May 20, 2020
Monero transactions created between 2014 and 2020 utilize cryptographic mechanisms that were not designed to be private or secure against quantum computers. Algorithms that could theoretically circumvent several of Monero's security and privacy features are already known, such as Shor's algorithm (which breaks security based on the discrete logarithm problem) and Grover's algorithm (which could be used to forge blocks).
Let us define a hypothetical “practical” quantum computer as any device that enables an adversary to effectively circumvent some security expectation provided by cryptographic mechanisms. This is not defined by some magic number of qubits or any particular configuration; it refers to the capability to leverage methods such as Fourier fishing, Grover's algorithm, or Shor's algorithm with enough complexity to tackle modern cryptography. Speculation on whether practical quantum computers will ever exist, and when they might arrive, is outside the scope of this cryptography research proposal.
There are several ways that a sophisticated quantum adversary might access funds and sensitive information that would otherwise be cryptographically obfuscated:
Retroactive deanonymization puts today's Monero users at the hands of tomorrow's [quantum or classical] adversaries. If practical quantum computers that can break Monero's encryption arrive at any point in the future, then users' lifelong transaction history willl become public for ingestion by the AdTech industry, stalkers, criminals, and governments. It is irrelevant which party publishes a de-anonymized copy of the Monero blockchain first - the universal evaporation of privacy is irreversible.
Thankfully, cryptographers have developed several post-quantum security and privacy schemes that may be adaptable to Monero. Promising techniques include zero-knowledge lattice cryptography based on the shortest vector problem. Methods such as hash-based ring signatures, GLYPH (Schnorr-like lattice-based signature scheme), and the cohort of NIST post-quantum candidates were all designed to enable security in a post-quantum world. The quantum resistant ledger is of particular interest due to its extensibility, immutability, and RandomX integration - however no privacy features are currently implemented. Other designs for anonymous post-quantum cryptocash have been considered, and the Halo recursive zero-knowledge proving system offers plausible post-quantum security. Each approach has its own benefits, drawbacks, and space/time complexity - our research recommendations will take into account these practical considerations in addition to theoretical compatibility.
This research will (1) study and simulate the threats listed above to assess Monero's vulnerability to quantum computers, (2) evaluate post-quantum cryptography scheme candidates to create a roadmap for hardening Monero against quantum adversaries, and (3) openly communicate the results for a variety of audiences.
The advent of powerful quantum computers will wreak havoc on almost every aspect of our digital infrastructure. Access to sound money (which requires privacy) is a fundamental human right and should be considered a high priority for hardening against quantum adversaries. To our knowledge, there are currently no plausibly post-quantum anonymous currencies in use today, meaning that only short-to-intermediate term financial privacy is available with current technology. The first coin to implement long-term post-quantum privacy features will be in a strong position for adoption, even long before quantum computers arrive.
"A post-quantum world would destroy Amazon, Wells Fargo, Visa, and most world governments. But there's no reason it has to also destroy Monero."
R & D Institution: Insight
Funding Institution: Monero CCS
Duration: 3 months (June - August 2020)
The first phase of this problem will focus on identifying which of Monero's security features are susceptible to quantum adversaries. We'll look for vulnerabilities to known tools such as Shor's algorithm (which can find discrete logarithms is polynomial time, breaking the DL problem), Grover's algorithm (which produces a quadratic speedup when searching for inputs that map to a particular output for any black box function), and Fourier fishing in conjunction with the Deutsch-Josza algorithm (which can potentially be used in taking advantage of Monero's proof of work method in bounded-error quantum polynomial time).
Some vulnerabilities are already known, for example that cryptography based on elliptic curve and the discrete logarithm problem can be made insecure using Shor's algorithm. We will examine Monero's protocol for other examples of security based on problems that are computationally intractable for classical computers and easy for quantum computers. Some current privacy features are thought to be quantum resistant (such as Monero's masked amounts) and we will cautiously verify their security against our algorithmic adversarial toolkit.
Phase 1 deliverables:
|Monero mechanism 1
|Monero mechanism 2
After locating and documenting Monero's quantum vulnerabilities, we will identify alternative cryptographic schemes that mitigate these weaknesses. Known post-quantum systems will be examined for Monero-compatibility (see Appendix 1 for a list of potentially relevant literature to be analyzed). In addition to interoperability, we will note practical considerations related to verification time, signature/proof size, and implementation. If there are no known solutions for mitigating a particular vulnerability, we will note the constraints necessary for developing a unique solution.
There are three broad categories of implications, which are not mutually exclusive:
Vulnerable privacy features will be given highest priority, since retroactive deanonymization poses a threat to today's Monero users, whereas theft and mining are not an issue until quantum computers scale past a distant threshold. Mining vulnerabilities are the lowest priority, since switching consensus mechanisms is easier than implementing new cryptographic schemes.
It's important to note that many current post-quantum cryptography candidates require large proofs and significant computational resources, and will thus not be suitable for immediate deployment. For this reason, understanding broad strategies and their tradeoff will be more useful than specific implementations. Thankfully, consumer device capabilities increase over time, and researchers continue to discover new faster/smaller proving systems, so these practical barriers are temporary.
Phase 2 deliverables: List of vulnerabilities, following this format when possible:
Monero's [component] is vulnerable to [impact] by a hypothetical adversary that can leverage [algorithm]. In general, the solution must meet [requirements]. Current relevant methods include [cryptosystem] which would require [migration process] and has [tradeoffs] that would prevent implementation until [device bandwidth/resource threshold] is widely available.
Throughout this entire project, the community will receive updates during the weekly #monero-research-lab meetings. During phase 3 however, several specific documents (the key deliverables from this research) will be freely published:
Phase 3 deliverables:
User-friendly writeup: This community-facing writeup will provide an approachable explanation of how hypothetical quantum computers may impact Monero, and possible future mitigations. The writeup should minimize FUD and provide the context that these vulnerabilities apply to almost all cryptocurrencies (not only Monero).
Technical documentation: An MRL position paper to distill key information for (current and future) researchers and developers. The writeup should formally describe vulnerabilities, and highlight potential strategies and solutions, noting their tradeoffs. Code snippets may be included if appropriate for pedagogical purposes or clarity.
Non-technical 1-pager: An ELI5 / TL;DR summary will be provided for journalists, Monero Outreach, etc. This blurb will discuss risks and myths with no technical jargon, with key takeaways that a broad audience will appreciate.
Results and updates will be also disseminated via Twitter threads, Reddit posts, and Breaking Monero videos.
Updated 2020-05-20: Based on discussion in #monero-community earlier today, we are moving forward with option #2 below (pre-payment to mitigate volatility risks). The original text is left below for transparency & context.
The team tackling this project consists of one full-time researcher dedicated solely to this proposal (Adam), along with mentoring and writing by Mitchell (5-15 hr/wk), input from the Director of Security, and internal editors/reviewers. We intend to execute this research initiative over a twelve week period between June - August 2020 for 37500 USD.
Insight's bills and employees' salaries are dollar-denominated, so we must minimize exposure to volatility risk. We are open to three different approaches, and will let the community choose how to proceed:
Here is relevant literature that will be reviewed and annotated for utility to Monero. List compiled by Dr. Brandon Gooddell
To be paid: 100% (576 XMR)
Completion date: 14 July 2020
To be paid: 0% (0 XMR)
Completion date: September 2020
To be paid: 0% (0 XMR)
Completion date: September 2020
To be paid: 0% (0 XMR)
Completion date: October 2020
Funds Awarded: 576
Date: 14 July 2020