on the insecurity of quantum bitcoin mining
play

On the insecurity of quantum Bitcoin mining arXiv:1804.08118 Or - PowerPoint PPT Presentation

Feb 27, 2023 •617 likes •872 views

On the insecurity of quantum Bitcoin mining arXiv:1804.08118 Or Sattath, Ben-Gurion University QCrypt 2018 SUMMARY The Bitcoin network will become less secure once Bitcoin miners use a quantum computer. Quantum Bitcoin mining a high

  1. On the insecurity of quantum Bitcoin mining arXiv:1804.08118 Or Sattath, Ben-Gurion University QCrypt 2018

  2. SUMMARY • The Bitcoin network will become less secure once Bitcoin miners use a quantum computer. • Quantum Bitcoin mining  a high stale-rate in the Bitcoin blockchain. • A higher stale- rate is known to have negative implications on Bitcoin’s security • double-spending (51% attack) requires less computational power • selfish mining becomes profitable with a smaller hash-rate • longer confirmation times • We proposed a countermeasure for this concern, by changing the Bitcoin protocol

  3. HOW DOES BITCOIN WORK?

  4. FIRST ATTEMPT • Suppose you have an append only, globally available public bulleting board. How can such a bulletin board be used to construct a money system?

  5. Attempt 1 • Distribution: Alice, Bob and Chalie get 10 coins each • Alice sends 2 coins to David. • Charlie sends 1 coin to Eve. Insufficient funds, ignored • Alice sends 20 coins to Francis. Problem: David can append the message “ Bob sends 10 coins to David ” , and steal Bob ’ s coins.

  6. Attempt 2: Digital signatures • Distribution: Alice with 𝑞𝑙 𝐵 , Bob with 𝑞𝑙 𝐶 and Chalie with 𝑞𝑙 𝐷 get 10 coins each • Alice sends 2 coins to David with 𝑞𝑙 𝑒 . Signature: 0110001010. • Bob sends 10 coins to David with 𝑞𝑙 𝑒 . Signature: 11101101011 invalid signature. Everyone checks that the signature is valid: Verify(message,signature,public-key)=True?

  7. IMPLEMENTING AN APPEND ONLY PUBLIC BULLETIN BOARD • A cryptographic hash function H, such as SHA256 is modeled like a random function (random oracle model) 𝐼: 0,1 ∗ → 0,1 256 . • Transactions are flooded to a peer-to-peer network. • Miners try to create a block by finding a “ nonce ” x such that H(prev_block_hash,time,x, transactions)<t . • The threshold t is adjusted so that a block is mined every 10 minutes on average. The time is used to 𝑒𝑏𝑧𝑡 𝑔𝑝𝑠 𝑚𝑏𝑡𝑢 2014 𝑐𝑚𝑝𝑑𝑙𝑡 adjust the difficulty every 2016 blocks (~2 weeks): 𝑢 𝑜𝑓𝑥 = 𝑢 𝑝𝑚𝑒 ⋅ . 14 • This mechanism is called Proof-of-Work. Classically, it is progress free: the time you spent so far on finding a block does not affect your chances in finding a block in the next minute. The number of proofs / blocks found per minute has a Poisson distribution.

  8. IMPLEMENTING AN APPEND ONLY PUBLIC BULLETIN BOARD (2) • A miner who finds a valid block gets some bitcoins (started at 50, slashed in half every 4 years) from thin air. • Honest miners keep evaluating the hash-function, until they win the lottery.

