Transcript | Bitcoin may be doomed. What can we learn from The Quantum Resistant Ledger? Listen Will continued quantum advancements threaten Bitcoin and other altcoin transactions? Listen as we discuss The Quantum Resistant Ledger (QRL) a cryptocurrency taking a post-quantum safe approach to blockchain. While BTC’s value may plummet at even the threat of quantum tampering, QRLs should remain immune. Can Bitcoin learn a thing or two and adapt? Will the value of QRL go up with the growing quantum industry? Guest: Michael Strike from The Quantum Resistant Ledger Listen Konstantinos Welcome to Protiviti’s new podcast series, The Post-Quantum World. I’m your host, Konstantinos Karagiannis. I lead quantum computing services at Protiviti, where we’re helping companies prepare for the benefits and threats of this exciting capability. As with the emergence of AI, machine learning and other recent game-changing technologies, quantum capabilities are exploding, creating disruption and opportunity. I hope you’ll join each episode as we explore the technology and business impacts of this post-quantum era. Do you doubt we’re in the post-quantum era? Did you know there are over two dozen real quantum computers in the cloud available to researchers, companies and even students? And they’re only getting better. Recent road maps show there will be machines of over a thousand qubits by 2023. We could see threats to cryptography within just a couple of years after that. This week, we’ll start with the threat side. Bitcoin has been soaring in value but is also based on ECC, which is known to be vulnerable to quantum computers. What would happen if 2,500 qubits came online? Is there a way to build a better altcoin? Our guest today is a director of outreach for the Quantum Resistant Ledger – that’s the QRL – and he has a flair for fancy hats, so, hey, what’s not to like about that? Welcome, Michael Strike. Michael Thanks for having me. Appreciate it. Sometimes people like to focus more on the hats than the content, but I’ll take what I can get. Konstantinos Well, I shaved my head, so in the winter, they come in handy. Michael Remember that if you shave them, then, remember, that’s a style. That’s not bald. That’s a style. Konstantinos Exactly. It’s a decision. It’s a choice. It’s deterministic head shaving. Michael Deterministic. We’ve already gone off track. Konstantinos Yes. Well, right back into quantum again somehow. To start off, why the QRL, basically? We all know that there’s a general threat to cryptocurrencies from quantum computing, so can you talk a little bit about that and how it led to the creation of this project? Michael Sure. The founder of our project is Dr. Peter Waterland, and I actually came across the project when I was coming to the same conclusions as Peter was, and I was considering looking into, “Hey, I wonder if I could maybe get some people together?” and he said, “Oh!” Just when you’re having an idea and you’re looking around for it, as usual, somebody’s already done it or is doing it. Let me start off with this: Since our project is cryptocurrency based, moving forward, a basic-level understanding of bitcoin will be helpful for your audience. The issue really comes around factorization, so in order to describe how this works, let’s talk about a bitcoin wallet for a moment. Does that work? Konstantinos Yes, absolutely. Definitely. Michael A bitcoin wallet is essentially a 256-bit random string. That’s all it is – 256 bits of ones and zeroes, so that is the private key on a bitcoin wallet. Now, this all goes back to asymmetric cryptography, which goes back up to the 1970s. It’s been around for a while, it’s proven and it’s considered to be very classically secure. When you create a wallet, you generate 256 random bits. With those 256 random bits, you apply what’s called the elliptical-curve multiplication, and this what’s referred to as a one-way function – or you might hear someone call it a one-way gate – and then you arrive at the public key. So, now that you have a public key, you have something that you could give someone. This is the way bitcoin operated in the early days. It was an address format in which you could – it’s called “pay-to-public” key. There have been some minor updates to the protocol. Since then, now you can pay-to-public key hash. Most wallets nowadays will use the pay-to-public key hash, and the hash of your public key is what ends up on the chain. Here’s the problem: When you sign a transaction on the bitcoin network, in order to sign that, you have to present your public key to the node, so public keys were never really – because they were classically secure, they were never really intended to be secret. While the hash may end up written to the blockchain, you end up signing that transaction with your public key in order to show that you have the private key in order to show that you are the