Part 5. I'm writing a series about blockchain tech and possible future security risks. This is the fifth part of the series talking about an advanced vulnerability of BTC.
The previous parts will give you usefull basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part. Part 1, what makes blockchain reliable? Part 2, The mathematical concepts Hashing and Public key cryptography. Part 3, Quantum resistant blockchain vs Quantum computing. Part 4A, The advantages of quantum resistance from genesis block, A Part 4B, The advantages of quantum resistance from genesis block, A Why BTC is vulnerable for quantum attacks sooner than you would think. Content: The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.” Already exposed public keys. Hijacking transactions. Hijacks during blocktime Hijacks pre-blocktime. MITM attacks - Why BTC is vulnerable for quantum attacks sooner than you would think. - Blockchain transactions are secured by public-private key cryptography. The keypairs used today will be at risk when quantum computers reach a certain critical level: Quantum computers can at a certain point of development, derive private keys from public keys. See for more sourced info on this subject in part 3. So if a public key can be obtained by an attacker, he can then use a quantum computer to find the private key. And as he has both the public key and the private key, he can control and send the funds to an address he owns. Just to make sure there will be no misconceptions: When public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, this will be an issue for all blockchains who don't use quantum resistant cryptography. The reason this article is about BTC is because I take this paper as a reference point: https://arxiv.org/pdf/1710.10377.pdf Here they calculate an estimate when BTC will be at risk while taking the BTC blocktime as the window of opportunity. The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.” In pretty much every discussion I've read and had on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as a send-to address. So in theory, all funds are registered on the chain on hashed public keys instead of to the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, therefore there is no risk that a quantum computer can derive the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from will be registered in full form in the blockchain. So if you were to only send part of your funds, leaving the rest on the old address, your remaining funds would be on a published public key, and therefore vulnerable to quantum attacks. So the workaround would be to transfer the remaining funds, within the same transaction, to a new address. In that way, your funds would be once again registered on the blockchain on a hashed public key instead of a full, original public key. If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way: You control your funds through your public- private key pair. Your funds are registered on your public key. And you can create transactions, which you need to sign to be valid. You can only create a signature if you have your private key. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. So the analogy is, that if you got your address and your password, then you can access your mail and send emails (Transactions). If the right quantum computer would be available, people could use that to calculate your password (private key), if they have your email address (public key). Now, because BTC doesn’t show your full public key anywhere until you make a transaction. That sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. Here is a short explanation of what a hash is: a hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output; but every time you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain, they are registered on "G". So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to. As said before: since it is, even for a quantum computer, impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as the public key is only registered in hashed form. The obvious safe method would be, never to reuse an address, and always make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant, if used correctly. This, however, is not as simple as it seems. Even though the above is correct, there is a way to get to your funds. Already exposed public keys. But before we get to that, there is another point that is often overlooked: Not only is the security of your personal BTC is important, but also the security of funds of other users. If others got hacked, the news of the hack itself and the reaction of the market to that news, would influence the marketprice. Or, if a big account like the Satoshi account were to be hacked and dumped, the dump itself, combined with the news of the hack, could be even worse. An individual does not have the control of other people’s actions. So even though one might make sure his public key is only registered in hashed form, others might not do so, or might no know their public key is exposed. There are several reasons why a substantial amount of addresses actually have exposed full public keys:
Only unused addresses are quantum secure, but in reality, there are a lot of people, who reuse addresses. (To clarify: with unused I mean an address that has only been used to deposit money on, and not used to make transactions from. Because if you make a deposit, your public key stays hidden, but if you make a transaction from that address to another address, your public key will be revealed.)
Bitcoin transactions with P2PK UTXOs, so these are the addresses from the period that public keys were not hashed, but published in full. (about 1.77 million BTC fall into this category) (https://eprint.iacr.org/2018/213.pdf p. 7) This includes the Satoshi funds.
