Thursday, May 29, 2025

The $740B Prize

Forty-two months ago I wrote The $65B Prize citing Divesh Aggarwal et al.'s 2019 paper Quantum attacks on Bitcoin, and how to protect against them. They noted that:
the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates.
It is time to re-visit the "optimistic estimates", so follow me below the fold.

NIST has been driving the standardization of post-quantum cryptography since 2016, and approved algorithms are now available. Google's Craig Gidney and Sophie Schmieg posted Tracking the Cost of Quantum Factoring:
The initial public draft of the NIST internal report on the transition to post-quantum cryptography standards states that vulnerable systems should be deprecated after 2030 and disallowed after 2035. Our work highlights the importance of adhering to this recommended timeline.
Gidney Figure 1
The point of Gidney and Schmieg's post and their paper is that:
2048-bit RSA encryption could theoretically be broken by a quantum computer with 1 million noisy qubits running for one week. This is a 20-fold decrease in the number of qubits from our previous estimate, published in 2019. Notably, quantum computers with relevant error rates currently have on the order of only 100 to 1000 qubits
They don't provide an estimate for Bitcoin's ECDSA but, like the attack on RSA, the quantum attack on ECDSA is a derivative of Shor's algorithm.

So there's nothing to worry about, right? NIST has specified the algorithms, quantum computers need to get 1000 times better before they can crack a single RSA key in a week, and NIST says we have 5 years before there's a problem.

At least as regards cryptocurrencies, I think this is a rather pessimistic estimate. The point of The $65B Prize was that at least Bitcoin's transition to post-quantum cryptography faced a particular problem:
Senator Everett Dirksen is famously alleged to have remarked "a billion here, a billion there, pretty soon you're talking real money". There are a set of Bitcoin wallets containing about a million Bitcoins that are believed to have been mined by Satoshi Nakamoto at the very start of the blockchain in 2008. They haven't moved since and, if you believe the bogus Bitcoin "price", are currently "worth" $65B. Even if you're skeptical of the "price", that is "real money".
I assume that the fact that Nakamoto's stash hasn't moved means that he no longer has access to the keys, either through death, destruction or accident. As I write, the stash is "worth" about $107B. I also assume that the stash is included in Chainalysis' estimate that:
about 20% of all Bitcoins have been "lost", or in other words are sitting in wallets whose keys are inaccessible. ... These coins need to be protected from theft by some public-spirited person with a "sufficiently large quantum computer" who can transfer them to post-quantum wallets he owns.
The point is that, without access to the keys for the vulnerable wallets, there is no way to transfer their contents to new wallets protected by post-quantum cryptography. Thus 20% of all Bitcoins or 4.2M BTC, currently "worth" almost $450B, is the reward for the first to build a "sufficiently powerful quantum computer". It is generally thought that VCs need to see the prospect of at least a 10x return on their investment, so that is enough for $45B of R&D.

There may now be a viable runner in this race. PsiQuantum is a Palo Alto-based startup that is building a million-qubit optical quantum computer. They had raised $1.2B by 2021 and "at least $750M this year" from investors including Nvidia. Their website claims:
In 2024, PsiQuantum announced two landmark partnerships with the Australian Federal and Queensland State governments, as well as the State of Illinois and the City of Chicago, to build its first utility-scale quantum computers in Brisbane and Chicago. Recognizing quantum as a sovereign capability, these partnerships underscore the urgency and race towards building million-qubit systems. In 2025, PsiQuantum will break ground on Quantum Compute Centers at both sites, where the first utility-scale, million-qubit systems will be deployed.
Investors have put in about $2B so far. They stand to make a notional 225x return just from Bitcoin, apart from all the other uses of a "utility-scale quantum computer".

But wait! There is an even better way to monetize a "sufficiently powerful quantum computer". Matt Levine has been writing about Crypto Perpetual Motion Machines for some time, for example:
MicroStrategy Inc. is, among other things, a proof of concept. The concept is: “If you buy $100 of Bitcoin and put it in a pot, you can slice the pot into shares and sell them for $200.” (MicroStrategy owns about $49 billion of Bitcoin and has a market capitalization of about $94 billion, because people will buy its shares for more than the value of the underlying Bitcoin.) This is a very appealing concept, because: free money! A “perpetual motion machine,” I sometimes call it: The more shares you sell, the more Bitcoin you can buy, and the more your shares are worth.
To do this you need a public company, but as Levine explains, they aren't expensive:
If you have a big pot of Bitcoin or Ethereum or Solana or Dogecoin or Trumpcoin or anything else, you should wrap it in a US public company and sell it to stock investors for twice its actual value. But to wrap it in a public company, you need a public company. There are only so many of those, and they are busy. If you called, like, Apple Inc. and said “hey we’d like to merge our big pot of Dogecoin with you so that our coins are worth more,” Apple would say no. The trick is to call a company that is (1) a public company but (2) only barely. Those companies’ phones are ringing off the hook.
So the monetization strategy for the owner of the first "sufficiently powerful quantum computer" is:
  1. Buy a cheap public company.
  2. Lend it enough money to pay for the quantum computer time to crack the keys of the 20% of frozen BTC.
  3. Transfer the 20% of BTC to post-quantum wallets.
  4. Announce that your company now controls 20% of BTC and can prove it by signing messages with the post-quantum keys of your wallets.
  5. Since MicroStrategy holds about 580K BTC and MSTR is valued at 1.6 times their "price", by analogy your 4.2M BTC would give your company's stock a "market cap" of around $740B.
  6. Now you use (Michael) Saylor's algorithm:
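    // btc_price() and borrow() are assumed to be supplied elsewhere
    float btc_price(void);      // Current BTC "price"
    float borrow(float amount); // Returns the cash raised

    void saylors_algorithm(void) {
        float btc = 4200000.0; // Initial HODL-ing
        float factor = 1.6; // Market Cap inflator
        float fraction = 1.0; // Fraction of Market Cap to use as collateral
        float over = 200; // % Over-collateralization
        while (factor > 1.0) {
            float price = btc_price();
            float pre_mkt_cap = btc * price * factor;
            // over is a percentage: 200% means borrowing half the collateral's value
            float cash = borrow((pre_mkt_cap * fraction) / (over / 100));
            btc += cash / price;
            // Each time round Market Cap increases by cap_gain
            float cap_gain = cash * factor;
        }
    }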
It is really hard to think of a better way to monetize a "sufficiently powerful quantum computer" than this way, with its at least 370x return!

You may think that the market is irrational in valuing MSTR at 1.6 times its BTC HODL-ings. But, Levine writes, that's small potatoes:
SharpLink’s planned $425 million stash of Ethereum is worth $2.5 billion on the stock market.

Note that SharpLink apparently doesn’t own any Ether. The investors are contributing $425 million in dollars, not Ethereum. This is not “we’ve got a stash of Ethereum and might as well sell it on the stock exchange”; it’s “man the stock exchange is paying $2 for $1 of Ethereum, we’d better do that arb.” Or, in this case, $6 for every $1 of Ethereum.
SharpLink is an el-cheapo public company that Consensys bought to run Saylor's algorithm. It is a shame that an actual pot of BTC isn't valued like a planned pot of ETH. If it were, the post-quantum company would be valued at around $2.8B, almost as much as AAPL. Levine takes this lesson:
This is not investment advice but honestly what am I doing with my life. Right now, if you have a few hundred million dollars lying around, you can buy any crypto you like with it, and the US stock market will give you an immediate 500+% paper profit. All you need — besides the startup cash — is a little public company to put your crypto in.
And, of course, you need to remember to cash out without crashing the stock price before someone with a "sufficiently powerful quantum computer" steals the little public company's stash. Helpfully, Levine suggests a way to do it:
In crypto, if you have magic beans that are currently priced at $1 billion, maybe someone will lend you $500 million of real money against them, with no recourse to you. In the stock market … look you’re going to have a hard time borrowing 50%, or 10%, of the market value of a 97% stake in a crypto treasury company whose market cap has increased 100,000% in a week, but, man, I would try.
We just have to hope that the current infatuation with crypto treasury companies lasts long enough for PsiQuantum to build the "sufficiently powerful quantum computer".

1 comment:

David. said...

It turns out that only some companies can successfully run Saylor's algorithm. Matt Levine discovers one that can't:

"Trump Media & Technology Group Corp., the company behind Truth Social, agreed to sell around $1.5 billion in stock and $1 billion in convertible bonds to buy Bitcoin for its treasury.

The company’s shares fell as much as 9.8% on Tuesday after rallying premarket following a Financial Times report on its plans to raise capital to spend on cryptocurrencies.
...
The investors agreed to buy stock at $25.72 per share, equal to Friday’s closing price; the stock closed yesterday at $23.05. Loosely speaking, $1.5 billion of Bitcoin at Trump Media is worth $1.34 billion to the stock market."

For Trump:

factor = 0.89;

I need to edit the pseudo code to read:

while (factor > 1.0) {