rightful owner of the wallet. Now, that brings up some interesting scenarios like, as we see in crypto, “Not your keys, not your crypto.” We also say, “Not your node, not your rules.” What that means is, any number of rogue nodes that potentially were classical nodes that are around the internet could be attached to a quantum computer – instead of flooding that transaction and all the other nodes, maybe it doesn’t even try and process it or validate it, or it’s not even mining. Maybe it just sends it to a quantum computer instead, and you’re waiting for the transaction to go, and you’re waiting and waiting and waiting for one confirmation for one node to find the block and put your transaction in there, and you’re waiting. But at the same time, this is potentially being worked on by – I’m sure you probably heard of Mr. Peter Shor and his famous algorithm from 1994, and my understanding is, there’s also even some variance of that algorithm, but essentially, this is what the threat is: It’s not like a small piece of the code in bitcoin. The fundamental address structure is based on a symmetric encryption in elliptical-curve cryptography. There’s really no easy way around this, and fundamentally, that’s what the issue is. Konstantinos Yes. It could create potential for a fast-enough attack to access that information at that moment, or it’s being processed. Can a machine crack it, then? Michael Sure. Let’s say you were the only node to receive that transaction. Don’t broadcast it to other nodes – just send it over to your own quantum processor, and just work on it yourself while the purported victim is waiting for the transaction to clear. Konstantinos Yes, especially if it’s a big transaction and you know there’s a big wallet. Michael Or you can just cherry-pick the transactions. Konstantinos Yes. I probably wouldn’t attack a five-dollar one, but – hopefully not. Michael I thought about this, and I thought this type, this is one of different attack vectors. If someone were to use this one, I think what they would do is stay – is cherry-pick the right transactions to stay highly profitable, but not so much as to reveal what’s actually happening. If you were a bad actor on the network where you’re doing this, you’d want to maximize profits while also maximizing camouflage, so there’s this gray area in there, because you wouldn’t want to collapse the value with confidence of the network of that which you are trying to accumulate. Konstantinos Ironically, there are quantum algorithms that do that – that help you figure out how to maximize something like an attack or how to pack a box, basically, if it’s same kind of like a problem to solve for. So, it would be funny to be a quantum computer figuring that out and then another doing the attack process. Michael Yes, potentially, Grover’s and Shor’s algorithms running at the same time, or something like that. Konstantinos Yes. Of course, the big disaster would be if you made enough noise, it would become like a canary, and then anyone watching the blockchain would panic and say, “Wait. Now, there’s a quantum computer of sufficient power happening, and bitcoin is worth zero.” Michael There’s also the other thing: What about just the speculation of a false positive? Something strange happens because people watch the bitcoin blockchain like a hawk, and people are watching movement all the time, and they watch for strange transactions. I mean, what about a correlation of some interesting quantum news that comes out, because quantum news doesn’t come out very often. It’s basically double the exponential as far as news that comes out. Month after month and week after week, the news is going out. Maybe one of these correlates with a strange transaction, and somebody starts a GameStop Reddit storm – who knows? It doesn’t even have to necessarily be real, because anyone’s perception is anyone’s reality. There’s probably a quantum joke there somewhere. Konstantinos Yes, exactly. Some kind of many-worlds joke. Michael That’s what exactly I was going to say. Konstantinos Because we see it all the time, right? If someone in one of the big financials says something negative about bitcoin, there’s an impact, instantly. It happened years ago with Jamie Dimon. He said something about bitcoin, and, boom, the price dropped – temporarily, of course. Michael He said it was like dog food squared, or something – rat poison, rat poison squared, something like that. Not that a central banker has ever changed his mind on anything. They started developing their own blockchain, ironically – well, not ironically. I guess you could say in hindsight, it was inevitable, to quote another famous person. Konstantinos That’s interesting, because that chain we’re talking about would be Quorum, and that ended up contributing a lot upstream to Ethereum over time – some advancements and how to handle transactions with some kind of