Any other revealing of public keys, such as part of signed messages to ensure integrity, in forums, or in payment channels (e.g. Lightning Network ). (https://eprint.iacr.org/2018/213.pdf p. 7)
In total, about 36% of all BTC are on addresses with exposed public keysOf which about 20% is on lost addresses. and here Hijacking transactions. But even if you consider the above an acceptable risk, just because you yourself will make sure you never reuse an address, then still, the fact that only the hashed public key is published until you make a transaction is a false sense of security. It only works, if you never make a transaction. Why? Public keys are revealed while making a transaction, so transactions can be hijacked while being made. Here it is important to understand two things: 1.) How is a transaction sent? The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address. When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender. That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the address the funds will be transferred to (depending on the blockchain this could be the hashed public key, or the original public key of the address the funds will be transferred to). This package also carries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightful owner and you can send funds from that public key. Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity”, because the sender proofs he is the rightful owner by adding the signature that corresponds with the public key. And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node. 2.) How is a transaction confirmed/ fulfilled and registered on the blockchain? After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes. If we process the information written above, we will see that there are two moments where you can actually see the public key, while the transaction is not fulfilled and registered on the blockchain yet. 1: during the time the transaction is sent from the sender to the nodes 2: during the time the nodes verify the transaction. (The blocktime) Hijacks during blocktime This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else’s address and send his coins to an address you own during moment 2: the time the nodes verify the transaction: https://arxiv.org/pdf/1710.10377.pdf "(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." (Page 8, point 3.) So this means that BTC obviously is not a quantum secure blockchain. Because as soon as you will touch your funds and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack. Hijacks pre-blocktime. The story doesn't end here. The paper doesn't describe the posibility of a pre-blocktime hijack. So back to the paper: as explained, while making a transaction your public key is exposed for at least the transaction time. This transaction time is 10 minutes where your transaction is being confirmed during the 10 minute block time. That is the period where your public key is visible and where, as described in the paper, a transaction can be hijacked, and by using quantum computers, a forged transaction can be made. So the critical point is determined to be the moment where quantum computers can derive private keys from public keys within 10 minutes. Based on that 10 minute period, they calculate (estimate) how long it will take before QC's start forming a threat to BTC. (“ By our most optimistic estimates, as early as 2027 a quantum computer could exist that can break the elliptic curve signature scheme in less than 10 minutes, the block time used in Bitcoin.“ This is also shown in figure 4 on page 10 and later more in depth calculated in appendix C, where the pessimistic estimate is around 2037.) But you could extend that 10 minutes through network based attacks like DDoS, BGP routing attacks, NSA Quantum Insert, Eclipse attacks, MITM attacks or anything like that. (And I don’t mean you extend the block time by using a network based attack, but you extend the time you have access to the public key before the transaction is confirmed.) Bitcoin would be earlier at risk than calculated in this paper. Also other Blockchains with way shorter block times imagine themselves safe for a longer period than BTC, but with this extension of the timeframe within which you can derive the private key, they too will be vulnerable way sooner. Not so long ago an eclipse attack demonstrated it could have done the trick. and here Causing the blockchain to work over max capacity, means the transactions will be waiting to be added to a block for a longer time. This time needs to be added on the blocktime, expanding the period one would have time to derive the private key from the public key. That seems to be fixed now, but it shows there are always new attacks possible and when the incentive is right (Like a few billion $ kind of right) these could be specifically designed for certain blockchains. MITM attacks An MITM attack could find the public key in the first moment the public key is exposed. (During the time the transaction is sent from the sender to the nodes) So these transactions that are sent to the network, contain public keys that you could intercept. So that means that if you intercept transactions (and with that the private keys) and simultaneously delay their arrival to the blockchain network, you create extra time to derive the private key from the public key using a quantum computer. When you done that, you send a transaction of your own before the original transaction has arrived and is confirmed and send funds from that stolen address to an address of your choosing. The result would be that you have an extra 10, 20, 30 minutes (or however long you can delay the original transactions), to derive the public key. This can be done without ever needing to mess with a blockchain network, because the attack happens outside the network. Therefore, slower quantum computers form a threat. Meaning that earlier models of quantum computers can form a threat than they assume now. When MITM attacks and hijacking transactions will form a threat to BTC, other blockchains will be vulnerable to the same attacks, especially MITM attacks. There are ways to prevent hijacking after arrival at the nodes. I will elaborate on that in the next article. At this point of time, the pub key would be useless to an attacker due to the fact there is no quantum computer available now. Once a quantum computer of the right size is available, it becomes a problem. For quantum resistant blockchains this is differetn. MITM attacks and hijacking is useless to quantum resistant blockchains like QRL and Mochimo because these projects use quantum resistant keys.
“We only have public keys in hashed form published. Even quantum computers can't reverse the Hash, so no one can use those public keys to derive the private key. That's why we are quantum resistant.” This is incorrect.
This example has been explained in the previous article. To summarize: Hashed public keys can be used as an address for deposits. Deposits do not need signature authentication. Alternatively, withdrawals do need signature authentication. To authenticate a signature, the public key will always need to be made public in full, original form. As a necessary requirement, the full public key would be needed to spend coins. Therefore the public key will be included in the transaction. The most famous blockchain to use hashed public keys is Bitcoin. Transactions can be hijacked during the period a user sends a transaction from his or her device to the blockchain and the moment a transaction is confirmed. For example: during Bitcoins 10 minute blockchain, the full public keys can be obtained to find private keys and forge transactions. Page 8, point 3 Hashing public keys does have advantages: they are smaller than the original public keys. So it does save space on the blockchain. It doesn't give you Quantum Resistance however. That is a misconception.
“Besides having only hashed public keys on the blockchain, we also have instant transactions. So there is no time to hijack a transaction and to obtain the public key fast enough to forge a transaction. That's why we are quantum resistant.” This is incorrect and impossible.
