Is there any field with as big of gap between theory and experiment than QC? You read papers like this and think they will be harvesting all Satoshi's coins in a couple years and then you remember that nobody has even factored 21 yet on a real quantum computer.
Retr0id 1 days ago [-]
Fusion power comes to mind.
nostrademons 1 days ago [-]
It's interesting, solar panels were in this category in the 1980s and self-driving cars were in the 2010s, and both have had the gap between theory and practice significantly narrowed since.
PowerElectronix 24 hours ago [-]
With fusion it's gonna be harder, I think. First you need to pump energy into it to get the fusion itself. This involves energising supermagnets, vacuum pumps and heating and controlling the plasma. We are not even here yet.
And once you get to that point, you need to harness the output energy of a million degrees plasma through something that yields a pretty high efficiency (so that pumping energy into the plasma is not only worthwhile, but makes financial sense) and requires a reasonably low maintenance.
I see fusion more practical as a rocket technology (which is just basically impossible) than as an actual energy facility asset.
tagrun 14 hours ago [-]
What big gap are you referring to that you believe exists between the theory of any quantum computing platform (which is device physics) and the experiment?
You seem to be conflating the theory with pitches to investors?
The number of qubits is increasing exponentially, and the error rates are getting lower.
People have factored numbers larger than 21 (not that Shor's algorithm is commonly used benchmarks by experimentalists at this point but people with little knowledge about quantum computers and device physics love it, https://link.springer.com/chapter/10.1007/978-3-032-12983-3_... did 221 and and in fact, you can do it yourself using Qiskit on IBM's publicly available devices [or on a local simulator for few qubits] following their tutorial https://qiskit.qotlabs.org/docs/tutorials/shors-algorithm if memory serves the largest instance for public is ibm_kingston with 156 qubits https://quantum.cloud.ibm.com/computers?limit=25&system=ibm_...) but it will take more time until we have millions of good qubits to harvest your Satoshis.
For the programmer folks here, as a physicists working on the device side of things for many years now, the best analogy I have is: we didn't get from a few hand-made vacuum tubes to billions of transistors with 18A manufacturing process overnight, and we won't get from hundreds to millions of better qubits overnight either. A realistic expectation would be thousands within this decade, but keep in mind that the growth has so far been exponential in various types of qubits, much like Moore's law, so reaching to millions of qubits shouldn't take us 10 millenia.
scorpionfeet 1 days ago [-]
Y2K
Oh wait: thousands of programmers started working on this in the early 90s so that there would be so few failures people thought it was a scam.
The entire financial and government infrastructure was based on ecdsa until the shift to pqc. The consequences of not preparing are literal threats to global economy. That can’t be understated. The cost to switch to (hybrid) pqc is essentially zero when compared to the costs for not doing it.
0xdeafbeef 20 hours ago [-]
Cost is 100+ times bigger signature size and more cpu usage. If you process several k per second it matters
scorpionfeet 20 hours ago [-]
Key is 2600 bytes for mldsa 87. Your fav icon is 10x bigger than that. Verify time and encapsulation is a few hundred microseconds for one verify and encaps. Your scary proportions are minuscule in practice. Even cortex m class can handle it. Not sure you have an argument when you put it up against a typical browser session. Plus 50% of all web traffic already uses pqc ciphersuites sooooo….
0xdeafbeef 13 hours ago [-]
I was thinking about transaction processing, eg visa/blockchain. And here storing and sending almost full packet for signature instead of 32 bytes matters. For sessions this shouldn't matter
scorpionfeet 4 hours ago [-]
Oh good point. Thanks. I don’t think about cryptocurrency at all. But yes the sigs are now 4.6k. Thats a huge block. Yeah that sure throws a wrench into blockchain. But the alternative is that blockchains based on ecdsa go away. Seems like a win to me. But I despise cryptocurrency.
xhkkffbf 1 days ago [-]
And it's worse than that. In order to "factor" 15=3x5, they designed the circuit knowing that the factors were three and five. In other words, they just validated it. And that's something you can do with a regular CPU.
jryio 1 days ago [-]
Here's an interesting discussion from Section 8 - Dormant Wallets:
If a nation state develops a sufficiently powerful quantum computer. Seizure of the Satoshi-era bitcoin wallets without post quantum protections would fund either rogue actors or nation states.