secrecy. Eventually, we’re going to want to talk a little bit about what we can learn from QRL to maybe potentially protect other chains. With that, maybe we could talk a little bit about why QRL is immune to this potential quantum threat. Michael Sure. As we talked about earlier, bitcoin based off prime number factorization, which is susceptible to Shor’s – QRL works differently than that. Instead of using elliptical-curve digital-signature algorithm, we use something called XMSS. XMSS is a hash-based onetime signature scheme that’s stateful in nature and uses hashes instead of elliptical curves in factorization. The way it does this is, XMSS borrows a style, which I may add was just actually four months ago added and moved from draft recommended to recommended on NIST’s post-quantum initiative site. If you were to picture a Merkle tree, it just looks like an upside-down tree, and each of the branches is basically a key pair. You have multiple key pairs, you have multiple pairs of keys, and the way that this works is, when you sign a transaction, you use a key pair. What I said when I meant that this was stateful is, XMSS doesn’t work for all use cases. It only works for use cases where you’re able to create a message – in this case, signing a transaction in which you’re able to keep track of the state. Blockchain makes a great use case for being able to track the state because of its immutability and its distributed-security model. In short, instead of using elliptical-curve, we use a hash-based signature scheme. Actually, when you generate the wallet, you can select which hashing algorithm you want. I think the default is SHA-256. SHA-256 is considered to be quantum resistant/secure, I suppose, depending on who you talk to. Finding the pre-image on something that’s been SHA-256 is quite difficult. Konstantinos That could be somewhat weakened by quantum computer, but not completely weakened. It could be made more like a 128, if you were to . . . Michael I don’t know where that curve exactly lies, but apparently, Grover’s is one algorithm that can process the transaction. But if you look at how many ASICs – perhaps even someone in your audience could chime in on this one that has little bit more experience with the hashing and Grover’s, but if you look at how powerful the ASICs are and how many gigawatts of power – that how’s strong that network is, I don’t see being able to find a pre-image happening anytime soon. Konstantinos Yes, I agree. We would be able to say that if NIS decided that there were some kind of flaw – because now you’re on round three, basically, of the selection process. If they were to find a flaw, would you be able to make any modifications? Michael Yes. Within our protocol, we have different hashing-based hashes that we can use and could port over to a different hashing algorithm. So, that hashing algorithm is the fundamental component of the logic that lives within the Merkle tree. The Merkle tree itself is kind of like the scaffolding, and the hashing algorithm is what type of algorithm that you’re using in order to be quantum resistant. There’s three on the website, and I remember, if you read the white paper, there’s actually additional slots within the protocol where additional algorithms can be added. Konstantinos Yes. That’s terrific, because whenever we talk to customers about post-quantum crypto, the word is agility, agility, agility – be crypto agile. It would be great if the solutions were crypto agile too, just in case something happens in the future, of course. Michael Yes. Like I said, when you create the wallet, you also have the ability to select different types of hashing algorithms. Konstantinos Yes, that’s a pretty good design. People have a hard time figuring out when this real threat is going to hit. A lot of the math seems to indicate that the threat to bitcoin could be as soon as when there are 2,500 quality logical qubits. Of course, logical means that there’s a whole lot of physical qubits doing error correction and things to get to that 2,500 number. IBM’s already planning a thousand logical qubits in two years, and that’s a really big leap from where we are right now, so it makes me feel like it’s not insane to think that bitcoin is threatened as soon as three years from now. It’s quite possible. Michael t’s not insane to think that. As I was saying before, even the potential threat given the cryptocurrencies’ market cap – I don’t know whether it was just over a trillion dollars now, surpassing Visa and Mastercard put together. Obviously, there are other use cases as well as far RSA and being able to potentially decrypt communications between countries. I’ve said this before, and I was a little hesitant initially, but I would not be surprised if the level of secrecy based on what is at stake in an information age when big data is everything from corporation to government