There is no such thing as instant transactions. A zero second blocktime for example is a claim that can’t be made. Period. Furthermore, transactions are collected in pools before they are added to a block that is going to be processed. The time it takes for miners to add them to a new block before processing that block depends on the amount of transactions a blockchain needs to process at a certain moment. When a blockchain operates within its maximum capacity (the maximum amount of transactions that a blockchain can process per second), the adding of transactions from the pool will go quite swiftly, but still not instantaneously. However, when there is high transaction density, transactions can be stuck in the pool for a while. During this period the transactions are published and the full public keys can be obtained. Just as with the previous hijacking example, a transaction can be forged in that period of time. It can be done when the blockchain functions normally, and whenever the maximum capacity is exceeded, the window of opportunity grows for hackers. Besides the risk that rush hours would bring by extending the time to work with the public key and forge transactions, there are network based attacks that could serve the same purpose: slow the confirmation time and create a bigger window to forge transactions. These types are attacks where the attacker targets the network instead of the sender of the transaction: Performing a DDoS attack or BGP routing attack or NSA Quantum Insert attack on a peer-to-peer network would be hard. But when provided with an opportunity to earn billions, hackers would find a way. For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/ For BTC: https://eprint.iacr.org/2015/263.pdf An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain. That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do. This specific example seems to be fixed now, but it most definitely shows there is a risk of other variations to be created. Keep in mind, before this variation of attack was known, the common opinion was that it was impossible. With little incentive to create such an attack, it might take a while until another one is developed. But when the possession of full public keys equals the possibility to forge transactions, all of a sudden billions are at stake.
“Besides only using hashed public keys as addresses, we use the First In First Out (FIFO) mechanism. This solves the forged transaction issue, as they will not be confirmed before the original transactions. That's why we are quantum resistant.” This is incorrect.
There is another period where the public key is openly available: the moment where a transaction is sent from the users device to the nodes on the blockchain network. The sent transaction can be delayed or totally blocked from arriving to the blockchain network. While this happens the attacker can obtain the public key. This is a man-in-the-middle (MITM) attack. A MITM is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. No transaction is 100% safe from a MITM attack. This type of attack isn’t commonly known amongst average usergroups due to the fact communication is done either encrypted or by the use of private- public key cryptography. Therefore, at this point of time MITM attacks are not an issue, because the information in transactions is useless for hackers. To emphasize the point made: a MITM attack can be done at this point of time to your transactions. But the information obtained by a hacker is useless because he can not break the cryptography. The encryption and private- public key cryptography is safe at this point of time. ECDSA and RSA can not be broken yet. But in the era of quantum computers the problem is clear: an attacker can obtain the public key and create enough time to forge a transaction which will be sent to the blockchain and arrive there first without the network having any way of knowing the transaction is forged. By doing this before the transaction reaches the blockchain, FIFO will be useless. The original transaction will be delayed or blocked from reaching the blockchain. The forged transaction will be admitted to the network first. And First In First Out will actually help the forged transaction to be confirmed before the original.
“Besides having only hashed public keys, we use small standardized fees. Forged transactions will not be able to use higher fees to get prioritized and confirmed before the original transactions, thus when the forged transaction will try to confirm the address is already empty. This is why we are quantum resistant.” This is incorrect.
The same arguments apply as with the FIFO system. The attack can be done before the original transaction reaches the network. Thus the forged transaction will still be handled first no matter the fee hight.
“Besides the above, we use multicast so all nodes receive the transaction at the same time. That's why we are quantum resistant.” This is incorrect.
Multicast is useless against a MITM attack when the attacker is close enough to the source.
“Besides the above, we number all our transactions and authenticate nodes so the user always knows who he's talking to. That's why we are quantum resistant.” This is incorrect.
Besides the fact that you’re working towards a centralized system if only verified people can become nodes. And besides the fact that also verified nodes can go bad and work with hackers. (Which would be useless if quantum resistant signature schemes would be implemented because a node or a hacker would have no use for quantum resistant public keys and signatures.) There are various ways of impersonating either side of a communication channel. IP-spoofing, ARP-spoofing, DSN-spoofing etc. All a hacker needs is time and position. Time can be created in several ways as explained above. All the information in the transaction an original user sends is valid. When a transaction is hijacked and the communication between the user and the rest of the network is blocked, a hacker can copy that information to his own transaction while using a forged signature. The only real effective defense against MITM attacks can be done on router or server-side by a strong encryption between the client and the server (Which in this case would be quantum resistant encryption, but then again you could just as well use a quantum resistant signature scheme.), or you use server authentication but then you would need that to be quantum resistant too. There is no serious protection against MITM attacks when the encryption of the data and the authentication of a server can be broken by quantum computers. Only quantum resistant signature schemes will secure blockchain to quantum hacks. Every blockchain will need their users to communicate their public key to the blockchain to authenticate signatures and make transactions. There will always be ways to obtain those keys while being communicated and to stretch the period where these keys can be used to forge transactions. Once you have, you can move funds to your own address, a bitcoin mixer, Monero, or some other privacy coin. Conclusion There is only one way to currently achieve Quantum Resistance: by making sure the public key can be made public without any risks, as is done now in the pre-quantum period and as Satoshi has designed blockchain. Thus by the use of quantum resistant signature schemes. The rest is all a patchwork of risk mitigation and delaying strategies; they make it slightly harder to obtain a public key and forge a transaction but not impossible. Addition And then there is quite often this strategy of postponing quantum resistant signature schemes
“Instead of ECDSA with 256 bit keys we will just use 384 bit keys. And after that 521 bit keys, and then RSA 4096 keys, so we will ride it out for a while. No worries we don’t need to think about quantum resistant signature schemes for a long time.” This is highly inefficient, and creates more problems than it solves.