  9. Target t=00400 Block hash 00214 Block hash 00312 Previous - Previous 00214 block block Miner’s Satoshi2ff Miner’s miner 2 fsfsa address address Nonce 21231321 Nonce 5268363 Time 8:00 Time 8:12 Tx1 Sat  usr1 Miner 1 Miner 2 Miner 3

  10. Block hash 00108 Previous 00312 block Miner’s miner 1k ds address Block hash 00214 Block hash 00312 Nonce 3729963 Previous - Previous 00214 block block Time 8:19 Miner’s Satoshi2ff Miner’s miner 2 fsfsa address address Nonce 21231321 Nonce 5268363 Time 8:00 Time 8:12 Tx1 Sat  usr1 Block hash 00223 Previous 00312 block Miner’s miner 3 lqw address Nonce 3219411 Miner 1 Miner 2 Miner 3 Time 8:19 usr1  usr2

  11. FORKS • Once in a while, there may be a fork: two miners, who haven ’ t heard of each other ’ s block, find two blocks. • Longest chain rule: Honest users & miners follow the longest chain of blocks (hence, block-chain). In case of ties, they mine on top of the tip which they have heard first (this is subjective: two honest miners may mine on top of two different longest tips). Symmetry-breaking mechanism.

  12. Block hash 00108 Previous 00312 block Miner’s miner 1k ds address Block hash 00214 Block hash 00312 Nonce 9224663 Previous - Previous 00214 block block Time 8:19 Miner’s Satoshi2ff Miner’s miner 2 fsfsa address address Nonce 21231321 Nonce 7421168 Time 8:00 Time 8:12 Tx1 Sat  usr1 Block hash 00223 Block hash 00108 Previous 00312 Previous 00223 block block Miner’s miner 3 lqw Miner’s miner 2 fsfs a address address Nonce 3219411 Nonce 1183462 Miner 1 Miner 2 Miner 3 Time 8:19 Time 8:31 00108 00223 usr1  usr2

  13. IMPLEMENTING AN APPEND ONLY PUBLIC BULLETIN BOARD (3) • Miners invest money (to buy mining rigs) & electricity and get Bitcoins in return. • Why does the Bitcoin network “ spend ” so much “ money ” (bitcoins) on mining? • Miners secure the network. The more computational power invested, the harder it is for an attacker to perform a double-spend attack, AKA a 51% attack.

  14. Block hash 00108 Previous 00312 block Miner’s miner 1k ds address Block hash 00214 Block hash 00312 Nonce 3219411 Previous - Previous 00214 block block Time 8:19 Miner’s Satoshi2ff Miner’s miner 2 fsfsa Tx1 mnr3  store1 address address Nonce 21231321 Nonce 21231321 Time 8:00 Time 8:12 Tx1 Miner 3 Tx:mnr3  store1 Miner 1 Miner 2

  15. Block hash 00108 Previous 00312 block Miner’s miner 1k ds address Block hash 00214 Block hash 00312 Nonce 3219411 Previous - Previous 00214 block block Time 8:19 Miner’s Satoshi2ff Miner’s miner 2 fsfsa Tx1 mnr3  store1 address address Nonce 21231321 Nonce 21231321 Time 8:00 Time 8:12 Tx1 Block hash 00223 Previous 00312 block Miner’s miner 3 lqw Miner 3 address Nonce 3219411 Miner 1 Miner 2 Time 8:19 mnr3  store2

  16. Block hash 00108 Previous 00312 block Miner’s miner 1k ds address Block hash 00214 Block hash 00312 Nonce 3219411 Previous - Previous 00214 block block Time 8:19 The more money invested in mining, Miner’s Satoshi2ff Miner’s miner 2 fsfsa Tx1 mnr3  store1 the cost for this attack increases. address address Nonce 21231321 Nonce 21231321 Time 8:00 Time 8:12 Tx1 Block hash 00223 Block hash 00108 Previous 00312 Previous 00223 block block Miner’s miner 3 lqw Miner’s miner 2 fsfs a Miner 3 address address Nonce 3219411 Nonce 3219411 Miner 1 Miner 2 Time 8:19 Time 8:31 mnr3  store2

  17. QUANTUM ATTACKS? • The current digital signature scheme can be forged using a quantum computer, using (a variant of) Shor ’ s algorithm. • The proposed solution is to use a post-quantum digital signature scheme – for example, hash-based signature schemes (such as Lamport signatures). Downside: somewhat inefficient. Efficiency is especially important in Bitcoin since a block has a fixed size (larger signatures  less transactions per second). • This was well known.