surveillance – it is not difficult for me to say that the secrecy behind quantum computing at the national level, that level of secrecy could be compared possibly to the Manhattan Project. If you look at the National Quantum Initiative, which is the United States’ approach to quantum computing research – I’ll read from their 2021 budget forecast right here: They’re putting $450 million for QIS research and development, and this was 2019; $450 million in 2019; $580 million budget capital set aside in 2020; and for 2021, $710 million. Now, I went on another site, and I was looking: “OK, this is really cool. Where are the updates on your progress? That’s strange. I don’t see anything.” I just want to make sure my tax dollars are being spent properly but the Freedom of Information Act might not apply here. Joking aside, I view this as like an iceberg analogy. We see what comes off from Honeywell. We see what comes off from IonQ, we see what comes off from Google, we see what comes out from IBM, Intel. We see this progress, but to me, this is like a bit of an iceberg: We see what’s on the top, but we’re supposed to see what’s happening in these trillion dollars, and I’m just talking about one country here, but progress is being made there. That’s happening in an information vacuum – no physics joke intended. Konstantinos A very cold vacuum. Yes, I’ve heard different variations on this. I can’t say what company, but someone who works for a company working on quantum computers said that he wonders if they’re going to be allowed to always say the progress they’ve made for fear of some nation-state actor literally coming and taking it. You know, just like marching in and taking something that they’ve developed because it’s that good. Like, if you made a breakthrough tomorrow, and you did have, let’s say, 2,500 great qubits coming along, that’s worthy of stealing if it can be taken away. Michael Twenty-five hundred logicals? Konstantinos Yes, logicals. Michael Definitely. Konstantinos That would decimate bitcoin. We would need, let’s say, another 1,500 on top of that to do just general RSA. But then again, the advancement alone, you could learn a lot from stealing something like that, so it is possible that somewhere, they’ve made some more progress that we haven’t heard about. I think the first leak of how much money was being spent on this was part of all the Snowden leaks – penetrating hard targets, I think it was called. It was something like $79 million being put aside for, I guess, work on a quantum computer, and it was a lot of that. Michael That was years ago. Konstantinos Yes, that was years and years ago. I could see the numbers have ramped up significantly since then. Michael Yes, as I said, there are security protocols on leaked information. Konstantinos Yes. Maybe they should have true quantum files that, when you look at them, they disappear, and then there’s no chance of anything leaking at all. Michael Or quantum-secure information, quantum-secure internet – that’s been heavily being worked on by China. There’s just too much money being pumped into this to ignore. Just for giggles, the other day – when I was growing up as a kid, I loved computers, and I did a report on ENIAC: the size of a building, 2,000 vacuum tubes, whatever it was. I just was going back, and I was reading the new articles for ENIAC, and I just wanted to see how much they correlated between what we’re saying about quantum computers now and what we’re saying about the first classical vacuum tube machines. If you read the articles, they’re going on about improvements in mathematics, industrial applications in all these different areas. It didn’t say molecular engineering or anything like that, but it read very similarly, and I probably won’t say that history always repeats, but more often than not, it usually rhymes. Konstantinos Yes. I could see that. A lot of the promises were very similar, and there are all these parallels – and computing in general. Let’s face it: The first supercomputer, Colossus, was built to crack encryption, and that’s the number one reason people were interested in quantum when they first started talking about it, I guess, because of Shor’s algorithm. Everyone got all excited about cracking encryption again, so we’re right back where we started. We just have all these other use cases that we’re looking at within the next couple of years. Michael Consider, as well, that when these early systems were being developed, there was communication. When you want to talk to someone, you pick up the phone, and you could give them a call in the ‘40s and ‘50s. Nowadays, information moves and aggregates much faster. Collaboration has been increasing exponentially. The ability to be able to talk to people and coordinate on the other side of the world – video and Zoom and all these – if you want to compare, some people would compare current quantum