Besides the fact that this doesn’t make a project quantum resistant, it is nothing but postponing the switch to quantum resistant signatures, it is not a solution. Going from 256 bit keys to 384 bit keys would mean a quantum computer with ~ 3484 qubits instead of ~ 2330 qubits could break the signature scheme. That is not even double and postpones the problem either half a year or one year, depending which estimate you take. (Doubling of qubits every year, or every two years). It does however have the same problems as a real solution and is just as much work. (Changing the code, upgrading the blockchain, finding consensus amongst the nodes, upgrading all supporting systems, hoping the exchanges all go along with the new upgrade and migrate their coins, heaving all users migrate their coins.) And then quite soon after that, they'll have to go at it again. What they will do next? Go for 512 bit curves? Same issues. It's just patchworks and just as much hassle, but then over and over again for every “upgrade” from 384 to 521 etc. And every upgrade the signatures get bigger, and closer to the quantum resistant signature sizes and thus the advantage you have over blockchains with quantum resistant signature schemes gets smaller. While the quantum resistant blockchains are just steady going and their users aren’t bothered with all the hassle. At the same time the users of the blockchain that is constantly upgrading to a bigger key size, keep on needing to migrate their coins to the new and upgraded addresses to stay safe.
I decided to post this here as I saw some questions on the QRL discord.
Is elliptic curve cryptography quantum resistant?
Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea from that never reusing a private key (and public key since they form a pair) from elliptic curve cryptography would be quantum resistant.)
Why would Nexus be any differtent?
Why are WOTS+ signatures (and by extension XMSS) quantum resistant?
What is WOTS+?
What are the risks of WOTS+?
How is XMSS different?
Is elliptic curve cryptography quantum resistant? No. Using a quantum computer, Shor's algorithm can be used to break Elliptic Curve Digital Signature Algorithm (ECDSA). Meaning: they can derive the private key from the public key. So if they got your public key, they got your private key, and they can empty your funds. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attackshttps://eprint.iacr.org/2017/598.pdf Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea from that never reusing a private key from elliptic curve cryptography (and public key since they form a pair) would be quantum resistant.) Ok, just gonna start with the basics here. Your address, where you have your coins stalled, is locked by your public- private key pair. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. If you got your address and your password, then you can access your mail and send emails (Transactions). Now if there would be a quantum computer, people could use that to calculate your password/ private key, if they have your email address/ public key. What is the case with BTC: they don't show your public key anywhere, untill you make a transaction. So your public key is private untill you make a transaction. How do they do that while your funds must be registered on the ledger? Wel, they only show the Hash of your public key (A hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output. But everytime you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key IFUHE8392ISHF, while on the chain, they are on G.) So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to. By the way, in the early days you could use your actual public key as your address. And miners would receive coins on their public key, not on the hashed public key. That is why all the Satoshi funds are vulnerable to quantum attacks even though these addresses have never been used to make transactions from. These public keys are already public instead of hashed. Also certain hard forks have exposed the public keys of unused addresses. So it's really a false sense of security that most people hang on to in the first place. But it's actually a false sense of security over all. Since it is impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as you don't make any transaction. Now here follows the biggest misconseption: Pretty much everyone will think, great, so BTC is quantum secure! It's not that simple. Here it is important to understand two things: 1 How is a transaction sent? The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address. When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction that will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender. That package ends up carrying roughly the following info: The public key to point to the address where the funds will be coming from, the amount that will be transferred, the public key of the address the funds will be transferred to. Then this package caries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightfull owner and you can send funds from that public key. So this package is then sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity." And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node. 2 How is a transaction confirmed/ fullfilled and registered on the blockchain? After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes. If you comprehend the information written above, you can see that there are two moments where you can actually see the public key, while the transaction is not fullfilled and registered on the blockchain yet. 1: during the time the transaction is sent from the sender to the nodes 2: during the time the nodes verify the transaction. This paper describes how you could hijack a transaction and make a new transaction of your own, using someone elses address to send his coins to an address you own during moment 2: the time the nodes verify the transaction: https://arxiv.org/pdf/1710.10377.pdf "(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." So this means that practically, you can't call BTC a quantum secure blockchain. Because as soon as you will touch your coins and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack. Why would Nexus be any differtent? If you ask the wrong person they will tell you "Nexus uses a combination of the Skein and Keccak algorithms which are the 2 recognized quantum resistant algorithms (keccal is used by the NSA) so instead of sha-256, Nexus has SK-1024 making it much harder to break." Which would be the same as saying BTC is quantum resistant because they use a Hashing function to hash the private key as long as no transaction is made. No, this is their sollid try to be quantum resistant: Nexus states it's different because they have instant transactions (So there wouldn't be a period during which time the nodes verify the transaction. This period would be instant.) Also they use a particular order in which the miners verify transactions: First-In-First-Out (FIFO) (So even if instant is not instant after all, and you would be able to catch a public key and derive the private key, you would n't be able to have your transaction signed before the original one. The original one is first in line, and will therefore be confirmed first. Also for some reason Nexus has standardized fees which are burned after a transaction. So if FIFO wouldn't do the trick you would not be able to use a higher fee to get prioritized and get an earlyer confirmation. So, during during the time