Hacking Crypto Wallets Could Happen, But There Is Still Time to Prepare
(Sponsored: Post-Quantum, CEO Andersen Cheng) In some ways, I have a lot in common with the cryptocurrency community and its values. Its steadfast pursuit in democratizing finance, ensuring that economic involvement and prosperity need no longer be afforded to the select few, is one that I admire.
As the leader of a firm offering some of the world’s most secure encryption, I believe deeply in the fundamental need for privacy and giving people the power to control how their data is being used. You can already see the similarities between these two philosophies.
I also appreciate the fact that cryptocurrencies are becoming more mainstream each day. According to data from Chainalysis, global adoption of cryptocurrency has taken off in the last year, up 881%.
However, if the industry is to build on this trend and deliver on its vision of democratizing the financial world, it must place post-quantum security at the top of the agenda.
Debunking some misconceptions
Right now, there is a lot of confusion about cryptocurrencies and the potential impact of quantum computers, which is the first hurdle that needs to be addressed. Outside of timescales and when code-breaking Quantum Computers will emerge, the central misconception surrounds how quantum computers will threaten the crypto market.
It’s worth pointing out at this stage that bitcoin and other cryptos use two security schemes, the hashing function used in the block creation and the Elliptic Curve Digital Signature Algorithm (ECDSA) used for signatures.
Some in the crypto community have pointed out the hashing function is quantum-safe, which is largely correct. But hashing is not what we need to worry about the most, as that is just confirmation of ‘immutability’ of a transaction. The major challenge is with the public-key algorithm used for signatures.
We all know that most of the world runs on asymmetric cryptography, in which individuals use a private and public key pair to access things like online banking. The public-private key pair lets users produce a digital signature, using their private key, which can be verified by anyone who has the corresponding public key.
In the case of cryptocurrencies, particularly Bitcoin and Ethereum, this digital signature is done through the ECDSA, which has become the go-to way in creating keys under the public key cryptographic system that is used to sign for transactions in most blockchains. This system allows crypto users to create a random private key and a deriving public key, meaning it is very difficult to find the private key that generated the public key.
However, quantum computers will be able to employ an algorithm to unravel the relationship between a public key and a private key, thus revealing and compromising the private key and threatening key ownership and the authenticity of the system itself.
What’s at risk?
The truth is that blockchain only provides immutability but not security, meaning if you had a quantum computer today, you could probably crack wallets on the blockchain. In the security community, we are of the view that this will be within five years’ time, and not the 10-20 years some are predicting for the commercial viability of quantum computers to come to fruition.
Yet, despite all this evidence, some in the crypto community still believe they won’t be at risk, particularly ledgers that claim they are hiding the public key from being exposed in intricate, but unclear ways. There are many problems with this position, namely that they are still vulnerable during the block confirmation time, which takes up to 10 minutes for bitcoin. Even if you ignore this risk, this obfuscation only serves to muddy the waters as the underlying crypto primitive is still not quantum-safe.
However, focusing on these intricacies also doesn’t consider the bigger picture. While key ownership and the signature process is arguably the most pressing issue, the reality is the entire crypto ecosystem is at risk. None of the current trade instruction, processing, settlement, monitoring, mark to market and client reporting platforms at the custodian end are secure for a post-quantum world.
It’s true that cryptocurrencies have a large developer community and it is likely that they will be able to come up with a replacement ledger that is post-quantum. This is fine if the community is only interested in the ledger and not the overall infrastructure for the entire ecosystem, but I’m firmly of the view that the latter will need as much protection, if not more, as crypto gets even more mainstream.
Take multi-signature wallets as an example: they will need to become upgraded as the underlying infrastructure from the signing request, approvers’ identity, authentication, the actual approval and transmission back to the multisignature entity will also need to become post-quantum.
Steps towards protection
The long and short of it is that the transition to post-quantum security across the entire crypto ecosystem needs to happen now. There is no recourse when Y2Q comes, as there is no government or central bank to compensate a cryptocurrency owner as everything is decentralized. And with the quantum migration likely to take years to accomplish, we must act now if we are to ensure the community is prepared. Otherwise, blockchain’s undeniable immutability will only serve to confirm beyond doubt that the cryptocurrency in your wallet has been signed and transferred to the wrong counterparty.
Fortunately, we know that steps are being taken to simplify this process. The National Institute of Standards and Technology (NIST) competition and the new post-quantum algorithms they are currently judging will be the central way the crypto community can quantum-proof the entire ecosystem. These post-quantum algorithms will be crucial if we are to not only easily upgrade the blockchain ledger’s crypto primitives, but also everything from future-proofing the wallet, transmission and all the custodian/exchange processes that have made crypto the success it is today.
I am rooting for the cryptocurrency community to succeed in its mission to even the financial playing field, but its longevity and ability to succeed will be determined by how seriously it takes this once-in-a-lifetime threat.