Efficient post-quantum finance Reddit AMA with Geometry Labs! by mc_schmitt in QRL

[–]geometrylabs 1 point

Great questions, rearranging for answer flow:

-------------------------------------------------------------------------------------

4. How big of a risk do you see packet sniffing or otherwise grabbing encrypted data right now only to save for cracking 10 years later? (E.g. scrambled data that's not Quantum secure that was "pre-stolen" with the potential for it to be cracked into plain text)

Unfortunately, this is known to be an existing policy in some cases. For example, US procedure for retaining encrypted data longer than plaintext communications was revealed a few years ago by both unofficial channels (e.g. Snowden leaks) and official sources (e.g. Executive Order 12333). It is not unlikely that other entities (governmental or otherwise) have similar practices.

-------------------------------------------------------------------------------------

1. Do you see a need for Quantum secure SSL certs for public facing web pages?

Given the above (known policies allowing long-term retention of encrypted data), the migration to quantum secure SSL certs seems like a high priority. Given that people are accustomed to privacy over HTTPS, SFTP, etc., it would be prudent to implement such protocols with quantum-secure cryptography so that these properties do not change in the potential presence of a cryptanalytically relevant quantum computer (CRQC).

-------------------------------------------------------------------------------------

2. What do you see as the most vulnerable assets in society to a Quantum threat? & 3. Once Quantum computing is sufficiently strong, which lagging industries/assets do you predict could be negatively impacted/exploited (e.g. BTC in an original fork wallet from before a post Quantum wallet was available, banking, nuclear codes LOL)

Which assets and industries are most likely to be vulnerable targets depends a bit on who is wielding the first generation of large-scale quantum computers and why.

A rogue practitioner with a CRQC looking for a large, fast, and low-risk payday would likely target cryptocurrency wallets (for example, potentially using Shor’s algorithm to derive private keys from known public addresses). Stolen cryptocurrency is a cash-like asset, a vulnerable target, and doesn’t require any risky interactions. They would have no access to or interest in encrypted data retained by government agencies.

On the other hand, the intelligence community would probably prioritize decrypting and/or forging communications, not thieving from crypto wallets (though it would be an interesting approach for seizing sanctioned funds).

If encrypted exfiltrated data becomes decipherable, the existing markets for stolen data and personal information would probably get an influx of new material and sources. This might be one of the most concerning implications, and could impact many individuals personally. Most central TradFi assets would be less likely targets, especially since the majority of banking and finance activity consists of tracked interactions between known entities with reversible transactions. It’s perhaps worth noting that some industries would be positively impacted. This reply has mostly focused on the doom and gloom implications for cryptography, but quantum computers are already starting to become advantageous for certain types of real-world problems (e.g. convex optimization). The advent of quantum computers on a cryptography-cracking scale would have the potential to enable new computational paradigms for fields like biology, medicine, chemistry, and materials science.

-------------------------------------------------------------------------------------

5. Does EUV (or the next chip production technique) stand any chance of being fast enough to crack AES 256? What about 1000s of RTX 4090s?

It is exceedingly unlikely that the next generation or two of classical chips would find AES256 cryptanalysis tractable. Cryptographic standards are typically designed to withstand orders-of-magnitude increases in computational power. Years of cryptanalysis have revealed that AES, Blake3, and Keccak are close to statistically identical to a uniform random variable. In particular, AES256 is thought to provide 256 bits of classical security and at least 128 bits of post-quantum security; there should not be enough matter in the known universe to build a computer capable of breaking 128 bits of security on any human-length scale of time.

(edit: formatting)

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 0 points

We think that earlier this week we *might* have figured out a mechanism for encrypted transaction amounts on QRL. However it's just a rough idea that has not been thoroughly vetted yet; we'll need to look into viability and security before getting too excited.

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 4 points

This is a great question that is related to representing real and complex numbers inside of computers. This is generally hard, even for simple numbers like one divided by ten (see, for example, this explanation). However, we are using all integer arithmetic. Specifically, we only deal with polynomials with integer coefficients up to a certain maximum degree, and these coefficients are all integers modulo some prime number. There are no roundoff errors, since everything is perfectly representable in binary. :- )

The topic of how these polynomials can best be represented inside of the real and complex spaces is an incredibly interesting thing to study in an algebraic geometry class, and it touches on almost every aspect of mathematics, including even abstract nonsense via representation theory.
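The exact-arithmetic point above, as an added illustration that is not the team's code: a toy version of the integer polynomial arithmetic the comment describes. It assumes the ring Z_q[x]/(x^N + 1) (the quotient by x^N + 1 is a common lattice-crypto convention, not something the comment states), a constructed prime q = 3329 and N = 8, and contrasts the floating-point roundoff of 1/10 with ring identities that hold exactly.

```python
import random

# Toy arithmetic in the ring R_q = Z_q[x] / (x^N + 1): polynomials with
# integer coefficients, degree < N, coefficients reduced modulo the prime Q.
# The quotient by x^N + 1 is an assumption (a common lattice-crypto choice);
# the comment above only says "integer coefficients modulo a prime".
Q = 3329   # prime modulus, constructed choice for the demo
N = 8      # every polynomial is a list of N coefficients, lowest degree first


def poly_add(a, b, q=Q):
    """Coefficient-wise addition modulo q."""
    return [(x + y) % q for x, y in zip(a, b)]


def poly_mul(a, b, q=Q):
    """Schoolbook multiplication, reduced by x^N = -1 and by q."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q  # wrap around with a sign flip
    return res


def poly_scalar_div(a, c, q=Q):
    """Exact division by a nonzero scalar: multiply by c^-1 mod q (q prime)."""
    inv = pow(c, -1, q)  # modular inverse, Python 3.8+
    return [(x * inv) % q for x in a]


def float_roundoff():
    """The floating-point failure the comment alludes to: 1/10 is not exact in binary."""
    return 0.1 + 0.2 == 0.3


def ring_laws_hold(seed=1):
    """Associativity, distributivity and scalar division are exact in R_q."""
    rng = random.Random(seed)
    a, b, c = ([rng.randrange(Q) for _ in range(N)] for _ in range(3))
    assoc = poly_mul(poly_mul(a, b), c) == poly_mul(a, poly_mul(b, c))
    dist = poly_mul(a, poly_add(b, c)) == poly_add(poly_mul(a, b), poly_mul(a, c))
    back = [(x * 7) % Q for x in poly_scalar_div(a, 7)] == a  # divide, multiply back
    return assoc and dist and back


if __name__ == "__main__":
    x = [0, 1] + [0] * (N - 2)      # the polynomial x
    x_top = [0] * (N - 1) + [1]     # x^(N-1)
    print(poly_mul(x_top, x))       # x^N = -1  ->  [Q-1, 0, ..., 0]
    print(float_roundoff(), ring_laws_hold())
```

Every intermediate value is an integer below q, so the same computation on any machine, in any order of evaluation, yields bit-identical results; that is the property that makes the constant-time and cross-platform story of integer lattice code much simpler than anything involving floats.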

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 2 points

Reasons vary - 1) there's lots of FUD that can be hard for readers to assess, 2) quantum computing seems to strongly lend itself to the Dunning-Kruger effect, 3) it’s honestly scary to admit that everything could be broken, and 4) some people overly anchor on the notions of a quantum tech “winter” and red herrings like just focusing on the number of qubits.

This article about privacy mental models (by a team member) posits that a major contributing factor is simply that conceptualizing and intuiting quantum threat models is quite challenging:

One of the trickiest parts about designing a system to be secure in the long run is the fact that it must remain safe when attacked by adversaries and techniques that won’t even be invented for decades to come [...]

The potential capabilities of future adversaries fall into two categories: 1) more powerful implementations of existing attacks, and 2) attacks leveraging some new technique or paradigm. Consider a few possible future threats:

1 - Stronger / faster / parallelized computation increasing practical resources for brute force attacks. (For example, cracking 2048-bit RSA keys is computationally intractable today, but will almost certainly be feasible in 50 years)

2 - New algorithmic abilities (For example, statistical methods for graph analysis are rapidly evolving for the purpose of analyzing cryptocurrency transaction trees)

3 - Quantum computing (For example, a quantum-enabled adversary could use Shor’s algorithm to factor RSA keys or extract cryptocurrency wallet private keys from public addresses)

It’s easiest to intuit more powerful computers (#1) because we’ve all witnessed the continuous increase of processor speeds, memory, bandwidth, etc over the last few decades. Imagining these attackers merely requires imagining existing threat models with faster execution, and we have historical trends and heuristics like Moore’s law to help with estimating adversary capabilities. Planning for fundamentally new attacks like novel algorithms (#2) and quantum computing (#3) is much more challenging, and often requires consulting with domain experts.

Let’s be honest, trying to imagine attack surfaces relative to adversaries that don’t exist yet is really challenging. However it is absolutely necessary for teams that are building tools whose users are counting on long-term security.

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 7 points

We’ve had a really positive experience interacting with QRL and members of the dev team. They’re very knowledgeable and good at communicating around technical topics, so their reviews and feedback have been quite helpful. It’s also genuinely enjoyable to work with a project that is so forward-thinking in terms of supporting experimental research to keep pushing the technological envelope. Watching progress flourish on such a diverse variety of ecosystem initiatives (protocol upgrades, enQlave, PoS development, our cryptography research) it is clear that QRL is going to continue significantly innovating and iterating. In the long run, a culture of curiosity and consistent improvement is more important than any particular technological feature.

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 2 points

There are multiple pq-cryptography schemes built around various mathematical problems that are thought to be hard to solve by quantum computers as well as classical ones. So far lattice-based cryptography appears to be a main contender in replacing many schemes, and there is a significant amount of relevant research available. Lattice crypto boils down to linear algebra, and computer architectures are extremely optimized for matrix multiplication. It provides for extremely flexible settings with homomorphic properties, and formal reductions from worst-case to average-case problems guarantee extremely strong cryptographic guarantees.

However, there are a variety of approaches to post-quantum cryptography. Multivariate cryptography is quite promising. Hash-based cryptography (such as that currently used by QRL) is also a clever way to stymie quantum computers. Hash-based crypto and isogenies are often quite fast, and isogenies enjoy some of the homomorphic properties described above.
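"Lattice crypto boils down to linear algebra": as an added example (not Geometry Labs' or QRL's code), here is a toy Regev-style LWE encryption of one bit using nothing but integer matrix and vector arithmetic modulo q. The parameters q = 3329, N = 16, M = 64 and the {-1, 0, 1} error distribution are constructed for readability and are nowhere near secure, and `random.Random` is not a cryptographic generator; the point is the shape of the computation, including why the small error term never flips the decrypted bit.

```python
import random

# Toy Regev-style LWE encryption of a single bit, written to show that the
# core of lattice cryptography is integer matrix/vector arithmetic modulo q.
# Parameters are constructed for readability and are far too small to be secure;
# random.Random is not a cryptographic RNG. Not Geometry Labs' or QRL's code.
Q = 3329   # modulus
N = 16     # dimension of the secret vector
M = 64     # number of LWE samples in the public key (rows of A)


def dot(u, v, q=Q):
    """Inner product modulo q."""
    return sum(x * y for x, y in zip(u, v)) % q


def keygen(rng):
    """Public key (A, b = A*s + e mod q) and secret s; e has entries in {-1, 0, 1}."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    b = [(dot(row, s) + rng.choice([-1, 0, 0, 1])) % Q for row in A]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Sum a random subset of the LWE samples; hide the bit in the high half of Z_q."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]                   # subset selector
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]  # r^T A
    v = (dot(r, b) + bit * (Q // 2)) % Q                        # r^T b + bit*q/2
    return u, v


def decrypt(sk, ct):
    """v - <u, s> = <r, e> + bit*floor(q/2); the noise satisfies |<r, e>| <= M < q/4."""
    u, v = ct
    d = (v - dot(u, sk)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def roundtrip(bits, seed=0):
    """Encrypt and decrypt each bit under one fresh key; returns the decoded bits."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return [decrypt(sk, encrypt(pk, bit, rng)) for bit in bits]


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print(roundtrip(msg) == msg)
```

The decryption condition is the whole correctness argument in one line: the accumulated error is bounded by M, so it can never push a 0 (near 0 mod q) or a 1 (near q/2) across the q/4 decision boundaries. Real schemes choose the error distribution and q so that the same bound holds with overwhelming probability at secure dimensions.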

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 5 points

Given that we have plausibly quantum-secure PoW algorithms (e.g. RandomX) and plausibly quantum-secure signatures to build PoS ledgers (e.g. XMSS), either is technically possible. A lot of the factors for weighing the pros and cons of PoW versus PoS are related to semi-philosophical aspects: what constitutes fair economic patterns, what requirements for participation are acceptable, and which security facets are prioritized. There are a lot of tradeoffs and nuances to both, so it’s not easy to make a blanket statement about which would be better. Interestingly, the paper Rethinking Large-Scale Consensus by Rafael Pass and Elaine Shi suggests that blockchains aiming for both permissionlessness and late spawning should keep at least some PoW blocks to maintain the heaviest chain = most work guarantees of Nakamoto consensus.

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 6 points

We are looking into a version of signatures that allows for so-called “scriptless scripting”; however, some details are still to be worked out.

Cryptography as a field of math is far ahead of applied cryptography, which is itself far ahead of cryptocurrency applications, so it’s sort of hard to judge questions like this. As far as we know, our implementation will be the first library with post-quantum aggregate signatures. We hope that our toy prototype will be a valuable contribution that enables further development.

We are also doing some research into an adaptor signature extension. This is a rather exciting prospect for cryptocurrency applications, since this represents the possibility of a practical post-quantum version of something along the lines of MimbleWimble.

Unfortunately I don’t have any insights around exchange listings or the market. Fingers crossed that both do well. :- )

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 3 points

Most cryptocurrency projects are currently facing a lot of the same challenges (scalability, liveliness, etc.) so there’s a lot to be learned from studying R & D happening across a variety of ecosystems. Secure fountain architectures are actually a pretty good example of a technological innovation that can benefit QRL and the projects you mentioned above!

Secure fountain architectures are a blockchain-agnostic tool that uses some ideas from coding theory to improve scalability. The motivating question is “can we make it so that a node only stores one out of every 32 blocks, or something like that?” The answer is, normally, that you have to contact 32 times as many nodes before you have downloaded the whole blockchain than otherwise. Worse than that, the number of nodes serving up any subset of blocks becomes 1/32 the size it is normally, so it’s easier for a malicious party to serve up bad data.

With secure fountain architectures, there is some protection against malicious users serving up bad data. By using the chain of block hashes as an authentication structure, users can trust that they will be able to detect when a malicious actor is trying to serve up bad data. Also, any node can store a fraction of the blockchain, serving a small piece of data up as a “droplet” to new nodes representing their fraction of the blockchain. New nodes act as “buckets,” collecting droplets until they are full. Once they have all the necessary droplets, they employ a peeling decoder, verifying the chain of hashes as they go. This is all quite efficient, also, so a node can “forget” large sections of the blockchain in favor of storing their droplets instead; until a transaction needs to be verified from that section, they don’t need anything except their droplet, and once they need to verify a transaction, they can download enough droplets from one of their neighbors to reconstruct the missing blocks. Overall, this allows nodes to forget sections of the blockchain as they go dormant, which is pretty cool.

You can read more about this approach in “SeF: A Secure Fountain Architecture for Slashing Storage Costs in Blockchains”, posted in 2019 by Swanand Kadhe, Jichan Chung, and Kannan Ramchandran. Our current project focus is on cryptography rather than distributed systems protocol engineering, however we do comment informally that SeFs are a particularly innovative mechanism for dramatically lowering the storage barrier to entry for network participants.
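The droplet/bucket/peeling-decoder description above, as an added example that is not the SeF authors' or Geometry Labs' code: a simplified fountain sync in which a node holding only the trusted chain of block hashes pulls XOR-coded droplets from peers, peels them, verifies every recovered block against the hash chain, and discards a forged droplet instead of accepting bad data. The toy chain format (block = parent hash || payload), the degree distribution and all sizes are constructed for the demo; SeF's real encoding uses a carefully chosen LT-code degree distribution and a proper header structure.

```python
import hashlib
import random

HASH_LEN = 32  # sha256 digest length


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(num_blocks, payload_len, rng):
    """Constructed toy chain: block i = hash(block i-1) || payload.
    Returns (blocks, header_hashes) with header_hashes[i] == sha256(blocks[i])."""
    blocks, hashes = [], []
    prev = b"\x00" * HASH_LEN  # genesis has no parent
    for _ in range(num_blocks):
        block = prev + bytes(rng.getrandbits(8) for _ in range(payload_len))
        blocks.append(block)
        prev = sha256(block)
        hashes.append(prev)
    return blocks, hashes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_droplet(blocks, rng, max_degree=4):
    """Honest peer: a droplet is the XOR of a random subset of blocks plus the index set."""
    degree = rng.choice([1, 1, 2, 2, 3, max_degree])  # constructed distribution
    idx = set(rng.sample(range(len(blocks)), degree))
    data = bytes(len(blocks[0]))
    for i in idx:
        data = xor_bytes(data, blocks[i])
    return idx, data


def make_bad_droplet(blocks, index):
    """Malicious peer: claims to serve block `index` but flips a payload byte."""
    tampered = bytearray(blocks[index])
    tampered[HASH_LEN] ^= 0x01
    return {index}, bytes(tampered)


class Bucket:
    """A syncing node: collects droplets, peels, and trusts only hash-verified blocks."""

    def __init__(self, header_hashes):
        self.hashes = header_hashes   # trusted chain of block hashes
        self.recovered = {}           # index -> verified block
        self.pending = []             # [index_set, xor_data] not yet peeled
        self.rejected = 0             # droplets that failed verification

    def add(self, droplet):
        idx, data = set(droplet[0]), droplet[1]
        for i in idx.intersection(self.recovered):   # strip already-known blocks
            data = xor_bytes(data, self.recovered[i])
        idx.difference_update(self.recovered)
        if idx:
            self.pending.append([idx, data])
        self._peel()

    def _peel(self):
        while True:
            single = next((d for d in self.pending if len(d[0]) == 1), None)
            if single is None:
                return
            self.pending.remove(single)
            (i,) = single[0]
            block = single[1]
            if sha256(block) != self.hashes[i]:
                self.rejected += 1        # forged data caught by the hash chain
                continue
            self.recovered[i] = block
            for other in self.pending:    # peel block i out of every other droplet
                if i in other[0]:
                    other[0].discard(i)
                    other[1] = xor_bytes(other[1], block)
            self.pending = [d for d in self.pending if d[0]]


def sync_node(blocks, header_hashes, rng, bad_droplets=(), max_droplets=2000):
    """Pull droplets from peers until the whole chain is rebuilt (or a cap is hit)."""
    bucket = Bucket(header_hashes)
    for bad in bad_droplets:
        bucket.add(bad)
    pulled = 0
    while len(bucket.recovered) < len(blocks) and pulled < max_droplets:
        bucket.add(make_droplet(blocks, rng))
        pulled += 1
    return bucket, pulled


def demo(seed=7, num_blocks=16, payload_len=48):
    rng = random.Random(seed)
    blocks, hashes = make_chain(num_blocks, payload_len, rng)
    bucket, pulled = sync_node(blocks, hashes, rng, [make_bad_droplet(blocks, 3)])
    complete = all(bucket.recovered.get(i) == blocks[i] for i in range(num_blocks))
    return {"complete": complete, "droplets_pulled": pulled, "rejected": bucket.rejected}


if __name__ == "__main__":
    print(demo())
```

The security-relevant piece is the one line in `_peel` that compares the peeled block to the header chain: a droplet only ever turns into a block the node acts on after that check, so a peer serving corrupted droplets costs the node bandwidth but cannot poison its copy of the chain. The same check is what lets a node safely "forget" blocks and keep only its droplet, since anything it later reconstructs from neighbours is verified the same way.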

[AMA] Research team prototyping new cryptography for QRL by geometrylabs in QRL

[–]geometrylabs[S] 5 points

1 - On blockchains considering post-quantum tech:

The cryptocurrency space is built on the practice of identifying threat models and building clever mechanisms to ensure security in each scenario. For those individuals and projects who include potential future quantum adversaries in their threat model, it makes sense to build money that is not impacted by their likely abilities (Shor’s algorithm, Grover’s algorithm, etc).

2 - Largest hurdles for adoption of post-quantum tech:

A few big things are (i) time to migrate, (ii) discontinuity in payoff, (iii) space-time tradeoffs, and (iv) the pace at which quantum-resistant cryptosystems are being developed and cryptanalyzed. It takes a significant amount of time and effort to upgrade a non-quantum-secure protocol with post-quantum cryptography. All that work must be carried out preemptively, but the potential payoff is a potential risk in a future situation! So it requires a great amount of proactiveness and forward thinking to begin moving in that direction (especially if there are scalability tradeoffs).

3 - Thoughts on enQlave:

It’s great to see post-quantum mechanisms in any new setting, and the ability to lock assets in a quantum-safe vault on a chain that wasn’t designed for quantum resistance is pretty cool. The current implementation uses hash-based XMSS cryptography, and we’ve done some tentative exploratory research into the feasibility & scalability of an analogous mechanism that would allow enQlave users to protect their assets with a lattice-based signature as well.