Countdown to Quantum Breaking Bitcoin: 50% Probability Before 2032?
- Key takeaway: The threat that quantum computers pose to cryptographic systems such as cryptocurrencies (Q-Day) is accelerating. Breakthrough optimizations from Google and other research teams have sharply reduced the resources needed for an attack, and the probability of Q-Day by 2032 is now estimated at 50%, but migration to post-quantum cryptography must proceed carefully, without a hasty rush.
- Key points:
  - Google's optimization of Shor's algorithm for elliptic curve cryptography achieved a 10x performance improvement and, for the first time, used a zero-knowledge (ZK) proof to hide the underlying circuit details, drawing wide attention and renewed exploration from the academic community.
  - French expert André Schrottenloher rediscovered Google's core optimization only two months after the paper was published, and through the subsequent "Shor-at-home" collaborative challenge, hobbyists worldwide have already achieved an 8.4% improvement over Google's circuit.
  - The startup Oratomic claims that, with physical-layer optimizations for neutral-atom technology, only 10,000 physical qubits are needed to run Shor's algorithm on secp256k1, a figure far below earlier estimates; this technology path has already attracted Google's attention.
  - Author Justin Drake, drawing on both public and non-public information, predicts a 50% probability of Q-Day before 2032 and 10% before 2030, and regards the U.S. government's 2035 migration deadline as seriously behind the curve.
  - A reasonable target year for the post-quantum cryptography migration is 2029; the Ethereum Foundation is using the hash-based leanVM and SNARK technology to drive the secure replacement of existing signature and commitment schemes in the consensus, data and execution layers.
  - Two million-dollar public challenges are currently open: the Proximity Prize (solving a coding-theory conjecture) and the Poseidon Initiative (breaking a SNARK-friendly hash function), both meant to advance post-quantum cryptography.
Original content from Bitcoin security researcher Justin Drake
Compiled by Odaily Planet Daily, Qin Xiaofeng (@QinXiaofeng888)

Editor's Note: In March of this year, Google's quantum research team published a research paper stating that the resources required for a future quantum computer to break the elliptic curve cryptography protecting cryptocurrencies are far fewer than previously thought. The threat of quantum computing to cryptocurrencies quickly became a focus of discussion on foreign networks. Interestingly, the Google research paper did not fully disclose the underlying circuit details but instead, after communicating with the U.S. government, proved its estimation results through a zero-knowledge proof. This has led to numerous technical experts tirelessly attempting to crack the details of the original Google paper over the past few months.
On June 2nd, co-author of the Google quantum paper and Bitcoin security researcher Justin Drake stated that the probability of Q-Day occurring by 2032 is 50%, and by 2030 is 10%. (Odaily Note: Q-Day, short for Quantum Day, refers to the day when a quantum computer becomes powerful enough to break current mainstream global encryption technologies.)
The following is the original content, compiled by Odaily Planet Daily, Enjoy~
————————————
Today, the crazy quantum story gets even more bizarre.
On March 31st, the Google Quantum AI team published a milestone achievement regarding the application of Shor's algorithm to elliptic curve cryptography. Strictly speaking, the paper is a bombshell: it demonstrates a 10x performance improvement over the previous state-of-the-art. As a promotional hook and a wake-up call for the blockchain space, these optimizations were illustrated using the secp256k1 elliptic curve – the very curve underlying Bitcoin and Ethereum signatures.
But the most striking aspect of the paper might not be the technology, but its social impact. Instead of following standard academic processes, they kept these optimizations secret, hidden behind a zero-knowledge proof. The Google article mentions they "engaged with the U.S. government." This ZK proof demonstrates the algorithmic improvement without revealing any details. Using a zero-knowledge proof for academic review is unprecedented!
As a co-author of this Google paper, I have witnessed some of the background surrounding this review firsthand. Honestly, there are many elements behind it that make me uneasy. While I certainly believe the public deserves to know more, my channels for whistleblowing are limited. However, let me make one thing perfectly clear: the professionalism of the Google team was exemplary, and they deserve nothing but praise.
Censorship often backfires. The Streisand effect – attempting to suppress something only makes it more prominent – is playing out today. First, Google's key optimizations have already been rediscovered by a French researcher. In an even more exciting twist, a collaborative challenge called "Shor-at-home" has just been launched. The initiative's website is ecdsa[.]fail, and within hours of its launch, it shattered the world record for Shor's algorithm.
Part 1: 8.4% Performance Improvement
First, about this rediscovery. Just two months after the Google paper was published, French quantum expert André Schrottenloher cracked the core secret optimization. His paper, "Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms," went live on arXiv today. My warm congratulations to André, who beat out several other experts who were also deeply fascinated by and competing over this problem. In a blog post published today, global authority on Shor optimization Craig Gidney revealed that, due to censorship pressure, he had been sitting on this optimization for an entire year.
Interestingly, André missed a few minor micro-optimizations, which include both those initially disclosed by Google and some improvements discovered later. There are likely still significant gains to be had in Shor's algorithm, and this is precisely the focus of the ecdsa[.]fail challenge. The verification program developed for the ZK proof serves a dual purpose, automatically filtering valid submissions. Dozens of stacked small and micro-optimizations are emerging. At the time of writing, there is already an 8.4% improvement over the Google circuit, measured by the product of logical qubits and Toffoli gates. Nice!
The depth of this "solve-by-challenge" craze has exceeded anyone's expectations. Over the past few weeks, things have gone beyond the circle of André and other quantum experts. Behind the scenes, a small army of hobbyists has quietly gotten to work. Inspired by Karpathy-style autonomous research, they have applied AI to Shor's algorithm. Ironically, the verification program for that ZK proof has become an ideal reward function for AI. The low barrier to entry for this modern research style is refreshing; several non-experts, and even a teenager, have found decent optimizations. If you want to join a Telegram group with other autonomous researchers, feel free to contact me.
Part 2: Neutral Atoms and Q-Day
The story doesn't stop with Google. On the same day Google announced its results, a secretive startup named Oratomic simultaneously published its own Shor paper. This paper caused a sensation, eventually becoming the most voted-on paper on scirate[.]com, a site that ranks arXiv papers.
Oratomic's claims were stunning. Building on Google's logical optimizations and applying physical-layer optimizations tailored for neutral atoms, they claim that only 10,000 physical qubits are sufficient to run Shor's algorithm on secp256k1. This number is incredibly low.
When the Oratomic paper came out, I knew almost nothing about neutral atoms. It piqued my interest, so I decided to investigate the technology thoroughly. I dove in, spending hundreds of hours. I became somewhat obsessed, watching every YouTube video I could find and talking with many experts.
My conclusion: this technology is very, very real. Even Google recently decided to build a neutral atom lab, a significant shift from focusing on superconducting qubits. If you care about Q-Day (the day a quantum computer cracks the first real-world encryption algorithm), neutral atoms are worth your attention. In a 30-minute talk at the ZKProof cryptography conference, I shared some of what I learned about Shor and neutral atoms. You can find it on YouTube by searching "zkproof neutral atom."
An interesting observation about these two breakthrough papers: Neither Google nor Oratomic mentioned what their results imply for Q-Day. No timeline – zero – complete silence. This is particularly puzzling given that the entire purpose of white-hat quantum cryptanalysis is precisely to inform Q-Day estimates and help the public make good decisions.
Therefore, allow me to try and partially fill this silence, much like Scott Aaronson did in his blog post on April 29th. Based on everything I know, including some terrible information I cannot make public, I now estimate a 50% probability of Q-Day occurring before 2032, and 10% before 2030.
As an aside: the U.S. government has its own date: 2035. This date originated from the NSA and was later adopted by NIST, by which time all branches of the U.S. government must cease using quantum-vulnerable cryptography. To put it bluntly: in hindsight, that date is a joke and should be completely ignored. I do not believe NIST can avoid being forced to move it forward by several years.
Part 3: Post-Quantum Cryptography
There are ample reasons to sound the alarm today, but please do not panic. A hasty and reckless rush towards immature post-quantum cryptography would be a disaster. In my view, a good target date for migration is 2029, about three and a half years from now. 2029 is also the date selected by Google, Cloudflare, and the Ethereum Foundation.
Recently, most of my time has been dedicated to safely migrating Ethereum to post-quantum cryptography within the broader framework of "Lean Ethereum." There is much work to be done. We need to remove and replace BLS signatures in the consensus layer, replace KZG commitments in the data layer, and replace ECDSA signatures in the execution layer.
The plan to achieve this is exciting, and it's based on hash-based cryptography. Within the Ethereum Foundation, we have built a Swiss Army knife called leanVM (github[.]com/leanEthereum/leanVM), powered by hash-based SNARK algorithms. Thanks to the truly exceptional work by Emile, Thomas, and others, the performance risk has been eliminated. In terms of security, leanVM is a gem, a streamlined zkVM built for end-to-end formal verification and extreme security.
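To make concrete what "hash-based cryptography" means as a replacement for ECDSA, here is an added illustration (not leanVM code, and not the scheme the Ethereum Foundation has selected): a Lamport one-time signature over SHA-256, whose security rests only on hash preimage resistance rather than the elliptic-curve discrete logarithm that Shor's algorithm attacks. The function names, the 256-bit parameter and the sample messages are all constructed for this example; the last helper shows the caveat practitioners must handle, namely that each key may sign only once.

```python
import hashlib
import secrets

# Lamport one-time signature (illustrative). One secret pair per digest bit.
N = 256  # SHA-256 digest length in bits


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bit(digest: bytes, i: int) -> int:
    # Bit i of the digest, most-significant bit of each byte first.
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    # Secret key: 256 pairs of random 32-byte preimages (constructed here).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    # Public key: the hash of every preimage. Forging requires a hash preimage;
    # Shor's algorithm gives no speedup there, Grover's search at most halves
    # the bit security, which is why the field migrates towards hash-based schemes.
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    d = H(msg)
    # For each digest bit, reveal the preimage that bit selects.
    return [sk[i][bit(d, i)] for i in range(N)]


def verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == N and all(H(sig[i]) == pk[i][bit(d, i)] for i in range(N))


def fully_revealed_pairs(msgs) -> int:
    # The one-time caveat: every signature exposes half of the secret key.
    # Signing two different messages exposes both preimages wherever their
    # digests differ, so the key must never be reused. Returns how many of the
    # N pairs are fully exposed after signing all of msgs with one key.
    digests = [H(m) for m in msgs]
    return sum(1 for i in range(N) if len({bit(d, i) for d in digests}) == 2)
```

A stateful scheme (or a stateless construction layered on many one-time keys) is what turns this primitive into a practical signature; the reuse counter above is the property such a layer must guarantee.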
Want to help? There are two million-dollar initiatives. First, the Proximity Prize (proximityprize[.]org). Solve an open mathematical conjecture in coding theory to improve hash-based SNARKs, and you become a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info), offering a $1 million bounty for breaking Poseidon, a SNARK-friendly hash function.


