
Bitcoin Has 3 Years to Survive the Quantum Threat | Nic Carter
AI Summary
The assumption that there will be clear notice before "Q-Day"—the day a cryptographically relevant quantum computer (CRQC) emerges—is flawed. Unlike Y2K, there won't be a precise date; it will simply happen. Recent papers from Google and Oratomic indicate that Q-Day might arrive sooner and more abruptly than previously thought, posing a significant threat to Bitcoin.
Nic Carter expresses concern about Bitcoin's complacency, contrasting it with the Ethereum Foundation's proactivity in addressing quantum threats. The theme of the discussion is "saving Bitcoin," which requires substantial work. Bitcoin's governance, characterized by a preference for the status quo and resistance to change, is ill-suited to an existential threat with an uncertain timeline that requires total mobilization. Historically, Bitcoin's strength has been its immutability, but this now presents a weakness. The ecosystem has evolved to select for relentless optimists who ignore FUD, which makes it difficult to acknowledge and address an existential threat.
Michael Saylor, representing a segment of the Bitcoin community, dismisses quantum concerns as alarmism, trusting that core developers will eventually find a solution. However, this "process truster" mentality is inadequate for what is essentially a "wartime" scenario. Bitcoin developers themselves admit uncertainty about how consensus for sweeping changes would be achieved, and external input, even from major institutions, could be perceived as an attack.
Two recent papers, one from Google and one from Oratomic, are significant. They are not claims of having built a scaled quantum computer, but rather improved resource estimates for running Shor's algorithm to crack ECC256, the cryptographic algorithm underlying Bitcoin and parts of Ethereum. These papers suggest it might be easier to break ECC256 than previously thought. Google's paper notably did not publish the full circuit, providing only a ZK proof, suggesting a new era where such breakthroughs might be kept secret, similar to the self-censorship during the atomic bomb race. This indicates that some breakthroughs may not be public, and nation-states could be making advancements in secret.
The papers suggest an "abrupt" arrival of CRQCs, meaning little prior warning. This is due to the engineering nature of quantum computers: once error correction scales, logical qubits can be added rapidly. This implies that the current papers serve as the "notice" before actual attacks. The difference between a fast and slow "takeoff" of quantum capabilities is an engineering problem, more akin to AI scaling than fusion, though not as straightforward as AI's predictable scaling.
Quantum computing research involves numerous variables and six major modalities (e.g., superconducting qubits, neutral atoms), each with different trade-offs. Google's paper focused on superconducting qubits, while Oratomic's focused on neutral atoms. Google's method showed a 20x reduction in qubits needed for Shor's algorithm, potentially allowing an ECC key to be cracked in nine minutes. This enables "on-spend" or "short-range" attacks, where an attacker could intercept a Bitcoin transaction by cracking the public key and broadcasting a higher-fee transaction before confirmation. This completely changes the threat model, requiring the entire Bitcoin network to transition to a post-quantum regime *before* a CRQC is built. The Oratomic paper, focusing on neutral atoms, showed an even greater reduction (50x) in physical qubits required, making it particularly concerning as neutral atom systems are considered highly promising.
The two main attack vectors are:
1. **Long-range attacks:** Targeting exposed wallets, such as Satoshi's coins and other dormant coins whose public keys have been published. An attacker has infinite time to crack these.
2. **Short-range attacks:** Targeting all new transactions. When Bitcoin is spent, the public key is revealed, giving an attacker a window to crack the private key and steal the funds. This means the entire system must be post-quantum to protect against such attacks.
Proof-of-work is not considered a near-term problem, as Grover's algorithm only offers a quadratic speedup for hashing, making it an inefficient use of a CRQC.
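The long-range versus short-range distinction above comes down to one question per output: is the spending public key already visible on chain, or does it only appear in the spending transaction? The following classifier is an added example (not from the original talk); the script-type table encodes standard Bitcoin script templates as assumed here (P2PK and P2TR place the key in the output script, P2PKH and P2WPKH place only a hash there), and the UTXO records are constructed sample data.

```python
from dataclasses import dataclass

# Assumption: standard script templates. True means the public key is already
# in the scriptPubKey, so an attacker has unbounded time (long-range exposure).
KEY_VISIBLE_IN_OUTPUT = {
    "p2pk": True,     # raw public key in the output script
    "p2pkh": False,   # only HASH160(pubkey) until the output is spent
    "p2wpkh": False,  # same, SegWit v0
    "p2tr": True,     # x-only output key sits directly in the output script
}

@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_type: str
    value_sat: int
    key_revealed_by_prior_spend: bool  # address reused after an earlier spend

def exposure(utxo: Utxo) -> str:
    """'long-range': key is public now. 'short-range': key appears only when
    spent, so the attack window is the time until confirmation."""
    if utxo.script_type not in KEY_VISIBLE_IN_OUTPUT:
        raise ValueError(f"unknown script type: {utxo.script_type}")
    if KEY_VISIBLE_IN_OUTPUT[utxo.script_type] or utxo.key_revealed_by_prior_spend:
        return "long-range"
    return "short-range"

def exposure_report(utxos) -> dict:
    """Sum the value at risk in each exposure class, in satoshis."""
    totals = {"long-range": 0, "short-range": 0}
    for u in utxos:
        totals[exposure(u)] += u.value_sat
    return totals

# Constructed sample UTXO set (txids are placeholders, not real transactions).
SAMPLE_UTXOS = [
    Utxo("aa" * 32, 0, "p2pk", 5_000_000_000, False),   # early coinbase-style output
    Utxo("bb" * 32, 1, "p2pkh", 100_000_000, True),     # reused address, key already seen
    Utxo("cc" * 32, 0, "p2wpkh", 250_000, False),       # fresh address, hash only
    Utxo("dd" * 32, 0, "p2tr", 1_000_000, False),       # Taproot output key on chain
    Utxo("ee" * 32, 2, "p2pkh", 50_000, False),         # fresh address, hash only
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(f"{u.script_type:7} {u.value_sat:>13} sat  {exposure(u)}")
    print(exposure_report(SAMPLE_UTXOS))
```

Even the "short-range" class is only safe until it is spent, which is why the text concludes the whole network must move to post-quantum signatures before a CRQC exists.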
Google has accelerated its own quantum transition plans to 2029. Bitcoin, however, faces a slower timeline due to its governance structure and the complexity of the transition. The process involves agreeing on the necessity of the change, selecting cryptographic functions, determining how to implement changes (which lacks consensus in Bitcoin), migrating all existing addresses, and deciding the fate of unmigratable coins like Satoshi's. This could take five to ten years, likely pushing Bitcoin's transition beyond 2030.
Post-quantum signature schemes are also significantly less efficient, potentially reducing Bitcoin's transaction throughput. While lattice-based cryptography offers smaller signatures than hash-based alternatives, both are much larger than current elliptic curve signatures, leading to a 10x to 1000x increase in resource requirements. An offsetting block size increase would be necessary, and would be less controversial if the quantum threat were acknowledged.
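To put numbers on the signature-size problem, this added example (not part of the original talk) compares per-input witness bytes for today's ECDSA P2WPKH spend against published post-quantum parameter sets, then estimates how many inputs fit in a 4,000,000 weight-unit block and what block weight would be needed to keep throughput unchanged. Assumptions: signature and public key sizes are taken from FIPS 204 (ML-DSA-44), FIPS 205 (SLH-DSA-SHA2-128s/128f) and the Falcon-512 specification; the input weight model counts only the 41-byte non-witness input at 4 WU/byte plus witness bytes at 1 WU/byte, ignoring outputs and per-transaction overhead.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigScheme:
    name: str
    sig_bytes: int
    pubkey_bytes: int

    @property
    def witness_bytes(self) -> int:
        # A key-based spend must carry both the signature and the public key.
        return self.sig_bytes + self.pubkey_bytes

# Baseline: DER-encoded ECDSA signature (max 72 bytes) + compressed secp256k1 key.
ECDSA_P2WPKH = SigScheme("ECDSA secp256k1 (P2WPKH)", 72, 33)

# Assumed parameter sizes from the respective specifications.
PQ_SCHEMES = [
    SigScheme("Falcon-512", 666, 897),
    SigScheme("ML-DSA-44 (FIPS 204)", 2420, 1312),
    SigScheme("SLH-DSA-SHA2-128s (FIPS 205)", 7856, 32),
    SigScheme("SLH-DSA-SHA2-128f (FIPS 205)", 17088, 32),
]

MAX_BLOCK_WEIGHT = 4_000_000
INPUT_NON_WITNESS_BYTES = 41  # outpoint 36 + scriptSig length 1 + sequence 4

def input_weight(scheme: SigScheme) -> int:
    """Weight units for one input: non-witness bytes x4, witness bytes x1."""
    return 4 * INPUT_NON_WITNESS_BYTES + scheme.witness_bytes

def inputs_per_block(scheme: SigScheme) -> int:
    return MAX_BLOCK_WEIGHT // input_weight(scheme)

def witness_growth(scheme: SigScheme) -> float:
    """Per-input witness size relative to the ECDSA baseline."""
    return scheme.witness_bytes / ECDSA_P2WPKH.witness_bytes

def required_block_weight(scheme: SigScheme) -> int:
    """Block weight needed to fit as many inputs as the ECDSA baseline does."""
    return inputs_per_block(ECDSA_P2WPKH) * input_weight(scheme)

if __name__ == "__main__":
    print(f"{ECDSA_P2WPKH.name}: {ECDSA_P2WPKH.witness_bytes} B/input, "
          f"{inputs_per_block(ECDSA_P2WPKH)} inputs/block")
    for s in PQ_SCHEMES:
        print(f"{s.name}: {s.witness_bytes} B/input ({witness_growth(s):.1f}x), "
              f"{inputs_per_block(s)} inputs/block, "
              f"needs {required_block_weight(s) / 1e6:.1f} MWU for parity")
```

The lattice schemes land at roughly 15x to 35x the witness bytes of ECDSA and the hash-based ones at 75x to 160x, which is where the text's "offsetting block size increase" argument comes from.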
The deadline for Bitcoin is Q-Day, which, while uncertain, is expected by the early 2030s according to quantum computer builders and governments. The US government, for example, aims to upgrade critical functions by 2030. This implies upgrading well before Q-Day to prevent adversaries from storing encrypted data now and decrypting it later.
While some argue that CRQCs might never materialize or remain decades away, the expert consensus, including previously skeptical figures like Scott Aaronson, suggests it's primarily an engineering challenge, not a fundamental physics hurdle. Bitcoin's inherent paranoia, which once led it to build its own cryptographic implementations, is ironically absent in addressing this existential threat.
The lack of proactive response is attributed to institutional incentives. Core developers disclaim responsibility due to past legal harassment, creating a power vacuum and leading to a lack of updates. Individual holders, including large ones, deny the problem to avoid conveying weakness to the market. Michael Saylor's argument that "the cure could be worse than the disease" assumes a gradual notice period, which the Google paper explicitly refutes. Bitcoin's leaderless structure makes it challenging to coordinate a costly decision under uncertainty.
The transition requires settling on one or more signature schemes (e.g., parallel traditional and post-quantum signatures), with a gradual deprecation of elliptic curves. A major hurdle is deciding the fate of "Satoshi coins"—the 2.3 million Bitcoin associated with Satoshi Nakamoto, which are effectively lost and vulnerable to quantum attacks. Google's paper proposed four options: "do nothing," "burn," "hourglass" (slowing down dormant coins), and "bad sidechain" (moving them to a sidechain with a future claim mechanism).
Burning the Satoshi coins, while potentially increasing the value for existing holders through "reverse dilution," would fundamentally alter Bitcoin's immaculate supply schedule, undermining its core ideological project. However, institutions (custodians, exchanges, ETF providers) may strong-arm the community into supporting a fork where these coins are burned to protect their clients' assets from catastrophic loss. This would effectively "capture" Bitcoin, changing its ideological essence.
A more legalistic alternative, proposed by Nic Carter in his story "Trillion Dollar Salvage," involves a "salvage" approach similar to maritime law. A designated entity would salvage and hold the coins in trust for Satoshi, receiving a finder's fee, with the coins eventually reverting to the government if Satoshi never claims them. This avoids protocol-level changes but faces challenges in international governance, especially if an adversary nation acquires quantum capabilities first.
Ultimately, Nic Carter believes Bitcoin *can* and *will* survive, but it will be changed in the process, likely compromising its original ideology. The proactivity of Ethereum, which already has a roadmap and is actively working on the transition, serves as a positive example. A rallying ETH/BTC ratio could act as a price signal, forcing Bitcoin to adapt. For investors, this represents an opportunity for blockchains to demonstrate adaptability, though Bitcoin's current unwillingness to adapt is a concern for long-time holders.