Five, ten years or longer? A time-line assessment of quantum computing threats

2026/01/27 02:03
ODAILY

How far are we from a quantum computer that can crack bitcoin


Original by Justin Thaler (@SuccinctJT), a16z Research Partner

Translation: AididiaoJP, Foresight News

When will quantum computers break cryptography? The timing question is routinely exaggerated, producing calls for an "urgent, comprehensive shift to post-quantum cryptography".

These calls tend to ignore both the costs and risks of migrating too early and the very different threat profiles of different cryptographic tools:

  • Post-quantum encryption should be deployed now, even at a higher cost. The "harvest now, decrypt later" (HNDL) attack already exists: sensitive data encrypted today remains valuable even if it is only decrypted decades from now. Post-quantum encryption schemes have their own costs and risks, but for data that must stay confidential for a long time we have no choice.
  • Post-quantum digital signatures are a different matter. They are not exposed to HNDL-style attacks, and their costs and risks (larger sizes, performance overhead, immature schemes, potential implementation bugs) call for careful planning rather than immediate action.

This distinction is essential. Blurring it distorts cost-benefit analysis and lets teams neglect more pressing security risks, such as implementation bugs.

The real challenge of a successful transition to post-quantum cryptography is to match the urgency of action to the actual threat. Below I clarify common misconceptions about the quantum threat to cryptography, covering encryption, signatures and zero-knowledge proofs, with particular attention to their relevance for blockchains.

Timeline: how far are we from a quantum computer that can break cryptography?

Despite the hype, the probability that a "cryptographically relevant quantum computer" arrives by 2030 is extremely low.

By "cryptographically relevant quantum computer" (CRQC) I mean a fault-tolerant, error-corrected quantum computer that runs Shor's algorithm and is large enough to break elliptic-curve cryptography (e.g., secp256k1) or RSA (e.g., RSA-2048) within a reasonable time (say, no more than a month of continuous computation).

Judging from public technical milestones and resource estimates, we are far from such a machine. Although some companies claim it could be achieved by 2030 or even 2035, known progress does not support those claims.

No current quantum computing platform, whether trapped ions, superconducting qubits or neutral atoms, comes anywhere close to the hundreds of thousands to millions of physical qubits (depending on error rates and error-correction overhead) needed to break RSA-2048 or secp256k1.

The bottleneck is not only qubit count but also gate fidelity, qubit connectivity, and the depth of continuous fault-tolerant circuits that a deep quantum algorithm requires. Some systems now have more than 1,000 physical qubits, but that number alone is misleading: they lack the connectivity and fidelity that cryptanalytic computations require.

Although recent systems are approaching the physical error-rate threshold needed for quantum error correction, no one has stably operated more than a handful of logical qubits, let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits needed to run Shor's algorithm. The gap between proof-of-principle experiments and cryptanalytic scale remains large.

In short: a cryptographically relevant quantum computer is out of reach until qubit counts and qubit quality improve by several orders of magnitude.

Corporate press releases and media coverage, however, are often confusing. The main sources of confusion:

  1. "Quantum advantage" demonstrations: most tasks demonstrated so far are contrived rather than useful, chosen precisely because they run on existing hardware and "look" fast. This is often glossed over in promotional material.
  2. "Thousands of physical qubits" campaigns: this usually refers to quantum annealers, not the gate-model quantum computers needed to run Shor's algorithm against public-key cryptography.
  3. Misuse of "logical qubits": physical qubits are noisy, and practical algorithms need "logical qubits", each built from many physical qubits through error correction. Running Shor's algorithm needs thousands of logical qubits, each typically made of hundreds to thousands of physical qubits. Some companies nevertheless exaggerate, such as a recent claim of 48 logical qubits built with only two physical qubits per logical qubit using a code that can only detect errors, not correct them, which is meaningless for this purpose.
  4. Misleading roadmaps: the logical qubits in many roadmaps support only "Clifford" operations, which classical computers can simulate efficiently and which are not sufficient to run Shor's algorithm, which needs a large number of "non-Clifford" gates (e.g., T gates). So even if a roadmap claims "thousands of logical qubits by year X", that does not mean the company expects to break classical cryptography by then.

These practices seriously distort the perception of progress in quantum computing among the public, sophisticated observers included.
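To make the physical-versus-logical distinction concrete, here is an added example (not from the article) that converts between physical and logical qubit counts for a surface code. The logical error-rate heuristic p_L ≈ 0.1·(p/p_th)^((d+1)/2) and the roughly 2·d² physical qubits per logical qubit are standard surface-code rules of thumb that I assume here; the numeric inputs (error rate 10x below a 1% threshold, one failure per 10^12 logical operations as a budget for a deep circuit) are illustrative, not figures the article states.

```python
# Added example (not from the article): surface-code back-of-the-envelope
# converter between physical and logical qubits.  The heuristic
# p_L ~= 0.1 * (p / p_th)^((d+1)/2) and ~2*d^2 physical qubits per logical
# qubit are assumptions from the surface-code literature, not article data.
from fractions import Fraction


def logical_error_rate(p, p_th, d: int) -> Fraction:
    """Heuristic logical error rate per logical operation at code distance d.

    Exact rational arithmetic avoids float rounding at the decision boundary.
    p and p_th may be given as strings such as "1e-3".
    """
    p, p_th = Fraction(p), Fraction(p_th)
    if p >= p_th:
        raise ValueError("physical error rate must be below the threshold")
    return Fraction(1, 10) * (p / p_th) ** ((d + 1) // 2)


def code_distance(p, p_th, target) -> int:
    """Smallest odd distance d whose logical error rate meets the target."""
    d = 3
    while logical_error_rate(p, p_th, d) > Fraction(target):
        d += 2
        if d > 299:
            raise ValueError("no practical distance: error rate too close to threshold")
    return d


def physical_per_logical(d: int) -> int:
    """Surface code: d^2 data qubits plus about d^2 measurement qubits."""
    return 2 * d * d


def logical_qubits_available(physical: int, p, p_th, target) -> int:
    """How many logical qubits a machine of a given size could actually host."""
    return physical // physical_per_logical(code_distance(p, p_th, target))


def physical_needed(logical: int, p, p_th, target) -> int:
    """Physical qubits required to host a given number of logical qubits."""
    return logical * physical_per_logical(code_distance(p, p_th, target))


if __name__ == "__main__":
    # Illustrative budget: error rate 10x below threshold, 1e-12 failures per op.
    args = ("1e-3", "1e-2", "1e-12")
    d = code_distance(*args)
    print("distance", d, "-> physical qubits per logical qubit:", physical_per_logical(d))
    print("a 1,000-physical-qubit machine hosts", logical_qubits_available(1000, *args), "logical qubit(s)")
    print("4,000 logical qubits would need", physical_needed(4000, *args), "physical qubits")
```

With these inputs a "1,000 physical qubit" machine hosts a single logical qubit at distance 21, and a few thousand logical qubits translate to millions of physical qubits, which is why raw physical-qubit counts say little about cryptanalytic capability. Halving the distance to threshold (error rate 5e-3 instead of 1e-3) pushes the distance to 73 and the overhead past 10,000 physical qubits per logical qubit.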

Progress is, of course, genuinely exciting. Scott Aaronson, for instance, recently wrote that, given that "hardware is moving at an alarming rate", he considers it "a real possibility that we have a fault-tolerant quantum computer that can run Shor's algorithm before the next presidential election". But he then clarified that this does not mean a cryptographically relevant quantum computer: even a fault-tolerant factoring of 15 = 3 × 5 (faster with pen and paper) would count. That is still a small-scale demonstration, and such experiments always target 15 because arithmetic mod 15 is simple; a slightly larger number (e.g., 21) is much harder.

Key takeaway: public evidence of progress does not support a cryptographically relevant quantum computer capable of breaking RSA-2048 or secp256k1 within the next five years. Even ten years would be ambitious.

So there is no contradiction between excitement about progress and the timeline judgment that "it will take more than a decade".

What about the US government setting 2035 as the deadline for fully migrating government systems to post-quantum cryptography? I think that is a reasonable schedule for completing a massive transition, but it is not a prediction that a cryptographically relevant quantum computer will exist by then.

"Harvest now, decrypt later" attacks: who is affected, and who is not

A "harvest now, decrypt later" (HNDL) attack means an attacker stores encrypted traffic today and decrypts it once a cryptographically relevant quantum computer becomes available. Nation-state adversaries have very likely already archived large volumes of encrypted US government communications for future decryption.

Encryption must therefore be upgraded now, at least for data that needs to remain confidential for 10 to 50 years or more.

Digital signatures (the cornerstone of every blockchain) differ from encryption: they carry no confidentiality requirement and are not subject to retroactive attack. A quantum computer that appears in the future could only forge signatures from that point on; it cannot "decrypt" past signatures. As long as you can establish that a signature was created before the quantum computer existed, it cannot have been forged.

This makes the transition to post-quantum digital signatures far less urgent than the transition to post-quantum encryption.

This is what mainstream platforms are doing:

  • Chrome and Cloudflare have deployed the hybrid X25519+ML-KEM scheme for TLS encryption. "Hybrid" means using both the post-quantum scheme (ML-KEM) and the existing one (X25519): the combination is secure against HNDL attacks while retaining classical security in case the post-quantum scheme turns out to have a problem.
  • Apple's iMessage (PQ3 protocol) and Signal (PQXDH and SPQR protocols) have similar hybrid post-quantum encryption.

By contrast, deployment of post-quantum digital signatures in critical internet infrastructure has been deferred until cryptographically relevant quantum computers are actually close, because current post-quantum signature schemes carry significant performance costs (detailed below).

zkSNARKs are in a similar position to signatures. Even for zkSNARKs that are not post-quantum secure (because they use elliptic-curve cryptography), the "zero-knowledge" property itself is post-quantum secure. That property guarantees that the proof reveals no secret information (so a quantum computer has nothing to work with), and therefore there is no secret to "harvest now" for future decryption. zkSNARKs are thus not exposed to HNDL attacks. Any zkSNARK produced before a quantum computer exists remains trustworthy (even if it uses elliptic-curve cryptography); only once a quantum computer exists could an attacker forge a false proof.

What this means for blockchains

Most blockchains are not exposed to HNDL attacks.

Non-privacy chains such as today's Bitcoin and Ethereum mainly use non-post-quantum cryptography for transaction authorization (i.e., digital signatures), not for encryption. These signatures carry no HNDL risk. For example, the Bitcoin blockchain is public, and the quantum threat lies in forging signatures (stealing funds), not in decrypting publicly visible transaction data. This removes the immediate urgency that HNDL creates for encryption.

Unfortunately, even analyses from authorities such as the Federal Reserve have wrongly claimed that Bitcoin is exposed to HNDL attacks, exaggerating the urgency of the transition.

Of course, reduced urgency does not mean Bitcoin is safe. It faces a different kind of time pressure, from the enormous social coordination that protocol changes require (detailed below).

The current exception is privacy chains. Many privacy chains encrypt or hide recipients and amounts. That confidential information can be harvested now and retroactively deanonymized once a future quantum computer breaks elliptic-curve cryptography. The severity varies by design (e.g., Monero's ring signatures and key images could allow complete reconstruction of the transaction graph). So if their users care about transactions not being exposed to future quantum computers, privacy chains should move as soon as possible to post-quantum primitives (or a hybrid scheme), or adopt an architecture that does not put decryptable secrets on chain.

Bitcoin's special dilemma: governance deadlock and "sleeping coins"

For Bitcoin, two practical factors make it urgent to start planning for post-quantum signatures, neither of which has to do with quantum technology itself:

  • Slow governance: Bitcoin changes slowly, and any controversy can trigger a damaging hard fork.
  • No passive migration: coin owners must actively move their coins. That means abandoned, quantum-vulnerable coins cannot be protected. Such "sleeping", quantum-vulnerable BTC is estimated at millions of coins, worth hundreds of billions of dollars at current prices.

The quantum threat, however, will not arrive "overnight"; it looks more like a selective, gradual targeting process. Early quantum attacks will be extremely expensive and slow, and attackers will pick high-value wallets.

Moreover, users who avoid address reuse and do not use Taproot addresses (which expose the public key directly on chain) are generally safe even without a protocol upgrade: before spending, their public key is hidden behind a hash. The public key is only revealed when a spending transaction is broadcast, at which point there is a short real-time race: the honest user wants the transaction confirmed as quickly as possible, while a quantum attacker tries to compute the private key and steal the coins first.

So the genuinely vulnerable coins are those whose public keys are already exposed: early P2PK outputs, reused addresses, and funds held in Taproot outputs.
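The distinction between "key hidden behind a hash" and "key on chain" can be read directly off each output's scriptPubKey. The following is an added example (not code from the article or from Bitcoin Core) that classifies an output by its standard script template and flags whether a discrete-log-breaking attacker could target it today; the address-reuse check assumes the caller has already collected the hash160 values of public keys revealed in earlier spends (that set, and all key bytes below, are constructed placeholders rather than real on-chain data).

```python
# Added example (not from the article): classify Bitcoin outputs by whether the
# spending public key is already visible on chain.  Script templates follow the
# standard forms (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR); keys are placeholders.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    kind: str       # script template name
    exposed: bool   # True if an ECDLP-breaking attacker can target this output now
    reason: str


def classify_script_pubkey(spk: bytes) -> str:
    """Return the standard template name for a scriptPubKey, or 'OTHER'."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"       # <push33|65> <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"      # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"       # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"     # OP_0 <20-byte hash160>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"      # OP_0 <32-byte sha256 of witness script>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"       # OP_1 <32-byte x-only output key>
    return "OTHER"


def exposure(spk: bytes, revealed_hash160: set[bytes]) -> Exposure:
    """Decide whether an unspent output is quantum-exposed today.

    revealed_hash160 holds hash160 values of public keys already seen in a
    spending scriptSig or witness (i.e. reused addresses).  In practice it is
    built by scanning historical spends; here the caller supplies it.
    """
    kind = classify_script_pubkey(spk)
    if kind == "P2PK":
        return Exposure(kind, True, "public key is in the output script")
    if kind == "P2TR":
        # The tweaked output key is on chain; whoever solves its discrete log can
        # key-path spend, even if the owner only ever intended script-path spends.
        return Exposure(kind, True, "x-only output key is in the output script")
    if kind in ("P2PKH", "P2WPKH"):
        h = spk[3:23] if kind == "P2PKH" else spk[2:22]
        if h in revealed_hash160:
            return Exposure(kind, True, "address reused: key revealed by an earlier spend")
        return Exposure(kind, False, "only hash160 on chain until spent")
    if kind in ("P2SH", "P2WSH"):
        return Exposure(kind, False, "only script hash on chain; depends on redeem script")
    return Exposure(kind, False, "non-standard script; review manually")


def audit(utxos: dict[str, bytes], revealed_hash160: set[bytes]) -> dict[str, Exposure]:
    """Run the exposure check over a labelled set of outputs."""
    return {label: exposure(spk, revealed_hash160) for label, spk in utxos.items()}


# Constructed sample outputs (placeholder key bytes, not real keys).
SAMPLE_UTXOS = {
    "early_p2pk":   bytes([0x21, 0x02]) + b"\x11" * 32 + b"\xac",
    "fresh_p2pkh":  b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac",
    "reused_p2pkh": b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac",
    "fresh_p2wpkh": b"\x00\x14" + b"\xcc" * 20,
    "taproot":      b"\x51\x20" + b"\xdd" * 32,
    "p2wsh":        b"\x00\x20" + b"\xee" * 32,
}
# Pretend the key behind "reused_p2pkh" already appeared in an earlier spend.
REVEALED = {b"\xbb" * 20}

if __name__ == "__main__":
    for label, e in audit(SAMPLE_UTXOS, REVEALED).items():
        print(f"{label:13} {e.kind:7} exposed={str(e.exposed):5} {e.reason}")
```

Note the Taproot case: a P2TR output is flagged regardless of how the owner intended to spend it, because the key-path spend is authorized by a signature under the on-chain output key. P2SH and P2WSH outputs are only as safe as the hidden script, which may itself contain a bare public key.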

For abandoned, vulnerable coins the options are hard: either the community agrees on a "cutoff date" after which unmoved coins are treated as destroyed, or they are left to be taken by whoever first owns a quantum computer. The latter raises serious legal and security problems.

A final Bitcoin-specific problem is low transaction throughput. Even once a migration plan is finalized, moving all vulnerable funds would take months at current rates.

These challenges mean Bitcoin needs to start planning its post-quantum transition now, not because quantum computers are likely before 2030, but because the governance, coordination and technical logistics of moving hundreds of billions of dollars of assets will themselves take years.

Bitcoin's quantum threat is real, but the time pressure comes mainly from its own constraints, not from an imminent quantum computer.

Note: the signature vulnerability above does not affect Bitcoin's economic security (i.e., proof-of-work consensus). PoW relies on hash computation, which is affected only by the quadratic speedup of Grover's search algorithm; that speedup is very expensive to realize and unlikely to yield a meaningful advantage. Even if it did, it would merely give large miners a bigger edge rather than subvert the economic security model.

Costs and risks of post-quantum signatures

Why shouldn't blockchains rush to deploy post-quantum signatures? We need to understand their performance costs and how much confidence we can place in schemes that are still evolving.

Post-quantum cryptography rests on five families of mathematical hardness assumptions: hash functions, codes, lattices, multivariate equation systems, and elliptic-curve isogenies. This diversity exists because a scheme's efficiency is tied to the "structure" of the problem it relies on: more structure usually means more efficiency, but also more footholds for attack algorithms, a fundamental trade-off.

  • Hash-based schemes are the most conservative (highest security confidence) but the least efficient. For example, the smallest NIST-standardized hash-based signature is 7-8 KB, while today's elliptic-curve signatures are only 64 bytes, a difference of roughly 100x.
  • Lattice-based schemes are the focus of current deployments. NIST's selected post-quantum encryption scheme (ML-KEM) and two of its three signature schemes (ML-DSA, Falcon) are lattice-based.
  • ML-DSA signatures are about 2.4-4.6 KB, 40-70x the size of today's signatures.
  • Falcon signatures are smaller (0.7-1.3 KB), but the scheme is extremely complex and involves constant-time floating-point operations, and side-channel attacks against it have already succeeded. One of its designers called it "the most sophisticated cryptographic algorithm I have ever implemented".
  • Implementation challenges are greater: lattice-based signatures have more sensitive intermediate values and more complex rejection-sampling logic than elliptic-curve signatures, and need stronger protections against side channels and fault injection.
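Where the size of a hash-based signature comes from is easiest to see in the simplest member of the family. The following is an added example (not from the article, and not any of the NIST schemes) of a Lamport one-time signature over SHA-256: one 32-byte secret is revealed per message-digest bit, so a signature is 256 × 32 = 8192 bytes, the same order of magnitude as the 7-8 KB figure above. The example also shows the failure mode that makes these schemes "one-time": reusing a key across messages leaks secrets until an observer can forge arbitrary messages. Standardized hash-based schemes add tree structures and, in the stateless case, many-time constructions on top of this idea; they are not reproduced here. Message strings and the number of reuses are constructed for illustration.

```python
# Added example (not from the article): Lamport one-time signature over SHA-256,
# showing (a) why hash-based signatures are kilobytes in size and (b) how key
# reuse leaks the secret key.  Toy construction; not SLH-DSA, XMSS or LMS.
import hashlib
import secrets

BITS = 256   # SHA-256 digest length in bits: one secret pair per bit
N = 32       # size of each secret value in bytes


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: 256 pairs of random values. Public key: their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes) -> list[int]:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(sk, msg: bytes) -> list[bytes]:
    """Reveal, for each digest bit, the secret value matching that bit."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    if len(sig) != BITS:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


def signature_size(sig: list[bytes]) -> int:
    return sum(len(s) for s in sig)   # 256 * 32 = 8192 bytes


def revealed_after(signed: list[tuple[bytes, list[bytes]]]) -> dict:
    """Secrets an observer learns from several signatures under ONE key.

    Each signature exposes one of the two secrets at every position; each
    additional signature on a different message exposes roughly half of
    the positions' remaining secrets.
    """
    known = {}
    for msg, sig in signed:
        for i, b in enumerate(message_bits(msg)):
            known[(i, b)] = sig[i]
    return known


def forge(known: dict, target: bytes):
    """Assemble a signature on target from leaked secrets, if every bit is covered."""
    sig = []
    for i, b in enumerate(message_bits(target)):
        if (i, b) not in known:
            return None          # at least one needed secret is still hidden
        sig.append(known[(i, b)])
    return sig


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"firmware-v1.2.3"        # constructed sample message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig), "signature bytes:", signature_size(sig))
    # Misuse: the same one-time key signs 64 different updates.
    reused = [(b"update-%d" % i, sign(sk, b"update-%d" % i)) for i in range(64)]
    leaked = revealed_after(reused)
    forged = forge(leaked, b"malicious-update")
    print("secrets leaked:", len(leaked), "of", 2 * BITS,
          "forgery verifies:", forged is not None and verify(pk, b"malicious-update", forged))
```

One signature leaks exactly half the secret key and is harmless; after a few dozen signatures essentially all 512 secrets are public and any message can be signed. This is the property that forces real hash-based schemes either to track state (never reuse a leaf key) or to use stateless many-time constructions, and it is why implementation discipline, not just the hash function, determines their security.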

The immediate risks these issues pose are far more real than distant quantum computers.

History also counsels caution: leading candidates in NIST's standardization process, such as Rainbow (a multivariate signature scheme) and SIKE/SIDH (isogeny-based encryption), were broken by classical computers. That illustrates the risk of premature standardization and deployment.

The caution with which internet infrastructure is approaching signature migration is particularly notable, since cryptographic transitions are themselves lengthy (e.g., the migration away from MD5/SHA-1 has taken many years and is still incomplete).

Blockchains' unique challenges compared with internet infrastructure

On the plus side, blockchains maintained by open-source communities (e.g., Ethereum, Solana) can upgrade faster than traditional internet infrastructure. On the minus side, traditional networks shrink their attack surface through frequent key rotation, whereas blockchain funds and their associated keys can stay exposed for long periods.

Overall, though, blockchains should follow the web's careful signature-migration strategy. Neither faces HNDL attacks on signatures, and the costs and risks of premature migration are significant.

There are also particular complexities that make premature migration especially dangerous:

  • Signature aggregation needs: blockchains often need to aggregate large numbers of signatures quickly (e.g., BLS signatures). BLS is fast but not post-quantum secure. Research on SNARK-based post-quantum signature aggregation is promising but still early.
  • The future of SNARKs: the community currently focuses mainly on hash-based post-quantum SNARKs, but I believe that in the coming months to years lattice-based alternatives will emerge that perform better in many respects, such as proof size.

The more serious problem today is implementation security.

Over the coming years, implementation bugs will pose a greater security risk than quantum computers. For SNARKs, the main threat is implementation bugs. Digital signatures and encryption have been hard enough to get right, and SNARKs are far more complex; in practice, a digital signature can be viewed as a very simple zkSNARK.

Side-channel and fault-injection attacks are an even more pressing threat for post-quantum signatures. The community will need years to harden these implementations.

A premature transition, before the dust settles, could therefore lock a system into suboptimal schemes or force a second migration to fix bugs.

What should we do? Seven recommendations

Given these realities, my recommendations for everyone from builders to policymakers are as follows. The general principle: take the quantum threat seriously, but do not act as if a cryptographically relevant quantum computer will appear by 2030 (current progress does not support that). At the same time, there are things we can and should do now:

  1. Deploy hybrid encryption immediately, at least where long-term confidentiality is required and the cost is affordable. Many browsers, CDNs and messaging apps (e.g., iMessage, Signal) have already started. Hybrid schemes (post-quantum + classical) protect against HNDL attacks while hedging against potential weaknesses in the post-quantum scheme.
  2. Use hash-based signatures now where their large size is tolerable: low-frequency, size-insensitive settings such as software/firmware updates, where hybrid hash-based signatures are available today (hybrid, to hedge against implementation bugs in either scheme). This provides a conservative "lifeboat" should a quantum computer appear unexpectedly.
  3. Blockchains need not rush to adopt post-quantum signatures, but planning should begin now:
     • Developers should follow the caution of the web PKI community and let the schemes mature.
     • Public chains such as Bitcoin should define migration paths and policies for "sleeping" vulnerable funds. Bitcoin in particular needs to start planning now, because its challenges are mainly non-technical (slow governance, high-value "sleeping" addresses).
     • Give research on post-quantum SNARKs and aggregate signatures time to mature (possibly a few more years) to avoid committing early to suboptimal solutions.
     • On Ethereum accounts: upgradeable smart-contract wallets may offer a smoother migration path, but the difference is limited. More important than the account type is that the community keeps advancing post-quantum research and contingency plans. The broader design lesson: decoupling account identity from a specific signature scheme (e.g., account abstraction) offers flexibility not only for post-quantum migration but also for features such as sponsored transactions and social recovery.
  4. Privacy chains should transition as a priority (if performance allows): their users' confidentiality is exposed to HNDL attacks today. Hybrid schemes or architectural changes that avoid decryptable on-chain secrets could be considered.
  5. In the short term, prioritize implementation security over the quantum threat: for complex cryptography such as SNARKs and post-quantum signatures, bugs and side-channel attacks will be a greater risk than quantum computers in the coming years. Invest now in auditing, fuzzing, formal verification and defense in depth, and do not let quantum anxiety obscure the more pressing threat of bugs.
  6. Keep funding quantum computing R&D: from a national-security perspective, sustained investment in funding and talent development is essential. An adversary that obtained cryptographically relevant quantum computing first would pose a serious risk.
  7. Read quantum computing news rationally: more milestones are coming, but each milestone also confirms how far we are from the goal. Press releases should be treated as progress reports requiring critical assessment, not as signals for hasty action.

Of course, technical breakthroughs can accelerate and bottlenecks can extend any forecast. I am not asserting that it is impossible within five years, only that it is very unlikely. Following these recommendations will help us avoid the more immediate and likely risks: implementation bugs, hasty deployments, and the familiar mistakes of cryptographic transitions.
