To put this in context, we've had a string of improvements to Shor's algorithm that have put the horizon much closer. In 2022, people from Microsoft estimated that it would take more than 10M (physical) qubits to implement factoring. We're now standing at a 1000x improvement. It's still years away for sure, but who can be unhappy with all that progress?
I worked at a quantum computing company that builds superconducting QC chips (so, not really applicable to one of the “bombshells” from the article). My team was designing the software stack which allows to control the QC, run quantum jobs/algorithms, and calibrate the parameters.
I’ve made two attempts to explain the work we’ve been doing and to explain the current realistic state of the industry:
The company I left a few months ago is planning its IPO this year. Like almost all other quantum companies, it’s gonna be a SPAC merger, not a pure IPO. Those traded companies mentioned in the other comments are mostly SPACs as well.
Here's hoping that my stock for D-Wave ends up being worth something.
Quantum computing seems super cool, but I've been a little skeptical of it actually ever yielding anything useful. I would love to be wrong, it seems neat, and I have read through a few books on the subject and played with simulators, so I'm not completely talking out of my ass here, but quantum as a whole has kind of felt like vaporware to me.
As I said, I have stock in D-Wave, obviously it would be in my best interest for quantum to end up as cool as it seems.
I got some too. Obviously the principles behind quantum computing are perfectly sound. It's just those pesky engineering obstacles.
One of the companies around today or in the near future will be the one who makes it work at a practical scale. It will have enormous impact, but I think it will be a slow-burn kind of thing as making effective use of quantum computers will take a long time to evolve, IMHO.
Unfortunately, Google and IBM are also working on this stuff and they have deep pockets. They might do it, but even if they don't they may very well decide to acquire whoever does.
These stocks (IONQ, RGTI, QBTS, XNDU) are a sort of thinking-man's LOTTO ticket which will have its numbers called anytime within the next 5 to 20 years (probably closer to 20). I think they're worthwhile to hold in affordable quantities to see what happens. It might hit big, or it might fizzle out for a variety of reasons. There will also be some hype-driven market sugar-rushes along the way that are an opportunity to rake in a modest profit. This has happened already with IONQ, RGTI and QBTS earlier this year. It will certainly happen again when the patagonia-vest people get jazzed about something.
The P2SH precommitment approach is clever but the 24-hour latency concern is real. Wonder if you could batch rescue operations to amortize the delay, similar to how lightning channels batch settlements.
One thing I find rather amazing about all of this is the degree to which the Bitcoin community has tried, for years, to claim that quantum computers will be another other than a complete break.
Sure, it takes a pretty nice quantum computer or a pretty good algorithm or a degree of malice on the part of miners to break pay-to-script-hash if your wallet has the right properties, but that seems like a pretty weak excuse for the fact that the entire scheme is broken, completely, by QC.
Does there even exist a credible post-quantum proof protocol that could be used to “rescue” P2SH wallets?
Call me crazy, but I think if bitcoin is ever broken they're more likely to move to a centralized ledger than a more secure decentralized ledger. Roughly nobody invested in bitcoin cares about the original mission, they just care about their asset prices.
The best proposal I have heard for rescuing P2SH wallets after cryptographically relevant quantum computers exist is to require vulnerable wallets to precommit to transactions a day ahead of time. The precommitment doesn't reveal the public key. When the public key must be exposed as part of the actual transaction, an attacker cannot redirect the transaction for at least one day because they don't have a valid precommitment to point to yet.
You are assuming that progress on factoring will be smooth, but this is unlikely to be true. The scaling challenges of quantum computers are very front-loaded. I know this sounds crazy, but there is a sense in which the step from 15 to 21 is larger than the step from 21 to 1522605027922533360535618378132637429718068114961380688657908494580122963258952897654000350692006139 (the RSA100 challenge number).
Consider the neutral atom proposal from TFA. They say they need tens of thousands of qubits to attack 256 bit keys. Existing machines have demonstrated six thousand atom qubits [1]. Since the size is ~halfway there, why haven't the existing machines broken 128 bit keys yet? Basically: because they need to improve gate fidelity and do system integration to combine together various pieces that have so far only been demonstrated separately and solve some other problems. These dense block codes have minimum sizes and minimum qubit qualities you must satisfy in order for the code to function. In that kind of situation, gradual improvement can take you surprisingly suddenly from "the dense code isn't working yet so I can't factor 21" to "the dense code is working great now, so I can factor RSA100". Probably things won't play out quite like that... but if your job is to be prepared for quantum attacks then you really need to worry about those kinds of scenarios.
If QC gets to the point where breaking RSA and ECC in the real world is actually going to happen, I'd imagine you will find a consensus rather quickly.
This is a good question, and currently the answer is no. Quantum computers can only run very short, simple algorithms right now, because the qubits they're built out of are noisy. You need a lot of error correction, which the community is working on.
