In our 2019 March of the Blocks paper we commented on the substantial compliance obstacles that the General Data Protection Regulation (GDPR) presents to the ongoing development of blockchain solutions that involve storing (and transacting with) data. There, we concluded that blockchain solutions that adhere to the core principles of data protection and privacy are achievable. But is our conclusion firm in light of the threat posed by quantum technology to the integrity of data recorded on a blockchain?
In this article, with the help of the team at our Quantum Computing Hub, we revisit our thinking and question whether quantum computers herald the end of data security in the context of blockchain solutions or if the reality is actually more nuanced.
Simply put, quantum computers are computers that make use of two laws of quantum mechanics: superposition and entanglement. They do this via quantum bits or “qubits”. This is easier to explain by referring to classical computers (the computers we currently use) that make use of bits, units of information that can only exist in one of two states: off or on, 0 or 1.
Due to superposition, which refers to the ability of individual units to exist in several possible states at the same time, a qubit in a quantum computer can be on, off, or in a combination of on and off states at a single point in time.
Entanglement, which describes the phenomenon whereby particles interact with each other and share their states even when separate, means that the state of a series of qubits can be connected.
These properties allow quantum computers to perform certain tasks with greater efficiency than even the most powerful classical computers. These activities include finding a specific item in an unordered list, identifying causal relationships, and finding prime factors of large numbers.
Identification of the quantum threat to the blockchain
A blockchain is a series of data blocks, linked together by a cryptographic hash to form a chain. A cryptographic hash is a function that transforms a block of data of any length into a fixed-length output. The hash stored in each block in the chain works like a fingerprint of the previous block, and you can run a hash check on the previous block to confirm that it generates the correct hash. If the previous block is modified in any way, it will not generate the correct hash and the chain will be broken. Therefore, the data of any block in the chain cannot be changed without changing the hash of each block that comes after it in the chain.
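The linking and checking described above can be shown in a few lines. This is an added example, not code from the original article; the block layout, the all-zero genesis value and the function names are assumptions made for illustration, and the records are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder for "no previous block"

def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the whole block."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    """Each block stores the hash (fingerprint) of the block before it."""
    chain, prev = [], GENESIS
    for index, data in enumerate(records):
        block = {"index": index, "data": data, "prev_hash": prev}
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_broken_link(chain, trusted_tip):
    """Return None if the chain is intact, the index of the first block whose
    stored prev_hash is wrong, or len(chain) if only the trusted tip differs."""
    prev = GENESIS
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]
        prev = block_hash(block)
    return None if prev == trusted_tip else len(chain)

def relink(chain, start):
    """Recompute every link after `start`: the work needed to hide an edit."""
    for i in range(start + 1, len(chain)):
        chain[i]["prev_hash"] = block_hash(chain[i - 1])
    return chain

# Constructed sample records (no personal data).
RECORDS = ["PAL-0042 created", "PAL-0042 shipped", "PAL-0042 received", "PAL-0043 created"]
original = build_chain(RECORDS)
TIP = block_hash(original[-1])

edited = copy.deepcopy(original)
edited[1]["data"] = "PAL-0042 lost"           # modify one historical block
broken_at = first_broken_link(edited, TIP)    # the next block's link fails
after_relink = first_broken_link(relink(edited, 1), TIP)  # only the tip differs
```

Even after every later link is recomputed, the final hash no longer matches the value the rest of the network holds, which is why a historical edit cannot go unnoticed.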
Many blockchain solutions also implement public key cryptography, in which public and private keys are made up of a string of alphanumeric characters. If a user wants to send encrypted data to a recipient, they must use that recipient’s public key (which is transmitted to the network). The sender can encrypt their data with this public key and send the data to the recipient. Only the recipient’s private key (which the recipient keeps secret) can then be used to decrypt the data. Where blockchain solutions facilitate transactions, private keys are often used to “sign” and authenticate transactions.
The flaw (and a crack in the armor of the blockchain) is that many popular public key cryptographic algorithms, including RSA cryptography, are vulnerable to quantum computer attacks. This is because the security of those cryptographic algorithms relies on the difficulty of breaking down large numbers into their prime factors (the prime numbers which, when multiplied, equal the original large number), which is time-consuming for conventional computing circuits. As we have already noted, this is a task that quantum computers are set to perform with relative ease compared to classical computers.
It has also been suggested that quantum computers increase the risk of a ‘51%’ or ‘majority’ attack, whereby a bad actor tries to take control of most nodes in a blockchain network and thereby gains the ability to stop new blocks being recorded, as well as to reverse records of blocks that were completed while they were in control of the network.
What does this mean from a legal point of view?
In a UK context, numerous legal risks arise and similar obligations may apply in other jurisdictions. In particular, the GDPR requires data controllers and processors to ensure that personal data are processed in such a way as to protect against unauthorized or unlawful processing and, consequently, to implement appropriate technical and organizational security measures. Furthermore, data protection should be “integrated” into processing activities and business practices from the design stage through the life cycle. If quantum computers were able to compromise data stored on a blockchain, compliance with these requirements would similarly be compromised.
Legal responsibility doesn’t stop with the GDPR, however, and can vary depending on the type of entity storing data on a blockchain solution. For example, organizations that fall within the scope of the Network and Information Security Directive (NIS), which includes operators of essential services, are subject to additional requirements to manage the risks posed to the security of networks and information systems they use in their operations.
UK financial services firms should also be aware of the proposed PRA and FCA rules to improve business resilience, which are expected to be published in the first quarter of 2021, as well as requirements relating to appropriate systems and controls and adequate risk management systems. Senior managers within regulated companies who are responsible for data security may also be subject to regulatory scrutiny in the event that data is compromised.
In addition, interference with the integrity of data recorded on a blockchain could constitute a breach of directors’ duties under the Companies Act 2006, as well as a breach of the UK Corporate Governance Code.
As this survey of the legal position demonstrates, the implications of quantum computers rendering data stored on a blockchain vulnerable are significant. But how real is this threat in practice?
Commentators seem confident that cryptography will be able to keep pace with developments in quantum computers, which are expected to be used by governments and companies in 2030. Therefore, current cryptographic techniques can be shifted to quantum-resistant cryptography (sometimes called “post-quantum cryptography”). There is, however, no evidence that any of the currently recognized post-quantum methods are safe against a quantum computer.
The degree of vulnerability of existing blockchain systems is also subject to debate. For example, the blockchain solution behind Bitcoin (which uses a number of cryptographic techniques in addition to public key cryptography) is considered by some to be quantum resistant in its current incarnation, although this appears to be a minority view.
Where existing systems are vulnerable to quantum computers, it is certainly true that a bad actor could steal data now and wait for advances in quantum computing to allow access, regardless of any subsequent precautions put in place.
While the degree of the threat remains a matter of debate, it is clear that quantum computing has the potential to undermine the integrity of data stored on blockchain solutions. As we have explored, this could give rise to a number of negative legal consequences, particularly under the GDPR.
However, various measures can be taken to mitigate these consequences. We have already highlighted the need to update current cryptographic techniques with post-quantum cryptography. Furthermore, as noted in our March of the Blocks document, the storage of personal data on a blockchain should be avoided as much as possible.
This could potentially be achieved through middleware applications (software that sits on top of one or more underlying blockchain networks, allowing those blockchain networks to be applied to particular use cases) by avoiding, for example, any free-form data fields for names and contact details. These applications could also employ more advanced techniques to recognize and remove personal data from information sent to the blockchain network.
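A screening step of the kind described above might look like the following. This is an added example, not part of the original article or of any particular middleware product; the field schema, the two detection patterns and all sample values are assumptions constructed for illustration, and real personal-data detection needs far broader coverage than two regular expressions.

```python
import re

# Assumed schema: only tightly typed fields may reach the ledger, so there
# is no free-form field in which a name or contact detail could travel.
ALLOWED_FIELDS = {
    "asset_id": re.compile(r"[A-Z]{3}-\d{4}"),
    "quantity": re.compile(r"\d{1,6}"),
    "status": re.compile(r"created|shipped|received"),
}

# Illustrative detectors used to explain why a field was withheld.
PERSONAL_DATA = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def screen_record(record):
    """Split a record into the part that may be written to the blockchain
    and a list of (field, reason, detected_types) findings for the rest."""
    clean, findings = {}, []
    for key, value in record.items():
        text = str(value)
        pattern = ALLOWED_FIELDS.get(key)
        if pattern is not None and pattern.fullmatch(text):
            clean[key] = text
            continue
        hits = sorted(name for name, rx in PERSONAL_DATA.items() if rx.search(text))
        reason = "not in schema" if pattern is None else "fails format check"
        findings.append((key, reason, hits))
    return clean, findings

# Constructed sample submission; the contact details are fictitious.
SAMPLE = {
    "asset_id": "PAL-0042",
    "quantity": 12,
    "status": "shipped",
    "notes": "call Jo on +44 20 7946 0000 or jo@example.com",
}
CLEAN, FINDINGS = screen_record(SAMPLE)
```

Because the allow-list is applied first, anything the schema does not recognise is withheld even when neither detector fires; the detectors only label what was caught.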
To conclude, we remain optimistic that GDPR and other data security regulations should not hinder the development of blockchain solutions. The limitations presented by blockchain must, however, be recognized and a pragmatic approach adopted, particularly in light of the threat to data integrity posed by quantum computers.