blocks, so parties with access to quantum computation would have unfair advantage in procuring
mining rewards. Here we propose a possible solution to the quantum-era blockchain challenge and
report an experimental realization of a quantum-safe blockchain platform that utilizes quantum key
distribution across an urban fiber network for information-theoretically secure authentication. These
results address important questions about realizability and scalability of quantum-safe blockchains
for commercial and governmental applications.
quantum computer works off-line to forge the database. It changes one of the past transaction records to its benefit and performs a Grover search for a variant of other transactions within the same block such that its hash remains the same, to make the forged version appear legitimate. Once the search is successful, it hacks into all or some of the network nodes and substitutes the legitimate database by its forged version. However, the potential of this attack to cause significant damage appears low, because the attacker would need to simultaneously hack at least one-third of the nodes to alter the consensus. Furthermore, because the Grover algorithm offers only a quadratic speed-up with respect to classical search algorithms, this scenario can be prevented by increasing the convention on the length of the block hash to about a square of its safe non-quantum value.

Figure 2. Creation of a block in a quantum-secure blockchain. a) Each node that wishes to implement a transaction sends identical copies of that transaction to all other nodes. Nodes A, B and C, whose transactions are denoted as $\mathrm{txn}_A$, $\mathrm{txn}_B$ and $\mathrm{txn}_C$, respectively, follow the protocol. Node D is cheating, attempting to send non-identical versions $\mathrm{txn}_{Da}$, $\mathrm{txn}_{Db}$ and $\mathrm{txn}_{Dc}$ of the same transaction to different parties. b) Transaction contents. c) The nodes implement the broadcast protocol to reconcile the unconfirmed transactions and form the block. They discover that the transaction initiated by node D is illegitimate and exclude it.

We experimentally study the proposed blockchain protocol on the basis of a four-node, six-link network [Fig. 2(a)] with information-theoretically secure authentication. We use an urban fiber QKD network recently developed by our team (see Appendix) to procure authentication keys for two of the links connecting three nodes; the key generation in the remaining four links is classical.
We test the operation of the blockchain and implement the construction of a simple transaction block under the following settings [Fig. 2(a)]. Nodes A, B and C perform legitimate transactions, whereas node D tries to process three different transactions, i.e. realize a double-spending attack. The pool of unconfirmed transactions at each node thus consists of three legitimate transactions and one inconsistent transaction. The broadcast protocol is then launched on the basis of these transaction pools. This protocol eliminates node D's double-spending transaction after the second communication round and permits the formation of a block containing legitimate transactions only [Fig. 2(c)].

OUTLOOK

In summary, we have developed a blockchain protocol with information-theoretically secure authentication based on a network in which each pair of nodes is connected by a QKD link. We have experimentally tested our protocol by means of a three-party urban fibre QKD network in Moscow.

A crucial advantage of our blockchain protocol is its ability to maintain transparency of transactions and security against attacks with quantum algorithms. Our results therefore open up possibilities for realizing scalable quantum-safe blockchain platforms. If realized, such a blockchain platform can limit economic and social risks from imminent breakthroughs in quantum computation technology.

Typical key generation rates of currently available QKD technologies are sufficient for operating large-scale blockchain platforms based on our protocol. Moreover, remarkable progress in theory and practice of quantum communications, including recent experiments on ground-to-satellite QKD and quantum repeaters, could open the door to developing a public worldwide QKD network (the quantum Internet [27]) and extending quantum-safe blockchain platforms to the global scale.

The development of the quantum Internet will allow our protocol to preserve anonymity of each network member. A member will be able to access the global QKD network from any station, authenticate themselves to other parties using their private seed keys (see Appendix) and enact a desired transaction.

Our protocol is likely not the only possible quantum-safe blockchain platform. In this context, important horizons are opened by technologies that permit direct transmission of quantum states over multipartite networks combined with light quantum information processing. This includes, for example, protocols for quantum multiparty consensus [28, 29] and quantum digital signatures [30], which have been successfully studied in experiments, including metropolitan networks [31]. An additional important research avenue is more efficient, quantum-technology based consensus algorithms [32]. Most importantly, we hope that our work will raise awareness and interest of the quantum information community to the problem of security of distributed ledgers in the era of quantum technology.
1. The blockchain is a distributed database in which the records are organized in a form of consecutive blocks. The term distributed means that copies of the database are stored by all the nodes that are interested in maintaining it, and that there is no single control center in charge of the network.

2. Distributed consensus is a set of rules governing the blockchain construction and operation accepted by the nodes maintaining this blockchain.

3. A transaction is an elementary record in a blockchain. In order to create a transaction, one (i) forms a corresponding record, (ii) signs it using a digital signature, and (iii) sends the record to all the nodes maintaining the blockchain. For example, if we use a blockchain for maintaining a cryptocurrency, then the transaction corresponds to a transfer of some amount of money from one party to another.

4. A block contains a number of transactions created over a certain period of time. Newly created transactions enter a so-called pool of unconfirmed transactions. Because such transactions are created at a faster rate than the typical network latency time, it is difficult for the community to agree on their time sequence and validity. This motivates the solution to aggregate new transactions into large blocks that are introduced at regular time intervals that are much longer than the network latency.

   In order to create a block with new transactions, a node needs to (i) check the validity of new transactions and discard invalid ones, (ii) combine the new transactions and the hash value of the last block in the existing blockchain, (iii) fulfill the additional moderation requirements imposed on the new proposed block by the network rules (an example is the proof of work rule in Bitcoin), and (iv) send the new block to all other nodes. Each node then verifies the block's validity and adds it to the local copy of the blockchain.

5. The cryptographic hash function $H(\cdot)$ is a one-way map from arbitrary length strings to fixed-length strings (let us say, 256 or 512 bit). The term cryptographic means that it acts in a pseudo-random way, i.e. any modification of the argument string $x$ (even in a single bit) yields a major and unpredictable change of $H(x)$. Moreover, it is commonly believed that there is no classical algorithm, except brute-force, to invert the hash function, i.e. solve an equation such as $H(x) = h$. Quantum algorithms, in particular, Grover's algorithm [8], allow quadratic speed up in solving such problems.

$$\{m,\ \mathrm{sgn}(m, k_{\mathrm{priv}}),\ k_{\mathrm{publ}}\} \tag{1}$$

verifies the fact the author possesses $k_{\mathrm{priv}}$, but does not allow one to determine $k_{\mathrm{priv}}$.

Information-theoretically secure authentication

Two parties, Alice and Bob, can authenticate messages sent to each other if they share a secret private key $K_{\mathrm{aut}}$ that is not known to anyone else. The private key of necessary length can be generated via QKD provided that the parties have a small amount of seed key to authenticate themselves to each other in the beginning of the session. Once the private key is established, the authentication procedure is as follows: Alice sends to Bob a message with a hash tag generated using that key. After receiving the message, Bob also computes its hash tag. If the hash tags coincide, Bob can be certain that the message has arrived from Alice.

In our protocol, we use Toeplitz hashing due to its computational simplicity [33, 34]. Let the lengths of all messages and their hash tags be the same: $l_M$ and $l_h$ respectively. The hash tag of the $i$th message $M_i$ is calculated according to

$$h(M_i) = T_S M_i \oplus r_i, \tag{2}$$

where $T_S$ is an $l_h \times l_M$ Toeplitz matrix generated by a string $S$ of length $l_h + l_M - 1$, $r_i$ is a bit string of length $l_h$, and $\oplus$ is the bitwise xor. Both $S$ and $r_i$ are private and taken from the common private key $K_{\mathrm{aut}}$. Then the probability that an eavesdropper will correctly guess the hash tag of a modified message is not more than $2^{-l_h}$.

If a series of messages is transmitted, the string $S$ can be reused without compromising security, while the string $r_i$ must be generated anew every time. In this way, the private key is consumed at a rate of $l_h$ bits per message. In our experiment, $l_h = 40$ and $l_M = 2048$.

QKD network

The basis for our experimental work is our recently developed modular QKD device [25, 35–38] driven by a National Instruments NI PCIe-7811R card. This setup uses a semiconductor laser LDI-DFB2.5G controlled by an FPGA board Spartan-6 to generate optical pulses at the standard telecommunication wavelength 1.55 μm and a 10 MHz repetition rate. We have used ID230 single-photon detectors from ID Quantique.
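The Toeplitz authentication tag of Eq. (2) with the experiment's lengths $l_h = 40$ and $l_M = 2048$, as an added example that is not the authors' code. It shows a valid tag being accepted, a modified message being rejected, key consumption of $l_h$ bits per message, and what a repeated pad $r_i$ would reveal; `AuthKey`, `sign`, `verify` and `demo` are hypothetical names, and the key bits are constructed with `secrets` in place of QKD output.

```python
# Added illustration; AuthKey, sign, verify and demo are hypothetical names.
import hmac
import secrets

L_H, L_M = 40, 2048          # tag / message lengths in bits, as in the experiment
S_LEN = L_H + L_M - 1        # bits of K_aut that define the Toeplitz matrix T_S

def toeplitz_tag(msg, s, r):
    """Eq. (2): h(M) = T_S M xor r over GF(2); msg, s, r are lists of 0/1."""
    if len(s) != len(r) + len(msg) - 1:
        raise ValueError("S must have l_h + l_M - 1 bits")
    tag = []
    for i in range(len(r)):
        acc = 0
        for j, bit in enumerate(msg):
            acc ^= s[i - j + len(msg) - 1] & bit   # T_S[i][j] depends only on i - j
        tag.append(acc ^ r[i])
    return tag

class AuthKey:
    """One party's copy of K_aut: the reusable S, then one-time pads r_i."""
    def __init__(self, k_aut):
        self.s, self.pads, self.used = k_aut[:S_LEN], k_aut[S_LEN:], 0

    def next_pad(self):
        if self.used + L_H > len(self.pads):
            raise RuntimeError("pad bits exhausted: wait for fresh QKD key")
        pad = self.pads[self.used:self.used + L_H]
        self.used += L_H                 # a pad is never handed out twice
        return pad

def sign(key, msg):
    return toeplitz_tag(msg, key.s, key.next_pad())

def verify(key, msg, tag):
    expected = toeplitz_tag(msg, key.s, key.next_pad())
    return hmac.compare_digest(bytes(expected), bytes(tag))

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def demo():
    # Constructed key material standing in for QKD output: S plus two pads.
    k_aut = [secrets.randbits(1) for _ in range(S_LEN + 2 * L_H)]
    alice, bob = AuthKey(k_aut), AuthKey(k_aut)
    m1 = [secrets.randbits(1) for _ in range(L_M)]
    accepted = verify(bob, m1, sign(alice, m1))
    m2 = m1[:7] + [m1[7] ^ 1] + m1[8:]   # one bit altered in transit
    rejected = not verify(bob, m2, sign(alice, m1))
    # Pad reuse: the xor of two tags equals T_S(M1 xor M2), linear in the secret S.
    r = k_aut[S_LEN:S_LEN + L_H]
    leak = xor(toeplitz_tag(m1, alice.s, r), toeplitz_tag(m2, alice.s, r))
    linear = leak == toeplitz_tag(xor(m1, m2), alice.s, [0] * L_H)
    return accepted, rejected, linear, alice.used
```

Both parties must advance their pad counters in lockstep, so a lost or replayed message has to be handled at a higher layer before the next tag is checked.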
The QKD network contains two links with different physical implementations, realized in an urban environment in Moscow. The parameters of both links are listed in the table below.

                    First link      Second link
Encoding            polarization    phase
Length (km)         30              15
Loss (dB)           13              7
Key rate (bit/s)    20              100

Broadcast protocol and block construction

Here we briefly summarize the protocol for reaching Byzantine agreement in the presence of faulty nodes [26, 39]. Consider $n$ nodes connected by pairwise authenticated channels. Let each $i$th node possess a certain private value $V_i$.

The goal of the protocol is to make all nodes aware of all $V_i$'s with a complication that there are $m$ dishonest (or faulty) nodes. This can be rephrased as obtaining an $n$-dimensional consensus vector $\vec{V}_{\mathrm{cons}}$ with the following properties: (i) all the honest nodes obtain the same vector $\vec{V}_{\mathrm{cons}}$, and (ii) the $i$th component of $\vec{V}_{\mathrm{cons}}$ equals $V_i$ for all honest nodes.

The consensus vector is determined through a series of communication rounds that proceed as follows.

- In the first round, the nodes transmit their values of $V_i$ to each other.
- In subsequent rounds, the nodes communicate all the information they received in the previous round from other nodes (messages are of the form such as "node $i_2$ told node $i_1$ that node $i_3$ told node $i_2$ . . . that node $i_r$ told node $i_{r-1}$ that its private value is $U$").

In Ref. [26], Lamport, Shostak and Pease proved that the consensus vector can be obtained with no more than $m + 1$ rounds for $m < n/3$ dishonest nodes.

In our setup, the private value $V_i$ is the pool of transactions received by the $i$th node (together with its own transactions), as well as the set of bits indicating the node's opinion of each transaction's admissibility. After obtaining the consensus vector $\vec{V}_{\mathrm{cons}}$, the honest nodes are able to create a block containing the complete set of admissible transactions from the pool.

A shortcoming of the protocol of Ref. [26] in its original form is that it becomes exponentially data-intensive if a large number of cheating or unoperational nodes are present. Therefore further research on developing an efficient consensus protocol is required. We are optimistic that this issue can be resolved. Indeed, classical blockchain networks do routinely face the same challenge and have learned to deal with it efficiently.

ACKNOWLEDGMENTS

We thank D. Gottesman for making us aware of the broadcast protocol. We acknowledge financial support from Ministry of Education and Science of the Russian Federation (Agreement 14.582.21.0009, ID RFMEFI58215X0009). AL is supported by NSERC and is a CIFAR Fellow.
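The broadcast protocol of the section "Broadcast protocol and block construction", for the experiment's case of n = 4 nodes with m = 1 cheating node D (hence m + 1 = 2 rounds), as an added example that is not the authors' code. It is simplified to a majority vote over the directly received and the relayed versions of each transaction and omits the admissibility bits; the transaction contents, function names and D's behaviour are constructed, and every pairwise channel is assumed authenticated so that the relayer of each report is known.

```python
# Added illustration; all names and transaction contents are constructed.
import hashlib
from collections import Counter

NODES = ["A", "B", "C", "D"]
HONEST = ["A", "B", "C"]
TXN = {"A": "A sends B 2 coins", "B": "B sends C 1 coin", "C": "C sends A 3 coins"}

def direct(sender, receiver):
    """Round 1: what `sender` tells `receiver` its transaction is."""
    if sender == "D":            # cheating node: a different version for every peer
        return f"D sends {receiver} 5 coins"
    return TXN[sender]

def relay(relayer, sender, receiver, heard):
    """Round 2: `relayer` tells `receiver` what it heard from `sender`."""
    if relayer == "D":           # a faulty relayer may report anything
        return f"D's made-up report to {receiver} about {sender}"
    return heard[relayer][sender]

def consensus_vector(me):
    """Consensus vector as computed by honest node `me` after two rounds."""
    heard = {j: {i: direct(i, j) for i in NODES if i != j} for j in NODES}
    vector = {me: TXN[me]}
    for sender in NODES:
        if sender == me:
            continue
        reports = [heard[me][sender]]
        reports += [relay(k, sender, me, heard) for k in NODES if k not in (me, sender)]
        value, votes = Counter(reports).most_common(1)[0]
        # Keep a value only if a strict majority of the reports agree on it.
        vector[sender] = value if 2 * votes > len(reports) else None
    return vector

def build_block(vector, prev_hash):
    """Block = admissible transactions plus the hash of the previous block."""
    txns = sorted(t for t in vector.values() if t is not None)
    body = prev_hash + "|" + "|".join(txns)
    return {"prev_hash": prev_hash, "txns": txns,
            "hash": hashlib.sha256(body.encode()).hexdigest()}

def run(prev_hash="00" * 32):
    vectors = {n: consensus_vector(n) for n in HONEST}
    blocks = {n: build_block(v, prev_hash) for n, v in vectors.items()}
    return vectors, blocks
```

Each honest node sees three mutually different versions of D's transaction, finds no majority and drops it, so A, B and C arrive at the same block hash without trusting any single peer.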
[1] Franco, P. Understanding Bitcoin: Cryptography, Engineering and Economics (John Wiley & Sons, 2014).
[2] Extance, A. The future of cryptocurrencies: Bitcoin and beyond. Nature 526, 21–23 (2015).
[3] Marr, B. How Blockchain Technology Could Change The World. Forbes, May 27, 2016.
[4] Swan, M. Blockchain (O'Reilly Media, Inc., 2015).
[5] Witte, J.H. The blockchain: A gentle four page introduction. arXiv:1612.06244.
[6] Schneier, B. Applied cryptography (John Wiley & Sons, Inc., New York, 1996).
[7] Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26, 1484–1509 (1997).
[8] Grover, L.K. A fast quantum mechanical algorithm for database search. Proceedings of 28th Annual ACM Symposium on the Theory of Computing (New York, USA, 1996), pp. 212–219.
[9] Lamport, L. Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory, Oct. 1979.
[10] Merkle, R. Secrecy, authentication and public key systems / A certified digital signature. Ph.D. dissertation, Dept. of Electrical Engineering, Stanford University, 1979.
[11] Bernstein, D.J. Introduction to post-quantum cryptography (Springer-Verlag Berlin Heidelberg, 2009).
[12] Gisin, N., Ribordy, G., Tittel, W., & Zbinden H. Quantum cryptography. Rev. Mod. Phys. 74, 145–195 (2002).
[13] Scarani, V., et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
[14] Diamanti, E., Lo, H.-K., & Yuan, Z. Practical challenges in quantum key distribution. npj Quant. Inf. 2, 16025 (2016).
[15] Salvail, L., et al. Security of trusted repeater quantum key distribution networks. J. Comput. Sec. 18, 61–87 (2010).
[16] Elliott, C., et al. Current status of the DARPA quantum network. Proc. SPIE 5815, 138 (2005).
[17] Peev, M. et al. The SECOQC quantum key distribution network in Vienna. New J. Phys. 11, 075001 (2009).
[18] Stucki, D. et al. Long-term performance of the SwissQuantum quantum key distribution network in a field environment. New J. Phys. 13, 123001 (2011).
[19] Chen, T.-Y. et al. Field test of a practical secure communication network with decoy-state quantum cryptography. Opt. Express 17, 6540–6549 (2009).
[20] Chen, T.-Y. et al. Metropolitan all-pass and inter-city quantum communication network. Opt. Express 18, 27217–27225 (2010).
[21] Wang, S. et al. Field test of wavelength-saving quantum key distribution network. Opt. Lett. 35, 2454 (2010).
[22] Sasaki, M. et al. Field test of quantum key distribution in the Tokyo QKD Network. Opt. Express 19, 10387 (2011).
[23] Frohlich, D. et al. A quantum access network. Nature 501, 69–72 (2013).
[24] Zhang, Q. et al. China's 2,000-km quantum link is almost complete. IEEE Spectr., Oct. 2016.
[25] Kiktenko, E.O. et al. Demonstration of a quantum key distribution network across urban fiber channels. arXiv:1705.07154.
[26] Pease, M., Shostak, R., & Lamport, L. Reaching agreement in presence of faults. J. ACM 27, 228 (1980).
[27] Kimble, H.J. The quantum internet. Nature 453, 1023–1030 (2008).
[28] Fitzi, M., Gisin, N., & Maurer, U. Quantum solution to the Byzantine agreement problem. Phys. Rev. Lett. 87, 217901 (2001).
[29] Smania, M., Elhassan, A.M., Tavakoli, A. & Bourennane, M. Experimental quantum multiparty communication protocols. npj Quant. Inform. 2, 16010 (2016).
[30] Gottesman, D. & Chuang, I. Quantum digital signatures. arXiv:quant-ph/0105032.
[31] Yin, H.-L. et al. Experimental measurement-device-independent quantum digital signatures over a metropolitan network. Phys. Rev. A 95, 042338 (2017).
[32] Fitzi, M., et al. Detectable Byzantine agreement secure against faulty majorities, Proceedings of the 21st ACM Symposium on Principles of Distributed Computing, 118–126 (2002).
[33] Krawczyk, H. LFSR-based hashing and authentication. Lect. Notes Comp. Sci. 839, 129–139 (1994).
[34] Krawczyk, H. New hash functions for message authentication. Lect. Notes Comp. Sci. 921, 301–310 (1995).
[35] Sokolov, A.S. et al. Modular quantum key distribution setup for research and development applications. arXiv:1612.04168.
[36] Kiktenko, E.O., Trushechkin, A.S., Kurochkin, Y.V., & Fedorov, A.K. Post-processing procedure for industrial quantum key distribution systems. J. Phys. Conf. Ser. 741, 012081 (2016).
[37] Kiktenko, E.O. et al. Symmetric blind information reconciliation for quantum key distribution. arXiv:1612.03673.
[38] Kiktenko, E.O. et al. Post-processing procedure for quantum key distribution systems. Zenodo. Available at: https://dx.doi.org/10.5281/zenodo.200365.
[39] Lamport, L., Shostak, R., & Pease, M. The Byzantine generals problem. ACM T. Progr. Lang. Sys. 4, 382 (1982).