Securing Elliptic Curve Cryptocurrencies Against Quantum Vulnerabilities [pdf]
Comments
int32_64
xhkkffbf
And it's worse than that. In order to "factor" 15=3x5, they designed the circuit knowing that the factors were three and five. In other words, they just validated it. And that's something you can do with a regular CPU.
Retr0id
Fusion power comes to mind.
nostrademons
It's interesting, solar panels were in this category in the 1980s and self-driving cars were in the 2010s, and both have had the gap between theory and practice significantly narrowed since.
PowerElectronix
With fusion it's gonna be harder, I think. First you need to pump energy into it to get the fusion itself. This involves energising supermagnets, vacuum pumps and heating and controlling the plasma. We are not even here yet.
And once you get to that point, you need to harness the output energy of a million degrees plasma through something that yields a pretty high efficiency (so that pumping energy into the plasma is not only worthwhile, but makes financial sense) and requires a reasonably low maintenance.
I see fusion more practical as a rocket technology (which is just basically impossible) than as an actual energy facility asset.
tagrun
What big gap are you referring to that you believe exists between the theory of any quantum computing platform (which is device physics) and the experiment?
You seem to be conflating the theory with pitches to investors?
The number of qubits is increasing exponentially, and the error rates are getting lower. People have factored numbers larger than 21 (not that Shor's algorithm is a commonly used benchmark by experimentalists at this point, but people with little knowledge about quantum computers and device physics love it; https://link.springer.com/chapter/10.1007/978-3-032-12983-3_... did 221 and, in fact, you can do it yourself using Qiskit on IBM's publicly available devices [or on a local simulator for a few qubits] following their tutorial https://qiskit.qotlabs.org/docs/tutorials/shors-algorithm; if memory serves, the largest instance available to the public is ibm_kingston with 156 qubits https://quantum.cloud.ibm.com/computers?limit=25&system=ibm_...), but it will take more time until we have millions of good qubits to harvest your Satoshis.
For the programmer folks here, as a physicist working on the device side of things for many years now, the best analogy I have is: we didn't get from a few hand-made vacuum tubes to billions of transistors with an 18A manufacturing process overnight, and we won't get from hundreds to millions of better qubits overnight either. A realistic expectation would be thousands within this decade, but keep in mind that the growth has so far been exponential in various types of qubits, much like Moore's law, so reaching millions of qubits shouldn't take us 10 millennia.
scorpionfeet
Y2K
Oh wait: thousands of programmers started working on this in the early 90s so that there would be so few failures people thought it was a scam.
The entire financial and government infrastructure was based on ecdsa until the shift to pqc. The consequences of not preparing are literal threats to global economy. That can’t be understated. The cost to switch to (hybrid) pqc is essentially zero when compared to the costs for not doing it.
0xdeafbeef
Cost is 100+ times bigger signature size and more CPU usage. If you process several k per second, it matters.
scorpionfeet
Key is 2600 bytes for mldsa 87. Your fav icon is 10x bigger than that. Verify time and encapsulation is a few hundred microseconds for one verify and encaps. Your scary proportions are minuscule in practice. Even cortex m class can handle it. Not sure you have an argument when you put it up against a typical browser session. Plus 50% of all web traffic already uses pqc ciphersuites sooooo….
0xdeafbeef
I was thinking about transaction processing, e.g. Visa/blockchain. And here storing and sending an almost full packet for the signature instead of 32 bytes matters. For sessions this shouldn't matter.
scorpionfeet
Oh good point. Thanks. I don’t think about cryptocurrency at all. But yes the sigs are now 4.6k. That's a huge block. Yeah that sure throws a wrench into blockchain. But the alternative is that blockchains based on ecdsa go away. Seems like a win to me. But I despise cryptocurrency.
jryio
Here's an interesting discussion from Section 8 - Dormant Wallets:
If a nation state develops a sufficiently powerful quantum computer, seizure of the Satoshi-era bitcoin wallets without post-quantum protections would fund either rogue actors or nation states.
> Indeed, some governments will have the option of using CRQCs (or paying a bounty to companies) to acquire these assets (possibly to burn them by sending them to the unspendable OP RETURN address [321]) as a national security matter. As before, blockchain’s loss of the ability to reliably identify asset owners combined with the laches doctrine [319] enables governments to argue that the original owners, through years of inaction, have failed to assert their property rights
lifis
I don't think you can steal Bitcoin with a quantum computer because the blockchain only stores the 256-bit hash of the public key, so you need to reverse that, which costs 2^128 with Grover's algorithm.
tigereyeTO
You’re right that P2PKH addresses use the hashed public key, but there are other address types.
The very early days of Bitcoin had addresses created using the now-deprecated P2PK address variant—Pay To Public Key. These addresses are simple encoded secp256k1 public keys with no hashing.
There are still > 1.5 million BTC stored in P2PK UTXOs as of this post, all of which are up for grabs to the first person who can derive the private keys for the known public keys.
PowerElectronix
As soon as activity is detected and reasonably attributable to sha256 being broken, bitcoin goes to zero.
some_furry
What?
Quantum computers don't break SHA256, nor would this attack be "reasonably attributable" to a SHA256 break.
In fact, if you have funds in a wallet that has never spent a transaction before (only received), it's still reasonably difficult for a CRQC to steal your funds. The trick is, the moment you've ever spent a transaction, now your public key is known (and therefore breakable).
(Yes, I'm aware of the literature on quantum search vs hash functions, but it's not a complete break like RSA or ECC.)
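To make concrete which outputs tigereyeTO's P2PK point and some_furry's spent-versus-unspent point refer to, here is an added Python example; it is not from the paper or from anyone in this thread. It classifies the standard Bitcoin scriptPubKey byte patterns and tallies how much value in a (constructed) UTXO set sits behind a public key that is already visible on-chain, either because the script type embeds the key (P2PK, and the tweaked output key of P2TR) or because an earlier spend from the same script revealed it. The sample scripts use all-zero key bytes, the amounts are made up, and the `spent_from_before` field name is an assumption for illustration.

```python
"""Inventory which UTXOs expose a public key on-chain (added example, constructed data)."""
from dataclasses import dataclass

# Script opcodes used by the standard output templates
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_script(script: bytes) -> tuple[str, bool]:
    """Return (script_type, pubkey_visible_in_script) for a scriptPubKey."""
    n = len(script)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG; key sits in the script itself
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG \
            and script[1] in (0x02, 0x03, 0x04):
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and script[:2] == bytes([OP_HASH160, 0x14]) and script[-1] == OP_EQUAL:
        return "P2SH", False
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and script[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH", False
    # P2WSH: OP_0 <32-byte hash>
    if n == 34 and script[:2] == bytes([OP_0, 0x20]):
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only tweaked output key>; the key itself is on-chain
    if n == 34 and script[:2] == bytes([OP_1, 0x20]):
        return "P2TR", True
    return "unknown", False


@dataclass
class Utxo:
    script_pubkey: bytes
    value_sats: int
    spent_from_before: bool  # has any earlier spend from this script revealed its key?


def pubkey_exposed(utxo: Utxo) -> bool:
    """True when the key protecting this output is already public knowledge."""
    _, in_script = classify_script(utxo.script_pubkey)
    # Spending a hash-based output publishes the key (or the script containing it)
    return in_script or utxo.spent_from_before


def summarize(utxos: list) -> dict:
    """Total satoshis behind exposed keys versus keys still hidden behind a hash."""
    totals = {"exposed": 0, "hashed": 0}
    for u in utxos:
        totals["exposed" if pubkey_exposed(u) else "hashed"] += u.value_sats
    return totals


# Constructed sample outputs: all-zero key/hash bytes, made-up amounts
P2PK_SCRIPT = bytes([0x21, 0x02]) + bytes(32) + bytes([OP_CHECKSIG])
P2PKH_SCRIPT = bytes([OP_DUP, OP_HASH160, 0x14]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SCRIPT = bytes([OP_0, 0x14]) + bytes(20)
P2TR_SCRIPT = bytes([OP_1, 0x20]) + bytes(32)

SAMPLE_UTXOS = [
    Utxo(P2PK_SCRIPT, 5_000_000_000, False),   # early coinbase-style P2PK output
    Utxo(P2PKH_SCRIPT, 100_000_000, False),    # never spent from: only the hash is known
    Utxo(P2PKH_SCRIPT, 200_000_000, True),     # address reused after a spend: key revealed
    Utxo(P2WPKH_SCRIPT, 300_000_000, False),   # fresh segwit address
    Utxo(P2TR_SCRIPT, 400_000_000, False),     # taproot: output key is on-chain
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        kind, _ = classify_script(u.script_pubkey)
        print(f"{kind:7s} {u.value_sats:>13,d} sats exposed={pubkey_exposed(u)}")
    print(summarize(SAMPLE_UTXOS))
```

The split this produces is the one the two comments describe: P2PK and P2TR outputs, and any hash-based output whose script has been spent from before, are protected only by the discrete logarithm; a never-spent P2PKH or P2WPKH output is still behind a hash. Running this over a real UTXO dump would require the per-script "spent before" flag to come from chain history rather than a constructed field.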
upofadown
You can save time by first looking at the required noise performance of these schemes. From the abstract of the paper:
> On superconducting architectures with 10^-3 physical error rates...
So good old 0.1% noise performance again. That seems to have come from the "20 million noisy qubits to break RSA" scheme[1] from back in 2019. That level of noise performance is still wildly out of reach and for all we know might be physically impossible.
adgjlsfhk1
> That level of noise performance is still wildly out of reach
It's only ~1 order of magnitude away from current capability. Current-gen QCs are around 1% gate error rate, and a decade ago SOTA was ~10% error rate, so if progress continues it should be achievable relatively soon.
api
People don't understand the exponential function.
Let's say you start adding water to a fish tank drop by drop, and double the number of drops each time. One drop, two, four, eight, and so on. When is the fish tank half full? When it's like 1/16 of the way full, or something like that.
Strilanc
> [0.1% gate error rate] is still wildly out of reach
This is false. When Fowler et al. assumed 0.1% gate error rates would be reached for their estimates in 2012 [0], that was ostentatious. Now it's frankly a bit overly conservative. All the big architectures are approaching or surpassing 0.1% gate error rates.
From 2022 to 2024, the google team improved mean two qubit gate error rate from 0.6% [1] to 0.4% [2]. Quantinuum's Helios has a two qubit gate error rate of 0.08% [3]. IBM has Heron processors available on their cloud service with two qubit gate error rates ranging from 0.2% to 0.7% [4]. Neutral atom machines have demonstrated 0.5% gate error rates [5].
[0]: https://arxiv.org/abs/1208.0928
[1]: fig 1c of https://arxiv.org/pdf/2207.06431
[2]: fig 1b of https://arxiv.org/pdf/2408.13687
[3]: https://arxiv.org/abs/2511.05465
[4]: https://quantum.cloud.ibm.com/computers?processorType=Heron (numbers may vary as the website is not static)
upofadown
I can think of a case where it turned out that there was some aspect of the noise performance that made the technology unsuitable for running Shor's algorithm. So would one of the presented low noise approaches actually work for Shor's?
JustinGoldberg9
The one crypto that has no hashpower or security budget
SrslyJosh
I can't think of a less useful avenue of research in cryptography right now.
commandersaki
Quantum Cryptanalysis feels like the Y2K problem all over again.
vibe42
Will be pretty wild when mass migration of accounts begin.
The analytics of thousands of accounts sending tokens to new accounts. Better use a VPN and migrate at an unusual hour in your time zone :D
gosub100
'Code is law' doesn't exclude quantum code.
jditu
[flagged]
meling
Call me when they have broken ECC with a real quantum computer.
alphager
That would be about 10-15 years after the moment it would have been wise to migrate to PQC. You won't have the time to migrate before breach when you start after ECC is broken.
nh23423fefe
Why is your use case interesting?
rvz
There is a $2T dollar use-case.
Is there any field with as big of gap between theory and experiment than QC? You read papers like this and think they will be harvesting all Satoshi's coins in a couple years and then you remember that nobody has even factored 21 yet on a real quantum computer.