the nodes verify the transaction, you would not be able to hijack a transaction. GREAT, you say? Yes, great-ish. Because there is still moment # 1: during the time the transaction is sent from the sender to the nodes. This is where network based attacks could do the trick: There are network based attacks that can be used to delay or prevent transactions to reach nodes. In the mean time the transactions can be hijacked before they reach the nodes. And thus one could hijack the non quantum secure public keys (they are openly included in sent signed transactions) who then can be used to derive privatekeys before the original transaction is made. So this means that even if Nexus has instant transactions in FIFO order, it is totally useless, because the public key would be obtained by the attacker before they reach the nodes. Conclusion: Nexus is Nnot quantum resistant. You simply can't be without using a post quantum signature scheme. Performing a DDoS attack or BGP routing attacks or NSA Quantum Insert attacks on a peer to peer newtork would be hard. But when provided with an opportunitiy to steal billions, hackers would find a way. For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/ For BTC: https://eprint.iacr.org/2015/263.pdf "An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain." That is exactly the receipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do. By the way, yes this seems to be fixed now, but it most definately shows it's possible. And there are other creative options. Either you stop tranasctions from the base to get out, while the sender thinks they're sent, or you blind the network and catch transactions there. There are always options, and they will be exploited when billions are at stake. The keys can also be hijacked when a transaction is sent from the users device to the blockchain network using a MITM attack. The result is the same as for network based attacks, only now you don't mess with the network itself. These attacks make it possible to 1) retrieve the original public key that is included in the transaction message. 2) Stop or delay the transaction message to arrive at the blockchain network. So, using a quantum computer, you could hijack transactions and create forged transactions, which you then send to the nodes to be confirmed before the nodes even receive the original transaction. There is nothing you could change to the Nexus network to prevent this. The only thing they can do is implement a quantum resistant signature scheme. They plan to do this in the future, like any other serious blockchain project. Yet Nexus is the only of these future quantum resistant projects to prematurely claim to be quantum resistant. There is only one way to get quantum resistancy: POST QUANTUM SIGNATURE SCHEMES. All the rest is just a shitty shortcut that won't work in the end. (If you use this info on BTC, you will find that the 10 minutes blocktime that is used to estimate when BTC will be vulnerable for quantum attacks, can actually be more then 10 minutes if you catch the public key before the nodes receive them. This makes BTC vulnerable sooner thatn the 10 min blocktime would make you think.) By the way, Nexus using FIFO and standadrized fees which are burned after the transaction comes with some huge downsides:
FIFO: If there are a lot of transactions, there would be nothing you can do to create a faster transaction. If you need a quick transaction during rush hours, you can’t pay a higher fee to get priority.
Fees are burned after the transactions. This means they are not sent to miners, which would lesser the incentive to mine. Also, because only Blockrewards pay miners, what if the max supply is reached in the future and there is nothing to pay out blockrewards? What would be the incentive to mine or stake?
The risk that comes with small standardized fees is that when someone is willing to pay to harm or spam your chain, they can force spam or small transactions into the system without you being able to stop them. (Miners wouldn't be able to exclude lower fee transactions containing spam or extremely small amounts meant for clogging the chain)
Another risk that comes with small standardized fees would be this: How do you prevent big backlog if there is no higher fee incentive for miners at rush hours to come mine? Usually fees follow the free market? So the larger the backlog of transactions, the higher the fees usually are. This then leads to more miners joining in and that way reducing backlog. Having fixed fees would cancel out that possibility. So the risk of backlog would be huge.
Why are WOTS+ signatures (and by extension XMSS) more quantum resistant? First of all, this is where the top notch mathematicians work their magic. Cryptography is mostly maths. As Jackalyst puts it talking about post quantum signature schemes: "Having papers written and cryptographers review and discuss it to nauseating levels might not be important for butler, but it's really important with signature schemes and other cryptocraphic methods, as they're highly technical in nature." If you don't believe in math, think about Einstein using math predicting things most coudldn't even emagine, let alone measure back then. Then there is implementing it the right way into your blockchain without leaving any backdoors open. So why is WOTS+ and by extension XMSS quantum resistant? Because math papers say so. With WOTS it would even take a quantum computer too much time to derive a private key from a public key. https://en.wikipedia.org/wiki/Hash-based_cryptographyhttps://eprint.iacr.org/2011/484.pdf What is WOTS+? It's basiclally an optimized version of Lamport-signatures. WOTS+ (Winternitz one-time signature) is a hash-based, post-quantum signature scheme. So it's a post quantum signature scheme meant to be used once. What are the risks of WOTS+? Because each WOTS publishes some part of the private key, they rapidly become less secure as more signatures created by the same public/private key are published. The first signature won't have enough info to work with, but after two or three signatures you will be in trouble. IOTA uses WOTS. Here's what the people over at the cryptography subreddit have to say about that: https://www.reddit.com/crypto/comments/84c4ni/iota_signatures_private_keys_and_address_reuse/?utm_content=comments&utm_medium=user&utm_source=reddit&utm_name=u_QRCollector With the article: http://blog.lekkertech.net/blog/2018/03/07/iota-signatures/ Mochimo uses WOTS+. They kinda solved the problem: A transaction consists of a "Source Address", a "Destination Address" and a "Change Address". When you transact to a Destination Address, any remaining funds in your Source Address will move to the Change Address. To transact again, your Change Address then becomes your Source Address. But what if someone already has your first address and is unaware of the fact you already send funds from that address? He might just send funds there. (I mean in a business environment this would make Mochimo highly impractical.) They need to solve that. Who knows, it's still a young project. But then again, for some reason they also use FIFO and fixed fees, so there I have the same objections as for Nexus. How is XMSS different? XMSS uses WOTS in a way that you can actually reuse your address. WOTS creates a quantum resistant one time signature and XMSS creates a tree of those signatures attached to one address so that the address can be reused for sending an asset.
