"Quantum crisis" approaches reality, how much time is left for Bitcoin?

律动BlockBeats
6 hours ago
Original Title: Bitcoin's quantum deadline just moved up
Original Author: Protos
Translated by: Peggy, BlockBeats

Editor's Note: Recently, two studies on quantum cryptography have significantly compressed the resources and time required to crack the underlying cryptography of Bitcoin, making this once-distant risk more tangible.

The trigger for this discussion was two papers released almost simultaneously the day before: one from Google's Quantum AI team and the other from neutral atom quantum computing company Oratomic. Viewed individually, each represents an important advancement; together, they compress different stages of the quantum computing stack, displaying a multiplicative effect.

The rapid drop in the attack threshold from millions to tens of thousands is reshaping the market's assessment of the boundaries of cryptographic security.

However, another equally clear signal is that responses are progressing in parallel. From post-quantum solution explorations within the Bitcoin community to timelines provided by technology organizations, a security restructuring around the "quantum era" has already begun.

The following is the original text:

This Monday, two studies on quantum cryptography significantly lowered the hardware threshold required to crack the private keys that control substantial assets, including the more than one million bitcoins (BTC) held by Satoshi Nakamoto. Some believe that the time window for Bitcoin to migrate to a post-quantum cryptographic system has been advanced by a full two orders of magnitude.

In other words, these two research teams have brought about "multiplicative" rather than "additive" progress. Although they approach the problem from different aspects of quantum computing systems, the effects of their improvements amplify together.

In short, the physical quantum bits needed to crack the private key corresponding to an exposed Bitcoin public key have plummeted from about 9 million to as low as approximately 10,000.

A white paper released by Google Quantum AI (co-authored with Stanford researcher Dan Boneh and Ethereum Foundation's Justin Drake) pointed out that using Shor's algorithm, fewer than 1,200 logical quantum bits and 90 million Toffoli gates may solve the 256-bit elliptic curve discrete logarithm problem (ECDLP) in the Bitcoin protocol. On a superconducting quantum computer, this translates to fewer than 500,000 physical quantum bits and can be completed in a matter of minutes. Google claims this result represents about a 20-fold decrease compared to previous estimates.

Hours later, Oratomic, founded by scholars from Caltech and Harvard, also announced its breakthrough. The team adopted a new error correction strategy on "neutral atom" quantum hardware, enabling Shor's algorithm to crack private keys at a speed achievable with as few as 10,000 physical quantum bits. If a faster variant is used, with about 26,000 quantum bits, a private Bitcoin key could be cracked solely from the public key in about 10 days.

Significance of the "Multiplicative Breakthrough"

Although the two papers describe private key cracking capabilities that may only be realized in the future, advancements in superconducting quantum computing have actually amplified the effects of the neutral atom route, creating a "multiplicative" relationship. Consequently, the overall timeline for when relevant hardware will actually materialize has been advanced by several years.

In the past, many Bitcoin security experts estimated that the risk of attacking the BTC held by Satoshi Nakamoto would roughly emerge in the 2030s or even 2040s. However, these new technologies may push that threat forward to within the next five years.

Generally, the total number of physical quantum bits required for a quantum attack equals the number of logical quantum bits required by the algorithm, multiplied by the number of physical quantum bits needed for each logical quantum bit (for error correction). Error correction is a key aspect of quantum computing because, at such microscopic physical states, the computational results themselves have a high degree of uncertainty.

Specifically, Google's research has primarily compressed the first variable—the number of logical quantum bits. Through circuit optimization, the number of logical quantum bits required for the ECDLP-256 problem used by Bitcoin has been reduced from about 2,330 in 2017 to below 1,200.

Oratomic, on the other hand, has compressed the second variable—error correction overhead. Traditional surface codes typically require about 400 physical quantum bits to support one logical quantum bit; however, Oratomic's proposed lifted-product codes enhance encoding efficiency to nearly 30%, reducing this ratio to approximately 10:1, improving efficiency by about 160 times under the same error correction performance.

Previously, the best estimates came from a 2023 paper by Daniel Litinski, which suggested that around 9 million physical quantum bits would be needed.

A cryptography research institution has summarized that since 2012, the scale of quantum computation necessary to crack ECC-256 has cumulatively decreased by about five orders of magnitude:

2012: 1 billion physical quantum bits

2019: 20 million

2025: Below 1 million

2026: Below 25,000

Bitcoin is Still Addressing Quantum Risks

Ethereum-supporting researcher Justin Drake stated that his assessment of the "breakthrough in cryptography before 2032" has significantly increased. He estimates that by then, the probability of quantum computers recovering secp256k1 ECDSA private keys from exposed BTC public keys will reach at least 10%.

Currently, there are still millions of BTC (worth hundreds of billions of dollars) stored in addresses vulnerable to quantum attacks. Approximately 1.7 million of these belong to early "pay-to-public-key" outputs, including mining rewards from the Satoshi era.

In terms of responses, the post-quantum signature proposal, Bitcoin Improvement Proposal 360 (BIP 360), has yet to gain broad consensus within the core developer community.

Meanwhile, relevant work surrounding hard forks of Bitcoin node software to introduce quantum-resistant mechanisms is ongoing.

Quantum computing poses a potential threat to Bitcoin, but the industry is already responding

Radical Timelines and Assumptive Foundations

Of course, there are reasonable reservations about both papers. Google has not publicly disclosed its specific quantum circuits but verified results through zero-knowledge proofs. Justin Drake also pointed out that Oratomic's achievements depend on qLDPC coding, which has yet to be validated on a large scale, warranting caution.

Additionally, the nine authors of Oratomic are also shareholders in the company, which may leverage this wave of media attention to advance financing, indicating that the research motives are not entirely neutral.

More importantly, the two papers are based on completely different hardware paths: Google assumes superconducting qubits, while Oratomic uses a neutral atom system. Simply overlaying the "optimal results" of both as a feasible unified hardware product overlooks the immense complexity of underlying engineering implementations.

However, these factors have not changed a clearer trend: the threat posed by quantum computing to Bitcoin is advancing at an "accelerating monthly" pace. The timeline proposed internally by Google for the "migration of cryptographic systems before 2029" itself indicates a serious judgment about this technological path.

On a policy level, efforts are also moving forward in parallel. The National Security Agency (NSA) has requested that national security systems complete the migration to quantum-resistant algorithms by 2030; the National Institute of Standards and Technology (NIST) plans to have all U.S. government agencies fully phase out quantum-vulnerable cryptographic systems by 2035.
