Expectations in the field of quantum computer development.
To give you an idea of what the expectations in quantum computer development are, as expressed by the companies that are working on quantum computers:
(Take note of the fact that the type and error rate of the qubits mentioned are not specified in these articles. It is not said that these will be enough to break ECDSA or RSA, nor is it said that they will not be enough. What these articles do show is that a huge speed-up in development is expected.)
- “It should be about 5 years to 1000 qubit chips with superconducting technology. It should be about 10 years to million qubit chips.”
- “And a million-physical-qubit system, whose general computing applications are still difficult to even fathom? It’s conceivable, says Neven, ‘on the inside of 10 years.’” (That is Hartmut Neven of Google’s quantum computing effort.)
- IBM believes quantum computers will be mainstream in 5 years. (Meaning outside of research labs, but not necessarily in the living rooms of the average Joe. No number of qubits is mentioned, though.)
- “Five years from now, we will have a commercial quantum computer,” says Microsoft’s Holmdahl.
- And those are just the commercial companies. The Pentagon sees quantum computing as the next arms race. China is about to pump $10 billion into a research centre. They won’t be as open about their developments as Google etc. are. It’s not a bad idea to start looking for solutions and new opportunities in blockchain.
- This paper estimates ECDSA to be at risk as soon as 2027.
The big question is: when will ECDSA be at risk? Estimates are only estimates. There are several to be found, some better founded and more educated than others, but there is no fixed date, so it’s hard to really tell.
The National Academy of Sciences (NAS) has made a very thorough report on the development of quantum computing. The report came out at the end of 2018. They brought together a group of over 70 scientists from different interconnecting fields in quantum computing who, as a group, have come up with a close to 200-page report on the development, funding, implications and upcoming challenges of quantum computing. But even though this report is one of the most thorough to date, it doesn’t make an estimate of when the risk for ECDSA or RSA would occur. They acknowledge that making an estimate is close to impossible, because there are a lot of unknowns and because they have to base any findings only on publicly available information, which obviously excludes any non-public advancements from commercial companies and national efforts that keep (parts of) their advances secret. So if this group of specialized scientists can’t make an estimate, who can make that assessment? Is there any credible source able to make an accurate prediction?
The conclusion at this point of time can only be that we do not know the answer to the big question “when”.
Now if we don’t have an answer to the question “when”, then why act? Why go for quantum resistant cryptography? If we’re talking about security, most take certainty over uncertainty. To answer the question of when the threat materializes, we still need to guess. Whether you guess soon, or you guess not for the next three decades, both are guesses. Going for certainty means you’d have to plan for the worst and hope for the best. No matter how sceptical you are, having some sort of plan ready would be the responsible thing to do. Obviously not if you’re just running a blog about knitting. But for systems that carry a lot of important, private and valuable information, planning and maybe even implementing starts today. The NAS describes it quite well. What they lack in guessing, they make up for in advice, and their advice is very clear:
“Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough — and the time frame for transitioning to a new security protocol is sufficiently long and uncertain — that prioritization of the development, standardization, and deployment of post-quantum cryptography is critical for minimizing the chance of a potential security and privacy disaster.”
Another organization that looks ahead is the National Security Agency (NSA). They made a threat assessment in 2015. In August 2015, the NSA announced that it is planning to transition “in the not too distant future” (statement of 2015) to a new cipher suite that is resistant to quantum attacks. “Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy.” NSA advised: “For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.”
What both of these organizations advise is to start taking action. They don’t say “implement this type of quantum resistant cryptography now”. They don’t say when at all. As said before, the “when” question is a hard one to pin down. It depends on the system you have, the value of the data, and the consequences of postponing a security upgrade. Do you just run a blog, or a bank, or a cryptocurrency? It’s an individual risk assessment that’s different for every organization and system. Assessments do need to be made now, though. What time frame should organizations think about when changing cryptography? How long would it take to go from the current level of security to fully quantum resistant security? What changes does it require to handle bigger signatures, and is it possible to use certain types of cryptography that require keeping state? Do your users need to act, or can all work be done behind the user interface? These are important questions that one should start asking. I will elaborate on these challenges specifically for cryptocurrencies in the next articles.
Besides the unanswered question of “when”, the question of what type of quantum resistant cryptography to use is unanswered too. This also depends on the type of system you use. The NSA and NAS both point to NIST as the authority on developments and standardization of quantum resistant cryptography. NIST is running a competition right now that should end up with one or more standards for quantum resistant cryptography. The NIST competition applies criteria that should filter out a type of quantum resistant cryptography that is feasible for a wide range of systems. This takes time, though. There are some new algorithms submitted and assessing them must be done thoroughly. They intend to wrap things up around 2022–2024. From a blockchain perspective it is important to notice that a specific type of quantum resistant cryptography is excluded from the NIST competition: Stateful Hash-Based Signatures (LMS and XMSS). This is not because they are no good. In fact they are excellent, and XMSS is accepted to be provably quantum resistant. It’s due to the fact that implementations will need to be able to securely deal with the requirement to keep state, and this is not a given for most systems.
At this moment NIST intends to approve both LMS and XMSS for a specific group of applications that can deal with the stateful properties. The only loose end at this point is advice on which applications LMS and XMSS will be useful for and for which applications they are discouraged. These questions could be answered as soon as April this year. This means that quite likely LMS and XMSS will be the first type of standardized quantum resistant cryptography ever. To give a small hint: keeping state is pretty much a naturally added property of blockchain. (It does, however, require a specific design in the blockchain structure to implement XMSS, so even though blockchain is highly suited for XMSS, it still isn’t just a matter of copy and paste.) QRL is the only blockchain at this point in time that has a successful and externally audited implementation of XMSS.
In the next part I give the definition of a quantum resistant blockchain and what it takes for a blockchain to be labeled quantum resistant. I also elaborate on the fact that attempts to upgrade blockchains to quantum resistance will face some exclusive challenges due to the decentralized nature of blockchain, and why centralized systems like banks, e-mail and the rest of the internet will not face those challenges. You can continue reading part 3C here.
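To make the “keep state” requirement concrete, here is an added illustration (example code written for this article, not code from QRL, XMSS, LMS or any NIST submission): a few-time signer built from Lamport one-time keys, where the leaf index is the state. The `store` dict is a stand-in for durable storage; the essential rule it demonstrates is that the index is committed forward before a signature is ever released, so no one-time key can be used twice.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    # 256 bits of the message digest select which secret of each pair is revealed.
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def ots_keygen():
    # Lamport one-time key: 256 pairs of random secrets; public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def ots_sign(sk, msg: bytes):
    # Revealing half of each pair is exactly why a key must be used only once.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def ots_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


class StatefulSigner:
    """Few-time signer: n one-time keys plus a leaf index ("state") that only moves forward.
    `store` stands in for durable storage that must survive restarts (assumption of this demo)."""

    def __init__(self, n_keys: int, store: dict):
        self.keys = [ots_keygen() for _ in range(n_keys)]
        self.store = store
        self.store.setdefault("next_index", 0)

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        idx = self.store["next_index"]
        if idx >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; a fresh key set is required")
        # Commit the advanced state first: if this write fails, no signature is released,
        # so a crash can never leave a signature whose key is still marked as unused.
        self.store["next_index"] = idx + 1
        return idx, ots_sign(self.keys[idx][0], msg)


def verify(pks, msg: bytes, idx: int, sig) -> bool:
    return 0 <= idx < len(pks) and ots_verify(pks[idx], msg, sig)
```

A real XMSS/LMS implementation uses Winternitz one-time keys under a Merkle tree, but the state-handling rule is the same: advance and persist the index before the signature leaves the signer.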