computers to vacuum tube machines. I’d argue that that’s not necessarily far off, that this is still in its infancy, but based on how we’re able to collaborate and work more efficiently nowadays when compared to how we were able to work decades ago, I think that’s going to end up being a big factor in progress moving forward. Konstantinos Yes. I don’t think we’re anywhere near that time scale away. So, that was 70 years ago. I don’t believe that we’re 70 years away from making quantum this far. Michael Exactly. Konstantinos Yes, I think it’s going to be much sooner than anyone expected, especially, with IonQ. Their approach is going to be essentially link these photonic machines together and – Michael They’re merging and going public, right? Konstantinos Yes, exactly, and other companies are going to do the same thing, so, as that happens, there’ll be investments. Do you think that QRL’s value will march in pace with them? Because it makes sense, as people invest in quantum, and believing in the threats to encryption, maybe they’ll see something like QRL is more than a proof of concept of being secure. Michael Our project lives in a very interesting intersection. It’s a niche within a niche. Konstantinos Yes, definitely. Michael First of all, we’re blockchain – we’re what? Then we’re quantum computing: “Oh, no.” I would say both influence right now – I would say the majority of it possibly is blockchain related, because the price does seem to have fluctuated. Bitcoin’s something that provides positive or negative buoyancy to all the other altcoins. I do see that in bitcoin bull runs, QRL does go up. Now, in retrospect, that could be because the higher value of bitcoin is more at risk to the quantum threat, or Y2Q, as we like to call it on the team. I think it’s probably a combination of both. Konstantinos Yes, definitely. Would you say that other companies, other blockchains – is there something they can learn from QRL? Can they try to implement some of the same strategies? Michael Well, as I was saying earlier, they can, but this one of those things that really need to be thought up ahead of time. For example, we’re purpose-built. We’re built for this. Coming in after the fact isn’t changing – the addressing scheme is fundamental to how the chain works. Let’s use bitcoin for an example: How you could fix that coin? You could possibly move over to Lamport signatures. You create a soft fork, and all of a sudden, Lamport signatures, you can start using post-quantum security signatures on bitcoin. That’s fine. That’s assuming you can get everyone to agree on what the code looks like, and there’s a lot of interest, there are a lot of developers in this space. If you can get the coordination, which would be unprecedented in blockchain to make a change of this scale to these many nodes just to – it’s the number one. It has most action power; it’s the most everything. Let’s just assume you could get everyone on the same page. Now, I switched over my bitcoin wallet, now, I’m running Lamport signatures, talking to it, bitcoin node. What about all the addresses that exist? What about Satoshi’s addresses? Those publics are still on the chain. What about people that don’t get the memo? Code is law, right? If code is law, we port it, you didn’t follow – I just don’t see how it works and having been done – having a project management and an enterprise architectural background, I know how, essentially, 50% of projects fail, 70% percent usually go over budget. These are on centralized projects. Things happen that are unexpected, right? Even if you’re doing your best to follow ITIL standards, even good companies screw up projects. Something this big can’t really screw up. Do we want Bitcoin Cash II? What would happen? There’s so much variability and there’s so much work that it would take, and there’s lost – at the end of the day, no matter what, how much of bitcoin is real, how much is lost? Konstantinos I think 20% of bitcoin is lost. That’s a lot of coins. So, that’s your process, all in hard drives. Michael You’d literally have to get everyone coordinated, all developers to agree so you did not end up with too many – x amount of hard fork chains. If everyone agreed, then there has to be a cut-off date. At this point, if you haven’t migrated it, if you haven’t typed your information in and sent it, if you haven’t sent in to your new signature, then everything else probably just gets burned, gets forked off into something else, and then get, I don’t know. Let’s say there was a quantum threat before then. If you want quantum information secure – let’s say you want it secured 10 to 15 years from now, you have to quantum secure it now, because if you have an encrypted file that’s not quantum secure now – all someone else has to do is hold onto that, theoretically, for 10-15 years, and decrypt it later, and if this is sensitive information, you