Abstract As the most successful cryptocurrency to date, Bitcoin constitutes a target of choice for attackers. While many attack vectors have already been uncovered, one important vector has been left out though: attacking the currency via the Internet routing infrastructure itself. Indeed, by manipulating routing advertisements (BGP hijacks) or by naturally intercepting traffic, Autonomous Systems (ASes) can intercept and manipulate a large fraction of Bitcoin traffic. This paper presents the first taxonomy of routing attacks and their impact on Bitcoin, considering both small-scale attacks, targeting individual nodes, and large-scale attacks, targeting the network as a whole. While challenging, we show that two key properties make routing attacks practical: (i) the efficiency of routing manipulation; and (ii) the significant centralization of Bitcoin in terms of mining and routing. Specifically, we find that any network attacker can hijack few (<100) BGP prefixes to isolate ~50% of the mining power---even when considering that mining pools are heavily multi-homed. We also show that on-path network attackers can considerably slow down block propagation by interfering with few key Bitcoin messages. We demonstrate the feasibility of each attack against the deployed Bitcoin software. We also quantify their effectiveness on the current Bitcoin topology using data collected from a Bitcoin supernode combined with BGP routing data. The potential damage to Bitcoin is worrying. By isolating parts of the network or delaying block propagation, attackers can cause a significant amount of mining power to be wasted, leading to revenue losses and enabling a wide range of exploits such as double spending. To prevent such effects in practice, we provide both short and long-term countermeasures, some of which can be deployed immediately. References  “A Next-Generation Smart Contract and Decentralized Application Platform ,” https://github.com/ethereum/wiki/wiki/White-Paper.  “Bitcoin Blockchain Statistics,” https://blockchain.info/.  “bitnodes,” https://bitnodes.21.co/.  “Bitnodes. Estimating the size of Bitcoin network,” https://bitnodes.21.co/.  “CAIDA Macroscopic Internet Topology Data Kit.” https://www.caida.org/data/internet-topology-data-kit/.  “Dyn Research. Pakistan hijacks YouTube.” http://research.dyn.com/2008/02/pakistan-hijacks-youtube-1/.  “FALCON,” http://www.falcon-net.org/.  “FIBRE,” http://bitcoinfibre.org/.  “Litecoin ,” https://litecoin.org.  “RIPE RIS Raw Data,” https://www.ripe.net/data-tools/stats/ris/ris-raw-data.  “Routeviews Prefix to AS mappings Dataset (pfx2as) for IPv4 and IPv6.” https://www.caida.org/data/routing/routeviews-prefix2as.xml.  “Scapy.” http://www.secdev.org/projects/scapy/.  “The Relay Network,” http://bitcoinrelaynetwork.org/.  “ZCash,” https://z.cash/.  A. M. Antonopoulos, “The bitcoin network,” in Mastering Bitcoin. O’Reilly Media, Inc., 2013, ch. 6.  H. Ballani, P. Francis, and X. Zhang, “A Study of Prefix Hijacking and Interception in the Internet,” ser. SIGCOMM ’07. New York, NY, USA: ACM, 2007, pp. 265–276.  A. Boldyreva and R. Lychev, “Provable Security of S-BGP and Other Path Vector Protocols: Model, Analysis and Extensions,” ser. CCS ’12. New York, NY, USA: ACM, 2012, pp. 541–552.  J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, “Sok: Research perspectives and challenges for bitcoin and cryptocurrencies,” in Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 2015, pp. 104–121.  P. Bosshart, D. Daly, G. Gibb, M. Izzard, N. McKeown, J. Rexford, C. Schlesinger, D. Talayco, A. Vahdat, G. Varghese et al., “P4: Programming protocol-independent packet processors,” ACM SIGCOMM Computer Communication Review, vol. 44, no. 3, pp. 87–95, 2014.  C. Decker and R. Wattenhofer, “Information propagation in the bitcoin network,” in Peer-to-Peer Computing (P2P), 2013 IEEE Thirteenth International Conference on. IEEE, 2013, pp. 1–10.  ——, Bitcoin Transaction Malleability and MtGox. Cham: Springer International Publishing, 2014, pp. 313–326. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-11212-1_18  M. Edman and P. Syverson, “As-awareness in tor path selection,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS ’09, 2009.  I. Eyal, “The miner’s dilemma,” in 2015 IEEE Symposium on Security and Privacy. IEEE, 2015, pp. 89–103.  I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vulnerable,” in Financial Cryptography and Data Security. Springer, 2014, pp. 436–454.  N. Feamster and R. Dingledine, “Location diversity in anonymity networks,” in WPES, Washington, DC, USA, October 2004.  J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone protocol: Analysis and applications,” in Advances in Cryptology-EUROCRYPT 2015. Springer, 2015, pp. 281–310.  