Market predictions about when cryptographically relevant quantum computers (CRQCs) will emerge are often overly aggressive and exaggerated, leading to calls for an immediate and comprehensive transition to post-quantum cryptography.
However, these calls often overlook the costs and risks of premature migration and ignore the starkly different risk profiles of the various cryptographic primitives:
- Post-quantum encryption does require immediate deployment, despite the high cost: "Harvest Now, Decrypt Later" (HNDL) attacks are already taking place. Sensitive data encrypted today may still be valuable decades from now, when quantum computers become available. Deploying post-quantum encryption brings performance overhead and execution risk, but for data that must remain confidential over the long term there is no alternative in the face of HNDL.
- Post-quantum signatures follow a completely different calculus: they are not affected by HNDL attacks. Moreover, their costs and risks (larger sizes, worse performance, immature implementations and the potential for bugs) call for a deliberate rather than a hasty migration strategy.
Clarifying these distinctions is crucial. Misunderstanding them distorts cost-benefit analysis and leads teams to overlook more immediate and more damaging security risks, such as code bugs.
The real challenge in the post-quantum transition is matching urgency to actual threats. The rest of this article clears up common misconceptions about the quantum threat to encryption, signatures, and zero-knowledge proofs (and in particular their impact on blockchains).
How Far Are We from Quantum Threats?
Despite the hype, the likelihood of a cryptographically relevant quantum computer (CRQC) emerging in the 2020s is extremely low.
By "CRQC" I mean a fault-tolerant, error-corrected quantum computer large enough to run Shor's algorithm against elliptic curve cryptography or RSA in a reasonable time frame (for example, breaking secp256k1 or RSA-2048 within a month).
On any reasonable reading of public milestones and resource estimates, we are far from building such a machine. Some companies claim that a CRQC may appear before 2030 or 2035, but the publicly known progress does not support these assertions.
Objectively speaking, across all current technological architectures—ion traps, superconducting qubits, neutral atom systems—none of today's platforms come close to the hundreds of thousands to millions of physical qubits required to run Shor's algorithm (depending on error rates and error correction schemes).
The limiting factors are not just the number of qubits but also gate fidelities, qubit connectivity, and the depth of error-correcting circuits needed to run deep quantum algorithms. While some systems now exceed 1,000 physical qubits, looking solely at the quantity is misleading: these systems lack the connectivity and fidelity required for cryptographic computations.
Recent systems have begun to approach the physical error rate threshold at which quantum error correction becomes effective, but no one has yet demonstrated more than a few logical qubits with sustained error-correcting circuit depth… let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits required to run Shor's algorithm. The gap between "proving quantum error correction is feasible in principle" and "reaching the scale needed for cryptanalysis" remains vast.
In short: unless the number and fidelity of qubits increase by several orders of magnitude, CRQC remains out of reach.
However, it is easy to be confused by corporate press releases and media reports. Here are some common sources of misunderstanding:
- Demonstrations claiming "quantum advantage": these currently target artificially designed tasks, chosen not for their practicality but because they can run on existing hardware and exhibit a large quantum speedup, a point that the announcements often gloss over.
- Companies claiming to have thousands of physical qubits: this usually refers to quantum annealers, not the gate-model machines needed to run Shor's algorithm against public-key cryptography.
- Misuse of the term "logical qubit": quantum algorithms such as Shor's require thousands of stable logical qubits. Quantum error correction builds one logical qubit out of many physical qubits, typically hundreds to thousands. Some companies have grossly misused the term: for example, a recent announcement claimed to achieve 48 logical qubits with only two physical qubits per logical qubit. Such low-redundancy codes can only detect errors, not correct them. A true fault-tolerant logical qubit suitable for cryptanalysis requires hundreds to thousands of physical qubits.
- Playing with definitions: many roadmaps use "logical qubit" for qubits that support only Clifford operations. These can be simulated efficiently on classical computers and are therefore insufficient to run Shor's algorithm.
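The "detect but not correct" point about two-physical-qubit codes comes down to code distance, and the arithmetic is the same for a classical repetition code. The following is an added example, not code from the article: an n-copy repetition code has distance n, so up to n-1 bit flips are detectable (the copies disagree) while only floor((n-1)/2) can be corrected by majority vote. The n = 2 case is the one the article criticises: a single flip is noticed, but the decoder cannot tell which copy is wrong. Quantum codes are more involved (phase errors, syndrome measurement rather than direct readout), but the distance bookkeeping carries over.

```python
"""Classical repetition code as an analogy for code distance (added example)."""
from collections import Counter
from typing import List, Optional, Sequence


def encode(bit: int, n: int) -> List[int]:
    """Repetition encoding: n identical copies of one bit."""
    assert bit in (0, 1) and n >= 1
    return [bit] * n


def flip(codeword: Sequence[int], positions: Sequence[int]) -> List[int]:
    """Apply bit-flip errors at the given positions (constructed noise)."""
    out = list(codeword)
    for p in positions:
        out[p] ^= 1
    return out


def detected(codeword: Sequence[int]) -> bool:
    """An error is detected whenever the copies disagree."""
    return len(set(codeword)) > 1


def correct(codeword: Sequence[int]) -> Optional[int]:
    """Majority-vote decoder. Returns None when there is no strict majority,
    i.e. the code has detected an error but cannot say which copy is wrong."""
    ranked = Counter(codeword).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def max_detectable(n: int) -> int:
    """Distance-n code: any pattern of up to n-1 flips leaves the copies disagreeing."""
    return n - 1


def max_correctable(n: int) -> int:
    """Majority vote survives only floor((n-1)/2) flips."""
    return (n - 1) // 2


def outcome(n: int, flip_positions: Sequence[int], bit: int = 0) -> str:
    """Classify what the decoder does with a given error pattern:
    clean / corrected / detected_only / miscorrected / undetected."""
    received = flip(encode(bit, n), flip_positions)
    if not detected(received):
        return "undetected" if flip_positions else "clean"
    decoded = correct(received)
    if decoded is None:
        return "detected_only"      # knows something is wrong, cannot fix it
    return "corrected" if decoded == bit else "miscorrected"


if __name__ == "__main__":
    for n, flips in [(2, [0]), (3, [1]), (3, [0, 1]), (3, [0, 1, 2]), (5, [0, 1])]:
        print(f"n={n} flips={flips}: {outcome(n, flips)}")
```

Note the two failure modes beyond the code's capability: with n = 3, two flips are still detected but silently miscorrected, and three flips are not detected at all. That is why cryptanalytic estimates talk about distance and physical error rate together, not just qubit counts.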
Even if a roadmap aims to "achieve thousands of logical qubits in X years," it does not mean that the company expects to run Shor's algorithm to break classical cryptography in that year.
These marketing tactics severely distort the public's (and even some seasoned observers') perception of how imminent the quantum threat is.
Nevertheless, some experts are indeed excited about the progress. Scott Aaronson recently stated that, given the pace of hardware advancements, he believes "it is possible to achieve a fault-tolerant quantum computer running Shor's algorithm before the next U.S. presidential election." But he also made it clear that this does not equate to a CRQC that threatens cryptography: even just factoring 15 = 3 × 5 in a fault-tolerant system counts as "predictive success." This is clearly not on the same scale as breaking RSA-2048.
In fact, all quantum experiments that "factor 15" use simplified circuits rather than the full fault-tolerant Shor's algorithm; factoring 21 requires additional hints and shortcuts.
In simple terms, there is no public progress that proves we can build a quantum computer capable of breaking RSA-2048 or secp256k1 within the next five years.
Predicting within ten years is still considered very aggressive.
The U.S. government has proposed completing the post-quantum migration of government systems by 2035, which is a timeline for the migration project itself, not a prediction that CRQC will appear by then.
What Types of Cryptosystems Are Vulnerable to HNDL Attacks?
"HNDL (Harvest Now, Decrypt Later)" refers to attackers storing encrypted communications now to decrypt them later when quantum computers become available.
State-level adversaries are likely already archiving U.S. government encrypted communications on a large scale for future decryption. Therefore, cryptographic systems need to migrate immediately, especially in scenarios where confidentiality periods exceed 10–50 years.
However, the digital signatures that all blockchains rely on differ from encryption: a signature carries no confidential information that a retrospective attack could recover.
In other words, once a CRQC exists it can forge signatures from that moment onward, but signatures made earlier are unaffected: they contain no secret to leak, and as long as it can be shown that a signature was produced before the CRQC existed, it cannot have been forged.
Thus, the urgency to migrate to post-quantum signatures is far lower than that for encryption migration.
Mainstream platforms have also adopted corresponding strategies:
- Chrome and Cloudflare have deployed a hybrid mode of X25519+ML-KEM for TLS.
- Apple iMessage (PQ3) and Signal (PQXDH, SPQR) have also deployed hybrid post-quantum encryption.
However, the deployment of post-quantum signatures on critical web infrastructure has been deliberately postponed—only to be undertaken when CRQC is truly imminent, as the current performance regression of post-quantum signatures remains significant.
The situation with zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge) is similar to that of signatures. Even when they are built on elliptic curves, which are not post-quantum secure, their zero-knowledge property still holds against a quantum adversary.
Zero-knowledge proofs leak nothing about the secret witness, so an attacker cannot "collect proofs now and decrypt them later"; zkSNARKs are therefore not exposed to HNDL attacks. Just as signatures generated today remain secure, any zkSNARK proof generated before the emergence of quantum computers remains trustworthy, even if that zkSNARK used elliptic curve cryptography. Only after a CRQC exists can attackers forge proofs of false statements.
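Both the signature argument and the zkSNARK argument above rest on being able to show that a signature or proof existed before the CRQC did. On a blockchain that evidence is the chain itself: each block commits, via a hash, to its contents and to the previous block, and the tip hash is replicated across the network. The following is an added example, not code from the article or any particular chain, showing the check a verifier performs and the two ways a post-CRQC forger fails it. Signatures and proofs are opaque placeholder hex strings (the scheme that produced them does not matter for the argument); SHA-256 stands in for the chain's hash function, and block timestamps are assumed to be the ones consensus recorded. The cutoff time and all block contents are constructed.

```python
"""Append-only hash chain as evidence that a signature predates a CRQC (added example)."""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Sequence, Tuple

GENESIS_PREV = "00" * 32


@dataclass
class Block:
    height: int
    timestamp: int         # unix seconds as recorded by the chain (assumed trusted)
    prev_hash: str
    payloads: List[str]    # signatures / proofs, hex-encoded, order preserved

    def digest(self) -> str:
        """SHA-256 over a canonical encoding of the block; commits to prev_hash too."""
        body = json.dumps(
            {"h": self.height, "t": self.timestamp, "p": self.prev_hash, "x": self.payloads},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


def build_chain(spec: Sequence[Tuple[int, Sequence[str]]]) -> List[Block]:
    """Link blocks in order; each block's prev_hash is the digest of the block before it."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for height, (ts, payloads) in enumerate(spec):
        block = Block(height, ts, prev, list(payloads))
        chain.append(block)
        prev = block.digest()
    return chain


def verify_links(chain: Sequence[Block]) -> bool:
    """Every block must point at the digest of its predecessor."""
    prev = GENESIS_PREV
    for height, block in enumerate(chain):
        if block.height != height or block.prev_hash != prev:
            return False
        prev = block.digest()
    return True


def committed_before(chain: Sequence[Block], consensus_tip: str, payload: str, cutoff_ts: int) -> bool:
    """True iff `payload` sits in a block timestamped before `cutoff_ts`, the links are
    intact, and the chain ends at the tip digest the network agreed on. A forger who
    only appears after the cutoff cannot satisfy all three at once."""
    if not chain or not verify_links(chain) or chain[-1].digest() != consensus_tip:
        return False
    return any(b.timestamp < cutoff_ts and payload in b.payloads for b in chain)


# Two ways a post-CRQC forger might try to backdate a forged signature or proof:

def splice_in_place(chain: Sequence[Block], height: int, payload: str) -> List[Block]:
    """Edit an old block but leave later ones alone: the next block's prev_hash
    no longer matches, so verify_links fails."""
    forged = copy.deepcopy(list(chain))
    forged[height].payloads.append(payload)
    return forged


def rewrite_from(chain: Sequence[Block], height: int, payload: str) -> List[Block]:
    """Edit an old block and recompute every later link: the links verify, but the
    tip digest differs from the one everyone recorded."""
    spec = [(b.timestamp, list(b.payloads)) for b in chain]
    spec[height] = (spec[height][0], spec[height][1] + [payload])
    return build_chain(spec)


if __name__ == "__main__":
    CRQC_CUTOFF = 1_900_000_000          # constructed: moment a CRQC becomes available
    chain = build_chain([
        (1_700_000_000, ["a1" * 16]),    # pre-cutoff block holding an ECDSA sig / SNARK proof
        (1_800_000_000, ["b2" * 16]),
        (1_950_000_000, ["c3" * 16]),    # post-cutoff block: its contents could be forged
    ])
    tip = chain[-1].digest()
    print(committed_before(chain, tip, "a1" * 16, CRQC_CUTOFF))                                  # True
    print(committed_before(chain, tip, "c3" * 16, CRQC_CUTOFF))                                  # False
    print(committed_before(splice_in_place(chain, 0, "d4" * 16), tip, "d4" * 16, CRQC_CUTOFF))   # False
    print(committed_before(rewrite_from(chain, 0, "d4" * 16), tip, "d4" * 16, CRQC_CUTOFF))      # False
```

The design choice worth noting is that the signature scheme never appears in the check: what survives the arrival of a CRQC is the hash commitment and its replication, not the ECDSA or pairing-based math. Grover's algorithm only gives a quadratic speedup against SHA-256 preimages, so the commitment is the part that does not need urgent migration; anything first seen after the cutoff, like the third block's payload, is indistinguishable from a forgery and gets no benefit from this argument.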
Disclaimer: This article represents only the author's personal views and does not reflect the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes any rights, please send the relevant proof of rights and identity to support@aicoin.com and the platform's staff will investigate.