  18. IMPLICATIONS OF QUANTUM MINING • Grover ’ s algorithm can be applied to find solutions for Proof of work puzzles • Suppose we have quantum miners, that use Grover ’ s algorithm. • Immediate consequence: the difficulty of mining will increase. • Not really a problem. • This was well known.

  19. OBSERVATION |𝑧〉 • Grover ’ s algorithm achieves a quadratic speedup even when stopped 𝑢 |𝑗𝑜𝑗𝑢〉 𝑉 𝑠 𝑉 prematurely. 𝑔 • We can stop the algorithm 2 |𝑗𝑜𝑗𝑢〉 𝑉 𝑠 𝑉 prematurely, and still get a quadratic 𝑔 advantage! After 𝑢 iterations, the 𝑉 𝑠 𝑉 𝑔 |𝑗𝑜𝑗𝑢〉 (2𝑢 + 1)𝜚 𝑢 2 success probability is ∼ 𝑂 . |𝑗𝑜𝑗𝑢〉 • The number of iterations doesn ’ t need to be chosen in advance! 𝑧 ⊥ 𝑉 𝑔 |𝑗𝑜𝑗𝑢〉

  20. IMPLICATIONS OF QUANTUM MINING • Suppose your fellow miner found a block. What do you do? • Strategy 1: Stop everything, and start to mine on top of the new block. • Strategy 2: Measure the quantum state immediately, hoping to find a block, and to propagate it faster than your fellow miner. If the block becomes part of the longest chain, you win! • Rational miners will use strategy 2, as it is strictly better. • Therefore, once one miner finds a block, all others will measure their state. There is strong correlation between the time different miners measure their state. • This may lead to more forks in the blockchain • Classically, forks happen due to propagation time / network effects. Stale rate  0 as propagation time decreases. • In the quantum setting, forks happen for an entirely different reason. Stale rate does not go to zero as propagation time is decreased.

  21. Suppose all miners are symmetric, and they choose the same number of Grover iterations to apply, which takes t minutes. The stale rate (# blocks outside longest chain / total # blocks)

  22. PROPOSED COUNTERMEASURE • Solution should prohibit the adaptive strategy. • Intuition: force miners to choose how many Grover iterations they will apply, in advance. • Proposal: • Change the tie-breaking rule. • Old rule: follow the tip that was received first. Provides an advantage to well-connected & high- bandwidth miners. • New rule: let 𝑢 1 and 𝑢 2 the times the competing blocks were received (subjective). Let 𝑢 = min{𝑢 1 , 𝑢 2 } . Let 𝑡 1 and 𝑡 2 the timestamps in the blocks (objective). Honest miners follow the block which minimizes min |𝑡 1 − 𝑢 |, 𝑡 2 − 𝑢 . • Honest miners know how many iterations they will apply, and therefore will have a low difference, whereas adaptive miners will usually have a high difference. A miner cannot change the timestamp after starting to mine.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &amp;

Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &amp;

Cryptocurrency Technologies Bitcoin Mining Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &amp; Ecology Mining Pools Mining Incentives and Strategies Recap: Bitcoin Miners Bitcoin depends on

821 views • 35 slides
All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

Lecture 4 All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash power) on consensus Who are the miners? Lecture 4.1: The

1.16k views • 99 slides
Mining Pools Prof. Tom Austin San Jos State University Review: Bitcoin mining Miners

Mining Pools Prof. Tom Austin San Jos State University Review: Bitcoin mining Miners

Cryptocurrencies &amp; Security on the Blockchain Mining Pools Prof. Tom Austin San Jos State University Review: Bitcoin mining Miners verify transactions Must find a proof-of-work. Reward: newly generated bitcoins, plus

796 views • 28 slides
Mining, network, economics Joseph Bonneau Recap: Bitcoin miners

Mining, network, economics Joseph Bonneau Recap: Bitcoin miners

Lecture 2 Mining, network, economics Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash

1.1k views • 98 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Bitcoin Mining is Vulnerable Ittay Eyal and Emin G un Sirer 2019.03.25 1 Ittay Eyal 2

Bitcoin Mining is Vulnerable Ittay Eyal and Emin G un Sirer 2019.03.25 1 Ittay Eyal 2

Majority is not Enough: Bitcoin Mining is Vulnerable Ittay Eyal and Emin G un Sirer 2019.03.25 1 Ittay Eyal 2 Cryptocurrencies Popular algorithm: PoW 4 Proof-of-Work Mining They use blockcha kchain to run without a trusted third

632 views • 34 slides
Outline Atlanta, GA What is food insecurity? Food Insecurity in Why we care about

Outline Atlanta, GA What is food insecurity? Food Insecurity in Why we care about

2010 MOWAA Annual Conference and EXPO Outline Atlanta, GA What is food insecurity? Food Insecurity in Why we care about food insecurity? Older Americans: What are barriers to achieve food security? What are the consequences of

290 views • 4 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Optimising the SHA256 Hashing Algorithm for Faster and More Efficient Bitcoin Mining Presented

Optimising the SHA256 Hashing Algorithm for Faster and More Efficient Bitcoin Mining Presented

Optimising the SHA256 Hashing Algorithm for Faster and More Efficient Bitcoin Mining Presented by: Rahul P. Naik (12026189) Supervisor: Dr. Nicolas T. Courtois MSc Information Security DEPARTMENT OF COMPUTER SCIENCE September 17, 2013

579 views • 33 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
Bitcoin Selfish Mining Marie Vasek Secure Electric Commerce (some slides heavily inspired by Dr.

Bitcoin Selfish Mining Marie Vasek Secure Electric Commerce (some slides heavily inspired by Dr.

Bitcoin Selfish Mining Marie Vasek Secure Electric Commerce (some slides heavily inspired by Dr. Moore) s k c a t t a g n i d l o h h t i w k c o l b y r a r o p m e T n i o c t i B Bitcoin Selfish

567 views • 14 slides
On instabilities of the Bitcoin protocol Ricardo P erez-Marco @rperezmarco CNRS, IMJ-PRG,

On instabilities of the Bitcoin protocol Ricardo P erez-Marco @rperezmarco CNRS, IMJ-PRG,

Dynamical instability Perdurance of the Bitcoin protocol. Hard forks Double spend attacks Catch-up mining instability On instabilities of the Bitcoin protocol Ricardo P erez-Marco @rperezmarco CNRS, IMJ-PRG, Univ. Paris 7 Breaking

1.23k views • 85 slides
Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed Computing Group www.disco.ethz.ch What is Bitcoin? What is Bitcoin? + What is Bitcoin? = + Whats it worth? USD / Bitcoin exchange price 300

752 views • 48 slides
Distributed Synthetic Data Platform for Deep Learning Applications BITCOIN OR ETHER AMAZON DEEP

Distributed Synthetic Data Platform for Deep Learning Applications BITCOIN OR ETHER AMAZON DEEP

Distributed Synthetic Data Platform for Deep Learning Applications BITCOIN OR ETHER AMAZON DEEP MINING LEARNING BITCOIN OR AMAZON DEEP The AI industry is ready to x 6 ETHER MINING LEARNING pay miners for their computational resources GPU

222 views • 18 slides
SELFISH MINING RE-EXAMINED Kevin Alarcn Negy 1 , Peter Rizun 2 , Emin Gn Sirer 1 1 Computer

SELFISH MINING RE-EXAMINED Kevin Alarcn Negy 1 , Peter Rizun 2 , Emin Gn Sirer 1 1 Computer

SELFISH MINING RE-EXAMINED Kevin Alarcn Negy 1 , Peter Rizun 2 , Emin Gn Sirer 1 1 Computer Science Department, Cornell University 2 Bitcoin Unlimited Bitcoin folk theorems Incentive compatibility Hash power is proportional to winnings

