Quantum-secured blockchain

E.O. Kiktenko,1,2 N.O. Pozhar,1 M.N. Anufriev,1 A.S. Trushechkin,1,2 R.R. Yunusov,1 Y.V. Kurochkin,1 A.I. Lvovsky,1,3 and A.K. Fedorov1,4
1 Russian Quantum Center, Skolkovo, Moscow 143025, Russia
2 Steklov Mathematical Institute of Russian Academy of Sciences, Moscow 119991, Russia
3 Institute for Quantum Science and Technology, University of Calgary, Calgary AB T2N 1N4, Canada
4 LPTMS, CNRS, Univ. Paris-Sud, Université Paris-Saclay, Orsay 91405, France
(Dated: May 29, 2017)
arXiv:1705.09258v2 [quant-ph] 26 May 2017

Blockchain is a distributed database which is cryptographically protected against malicious modifications. While promising for a wide range of applications, current blockchain platforms rely on digital signatures, which are vulnerable to attacks by means of quantum computers. The same, albeit to a lesser extent, applies to cryptographic hash functions that are used in preparing new blocks, so parties with access to quantum computation would have unfair advantage in procuring mining rewards. Here we propose a possible solution to the quantum-era blockchain challenge and report an experimental realization of a quantum-safe blockchain platform that utilizes quantum key distribution across an urban fiber network for information-theoretically secure authentication. These results address important questions about realizability and scalability of quantum-safe blockchains for commercial and governmental applications.

INTRODUCTION

The blockchain is a distributed ledger platform with high Byzantine fault tolerance, which enables achieving consensus in a large decentralized network of parties who do not trust each other. A paramount feature of blockchains is the accountability and transparency of transactions, which makes it attractive for a variety of applications ranging from smart contracts and finance to manufacturing and healthcare [1]. One of the most prominent applications of blockchains is cryptocurrencies, such as Bitcoin [2]. It is predicted that ten percent of global GDP will be stored on blockchains or blockchain-related technology by 2025 [3].

In a modern blockchain network, any member can introduce a record (transaction) to the ledger. Every transaction must be signed by its initiator's digital signature; this rule enables, for example, exchange of digital assets between parties. The transactions are stored on each member's computer (node) as a sequence of groups known as blocks. All transactions that have been introduced over a period of time are compiled in a block that is linked to the previous one [4]. This linking is implemented by cryptographic hash functions: each block contains a hash value of its content, and the content also includes the hash of the previous block (Fig. 1). Any modification of a block inside the chain yields a change of its hash, which would in turn require modification of all subsequent blocks. This structure protects the data inside a blockchain from tampering and revision [5].

[Figure 1: three consecutive blocks (Block n-1, Block n, Block n+1), each containing its hash, the previous block's hash and its transactions.]
Figure 1. Organization of data in blockchains ("txn" stands for "transaction").

While each node is allowed, in principle, to introduce a block to the network, each blockchain network has a set of rules that organize and moderate the block formation process. In Bitcoin, for example, a member introducing a new block must solve an NP-hard problem: introduce a set of numbers to the block's header such that the hash of that header must not exceed a certain value (this paradigm is known as proof-of-work). In this way, the blocks are guaranteed not to emerge too frequently, so every node has an opportunity to verify the validity of the block and the transactions therein before a new block arrives. This ensures the identity of the database stored by all network nodes. Whenever a new block is accepted by the community, its "miner" is rewarded in bitcoins for the computational power they spend.

A more detailed summary of the blockchain concept is presented in the Appendix.

We see that blockchain relies on two one-way computational technologies: hash functions and digital signatures. Most blockchain platforms rely on the elliptic curve public-key cryptography (ECDSA) or the large integer factorization problem (RSA) to generate a digital signature [5]. The security of these algorithms is based on the assumption of computational complexity of certain mathematical problems [6].

A universal quantum computer would enable efficient solving of these problems, thereby making digital signatures, including those used in blockchains, insecure. In particular, Shor's quantum algorithm solves factorisation of large integers and discrete logarithms in polynomial time [7]. Another security issue is associated with Grover's search algorithm [8], which allows quadratic speedup in calculating the inverse hash function. In particular, this will enable a so-called 51-percent attack, in which a syndicate of malicious parties controlling a majority of the network's computing power would monopolize the mining of new blocks. Such an attack would allow the perpetrators to sabotage other parties' transactions or prevent their own spending transactions from being recorded in the blockchain.

The security of blockchains can be enhanced by using post-quantum digital signature schemes [9, 10] for signing transactions. Such schemes are considered to be robust against attacks with quantum computers [11]. However, this robustness relies on unproven assumptions. Furthermore, post-quantum digital signatures are computationally intensive and are not helpful against attacks that utilize the quantum computer to dominate the network's mining hashrate.

Another way to guarantee authentication in the quantum era is to use quantum key distribution (QKD), which guarantees information-theoretic security based on the laws of quantum physics [12–14]. QKD is able to generate a secret key between two parties connected by a quantum channel (for transmitting quantum states) and a public classical channel (for post processing). The technology enabling QKD networks has been demonstrated in many experiments [15–25] and is now publicly available through multiple commercial suppliers.

In the present work, we describe a blockchain platform that is based on QKD and implement an experiment demonstrating its capability in a three-node urban QKD network. We believe this scheme to be robust against not only the presently known capabilities of the quantum computer, but also those that may potentially be discovered in the future to make post-quantum cryptography schemes vulnerable.

The utility of QKD for blockchains may appear counterintuitive, as QKD networks rely on trust among nodes, whereas the earmark of many blockchains is the absence of such trust. However, employing QKD for communication between two parties via a direct quantum channel permits these parties to authenticate each other. That is, nobody can pretend to be somebody else when introducing a transaction. In this way, QKD, in combination with classical consensus algorithms, can be used in lieu of classical digital signatures.

RESULTS

Here we consider a blockchain protocol within a two-layer network with n nodes. The first layer is a QKD network with pairwise communication channels that permit establishing an information-theoretically secure private key for each pair of nodes. The second (classical) layer is used for transmitting messages with authentication tags based on Toeplitz hashing (see Appendix) that are created using the private keys procured in the first layer.

For concreteness, we consider a blockchain maintaining a digital currency. The operation of the blockchain is based on two procedures: (i) creation of transactions and (ii) construction of blocks that aggregate new transactions. New transactions are created by those nodes who wish to transfer their funds to another node. Each individual new transaction record is constructed akin to those in Bitcoin, i.e. contains the information about the sender, receiver, time of creation, amount to be transferred, and a list of reference transactions that justifies that the sender has enough funds for the operation (see Appendix). This record is then sent via authenticated channels to all other n − 1 nodes, thereby entering the pool of unconfirmed transactions. Each node checks these entries with respect to their local copy of the database and each other, in order to verify that each transaction has sufficient funds, and forms an opinion regarding the transaction's admissibility. At this stage, the community does not attempt to exclude double-spending events (a dishonest party sending different versions of a particular transaction to different nodes of the network).

Subsequently, the unconfirmed transactions are aggregated into a block. We abolish the classical blockchain practice of having the blocks proposed by individual "miners", because it is vulnerable to quantum computer attacks in at least two ways. First, transactions are not rigged with digital signatures. This means that a miner has complete freedom to fabricate arbitrary, apparently valid, transactions and include them in the block. Second, a node equipped with a quantum computer is able to mine new blocks dramatically faster than any non-quantum node. This opens a possibility for attacks such as the 51-percent attack described above.

Instead, we propose to create blocks in a decentralized fashion. To this end, we employ the "broadcast" protocol proposed in the classic paper by Shostak, Lamport and Pease [26] (see Appendix). This protocol allows achieving a Byzantine agreement in any network with pairwise authenticated communication provided that the number of dishonest parties is less than n/3 (which we assume to be the case). At a certain moment in time (e.g. every ten minutes), the network applies the protocol to each unconfirmed transaction, arriving at a consensus regarding the correct version of that transaction (thereby eliminating double-spending) and whether the transaction is admissible. Each node then forms a block out of all admissible transactions, sorted according to their time stamps. The block is added to the database.

Because the broadcast protocol is relatively forgiving to the presence of dishonest or faulty nodes, our blockchain setup has significant tolerance to some of the nodes or communication channels not operating properly during its implementation. We also emphasize that, while the broadcast protocol is relatively data intensive, the data need not be transmitted through quantum channels. Quantum channels are only required to generate private keys.

While the proposed protocol seems to be efficient against quantum attacks on the distribution of transactions and formation of blocks, the database is still somewhat vulnerable while it is stored. A possible attack scenario is as follows: a malicious party equipped with a quantum computer works off-line to forge the database. It changes one of the past transaction records to its benefit and performs a Grover search for a variant of other transactions within the same block such that its hash remains the same, to make the forged version appear legitimate. Once the search is successful, it hacks into all or some of the network nodes and substitutes the legitimate database by its forged version. However, the potential of this attack to cause significant damage appears low, because the attacker would need to simultaneously hack at least one-third of the nodes to alter the consensus. Furthermore, because the Grover algorithm offers only a quadratic speed-up with respect to classical search algorithms, this scenario can be prevented by increasing the convention on the length of the block hash to about a square of its safe non-quantum value.

We experimentally study the proposed blockchain protocol on the basis of a four-node, six-link network [Fig. 2(a)] with information-theoretically secure authentication. We use an urban fiber QKD network recently developed by our team (see Appendix) to procure authentication keys for two of the links connecting three nodes; the key generation in the remaining four links is classical.

We test the operation of the blockchain and implement the construction of a simple transaction block under the following settings [Fig. 2(a)]. Nodes A, B and C perform legitimate transactions, whereas node D tries to process three different transactions, i.e. realize a double-spending attack. The pool of unconfirmed transactions at each node thus consists of three legitimate and one inconsistent transactions. The broadcast protocol is then launched on the basis of these transaction pools. This protocol eliminates node D's double-spending transaction after the second communication round and permits the formation of a block containing legitimate transactions only [Fig. 2(c)].

Figure 2. Creation of a block in a quantum-secure blockchain. a) Each node who wishes to implement a transaction sends identical copies of that transaction to all other nodes. Nodes A, B and C, whose transactions are denoted as txnA, txnB and txnC, respectively, follow the protocol. Node D is cheating, attempting to send non-identical versions txnDa, txnDb and txnDc of the same transaction to different parties. b) Transaction contents (txnA: A sends B 5 coins; txnB: B sends D 3 coins; txnC: C sends A 4 coins; txnDa: D sends A 5 coins; txnDb: D sends B 5 coins; txnDc: D sends C 5 coins). c) The nodes implement the broadcast protocol to reconcile the unconfirmed transactions and form the block. They discover that the transaction initiated by node D is illegitimate and exclude it.

OUTLOOK

In summary, we have developed a blockchain protocol with information-theoretically secure authentication based on a network in which each pair of nodes is connected by a QKD link. We have experimentally tested our protocol by means of a three-party urban fibre QKD network in Moscow. A crucial advantage of our blockchain protocol is its ability to maintain transparency of transactions and security against attacks with quantum algorithms. Our results therefore open up possibilities for realizing scalable quantum-safe blockchain platforms. If realized, such a blockchain platform can limit economic and social risks from imminent breakthroughs in quantum computation technology.

Typical key generation rates of currently available QKD technologies are sufficient for operating large-scale blockchain platforms based on our protocol. Moreover, remarkable progress in theory and practice of quantum communications, including recent experiments on ground-to-satellite QKD and quantum repeaters, could open the door to developing a public worldwide QKD network ("the quantum Internet" [27]) and extending quantum-safe blockchain platforms to the global scale.

The development of the "quantum Internet" will allow our protocol to preserve anonymity of each network member. A member will be able to access the global QKD network from any station, authenticate themselves to other parties using their private seed keys (see Appendix) and enact a desired transaction.

Our protocol is likely not the only possible quantum-safe blockchain platform. In this context, important horizons are opened by technologies that permit direct transmission of quantum states over multipartite networks combined with light quantum information processing. This includes, for example, protocols for quantum multiparty consensus [28, 29] and quantum digital signatures [30], which have been successfully studied in experiments, including metropolitan networks [31]. An additional important research avenue is more efficient, quantum-technology based consensus algorithms [32]. Most importantly, we hope that our work will raise awareness and interest of the quantum information community to the problem of security of distributed ledgers in the era of quantum technology.
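The four-node test of Fig. 2 can be replayed in a short simulation. The code below is an added example, not the authors' implementation: it assumes the recursive oral-messages form of the broadcast protocol of Ref. [26] run once per initiator, treats every pairwise channel as already authenticated, and sorts the block lexicographically in place of time stamps; all function names are illustrative.

```python
from collections import Counter

NODES = ["A", "B", "C", "D"]
DISHONEST = {"D"}            # m = 1 dishonest node, n = 4, so m < n/3

def send(sender, receiver, value):
    """Pairwise authenticated channel: the receiver knows who sent the value.
    A dishonest sender may hand a different value to every receiver."""
    if sender in DISHONEST:
        return f"D sends {receiver} 5 coins"
    return value

def majority(values):
    """Strict majority of the reported values, or None when there is none."""
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > len(values) else None

def broadcast(commander, lieutenants, value, m):
    """Oral-messages algorithm OM(m), i.e. m + 1 communication rounds.
    Returns the value each lieutenant attributes to the commander."""
    received = {l: send(commander, l, value) for l in lieutenants}
    if m == 0:
        return received
    relayed = {l: [] for l in lieutenants}
    for j in lieutenants:    # j tells the others what the commander told it
        others = [l for l in lieutenants if l != j]
        for i, v in broadcast(j, others, received[j], m - 1).items():
            relayed[i].append(v)
    return {i: majority([received[i]] + relayed[i]) for i in lieutenants}

def build_blocks(pool, m=1):
    """Run the broadcast once per initiator; return each honest node's block."""
    blocks = {n: [] for n in NODES if n not in DISHONEST}
    for initiator, txn in pool.items():
        others = [n for n in NODES if n != initiator]
        agreed = broadcast(initiator, others, txn, m)
        for node in blocks:
            # An initiator keeps its own record; everyone else uses the consensus.
            decided = txn if node == initiator else agreed[node]
            if decided is not None:      # None means "no agreed version": excluded
                blocks[node].append(decided)
    return {n: sorted(b) for n, b in blocks.items()}

# Transaction pool of Fig. 2(b); D's entry is replaced per receiver by send().
POOL = {
    "A": "A sends B 5 coins",
    "B": "B sends D 3 coins",
    "C": "C sends A 4 coins",
    "D": "D sends ? 5 coins",
}

if __name__ == "__main__":
    for node, block in build_blocks(POOL).items():
        print(node, block)
```

With a single round (m = 0) the three honest nodes hold three different versions of D's transaction; the second round is what lets them all see the disagreement and drop it.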

APPENDIX

Blockchain workflow

Here we sum up the main definitions and concepts of conventional blockchains.

1. The blockchain is a distributed database in which the records are organized in a form of consecutive blocks. The term "distributed" means that copies of the database are stored by all the nodes that are interested in maintaining it, and that there is no single control center in charge of the network.

2. A transaction is an elementary record in a blockchain. For example, if we use a blockchain for maintaining a cryptocurrency, then the transaction corresponds to a transfer of some amount of money from one party to another.

In order to create a transaction, one (i) forms a corresponding record, (ii) signs it using a digital signature, and (iii) sends the record to all the nodes maintaining the blockchain. Newly created transactions enter a so-called pool of unconfirmed transactions.

3. A block contains a number of transactions created over a certain period of time. Because such transactions are created at a faster rate than the typical network latency time, it is difficult for the community to agree on their time sequence and validity. This motivates the solution to aggregate new transactions into large blocks that are introduced at regular time intervals that are much longer than the network latency.

In order to create a block with new transactions, a node needs to (i) check the validity of new transactions and discard invalid ones, (ii) combine the new transactions and the hash value of the last block in the existing blockchain, (iii) fulfill the additional moderation requirements imposed on new proposed block by the network rules (an example is the proof of work rule in Bitcoin), and (iv) send the new block to all other nodes. Each node then verifies the block's validity and adds it to the local copy of the blockchain.

4. The cryptographic hash function $H(\cdot)$ is a one-way map from arbitrary length strings to fixed-length strings (let us say, 256 or 512 bit). The term "cryptographic" means that it acts in a pseudo-random way, i.e. any modification of the argument string $x$ (even in a single bit) yields a major and unpredictable change of $H(x)$. Moreover, it is commonly believed that there is no classical algorithm, except brute-force, to invert the hash function, i.e. solve an equation such as $H(x) = h$. Quantum algorithms, in particular, Grover's algorithm [8], allow quadratic speed up in solving such problems.

5. The digital signature is an algorithm which allows one to verify that a certain message has been created by a particular author. The basic idea is that the author has a pair of keys: private key $k_{\rm priv}$ and public key $k_{\rm publ}(k_{\rm priv})$, and there is a one-way function ${\rm sgn}(m, k)$, such that the triplet

$$\{m,\ {\rm sgn}(m, k_{\rm priv}),\ k_{\rm publ}\} \qquad (1)$$

verifies the fact the author possesses $k_{\rm priv}$, but does not allow one to determine $k_{\rm priv}$.

6. Distributed consensus is a set of rules governing the blockchain construction and operation accepted by the nodes maintaining this blockchain.

Information-theoretically secure authentication

Two parties, Alice and Bob, can authenticate messages sent to each other if they share a secret private key $K_{\rm aut}$ that is not known to anyone else. The private key of necessary length can be generated via QKD provided that the parties have a small amount of "seed" key to authenticate themselves to each other in the beginning of the session. Once the private key is established, the authentication procedure is as follows: Alice sends to Bob a message with a hash tag generated using that key. After receiving the message, Bob also computes its hash tag. If the hash tags coincide, Bob can be certain that the message has arrived from Alice.

In our protocol, we use Toeplitz hashing due to its computational simplicity [33, 34]. Let the lengths of all messages and their hash tags be the same: $l_M$ and $l_h$ respectively. The hash tag of the $i$th message $M_i$ is calculated according to

$$h(M_i) = T_S M_i \oplus r_i, \qquad (2)$$

where $T_S$ is a $l_h \times l_M$ Toeplitz matrix generated by a string $S$ of length $l_h + l_M - 1$, $r_i$ is a bit string of length $l_h$, and $\oplus$ is the bitwise xor. Both $S$ and $r_i$ are private and taken from the common private key $K_{\rm aut}$. Then the probability that an eavesdropper will correctly guess the hash tag of a modified message is not more than $2^{-l_h}$.

If a series of messages is transmitted, the string $S$ can be reused without compromising security, while the string $r_i$ must be generated anew every time. In this way, the private key is consumed at a rate of $l_h$ bits per message. In our experiment, $l_h = 40$ and $l_M = 2048$.

QKD network

The basis for our experimental work is our recently developed modular QKD device [25, 35–38] driven by a National Instruments NI PCIe-7811R card. This setup uses a semiconductor laser LDI-DFB2.5G controlled by an FPGA board Spartan-6 to generate optical pulses at the standard telecommunication wavelength 1.55 µm and a 10 MHz repetition rate. We have used ID230 single-photon detectors from ID Quantique.
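The tag computation of Eq. (2) and the key-consumption rule from the section on information-theoretically secure authentication, as an added example rather than the authors' code. It assumes the key material is handed over as an integer (a stand-in for the QKD-generated K_aut), that every message is exactly l_M bits, and that both ends process messages in the same order; `toeplitz_hash` and `Authenticator` are illustrative names.

```python
import hmac
import secrets

L_H, L_M = 40, 2048                 # tag and message lengths used in the experiment
S_LEN = L_H + L_M - 1               # length of the reusable string S

def toeplitz_hash(s, message):
    """T_S * M over GF(2), with T_S[j][k] = S[j - k + L_M - 1] (constant diagonals)."""
    if len(message) * 8 != L_M:
        raise ValueError("message must be exactly L_M bits long")
    m = int.from_bytes(message, "big")   # bit (L_M - 1 - k) of m is message bit k
    tag = 0
    for j in range(L_H):
        row_product = (s >> j) & m       # row j of T_S is the window S[j .. j + L_M - 1]
        tag |= (bin(row_product).count("1") & 1) << j
    return tag

class Authenticator:
    """One end of an authenticated link; both ends start from the same K_aut."""

    def __init__(self, key_bits, key_len):
        if key_len < S_LEN + L_H:
            raise ValueError("K_aut must hold S and at least one pad r_i")
        self.s = key_bits & ((1 << S_LEN) - 1)     # S is reused for every message
        self.pads = key_bits >> S_LEN              # the rest is cut into pads r_i
        self.pads_left = (key_len - S_LEN) // L_H

    def _next_pad(self):
        # Each r_i is used once: with a repeated pad, the xor of two tags would
        # reveal T_S applied to the xor of the two messages.
        if self.pads_left == 0:
            raise RuntimeError("K_aut exhausted: more key must be generated")
        r = self.pads & ((1 << L_H) - 1)
        self.pads >>= L_H
        self.pads_left -= 1
        return r

    def tag(self, message):
        return toeplitz_hash(self.s, message) ^ self._next_pad()

    def verify(self, message, tag):
        expected = self.tag(message)               # consumes the matching pad
        return hmac.compare_digest(expected.to_bytes(L_H // 8, "big"),
                                   tag.to_bytes(L_H // 8, "big"))

if __name__ == "__main__":
    key_len = S_LEN + 3 * L_H                      # enough key for three messages
    k_aut = secrets.randbits(key_len)              # constructed stand-in for a QKD key
    alice, bob = Authenticator(k_aut, key_len), Authenticator(k_aut, key_len)
    msg = b"txnA: A sends B 5 coins".ljust(L_M // 8, b"\0")   # constructed message
    print("accepted:", bob.verify(msg, alice.tag(msg)))
```

Each authenticated message costs l_h = 40 bits of key on both sides, which is the consumption rate stated above.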

The QKD network contains two links with different physical implementations, realized in an urban environment in Moscow. The parameters of both links are listed in the table below.

                    First link      Second link
Encoding            polarization    phase
Length (km)         30              15
Loss (dB)           13              7
Key rate (bit/s)    20              100

Broadcast protocol and block construction

Here we briefly summarize the protocol for reaching Byzantine agreement in the presence of faulty nodes [26, 39]. Consider n nodes connected by pairwise authenticated channels. Let each $i$th node possess a certain private value $V_i$. The goal of the protocol is to make all nodes aware of all $V_i$'s with a complication that there are m "dishonest" (or faulty) nodes. This can be rephrased as obtaining an n-dimensional consensus vector $\vec{V}_{\rm cons}$ with the following properties: (i) all the honest nodes obtain the same vector $\vec{V}_{\rm cons}$, and (ii) the $i$th component of $\vec{V}_{\rm cons}$ equals $V_i$ for all honest nodes.

The consensus vector is determined through a series of communication rounds that proceed as follows.

• In the first round, the nodes transmit their values of $V_i$ to each other.

• In subsequent rounds, the nodes communicate all the information they received in the previous round from other nodes (messages are of the form such as "node $i_2$ told node $i_1$ that node $i_3$ told node $i_2$ . . . that node $i_r$ told node $i_{r-1}$ that its private value is U").

In Ref. [26], Lamport, Shostak and Pease proved that the consensus vector can be obtained with no more than m + 1 rounds for m < n/3 dishonest nodes.

In our setup, the private value $V_i$ is the pool of transactions received by the $i$th node (together with its own transactions), as well as the set of bits indicating the node's opinion of each transaction's admissibility. After obtaining the consensus vector $\vec{V}_{\rm cons}$, the honest nodes are able to create a block containing the complete set of admissible transactions from the pool.

A shortcoming of the protocol of Ref. [26] in its original form is that it becomes exponentially data-intensive if a large number of cheating or unoperational nodes are present. Therefore further research on developing an efficient consensus protocol is required. We are optimistic that this issue can be resolved. Indeed, classical blockchain networks do routinely face the same challenge and have learned to deal with it efficiently.

ACKNOWLEDGMENTS

We thank D. Gottesman for making us aware of the broadcast protocol. We acknowledge financial support from Ministry of Education and Science of the Russian Federation (Agreement 14.582.21.0009, ID RFMEFI58215X0009). AL is supported by NSERC and is a CIFAR Fellow.

[1] Franco, P. Understanding Bitcoin: Cryptography, Engineering and Economics (John Wiley & Sons, 2014).
[2] Extance, A. The future of cryptocurrencies: Bitcoin and beyond. Nature 526, 21–23 (2015).
[3] Marr, B. How Blockchain Technology Could Change The World. Forbes, May 27, 2016.
[4] Swan, M. Blockchain (O'Reilly Media, Inc., 2015).
[5] Witte, J.H. The blockchain: A gentle four page introduction. arXiv:1612.06244.
[6] Schneier, B. Applied cryptography (John Wiley & Sons, Inc., New York, 1996).
[7] Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26, 1484–1509 (1997).
[8] Grover, L.K. A fast quantum mechanical algorithm for database search. Proceedings of 28th Annual ACM Symposium on the Theory of Computing (New York, USA, 1996), pp. 212–219.
[9] Lamport, L. Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory, Oct. 1979.
[10] Merkle, R. Secrecy, authentication and public key systems / A certified digital signature. Ph.D. dissertation, Dept. of Electrical Engineering, Stanford University, 1979.
[11] Bernstein, D.J. Introduction to post-quantum cryptography (Springer-Verlag Berlin Heidelberg, 2009).
[12] Gisin, N., Ribordy, G., Tittel, W. & Zbinden H. Quantum cryptography. Rev. Mod. Phys. 74, 145–195 (2002).
[13] Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
[14] Diamanti, E., Lo, H.-K. & Yuan, Z. Practical challenges in quantum key distribution. npj Quant. Inf. 2, 16025 (2016).
[15] Salvail, L. et al. Security of trusted repeater quantum key distribution networks. J. Comput. Secur. 18, 61–87 (2010).
[16] Elliott, C. et al. Current status of the DARPA quantum network. Proc. SPIE 5815, 138 (2005).
[17] Peev, M. et al. The SECOQC quantum key distribution network in Vienna. New J. Phys. 11, 075001 (2009).

5281/zenodo. ACM Symposium on Principles of Distributed Comput- [21] Wang. New hash functions for message authenti- [23] Fröhlich. npj Quant. Opt. Phys.O. Long-term performance of the Swis. [19] Chen. A quantum access network. The quantum internet. Conf. ACM 27. 228 (1980). A. 129–139 (1994).03673. the Tokyo QKD Network. E. cure against faulty majorities. A. 741. Inform. 10387 (2011). Post-processing procedure for industrial arXiv:1705. Express 17.. H. et al. D. Field test of a practical secure com.04168. 382 nane. [31] Yin. Phys. M. cation protocols. et al. Phys. tan network. Gisin. E.-Y. 87. [20] Chen. & Bouren. Post-processing procedure for quan- [28] Fitzi. 301–310 (1995). independent quantum digital signatures over a metropoli- raphy.200365.-L. et al. Nature cation. et al.. A. 2454 (2010). et al. 13. (1982). et al. D.S. Tavakoli. A. 217901 (2001). Oct. Notes Comp. Lett. Kurochkin. & key distribution network across urban fiber channels. Fedorov. R. [26] Pease. Opt. 921. N. et al. 042338 (2017). 16010 (2016). Lett. Elhassan. D. Symmetric blind information recon- [27] Kimble. Field test of wavelength-saving quantum ing. New J. Chinas 2. tine generals problem. M. R. et al. 123001 (2011). [37] Kiktenko...doi. M. [33] Krawczyk. & Pease. U. ment in presence of faults. Proceedings of the 21st 27217–27225 (2010). sQuantum quantum key distribution network in a field [30] Gottesman. [25] Kiktenko.. [34] Krawczyk. & Maurer.. Notes Comp. Detectable Byzantine agreement se- city quantum communication network. . M. J. arXiv:quant-ph/0105032. complete. & Lamport. arXiv:1612. et al. 6 [18] Stucki. Rev. 1023– ciliation for quantum key distribution. Phys. I. Opt.. [39] Lamport. Express 19. H. et al. Y. S. et al. Zenodo. M. Rev.O. et al. 2016. Demonstration of a quantum [36] Kiktenko. J. Experimental quantum multiparty communi.. Reaching agree. Lect. quantum key distribution systems. 1030 (2008)..org/10. E. IEEE Spectr. Available at: the Byzantine agreement problem. [32] Fitzi. 
[38] Kiktenko.. Quantum solution to tum key distribution systems. Ser. arXiv:1612. 839. Experimental measurement-device- munication network with decoy-state quantum cryptog. L. Express 18. 4. 6540–6549 (2009). M. LFSR-based hashing and authentication. Field test of quantum key distribution in Lect. et al. Nature 453. Sci.O. L. Progr.K. 012081 (2016). Lang. Shostak.M. Q. A. environment.07154. Opt. ACM T. [22] Sasaki. Quantum digital signatures. Sys...000-km quantum link is almost tion setup for research and development applications. T.. 501. H. E. & Chuang. [35] Sokolov. Modular quantum key distribu- [24] Zhang. 69–72 (2013).O. Trushechkin. https://dx. A 95.-Y.V. 118–126 (2002). 35.J. Metropolitan all-pass and inter. M. T.S. Shostak. H. key distribution network. Sci. 2. The Byzan- [29] Smania.