Quantum threat to Ethereum
As described above, the security of Ethereum (and many other cryptocurrencies) is based on the one-way relation between the private key and the address. A quantum computer using Shor’s algorithm is expected to break the one-way relation between the private and the public keys. This is the first step in Figure 1, The relation between the public key and the address is only partially impacted3. This means that a quantum computer can only derive the private key associated with a specific address if the public key is already known. This is only the case if the address has been used before to send funds.
We define quantum-exposed funds as coins residing in addresses where the public key is already published in the blockchain (through a transaction). Funds in addresses where the public key is not known (if funds have never been transferred out of the address) are not exposed, and are safe against currently known quantum attacks.
The unique way cryptography is used in cryptocurrencies (public keys are not always public) results in two distinct types of attacks: the storage attack and the transit attack.
Storage attack
In this attack, a malicious actor will search for funds that are stored in quantum-exposed addresses. They will then use a quantum computer to derive the private key associated with the vulnerable address, which will allow them to transfer the funds to a new address that is not vulnerable to a quantum attack.
Finding quantum-exposed funds is particularly easy in the Ethereum blockchain. Each node in the network keeps a balance sheet, called the world state, with all addresses that have ever been used and a counter that shows how many times they were used to transfer funds from. An attacker can simply look for all addresses in the world state where the counter is larger than 0. From the resulting list, the attacker picks a target address with plenty of funds. Next, they scan the blockchain for a transaction sent by this specific address and use it to obtain the corresponding public key. As explained before, after having obtained the public key, the attacker can now use a quantum computer to derive the private key and steal the funds from the targeted address.
We performed an analysis on the Ethereum blockchain to find out how many coins would be vulnerable to this type of attack. For the purpose of this analysis, we are focusing solely on Ethereum’s native token, Ether, and ignore other third party tokens implemented on Ethereum. Despite being ignored in this analysis, tokens implemented using the ERC20 standard that are stored in quantum-exposed addresses, would also be vulnerable to the storage attack.
In Figure 2 we see the result of the analysis, showing the total number of Ether in circulation over time, distinguishing between those in quantum-exposed addresses and those in non quantum-exposed addresses. From the data, it is clear that currently over 65% of all Ether are vulnerable to a quantum attack, and this number has been continuously increasing. This is a significantly larger percentage than the 25% we found for the Bitcoin blockchain in a previous analysis1.
The difference between Ethereum and Bitcoin is primarily caused by the fact that the Bitcoin architecture is based on generating a new address for each transaction (known as the “UTXO model”). Ethereum’s architecture is based on reusing the same address unless forced to do otherwise (known as the “account model”). The account model was intentionally chosen for Ethereum in order to facilitate the implementation and usage of smart contracts. However, it causes the funds within the network to, on average, be more vulnerable to quantum attacks.