A. Gervais, G. O. Karama, V. Capkun, and S. Capkun, “Is bitcoin a decentralized currency?” IEEE security & privacy, vol. 12, no. 3, pp. 54–60, 2014.  A. Gervais, H. Ritzdorf, G. O. Karame, and S. Capkun, “Tampering with the delivery of blocks and transactions in bitcoin,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’15. New York, NY, USA: ACM, 2015, pp. 692–705.  P. Gill, M. Schapira, and S. Goldberg, “Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security,” ser. SIGCOMM ’11. New York, NY, USA: ACM, 2011, pp. 14–25.  S. Goldberg, M. Schapira, P. Hummon, and J. Rexford, “How Secure Are Secure Interdomain Routing Protocols,” in SIGCOMM, 2010.  E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, “Eclipse attacks on bitcoin’s peer-to-peer network,” in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 129–144.  Y.-C. Hu, A. Perrig, and M. Sirbu, “SPV: Secure Path Vector Routing for Securing BGP,” ser. SIGCOMM ’04. New York, NY, USA: ACM, 2004, pp. 179–192.  J. Karlin, S. Forrest, and J. Rexford, “Pretty Good BGP: Improving BGP by Cautiously Adopting Routes,” in Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols, ser. ICNP ’06. Washington, DC, USA: IEEE Computer Society, 2006, pp. 290–299.  E. K. Kogias, P. Jovanovic, N. Gailly, I. Khoffi, L. Gasser, and B. Ford, “Enhancing bitcoin security and performance with strong consistency via collective signing,” in 25th USENIX Security Symposium (USENIX Security 16). Austin, TX: USENIX Association, 2016, pp. 279–296.  J. A. Kroll, I. C. Davey, and E. W. Felten, “The economics of bitcoin mining, or bitcoin in the presence of adversaries.” Citeseer.  A. Miller, J. Litton, A. Pachulski, N. Gupta, D. Levin, N. Spring, and B. Bhattacharjee, “Discovering bitcoin’s public topology and influential nodes.”  S. J. Murdoch and P. Zielinski, “Sampled traffic analysis by Internet- ´ exchange-level adversaries,” in Privacy Enhancing Technologies: 7th International Symposium, PET 2007, N. Borisov and P. Golle, Eds. Springer-Verlag, LNCS 4776, 2007, pp. 167–183.  K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining: Generalizing selfish mining and combining with an eclipse attack,” IACR Cryptology ePrint Archive, vol. 2015, p. 796, 2015.  T. Neudecker, P. Andelfinger, and H. Hartenstein, “A simulation model for analysis of attacks on the bitcoin peer-to-peer network,” in IFIP/IEEE International Symposium on Internet Management. IEEE, 2015, pp. 1327–1332.  P. v. Oorschot, T. Wan, and E. Kranakis, “On interdomain routing security and pretty secure bgp (psbgp),” ACM Trans. Inf. Syst. Secur., vol. 10, no. 3, Jul. 2007.  A. Pilosov and T. Kapela, “Stealing The Internet. An Internet-Scale Man In The Middle Attack.” DEFCON 16.  Y. Rekhter and T. Li, A Border Gateway Protocol 4 (BGP-4), IETF, Mar. 1995, rFC 1771.  M. Rosenfeld, “Analysis of hashrate-based double spending,” arXiv preprint arXiv:1402.2009, 2014.  A. Sapirshtein, Y. Sompolinsky, and A. Zohar, “Optimal selfish mining strategies in bitcoin,” CoRR, vol. abs/1507.06183, 2015.  E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza, “Zerocash: Decentralized anonymous payments from bitcoin,” in 2014 IEEE Symposium on Security and Privacy. IEEE, 2014, pp. 459–474.  B. Schlinker, K. Zarifis, I. Cunha, N. Feamster, and E. Katz-Bassett, “Peering: An as for us,” in Proceedings of the 13th ACM Workshop on Hot Topics in Networks, ser. HotNets-XIII. New York, NY, USA: ACM, 2014, pp. 18:1–18:7.  J. Schnelli, “BIP 151: Peer-to-Peer Communication Encryption,” Mar. 2016, https://github.com/bitcoin/bips/blob/mastebip-0151.mediawiki.  X. Shi, Y. Xiang, Z. Wang, X. Yin, and J. Wu, “Detecting prefix hijackings in the Internet with Argus,” ser. IMC ’12. New York, NY, USA: ACM, 2012, pp. 15–28.  Y. Sompolinsky and A. Zohar, “Secure high-rate transaction processing in bitcoin,” in Financial Cryptography and Data Security. Springer, 2015, pp. 507–527.  Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal, “RAPTOR: Routing attacks on privacy in TOR.” in USENIX Security, 2015.  A. Tonk, “Large scale BGP hijack out of India,” 2015, http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/.  ——, “Massive route leak causes Internet slowdown,” 2015, http://www.bgpmon.net/massive-route-leak-cause-internet-slowdown/.  L. Vanbever, O. Li, J. Rexford, and P. Mittal, “Anonymity on quicksand: Using BGP to compromise TOR,” in ACM HotNets, 2014.  Z. Zhang, Y. Zhang, Y. C. Hu, and Z. M. Mao, “Practical defenses against BGP prefix hijacking,” ser. CoNEXT ’07. New York, NY, USA: ACM, 2007.  Z. Zhang, Y. Zhang, Y. C. Hu, Z. M. Mao, and R. Bush, “iSPY: Detecting IP prefix hijacking on my own,” IEEE/ACM Trans. Netw., vol. 18, no. 6, pp. 1815–1828, Dec. 2010.