> Indeed, some governments will have the option of using CRQCs (or paying a bounty to companies) to acquire these assets (possibly to burn them by sending them to the unspendable OP RETURN address [321]) as a national security matter. As before, blockchain’s loss of the
ability to reliably identify asset owners combined with the laches doctrine [319] enables governments to argue that
the original owners, through years of inaction, have failed to assert their property rights
lifis 20 hours ago [-]
I don't think you can steal Bitcoin with a quantum computer because the blockchain only stores the 256-bit hash of the public key, so you need to reverse that, which costs 2^128 with grover's algorithm
tigereyeTO 19 hours ago [-]
You’re right that P2PKH addresses use the hashed public key, but there are other address types.
The very early days of Bitcoin had addresses created using the now-deprecated P2PK address variant—Pay To Public Key. These addresses are simple encoded secp256k1 public keys with no hashing.
There are still > 1.5 million BTC stored in P2PK UTXOs as of this post, all of which are up for grabs to the first person who can derive the private keys for the known public keys
PowerElectronix 1 days ago [-]
As soon as activity is detected and reasonably atributable to sha256 being broken, bitcoin goes to zero.
some_furry 1 days ago [-]
What?
Quantum computers don't break SHA256, nor would this attack be "reasonably attributable" to a SHA256 break.
In fact, if you have funds in a wallet that has never spent a transaction before (only received), it's still reasonably difficult for a CRQC to steal your funds. The trick is, the moment you've ever spent a transaction, now your public key is known (and therefore breakable).
(Yes, I'm aware of the literature on quantum search vs hash functions, but it's not a complete break like RSA or ECC.)
18 hours ago [-]
22 hours ago [-]
upofadown 23 hours ago [-]
You can save time by first looking at the required noise performance of these schemes. From the abstract of the paper:
>On superconducting architectures with 10−3 physical error rates...
So good old 0.1% noise performance again. That seems to have come from the "20 million noisy qubits to break RSA" scheme[1] from back in 2019. That level of noise performance is still wildly out of reach and for all we know might be physically impossible.
> [0.1% gate error rate] is still wildly out of reach
This is false. When Fowler et al assumed 0.1% gate error rates would be reached for his estimates in 2012 [0], that was ostentatious. Now it's frankly a bit overly conservative. All the big architectures are approaching or surpassing 0.1% gate error rates.
From 2022 to 2024, the google team improved mean two qubit gate error rate from 0.6% [1] to 0.4% [2]. Quantinuum's Helios has a two qubit gate error rate of 0.08% [3]. IBM has Heron processors available on their cloud service with two qubit gate error rates ranging from 0.2% to 0.7% [4]. Neutral atom machines have demonstrated 0.5% gate error rates [5].
> That level of noise performance is still wildly out of reach
It's only ~1 order of magnitude away from current capability. current gen QCs are around 1% gate error rate, and a decade ago SOTA was ~10% error rate, so if progress continues it should be achievable relatively soon.
api 23 hours ago [-]
People don't understand the exponential function.
Let's say you start adding water to a fish tank drop by drop, and double the number of drops each time. One drop, two, four, eight, and so on. When is the fish tank half full? When it's like 1/16 of the way full, or something like that.
Quantum Cryptanalysis feels like the Y2K problem all over again.
vibe42 1 days ago [-]
Will be pretty wild when mass migration of accounts begin.
The analytics of thousands of accounts sending tokens to new accounts. Better use a VPN a migrate on an unusual hour in your time zone :D
gosub100 1 days ago [-]
'Code is law' doesn't exclude quantum code.
jditu 1 days ago [-]
[flagged]
meling 1 days ago [-]
Call me when they have broken ECC with a real quantum computer.
alphager 21 hours ago [-]
That would be about 10-15 years after the moment it would have been wise to migrate to PQC. You won't have the time to migrate before breach when you start after ECC is broken.
nh23423fefe 1 days ago [-]
Why is your use case interesting?
rvz 1 days ago [-]
There is a $2T dollar use-case.
Rendered at 20:06:59 GMT+0000 (Coordinated Universal Time) with Vercel.
And once you get to that point, you need to harness the output energy of a million degrees plasma through something that yields a pretty high efficiency (so that pumping energy into the plasma is not only worthwhile, but makes financial sense) and requires a reasonably low maintenance.
I see fusion more practical as a rocket technology (which is just basically impossible) than as an actual energy facility asset.
You seem to be conflating the theory with pitches to investors?
