By Matthew Dove (Digital Editor)
The hysteria surrounding the threat quantum computing could pose to the world’s encrypted information stems from its potential to turn a mathematical result that has so far existed only on paper into a working machine.
Cryptography – the art of writing and breaking codes – has underpinned the communication of sensitive information for centuries. In its most modern incarnations, it’s used to encrypt everything from contactless card payments to emails and messenger services.
Furthermore, there’s presently somewhere north of 120 billion US dollars invested in the cryptocurrency market, a market almost wholly predicated on the presumed immutability of blockchain technologies, which rest on hash functions and digital signatures rather than on encryption. So, is a quantum menace about to descend on Bitcoin and friends? And what’s more, is Grandma’s Hotmail account safe?
Shor’s algorithm, published by Peter Shor in 1994, solves integer factorisation and the closely related discrete logarithm problem: given a very large number, it works out which primes were multiplied together to produce it. Classical computers can do this only for modest sizes; for the key sizes used in practice (the 2048-bit numbers behind RSA, for instance) no known classical method finishes in any useful time. A sufficiently powerful quantum computer (QC), on the other hand, could run Shor’s algorithm in polynomial time, spelling trouble for every encryption or signature scheme that relies on the difficulty of such calculations.
So-called public-key cryptography, including the Elliptic Curve Digital Signature Algorithm (ECDSA) used by Bitcoin and most other cryptocurrencies, is especially vulnerable. Strictly speaking, ECDSA does not rest on factoring but on the elliptic-curve discrete logarithm problem: the private key is a large number d, the public key is the curve point Q = d·G, and recovering d from Q is believed to be infeasible for a classical computer. Shor’s algorithm solves that discrete logarithm just as efficiently as it factors, so a bad actor with a large enough QC could derive your private key from your public key (which, on Bitcoin, is revealed the moment an address spends). Note that this concerns public/private key pairs, not usernames and passwords: passwords are protected by hashing, a different mechanism that the interviewees address below.
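To make the public-key relationship concrete, the following is an added example (not code from the article’s interviewees, Bitcoin or any library) that implements curve arithmetic on a toy curve of the same family as secp256k1, y² = x³ + 7 over the 17-element field with generator G = (15, 13), derives a public key Q = d·G exactly as a wallet does, and then recovers d from Q with baby-step giant-step, the generic classical attack that costs about the square root of the group order. The toy curve, the generator and the private key d = 13 are assumptions chosen for the demo; the one real constant is the published group order of secp256k1, used to show why the same attack is hopeless at 256 bits while Shor’s algorithm, running in polynomial time on a large enough QC, is not.

```python
from math import isqrt

# Toy curve y^2 = x^3 + 7 over F_17: same equation family as Bitcoin's secp256k1,
# but over a 17-element field instead of a 256-bit one. Constructed for this
# example; the group generated by G has 18 points.
P, A, B = 17, 0, 7
G = (15, 13)
O = None  # point at infinity (group identity)


def inv(x):
    return pow(x % P, -1, P)


def add(p1, p2):
    """Elliptic-curve point addition in affine coordinates."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P  # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication by double-and-add: how a public key Q = k*G is derived."""
    r, q = O, pt
    while k:
        if k & 1:
            r = add(r, q)
        q = add(q, q)
        k >>= 1
    return r


def order(pt):
    """Order of pt in the group by brute force (fine only for toy curves)."""
    n, q = 1, pt
    while q is not O:
        q = add(q, pt)
        n += 1
    return n


def ecdlp_bsgs(Q, base, n):
    """Recover k from Q = k*base by baby-step giant-step in ~sqrt(n) group operations.
    This is the generic classical attack; Shor's algorithm does the same job in time
    polynomial in log(n) on a sufficiently large quantum computer."""
    m = isqrt(n) + 1
    baby = {}
    cur = O
    for j in range(m):  # baby steps: j*base for j < m
        baby.setdefault(cur, j)
        cur = add(cur, base)
    step = mul(m, base)
    neg_step = (step[0], (-step[1]) % P)
    gamma = Q
    for i in range(m):  # giant steps: Q - i*m*base
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = add(gamma, neg_step)
    return None


# Published group order of secp256k1, the real curve, for comparison.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def bsgs_steps(n):
    """Group operations BSGS needs for a group of order n: about 2^128 for secp256k1."""
    return isqrt(n) + 1


if __name__ == "__main__":
    n = order(G)          # 18 on the toy curve
    d = 13                # private key (assumption: chosen for the demo)
    Q = mul(d, G)         # public key, as published when a Bitcoin address spends
    print("n =", n, "Q =", Q, "recovered d =", ecdlp_bsgs(Q, G, n))
    print("BSGS steps for secp256k1 ~ 2^%d" % (bsgs_steps(SECP256K1_N).bit_length() - 1))
```

On the toy curve the attack finishes in a handful of steps; on secp256k1 `bsgs_steps` returns a number around 2^128, which is why ECDSA is safe against classical computers and why the quadratic speed-up of Grover’s algorithm would not change that either. Only Shor’s polynomial-time discrete logarithm does.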
So, how realistic is this threat? Abinheet Sarkar, a fintech and emerging tech consultant, thinks it’s worth worrying about.
“Yes, quantum computing can break passwords. Hackers are continually trying to break passwords using various algorithms and computations using classical computing methodology.
Quantum computing gives an edge to hackers to simulate and implement the attacks at a faster pace, because quantum computing works on the specific property of superposition in qubits, which allows the qubits to stay in both the state of 0 and 1 at the same time.”
Sarkar’s assessment of the blockchain’s chances of withstanding quantum interference is similarly bleak. “Blockchain creates a decentralised system, a secure digital record based on the consensus of each participant in the network. Messages created from hash algorithms [on the blockchain] are practically irreversible by classical computing.
However, quantum computing with qubits can exponentially enhance the computational speed of the system and Shor’s algorithm can be used to reverse the hash and forge digital signatures.”
Elsewhere, opinion is split, with Messrs Koltun and Stein offering less dystopian visions of a quantum future. Speaking like a true exponent of superposition theory, Stein’s response to the question of whether quantum computing can break passwords is both 1 and 0. “The answer is neither yes nor no: Quantum computers can be faster in breaking passwords. Breaking passwords by computer amounts to trying passwords, perhaps from a list of popular passwords, or completely by trying all possible combinations, or a combination of these two approaches. A consequence of quantum computing could be a change in what is considered too short a password.
Whilst a classical computer can do no better than searching for your password by trying candidate passwords one at a time, needing x amount of work for x attempts, quantum computers can use a trick known as Grover’s algorithm to cover x^2 (x-squared) attempts for the same amount of work.
To summarise: Your passwords are safe from a quantum computer assuming you’re willing to double the minimum length of your passwords.”
When pressed on the same issue, Adam Koltun provides an even more reassuring summation.
“Quantum computers can’t break passwords assuming they’re properly salted and hashed at the server level, which most banks and online institutions should be doing. What they will be able to do is compromise the security of our public key infrastructure (PKI) which encrypts data in transit to the website you’re using making man-in-the-middle (MITM) attacks trivial to do.
As there are currently initiatives like http://test-pqpki.com/ to update the internet’s PKI, there’s very little reason to worry. There will be nothing for users to do except maintain browser updates, something often done seamlessly now.
The most common threats to anyone’s security, of virtually any type, are garden-variety social manipulation and impersonation. Being mindful of what information you make public, directly or indirectly, updating one’s passwords and being aware of what types of back-doors already exist into your accounts (password reset to an email/phone, insecure 2FA, etc.) is still the most effective way to secure oneself.”
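Both of the points made above, Stein’s rule that a Grover-equipped attacker halves the exponent so the password length must double, and Koltun’s condition that passwords be salted and hashed server-side, can be put into code. The block below is an added example, not code from either interviewee or from any bank: it stores passwords with PBKDF2-HMAC-SHA256 from Python’s standard library under a random per-user salt, verifies them in constant time, and computes how long a password must be to keep a given amount of work in front of a classical attacker versus one running Grover’s algorithm. The iteration count, the 62-character alphabet and the 64-bit work target are assumptions chosen for the demo.

```python
import hashlib
import hmac
import math
import os

# Assumption for the demo: an iteration count in the range currently recommended
# for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as salt + slow hash. A fresh 16-byte random salt per user
    means identical passwords get different hashes and precomputed tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guess_work_bits(charset_size: int, length: int, quantum: bool = False) -> float:
    """log2 of the guesses needed to exhaust a password space.
    Classical: charset_size ** length. Grover: about the square root, i.e. half the bits."""
    bits = length * math.log2(charset_size)
    return bits / 2 if quantum else bits


def min_length(charset_size: int, target_bits: float, quantum: bool = False) -> int:
    """Shortest length giving at least target_bits of work to an exhaustive attacker.
    Against Grover the exponent must be doubled, hence Stein's 'double the length'."""
    needed = 2 * target_bits if quantum else target_bits
    return math.ceil(needed / math.log2(charset_size))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
    for quantum in (False, True):
        print("62-char alphabet, 64-bit target, quantum=%s: %d chars"
              % (quantum, min_length(62, 64, quantum)))
```

Two caveats a practitioner should keep in mind: the per-user salt only stops precomputation and cross-user matching, so the slow hash (the iteration count) is what makes each guess expensive, and Grover’s square-root saving applies to the number of guesses, not to the cost of each one, so every quantum “query” still has to evaluate the full PBKDF2 chain.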
The Quantum Resistant Ledger’s resident business strategist seems less sure when it comes to the blockchain’s chances against a sufficiently large QC.
“Blockchain utilises ECDSA, which is the same thing that underpins the internet. Assuming a powerful enough quantum computer, they will be able to break blockchain by deriving its private key from its public key. Right now, this is only revealed when spending, though there are about 19% of addresses which hold 36% of the total supply of Bitcoin.”
The decentralised nature of cryptocurrency means there is no central operator who can swap in a new signature scheme overnight: each of the hundreds of disparate networks has to agree a migration through its own consensus process, and any coin whose public key is already exposed stays at risk until its owner moves it to a quantum-safe address. Consensus is key, one weak link could undermine a whole chain, and the technology’s greatest strength could yet prove its undoing.
Blockchain developers aren’t known for their flat-footedness, and measures are already being put in place to ensure that the QC horror stories don’t become a reality.
QRL itself is made quantum safe by using a hash-based signature scheme called XMSS (the eXtended Merkle Signature Scheme, standardised in RFC 8391). Hash-based signatures depend only on the security of a hash function, and the best known quantum attack on a hash function, Grover’s algorithm, offers a square-root speed-up rather than the exponential one Shor’s algorithm gives against ECDSA. Security levels are therefore quoted in ‘quantum bits of security’, by analogy with the classical measure: 128 bits or higher is generally considered an adequate level of protection and is prudent to use as a minimum. XMSS is by default configured for 128 quantum bits of security and can be set higher if necessary. One practical caveat: XMSS is stateful, each one-time key beneath the Merkle tree may be used exactly once, so a wallet must never reuse a signing index.
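XMSS is a Merkle tree of many Winternitz one-time keys, with the tree index recording which keys have been spent. The simplest member of that family is the Lamport one-time signature, and the block below is an added example (not QRL’s code and not XMSS itself) implementing it over SHA-256 to show the two properties the paragraph above relies on: the only assumption is the hash function, so Grover’s halving of 256 bits to roughly 128 is the whole quantum story, and a key may be used once, because each signature reveals half the private key and an attacker who has watched enough signatures can forge without it. The message texts and the 64-signature reuse count are constructed for the demo.

```python
import hashlib
import os

N = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bit_at(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Private key: 2*N random 32-byte secrets. Public key: their hashes.
    Security rests only on SHA-256 preimage resistance; Grover's algorithm cuts
    a 2^256 preimage search to ~2^128 work, the '128 quantum bits' figure."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """For each digest bit, publish the secret for that bit's value: half the key leaks."""
    d = H(msg)
    return [sk[i][bit_at(d, i)] for i in range(N)]


def verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == N and all(H(sig[i]) == pk[i][bit_at(d, i)] for i in range(N))


def reveal(published):
    """What an observer learns from (msg, sig) pairs: a map (position, bit) -> secret."""
    known = {}
    for msg, sig in published:
        d = H(msg)
        for i in range(N):
            known[(i, bit_at(d, i))] = sig[i]
    return known


def forge(known, msg: bytes):
    """Sign msg without the private key if every required secret has already leaked.
    Returns None while any needed secret is still unknown."""
    d = H(msg)
    sig = []
    for i in range(N):
        s = known.get((i, bit_at(d, i)))
        if s is None:
            return None
        sig.append(s)
    return sig


if __name__ == "__main__":
    sk, pk = keygen()
    m1 = b"pay 1 QRL to alice"  # constructed message
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1))  # True
    known = reveal([(m1, s1)])
    print("secrets leaked by one signature:", len(known), "of", 2 * N)
    print("forge after one signature:", forge(known, b"pay 100 QRL to mallory") is not None)  # False
    # Key reuse: after a few dozen signatures almost every secret has leaked.
    published = [(b"tx-%d" % i, sign(sk, b"tx-%d" % i)) for i in range(64)]
    known = reveal(published)
    target = b"pay 100 QRL to mallory"
    forged = forge(known, target)
    print("forge after 64 signatures:", forged is not None and verify(pk, target, forged))  # True
```

After a single signature an observer holds 256 of the 512 secrets and can only re-sign the same digest; after 64 signatures of unrelated messages almost every position has both secrets exposed and an arbitrary message can be signed. XMSS avoids this by never signing twice with the same leaf, which is exactly why losing or restoring wallet state is the operational risk to watch for.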
A blockchain versus quantum showdown might be grabbing headlines (including ours!), but it’s arguable that the real potential of QC tech lies in its application to other areas of finance.