Quantum crypto-economics: Blockchain prediction markets for the evolution of quantum technology
Peter P. Rohde, Vijay Mohan, Sinclair Davidson, Chris Berg, Darcy Allen, Gavin K. Brennen, Jason Potts
Centre for Quantum Software & Information (QSI), University of Technology Sydney, NSW, Australia
RMIT Blockchain Innovation Hub, RMIT University, VIC, Australia
Center for Engineered Quantum Systems, Dept. of Physics & Astronomy, Macquarie University, 2109 NSW, Australia
(Dated: February 2, 2021)
Two of the most important technological advancements currently underway are the advent of quantum technologies, and the transitioning of global financial systems towards cryptographic assets, notably blockchain-based cryptocurrencies and smart contracts. There is, however, an important interplay between the two, given that, in due course, quantum technology will have the ability to directly compromise the cryptographic foundations of blockchain. We explore this complex interplay by building financial models for quantum failure in various scenarios, including pricing quantum risk premiums. We call this ‘quantum crypto-economics’.
CONTENTS

I. Introduction
II. Blockchain & cryptography
   A. Blockchain
   B. Hash functions
   C. Public-key cryptography
   D. Digital signatures
III. The quantum challenge to blockchain
IV. A financial market indicator of quantum failure
   A. Crypto-bonds without quantum failure
   B. Quantum failure with a risk-free asset in same unit of account
   C. A Shor-attack on blockchain X

I. INTRODUCTION
Quantum computing (Nielsen and Chuang, 2000) has become widely recognised as having the potential to compromise essential elements of present-day cryptographic techniques, especially public-key cryptography and digital signatures. This has profound implications for emerging technologies such as blockchain. There are many misconceptions, however, on how this could occur. We spell out the margins where quantum computing could impact blockchain. We also present a financial market predictor of the likelihood of a successful quantum computer attack on blockchain-based assets. We define a successful quantum attack on a blockchain as ‘quantum failure’.

As a note on terminology, we refer to the original blockchain described by (Nakamoto, 2008) as the ‘Blockchain’, and its associated cryptocurrency is ‘Bitcoin’. When we use the term ‘blockchain’ we are referring to any generic blockchain. We discuss the Blockchain and blockchains in general for our purposes in the next section. For a discussion of blockchains in general see (Malekan, 2018) for an introductory coverage, (Werbach, 2018) for a more advanced overview, and (Berg et al., 2019) for a discussion of the economic implications of the blockchain.

We argue that quantum failure can manifest in two important and distinct ways: first, as a purely monetary phenomenon that reduces the value of the native cryptocurrency, but keeps the integrity of the ledger intact, and second, as an accounting/technological phenomenon that undermines the integrity of the ledger itself, making the blockchain and its native cryptocurrency worthless. We treat (and model) these as two distinct problems associated with quantum failure.

Consider the monetary aspect of a quantum attack first. Quantum failure can allow an attacker to solve a computational problem faster than other miners (on average), thereby earning the majority of the block rewards over the length of time the attack persists. For a system such as the bitcoin Blockchain, this implies that mining can produce coins faster than the current 6.25 coins every 10 minutes (potentially until all 21 million feasible Bitcoins have been produced). We refer to this phenomenon as Grover-expansion, because it increases the rate of monetary expansion (in this instance, of the native currency of a blockchain), a phenomenon well-known and well-understood in economics.

A couple of points are worth noting here. First, as defined here, Grover-expansion does not necessarily destroy the blockchain because if done on a small scale, it simply adds legitimate entries at a faster pace. Intuition would suggest that this monetary expansion will reduce the value of the native cryptocurrency, but need not necessarily reduce the value to zero. Second, many blockchain systems have a difficulty parameter built into the algorithms that oversee the rate at which these computations can be solved. In the case of Bitcoin, for example, the algorithm attempts to ensure that, on average, a block is added every 10 minutes. One could argue, therefore, that the difficulty parameter will adjust to negate the faster rate at which the quantum attacker solves the mining problem. The reality, however, is that the difficulty parameter is adjusted at discrete points in time, based on average computation rates in the past. For Bitcoin, the difficulty parameter is adjusted every 2016 blocks; at the current reward rate of 6.25 Bitcoin for every block, the attacker could earn a maximum of 12,600 Bitcoin before the parameter is adjusted. Moreover, once adjusted, the attacker would still be the fastest to solve the now more difficult computational problem.

If Grover attacks are done on a large scale, i.e. by a large mining pool equipped with quantum computers, then even more dangerous attacks are possible like the 51% attack. This occurs when the pool has over half the computational power of the network and allows dominating the blockchain. For example, such a dominant pool can perform a ‘double spend attack’ by performing a spend transaction on one branch of the blockchain while growing a parallel branch where that spend record is missing. Given the computational dominance, this parallel chain will likely grow larger than the original and trusted nodes will adopt it, hence allowing for a second spend at no additional cost.

The second manner in which a quantum attacker can exploit the blockchain is by falsifying digital signatures and stealing existing tokens. This quickly erodes trust in the ledger and could elicit panic selling. We refer to this type of attack as a Shor-attack; by rendering the blockchain entries unreliable, a Shor-attack would reduce the value of the native cryptocurrency, and indeed all assets denominated in that cryptocurrency, to zero. While this problem is distinct from Grover-expansion, it is quite possible that in some instances, depending on the nature of the blockchain, both attacks are launched simultaneously (or sequentially, with Grover-expansion preceding a Shor-attack), resulting in a Grover-Shor attack.

There are two major threat vectors enabled by a Shor-attack. The first is a fast steal. After a legitimate transaction has been added to the network but before it has been verified (usually within 10 minutes), the attacker can learn the private key of the sender from the publicly announced key. Then the attacker can broadcast a new transaction from the same sender’s address to themselves. If the attacker offers a higher transaction fee, that transaction will take priority in the queue and will be verified first, meaning successful and unstoppable theft. The second is the recovery of lost Bitcoin. It is estimated up to 33% of Bitcoin allocated so far on the network are associated with dormant public addresses from owners who presumably have lost their private keys and cannot access the coins (Stewart et al., 2018). A Shor-attack would allow the attacker to learn the private key and take those coins. This clearly would increase available supply and devalue the currency, especially if released quickly.

To understand the impact these attacks can have on financial markets, we construct a model that utilises simple bond pricing analytics, along with well-known parity conditions from exchange rate economics, to derive a financial indicator associated with the possibility of quantum failure. This model is useful for a number of reasons. First, it provides us with a method to infer the belief the market places on the probability of a quantum attack on a specific blockchain based on the risk premium of a bond denominated in the native cryptocurrency (or crypto-bond) of the blockchain. Second, the simplicity of the model structure allows for a careful delineation of how different types of quantum attacks — Grover-expansion and a Shor-attack — impact the risk premium for a crypto-bond threatened with a quantum attack. Third, the use of familiar parity conditions yields intuitive insights on relationships between the crypto and fiat (say USD) economy. For example, it is readily shown that under certain simplifying assumptions, the percentage change in the exchange rate between the cryptocurrency and USD equals (approximately) the difference between the rate of Grover-induced monetary expansion in the blockchain and the rate of inflation in the US economy; this is, of course, similar to purchasing power parity, and its derivation and intuition does indeed follow from that well-known exchange rate parity condition. Fourth, the model facilitates some simple comparative static exercises to gauge how parametric changes affect bond pricing analytics in this situation. Finally, the model sets the stage for a preliminary consideration of strategic issues relevant in this complex environment, where quantum attacks must be protected against ex ante and defended against ex post.

To motivate the final point regarding strategic interaction in this environment, we note that not all blockchains are equal — some are more valuable than others. It is also unclear what the motivations of a quantum hacker may be. A hacker motivated by financial gain may attack a blockchain based on their perception of success and amount of financial gain to be had. An ideological hacker, however, may choose to attack a very different blockchain for very different reasons. Whatever their motivation, it is unlikely that a quantum hacker would command the resources to attack all blockchains at the same time. This implies the existence of a malicious quantum hacker would become known before all blockchains could or would be attacked. This in turn raises questions as to what the optimal response would be to this information. It is very clear that a research agenda should exist that explores all these issues and likely responses to quantum failure.

In Sec. II, we set out the features of blockchain that are important for our argument. We then explain the quantum computing challenge to blockchain in Sec. III, and our financial model in Sec. IV. A conclusion and suggestions for further research follows in Sec. V.
II. BLOCKCHAIN & CRYPTOGRAPHY

A. Blockchain

The Blockchain, which forms the basis for modern cryptocurrencies including Bitcoin, is a distributed data-structure which maintains a cryptographically irrevocable, chronologically-ordered ledger of transactions between agents.

The original blockchain (the Blockchain) was designed by Satoshi Nakamoto (Nakamoto, 2008) to facilitate Bitcoin. This native internet currency has two important features of interest. First, it avoids a double-spending problem and it solves the Byzantine generals’ problem, which briefly put is the following: “How do you assure that multiple distant parties agree on the same plan of action even in the presence of a small number of malicious traitors?”

It performs both these functions by keeping an immutable record of the history of each Bitcoin. Economic agents — known as miners — are incentivised to maintain the Blockchain through the issuance of Bitcoin tokens as they add blocks containing transactions to the Blockchain. In the Blockchain protocol, miners spend computational effort to solve a puzzle (known as ‘proof of work’) and the first one to do it is rewarded with a Bitcoin issuance as well as a transaction fee.

These Bitcoins are issued at a known, but diminishing, rate that was algorithmically established by Satoshi Nakamoto. In total there will be 21 million Bitcoin issued over time, with the issuance amount halved roughly every 4 years. It is useful to differentiate between the Bitcoin issuance rate and a monetary inflation rate. The issuance rate is the rate at which the number of tokens in a blockchain increases over time. An inflation rate is the rate at which a monetary unit loses value. High issuance of a monetary unit (popularly known as ‘printing money’) is usually associated with high inflation rates. It is important, however, to maintain a distinction between these two concepts. A high rate of issuance of a blockchain token (Bitcoin being the original token) is not guaranteed to result in price inflation (devaluation of that token).

Importantly for our purposes, blockchain is based on several cryptographic primitives:

1. Digital signatures are used to certify transactions under a consensus algorithm, whereby a sufficient number of independent parties must collectively agree to sign off on the legitimacy of a transaction for it to be transcribed to the ledger.
2. Hashing is used to provide chronological links between connected transaction blocks, thus making the blockchain immutable, and Merkle tree data structures allow for fast and efficient verification of transactions by all parties (Merkle, 1988).
3. The computational difficulty of inverse hashing is used in some proof-of-work protocols, such as Bitcoin, for mining new coins.

These cryptographic primitives, however, have susceptibilities to the deployment of quantum computing, discussed in Sec. III.
B. Hash functions
Hash functions are also an essential cryptographic primitive with widespread applications. They take an arbitrary input bit-string and reduce it to a short, fixed-length hash that acts as a fingerprint of the original data in highly compact form,

$h(x) \to y.$ (2.1)

While the hash doesn’t contain the original data, good (cryptographic) hash functions are designed to make it incredibly difficult to infer what the (or a) likely input was that it corresponds to, on the basis that they are one-way functions (i.e. computationally easy to evaluate in the forward direction, but extremely computationally difficult to invert) and exhibit highly quasi-random behaviour. The problem of inverting hash functions — finding an input that maps to a given hash,

$x = h^{-1}(y),$ (2.2)

is, from a computational complexity perspective, conceptually similar to the problem of brute-forcing a symmetric-key crypto-system, and can be described mathematically in the same manner as a satisfiability problem. Note that, unlike the similarly-structured case of symmetric-key encryption, there is no key involved, and because the length of the output is fixed, there are necessarily collisions, whereby multiple unique inputs map to the same output hash.

The Bitcoin Blockchain implements proof-of-work via inverse hashing, whereby a legitimate coin is defined as a bit-string whose hash lies within a particular range. Specifically,

$\mathrm{SHA256}(\mathrm{SHA256}(c)) = y$ (2.3)

where SHA256 is a standard 256-bit hash function (256-bit Secure Hash Algorithm), and $c$ represents a legitimate coin when the output bit-string $y$ satisfies the constraint of having a fixed number of leading zeros.
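As an added illustration, not code from the paper, the following Python models the double-SHA256 search of Eq. (2.3) with a leading-zero-bits target, the per-period difficulty retarget that Sec. I says only bites every 2016 blocks, and the reward an out-pacing miner collects before that retarget. The header bytes and hash-rate ratios are constructed; the block reward, retarget interval, 10-minute target and 4x retarget clamp are Bitcoin's published rules, and the proportional-share model of block wins is an assumption stated in the comments.

```python
import hashlib

# Bitcoin parameters cited in the text (early 2021); header bytes below are constructed.
BLOCK_REWARD_BTC = 6.25
RETARGET_INTERVAL = 2016          # blocks between difficulty adjustments
TARGET_BLOCK_SECONDS = 600        # one block every 10 minutes on average


def double_sha256(data: bytes) -> bytes:
    """SHA256(SHA256(data)), the hash of Eq. (2.3)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a 256-bit digest: the difficulty constraint on y."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force a 32-bit nonce until double-SHA256(header || nonce) has at least
    `difficulty_bits` leading zeros.  Returns (nonce, digest, attempts), or None if
    the nonce space is exhausted.  This is the inverse-hashing search of Sec. II.B."""
    for nonce in range(max_nonce):
        digest = double_sha256(header + nonce.to_bytes(4, "little"))
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash, cheap for every node, unlike the search above."""
    digest = double_sha256(header + nonce.to_bytes(4, "little"))
    return leading_zero_bits(digest) >= difficulty_bits


def retarget(old_target: int, actual_period_seconds: float) -> int:
    """Bitcoin-style retarget, applied once per RETARGET_INTERVAL blocks: the target
    is scaled by actual/expected period length, with the ratio clamped to [1/4, 4].
    A faster-than-expected period lowers the target (harder puzzle), but only then."""
    expected = RETARGET_INTERVAL * TARGET_BLOCK_SECONDS
    ratio = min(max(actual_period_seconds / expected, 0.25), 4.0)
    return int(old_target * ratio)


def grover_expansion(attacker_rate: float, honest_rate: float = 1.0):
    """Block share, BTC reward and wall-clock length of one retarget period when an
    attacker with effective hash rate `attacker_rate` (in units of the honest rate the
    difficulty was last calibrated to) joins.  Assumed model: block wins are
    proportional to hash rate, so the period takes 2016*600/(1 + attacker_rate)
    seconds and the attacker can collect at most 2016 * 6.25 = 12,600 BTC in it."""
    total = attacker_rate + honest_rate
    share = attacker_rate / total
    period_seconds = RETARGET_INTERVAL * TARGET_BLOCK_SECONDS * honest_rate / total
    return share, share * RETARGET_INTERVAL * BLOCK_REWARD_BTC, period_seconds


if __name__ == "__main__":
    header = b"constructed-block-header"      # stand-in for an 80-byte block header
    nonce, digest, attempts = mine(header, difficulty_bits=16)
    print(f"nonce={nonce} attempts={attempts} hash={digest.hex()}")
    print("verifies:", verify(header, nonce, 16))
    for rate in (0.1, 1.0, 9.0):
        share, btc, secs = grover_expansion(rate)
        print(f"attacker {rate:>4}x honest: share={share:.2f} "
              f"reward={btc:,.0f} BTC  period={secs / 86400:.1f} days")
    # Difficulty responds only after the period, and the 1/4 clamp means a 9x
    # attacker (10-fold faster period) still faces a target that is too easy.
    scale = retarget(1 << 224, grover_expansion(9.0)[2]) / (1 << 224)
    print("target scale after a 9x attack period:", scale)
```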
Since hash functions are one-way functions by definition, the mining process requires repeatedly hashing random bit-strings via brute-force until an input is found satisfying the output constraint.

In economic terms, this implies that monetary expansion is directly related to the hash rate of computers allocated towards the mining process, modulated by a difficulty function, which algorithmically ensures that mining becomes progressively harder by adjusting the number of necessary leading zeros in the output bit-string $y$ from Eq. (2.3). This imposes an asymptotic cap on the token supply. Thus, the token issuance rate is effectively determined by the collective hash rate, and the algorithmically-imposed difficulty function.

C. Public-key cryptography
The most important cryptographic primitive we have today is public-key cryptography. Here the encryption-decryption process relies on two distinct keys, a public-key which can only be used to encrypt messages, and a private-key which can only be used to decrypt them. For this reason, such protocols are also referred to as asymmetric cryptography. Both keys combined are jointly referred to as a key-pair. The encryption and decryption operations can be defined mathematically as,

$f(m, k_{\mathrm{pub}}) \to c, \quad f^{-1}(c, k_{\mathrm{priv}}) \to m,$ (2.4)

where $f$ and $f^{-1}$ are the encryption and decryption operations, $m$ is the plain-text message, $c$ is the cipher-text, and $k = \{k_{\mathrm{pub}}, k_{\mathrm{priv}}\}$ is the key-pair comprising the public and private keys.

The reason asymmetric cryptography is so useful is that in most real-world scenarios in a globalised economy, we cannot go and meet people in advance of communicating with them to securely exchange secret keys. In fact, we may not even know them. By making everyone’s public-keys openly available, we are able to securely send messages to them, without first having to perform any secret key-exchange with them a priori in a dark alleyway. Importantly, one of the main criteria for such protocols is that the public and private keys cannot be computed from one another. Obviously, if one were able to look up a public-key on a key-server, and infer the associated private-key from it, the whole thing would be useless.

The original asymmetric cryptographic protocol was RSA, named after its inventors (Rivest et al., 1978). More recently, more efficient elliptic-curve cryptography (ECC) has become the norm (Koblitz, 1987; Miller, 1985). The mathematical basis of RSA is that a private-key is defined by two prime numbers, and the corresponding public-key is given by their product. The computational security arises from the unproven, but widely held belief that integer factorisation is an extremely computationally complex problem — believed to be NP-intermediate — that classical computers cannot efficiently solve. This directly equates to their inability to infer private-keys from public-keys — a so-called trapdoor function — and hence the cryptographic integrity of RSA. ECC is based on a different, but closely related mathematical problem, with the same essential cryptographic properties.

D. Digital signatures
While public-key cryptography can be utilised for securing messages, by reversing the roles of the public and private keys it can also be used to authenticate messages via the provision of digital signatures. When you receive an email from someone, you want to be sure it was actually they who sent it, and that the email you received hasn’t been modified or forged by someone else. Similarly, when logging into an online service like your email, users want to be sure they’re interacting with whom they actually think it is.

Using the same public-key system as before, let everyone who wishes to be able to authenticate their messages create an additional key-pair. This time, they make the key that can only be used for decryption public, keeping the one that can only be used for encryption private. Now when they send a message they want to digitally sign, they encrypt it (or just a hash of it), which they send along with the message. This encrypted hash acts as a digital signature, which others cannot falsify without knowing the privately-held encryption key. However, the publicly available decryption key can be used, upon receipt of a message along with its digital signature, to decrypt the signature and compare it with the message itself, thereby establishing its integrity.
III. THE QUANTUM CHALLENGE TO BLOCKCHAIN
Large-scale quantum computers directly compromise both RSA and ECC, via a quantum algorithm known as Shor’s integer factorisation algorithm (Shor, 1994) and the closely related discrete logarithm algorithm, allowing them to efficiently calculate private-keys directly from their associated public-keys. If and when quantum computing eventuates, this implies that the entire cryptographic backbone of our contemporary internet infrastructure would be compromised. In addition to compromising encrypted messages, Shor-armed quantum computers could by the same logic also compromise digital signatures.

The analysis changes slightly, however, for symmetric cryptography (and similarly for inverse hashing). Here two parties share a secret-key in common, which is used for both encryption and decryption. Because the same key facilitates both roles, this is also referred to as symmetric cryptography. The foremost current standard symmetric-key algorithm is AES256 (Advanced Encryption Standard, with 256-bit key-length) (Daemen and Rijmen, 2002). This standard is a widely-used cryptographic primitive in today’s internet software infrastructure.

In general, good symmetric cryptographic techniques are regarded as being very strong, in the sense that they are considered highly robust against conventional cryptanalytic techniques, such as differential cryptanalysis, which aren’t known to provide significant shortcuts over brute-force attacks. It’s therefore largely reasonable to associate their security with their vulnerability to brute-forcing, whereby we systematically try out all possible keys, attempting to decrypt an intercepted message using each one, and then running some simple tests (e.g. statistical or language tests) to flag whether one such decryption attempt is likely to correspond to the unencrypted plain-text message (it’s effectively certain that an incorrect key will not pass this test, providing a false-positive).

Using an encryption algorithm with key-length $n$, there are $2^n$ possible choices to work through, of which on average we’d have to try half until we find the right one. This exponential scaling grows extremely rapidly, and already $2^{256}$ combinations (as for AES256) far exceeds what any classical computer, present or future, could realistically iterate through systematically, from which the security of the algorithm arises.

This brute-force approach to cracking a code can be interpreted as what computer scientists refer to as a satisfiability problem — for some function that maps a plain-text input message and a key to an output cipher-text, $f(m, k) \to c$, which input value $m$ evaluates to a particular output $c$, assuming I don’t know the key $k$? In this case, the input is a given choice of key, and the binary output answers the question ‘is this a legitimate decryption?’. In general, satisfiability problems are extremely computationally hard to solve. From the field of computational complexity theory (Arora and Barak, 2009), they are known to be NP-complete in general. Although it’s unproven whether NP-complete problems can or cannot be efficiently solved on classical computers (proving this is one of the biggest open questions in the field of theoretical computer science), it is very strongly believed that they cannot be.

Formally, for a good cryptographic code, evaluating the function,

$f(m, k) \to c,$ (3.1)

should be computationally easy, whereas evaluating its inverse,

$f^{-1}(c, k) \to m,$ (3.2)

should also be computationally easy if $k$ is known, but extremely computationally hard (or impossible) if it is not.

A quantum algorithm known as Grover’s search algorithm provides a relatively modest quantum advantage in solving this class of problems (Grover, 1996). The computational advantage it provides is to effectively quadratically reduce the input search-space over the equivalent classical brute-force approach. That is, whereas previously we had to search over $2^n$ possible input configurations, now we effectively have to search over only $\sqrt{2^n} = 2^{n/2}$ of them. The right hand side of this equation provides the direct interpretation that it compromises security to the extent of effectively halving the respective key-length: $n$ becomes $n/2$. That is, the security of AES256 is effectively reduced to that of AES128. This is not an insurmountable problem, however, as a security response would be to simply switch to an AES512 standard.

Note that this enhanced scaling provided by Grover’s algorithm is in the ideal context of error-free quantum computation. In reality, large-scale quantum computers necessarily require error-correction (Shor, 1995), which incurs significant overheads of its own (the scaling of which is highly architecture-dependent). For this reason, any practical future quantum advantage will be significantly less than the already modest advantage described above. Indeed, if the error-correction overhead is too great, there may be no advantage at all.

While symmetric cryptography is far more robust against quantum attacks than asymmetric cryptography, it cannot be used for digital signatures by virtue of its symmetry.

Although it appears that symmetric cryptography is robust to the advent of quantum computing, this is not proven. Security remains at the level of computational security, i.e. the assumption that computers, classical or otherwise, are unable to provide sufficient computational resources to implement a systematic brute-force attack, or that future cryptanalytic techniques will not provide shortcuts around it.

A far stronger claim to security is via information-theoretic security, whereby no such assumptions about adversarial computational capabilities are made. There is one (and only one) such symmetric-key algorithm which provides this information-theoretic level of security — the one-time-pad (OTP) algorithm, also known as the Vernam cipher. This algorithm, however, is absurdly impractical for use. For any given encrypted message, a key of exactly the same length must be employed, which cannot then be reused; hence the name. Encryption is performed via a bit-wise XOR (or modulo-2 addition) operation between the plaintext message and key,

$c = m \oplus k.$ (3.3)

Decryption is performed by repeating the same procedure on the encrypted cipher-text,

$m = c \oplus k.$ (3.4)

Thus the protocol is symmetric.

This ‘solution’, however, is trivial: if agents had the ability to share a key of the same length as the message itself, which couldn’t subsequently be reused, they could use that opportunity to directly communicate the message. In short, one-time-pad encryption has very limited applicability.

Quantum cryptography provides a potential avenue to resolving the problems associated with the OTP protocol. By exploiting the randomness inherent in the measurement of quantum states, something imposed by the laws of quantum mechanics, it is possible to construct protocols for securely sharing long random bit-strings between remote parties. This is known as Quantum Key Distribution (QKD) (Bennett and Brassard, 1984; Ekert, 1991). It is impossible for the shared random strings to be compromised via intercept-resend attacks. This provides only the ability to securely share random data, not messages themselves. But by utilising this secure shared randomness as a source for OTP keys, it is possible, in principle, to resolve its impracticalities.

Of course, QKD need not only be used for OTP keys, but could be used for sharing secret keys for any other symmetric-key algorithm, such as AES256. This creates a hybrid protocol, whereby the distribution of secret-keys is facilitated by QKD, but any unknown vulnerabilities in the underlying conventional crypto-system go unchanged.

Footnote: The reason the key can only be safely employed once is because if two cipher-texts encrypted with the same key are XORed together we obtain the same as the XOR of the plain-texts, $c_1 \oplus c_2 = (m_1 \oplus k) \oplus (m_2 \oplus k) = m_1 \oplus m_2$, upon which we can directly apply a conventional two-letter frequency attack to statistically predict $m_1$ and $m_2$. As soon as either of these are known we trivially extract the key via $k = m_1 \oplus c_1$.
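The one-time pad of Eqs. (3.3)–(3.4) and the footnote's key-reuse identity, as an added Python example that is not from the paper: it implements the XOR cipher, shows that two ciphertexts under one pad cancel the key to give $m_1 \oplus m_2$ and that a known plaintext yields $k$, and wraps encryption in a pad store that refuses to use a key twice. The two messages and the fixed demo key are constructed; real pads come from `otp_keygen`.

```python
import os

# Constructed sample messages of equal length (as the one-time pad requires) and a
# fixed key so the demonstration is reproducible; real pads come from otp_keygen().
M1 = b"attack at dawn"
M2 = b"defend at dusk"
DEMO_KEY = bytes(range(len(M1)))


class PadReuseError(RuntimeError):
    """Raised when a pad key is presented for a second encryption."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-wise XOR (modulo-2 addition) of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key length must equal message length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """A fresh, uniformly random pad of exactly the message length."""
    return os.urandom(length)


def otp_encrypt(m: bytes, k: bytes) -> bytes:
    """Eq. (3.3): c = m XOR k."""
    return xor_bytes(m, k)


def otp_decrypt(c: bytes, k: bytes) -> bytes:
    """Eq. (3.4): m = c XOR k, the same operation, hence a symmetric cipher."""
    return xor_bytes(c, k)


def reused_key_leak(c1: bytes, c2: bytes) -> bytes:
    """The footnote's identity: c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2.
    The key cancels, so two ciphertexts under one pad expose the plaintexts' XOR."""
    return xor_bytes(c1, c2)


def recover_key(m: bytes, c: bytes) -> bytes:
    """Once either plaintext is known, the pad follows: k = m XOR c."""
    return xor_bytes(m, c)


class OneTimePad:
    """Encrypts with a pad only if it has never been used before: the 'one-time' rule
    enforced in code rather than left to discipline."""

    def __init__(self) -> None:
        self._spent: set = set()

    def encrypt(self, m: bytes, k: bytes) -> bytes:
        if k in self._spent:
            raise PadReuseError("pad already used; a second use would leak m1 XOR m2")
        self._spent.add(k)
        return otp_encrypt(m, k)


def demo() -> dict:
    """Run the footnote's argument end to end on the constructed messages."""
    c1 = otp_encrypt(M1, DEMO_KEY)
    c2 = otp_encrypt(M2, DEMO_KEY)          # the mistake: the same pad used twice
    leak = reused_key_leak(c1, c2)
    pad = OneTimePad()
    pad.encrypt(M1, DEMO_KEY)
    try:
        pad.encrypt(M2, DEMO_KEY)
        refused = False
    except PadReuseError:
        refused = True
    return {
        "round_trip_ok": otp_decrypt(c1, DEMO_KEY) == M1,
        "leak_equals_m1_xor_m2": leak == xor_bytes(M1, M2),
        "key_recovered_from_m1": recover_key(M1, c1) == DEMO_KEY,
        "reuse_refused": refused,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```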
In contemporary encrypted communications systems it is common to employ similar hybrid schemes combining symmetric and asymmetric elements, where a public-key system is used to share a shorter session-key, that is subsequently employed in a symmetric cipher. Typically this is performed using the Diffie-Hellman key-exchange protocol (Diffie and Hellman, 1976; Merkle, 1978). Such a hybrid QKD system effectively substitutes only the component associated with the exchange of session-keys.

While quantum algorithms do not entirely compromise hashing, they very much compromise digital signatures based on conventional public-key cryptographic techniques. This implies the ability for future quantum computers to transcribe fraudulent transactions to the Blockchain via falsifying the consensus, thereby undermining the integrity of the transaction ledger it maintains. In the worst-case scenario, this could effectively invalidate the future value of transcribed contracts from the point in time at which such a Shor-enabled compromise of the ledger becomes viable.

This highlights the importance of ‘post-quantum cryptography’ for future quantum-proof blockchain implementations. Already efforts are underway towards this goal. For example, the Quantum Resistant Ledger employs hash-based digital signatures for this purpose (note that hash-based signatures, despite being presumably robust against quantum attack vectors, have caveats of their own). And NIST has launched a project to identify and standardise post-quantum cryptographic protocols (csrc.nist.gov/projects/post-quantum-cryptography).

In summary, Grover’s algorithm can enhance hash-inversion as an instance of a satisfiability problem. This implies that quantum computation has the potential to distort the algorithmic token supply policy. We define the ability to artificially enhance monetary expansion as ‘Grover expansion’. This, combined with Shor’s algorithm’s ability to compromise digital signatures, suggests that blockchain technology would be severely compromised by the advent of quantum computing. This ability of quantum computing to compromise the public key cryptography that underpins blockchain, either through Grover-expansion or a Shor-attack, or both, can be described as ‘quantum failure’. An analysis of quantum attack vectors on cryptocurrencies is presented in (Aggarwal et al., 2017). One of the notable results there is that when accounting for fault tolerance overheads, the timeline for a successful Shor-attack is much sooner, perhaps 10-15 years, than for a substantial Grover-attack.

Footnote: The motivation for exchanging a session-key for use in a symmetric cipher, as opposed to directly communicating using an asymmetric cipher, is that the former are block-ciphers that map plain-text messages to cipher-text messages of the same length, $|c| = |m|$, whereas the latter induces significant space overheads in the cipher-text, $|c| \gg |m|$, thereby making it most space efficient to employ the latter once-off and the former thereafter.

IV. A FINANCIAL MARKET INDICATOR OF QUANTUM FAILURE
In this section, we construct a simple model based on (Bierman and Hass, 1975; Yawitz, 1977) to predict the impact of quantum failure on the assets in a crypto-economy.
A. Crypto-bonds without quantum failure
To keep the analysis intuitive, we consider a zero-coupon bond, B , denominated in some cryptocurrency, X . The bond has face value A , and time to maturityof one-year. We do not allow other maturities, althoughthese could readily be incorporated to derive yield curves.Risk in this model centres around the risk of quantumfailure. While there is no equivalent of risk-free treasurybonds in the crypto-bond market, future bond face valuepayments can be guaranteed through smart contracts.Consequently, default risk can be eliminated throughthe requirement that 100% of the borrowed funds bekept as collateral (possibly in assets denominated in adifferent currency, or even physical assets) in escrow viaa smart contract. Thus, while expensive, smart contractscan eliminate the possibility of the idiosyncratic risk ofdefault by the bond issuer. We assume that all agents arerisk-neutral.The first scenario we consider is one where either dueto technological advancements in blockchain technologyor lack of advancement in quantum ones, or both, a bondhas no risk of quantum failure. Thus, in addition to zeroidiosyncratic default risk, we impose zero systemic quan-tum risk. Given a yield to maturity (YTM) of i and price P , we have, P = A i . (4.1) B. Quantum failure with a risk-free asset in same unit ofaccount
Now consider a hypothetical intermediate case where there are two bonds existing simultaneously, denominated in the same cryptocurrency $X$:

• $B$, which is risk-free as before.
• $\hat{B}$, which is susceptible to quantum attack.

This cannot happen in general, because either the entire $X$ network is susceptible to quantum failure in the form of a Shor-attack (in which case all $X$-denominated assets are at risk) or the entire network is free from risk of quantum failure. Since quantum risk is systemic, this case is unrealistic and hypothetical because it assumes that quantum risk is idiosyncratic to some bonds. However, it is a useful intermediate stage in the thought process.

Let $0 < \rho < 1$ be the probability that $X$ survives the year without quantum failure, so that $1-\rho$ is the probability of quantum failure; the cases $\rho = 0$ and $\rho = 1$ are trivial. In the case of $\rho = 1$ quantum failure never occurs and the problem reduces trivially to the standard analysis. In the second instance, $\rho = 0$, quantum failure occurs with certainty, in which case no rational agent will hold risky crypto-bonds at any positive price. We assume that if quantum failure occurs for $\hat{B}$, it will pay zero to the holder of the bond. For the risky asset we have, similar to before,

$$\hat{P} = \frac{A}{1+\hat{i}}. \qquad (4.2)$$

Since agents are risk-neutral, $\hat{B}$ is also worth its expected payoff $\rho A$ discounted at the risk-free yield, $\hat{P} = \rho A/(1+i)$. Arbitrage between the risky and risk-free bonds therefore yields

$$\hat{i} = \frac{1+i}{\rho} - 1. \qquad (4.3)$$

From this we can determine the bond risk premium that arises from the possibility of quantum failure,

$$R = \hat{i} - i = \frac{(1+i)(1-\rho)}{\rho}. \qquad (4.4)$$

This result translates the risk of quantum failure into its respective bond risk premium. So, if quantum risk were idiosyncratic, by looking at the risk premium $R = \hat{i} - i$ we can infer the probability $1-\rho$ that the crypto-market is placing on quantum failure occurring, providing a mechanism (even for non-market-participants) to infer quantum risk from a market-based indicator.

C. A Shor-attack on blockchain X

Now consider the existence of two separate systems, one of which is free from quantum risk and one that is exposed to quantum failure. It is not necessary that the former exists in the crypto world; it could well be the fiat economy.
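Before the two-system case is developed, the following Python example checks the single-unit-of-account relations of Sec. IV.B numerically. It is added here and is not the paper's code: it prices $B$ and $\hat{B}$ under risk neutrality, recovers Eqs. (4.3) and (4.4), and inverts them so that an observer who sees only the two yields recovers the market-implied failure probability $1-\rho$. The face value, yields and $\rho$ are constructed inputs, and the function names are this example's own.

```python
"""Sec. IV.B worked example (added; not the paper's code).

One-year zero-coupon bonds in the same cryptocurrency X: B is risk-free,
B-hat pays A if X survives the year (probability rho) and 0 on quantum
failure.  Agents are risk-neutral.  All inputs below are constructed.
"""


def price_risk_free(face: float, i: float) -> float:
    """Eq. (4.1): P = A / (1 + i)."""
    return face / (1.0 + i)


def price_risky(face: float, i: float, rho: float) -> float:
    """Risk-neutral price of B-hat: expected payoff rho*A discounted at the
    risk-free yield i.  rho = 0 and rho = 1 are the trivial cases excluded
    in Sec. IV.B (certain failure: no positive price; no risk: B itself)."""
    if not 0.0 < rho < 1.0:
        raise ValueError("rho must lie strictly between 0 and 1")
    return rho * face / (1.0 + i)


def risky_yield(i: float, rho: float) -> float:
    """Eq. (4.3): equating A/(1 + i_hat) with rho*A/(1 + i) gives
    i_hat = (1 + i)/rho - 1."""
    return (1.0 + i) / rho - 1.0


def risk_premium(i: float, rho: float) -> float:
    """Eq. (4.4): R = i_hat - i = (1 + i)(1 - rho)/rho."""
    return (1.0 + i) * (1.0 - rho) / rho


def implied_failure_probability(i: float, i_hat: float) -> float:
    """Invert Eq. (4.3): from the two observed yields recover rho and hence
    the market-implied probability of quantum failure, 1 - rho."""
    if i_hat < i:
        raise ValueError("a risky bond cannot yield less than the risk-free one")
    rho = (1.0 + i) / (1.0 + i_hat)
    return 1.0 - rho


def demo() -> dict:
    """Constructed scenario: A = 100 X, risk-free YTM 3%, survival 90%."""
    face, i, rho = 100.0, 0.03, 0.90
    i_hat = risky_yield(i, rho)
    return {
        "P": price_risk_free(face, i),
        "P_hat": price_risky(face, i, rho),
        "P_hat_from_yield": price_risk_free(face, i_hat),  # Eq. (4.2)
        "i_hat": i_hat,
        "R": risk_premium(i, rho),
        "implied_failure": implied_failure_probability(i, i_hat),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>18}: {value:.6f}")
```

With these inputs the risky bond must yield about 14.4% against 3% risk-free, a premium of about 11.4%, and feeding the two yields back into the inversion returns the 10% failure probability the scenario started from; `price_risky` refuses the trivial $\rho \in \{0, 1\}$ cases the section sets aside.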
The two requirements needed to conceptualise 'risk-free' in this context are:

1. There must be no idiosyncratic risk of default for the bond.
2. The system must not be susceptible to quantum failure.

Fiat can satisfy the first requirement through the issuance of government securities (treasury bills and bonds) and, even if public-key cryptography fails, can satisfy the second requirement through the exclusive use of cash (notes and coins). A crypto-system can satisfy the first requirement through smart contracts, and the second only if the required technological advancements occur.

For the purposes of our analysis, there is one system (either fiat or crypto) using currency $X^*$, and one blockchain, $X$, that is susceptible to quantum risk in the form of a Shor-attack that will render its cryptocurrency worthless. The former has a risk-free bond, $B^*$; the latter's crypto-bond, which is susceptible to quantum failure, is $\hat{B}$ from Sec. IV.B, and will pay out zero if there is a Shor-attack. In the following we assume $X^*$ to be fiat, specifically USD.

Since these two systems rely on different units of account to price assets, there is a current spot exchange rate, $S$, that measures the price of 1 unit of $X^*$ in terms of $X$. Thus, a bond priced at $P$ units of $X$ is worth $P/S$ units of $X^*$, and so on.

Further, suppose the expected spot rate at the end of the one-year period when the bond matures is $S^e$. There are two possibilities:

1. The exchange rate is fixed: $X$ is a stablecoin pegged to $X^*$ (USD), in which case $S^e = S$.
2. The exchange rate is flexible: $S^e \neq S$ in general.

Suppose exchange rates are flexible. To link the yield to maturity of the crypto-bond with risk of quantum failure to the yield to maturity of the risk-free treasury bond, we proceed via two steps. First, we compare two assets with identical risk attributes: the (hypothetical) risk-free crypto-bond, $B$, denominated in $X$ (from Sec. IV.B), and the risk-free bond denominated in $X^*$.
Second, we value the risky crypto-bond, $\hat{B}$ (denominated in $X$).

For the first step, if $i^*$ is the interest rate on $B^*$, assuming uncovered interest parity (UIP) holds,

$$1 + i = \frac{S^e (1+i^*)}{S}. \qquad (4.5)$$

For an equilibrium where both $\hat{B}$ and $B^*$ are held, from Eqs. (4.3) and (4.5) we have

$$\hat{i} = \frac{S^e (1+i^*)}{\rho S} - 1, \qquad (4.6)$$

$$S^e = \frac{\rho S (1+\hat{i})}{1+i^*}, \qquad (4.7)$$

or in terms of percentages,

$$\dot{S}^e = \frac{\rho (1+\hat{i})}{1+i^*} - 1, \qquad (4.8)$$

where

$$\dot{S}^e \equiv \frac{S^e - S}{S}. \qquad (4.9)$$

Thus, the equilibrium expected appreciation or depreciation of $X^*$ in terms of $X$ depends not only on the interest rate differential, but also on the probability of quantum failure. For any other spot rate expectation, given the yields to maturity, arbitrage possibilities will exist.

The risk premium on the risky crypto-bond becomes

$$R = \hat{i} - i^* = \frac{(1+i^*)(1+\dot{S}^e - \rho)}{\rho}. \qquad (4.10)$$

Compared to the previous result from Eq. (4.4), there is an added element of foreign exchange risk, captured by the presence of $\dot{S}^e$.

In the case where $X$ is a stablecoin, $\dot{S}^e = 0$, and if we know $i^*$ (say the interest rate on a USD 1-year treasury bond) and $\hat{i}$ (the yield to maturity on the risky bond), we can infer $\rho$, and hence $1-\rho$, the market expectation of quantum failure. In the case of a flexible exchange rate, however, the market's beliefs about $\dot{S}^e$ would have to be estimated before such an inference about market perceptions of quantum failure can be made.

D. The impact of expansion
To investigate the impact of increases in the rate of coin issuance through Grover-expansion, we begin by noting that typically no cryptocurrency, including Bitcoin, acts as a unit of account for the purchase and sale of goods and services. Rather, as pointed out by (Bolt and Van Oordt, 2019), vendors who accept payments in cryptocurrencies often simply convert a fiat price to the cryptocurrency price using an exchange rate $S$.

Assuming that the currency free from quantum risk, $X^*$ (USD), is the unit of account, this essentially implies that the Law of One Price holds. If so, for any good or service $\phi$, the price denominated in cryptocurrency $X$ is $p_\phi = p^*_\phi S$, where $p^*_\phi$ is the price of $\phi$ denominated in $X^*$. Since this is true for every good, it follows that Purchasing Power Parity (PPP) holds for any aggregate measure of price levels (such as the Consumer Price Index) in any period $t$. Denoting the price levels in period $t$ as $C_t$ and $C^*_t$, PPP implies

$$C_t = C^*_t S_t. \qquad (4.11)$$

Consider now the transactions version of the quantity equation (Fisher, 1911), used in (Bolt and Van Oordt, 2019) in the context of pricing cryptocurrencies, which we now suppose holds in cryptocurrency system $X$,

$$C_t T_t = M_t V_t. \qquad (4.12)$$

Here,

• $V_t$ denotes the velocity of cryptocurrency $X$ during period $t$.
• $T_t$ denotes the quantity of goods and services transacted on blockchain $X$ during period $t$.
• $C_t$ is the aggregate price level in blockchain $X$.
• $M_t$ is the quantity of tokens (money) issued in cryptocurrency $X$.

Eq. (4.12) can now be expressed as

$$\frac{C_t}{C^*_t}\,(C^*_t T_t) = M_t V_t, \qquad (4.13)$$

where $C^*_t T_t$ denotes the value of transactions on blockchain $X$ but denominated in currency $X^*$. Given that PPP holds, it follows from Eq. (4.11) that

$$S_t = \frac{M_t V_t}{C^*_t T_t}. \qquad (4.14)$$

If PPP holds in every period, we have

$$S_{t-1} = \frac{M_{t-1} V_{t-1}}{C^*_{t-1} T_{t-1}}. \qquad (4.15)$$

To integrate this with the bond market analysis, it is worthwhile outlining the timeline more precisely, as shown in Fig. 1.
Specifically, we assume that each period lasts for one year, and we consider period $t-1$ as the past year. The bond is issued at the end of period $t-1$, when the spot rate is $S_{t-1}$. The bond matures at the end of the following one-year period $t$. With probability $\rho$ the crypto-economy $X$ survives period $t$.

Figure 1: Timeline for the asset pricing model. Bonds are issued at the end of period $t-1$ and mature at the end of period $t$.

As is evident from the timeline in Fig. 1, all the variables realised during period $t-1$, namely $S_{t-1}$, $M_{t-1}$, $V_{t-1}$, $C^*_{t-1}$ and $T_{t-1}$, are predetermined at the time of bond issuance and when investment decisions are made. At this time, moreover, investors must form expectations over the realisation of period $t$ variables. In the absence of a quantum attack, the issuance of money is algorithmically determined for cryptocurrencies, and $M_t$ is known to investors at the end of period $t-1$. Investors must form expectations over the remaining variables, which include $S^e_t$, $C^{*e}_t$, $V^e_t$ and $T^e_t$. With this timeline, it follows that

$$S^e_t = \frac{M_t V^e_t}{C^{*e}_t T^e_t}. \qquad (4.16)$$

Given the relatively short timeline we are focusing on (two periods, $t$ and $t-1$), we assume that velocity is stable and common knowledge, such that $V_{t-1} = V_t = V$. Then, from Eqs. (4.15) and (4.16), we have, in the absence of quantum attack,

$$\frac{S^e_t}{S_{t-1}} = \frac{M_t}{M_{t-1}} \cdot \frac{C^*_{t-1}}{C^{*e}_t} \cdot \frac{T_{t-1}}{T^e_t}. \qquad (4.17)$$

Converting this to percentage changes gives

$$1 + \dot{S}^e = \frac{1+\mu}{(1+\pi^{*e})(1+\dot{T}^e)}, \qquad (4.18)$$

where:

• $M_t/M_{t-1} = 1+\mu$, where $\mu$ is the rate of change of the money supply, in other words the rate at which new tokens are issued in $X$, which is an algorithmically determined constant.
• $C^{*e}_t/C^*_{t-1} = 1+\pi^{*e}$, where $\pi^{*e}$ is the expected inflation of goods and services in the fiat system $X^*$.
• $T^e_t/T_{t-1} = 1+\dot{T}^e$, where $\dot{T}^e$ is the rate at which transactions are expected to change over the given period.
• $S^e_t/S_{t-1} = 1+\dot{S}^e$, where $\dot{S}^e$ is the expected appreciation/depreciation of $X^*$ in terms of $X$.

In order to focus on the role of token issuance on exchange rate expectations, let us assume that the volume of transactions using cryptocurrency is expected to be stable, i.e. $\dot{T}^e = 0$. This assumption is readily dropped if the focus shifts from token issuance to gauging the impact of increasing or decreasing popularity of $X$ measured in terms of the volume of transactions, or if a more general approach is required. Under this assumption we obtain

$$1 + \dot{S}^e = \frac{1+\mu}{1+\pi^{*e}}. \qquad (4.19)$$

The following approximation then holds (ignoring the product $\dot{S}^e \pi^{*e}$ for small percentage changes),

$$\dot{S}^e \simeq \mu - \pi^{*e}. \qquad (4.20)$$

Assuming that transaction volumes are stable ($\dot{T}^e = 0$) and that the velocity of cryptocurrency $X$ is stable, the percentage change in the exchange rate is approximately equal to the rate of token issuance for cryptocurrency $X$ minus inflation of goods and services in the risk-free system $X^*$.
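To carry Secs. IV.C and IV.D through numerically, the following Python example, added here and not the paper's code, implements the UIP link of Eq. (4.5), the two-system premium of Eq. (4.10), the stablecoin inference, the exchange-rate forecast of Eqs. (4.18)-(4.20), and the Grover-expansion extension and premium inversion developed next in this section, with a finite-difference check of the comparative-statics signs stated there. The conventions are the paper's ($S$ is the price of one unit of $X^*$ in $X$, $\rho$ the survival probability of $X$, $\mu$ the algorithmic issuance rate, $\mu_G$ the Grover-expanded issuance rate and $\pi^{*e}$ expected inflation in $X^*$); every numeric input is constructed, and the function names are this example's own.

```python
"""Secs. IV.C-IV.D worked example (added; not the paper's code).

Conventions: S is the price of one unit of X* (USD) in units of X; rho is
the one-year survival probability of X; mu the algorithmic token issuance
rate; mu_g the issuance rate achievable under Grover-expansion; pi_star the
expected X* inflation; t_dot the expected growth in transaction volume.
All numeric inputs below are constructed.
"""


def uip_yield(i_star: float, s_dot: float) -> float:
    """Eq. (4.5) in rate form: 1 + i = (1 + S_dot)(1 + i*)."""
    return (1.0 + s_dot) * (1.0 + i_star) - 1.0


def risky_yield_fx(i_star: float, s_dot: float, rho: float) -> float:
    """Eq. (4.6): 1 + i_hat = (1 + S_dot)(1 + i*)/rho."""
    return (1.0 + s_dot) * (1.0 + i_star) / rho - 1.0


def risk_premium_fx(i_star: float, s_dot: float, rho: float) -> float:
    """Eq. (4.10): R = i_hat - i* = (1 + i*)(1 + S_dot - rho)/rho."""
    return (1.0 + i_star) * (1.0 + s_dot - rho) / rho


def implied_rho_stablecoin(i_star: float, i_hat: float) -> float:
    """Stablecoin case, S_dot = 0: Eq. (4.6) inverts to rho = (1+i*)/(1+i_hat)."""
    return (1.0 + i_star) / (1.0 + i_hat)


def expected_s_dot(mu: float, pi_star: float, t_dot: float = 0.0) -> float:
    """Eq. (4.18), exact: 1 + S_dot = (1 + mu)/((1 + pi*)(1 + T_dot)).
    With t_dot = 0 this is Eq. (4.19); S_dot ~ mu - pi* is Eq. (4.20)."""
    return (1.0 + mu) / ((1.0 + pi_star) * (1.0 + t_dot)) - 1.0


def expected_s_dot_grover(mu: float, mu_g: float, pi_star: float, rho: float) -> float:
    """Eq. (4.24): issuance is mu with probability rho, mu_g with 1 - rho."""
    return (1.0 + rho * mu + (1.0 - rho) * mu_g) / (1.0 + pi_star) - 1.0


def risk_premium_grover(i_star, mu, mu_g, pi_star, rho) -> float:
    """Eq. (4.25): Eq. (4.10) with S_dot taken from Eq. (4.24)."""
    return (1.0 + i_star) / rho * (
        (1.0 + rho * mu + (1.0 - rho) * mu_g) / (1.0 + pi_star) - rho)


def implied_rho_grover(i_star, i_hat, mu, mu_g, pi_star) -> float:
    """Invert Eq. (4.25) for rho.  Substituting (4.24) into (4.6) gives
    (1+i_hat) rho (1+pi*) = (1+i*)(1 + rho mu + (1-rho) mu_g), linear in rho."""
    numer = (1.0 + i_star) * (1.0 + mu_g)
    denom = (1.0 + i_hat) * (1.0 + pi_star) - (1.0 + i_star) * (mu - mu_g)
    return numer / denom


def premium_sensitivities(i_star, mu, mu_g, pi_star, rho, h=1e-6) -> dict:
    """Central finite differences of Eq. (4.25).  Signs should match the
    four comparative-statics results: +mu, +mu_g, -pi*, -rho."""
    def R(**overrides):
        p = dict(i_star=i_star, mu=mu, mu_g=mu_g, pi_star=pi_star, rho=rho)
        p.update(overrides)
        return risk_premium_grover(**p)
    return {
        name: (R(**{name: base + h}) - R(**{name: base - h})) / (2 * h)
        for name, base in (("mu", mu), ("mu_g", mu_g), ("pi_star", pi_star), ("rho", rho))
    }


def demo() -> dict:
    """Constructed scenario: i* = 2%, BTC issuance 5%, US inflation 2%,
    survival 90%, Grover-expanded issuance 25%."""
    i_star, mu, pi_star, rho, mu_g = 0.02, 0.05, 0.02, 0.90, 0.25
    s_dot = expected_s_dot(mu, pi_star)          # the section's 5% / 2% example
    s_dot_g = expected_s_dot_grover(mu, mu_g, pi_star, rho)
    i_hat_g = risky_yield_fx(i_star, s_dot_g, rho)
    i_hat_stable = risky_yield_fx(i_star, 0.0, rho)
    return {
        "s_dot": s_dot,
        "s_dot_approx": mu - pi_star,
        "i_no_risk": uip_yield(i_star, s_dot),
        "s_dot_grover": s_dot_g,
        "i_hat_grover": i_hat_g,
        "R_grover": risk_premium_grover(i_star, mu, mu_g, pi_star, rho),
        "rho_from_grover": implied_rho_grover(i_star, i_hat_g, mu, mu_g, pi_star),
        "rho_from_stablecoin": implied_rho_stablecoin(i_star, i_hat_stable),
        "sensitivities": premium_sensitivities(i_star, mu, mu_g, pi_star, rho),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

Two things are worth noticing in the output. The exact Eq. (4.18) gives an expected USD appreciation of about 2.94% for the 5%/2% inputs, against the 3% of the approximation (4.20), and under UIP that makes the hypothetical risk-free crypto-bond yield exactly the issuance rate. With Grover-expansion admitted, the risky yield rises to about 18.9% and both inversions (stablecoin, and the Eq. (4.25) route that needs $\mu$, $\mu_G$ and an inflation forecast) return the 90% survival probability the scenario was built from; the finite-difference sensitivities come out as $+1$, $+0.111$, $-1.166$ and $-1.543$, matching the signs of the four comparative statics.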
So, for example, if BTC (blockchain $X$) token supply increases by 5% every year and inflation of goods and services in the US (risk-free system $X^*$) is 2%, we would expect the USD to appreciate by approximately 3% in terms of BTC. As an aside, it is evident that the expectation of inflation in the US may itself be driven by the expected rate of change of the USD money supply by the Federal Reserve.

Now suppose we allow for the possibility of a quantum attack and Grover-expansion in period $t$. Letting $\mu_G$ represent the maximum possible monetary expansion that can be achieved by the quantum attacker by virtue of speeding up the mining process through enhanced computational (quantum) capabilities, Eq. (4.16) transforms to

$$S^G_t = \frac{M^G_t V^e_t}{C^{*e}_t T^e_t}, \qquad (4.21)$$

where

$$\frac{M^G_t}{M_{t-1}} = 1 + \mu_G. \qquad (4.22)$$

Thus, allowing for the possibility of Grover-expansion, the expected exchange rate is now

$$S^e_t = \rho\,\frac{M_t V^e_t}{C^{*e}_t T^e_t} + (1-\rho)\,\frac{M^G_t V^e_t}{C^{*e}_t T^e_t} = \frac{V^e_t}{C^{*e}_t T^e_t}\left[\rho M_t + (1-\rho) M^G_t\right]. \qquad (4.23)$$

This yields the parallels to Eqs. (4.19) and (4.20),

$$1 + \dot{S}^e = \frac{1 + \rho\mu + (1-\rho)\mu_G}{1+\pi^{*e}}, \qquad \dot{S}^e \simeq \rho\mu + (1-\rho)\mu_G - \pi^{*e}. \qquad (4.24)$$

Eq. (4.24) suggests that the expected exchange rate will incorporate the possibility of Grover-expansion in a quantum attack. Moreover, the higher the magnitude of Grover-expansion the market expects, the more the USD is expected to appreciate (and the cryptocurrency depreciate).

Apart from being interesting in its own right as a way to predict exchange rate changes based on algorithmically determined token increases and (fiat) inflation, this exchange rate forecast impacts the risk premium of the risky bond if we combine Grover-expansion with a Shor-attack. Substituting Eq. (4.24) into Eq. (4.10),

$$R = \hat{i} - i^* = \frac{1+i^*}{\rho}\left[\frac{1 + \rho\mu + (1-\rho)\mu_G}{1+\pi^{*e}} - \rho\right]. \qquad (4.25)$$

This implies that if $\hat{i}$ and $i^*$ are known, along with the algorithmically determined $\mu$, the market expectation of the impact of Grover-expansion ($\mu_G$), and a publicly available forecast of expected inflation in system $X^*$, we can infer the market expectation of the probability of quantum failure, $1-\rho$.

Finally, we can state some simple comparative static results. All else being equal, the risk premium on crypto-bond $\hat{B}$ increases when, from Eq. (4.25):

1. The rate of token issuance $\mu$ is higher, since $\partial R/\partial\mu = (1+i^*)/(1+\pi^{*e}) > 0$ unless deflation in $X^*$ (say fiat) is more than 100% ($\pi^{*e} < -1$).
2. The expected Grover-expansion $\mu_G$ is higher, since $\partial R/\partial\mu_G = (1-\rho)(1+i^*)/[\rho(1+\pi^{*e})] > 0$, again unless deflation in $X^*$ (say fiat) is more than 100% ($\pi^{*e} < -1$).
3. Expected inflation in $X^*$ decreases, since $\partial R/\partial\pi^{*e} = -(1+i^*)(1+\rho\mu+(1-\rho)\mu_G)/[\rho(1+\pi^{*e})^2] < 0$.
4. The probability $\rho$ of $X$ surviving decreases, since $\partial R/\partial\rho = -(1+i^*)(1+\mu_G)/[\rho^2(1+\pi^{*e})] < 0$.

E. Quantum failure & heterogeneous blockchains
Now suppose that there is one risk-free system (crypto or fiat), $X^*$, and $n$ blockchain systems $\{X_1, X_2, \ldots, X_n\}$ that are at risk of quantum failure with associated survival rates $\{\rho_1, \rho_2, \ldots, \rho_n\}$. Without loss of generality, suppose $\rho_1 > \rho_2 > \ldots > \rho_n$, such that the market believes $X_1$ has the greatest chance of surviving a quantum attack, and $X_n$ the lowest.

One question is why this belief structure exists. Given that quantum attacks are costly, the answer may depend on the attacker's objective. There are two separate issues here: first, the security of blockchains varies; second, the value of blockchains varies. Moreover, 'value' itself may depend on the attacker: a mercenary attacker may place the highest value on the blockchain with the largest capitalisation; a political attacker may target a blockchain that causes the greatest harm to a certain group. Irrespective of their motive, the expected benefit (to the attacker) of an attack on $X_i$ is $\sigma_i v_i$, where $\sigma_i$ denotes the probability that an attack will succeed, and $v_i$ the (subjective) value to the attacker upon success.

For the market to form a clear assessment of $\{\rho_i\}$, agents may therefore first need to establish who the attacker is and their motives. That is, it is quite possible that the probabilities of quantum failure, $\{1-\rho_i\}$, do not depend on technological security $\{\sigma_i\}$ alone. Once such an assessment of $\{\rho_i\}$ is formed, however, the set of risk premia $\{R_i\}$ reflects the market assessment of quantum failure in each system.

It is likely that in this situation, there being a single dominant blockchain (for example, the state of affairs conceived by Bitcoin maximalists) is not necessarily a good thing, because all the resources of the attacker could be devoted to compromising the security of the dominant system. Indeed, this opens up a number of strategic possibilities for attackers and market participants.

For example, suppose the attacker commences an attack on $X_i$.
Assuming they do not have the resources to attack all $n$ systems, how should participants in other systems respond? Should they immediately abandon blockchains $X \setminus X_i$ and flee to the safety of $X^*$? If that were the case, an attacker could destroy all $n$ systems by simply attacking the system with the greatest $\sigma_i$. The flight from all these blockchains will: (a) reduce their security to zero as miners depart; and (b) drive the exchange rate value of all cryptocurrencies in terms of $X^*$, $1/S_i$, to crash (presumably to zero), making tokens worthless during the process of exchanging them to $X^*$.

A better market response might be to diversify portfolios across blockchains (possibly stochastically) such that mercenary attackers are less likely to find highly concentrated capitalisation worth attacking. This suggests some degree of randomisation (mixed strategies) both by agents and attackers. There are some interesting game-theoretic considerations here that may be worth exploring in future research.

V. CONCLUSION & FUTURE RESEARCH DIRECTIONS
We have identified two vulnerabilities that blockchains have to the advent of quantum computing. Quantum hackers could falsify blocks being added to a blockchain and/or double spend tokens on any given blockchain, depending on the features of the blockchain. This behaviour would manifest itself as monetary inflation, a well-known and well-understood problem in the fiat economy. We are able to deploy standard economic analysis to develop a financial indicator that reveals the market's assessment of the likelihood of quantum failure. Our indicator relies on the existence of financially motivated individuals and pricing relationships that depend on the existence of efficient markets. As such we are confident that the indicator will be reasonably reliable in gauging quantum risk.

Our indicator, however, is only the beginning of an understanding of quantum failure. Scalable quantum computing will not arrive spontaneously or immediately be deployed to looting blockchains or stealing wealth. Widespread adoption is likely to be gradual and, initially, can be expected to be expensive and possessed by few. In short, the initial applications are unlikely to be malicious. If the cost of dedicating quantum infrastructure to compromising a given cryptographic asset outweighs the realisable profit from doing so (assuming financially motivated hackers), a rational quantum-capable player would not be expected to make this investment. Thus, one would reasonably expect cheap cryptographic assets to retain their integrity via the lack of incentive to compromise them. On the other hand, cryptographic assets of tremendous value would logically stand higher in the list of priorities of quantum hackers.

These insights raise all manner of questions as to how best to respond to the generalised problem of quantum computers hacking blockchains. Which blockchains are likely to be hacked and by whom? How should observers react? Would a successful quantum attack result in a 'flight to quality'? What does 'flight to quality' mean? Is it a flight to fiat? Should individuals diversify their exposure to quantum risk across blockchains? If so, should the risk of quantum attack be thought of as systematic risk, as in Markowitz portfolio risk (Markowitz, 1952)?

Another avenue of study is the effect on crypto-economics when many adversarial agents are equipped with quantum computers. For example, in Grover's algorithm there is a non-negligible probability of solving a problem by measurement before the algorithm finishes. This gives rise to a mixed Nash equilibrium strategy for the time to measure among many players trying to solve a problem like inverse hashing for mining first (Lee et al., 2018). This would have implications for the fluctuations in transaction speeds, presenting new opportunities for market manipulation.

Then there are geo-political risks. In addition to private agents developing quantum computing capability for their own purposes, nation states are also interested in quantum technology. How will this technology be regulated and controlled? The existence of rogue nation states developing capacity in this space is an immediate challenge to digital economic infrastructure over and above blockchain.

We propose that the analysis of the interplay between quantum computing and blockchain as economic infrastructure be labelled quantum crypto-economics.

ACKNOWLEDGEMENTS
Peter Rohde is funded by an ARC Future Fellowship (project FT160100397). Chris Berg, Sinclair Davidson, and Jason Potts are funded by an ARC Discovery (DP200101808). This research was funded in part by the Australian Research Council Centre of Excellence for Engineered Quantum Systems (Project number CE170100009).
REFERENCES
Aggarwal, Divesh, Gavin K. Brennen, Troy Lee, Miklos Santha, and Marco Tomamichel (2017), "Quantum attacks on bitcoin, and how to protect against them," Ledger, 10.5195/ledger.2018.127.
Arora, Sanjeev, and Boaz Barak (2009), Computational Complexity: A Modern Approach (Cambridge University Press).
Bennett, C. H., and G. Brassard (1984), "Quantum cryptography: Public key distribution and coin tossing," Proceedings of the IEEE, 8.
Berg, Chris, Sinclair Davidson, and Jason Potts (2019), Understanding the Blockchain Economy: An Introduction to Institutional Cryptoeconomics (Edward Elgar, Cheltenham).
Bierman, Jr., H., and J. E. Hass (1975), "An analytical model of bond risk differentials," Journal of Financial and Quantitative Analysis, 757.
Bolt, W., and M. R. C. Van Oordt (2019), "On the value of virtual currencies," Journal of Money, Credit and Banking, 835.
Daemen, Joan, and Vincent Rijmen (2002), The Design of Rijndael: AES – the Advanced Encryption Standard (Springer-Verlag).
Diffie, Whitfield, and Martin E. Hellman (1976), "New directions in cryptography," IEEE Transactions on Information Theory, 644.
Ekert, Artur K. (1991), "Quantum cryptography based on Bell's theorem," Physical Review Letters, 661.
Fisher, Irving (1911), "The purchasing power of money: Its determination and relation to credit, interest and crisis," The Economic Journal, 393.
Grover, L. K. (1996), "A fast quantum mechanical algorithm for database search," in Proceedings of the 28th Annual ACM Symposium on Theory of Computing, p. 212.
Koblitz, N. (1987), "Elliptic curve cryptosystems," Mathematics of Computation, 203.
Lee, Troy, Maharshi Ray, and Miklos Santha (2018), "Strategies for quantum races," arXiv:1809.03671.
Malekan, Omid (2018), The Story of the Blockchain (Triple Smoke Stack, New York).
Markowitz, Harry (1952), "Portfolio selection," The Journal of Finance, 77.
Merkle, R. C. (1988), "A digital signature based on a conventional encryption function," Advances in Cryptology - CRYPTO '87, 369.
Merkle, Ralph C. (1978), "Secure communications over insecure channels," Communications of the ACM, 294.
Miller, V. (1985), "Use of elliptic curves in cryptography," CRYPTO: Lecture Notes in Computer Science.
Nielsen, Michael A., and Isaac L. Chuang (2000), Quantum Computation and Quantum Information (Cambridge University Press, Cambridge).
Rivest, R., A. Shamir, and L. Adleman (1978), "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, 120.
Shor, Peter W. (1994), "Algorithms for quantum computation: discrete logarithms and factoring," in Symposium on the Foundations of Computer Science, Vol. 35, p. 124.
Shor, Peter W. (1995), "Scheme for reducing decoherence in quantum computer memory," Physical Review A, R2493.
Stewart, I., D. Ilie, A. Zamyatin, S. Werner, M. F. Torshizi, and W. J. Knottenbelt (2018), "Committing to quantum resistance: a slow defence for bitcoin against a fast quantum computing attack," R. Soc. Open Sci., 180410.
Werbach, Kevin (2018), The Blockchain and the New Architecture of Trust (The MIT Press, Cambridge).
Yawitz, J. B. (1977), "An analytical model of interest rate differentials and different default recoveries," Journal of Financial and Quantitative Analysis.