. For quantum devices, the quadratic speedup yields a different scenario: One would expect, at least naively, that the cost of the second device will be quadruple that of the first.

Were such a cost difference the case, quantum Bitcoin mining hardware manufacturers would be more strongly motivated to improve the hash rate (analogous to CPU speed), a scenario that may also exist in other markets affected by quantum speedups. This example is illuminating, since the connection between computational power and revenue is direct and can be calculated easily.

1.3 Finding the equilibrium and barrier of entry

The current strategy for classical miners is extremely simple: mine on top of the tip of the longest chain as fast as possible. It is plausible that in the PQMS equilibrium, the distribution over the number of Grover iterations Q that a miner should apply (see Algorithm 1, line 6) would depend on the properties of the other miners (most importantly, the number and hash rates of the mining devices in each pool). For a concrete example of such a dependence, see [18]. This information may not be accessible to all miners, in which case equilibrium would not be achieved.

Outside equilibrium, miners with more information about the strategies of the other miners would realize higher profits. This may lead to a high barrier to entry, which does not exist now.

An unsuccessful countermeasure

Equation (2) provides a new default tie-breaking rule as a countermeasure—a mechanism that we conjecture prevents the AQMS. In an earlier version of this manuscript, we provided a different, older rule that, it turns out, also prevents the AQMS but in so doing introduces a new vulnerability, which was discovered by Troy Lee. The goal of this Appendix is to explain the earlier countermeasure and the resulting vulnerability.

The old tie-breaking rule was as follows: Suppose the tips of the longest chains have timestamps \(s_1,\ldots , s_n\), and they were first received at the times \(t_1,\ldots ,t_n\). Let \(t_{min}=\min _{i\in [n]} t_i\) and let the penalty of each of these tips be defined as \(p_i=|t_{min} - s_i|\). The (old) default strategy was to mine on top of the block that had the lowest penalty \(p_i\).

Though the (old) tie-breaking rule seems to prevent the AQMS strategy effectively, consider Mallory, a malicious miner who wants to harm Alice, an honest miner. We assume Mallory has complete knowledge of the network and its properties, and we present a strategy that can be executed at no cost.

Consider the following example. Assume that a block sent by Alice is received by all the other miners after exactly 1 second and that Mallory is also aware of Alice’s activity. Mallory waits for Alice to create a valid block. Suppose that this block has timestamp \(s_A\) and that it was received by all the other miners at time \(t_A = s_A + 1\). Mallory then starts mining a block with the timestamp \(s_M=s_A+1\). Suppose that Mallory finds a block after running Grover’s algorithm for 100 seconds. Her block will be received much later than Alice’s block (at roughly \(t_A + 100\)), and therefore \(t_{min}\) will remain \(t_A\). Note that Mallory’s penalty in this case is \(|t_{min}-s_M|=|t_{min}-(s_A+1)|=0\), whereas Alice’s penalty will be \(|t_{min}-s_A|=1\); therefore, Mallory will have the lower penalty and win the fork race. As a result, other miners will start to mine on top of Mallory’s block rather than on Alice’s block. In terms of costs, since all miners will mine on top of Mallory’s block if she succeeds, the strategy used by Mallory entails no risk to her, but it may cause Alice significant damage. Insofar as Bitcoin mining is a zero-sum game, it may even be indirectly beneficial to use this strategy, not just as an attack on others. We emphasize that Mallory does not need to be well connected to the other nodes; rather, she needs to know Alice’s propagation time. We are not aware of similar classical or quantum attacks in the context of mining. This attack does not work if the default tie-breaking rule is as defined in Eq. (2): in this example, \(|s_M-t_M|\) is roughly 100 seconds, and because of that, Mallory’s penalty will be higher than that of Alice. Therefore, this specific attack will not work.

Cite this article

Sattath, O. On the insecurity of quantum Bitcoin mining. Int. J. Inf. Secur. 19, 291–302 (2020). https://doi.org/10.1007/s10207-020-00493-9