The thing is, unlike ordinary computers, quantum computers can factor numbers about as easily as they can multiply them. So as soon as they can multiply two large integers, they'll also be able to factor the result and break RSA encryption based on keys of that size.
This blog post gives a good sense of the state of the art and what progress might look like:
Maybe it's a good time to start promoting my 5 year old, lightweight, hand-crafted, battle-tested, quantum-resistant blockchain: https://capitalisk.com/
It's about 5000 lines of custom code. Crypto signature library written from scratch.
It's a very simple signature algorithm. They're welcome to try and crack it. If there is an issue with it, it shouldn't be hard to identify within those few hundred lines. Nobody found any issues in the last 5 years though.
Isn't it a good thing that there exists at least one blockchain in the world which isn't based on the same crypto library used by every other project? What if those handful of libraries have a backdoor? What if the narrative that "you shouldn't roll out your own crypto" is a psyop to get every project to depend on the same library in order to backdoor them all at once at some future date?
Strange how finance people always talk about hedging but in tech, nobody is hedging tech.
To be (an actual) hedge, something needs to be very solidly understood (by the purchaser), a very solid investment in its own right, and either reverse correlated or independently correlated specifically with a particular asset being hedged.
And not based on analysis of one "hedging" scenario, because both are going to be owned over a huge distribution of scenarios.
Probably the worst indicator of an investment being credible, is a promoter who has to stoop to the floor to ask "What's wrong with hedging?", as if that manipulative bon mot was ever in question, or was the relevant question.
If a motivated promoter can only make a very bad case, believe them.
And, if an "expert" attempts to get respect for their work from non-experts, instead of from other experts, there is something very wrong. Because the former makes no sense.
--
If you don't know how to get respect from experts, study more, and figure out how to trash what you have. Counterintuitive. But if you have anything original right, thats how to find it. Identify it. Purify it. And be in a better position to build again, with just a little more leverage, and repeat. Or communicate it clearly to someone qualified to judge it.
You won't have to persuade anyone.
If you have to persuade someone, either you don't have something, or you don't understand what you have well enough to properly identify and communicate it.
You have ambition. You have motivation. You have interest. You follow through and build. That is it. Don't stop. Ego derails ambition. Kill your darlings. Keep going.
Why would experts care about my product? There's no big money behind it. The big money has to come in first, then the experts come later to tell the big money whatever they want to hear. Maybe they want to hear the truth maybe not... Either way the paymaster always hears what they want.
Besides, I am an expert. I studied cryptography at university as part of my degree. I have 15 years of experience as a software engineer including 2 years leading a major part of a $300 million dollar cryptocurrency project which never got hacked... I know why the experts were not interested in my project and after careful analysis, I believe it has nothing to do with flaws in my work.
If anything, it might be because my project doesn't have enough flaws...
At this stage, I hope you're right. I hope I will find the flaws in my projects that I've been looking for after 5 years.
You are leaving something out then. Which you allude to.
Bravo on five years! I recently solved a problem that took me over 30. I originally thought, 3-5 months maybe, then 3-5 years, ... I am happy it didn't take 50.
Well apparently you know what you are doing, I am sure you have something.
I have found the best language models are great at attacking things. You may have already done that, but if not its worth a try. Free brutality.
ms paper: https://arxiv.org/abs/2211.07629
I’ve made two attempts to explain the work we’ve been doing and to explain the current realistic state of the industry:
1. A talk at PyCon: https://youtu.be/tT1YLP5T71Y
2. A free ebook “ Quantum Computing For Software Engineers” https://leanpub.com/quantum-computing-for-software-engineers
The company I left a few months ago is planning its IPO this year. Like almost all other quantum companies, it’s gonna be a SPAC merger, not a pure IPO. Those traded companies mentioned in the other comments are mostly SPACs as well.
Quantum computing seems super cool, but I've been a little skeptical of it actually ever yielding anything useful. I would love to be wrong, it seems neat, and I have read through a few books on the subject and played with simulators, so I'm not completely talking out of my ass here, but quantum as a whole has kind of felt like vaporware to me.
As I said, I have stock in D-Wave, obviously it would be in my best interest for quantum to end up as cool as it seems.
One of the companies around today or in the near future will be the one who makes it work at a practical scale. It will have enormous impact, but I think it will be a slow-burn kind of thing as making effective use of quantum computers will take a long time to evolve, IMHO.
Unfortunately, Google and IBM are also working on this stuff and they have deep pockets. They might do it, but even if they don't they may very well decide to acquire whoever does.
These stocks (IONQ, RGTI, QBTS, XNDU) are a sort of thinking-man's LOTTO ticket which will have its numbers called anytime within the next 5 to 20 years (probably closer to 20). I think they're worthwhile to hold in affordable quantities to see what happens. It might hit big, or it might fizzle out for a variety of reasons. There will also be some hype-driven market sugar-rushes along the way that are an opportunity to rake in a modest profit. This has happened already with IONQ, RGTI and QBTS earlier this year. It will certainly happen again when the patagonia-vest people get jazzed about something.
https://www.ibm.com/quantum/products
https://quantum.cloud.ibm.com/docs/en/guides/plans-overview
I have NOT used it, but the idea is interesting.
