Blog · 12 Feb 2017

Blockchain has a huge security flaw - can it be fixed?

Bitcoin changed money forever. But without blockchain, it has no intrinsic value. Find out why all companies need to be concerned about its significant security flaw.

Halloween’s biggest trick or treat

When Satoshi Nakamoto published his paper introducing Bitcoin on Halloween 2008, he really was out to change money forever.

The “too big to fail” financial crisis had just shown how fragile economies can be, and a solid half of the world had no access to any form of banking.

No one knows who this pseudonymous pioneer of currency is, or if he is a she or them. Yet we know Satoshi solved the classic digital problem of double spend. Put simply: while it’s okay to send someone a digital picture and retain a copy, you can’t expect money to work that way.

Avoiding a double spend

Satoshi avoided double spend by creating a distributed ledger, or blockchain, that would ensure transactions were fair. On this platform, a cryptocurrency called Bitcoin would have intrinsic value due to its difficulty of creation and scarcity.

The cryptography making this possible came with a reassuring statement, calling transactions “computationally impractical to reverse”. Our world was ready. Bitcoin soared in value and popularity, despite occasional bad press involving the use of anonymous money in dark web marketplaces.

Other cryptocurrencies appeared, and blockchain technology ledgers soon began empowering smart contracts and other applications where validation of identity, ownership, or some other valuable item was needed. Even banks got on board, exploring ways to use blockchain across their organisations. It may soon be impossible to work in a company that isn’t developing something on a blockchain — like trying to find a company without a web presence a few short years ago.

But is it safe?

My RSA 2017 talk, “Hacking Blockchain”, includes a fair amount of time explaining historic and current attacks faced by all implementations of the technology. A lot of these attacks are old school, focusing on supporting technology and not on the blockchain itself.

Consider attacks against credentials used at an online cryptocurrency exchange. Such exchanges act as hot wallets, or storage of funds available for transacting online at any time. Traditional authentication hacking of these sites can lead to illegal transactions. Some attacks are even more creative, such as the ability to force a cold or offline wallet to become hot and therefore a target for fraudulent transactions.

The major issue I cover, though, is the inherent flaw on page one of Satoshi’s paper: that elegant if pesky line about “computationally impractical to reverse” transactions. You see, the crypto behind cryptocurrency is actually public-key cryptography. We are likely less than three years away from this being completely hackable by a quantum computer.

Facing reality

Fantasy? Hardly. Labs around the world have already proven that quantum computers can run Shor’s Algorithm and almost instantly find the private key of a public key pair even 4,096 bits long. Because of how public key works in most blockchain implementations, including Bitcoin, this would mean any time a transaction occurs, a quantum computer has everything it needs to obtain a user’s private key. Spend a single cryptocoin, and any entity with a quantum computer can download that currency’s blockchain, see your transaction, and in a few moments spend the rest of your funds.
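As an added illustration, not part of the original post, a small Python model of why the exposure begins at spend time: a pay-to-public-key-hash address commits to a hash of the key, the key itself is published when an output is spent, and any balance left at that same address is then at risk if the signature scheme falls. It goes slightly beyond the text in showing the mitigation (send change to a fresh address), and the hash function, key bytes and amounts are constructed stand-ins rather than Bitcoin's real encoding.

```python
import hashlib
from dataclasses import dataclass

# Simplified pay-to-public-key-hash model. Assumption: real Bitcoin hashes the
# key with SHA-256 then RIPEMD-160 and Base58Check-encodes the result; a
# truncated SHA-256 stands in here. The address commits to the key without revealing it.
def address_of(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:40]

@dataclass
class Output:
    address: str
    amount: int  # constructed units, not real satoshis

@dataclass
class Spend:
    """Spending an output publishes the public key whose hash is the address
    (the signature itself is omitted from this model)."""
    spent: Output
    revealed_pubkey: bytes
    new_outputs: list

def apply_spend(utxos: list, spend: Spend) -> list:
    if address_of(spend.revealed_pubkey) != spend.spent.address:
        raise ValueError("revealed public key does not hash to the address")
    if not any(u is spend.spent for u in utxos):
        raise ValueError("output already spent or unknown")
    return [u for u in utxos if u is not spend.spent] + list(spend.new_outputs)

def exposed_funds(utxos: list, spends: list) -> int:
    """Unspent value sitting at addresses whose public key is already on-chain:
    if the signature scheme falls, this is the balance at risk."""
    revealed = {address_of(s.revealed_pubkey) for s in spends}
    return sum(u.amount for u in utxos if u.address in revealed)

def demo() -> tuple:
    """Constructed scenario: Alice holds 100 units and pays Bob 30."""
    alice_key, alice_key2, bob_key = b"alice-key-1", b"alice-key-2", b"bob-key"
    bob = Output(address_of(bob_key), 30)
    # Case 1: change returned to the spending address (address reuse).
    coin = Output(address_of(alice_key), 100)
    reuse = Spend(coin, alice_key, [bob, Output(address_of(alice_key), 70)])
    exposed_reuse = exposed_funds(apply_spend([coin], reuse), [reuse])
    # Case 2: change sent to a fresh address whose key has never been published.
    coin = Output(address_of(alice_key), 100)
    fresh = Spend(coin, alice_key, [bob, Output(address_of(alice_key2), 70)])
    exposed_fresh = exposed_funds(apply_spend([coin], fresh), [fresh])
    return exposed_reuse, exposed_fresh  # (70, 0)
```

The same check run over a real wallet's unspent outputs tells you how much of its balance already sits behind a published public key.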

The threat seems even worse if you consider blockchains designed to prove ownership of land or other critical identity-related transactions. A private key attack here can lead to an irreversible type of identity theft, at least within that blockchain ecosystem.

The NSA has already warned against the use of non-quantum-safe encryption. It’s time to realise we may be rushing towards putting everything on a digital house of cards rather than an unbreakable chain. Let’s fix blockchain’s inherent flaws now, before it’s too late.