Scott Aaronson is very good on quantum computing news and I enjoy his blog. Here is his take on the Google paper (#1462657) as well as a Caltech paper on quantum computing that came out this week.
Bitcoin signatures for example certainly look vulnerable to quantum attack earlier than was previously known! In particular, the Caltech group estimates that a mere 25,000 physical qubits might suffice for this, where a year ago the best estimates were in the millions. How much time will this save — maybe a year? Subtracting, of course, off a number of years that no one knows.
I read this to mean that he thinks that it was previously going to take n years for quantum computers to become advanced enough to crack bitcoin keys, and now he thinks maybe it will take n-1 years.
n is not known.
He goes on to say:
these results provide an even stronger impetus for people to upgrade now to quantum-resistant cryptography. They—meaning you, if relevant—should really get on that!
He also had some interesting notes to add about Google's choice to publish a ZK proof of their discovery, rather than the circuit itself. Aaronson compares it to some historical examples that are interesting. Check out his blog for the full read.
ETH-tards started this bullshit quantum mania.
Gullible bitcoiners react in panic.
Such a stupid world...
Failure to fill blocks with monetary transactions looks bad, feeds luke jr spam paranoia (even though it's bullshit), and could eventually impact bitcoin price via doubts on hashrate.
Massive signatures make this problem even worse. They would make more use of the witness discount and thereby bloat blocks to 3-4 MB, thereby making it harder to run a node.
The aim has always been to scale Bitcoin while using as little space as possible (Segwit, Taproot, and hopefully CISA soon). I have no interest in crippling Bitcoin transaction throughput with massive signatures because some people like to spread FUD.
I really wonder about point number 2. Perhaps it is a way to market a quantum resistant upgrade, but it seems short-sighted to fix the security budget problem (if there is one, I'm still on the fence about this) by making transactions bigger.
I think bitcoin should aim for the maximum throughput of transactions constrained only by security and ease of ability to run a node. If there's "too much" blockspace and miners aren't making enough, that seems to be a sign of weak interest in Bitcoin. I don't think that gets fixed by making transactions bigger.
Besides, the trend seems to be that quantum resistant signatures are getting smaller. I don't doubt that by the time we actually implement something like that in Bitcoin, they will be much smaller than the current size.
For instance, I saw this from @lightcoin
source
https://twiiit.com/lightcoin/status/2039536572408701301
Visa, Mastercard, banks and shitcoins should worry more than bitcoin
https://xcancel.com/giacomozucco/status/2039029248762024162#m
Bitcoiners are underestimating the threat. People knowledgeable of cryptography need to at least start discussing possible post quantum cryptography implementations in bitcoin.
Btw why aren't hashed taproot key addresses a thing? It's a trivially easy thing that, while not solving it, will limit the time where a quantum computer has to break a specific address.
The 25,000 physical qubit estimate from Caltech is genuinely concerning if you take it at face value. A year ago the best estimates were in the millions. That's not a small revision.
But here's what I think matters more than the timeline: the migration problem. Even if quantum computers that can crack ECDSA are 10 years away, migrating every Bitcoin UTXO to quantum-resistant signatures is a governance and coordination challenge that makes the BIP process look simple.
Think about it. Lost wallets with exposed public keys (every address that's ever sent a transaction has its pubkey on chain) can never be migrated. Satoshi's coins are sitting there with exposed keys. You'd need a soft fork to add quantum-resistant signature types, then convince every active holder to move their funds. How long does that take? The blocksize war took years over a parameter change. This would be bigger.
Aaronson is right that people should "get on" quantum-resistant crypto. But for Bitcoin specifically, the hardest part isn't the cryptography. It's the coordination. The math is solvable. The politics might not be.
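The exposure point raised above (hashed address types only put hash160(key) on chain until the coins are spent, while taproot and P2PK outputs carry the key itself) can be turned into a simple inventory check. The following is an added example, not from this thread or from any Bitcoin project: it classifies a constructed set of UTXOs by whether a quantum attacker could already target the controlling key. The scriptPubKey templates are the standard ones; the txids, hashes and key bytes are placeholders with no real value.

```python
# Added example (not Bitcoin Core code). Standard output templates assumed:
#   P2PK   <33|65-byte key> OP_CHECKSIG                      -> key in the output
#   P2PKH  OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -> only hash160(key)
#   P2WPKH OP_0 <20>                                         -> only hash160(key)
#   P2TR   OP_1 <32-byte tweaked x-only key>                 -> key in the output
from dataclasses import dataclass

@dataclass
class Utxo:
    txid: str                   # constructed placeholder, not a real transaction
    script_pubkey: bytes
    address_spent_before: bool  # an earlier spend from this address revealed its key

def script_type(spk: bytes) -> str:
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return "p2pk"
    return "other"

def key_exposure(u: Utxo) -> str:
    """'exposed': the key is already on chain and can be attacked at leisure;
    'hashed': only hash160(key) is on chain until the coins move;
    'unknown': non-standard script, needs manual review."""
    t = script_type(u.script_pubkey)
    if t in ("p2pk", "p2tr"):
        return "exposed"
    if t in ("p2pkh", "p2wpkh"):
        return "exposed" if u.address_spent_before else "hashed"
    return "unknown"

def summarize(utxos) -> dict:
    counts = {"exposed": 0, "hashed": 0, "unknown": 0}
    for u in utxos:
        counts[key_exposure(u)] += 1
    return counts

# Constructed sample set: fake txids and zero-information key/hash bytes.
SAMPLE = [
    Utxo("aa" * 32, bytes.fromhex("76a914" + "11" * 20 + "88ac"), False),  # fresh P2PKH
    Utxo("bb" * 32, bytes.fromhex("76a914" + "22" * 20 + "88ac"), True),   # reused P2PKH
    Utxo("cc" * 32, bytes.fromhex("0014" + "33" * 20), False),             # fresh P2WPKH
    Utxo("dd" * 32, bytes.fromhex("5120" + "44" * 32), False),             # P2TR, key in output
    Utxo("ee" * 32, bytes.fromhex("2102" + "55" * 32 + "ac"), False),      # P2PK, compressed key
    Utxo("ff" * 32, bytes.fromhex("6a04deadbeef"), False),                 # OP_RETURN, no key
]
```

`summarize(SAMPLE)` returns `{'exposed': 3, 'hashed': 2, 'unknown': 1}`; a taproot key-path output counts as exposed because the tweaked key in the output is exactly what the signature is checked against.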