Sure, it takes a pretty nice quantum computer or a pretty good algorithm or a degree of malice on the part of miners to break pay-to-script-hash if your wallet has the right properties, but that seems like a pretty weak excuse for the fact that the entire scheme is broken, completely, by QC.
Does there even exist a credible post-quantum proof protocol that could be used to “rescue” P2SH wallets?
...probably some people would be very inconvenienced by this. But not as inconvenienced as having the coins stolen or declared forever inaccessible.
Who specifically is claiming this? Satoshi literally mentioned the need to upgrade if QC is viable on bitcointalk in 2010.
As far as I know quantum computers still can't even honestly factor 7x3=21, so you are good. And the 5x3=15 is iffy about how honest that was either.
https://news.ycombinator.com/item?id=45082587
Bitcoin uses 256-bit encryption, it's a universe away from 5x3=15.
Consider the neutral atom proposal from TFA. They say they need tens of thousands of qubits to attack 256 bit keys. Existing machines have demonstrated six thousand atom qubits [1]. Since the size is ~halfway there, why haven't the existing machines broken 128 bit keys yet? Basically: because they need to improve gate fidelity and do system integration to combine together various pieces that have so far only been demonstrated separately and solve some other problems. These dense block codes have minimum sizes and minimum qubit qualities you must satisfy in order for the code to function. In that kind of situation, gradual improvement can take you surprisingly suddenly from "the dense code isn't working yet so I can't factor 21" to "the dense code is working great now, so I can factor RSA100". Probably things won't play out quite like that... but if your job is to be prepared for quantum attacks then you really need to worry about those kinds of scenarios.
[1]: https://www.nature.com/articles/s41586-025-09641-4
Discussion on the Google one,
Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly
https://news.ycombinator.com/item?id=47582418
The thing is, unlike ordinary computers, quantum computers can factor numbers about as easily as they can multiply them. So as soon as they can multiply two large integers, they'll also be able to factor the result and break RSA encryption based on keys of that size.
This blog post gives a good sense of the state of the art and what progress might look like:
Why haven't quantum computers factored 21 yet? https://algassert.com/post/2500
It isn't...
It's about 5000 lines of custom code. Crypto signature library written from scratch.
That's a sentence every white hat cryptography enthusiast loves to hear lol.
Isn't it a good thing that there exists at least one blockchain in the world which isn't based on the same crypto library used by every other project? What if those handful of libraries have a backdoor? What if the narrative that "you shouldn't roll out your own crypto" is a psyop to get every project to depend on the same library in order to backdoor them all at once at some future date?
Strange how finance people always talk about hedging but in tech, nobody is hedging tech.
To be (an actual) hedge, something needs to be very solidly understood (by the purchaser), a very solid investment in its own right, and either reverse correlated or independently correlated specifically with a particular asset being hedged.
And not based on analysis of one "hedging" scenario, because both are going to be owned over a huge distribution of scenarios.
Probably the worst indicator of an investment being credible, is a promoter who has to stoop to the floor to ask "What's wrong with hedging?", as if that manipulative bon mot was ever in question, or was the relevant question.
If a motivated promoter can only make a very bad case, believe them.
And, if an "expert" attempts to get respect for their work from non-experts, instead of from other experts, there is something very wrong. Because the former makes no sense.
--
If you don't know how to get respect from experts, study more, and figure out how to trash what you have. Counterintuitive. But if you have anything original right, thats how to find it. Identify it. Purify it. And be in a better position to build again, with just a little more leverage, and repeat. Or communicate it clearly to someone qualified to judge it.
You won't have to persuade anyone.
If you have to persuade someone, either you don't have something, or you don't understand what you have well enough to properly identify and communicate it.
You have ambition. You have motivation. You have interest. You follow through and build. That is it. Don't stop. Ego derails ambition. Kill your darlings. Keep going.
Besides, I am an expert. I studied cryptography at university as part of my degree. I have 15 years of experience as a software engineer including 2 years leading a major part of a $300 million dollar cryptocurrency project which never got hacked... I know why the experts were not interested in my project and after careful analysis, I believe it has nothing to do with flaws in my work.
If anything, it might be because my project doesn't have enough flaws...
At this stage, I hope you're right. I hope I will find the flaws in my projects that I've been looking for after 5 years.
Bravo on five years! I recently solved a problem that took me over 30. I originally thought, 3-5 months maybe, then 3-5 years, ... I am happy it didn't take 50.
Well apparently you know what you are doing, I am sure you have something.
I have found the best language models are great at attacking things. You may have already done that, but if not its worth a try. Free brutality.