Hi /Bitcoin , I am open to correction on any areas I have have misunderstood, but I do have some concerns for the future of mining and consensus. Miners receive BTC for mining new blocks, these can be physical individual miners or logical mining pools. Block rewards will continue diminishing until all Bitcoins are in circulation, ETA the year 2140. In the run up to this date, Bitcoin mining will become less and less feasible, and assuming BTC finds a stable price prior to this date then profitability will also decline. Without a large number of miners, the Bitcoin network could become more and more centralized over the years, allowing a single entity to reach consensus once more. Therefore the Network could be hijacked, resulting in the end of Bitcoin. In an alternate scenario, mining fees continue to increase to combat the diminishing profitability of block rewards. As you are all aware, mining fees are already becoming a growing concern and are accelerating the deflationary nature of Bitcoin, i.e a wallet with $20 worth of BTC may find it impossible to move this BTC. This leads to an eventuality where millions of users can own and store BTC, but are unwilling to transact with it. The reduction of transactions reduces the mining fee income and profitability of miners, who cease operation and the Network becomes more centralized than ever. In a final scenario, these concerns are addressed early and maintaining the hash power of the network becomes a recognized public utility, and Service-Provider are delegated the responsibility of hosting mining farms to validate transactions. Similar to BGP, the running of the full Internet Routing Table becomes a Service-Provider task. Individual miners cease operations, and the Network becomes more centralized than ever. With the current state of the protocol, I see no future scenario where the Bitcoin Network can remain both usable and decentralized. Without one, the other is worthless. Any feedback is appreciated.
Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason. These hijacks and miner redirections would not have been possible without peer-to-broadcast routes. Although BGP hijacking is possible, the overall threat is minimal. BGP-Hijacking: Hacker leitet Bitcoin-Miner zu sich um Logo, Bitcoin, Crypto-Währung Bildquelle: Bitcoin. Einem Hacker soll es gelungen sein, verschiedenen Cryptowährungen im Gesamtwert von rund ... „BGP-Hijacking für Cryptocurrency Profit. BitcoinMiner Schritt 2 - Führen Sie HitmanPro aus, um die Überreste des Trojaners zu entfernen. Sobald ein Benutzer einen Bitcoin-Client auf seinem Computer installiert, kann er Bitcoins direkt an einen anderen Bitcoin-Benutzer übertragen. Cryptonight Miner, WaterMiner Malware, Auto Refresh Plus Adware Miner und viele mehr. Wenn es dann eine ... Cryptocurrency Miner können mit Bedrohungen wie Informationsdealern kombiniert werden, um zusätzliche Einnahmen zu erzielen. Wie dieser Vorfall jedoch nahelegt, könnte die Auswirkung eines Crypto-Mining-Angriffs auch den Verlust von Computerressourcen für heimliche Crypto-Currency-Miner beinhalten. Einige verwenden zur Weitergabe EternalBlue-Exploits, andere verwenden Mimikatz, um ... BGP-Hijacking: Hacker leitet Bitcoin-Miner zu sich um Einem Hacker soll es gelungen sein, verschiedenen Cryptowährungen im Gesamtwert von rund 83.000 US-Dollar über eine Umleitung entwendet zu ...
BSides Vancouver 2015 - Andree Toonk - BGP Hijack - Who's Stealing Your Prefixes?
BGP - From Route Hijacking to RPKI: How Vulnerable is the Internet? - Duration: 24:44. ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - Duration: 21:14. IEEE Symposium on Security and ... BGP - From Route Hijacking to RPKI: How Vulnerable is the Internet? - Duration: 24:44. ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - Duration: 21:14. IEEE Symposium on Security and ... BGP hijacking is now a reality: it happens often (mostly in the form of route leak due to misconfiguration, though), there's no practical way to prevent it, we have to deal with it. Internet ... In this lab i use mininet labs to show BGP hijacking and how that can affect businesses and private citizens. BGP is the internet routing protocol, but we ar... BGP Route Leak Misdirects Google Cloud Traffic Through Russia & China - Duration: 4:30. ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - Duration: 21:14. IEEE Symposium on Security and ...