If the Quantum Canary Sings, It’s Too Late
Why we can't rely on early warning systems for an ECDLP break
Disclaimer: CIV is an investor in Project Eleven, and I am on the board. This post reflects my own personal views, not those of P11, or anyone else.
There are three types of canaries[1] that people talk about in the context of quantum computing and Bitcoin risk, in the hope that they give us meaningful advance warning: a challenge ladder of increasingly large keys, canary funds, and Satoshi’s coins themselves. But they all carry the same fatal flaw: by the time the canary is tripped, it’s already too late. Bitcoiners will have to act on the information available to them today.
On breaking larger and larger keys
It’s very tempting to say something like “well, why don’t we just have a ladder of challenges from a 10-bit ECDLP instance all the way up to 256 bits, and we agree to get concerned when someone solves N bits (where N is your threshold of worry).” This was the idea around the Q-day Prize, which some people are very upset about.[2] I have seen some other well-intentioned Bitcoiners wonder about such prizes.
But unfortunately they don’t work, for a simple reason:
Quantum results below 120 bits will always be clouded by accusations of classical cheating, and when a quantum computer unambiguously surpasses classical capabilities, the warning window will be too short.
To put this into syllogism format:
Classical computers can solve ECDLP up to around 120 bits today[3]
Quantum results below the classical threshold provide little informational signal as they are vulnerable to accusations of cheating
The gap between 117 and 256 bits is prohibitively large for a classical computer but relatively shallow for a QC running Shor, which scales polynomially
Thus, by the time you get an unambiguous quantum break, a CRQC may only be months, not years away
The required time to deploy a PQ signature scheme on Bitcoin and transition all vulnerable coins is on the order of years
Thus, we cannot rely on a quantum break of an intermediate-size ECDLP instance to give us sufficient advance notice
Let me quickly defend the first three premises:
1. Classical computers can solve ECDLP to around 120 bits today
Classical computers are actually quite good at solving ECDLP, with the general record standing at 117.35 bits as of 2016. Of course, there is nothing to worry about classically, since secp256k1 is still about 2^69 times harder to solve using Pollard rho-type attacks.
For the secp256k1 curve specifically, a 130-bit ECDLP key was broken in September 2024 as part of the Bitcoin Puzzle challenge. The reason a 130-bit break was possible, against a general state of the art of 117 bits, is that the design of the Bitcoin Puzzle challenge allowed the attacker to use the more performant Pollard’s kangaroo, whereas the 117-bit break used the less efficient Pollard’s rho. (I know this is confusing, but the two results measure different things while requiring similar amounts of work. I’ll refer to the more general 117-bit result in this piece.)
2. Quantum results below the classical threshold provide little informational signal as they are vulnerable to accusations of cheating
Quantum breaks below the 117-bit classical state of the art can therefore be undermined via accusations of “priming”: embedding a classically derived answer in the circuit construction, effectively feeding the QC the answer and pretending that it was achieved quantumly.
This is, it seems, what happened with the winner of last week’s Q-day prize, which claimed to break a 15-bit ECDLP instance. As summarized by Craig Gidney: “You make a correct circuit, you get the expected result, you celebrate… but you got the right answer for the wrong reason.”
Anyone who has taken an epistemology class in college will recognize this as something akin to a Gettier problem: a situation where you hold a belief which is true and supported by evidence, but your account of how you acquired that knowledge is insufficient.[4] You were right… by accident.
There are some proposed techniques designed to make priming harder. However, none are in widespread use. As long as we are under the threshold of classical possibility, all quantum results will be clouded by suspicion in the minds of skeptical onlookers. So these challenges will not succeed at their stated objective, which is creating urgency in the technical community.
3. The gap between 117 and 256 bits is relatively shallow for a QC running Shor, which scales polynomially
Classical algorithms for solving ECDLP like Pollard’s rho scale as O(2^(n/2)), meaning each additional bit roughly doubles the difficulty. This is why the chasm between 117 bits and 256 is practically impossible to cross. So we are not worried at all about classical attacks on secp256k1, at least with known techniques.
Shor running on a QC scales as O(n^3) in gate operations. Going from 117 to 256 bits with Shor would require a measly 10.5 times more gate operations. Gate ops are a proxy for runtime, so you can think of the progression from 117 to 256 bits as unimaginable in classical terms, but as simple as running your computation 10 times as long for a QC. The scaling story for logical qubits is even simpler: it’s roughly linear. Using Google’s Babbush et al (2026) paper, we can see that the difference between 117 and 256 bits is a matter of 548 logical qubits (my interpolation) versus 1200 logical qubits.
You can get a visual sense of this here:
The Google paper is quite explicit about this. They describe quantum computing progress as nonlinear and threshold-based, with the number of logical qubits in SOTA processors being a poor guide to general quantum progress.
On the topic of quantum canaries, they say:
Accordingly, other gradual measures of progress, such as the challenge ladder of increasingly difficult ECDLP instances ranging from 6-bit to 256-bit modulus and group order proposed in [90], also fail to adequately measure progress towards a CRQC and may fail to provide a reliable early warning. Indeed, if a leading quantum architecture encounters and overcomes all its scaling challenges before producing a device able to solve (for example) 32-bit ECDLP, then there may be little time between the breaking of 32-bit ECDLP and the breaking of 256-bit ECDLP. Furthermore, the community should not expect to see published demonstrations of the most advanced quantum error-correction architectures and quantum algorithms deployed to cryptanalytic problems.
In other words, if a quantum processor is able to solve 120-bit ECDLP, the version that solves 256 bits is either the same machine or its successor. Your intuitions regarding classical security simply do not apply with Shor: bridging that 136-bit gap is a matter of merely doubling logical qubits and increasing runtime by 10x. A QC that can surmount the error-correction and qubit coherence problems to solve an intermediate-size circuit is close to one that can empty a Bitcoin address.
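The scaling contrast above, worked through as an added example (this is not code from the post or from the Google paper): it reproduces the post’s 2^69, 10.5x and 548-qubit figures from the stated O(2^(n/2)) and O(n^3) costs, and the linear logical-qubit interpolation from the 1200-qubit anchor is my assumption, taken from the post’s “roughly linear” remark.

```python
import math

# Anchor numbers taken from the post: classical ECDLP record ~117 bits,
# secp256k1 at 256 bits, ~1200 logical qubits for 256-bit ECDLP (Babbush et al).
CLASSICAL_RECORD_BITS = 117
TARGET_BITS = 256
LOGICAL_QUBITS_AT_256 = 1200


def classical_work_ratio(n_from: int, n_to: int) -> float:
    """Pollard's rho costs O(2^(n/2)) group operations, so moving from an
    n_from-bit to an n_to-bit instance multiplies the work by 2^((n_to-n_from)/2)."""
    return 2.0 ** ((n_to - n_from) / 2)


def shor_gate_ratio(n_from: int, n_to: int) -> float:
    """Shor for ECDLP costs O(n^3) gate operations (the post's proxy for
    runtime), so the same move only multiplies the work by (n_to/n_from)^3."""
    return (n_to / n_from) ** 3


def logical_qubits(n_bits: int) -> float:
    """Assumption: logical-qubit count scales linearly with key size, so we
    interpolate from the 256-bit anchor (1200 qubits) down to n_bits."""
    return LOGICAL_QUBITS_AT_256 * n_bits / TARGET_BITS


def canary_ladder(rungs):
    """For each rung of a challenge ladder, report how far it still is from
    256-bit secp256k1 in classical terms (bits of extra work) and in quantum
    terms (runtime multiple and logical qubits)."""
    rows = []
    for n in rungs:
        rows.append({
            "bits": n,
            "classical_bits_of_work_left": math.log2(classical_work_ratio(n, TARGET_BITS)),
            "shor_runtime_multiple_left": shor_gate_ratio(n, TARGET_BITS),
            "logical_qubits": logical_qubits(n),
        })
    return rows


if __name__ == "__main__":
    # Constructed ladder: the 15-bit Q-day result, the 32-bit example from the
    # Google paper, the 117/130-bit classical records, and the real target.
    for row in canary_ladder([15, 32, CLASSICAL_RECORD_BITS, 130, TARGET_BITS]):
        print(f"{row['bits']:>3} bits: {row['classical_bits_of_work_left']:6.1f} bits of "
              f"classical work left, Shor runtime x{row['shor_runtime_multiple_left']:7.1f}, "
              f"~{row['logical_qubits']:6.0f} logical qubits")
```

The 117-bit rung shows the asymmetry the post describes: roughly 2^69.5 more classical work, but only about 10.5x more Shor gate operations and a bit more than double the logical qubits.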
If you accept the first three premises, and acknowledge that Bitcoin’s required upgrade time is years, the argument clears.
On quantum canary funds
One popular idea in the quantum preparedness literature involves creating a bounty or incentive for a would-be quantum attacker to reveal themselves. A recent formulation of this comes courtesy of BitMEX Research. They propose creating a valid address with an unknown private key, such that it could only be recovered by an entity possessing a CRQC. Indeed, the Bitcoin community could even tie a post-quantum soft fork freezing vulnerable coins (like Satoshi’s p2pk coins) to a successful spend from the canary address. This avoids the problem of unnecessarily deprecating vulnerable coins. Bitcoiners concerned about quantum risk could donate funds to the address and increase the bounty.
The problem, of course, is that the motives of the first owner of a CRQC are completely inscrutable. We simply don’t know if they are altruistic, commercially minded, nation-state affiliated, or anything really. If I had to guess, I expect that it will be either a private firm in the US or a firm affiliated with the Chinese government, but even then, that isn’t really cause for comfort. We have no reason to believe that the first owner of a scaled QC would choose to reveal themselves by claiming a (likely smallish) designated bounty. They might go for the Satoshi coins. Or the Binance cold wallet. They might ignore Bitcoin completely. We just don’t know.
If I had to guess, I would imagine that the first owner of a QC would keep it a secret for as long as possible, given the enormous strategic value of having your geopolitical adversaries (who you would like to spy on) in the dark regarding your ability to decrypt their traffic.
I don’t think they would tip their hand by claiming a relatively small bounty.
On Satoshi’s coins moving
What about Satoshi’s coins? There is a school of thought that the roughly 1.7m presumed abandoned BTC held in legacy p2pk outputs are themselves a canary. Hunter Beast popularized this idea, dubbing it “Satoshi’s shield”. The Satoshi (and other early miner) coins buy us time, the thinking goes, because a quantum attacker would presumably invest their first efforts in those 30 thousand or so lots of 50 BTC, rather than focusing on regular folks with 0.2 BTC. The runtime estimates for quantum computers suggest that the first attacks (especially if on slow-clock hardware like neutral atom) will take weeks rather than minutes. As such, it would take a long time to grind through all the vulnerable p2pk addresses, giving everyone else due notice and time to upgrade. If you are ok with the roughly 1.7m+ presumed abandoned and quantum-vulnerable coins eventually ending up in the hands of the quantum attacker, this could be a relatively elegant scenario.
However, this isn’t necessarily the case either.
First of all, if I were a misaligned quantum attacker (think North Korea tier), I might simply try to hack the largest vulnerable address and represent it as an ordinary, classical hack. Imagine that a CRQC emerges and Bitcoin hasn’t completed transitioning to PQ address types. In that case, if you were an attacker and wanted to maximize your takings (and your ability to monetize your winnings), you would want to exploit a large vulnerable address while trying to persuade people you didn’t have a QC. You would go for the Binance cold wallet or something similar. Remember that a signature produced by a QC looks just the same as any ordinary signature, from the network’s perspective. So there’s no way to tell just by looking at the transaction that it was the product of a quantum exploit.
Now let’s imagine by the time a CRQC emerges, all live addresses have indeed transitioned to PQ, and the only ones left are the addresses that didn’t transition, because their owners lost the keys or abandoned them. Even then, we might not get any meaningful warning out of the p2pk addresses.
It’s easy to imagine a situation where the first entity to build a CRQC does want to monetize via the Satoshi coins but also wants to retain their advantage for as long as possible, so they recover all of the private keys to the roughly 35k outputs corresponding to the old p2pk keys, but don’t actually broadcast the transactions. If they suspect that someone is getting close, they can suddenly broadcast all the spending transactions, which would take up about 6 blocks. I think it could happen this way, at the behest of the US government.
Of course, we don’t know how it will play out. Perhaps the coins will be frozen before any of this happens. But I do think it’s possible that “Q-day” arrives months or years before any suspicious transaction becomes visible on chain.
So what evidence should count?
So if quantum canaries are a lost cause, what indicators can we use to discern when we should transition from “vague concern” to “imminent threat”? The simplest answer is just to take a cue from experts like the Google Quantum AI team (“begin the PQ transition immediately”), or Coinbase’s quantum advisory board (“the time to start preparing is now”). The problem, of course, is you will always be able to find a number of credentialed experts who completely disagree. There are a few serious physicists or computer scientists who continue to claim (against the weight of mounting empirical evidence) that scaled, error-corrected quantum computing is theoretically impossible. So the skeptic will always be able to say “this expert says quantum computing is impossible”.
What about early, non-cryptographic applications of QCs? Unfortunately, because there are only a few known applications of QCs, and there aren’t a lot of “miniature” ones which will become apparent well before QCs are cryptographically relevant, we simply may not have a highly legible ramp from 10 noisy qubits to 1000 error-corrected qubits. Craig Gidney admits in his Q-day prize retrospective: “I don’t have an idea for how to make open benchmarking a thing”.
Scott Aaronson gave a sobering answer to the question in a recent Stacker News AMA, when he was asked about evidence that quantum computers can genuinely outperform classical counterparts:
We’re arguably already there, for example with Quantinuum’s simulation of the Fermi-Hubbard model last year, or Google’s measurement of “OTOCs” (out of time order correlators).
If we’re not there, we’ll be there extremely soon. So I’m already looking ahead to the next milestone, which is when condensed-matter physicists, materials scientists, etc. who don’t “intrinsically” care about quantum computing at all, are nevertheless using it as a tool to help answer the questions they do care about, which they weren’t able to answer using high-performance classical computing. And then commercially relevant quantum simulations are a next milestone after that.
And I think this is the best answer yet, if unsatisfying. The skeptics will always accuse anyone who works for a quantum lab of exaggerating their progress or capabilities. The real rubric of quantum success is whether a QC can do what Feynman originally envisioned them for, which is particle simulation.
I went and looked at the literature to find out if there were commercial applications of QCs that are economically valuable and achievable at smaller scale than an ECC break. The conclusion is not encouraging:
As far as I can tell, none of the known commercial applications of QCs would serve as a useful canary for an ECDLP break. The cheap demonstrations are either not economically meaningful, not clearly beyond classical methods, or not legible enough to force consensus. Even the “small molecule” datapoint in the chart is currently classically tractable, and only quantum-relevant at larger scales. As far as I can tell, a CRQC is one of the lowest-hanging fruits on the fault-tolerant quantum computing tree.
As I said in the introduction, Bitcoin (and all other blockchains) will have to add PQ signatures to their blockchain on faith alone. And if you don’t want to hear it from me, take it from Scott Aaronson:
So, here it is: if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning. Please start switching to quantum-resistant encryption, and urge your company or organization or blockchain or standards body to do the same.
AI was not used at all in the drafting of this blog. AI was employed as a research assistant and to build visualizations.
[1] I know that this isn’t exactly how a canary works. Canaries were historically present in coal mines because they were much more sensitive to a range of toxic gases, like carbon monoxide or hydrogen sulfide. They wouldn’t sing when these gases were present, they would just die. But the title didn’t sound as good with the canary dying. I would rather that they sing than die.
[2] In hindsight, the Q-day prize was not that helpful, but I think the finger-pointing is very stupid and mostly done by Bitcoiners in denial about quantum risk. I haven’t seen any critic propose a better canary.
[3] Depending on how you look at it, you could plausibly say 117 and 130-bit instances of ECDLP have been broken. See additional discussion
[4] Very, very occasionally, philosophy is relevant to the real world




Yeah, canary funds don't work for the same reason that bug bounty programs don't stop North Korea from exploiting smart contracts. You've gotta be a benevolent entity in the first place.
In this case, Google, Cloudflare, Coinbase, etc. are the benevolent canaries. They already have all the incentives they need for their current messaging.
The warning system only works if people act before the warning triggers. Most wait for confirmation. By then the decision was already made by someone else. The quantum threat is real. The response will be decided by whoever acts first, not whoever sees it coming.
🕯️