The number of qubits is increasing exponentially, and the error rates are getting lower. People have factored numbers larger than 21 (not that Shor's algorithm is commonly used benchmarks by experimentalists at this point but people with little knowledge about quantum computers and device physics love it, https://link.springer.com/chapter/10.1007/978-3-032-12983-3_... did 221 and and in fact, you can do it yourself using Qiskit on IBM's publicly available devices [or on a local simulator for few qubits] following their tutorial https://qiskit.qotlabs.org/docs/tutorials/shors-algorithm if memory serves the largest instance for public is ibm_kingston with 156 qubits https://quantum.cloud.ibm.com/computers?limit=25&system=ibm_...) but it will take more time until we have millions of good qubits to harvest your Satoshis.
For the programmer folks here, as a physicists working on the device side of things for many years now, the best analogy I have is: we didn't get from a few hand-made vacuum tubes to billions of transistors with 18A manufacturing process overnight, and we won't get from hundreds to millions of better qubits overnight either. A realistic expectation would be thousands within this decade, but keep in mind that the growth has so far been exponential in various types of qubits, much like Moore's law, so reaching to millions of qubits shouldn't take us 10 millenia.
Oh wait: thousands of programmers started working on this in the early 90s so that there would be so few failures people thought it was a scam.
The entire financial and government infrastructure was based on ecdsa until the shift to pqc. The consequences of not preparing are literal threats to global economy. That can’t be understated. The cost to switch to (hybrid) pqc is essentially zero when compared to the costs for not doing it.
If a nation state develops a sufficiently powerful quantum computer. Seizure of the Satoshi-era bitcoin wallets without post quantum protections would fund either rogue actors or nation states.
> Indeed, some governments will have the option of using CRQCs (or paying a bounty to companies) to acquire these assets (possibly to burn them by sending them to the unspendable OP RETURN address [321]) as a national security matter. As before, blockchain’s loss of the ability to reliably identify asset owners combined with the laches doctrine [319] enables governments to argue that the original owners, through years of inaction, have failed to assert their property rights
The very early days of Bitcoin had addresses created using the now-deprecated P2PK address variant—Pay To Public Key. These addresses are simple encoded secp256k1 public keys with no hashing.
There are still > 1.5 million BTC stored in P2PK UTXOs as of this post, all of which are up for grabs to the first person who can derive the private keys for the known public keys
Quantum computers don't break SHA256, nor would this attack be "reasonably attributable" to a SHA256 break.
In fact, if you have funds in a wallet that has never spent a transaction before (only received), it's still reasonably difficult for a CRQC to steal your funds. The trick is, the moment you've ever spent a transaction, now your public key is known (and therefore breakable).
(Yes, I'm aware of the literature on quantum search vs hash functions, but it's not a complete break like RSA or ECC.)
>On superconducting architectures with 10−3 physical error rates...
So good old 0.1% noise performance again. That seems to have come from the "20 million noisy qubits to break RSA" scheme[1] from back in 2019. That level of noise performance is still wildly out of reach and for all we know might be physically impossible.
[1] https://arxiv.org/abs/1905.09749
This is false. When Fowler et al assumed 0.1% gate error rates would be reached for his estimates in 2012 [0], that was ostentatious. Now it's frankly a bit overly conservative. All the big architectures are approaching or surpassing 0.1% gate error rates.
From 2022 to 2024, the google team improved mean two qubit gate error rate from 0.6% [1] to 0.4% [2]. Quantinuum's Helios has a two qubit gate error rate of 0.08% [3]. IBM has Heron processors available on their cloud service with two qubit gate error rates ranging from 0.2% to 0.7% [4]. Neutral atom machines have demonstrated 0.5% gate error rates [5].
[0]: https://arxiv.org/abs/1208.0928
[1]: fig 1c of https://arxiv.org/pdf/2207.06431
[2]: fig 1b of https://arxiv.org/pdf/2408.13687
[3]: https://arxiv.org/abs/2511.05465
[4]: https://quantum.cloud.ibm.com/computers?processorType=Heron (numbers may vary as the website is not static)
[5]: https://arxiv.org/abs/2304.05420
It's only ~1 order of magnitude away from current capability. current gen QCs are around 1% gate error rate, and a decade ago SOTA was ~10% error rate, so if progress continues it should be achievable relatively soon.
Let's say you start adding water to a fish tank drop by drop, and double the number of drops each time. One drop, two, four, eight, and so on. When is the fish tank half full? When it's like 1/16 of the way full, or something like that.
The analytics of thousands of accounts sending tokens to new accounts. Better use a VPN a migrate on an unusual hour in your time zone :D