Disclaimer: This is not financial advice. Anything stated in this article is for informational purposes only and should not be relied upon as a basis for investment decisions. Triton may maintain positions in any of the assets or projects discussed on this website.
Crypto Compendium – Part XI - Quantum Computers: Theory or Threat?
Every year or two it seems like one of the tech giants announces a ‘game changing’ new breakthrough with their quantum computing efforts, most recently Google’s new superconducting Willow chip or Microsoft’s topological Majorana 1 chip. Inevitably, alarm bells or “I told you so’s” start popping up within the crypto and crypto-adjacent communities. Most often, this is accompanied by a short-term panic around why the latest quantum computing breakthrough obviously means that Bitcoin’s (and generally crypto’s) days are numbered; that quantum computing is an insurmountable and existential threat and as such, all crypto is going straight to zero.
So, that naturally begs the question – is that true?
Having worked closely with one of the big tech companies on their quantum computing strategy back in the day, this is another topic near and dear to your author’s heart, so let’s dive in.
What is Quantum Computing Anyway?
We’ll start from the top. Quantum computing is an exciting approach to computing that, if (medium-sized ‘if’) and when it becomes practical, essentially blows open the doors in terms of what computation and modeling will be capable of in certain domains. Conventional computers today use binary bits in order to perform calculations and generally have to process instructions in a sequential manner. To improve upon this, modern systems implement multiple cores and parallelization in order to boost speed and performance. This is why GPUs from companies like Nvidia are so powerful and heavily used in AI, gaming and other computation-heavy workloads – they consist of thousands of cores (e.g. over 20,000) designed for parallel processing and thus can handle tasks that a standard CPU simply cannot handle.
Quantum computers, on the other hand, take advantage of a few quantum mechanical properties (superposition, entanglement and interference) in order to build far more powerful computing units, called qubits. In essence, whereas CPUs and GPUs rely on classical bits that can only be either 0 or 1, a qubit can be in a state of 0, 1, or any linear combination of 0 and 1 at the same time. Because of this superposition, quantum computers can in theory perform certain calculations in seconds that would take a classical computer thousands, if not millions of years to perform. The technology is that powerful for specific use cases.
Source: Google
Now, quantum computers are likely never going to replace your desktop PC. They are highly specialized and incredibly expensive, requiring extensive supporting infrastructure just to establish and maintain the specific conditions necessary to enable qubits to work. How specialized? Well, Google’s quantum computers require the chips to be cooled down to sub-1 kelvin by a multi-tiered dilution refrigeration system. In the image below, just about everything you see is to cool and protect the chip; the actual chip itself would fit in the palm of your hand. For those who do not remember their high school chemistry, sub-1 kelvin is less than -272 degrees Celsius, or a few degrees colder than the deepest parts of outer space (2.7 K). Keep in mind, absolute zero – the lowest theoretical temperature possible – is 0 kelvin and the point where all thermal motion stops being possible.
Source: IOT World Today – good luck fitting that into a 13” MacBook
And whereas with classical computers you can pick them up and move them around while they continue to run with no problems, quantum computers have to be protected from electromagnetic noise and even cosmic rays collapsing their qubit states. Because these quantum mechanical phenomena are so difficult to establish, maintain and use in any truly deterministic way (overcoming this is a holy-grail-type field referred to as error correction and development of a fault-tolerant QC), it is incredibly difficult to perform calculations of real value today. Any headline you see about achieving quantum supremacy is based on an incredibly narrow, intentionally selected calculation specifically chosen to showcase the theoretical capabilities of a quantum computer.
While quantum computers are theoretically incredibly powerful in a future practical state, they are nowhere near being ready for prime time today. Development continues in earnest at the largest companies in the world as well as across dozens of startups; Google, Microsoft, IBM and Amazon, for example, all have long-running dedicated QC programs. Though proponents often claim fault-tolerant QCs are ‘just a few years away’, whether they will reach a state of true usefulness in 5 years or 20, if ever, is anyone’s guess.
All of that is to say: quantum computers are a very exciting development that have the potential to unlock amazing capabilities, but they are still several, at minimum, years away from being a practical reality.
Okay – Let’s Get to the Crypto Part
One rarely hears any consternation about what quantum computing means for their Citibank checking account or for their Visa card. But you regularly see headline stories suggesting quantum computing is an existential threat to Bitcoin. Why is that? Why is there so much fear specifically about what quantum computing means for crypto? In all honesty, most of that likely stems from a lack of understanding about why crypto may be at risk, and that is naturally coupled with the historical aversion that many have held (or even still do hold) against crypto more generally.
The truth is, should quantum computing break through tomorrow, almost every critical system that the world relies on today would be at risk, from your Gmail account to the US treasury and nuclear command and control systems. Encryption today relies on complex math problems that are nearly impossible for conventional computers to solve on any reasonable timeframe. Fault-tolerant quantum computers, on the other hand, can potentially break current encryption in just a few minutes. This is why the US and other governments around the world are actively working on developing ‘post-quantum’ encryption standards in order to future-proof systems against any possible quantum-computer-based cyber attacks. Once developed and finalized, one can expect systems around the world to start adopting these quantum-resistant standards.
This is relevant because crypto relies on the same encryption standards that the US government does, using algorithms like elliptic curve cryptography/ECDSA. And as such, because cryptocurrencies are simply software they can upgrade their cryptography to quantum-secure algorithms if and when they are ready and/or required. Importantly though, it is not as easy as just flipping a switch. Encryption is obviously core to ‘crypto’ and any upgrades will be extensive and complicated to implement, requiring major initiatives on both the technical side and far more importantly, on the social side. We mentioned in an earlier article on Bitcoin that the community is zealously defensive about any changes being made to the codebase and as such, any upgrade to something as profoundly important to Bitcoin as its core encryption algorithms will be taken incredibly seriously. These discussions are already happening, with debates about proposals like BIP-360 already well underway. Other chains like Ethereum and Solana are more nimble than Bitcoin and already have plans in motion to provide quantum security – Ethereum’s roadmap has quantum resistance laid out (e.g. lattice-based cryptography and now potentially via a new RISC-V replacement of the EVM) and the Solana community has begun implementing quantum secure aspects with Winternitz One-Time Signatures vaults. As such, we’ll largely focus on Bitcoin here.
Bitcoin’s Quantum Exposure
The crux of the exposure for most blockchain systems is the use of elliptic curve cryptography to manage addresses (specifically, ECDSA). Without going too deep, ECC is a very common, highly secure (against conventional computers) form of public key cryptography that relies on the use of a ‘trap-door’ function that is easily computable in one direction but computationally infeasible to reverse. That is, from a private key one can easily produce a public key, but from a given public key, it is infeasible for a classical computer to go the other direction and produce the associated private key. This form of cryptography is used by the US government, Apple’s iMessage, anonymous browsing with Tor, and enables core internet protocols such as DNS, SSL/TLS and HTTPS. In short, it touches just about everything. A quantum computer has the potential to easily break this, specifically using Shor’s Algorithm to turn this one-way trap door function into an easily reversible 2-way door. Said another way, with quantum computers, one can easily derive private keys from public keys.
For Bitcoin, address creation is generally a 4-step process (some differences depending on address type):
1. Generate a random number – this becomes the private key.
2. Derive the public key from the private key using elliptic curve cryptography (ECDSA).
3. Hash the public key (e.g. with SHA-256).
4. Apply a further hash to the result to produce the address.
The above process can change (and has changed) over time with upgrades such as Segwit and Taproot. Random number generation (step 1) remains a brute-force game, and QCs do not provide much pick-up there compared to conventional computers. Steps 3 and 4 change depending on which address type is used (e.g. Taproot uses Schnorr signatures), but this flow provides an adequate enough framework to use for now. While hashing functions (e.g. steps 3 and 4) like SHA-256 can be impacted by quantum computing, they are not under existential threat from it, as QCs only provide a quadratic speed-up here, not an exponential one. The core vulnerability lies around step 2 – deriving the public key using ECDSA.
For Bitcoin, this means that if someone has access to a fault-tolerant quantum computer and a specific public address (remember – one’s public address is derived from the public key of their key pair), they can derive the associated private key and thus have control over that Bitcoin. However, the address generation flow means that the public key itself is not visible on-chain until you spend from the address. Up to that point, only the relatively quantum-resistant, irreversible hash of the public key is visible.
Importantly, this is all just code and can be changed, as it has been in the past. To date, the derivation of the public key in step 2 has stayed constant (ECDSA) while steps 3 and 4 have been changed. Thus, to create a quantum-resistant system, step 2 will need to be revisited. That is exactly what the community is discussing currently in proposals like BIP-360, which introduces a Pay to Quantum Resistant Hash (P2QRH) output type that uses post-quantum signature algorithms. This would require a soft fork but would be relatively straightforward to implement once community consensus is reached.
So, what’s the problem?
Think of Bitcoin as being in 1 of 2 states: in an active transaction in the mempool or sitting idle.
Definitionally, because with current address types a public key must be revealed to use a Bitcoin in a transaction, any Bitcoin being transacted is at risk from a quantum attack as things currently stand. That attack has to happen after a transaction is submitted but before the transaction is mined (i.e. a very short window) and thus requires a more capable QC used in a targeted way. Every existing address type is at risk here, but quantum-resistant addresses as proposed would protect against this. As such, once upgraded to e.g. P2QRH, users are protected.
The idle Bitcoin poses a bigger problem.
Let’s break down Bitcoin users into 3 cohorts. Cohort 1 is active and upgrades their addresses to be quantum resistant. They will be fine and can carry on as is, no issues. Cohort 2 doesn’t upgrade immediately but keeps their Bitcoin in an unused previous generation of addresses (e.g. Segwit). Their public keys are not revealed until they transact and are thus okay as long as they remain hashed. But once revealed (e.g. during transaction broadcasting), they open themselves up to attack as described above. But until that point, they are okay to hold that BTC idle. Finally, Cohort 3 holds their BTC in a legacy address format (such as P2PK/P2PKH) or in a reused address. This is the problematic cohort.
Even though the community can change what address types are used on a go-forward basis, they have no control over the addresses that already exist. That means that unless every BTC in every address is moved to a new quantum-resistant address, there will be some that remain at risk of quantum exploit. This can be for a number of reasons, but most importantly, there are a lot of old, abandoned or lost coins in addresses that likely will never be upgraded. For example, because they have never been moved, all of Satoshi Nakamoto’s addresses are the legacy first-generation P2PK addresses, and as such, would be at risk. As this address type was widely used in the earliest days (at a time when people had plenty of Bitcoin but that Bitcoin was worth barely anything), there is a relatively high amount held in these types of addresses that is lost or inaccessible for any number of reasons. Some estimates put the total at-risk amount at around 2-6 million BTC (10-30%, or a few hundred billion dollars’ worth at current prices).
Source: BIP360
And that is the problem. The technical upgrade to the underlying system is easy enough. It is the social layer (i.e. past and present users) that presents the risk if they fail to upgrade the address type they use. And because there are so many addresses that have not, cannot, or will not upgrade, there is significant risk introduced to the network. Whichever entity creates the first capable QC will find a few-hundred-billion-dollar honey pot awaiting them as things currently stand.
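As an added example (not code from the article, BIP-360 or Bitcoin Core), the following Python runs steps 1 to 4 above on secp256k1 and then models which unspent outputs already expose an ECDSA public key on-chain, with one constructed output per cohort described above. It assumes SHA-256 in place of Bitcoin’s RIPEMD-160(SHA-256) address hash, a constructed ledger in place of real chain data, and represents a P2QRH-style output only as an opaque commitment.

```python
import hashlib, secrets
# secp256k1, the curve behind Bitcoin's ECDSA keys (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and a[1] != b[1]:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def pubkey_from_priv(priv):
    # Step 2: pub = priv*G via double-and-add. Cheap forward; inverting it is the
    # discrete-log problem that Shor's algorithm solves, hence the exposure.
    r, q = None, G
    while priv:
        if priv & 1:
            r = _add(r, q)
        q, priv = _add(q, q), priv >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")  # compressed, 33 bytes

def pubkey_hash(pub):
    # Steps 3/4, simplified: SHA-256 stands in for RIPEMD160(SHA256(pub)); quadratic speed-up only
    return hashlib.sha256(pub).digest()

def exposed_value(spends, utxos):
    """BTC whose ECDSA public key is already readable on-chain: P2PK scripts contain the
    key; hashed outputs are exposed once a spend from a reused address revealed the key;
    a P2QRH-style output carries no ECDSA key. `spends` lists the keys each spend revealed."""
    revealed_hashes = {pubkey_hash(pub) for tx in spends for pub in tx}
    return sum(u["value"] for u in utxos if u["type"] == "P2PK"
               or (u["type"] in ("P2PKH", "P2WPKH") and u["script"] in revealed_hashes))

def demo():
    """Constructed ledger (not real chain data), one output per cohort in the article."""
    k1, k2, k3 = (1 + secrets.randbelow(N - 1) for _ in range(3))  # step 1: random keys
    pubs = [pubkey_from_priv(k) for k in (k1, k2, k3)]
    utxos = [
        {"type": "P2PK",   "script": pubs[0],              "value": 50.0},  # cohort 3: key in script
        {"type": "P2PKH",  "script": pubkey_hash(pubs[1]), "value": 1.5},   # cohort 3: address reused
        {"type": "P2WPKH", "script": pubkey_hash(pubs[2]), "value": 2.0},   # cohort 2: still only hashed
        {"type": "P2QRH",  "script": b"<pq commitment>",   "value": 3.0},   # cohort 1: upgraded
    ]
    spends = [[pubs[1]]]  # an earlier spend from the reused address put its key on-chain
    return exposed_value(spends, utxos)  # 51.5: cohorts 1 and 2 are not exposed
```

Only the P2PK output and the reused hashed address count as exposed; the idle Segwit output stays protected by its hash until its owner spends from it.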
So, what to do?
That is the $500 billion question that the community is grappling with currently. Some argue that a soft fork is the path forward and that whatever happens to old coins, happens – a fully fault-tolerant QC capable of breaking Bitcoin’s elliptic curve is not yet possible, and still may turn out never to be (mathematical possibilities often do not turn into practical realities, after all). Others propose a hard fork that allows the network to outright burn the old or lost coins or to potentially recycle them to help support the network security budget (note: hard forks are incredibly difficult to gain consensus on). If the sound of any of those options makes you the reader balk, you’re in good company; these solutions rightfully do not sit well. After all, these actions either leave a big risk sitting there or blow a massive hole in the idea that Bitcoin is a truly self-sovereign digital store of value out of the reach of anybody on the planet. After all, if the community agrees to take and burn Satoshi Nakamoto’s own coins, what does that mean for you?
Conclusion
No doubt, this is a difficult dilemma to solve. The technical piece is relatively straightforward, but the social piece will be far trickier to finesse. As such, it is good that the debates are starting now, many years before any real threat from quantum emerges and before the point where the decision is forced to be made with undue haste. The game theory suggests that all stakeholders in Bitcoin will collectively reach a decision that best protects the long-term value of the network, and there is no reason to believe otherwise. But is this a guarantee? No, and there may be some less-than-ideal paths that must be taken. But much like the question as to whether quantum computers can actually ever break ECC, only time will tell.