51% Attack via Difficulty Increase with a Small Quantum Miner

239 views
Skip to first unread message

Or Sattath

unread,
Mar 18, 2024, 9:31:37 AMMar 18
to Bitcoin Development Mailing List
Hi,
In a recent work with Bolton Bailey (still not peer-reviewed) , we showed how a single quantum miner, with relatively little hashing power, can execute a 51% attack. The attack isn't relevant for the forthcoming years, requiring an extremely fast, noise-tolerant quantum computer.
The attack is surprisingly simple. The attacker creates a private fork, increasing the difficulty by a factor c. Due to the properties of Grover's algorithm, it is only \sqrt c harder for the quantum miner to mine at the new difficulty level, but these blocks count as $c$ times more for the PoW. Therefore, by mining even a single epoch for a large enough $c$, the quantum miner can generate more proof-of-work than the competing (classical) chain. The complexity of the attack is ~1/r^2 epochs, where r is the fraction of the block rewards that the quantum miner would have received if they mined honestly. This attack (or variants thereof) provides essentially the same benefits as classical 51% attacks, including double spending, and all the revenue from the block rewards. 

This attack might be relevant when considering future protocol modifications.

Or



Antoine Riard

unread,
Mar 20, 2024, 4:53:02 PMMar 20
to Bitcoin Development Mailing List
Hi Or,

Thanks for the research.

> The complexity of the attack is ~1/r^2 epochs, where r is the fraction of the block rewards that the quantum miner would have received if they mined honestly. This attack (or variants thereof) provides essentially the same benefits as classical 51% attacks, including double spending, and all the revenue from the block rewards. 

Quantum algorithm like Grover's algorithm are well-adapted to solve problems with a hidden structure, e.g where the answer can be easily verified.
This is the case any randomly yielded state from a qubit vector can be fast verified as a PoW on a classical computer architecture.
However, I'm not sure Grover's algorithm works well for dynamic block template construction and corresponding PoW calculations.
Any last-minute high-fee transaction might be selected in the block template, invalidating all the oracle calls performed so far by the run of the Grover's algorithm.
Classical computers do not have this issue that you cannot observe the state until the computation ends, contrary to quantum computers.
Inability to adapt to a fast-dynamic fee market might render this 51% attack unsustainable, in a post-subsidy world.

The attack isn't relevant for the forthcoming years, requiring an extremely fast, noise-tolerant quantum computer.

Information on what is the qubit format and associated solid-state technology used for the estimation can be valuable. Especially to estimate the real-world energy cost compared to hydro pure ASIC-based mining infrastructure.

Best,
Antoine
Reply all
Reply to author
Forward
0 new messages