just start thinking about this now. That’s why NIST started this whole thing years ago. Now, at the end of the day, I’m a quantum optimist. I’m a little bit biased. I’m a technology optimist, and I do my best to connect the dots, and I’m connecting the dots, and everything just feels – because no one knows for sure – but everything just feels like this is where everything’s headed. It seems organic, it feels organic, it feels natural, just like nature, right? Konstantinos Yes, I’m an optimist the same way with this field, definitely. I think it’s coming, and I don’t know how they fix this problem. The lost coins are a major problem. I keep scratching my head about that one. What do you do? You just admit that they’re gone forever. Some people probably want a quantum computer in hopes of reclaiming the lost coins and then staying quiet. I don’t know. I always think of Satoshi’s coins as like a canary there. If those start moving, what’s going on? Something pretty weird. That might cause panic too. Michael Someone could cry, “Quantum!” if his moved, and that’s a very – that’s a viable narrative right there, definitely, and I could see that. This is why the project was put together in order to – we’re not saying we’re better than bitcoin; I’m not saying we’re better than Ethereum. What we want to do is provide people an option in order to – if you’re looking at the quantum threat, and you ask yourself this question: Let’s say there’s a 1% chance, or 2% chance or 3% chance, and you’ve got your digital asset portfolio. To me, it makes sense to hedge some of that in the direction based on how severe – what you perceive the risk to actually be. To me, that’s just logical, but others may disagree. Konstantinos I really do think that something is going to have to be done. I feel like Ethereum will probably get there before bitcoin just because of the way – Vitalik’s energy with that project. He’s always thinking a few steps ahead, and I have a feeling they might be able to do this somehow before bitcoin could. Michael How long has Ethereum 2.0 been in the works? Konstantinos Yes, I know. He’s trying to do some serious stuff there. Bitcoin is killing the Earth in a sense, right? It’s so much power required to get that to work, and Ethereum 2.0 would allow us to have proof of stake instead of proof of work, which would be a lot more efficient, and sharding too – the whole idea of not having to do everything, just little pieces. That’s more efficient too – kind of like BitTorrent. So, those are good models. I just wonder if there’s going to be an Ethereum 2.5 that contains something a little more post-quantum. I guess we’ll see. Michael By then, the network would be more complex. There’ll be more nodes and more developers to coordinate with, as an advantage – or disadvantage. This is why if you really want to be quantum secure, I feel the only clear path to success is to be purpose-built. Everything else results in an increasing risk over time as systems get bigger, just like a regular IT system as a computer network evolves. Things just get larger and more difficult to manage. You have to hire more and more people. The problem gets larger. Look at it from a simple process perspective, where it’s easy to argue that a dollar spent up front is worth ten dollars down the road. Keep the process. Talking about the process, lean manufacturing, depending on your audience’s background, which is probably process-based. I think they understand what I’m saying. Konstantinos There you have it, guys. I’m not an investment adviser, but we might be talking about the last crypto coin that’s going to be left standing – that’s my opinion. It’s possible that the others will fold one day. So, I’d like to thank you for coming on and sharing all these insights with us, and we’ll see what happens in this post-quantum world as far as the collapse of cryptocurrency. Michael Yes, sounds good. For your listeners, if they want to know more information, we’re at www.theqrl.org, and we also have a passionate Discord community, and if you’re looking for more information as far as the white paper and technical information, docs.theqrl.org. Konstantinos Great, yes. It’s really interesting reading, so you guys should check it out. Thanks again. Michael Thank you so much. Konstantinos That does it for this episode. Thanks again to Michael Strike for joining today to discuss the QRL. Thank you for listening. If you enjoyed the show, please subscribe to Protiviti’s The Post-Quantum World and leave a review to help others find us. Be sure to follow me on Twitter and Instagram at konstanthacker – that’s “konstant with a k hacker.” You’ll find links there to what we’re doing in quantum computing services at Protiviti. You can also find information on our quantum services at www.protiviti.com, or follow us on Twitter and LinkedIn. Until next time, be kind and stay quantum curious.