Quantum Crackdown on Bitcoin Countdown: 50% Probability Before 2032?

秦晓峰
Odaily senior writer
@QinXiaofeng888
2026-06-08 08:03
Can leanVM Save Ethereum Within 3.5 Years?
AI Summary
  • Core Thesis: The threat (Q-Day) posed by quantum computers to encryption systems like cryptocurrencies is accelerating. Breakthrough optimizations by research teams, including Google, have significantly reduced the resources required for an attack. The probability of occurrence is estimated at 50% by 2032, but the migration to post-quantum cryptography must proceed cautiously to avoid hasty actions.
  • Key Elements:
    1. Google's optimization of Shor's algorithm for Elliptic Curve Cryptography achieved a 10x performance improvement and, for the first time, used Zero-Knowledge Proofs (ZK) to hide the underlying circuit details, sparking significant academic interest and renewed exploration.
    2. French expert André Schrottenloher rediscovered Google's core optimization just two months after the paper's publication. Subsequently, through the "Shor-at-home" collaborative challenge, global enthusiasts have already achieved results that are 8.4% better than Google's circuit.
    3. Startup Oratomic claims that by combining physical-layer optimization with neutral atom technology, Shor's algorithm can be run on secp256k1 using only 10,000 physical qubits. This figure is far lower than previously understood, and the technical pathway has attracted Google's attention.
    4. Author Justin Drake, based on public and unpublished information, predicts a 50% probability of Q-Day occurring before 2032, and 10% before 2030. He believes the US government's 2035 migration deadline is severely lagging.
    5. The reasonable target year for post-quantum cryptography migration is 2029. The Ethereum Foundation is promoting secure replacement of existing signatures and commitment schemes at the consensus, data, and execution layers through hash-based leanVM and SNARK technology.
    6. Currently, there are two public challenges worth millions of dollars: the Proximity Prize (solving a coding theory conjecture) and the Poseidon Initiative (breaking SNARK-friendly hash functions) to advance the development of post-quantum cryptography.

Original text by Google quantum paper co-author and Ethereum Foundation researcher Justin Drake

Compiled by Odaily (@QinXiaofeng888)

Editor's Note: In March this year, Google's quantum research team published a paper stating that the resources a future quantum computer would need to break the elliptic curve cryptography protecting cryptocurrencies are far smaller than previously thought. The threat quantum computing poses to cryptocurrencies quickly became a focus of discussion on international social media. Interestingly, Google's paper did not fully disclose the underlying circuit details; instead, after communicating with the US government, the team substantiated its resource estimates with a zero-knowledge proof (ZK). Over the past few months this has led numerous technical experts to try to reconstruct the details the paper withheld.

On June 2nd, Google quantum paper co-author and Ethereum Foundation researcher Justin Drake stated that the probability of Q-Day occurring by 2032 is 50%, and by 2030, 10%. (Odaily Note: Q-Day, i.e., Quantum Day, refers to the day when a quantum computer becomes powerful enough to break today's mainstream encryption.)

Below is the original text, compiled by Odaily. Enjoy~

————————————

Today, the crazy quantum story gets even stranger.

On March 31st, the Google Quantum AI team published a landmark result on the application of Shor's algorithm to elliptic curve cryptography. Technically, the paper was a bombshell: a 10x performance improvement over the previous state of the art. As a hook and a wake-up call for the blockchain space, these optimizations were demonstrated on the secp256k1 elliptic curve – the very curve underpinning Bitcoin and Ethereum signatures.

But perhaps the most striking aspect of the paper was not technical, but its social impact. Instead of following standard academic processes, they kept these optimizations secret, hidden behind a zero-knowledge proof (ZK). Google's article mentioned they "engaged with the US government." This ZK proof demonstrates the algorithmic improvements without revealing any details. Using zero-knowledge proofs for academic review is unprecedented!

As a co-author of this Google paper, I have personally witnessed some of the background surrounding this review. Honestly, there are many elements behind it that make me uneasy. I certainly believe the public deserves to know more, but my avenues for whistleblowing are limited. However, let me make one thing clear: the professionalism of the Google team was exemplary, and they deserve nothing but praise.

Censorship often backfires. The Streisand effect – where trying to hide something makes it more prominent – is happening today. First, Google's key optimizations have been rediscovered by a French researcher. An even more exciting twist is the launch of a collaborative challenge called "Shor-at-home." The initiative's website is ecdsa[.]fail, and within hours of its launch, it broke the world record for Shor's algorithm.

Part One: 8.4% Performance Improvement

Let's talk about this rediscovery. Just two months after Google's paper was published, French quantum expert André Schrottenloher cracked the core secret optimization. His paper, "Optimized Point Addition Circuits for the Elliptic Curve Discrete Logarithm," went up on arXiv today. Warm congratulations to André, who beat out several other experts deeply fascinated by this problem and vying for the solution. In a blog post published today, world authority on Shor optimization, Craig Gidney, revealed that due to censorship pressure, he had been sitting on this optimization for a full year.

Interestingly, André missed a few minor micro-optimizations, including some from Google's original publication and some improvements discovered later. There's likely still plenty of low-hanging fruit left on Shor's algorithm, and this is the focus of the ecdsa[.]fail challenge. The verification program developed for the ZK proof serves a dual purpose, automatically filtering valid submissions. Dozens of compounding small and micro-optimizations are constantly emerging. As of writing, measured by the product of logical qubits and Toffoli gates, a result showing an 8.4% improvement over Google's circuit has been achieved. Not bad!

This wave of "motivated problem-solving" has gone deeper than anyone anticipated. In recent weeks, it has moved beyond the circle of André and other quantum experts. Behind the scenes, a small army of amateur enthusiasts has quietly gone to work. Inspired by Karpathy-style autonomous research, they have applied AI to Shor's algorithm. Ironically, the verification program for that ZK proof turned out to be an excellent reward function for AI. The barrier to entry for this modern research style is refreshingly low, and several non-professionals, including a teenager, have found decent optimizations. If you want to join a Telegram group working alongside other autonomous researchers, feel free to contact me.

Part Two: Neutral Atoms and Q-Day

The story doesn't stop at Google. On the same day Google announced its results, a secretive startup called Oratomic simultaneously published its own Shor paper. This paper caused a sensation, eventually becoming the most voted-on paper on scirate[.]com (a site that ranks arXiv papers).

Oratomic's claims were astonishing. They built upon Google's logical optimizations and applied physical-layer optimizations tailored for neutral atoms, claiming that only 10,000 physical qubits would be sufficient to run Shor's algorithm on secp256k1. This number is incredibly low.

When the Oratomic paper came out, I knew almost nothing about neutral atoms. It piqued my interest, and I decided to delve into the technology. I dove deep, spending hundreds of hours. I became somewhat obsessed, watching every YouTube video I could find and talking to many experts.

My conclusion: this technology is very, very real. Even Google recently decided to build a neutral atom lab, a significant shift from its focus on superconducting qubits. If you care about Q-Day (the day a quantum computer breaks the first real-world encryption algorithm), neutral atoms are worth your attention. I shared some of my learnings on Shor and neutral atoms in a 30-minute talk at the ZKProof cryptography conference, which you can find by searching "zkproof neutral atom" on YouTube.

An interesting observation about these two groundbreaking papers: Neither Google nor Oratomic mentioned what their results mean for Q-Day. No timelines – zero – complete silence. This is particularly puzzling given that the entire point of white-hat quantum cryptanalysis is to inform Q-Day estimates and help the public make good decisions.

So, allow me to try and partially fill this silence, as Scott Aaronson did in his blog post on April 29th. Based on everything I know, including some scary information I cannot make public, I now estimate a 50% probability of Q-Day occurring before 2032. 10% before 2030.

As an aside, a piece of trivia: the US government has its own date: 2035. This date originated from the NSA and was later adopted by NIST, by which time all US government branches must stop using quantum-vulnerable cryptography. To put it bluntly: in hindsight, that date is a joke and should be completely disregarded. I don't think NIST can avoid being forced to adjust it forward by several years.

Part Three: Post-Quantum Cryptography

There are good reasons to sound the alarm today, but please do not panic. Migrating hastily to immature post-quantum cryptography would be a disaster. In my view, a good target date for migration is 2029, roughly three and a half years from now. 2029 is coincidentally also the date chosen by Google, Cloudflare, and the Ethereum Foundation.

Recently, most of my time has been dedicated to securely migrating Ethereum to post-quantum cryptography within the broader framework of "Lean Ethereum." There's much to be done. We need to remove and replace BLS signatures in the consensus layer, replace KZG commitments in the data layer, and replace ECDSA signatures in the execution layer.

The plan to achieve this is exciting, and it's based on hash-based cryptography. Within the Ethereum Foundation, we have built a Swiss Army knife called leanVM (github[.]com/leanEthereum/leanVM), powered by hash-based SNARKs. Thanks to truly outstanding work by Emile, Thomas, and others, the performance risk has been eliminated. In terms of security, leanVM is a gem – a streamlined zkVM built for end-to-end formal verification and extreme security.

Want to help? There are two million-dollar initiatives. First, the Proximity Prize (proximityprize[.]org). Solve an open mathematical conjecture in coding theory to improve hash-based SNARKs, and you'll become a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info), which offers a $1 million bounty for breaking Poseidon, a SNARK-friendly hash function.
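The "hash-based cryptography" that the post proposes as the replacement for ECDSA rests on nothing but the preimage resistance of a hash function, which Shor's algorithm does not touch. The following is an added illustration of the idea, not code from Justin Drake's post, from leanVM, or from any Ethereum Foundation project: a Lamport one-time signature over SHA-256, together with the failure mode a practitioner must design around (a key that signs more than one message leaks its secrets until forgery becomes trivial). Production schemes such as WOTS+/XMSS/SPHINCS+ exist precisely to manage that one-time property; the message strings and the 2-vs-20 reuse counts below are constructed for the demonstration.

```python
"""Lamport one-time signature (OTS): a minimal hash-based signature scheme.

Added illustration, not code from the post or the leanVM repo. Security rests
only on SHA-256 preimage resistance, which Shor's algorithm does not break;
Grover's search at most halves the effective bit strength, hence 256-bit digests.
"""
import hashlib
import secrets

N = 256  # digest length in bits: one (secret_for_0, secret_for_1) pair per bit


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def keygen(rng=secrets.token_bytes):
    """sk: 256 pairs of random 32-byte secrets; pk: the hash of every secret."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    """Digest of the message as a list of 256 bits, most significant bit first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret matching that bit's value."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Every revealed secret must hash to the public value for that bit."""
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


# --- Failure mode: the key is ONE-time. Each signature reveals half of the
# secrets; an attacker who observes several signatures under one key gathers
# enough of them to sign a message of their own choosing.

def recover_secrets(signed):
    """Attacker's view: secrets leaked by a list of (msg, sig) pairs under one key."""
    known = [[None, None] for _ in range(N)]
    for msg, sig in signed:
        for i, (s, b) in enumerate(zip(sig, _bits(msg))):
            known[i][b] = s
    return known


def forge(known, target_prefix: bytes, max_tries=10_000):
    """Search for a message starting with the attacker's prefix whose digest bits
    are all covered by leaked secrets; returns (msg, sig) or None if none found."""
    for ctr in range(max_tries):
        msg = target_prefix + b" #" + str(ctr).encode()
        sig = [known[i][b] for i, b in enumerate(_bits(msg))]
        if all(s is not None for s in sig):
            return msg, sig
    return None


def demo():
    """Honest use, a tampered message, and key reuse with 2 and 20 signatures."""
    sk, pk = keygen()
    msg = b"transfer 1 ETH to 0xabc"  # constructed sample message
    sig = sign(sk, msg)
    out = {
        "valid": verify(pk, msg, sig),
        "tampered": verify(pk, b"transfer 100 ETH to 0xabc", sig),
    }
    target = b"transfer all ETH to attacker"
    reused = [(b"tx %d" % i, sign(sk, b"tx %d" % i)) for i in range(20)]
    # Two signatures: about half the positions still hide one secret, so a
    # random message is fully covered with probability (3/4)^256; forgery fails.
    out["forged_after_2"] = forge(recover_secrets(reused[:2]), target)
    # Twenty signatures: a position stays partly hidden with probability 2^-19,
    # so almost every candidate message is fully covered; forgery succeeds.
    forged = forge(recover_secrets(reused), target)
    out["forged_after_20"] = forged
    out["forgery_verifies"] = forged is not None and verify(pk, forged[0], forged[1])
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v[0] if isinstance(v, tuple) else v)
```

The public key here is 16 KiB and a signature 8 KiB, which is why real hash-based designs compress keys with Merkle trees and chain secrets (WOTS+) instead of revealing one per bit; the one-time constraint, however, is inherent to the approach and is the operational property a migration plan has to account for.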
