Tuesday, April 28, 2026

Dormant Digital Assets

PsiQuantum's computer
Four and a half years ago I wrote The $65B Prize about the potential reward for developing a "sufficiently powerful quantum computer" capable of cracking Bitcoin's encryption. It was based on work by Aggarwal et al, who were then projecting it would happen between 2029 and 2044. The $65B was the notional value of the wallet containing the million Bitcoin Satoshi Nakamoto mined originally. But I noted that:
Chainalysis estimates that about 20% of all Bitcoins have been "lost", or in other words are sitting in wallets whose keys are inaccessible. That is around another 3.6 million stranded Bitcoin or at the current "price" about $234B.
So the potential prize was almost $300B.

Nearly a year ago I followed up with The $740B Prize. There are two reasons why the prize was then bigger but is now smaller than that:
  • Bitcoin's "price" had then increased from about $65K to around $107K, but it is now around $76K.
  • Because the "market cap" of Michael Saylor's Strategy was 1.6 times the "market cap" of its stash of Bitcoin, it was possible to use Saylor's algorithm to amplify the prize. But the factor has decreased from 1.6 to 0.81, so the algorithm no longer works.
But the threat to Bitcoin, and other cryptocurrencies, is far worse than I described in either of these two posts. The date is closer and the range of threats much broader. Follow me below the fold for the details.

Ryan Babbush and eight co-authors' 57-page Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations is a comprehensive overview of, and an improvement to, the state of the art in Cryptographically Relevant Quantum Computers (CRQC), that is quantum computing applied to breaking the Elliptic Curve Discrete Logarithm Problem (ECDLP) underlying the cryptography used by most cryptocurrencies:
This whitepaper seeks to elucidate specific implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and potential mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem over the secp256k1 curve, the core of modern blockchain cryptography. We demonstrate that Shor’s algorithm for this problem can execute with either ≤ 1200 logical qubits and ≤ 90 million Toffoli gates or ≤ 1450 logical qubits and ≤ 70 million Toffoli gates. ... On superconducting architectures with 10^-3 physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between “fast-clock” (such as superconducting and photonic) and “slow-clock” (such as neutral atom and ion trap) architectures. ... We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling mechanism, as well as the enduring concern of “abandoned” assets.
They identify three classes of attacks that such a CRQC would enable:
  • On-Spend Attacks: Attacks targeting transactions in transit. When a blockchain user broadcasts a transaction, an attacker must derive the private key within the window of time allowed before the transaction is recorded on the blockchain. This requires a quantum computer fast enough to solve ECDLP within the transaction settlement time of the target blockchain which ranges from hundreds of milliseconds to a few minutes (e.g., about 400 milliseconds for Solana, about 12 seconds for Ethereum, about 10 minutes on average for Bitcoin). On-spend attacks are also known as “short-range” or “just-in-time” attacks.
  • At-Rest Attacks: Attacks targeting public keys that remain exposed onchain or offchain for long periods of time, such as dormant wallets with reused keys. The attacker has days (or more) to derive the private key. At-rest attacks are also known as “long-range” or “long-exposure” attacks.
  • On-Setup Attacks: Attacks targeting fixed public protocol parameters that produce a universal reusable backdoor into a cryptographic protocol. The backdoor is created by means of a one-time off-line quantum computation on a CRQC and subsequent attacks utilizing it are executed on a classical computer. For example, an on-setup attack may involve the use of Shor’s algorithm to recover the so-called “toxic waste” discarded in a powers-of-tau trusted setup ceremony. While the Bitcoin blockchain is immune to on-setup attacks, some scaling solutions, such as Ethereum’s Data Availability Sampling mechanism, and privacy protocols, such as Tornado Cash, are vulnerable to this especially insidious attack mode.
Some quantum computer architectures will be capable of all three, but some will not be fast enough for On-Spend attacks:
The resource estimates we describe below indicate that superconducting, photonic, and silicon spin qubit CRQCs, with their fast gates and short quantum error correction cycles, will be able to solve ECDLP in the span of a few minutes and thus, to launch on-spend attacks. By contrast, the elementary operations on neutral atom and ion trap devices are about two to three orders of magnitude slower. As a consequence, we do not expect CRQCs in these slower architectures to be able to launch on-spend attacks. We will refer to the former as fast-clock CRQCs and to the latter as slow-clock CRQCs.
Babbush et al Fig. 1
There have been major improvements in both hardware and software since the previous estimates. In particular, software:
We are reporting here that our team has developed logical circuits to break ECDLP on elliptic curves over finite fields with n-bit prime modulus and n-bit group order requiring approximately 4.5n space. ... At n = 256 bits, the circuits use either 1200 logical qubits and 90 million Toffoli gates or 1450 logical qubits and 70 million Toffoli gates. In terms of the spacetime volume (a key resource which in particular drives the quantum error correction overhead), these estimates represent roughly an order of magnitude improvement over the most efficient prior work when applied to a single ECDLP instance. ... Our findings apply directly to ECDLP on secp256k1 — an elliptic curve widely used in digital signatures on popular blockchains, such as Bitcoin and Ethereum.
And hardware design:
The physical resource estimates we have discussed here (e.g., half a million physical qubits) assume relatively benign hardware capabilities, such as a planar architecture with degree-four connectivity and 10^-3 physical gate error rates (i.e., consistent with a scaled up version of Google’s quantum processors that have been demonstrated experimentally). More aggressive hardware assumptions — such as the “bicycle” architecture used for 2-gross qLDPC codes — could drop qubit counts closer to one hundred thousand physical qubits, but this approach requires non-local degree-seven connectivity that has yet to be demonstrated in actual superconducting qubit devices.
There are now many companies trying to turn the designs into working fast- and slow-clock hardware:
Google Quantum AI, IBM Quantum, Amazon, D-Wave, Rigetti and IQM are developing superconducting qubit architectures; PsiQuantum and Xanadu are building photonic quantum computers while Diraq and Intel are working on spin qubit devices. ... Simultaneously, many companies, including IonQ, Quantinuum (a subsidiary of Honeywell) and Alpine Quantum Technologies are pursuing ion trap quantum processors while others, such as QuEra, Infleqtion, Atom Computing, Pasqal, and Logiqal are developing neutral atom devices.
Babbush et al thus argue that, if the first CRQC is fast-clock, all three attack types will arrive simultaneously:
These facts imply that a superconducting CRQC capable of performing at-rest attacks against static holdings recorded on the blockchain would likely also be capable of executing on-spend attacks against active transactions. As we discuss in more detail later on, we do not expect meaningful scaling challenges between a quantum computer with 1200 logical qubits and one with 1450, so, in order to focus and simplify subsequent discussion, we assume that first-generation fast-clock CRQCs may be able to solve ECDLP on secp256k1 and similar elliptic curves in about 9 minutes on average.
A major problem with current techniques for stealing cryptocurrency is that the proceeds need to be rapidly laundered because the thefts are detectable. But if the contents of a vulnerable wallet move to an invulnerable one, it is likely that the "owner" of the private key was taking a sensible precaution, not that some CRQC cracked the key. This is especially true of dormant assets; no-one is watching the wallet.

Although the paper's analysis of On-Spend and Setup attacks is fascinating and important, much of this post will focus on the At-Rest attacks on Bitcoin that my previous posts discussed. Babbush et al summarize the problem:
Dormant digital assets, including those abandoned or inaccessible due to lost private keys, pose a distinct and critical challenge. We highlight the example of Bitcoin’s Pay-to-Public-Key (P2PK) locking scripts, which secure over 1.7 million BTC. The total amount of dormant quantum-vulnerable bitcoin may reach 2.3 million BTC when all script types are considered. Unlike active wallets that can migrate to new standards, dormant assets cannot be “fixed” via forks that enable PQC protocols for future transactions. They represent a fixed target — tens or hundreds of billions of dollars in value that will eventually become accessible to a quantum attacker. The community will soon face difficult, unprecedented decisions regarding the fate of these assets, forcing tradeoffs between the immutability of cryptographic property rights and the economic stability of the network.
Babbush et al Fig. 4
Bitcoin wallets are vulnerable to an At-Rest attack if their public ECDSA key is visible on the blockchain. Over time, the way that transactions are encoded on the blockchain, the "scripts", has evolved. Babbush et al's Figure 4 shows this evolution.

A transaction contains an unlocking script, proving that the private key owns the wallet, and a locking script that transfers coins to the recipient. Some script types reveal the public key and are thus vulnerable to an At-Rest attack, some reveal only its hash and are thus immune unless the script is re-used.

Babbush et al Fig. 5
Babbush et al's Figure 5 shows the numbers of Bitcoin secured by the various script types. The shaded areas represent the script types that are vulnerable to At-Rest attacks as soon as any type of CRQC exists. A little over 1.7M BTC (~$130B) are vulnerable even if the script has not been re-used, around another 5.2M BTC are vulnerable if the script has been re-used. Thus the total at risk is currently "worth" around $525B.
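To make the distinction in the two paragraphs above concrete, here is an added example (my own code, not from the post or from Babbush et al) that parses standard Bitcoin output scripts, reports whether each one already exposes a public key on-chain or only a hash, and totals a constructed set of outputs into the buckets of Figure 5. The sample outputs, key bytes and BTC amounts are constructed, not real chain data.

```python
# Classify Bitcoin scriptPubKeys by at-rest exposure of the public key.
OP_0, OP_1, OP_PUSHDATA1 = 0x00, 0x51, 0x4C
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0xA9, 0x87, 0x88
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE

def parse_script(script: bytes) -> list:
    """Split a script into opcodes (int) and pushed data (bytes).
    Handles direct pushes (1..75 bytes) and OP_PUSHDATA1, which covers
    every standard output type considered here."""
    items, i = [], 0
    while i < len(script):
        op = script[i]; i += 1
        if 1 <= op <= 75:
            items.append(script[i:i + op]); i += op
        elif op == OP_PUSHDATA1:
            n = script[i]; items.append(script[i + 1:i + 1 + n]); i += 1 + n
        else:
            items.append(op)
    return items

def is_pubkey(d) -> bool:
    """SEC-encoded secp256k1 point: 33 bytes (02/03 prefix) or 65 bytes (04)."""
    return isinstance(d, bytes) and (
        (len(d) == 33 and d[0] in (2, 3)) or (len(d) == 65 and d[0] == 4))

def is_push(d, n: int) -> bool:
    return isinstance(d, bytes) and len(d) == n

def classify(spk: bytes) -> tuple:
    """Return (script type, exposure). 'key': a public key is on-chain now.
    'hash': only a hash is on-chain until the address is spent from."""
    it = parse_script(spk)
    if len(it) == 2 and is_pubkey(it[0]) and it[1] == OP_CHECKSIG:
        return "P2PK", "key"
    if len(it) == 5 and it[0] == OP_DUP and it[1] == OP_HASH160 \
            and is_push(it[2], 20) and it[3:] == [OP_EQUALVERIFY, OP_CHECKSIG]:
        return "P2PKH", "hash"
    if len(it) == 3 and it[0] == OP_HASH160 and is_push(it[1], 20) and it[2] == OP_EQUAL:
        return "P2SH", "hash"
    if len(it) == 2 and it[0] == OP_0 and (is_push(it[1], 20) or is_push(it[1], 32)):
        return ("P2WPKH" if len(it[1]) == 20 else "P2WSH"), "hash"
    if len(it) == 2 and it[0] == OP_1 and is_push(it[1], 32):
        return "P2TR", "key"   # taproot output key is an x-only pubkey, visible
    if len(it) >= 4 and it[-1] == OP_CHECKMULTISIG and all(is_pubkey(k) for k in it[1:-2]):
        return "P2MS", "key"   # bare multisig lists every key in the output
    return "unknown", "unknown"

def at_rest_vulnerable(spk: bytes, spent_from_before: bool) -> bool:
    """Key-revealing scripts are exposed immediately; hash-revealing ones only
    once the address was reused (a prior spend put the key in an unlocking script)."""
    _, exposure = classify(spk)
    return exposure == "key" or (exposure == "hash" and spent_from_before)

def tally(utxos) -> dict:
    """Sum BTC into the three buckets of the paper's Figure 5."""
    b = {"exposed_now": 0.0, "exposed_if_reused": 0.0, "not_exposed": 0.0}
    for spk, value, reused in utxos:
        exposure = classify(spk)[1]
        key = "exposed_now" if exposure == "key" else ("exposed_if_reused" if reused else "not_exposed")
        b[key] += value
    return b

# Constructed sample outputs (dummy keys and hashes, not real chain data).
PUBKEY65, H160 = bytes([0x04]) + bytes(range(1, 65)), bytes(20)
SAMPLE_UTXOS = [
    (bytes([65]) + PUBKEY65 + bytes([OP_CHECKSIG]), 50.0, False),  # early-era P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + H160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 3.0, True),  # reused P2PKH
    (bytes([OP_0, 20]) + H160, 1.5, False),                         # fresh P2WPKH
    (bytes([OP_1, 32]) + bytes(32), 2.0, False),                    # P2TR
]
```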

As I have been writing, the part of the problem that cannot be solved by upgrading to post-quantum cryptography is what Babbush et al call "Dormant Digital Assets":
Inevitably, some vulnerable assets will not migrate to post-quantum protocols in time or possibly ever, perhaps because their owners do not learn of the threat until it is too late or perhaps because they have lost their private keys. The Ethereum blockchain’s contract accounts present similar long-tail migration issues. Thus, in addition to planning and executing upgrades to cryptographic protocols, each cryptocurrency community also faces challenges regarding quantum-vulnerable assets and smart contracts that may linger on public blockchains for an extended or indefinite period of time.

Despite lack of unambiguous precedent, many jurisdictions could classify accessing abandoned cryptographic assets, such as the P2PK coins, without authorization as theft. However, we maintain that if protocol changes are not made, vulnerable assets will eventually be cracked by quantum computers and taken irrespective of the law. In the absence of a clear resolution, these assets are likely to become a lucrative target for bad actors. We quantify the scale of some of the dormant assets at stake in Figure 13.
Babbush et al Fig. 13
After all, "code is law". The total is about 2.3M BTC "worth" about $175B. It might take months (fast-clock) or years (slow-clock) for a single CRQC to compromise the wallets with the 1.7M BTC. Of course, the attackers would choose the wealthiest wallets first, working left-to-right across Figure 13, and there is no reason to assume that they would only have a single CRQC, so the bulk of the loss would happen more quickly.

Bitcoiners have identified three responses to the problem that they could take, if it were possible to achieve consensus on which:
  • Do Nothing: accept that the 2.3M BTC would be stolen and become part of the circulating supply, thus putting downward pressure on the "price".
  • Burn: implement a soft-fork that renders the content of vulnerable wallets unspendable after a certain date. Provided the date is before the first CRQC, this removes them from the circulating supply and avoids downward pressure on the "price". It does conform to the "not your keys, not your coins" mantra.
  • Hourglass: accept that the 2.3M BTC would be stolen but mitigate the effect on the "price" by limiting the rate at which these assets could be spent and thus enter the circulating supply.
As usual, consensus in the Bitcoin community is likely to be hard to achieve, giving an advantage to Do Nothing:
Those who consider digital property rights fundamental tend to have strong objections to the Burn proposal. Large Bitcoin holders are likely concerned about a potential supply shock and its effect on Bitcoin price. Miners may welcome Do Nothing and Hourglass proposals due to potential increase in transaction fees and volumes. The diversity and complexity of the Bitcoin community makes the ultimate outcome of these ongoing debates hard to predict. Indeed, an informal poll at 2025 Presidio Bitcoin Quantum Summit in San Francisco saw roughly equal support for each of the three categories of solutions.
Babbush et al add a fourth option: one or more sidechains to which public-spirited CRQC operators could, for a fee, send the contents of wallets they compromised, and other sidechains holding cryptographic proofs of ownership of the dormant assets in question. These sidechains would form a somewhat complex and thus risky ecosystem, and would be costly. Operating an early CRQC will be expensive, so the public-spirited operators would need to charge significant fees. Figure 13 shows that the bulk of the value is in the first 1000 wallets, so it is likely that this solution would leave something like 100K dormant wallets uneconomic to compromise.

The authors also review threats to other cryptocurrencies. One obvious threat is:
the objective of preserving transaction confidentiality on privacy-preserving blockchains, such as Zcash and Monero, cannot be fully achieved due to retroactive degradation of ECDLP-protected privacy of known addresses by quantum-capable adversaries.
Ethereum is by far the largest of the systems that are already taking proactive quantum-proofing steps. This is important because Ethereum is far more exposed than Bitcoin to quantum attacks, as Babbush et al recount:
The account model uses vulnerable elliptic curves as a core component of onchain identity, putting all accounts that have carried out transactions at risk including high value accounts, such as exchange hot wallets. Smart contracts with exposed admin keys that cannot be easily rotated (without draining and replacing the contracts themselves) create a logistical bottleneck for security upgrades that puts “low ether, high leverage” accounts and contracts responsible for tokenized real-world assets, oracles, bridges, guardians, etc. at risk. Moreover, the potential compromise of validators threatens the integrity of the Proof-of-Stake consensus mechanism itself, creating an existential risk to the chain’s continued operation. Finally, the vulnerability of Data Availability Sampling mechanism opens it up to on-setup attacks that can be launched without a quantum computer using a reusable exploit created once on a CRQC.
For example, Tornado Cash is a smart contract whose administrative public key is 0x0000, which indicates that administrative control has been relinquished. Presumably it will continue to function unless and until Ethereum decides to stop executing contracts with this key. Or, possibly, a CRQC could find the private key for 0x0000. Tornado's wallets have exposed keys, so could be drained unless each user removes their funds before the attack.

Babbush et al have a section addressing Public Policy Options for the Challenge of Dormant Assets. They start by arguing that government action to protect the "price" of BTC and similar cryptocurrencies by mandating the Burn option would be highly unlikely to succeed. They then argue that one approach would be to use existing laws on lost, abandoned and unclaimed assets:
if an owner of dormant coins has known for years that their assets are at risk and has failed to transact them to a post-quantum address, then they may be deemed to have failed to assert their rights through inaction.
But they point out many difficulties with this approach. For example, in the US the Revised Uniform Unclaimed Property Act (2016) is a model for relevant state laws on abandoned property, allowing it to be transferred to the custody of the state. The law assumes that the assets are in the custody of a "holder", a business such as a bank, but:
no party involved in the operation of the Bitcoin blockchain clearly meets the legal requirements to be the “holder” of the dormant coins. Indeed, none of them possess or control the coins since none of them know the private key.
They also discuss the:
spectre of dormant assets falling to rogue actors as a national security risk
and suggest that some governments will decide to use CRQCs to grab and maybe burn dormant assets. What they mean is that the US is worried that the North Koreans might acquire a CRQC. They are the masters of stealing cryptocurrency via conventional techniques, as we apparently see with the recent compromise of Kelp DAO.

As regards Bitcoin, the authors recommend that governments establish a legal framework for dormant digital assets similar to that for conventional abandoned assets, and that the Bitcoin community decide to implement the Burn option. Given the current difficulty of passing stablecoin legislation and the history of consensus in the Bitcoin community, I would expect that neither will happen in time.

As regards Ethereum, the more sophisticated technology and governance, combined with the absolutely catastrophic effects a CRQC could have on the ecosystem, give some confidence that timely mitigations are possible.
