25 Jul 25

Quantum-Proof Blockchains: The Race to Post-Encryption Protocols

Discover how quantum-proof blockchains are leading the race to secure digital assets with post-quantum encryption protocols designed to withstand the power of quantum computing.


Modern encryption has served as a powerful way to protect data online for years now. But even the most optimistic experts claim that it will stand no chance against quantum computers. This has led to the rise of post-quantum cryptography.

What is post-quantum cryptography?

It is a branch of cryptography created to withstand the threat of quantum computers. Experts claim that this is a very real threat even now: online criminals can already store encrypted data today and decrypt it at a later date, which will be a simple thing to do once quantum technology matures. Researchers have named the day this becomes possible “Q-day,” and it is something that greatly concerns blockchain developers.

Developers of some of the most advanced blockchains have already responded to this future threat. This includes Polkadot 3.0’s integration of CRYSTALS-Kyber and the STARK proofs in zkSync (Boojum upgrade). It is important to note that developers have taken the threat very seriously, and are actively experimenting with building post-quantum protocols in an attempt to tackle this problem.

The ticking quantum clock

Quantum computers pose a significant threat to the current state of modern security. This is because they are not just faster versions of regular computers. They are fundamentally different. Where regular computing relies on bits, which can be 0 or 1, quantum computing uses qubits, which can represent 0, 1, or a combination of both at the same time, thanks to the concept of superposition. This lets them tackle problems that are beyond the scope of regular computing.

Furthermore, two quantum algorithms in particular make them a major threat to modern cryptography:

  • Shor’s algorithm: An algorithm that can break RSA and ECC — the two asymmetric (public-key) algorithm families used for securing digital communication
  • Grover’s algorithm: An algorithm that weakens symmetric encryption by speeding up brute-force search quadratically, so a key of n bits offers only about n/2 bits of security against it

Thanks to these algorithms, most blockchain wallets, signatures, and even transaction histories would be vulnerable once quantum computers reach enough stable qubits. This is not a threat that is in the distant future, either. Most experts predict cryptographically relevant quantum computers by roughly 2031. In other words, the quantum clock is ticking, and developers have yet to create a real quantum-proof blockchain.

Why blockchains are a special target

Blockchain technology was made to be transparent and decentralized, and it was not designed to resist quantum threats. This makes it uniquely vulnerable to quantum computing.

If you think about it, blockchains already expose public keys by default, relying entirely on the secrecy of the private key for security. For example, in Bitcoin and other Unspent Transaction Output (UTXO) chains, public keys are revealed when the coins are spent. Similarly, Ethereum’s Externally-Owned Accounts (EOAs) leak their public keys during interactions.

For a quantum computer, recovering the private key from an exposed public key could be a trivial matter, meaning that all funds tied to that key, past and future, are in danger. On top of that, blockchains were designed to have irreversible transactions. This means that a bad actor could steal millions in crypto from old wallets, and there is no admin setting that can be used to freeze them or reverse the process and retrieve the funds.

As a result, quantum computers could make blockchain theft instant and permanent, and anyone in the world could be targeted. That includes dormant wallets that have been holding countless BTC, ETH, and other cryptocurrencies, even if the owners themselves have forgotten their keys. Most of these old wallets still use old key formats that have never been upgraded, and robbing them would be quick and simple for quantum computers.

Protocol strategies in the post-encryption era

As mentioned, most blockchains did not take the threat of quantum computing into account when they were initially created. Their developers have since become aware of the threat, and many different ecosystems have started working on ways to protect themselves, whether through quick fixes or complete overhauls of core cryptographic primitives. Many developers are working on post-quantum cryptography algorithms that could help protect their blockchains.

What are the most promising post-quantum cryptography algorithms?

There are several cryptographic algorithms being prepared for a world where traditional encryption no longer provides an adequate level of security. For example:

Drop-in PQC (Kyber, Dilithium)

Post-Quantum Cryptography (PQC) aims to replace vulnerable algorithms with alternatives built on problems that quantum computers are not known to solve efficiently. That means that solutions like RSA and ECDSA need to be replaced with CRYSTALS-Kyber for key encapsulation (encryption), and CRYSTALS-Dilithium for digital signatures.

Both of these are part of the NIST-approved quantum-resistant algorithms that show real promise when it comes to resisting quantum computing. As mentioned, Polkadot 3.0 is already testing both in its ecosystem, and the upgrades should be fairly simple to perform. All that is needed is to swap the old key types, so there is no need to overhaul the entire consensus model. The problem is that PQC keys and signatures are larger and slower to process, so additional optimization is needed to allow scaling.

Hybrid Handshakes (Chrome Model)

Thanks to its advanced technology and in-depth research, Google has been aware of the quantum computing threat for a long time now. This is why it has already introduced hybrid cryptographic handshakes to Google Chrome. This approach combines classical encryption with PQC, so that if either one is broken, the other still protects the session. Some blockchains are starting to adopt this model as well.

Hybrid schemes allow developers to introduce PQC gradually and keep it compatible with the current blockchain infrastructure. For now, implementing PQC is still in the early stages, and in many instances it is still purely theoretical, but even this might only be a temporary solution.

Proof-System Swaps (STARKs)

Some chains have attempted to overcome the public-key threat by adopting zero-knowledge proofs. These are systems that do not rely on key pairs for proving transactional validity. The previously mentioned zkSync Boojum upgrade, for example, was designed to replace SNARK circuits with STARK proofs.

STARK proofs are believed to be able to resist quantum computing, which means that STARK-based Layer-2 chains might be the key to achieving post-quantum scalability.

Quantum Key Distribution (QKD) sidechains

One of the more theoretical solutions is something called Quantum Key Distribution (QKD). The idea is to resist quantum computers by using quantum particles to exchange encryption keys. Several research teams have proposed QKD-enabled sidechains where every key exchange would use the laws of physics to ensure its security.

While this solution is considered to be cutting-edge, it is also very hardware-heavy and has a limited range. As such, it could be used to protect validator networks rather than user wallets, at least for now. Additional breakthroughs in this field could change this in the coming years, however, which is why many researchers remain optimistic.

Polkadot 3.0’s Kyber roll-out

Polkadot was among the first major blockchain ecosystems to actively deploy post-quantum cryptography at a protocol level. The project’s 3.0 roadmap explained that the network is rolling out support for ML-KEM, which is the NIST-standard implementation of CRYSTALS-Kyber, aimed at replacing both validator randomness and encryption on an account level.

Polkadot decided to go for Kyber because it represents an IND-CCA-2 secure key encapsulation mechanism. This means that it can resist advanced attacks, such as adaptive chosen ciphertext attacks, which is a major requirement for a network where attackers could see and interact with encrypted traffic. Polkadot can use this technology to secure messages flowing between different parachains.

Another key advantage of this approach lies in its small ciphertexts and keys. Unlike other post-quantum algorithms that greatly increase message size, Kyber has a more compact structure that keeps Polkadot’s messages lightweight, so they remain fast and do not overburden the chain.

zkSync Era & STARK proofs

As for Ethereum, one of its most promising approaches is zkSync, which is an ETH L2 solution created by Matter Labs. Matter Labs opted for a different solution than Polkadot, choosing to rely on STARK-based zero-knowledge proofs. This was further expanded upon with the recent Boojum upgrade, which introduced new STARK proofs that can run on regular, consumer GPUs, ensuring a practical decentralized proof generation.

SNARKs, which have been in use so far, rely on elliptic curve cryptography and trusted setups. STARKs, on the other hand, are hash-based and their setup is transparent. Their security depends on the hardness of collision-resistant hash functions, such as SHA-256, which is currently considered to be resistant to Grover’s algorithm.

Because of this, STARKs have an advantage over traditional proof systems, which will have to be completely cryptographically overhauled, whereas zkSync’s proof system is already quantum-resistant.

Another thing that zkSync uses to maintain Ethereum compatibility is a hybrid proof pipeline. With it, zkSync can convert its own STARK proofs into a form that is compatible with traditional SNARKs, and as such, can be verified on Ethereum’s Layer-1. This approach allows for faster and cheaper settlements on L1 chains, while it still maintains quantum resistance.

Other runners in the quantum-resistance race

While Polkadot and zkSync have been the main examples of how to reach quantum resistance in the blockchain sector, many others have been exploring various methods of protection.

One example is the messaging app Signal, which has introduced its new PQXDH protocol. This is a version of its X3DH key exchange meant to be more resilient to quantum computing threats. It utilizes CRYSTALS-Kyber, which is integrated into the initial exchange along with classical keys, therefore representing a hybrid model.

Another example is IBM’s z16 quantum-safe stacks. IBM has already started shipping its z16 mainframes with quantum-safe cryptographic stacks. Its solution is primarily meant to be used by banks and governments, which are also likely to be targeted by bad actors, and as such, must step up their quantum resistance.

Finally, there is also the EU’s Quantum Flagship — a program that has invested heavily in Quantum Key Distribution and post-quantum algorithms. The initiative has rolled out several projects aimed at strengthening security of telecoms and blockchains against quantum attacks.

Migration checklist

With quantum computing being a not-so-distant threat, anyone who could be a potential target, such as institutions, governments, and blockchains, needs to take steps to prepare. At this point, the shift to quantum computing is no longer a theoretical issue, but a matter of time. Even so, there is no need to panic; instead, developers should create a plan of action to prepare for the upcoming shift by taking steps such as:

Inventory crypto

The first step should be to create an inventory of cryptographic assets and map the public key cryptography within the system. That includes blockchain wallets, keys, authentication protocols, and the like.
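One way to start the inventory step above, as an added example that is not the article’s or any project’s own tooling: a scanner for OpenSSH public-key lines (authorized_keys / known_hosts format) that decodes each key blob, names the algorithm and flags it by quantum exposure. The sample key lines are constructed in-block with filler contents; the function names and the "Shor-breakable" / "review" labels are this example’s own choices.

```python
import base64
import struct

# Added example, not the article's own tooling: an "inventory crypto" scanner for
# OpenSSH public-key lines. It decodes each key blob, names the algorithm and flags
# it: RSA, DSA, ECDSA and Ed25519 all rest on factoring or discrete logs, which
# Shor's algorithm breaks. The sample keys built below are filler, not real keys.

def _ssh_string(blob: bytes, pos: int):
    # Read one length-prefixed SSH wire string; return (value, next_pos).
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def classify_key(line: str) -> dict:
    """Parse 'type base64blob [comment]' and report its quantum exposure."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    ktype, pos = _ssh_string(blob, 0)
    ktype = ktype.decode()
    if ktype != parts[0]:
        raise ValueError("key type prefix does not match blob")
    entry = {"type": ktype, "comment": " ".join(parts[2:]), "algorithm": "unknown"}
    if ktype == "ssh-rsa":  # blob = type, mpint e, mpint n
        _e, pos = _ssh_string(blob, pos)
        n, _ = _ssh_string(blob, pos)
        entry["algorithm"], entry["bits"] = "RSA", int.from_bytes(n, "big").bit_length()
    elif ktype.startswith("ecdsa-sha2-"):  # blob = type, curve name, point
        curve, _ = _ssh_string(blob, pos)
        entry["algorithm"] = "ECDSA/" + curve.decode()
    elif ktype in ("ssh-ed25519", "ssh-dss"):
        entry["algorithm"] = {"ssh-ed25519": "Ed25519", "ssh-dss": "DSA"}[ktype]
    # Every recognised type is Shor-breakable; unknown types need a manual review.
    entry["quantum_risk"] = "review" if entry["algorithm"] == "unknown" else "Shor-breakable"
    return entry

def _wire(*fields: bytes) -> bytes:
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def constructed_samples() -> list:
    """Constructed key lines (NOT real keys): the numeric contents are filler."""
    rsa = _wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big"))
    ecdsa = _wire(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
    ed = _wire(b"ssh-ed25519", bytes(32))
    return ["# validator hosts (constructed)",
            "ssh-rsa " + base64.b64encode(rsa).decode() + " validator-1",
            "ecdsa-sha2-nistp256 " + base64.b64encode(ecdsa).decode() + " ci-deploy",
            "ssh-ed25519 " + base64.b64encode(ed).decode() + " alice@laptop"]

def inventory(lines) -> list:
    return [classify_key(l) for l in lines if l.strip() and not l.startswith("#")]
```

Running `inventory(constructed_samples())` yields one record per key with its algorithm, RSA modulus size and risk label, which is the raw material for the classification step that follows.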

Classify data

Teams should also note that not all data is equally vulnerable; the information most likely to be targeted is data that will still be valuable in the long term. This data can be targeted even now through “store now, decrypt later” attacks, where hackers start preparing the ground for a major attack a decade from now.

Pilot hybrid TLS 1.3 Handshakes

Developers should also consider adopting a hybrid encryption model, similarly to what Google Chrome has done, and use post-quantum key encapsulation mechanisms (KEMs) like Kyber together with their classical keys, where one can act as a backup for the other.
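The hybrid handshake described here and in the Chrome Model section above, as an added example that is not code from the article, from Chrome, or from any blockchain project: it folds a classical shared secret and a post-quantum KEM shared secret into one handshake key by concatenating them into the HKDF input, the approach taken by the IETF hybrid TLS design. The two shared secrets are stand-ins produced with `os.urandom` (a real client would get them from X25519 and ML-KEM), and the label string and `demo` function are this example’s own.

```python
import hashlib
import hmac
import os

# Added example, not code from the article, Chrome or any blockchain project: how a
# hybrid handshake folds a classical shared secret and a post-quantum KEM shared
# secret into one key, following the concatenation approach of the IETF hybrid TLS
# design. The two secrets are stand-ins (os.urandom) for X25519 and ML-KEM outputs.

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt = HashLen zeros."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def hybrid_handshake_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive a 32-byte handshake key from BOTH shared secrets.

    Both peers must agree on the order (classical first, then PQ). Because the
    concatenation is the HKDF input, an attacker needs both halves: recovering
    the classical half with Shor, or breaking the KEM alone, is not enough.
    """
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("each shared secret must be 32 bytes")
    prk = hkdf_extract(b"", ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid handshake key" + HASH(transcript).digest(), 32)

def demo() -> dict:
    """Constructed scenario: peers agree; an attacker holding only the classical
    secret (as a future Shor-capable machine would) cannot reproduce the key."""
    ss_classical = os.urandom(32)   # stand-in for an X25519 shared secret
    ss_pq = os.urandom(32)          # stand-in for an ML-KEM (Kyber) shared secret
    transcript = b"ClientHello||ServerHello (constructed)"
    client_key = hybrid_handshake_key(ss_classical, ss_pq, transcript)
    server_key = hybrid_handshake_key(ss_classical, ss_pq, transcript)
    attacker_key = hybrid_handshake_key(ss_classical, bytes(32), transcript)
    return {"peers_agree": client_key == server_key,
            "attacker_matches": attacker_key == client_key}
```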

Evaluate wallets and signing schemes

The next step is to start testing post-quantum digital signature algorithms like Dilithium. They can be applied to user accounts, wallets, and even for proving validator identities.

Test post-quantum clients

L2 bridges and parachains should conduct regular tests of their post-quantum systems and always try to challenge their security measures in new ways. Quantum technology will continue to evolve even when it becomes commonplace, and security must follow as it always has.

Build internal policy and upgrade plans

Finally, teams should develop plans and roadmaps to introduce post-quantum upgrades over time, rather than having single large overhauls at once. This should be done before NIST finalises standard rollouts.

Conclusion

Quantum computing has been the talk of online security circles for years, and now, it is no longer something expected to arrive in the distant future. Experts predict that we are only a few short years from it becoming a reality, which poses a threat to anyone who does not prepare for it upfront, especially when it comes to banks, governments, enterprises, and blockchains, all of which handle either money, sensitive information, or both.

In terms of blockchain ecosystems, there are already some projects that have emerged as leaders in preparing for the post-quantum era, such as Polkadot 3.0 and zkSync. These projects are leading the way by introducing changes on a protocol level that can directly tackle quantum threats. However, most other chains are still doing little, if anything, to prepare, which is putting them in harm’s way, especially considering that bad actors are already preparing the ground for future attacks.

If you are a blockchain developer, ask yourself if your cryptography is ready to tackle the next series of challenges that quantum computing will bring. If not, start the migration now, before these threats become a reality.

Glossary

  • Post-Quantum Cryptography (PQC) — Encryption methods designed to resist attacks from quantum computing by replacing vulnerable algorithms.
  • Zero-Knowledge Proof (ZKP) — A cryptographic method that proves something is true without revealing the information.
  • Ethereum Layer-2 — A secondary protocol built on top of Ethereum’s main network to process transactions faster and at lower cost.
  • QKD (Quantum Key Distribution) — A method of sending encryption keys using quantum physics.

FAQ

Will symmetric AES-256 survive quantum computing?

Yes, according to current estimates, AES-256 should remain secure. While quantum computers can speed up brute-force attacks, the AES-256 key length is considered strong enough to resist.

What is post-quantum encryption?

Post-quantum encryption is a type of encryption that uses algorithms designed to resist attacks from quantum computers.

What are the main differences between post-quantum cryptography and traditional cryptography?

Traditional cryptography relies on problems like discrete logarithms and factoring, which quantum computers can break. Post-quantum cryptography uses problems that are too difficult for even quantum machines to solve with ease, such as lattice problems and the security of hash functions.

How soon will quantum computers break current encryption?

Experts believe that we are only five to ten years away from quantum computing reaching this level of capability, with some arguing that it might happen even sooner.

Are blockchains more vulnerable to quantum threats?

Yes, because their public keys are exposed and transactions are irreversible.

What blockchains are quantum-resistant?

Right now, Polkadot and zkSync are considered the leaders in quantum resistance thanks to recent implementations of new technologies.
