Is the "Quantum Threat" Imminent, and How Much Time Does Bitcoin Have Left?

By: blockbeats|2026/04/01 13:00:04
Original Title: Bitcoin's quantum deadline just moved up
Original Author: Protos
Translation: Peggy, BlockBeats

Editor's Note: Recently, two quantum cryptography research efforts have significantly reduced the resources and time needed to break Bitcoin's underlying encryption, bringing this once-distant risk closer to reality.

Triggering this discussion were two papers released almost simultaneously the day before: one from the Google Quantum AI team and the other from the neutral atom quantum computing company Oratomic. Individually, each represents important progress; taken together, they have compressed different parts of the quantum computing stack, resulting in a "multiplicative" advancement.

From orders of magnitude in the millions to orders of magnitude in the tens of thousands, the rapidly decreasing attack thresholds are reshaping the market's perception of cryptographic security boundaries.

But another equally clear indicator is that the response is also advancing in parallel. From the Bitcoin community's post-quantum solution exploration to the migration timelines provided by tech institutions, a security overhaul around the "quantum era" is already underway.

Here is the original text:

This Monday, two research efforts on quantum cryptography drastically lowered the hardware threshold required to crack private keys associated with significant assets, including over a million bitcoins (BTC) held by Satoshi Nakamoto. Some believe that the time window for Bitcoin to transition to a post-quantum cryptographic system has been moved up by a full two orders of magnitude.

In other words, what these two research teams have brought about is a "multiplicative" rather than "additive" advancement. While they each tackled different aspects of the quantum computing system, their improvement effects are stacking up and amplifying each other.

In essence, the number of physical quantum bits required to break the elliptic curve signature scheme and recover the private key behind an exposed Bitcoin public key has plummeted from about 9 million to a minimum of about 10,000.

A whitepaper released by Google Quantum AI (co-authored with Stanford researcher Dan Boneh and Justin Drake from the Ethereum Foundation) pointed out that, using Shor's algorithm, solving the 256-bit elliptic curve discrete logarithm problem (ECDLP) in the Bitcoin protocol would require fewer than 1,200 logical quantum bits and 90 million Toffoli gates. On a superconducting quantum computer, this is equivalent to fewer than 500,000 physical quantum bits and can be accomplished in a matter of minutes. Google stated that this result represents an approximately 20-fold decrease from previous estimates.

A few hours later, Oratomic, founded by scholars from the California Institute of Technology and Harvard University, also announced its own breakthrough. The team adopted a new error correction strategy on "neutral atom" quantum hardware, enabling Shor's algorithm to reach the speed needed to crack a private key with only about 10,000 physical quantum bits. Using a faster variant, with approximately 26,000 quantum bits, it is possible to crack a Bitcoin private key using only the public key in about 10 days.

Meaning of the "Multiplicative Breakthrough"

Although the capabilities for private key cracking described in the two papers are still only achievable in the future, the progress of superconducting quantum computing has effectively magnified the impact of the neutral atom approach, creating a "multiplicative" relationship between the two. Therefore, the expected timeframe for when the relevant hardware will truly materialize has been accelerated by several years as a whole.

Previously, many Bitcoin security experts believed that the risk of attacking the BTC held by Satoshi Nakamoto would roughly occur in the 2030s or even the 2040s. However, these new technologies may advance this threat to within the next five years.

Generally, the total number of physical quantum bits required for a single quantum attack equals the number of logical quantum bits required by the algorithm multiplied by the number of physical quantum bits required per logical quantum bit (used for error correction). Error correction is a critical step in quantum computing because at such a microscopic physical state, the computation results themselves are highly uncertain.

Specifically, Google's research mainly compressed the first variable—the number of logical quantum bits. Through circuit optimization, the ECDLP-256 problem used by Bitcoin, which required about 2,330 logical quantum bits in 2017, has been reduced to fewer than 1,200.

Oratomic, on the other hand, compressed the second variable—the error correction overhead. Traditional surface codes usually require about 400 physical quantum bits to support 1 logical quantum bit; whereas Oratomic's lifted-product codes have increased the coding efficiency to close to 30%, reducing this ratio to about 10:1 and improving efficiency by about 160 times under the same error correction performance.

The previous best estimate came from Daniel Litinski's 2023 paper, suggesting that approximately 9 million physical quantum bits would be needed.

An encryption research institution summarized that since 2012, the scale of quantum operations required to crack ECC-256 has decreased by about five orders of magnitude:

2012: 1 Billion Physical Quantum Bits

2019: 20 Million

2025: Less than 1 Million

2026: Less than 25,000

Bitcoin Still Dealing with Quantum Risk

Ethereum researcher Justin Drake has significantly raised his estimate of the likelihood of a "cryptography breakthrough by 2032." He estimates that by that time, the probability of a quantum computer recovering the secp256k1 ECDSA private key from a leaked BTC public key will be at least 10%.

Currently, there are still millions of BTC (worth billions of dollars) stored in addresses vulnerable to quantum attacks. Around 1.7 million of them belong to early "pay-to-public-key" outputs, including mining rewards from the time of Satoshi Nakamoto.
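
An added example, not part of the original article: a Python sketch that sorts standard output scripts by whether the public key is already visible on-chain, which is the property that makes the pay-to-public-key outputs above exposed. It goes beyond the article by also covering hash-based and Taproot script types; the function names and all sample scripts and amounts are constructed for illustration.

```python
from typing import Optional

def classify_script_pubkey(script_hex: str) -> tuple[str, Optional[bool]]:
    """Return (script_type, key_exposed). True: public key is in the output
    itself. False: only a hash is published until the output is spent (a
    reused address has already revealed its key). None: needs manual review."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (0x02, 0x03)) or (n == 67 and s[1] == 0x04):
            return ("p2pk", True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("p2pkh", False)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return ("p2sh", False)
    # Witness v0 programs: key hash (20 bytes) or script hash (32 bytes)
    if n == 22 and s[:2] == b"\x00\x14":
        return ("p2wpkh", False)
    if n == 34 and s[:2] == b"\x00\x20":
        return ("p2wsh", False)
    # P2TR: OP_1 <32-byte x-only output key>, so the key is published directly
    if n == 34 and s[:2] == b"\x51\x20":
        return ("p2tr", True)
    return ("nonstandard", None)

def exposed_value(utxos):
    """Sum satoshis per script type for outputs whose key is already on-chain."""
    totals = {}
    for script_hex, sats in utxos:
        kind, exposed = classify_script_pubkey(script_hex)
        if exposed:
            totals[kind] = totals.get(kind, 0) + sats
    return totals

# Constructed sample outputs (placeholder key and hash bytes, made-up amounts).
SAMPLES = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000),  # uncompressed P2PK
    ("21" + "02" + "22" * 32 + "ac", 1_000),          # compressed P2PK
    ("76a914" + "33" * 20 + "88ac", 2_000),           # P2PKH
    ("0014" + "44" * 20, 3_000),                      # P2WPKH
    ("5120" + "55" * 32, 4_000),                      # P2TR
]

if __name__ == "__main__":
    print(exposed_value(SAMPLES))
```
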

In terms of mitigation, the proposed post-quantum signature scheme Bitcoin Improvement Proposal 360 (BIP 360) has yet to gain widespread consensus among the core developer community.

Meanwhile, work related to hard forking Bitcoin node software to introduce post-quantum resistance mechanisms is still actively progressing.

Quantum computing poses a potential threat to Bitcoin, but the industry has been proactive in response

Aggressive Timeline and Underlying Assumptions

Of course, these two papers themselves also come with reasonable caveats. Google did not publicly disclose its specific quantum circuit but instead validated the results through zero-knowledge proofs. Justin Drake also points out that Oratomic's findings rely on qLDPC encoding, which has not yet been validated at a large scale, warranting caution.

Furthermore, the nine authors of Oratomic are also shareholders in the company, which may leverage this media attention to drive funding, indicating that their research motivation may not be entirely neutral.

Moreover, the two papers are based on completely different hardware paths: Google assumes superconducting qubits, while Oratomic uses a neutral atom system. Simply overlaying the "optimal results" of both as a potentially achievable unified hardware product overlooks the immense complexity of underlying engineering implementations.

However, these factors have not changed a clearer trend: the threat of quantum computing to Bitcoin is advancing at an "accelerated monthly" pace. Google's internally proposed timeline of "completing the cryptographic system migration by 2029" itself indicates its serious assessment of this technological path.

At the policy level, progress is also being made in sync. The National Security Agency (NSA) has mandated that the national security system complete the transition to post-quantum algorithms by 2030; the National Institute of Standards and Technology (NIST) plans to have all U.S. government agencies completely eliminate encryption systems vulnerable to quantum attacks by 2035.