591 views • 39 slides
Swiss E-Voting Workshop 2010 Verifiability in Remote Voting Systems September 2010 Jordi

Swiss E-Voting Workshop 2010 Verifiability in Remote Voting Systems September 2010 Jordi

Swiss E-Voting Workshop 2010 Verifiability in Remote Voting Systems September 2010 Jordi Puiggali VP Research &amp; Development Jordi.Puiggali@scytl.com Index Auditability in e-voting Types of verifiability Verifiability methods

719 views • 27 slides
Prt Voter with Confirmation Codes Peter Y A Ryan Universit du Luxembourg

Prt Voter with Confirmation Codes Peter Y A Ryan Universit du Luxembourg

Prt Voter with Confirmation Codes Peter Y A Ryan Universit du Luxembourg EVT/WOTE San P Y A Ryan 1 Francisco 2011 Outline End-to-end verifiable voting. Outline of Prt Voter (polling station).

780 views • 28 slides
Secure Internet Voting on Limited Devices with Anonymized DSA Public Keys Rolf Haenni and Oliver

Secure Internet Voting on Limited Devices with Anonymized DSA Public Keys Rolf Haenni and Oliver

Secure Internet Voting on Limited Devices with Anonymized DSA Public Keys Rolf Haenni and Oliver Spycher Bern University of Applied Sciences, Switzerland http://e-voting.bfh.ch EVT/WOTE11, San Francisco August 9th, 2011 1 Outline

550 views • 23 slides
Efficient and Fair MPC using Blockchain and Trusted Hardware Souradyuti Paul Ananya Shrivastava

Efficient and Fair MPC using Blockchain and Trusted Hardware Souradyuti Paul Ananya Shrivastava

Efficient and Fair MPC using Blockchain and Trusted Hardware Souradyuti Paul Ananya Shrivastava (IIT Bhilai) (IIT Gandhinagar) Latincrypt 2019 Santiago, Chile October 3, 2019 Outline Multiparty Computation (MPC) Security

613 views • 22 slides
Overview of HATEOAS Approaches W3C WoT IG / IRTF T2TRG Joint Meeting, Nice, France, 2016

Overview of HATEOAS Approaches W3C WoT IG / IRTF T2TRG Joint Meeting, Nice, France, 2016

Overview of HATEOAS Approaches W3C WoT IG / IRTF T2TRG Joint Meeting, Nice, France, 2016 Matthias Kovatsch (kovatsch@inf.ethz.ch) 1 Web Mashups through Open APIs Internal microservice APIs 2 Often Break 3 Human Web Interaction 4

739 views • 35 slides
Statement Voting &amp; Liquid Democracy Hong-sheng Zhou Virginia Commonwealth University

Statement Voting &amp; Liquid Democracy Hong-sheng Zhou Virginia Commonwealth University

Statement Voting &amp; Liquid Democracy Hong-sheng Zhou Virginia Commonwealth University Joint with Bingsheng Zhang (Lancaster University) e-voting E-voting encompasses a broad range of voting systems that apply electronic

425 views • 16 slides
Social Media Savvy Teen Self-Expression and Communication in a Digital Era How has access to

Social Media Savvy Teen Self-Expression and Communication in a Digital Era How has access to

Social Media Savvy Teen Self-Expression and Communication in a Digital Era How has access to mobile technology changed student learning? Sage on the Stage Guide on the Side The Heart of Social Media Influence - The Need for Acceptance

1.22k views • 77 slides
POLL 1 8/23/2017 The View of Pedagogical Documentation as a Tool for Learning, Communication

POLL 1 8/23/2017 The View of Pedagogical Documentation as a Tool for Learning, Communication

8/23/2017 POLL 1 8/23/2017 The View of Pedagogical Documentation as a Tool for Learning, Communication and Engagement! Three Elements of Pedagogical Documentation Observe Document Interpret Listen Record Share Observe in everyday

608 views • 15 slides

More recommend