My Takeaways from Google’s and Oratomic’s Quantum Resource Estimate papers
Disclosure: As everyone on the planet knows, CIV is an investor in Project Eleven, and I am on the board. P11 is a startup doing fundamental research to facilitate the post-quantum transition and protect user assets. CIV and I are long various cryptoassets that are exposed to quantum risks.
On Monday two major papers on resource estimation for theoretical quantum computing attacks on ECC-256 via Shor were released. (If this is gibberish to you, read this blog as a primer.) The first, “Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits”, is by a group of scientists at Caltech and UC Berkeley (some of whom announced a startup, Oratomic). The second, “The Quantum Threat to Elliptic Curve Cryptocurrencies: Resource Estimates, Vulnerabilities, and Mitigations”, is by the Google Quantum AI team (featuring Craig Gidney!), plus Stanford cryptographer Dan Boneh and Justin Drake of Ethereum.
Both papers offer landmark estimates of what it would cost (in terms of qubits, Toffoli gates, error rates, runtime) to build a quantum computer capable of breaking ECC256, which virtually all blockchains rely on. Neither set of academics claims to have broken Bitcoin or to have a working quantum computer – that’s not the point – they are simply proposing new improved algorithmic constructions and compilation techniques for two different quantum modalities. In other words, they’re showing how much easier the problem could become if hardware catches up, not that it’s solvable today.
As far as I know, no one is saying a quantum break of Bitcoin’s cryptography is imminent. I certainly am not. But these papers both accelerated my personal timeline for Q-day (the day on which a quantum computer first breaks a major cryptographic function like ECC256 or RSA2048). They accelerated Google’s timeline too: these papers were the reason the internet behemoth brought their full PQ deadline forward to 2029, a mere 2.7 years away.
The Google paper looks at superconducting qubits (the most mature subset of QC hardware) and the Oratomic paper considers a neutral atom architecture. They are not directly comparable and the different tradeoffs taken have to be appreciated. However, both papers improve on the state of the art in terms of resource estimates for attacks on ECC.
Though I recommend reading the source material directly, I appreciate that the implications may not be immediately obvious to all of you (though the Google paper is surprisingly readable, and covers a huge amount of ground). These are my main takeaways from the pair of papers:
Resource estimates for CRQCs are now within the realm of engineering plausibility
“On-spend” or short range attacks on Bitcoin must be incorporated into your threat model
We may not have the luxury of a “soft takeoff”
Scientists have begun self-censoring out of concern
Experts are bringing forward their Q-day expectations in response
This is a serious and uniquely qualified group of academics
First of all, just so you get a sense of who we’re dealing with, the Google paper (Babbush et al) is basically an all-star team consisting of Google Quantum AI researchers alongside cryptographers with a blockchain focus. The paper lists 7 members of the Google Quantum AI team, including Hartmut Neven, the project lead. Google Quantum AI is arguably the most important quantum lab on the planet – they brought us the Willow result that demonstrated that error correction was scalable. Craig Gidney is a name anyone familiar with the literature will know – he is in my view the most important QC researcher when it comes to resource estimation and has written some of the most cited papers in the field. Ryan Babbush is another leading figure in the field of quantum resource estimation.
Interestingly, these academics are joined by Justin Drake, a well-known Ethereum researcher, and Dan Boneh, one of the most respected cryptographers on the planet, also no stranger to crypto(currency). (He is the B in BLS signatures.) The paper combines the views of bleeding edge experts on resource estimation with specific expertise in how these cryptographic breaks could threaten Bitcoin and Ethereum.
As for the Oratomic paper, the author group is just as credentialed. John Preskill helped found the field of quantum error correction. Dolev Bluvstein has prior work demonstrating below-threshold error correction for a neutral atom processor. Caltech hosts one of the most well-reputed QC programs in the country.
1. Resource estimates keep collapsing
The way to think about the race to build a scaled quantum computer is in terms of resource requirements versus physical capabilities (the literal arrays of logical qubits themselves). In recent years, the software side has been advancing faster than the hardware, and it seems like there are still more gains to come in terms of algorithmic efficiency.
Generally speaking, the physical capabilities of quantum processors are improving, while the resource requirements are dropping. When they meet, you get an ECC-256 break. So if you wanted to estimate Q-day, you would project out the declining resource requirement curve and the growing capabilities of QCs and see where they intersect.
Pierre-Luc Dallaire has the best chart on this (updated with the latest results).
You can clearly see the declining resource estimates for RSA2048 and ECC256 set against the demonstrated qubit counts of various labs and their published roadmaps. We don’t know the future, but the curves intersect uncomfortably soon. My personal guess is sometime in the 2030-2035 range.
The Google paper proposes two resource estimates for an ECDLP break, one optimized to minimize logical qubits, the other targeting Toffoli gates (the quantum version of an AND gate). For the low-qubit variant, they estimate 1200 logical qubits and 90 million Toffoli gates; the low gate variant requires 1450 logical qubits and 70 million Toffoli gates. Based on standard assumptions for superconducting qubit processors, they estimate that these attacks would take 23 and 18 minutes respectively. However, by precomputing the first half of the algorithm, they can halve the attack time, getting the 70m gate variant down to 9 minutes. (This is a very important threshold as I’ll explain later.) The authors believe that these attacks might be possible with fewer than 500k physical qubits. This is well within the published roadmaps of several leading quantum labs. Because there has been relatively little work optimizing Shor for ECDLP, their physical qubit estimate is a 20-fold reduction versus the previous state of the art (Litinski 2023).
Babbush et al explore the tradeoff space to demonstrate how attackers can account for various constraints (say in hardware, or runtime) but still pull off a successful attack. Here’s a table showing how their estimates compare to other prior work on the topic (Google paper at the bottom in bold):
As you can see, the Google paper is the most economical in terms of logical qubits, T-gates needed, and wall-clock runtime. The one exception is Chevignard on the logical-qubit side, which also came out this year but requires many more runs and a vastly greater runtime (months or years versus minutes).
Here’s a chart from the paper which puts the Google result in context visually:
You can see that there is a kind of “efficient frontier” where various approaches have made tradeoffs, effectively “buying” qubits with T-gates and vice versa. The Google paper simply burst through the frontier. The huge optimization gains they were able to find by focusing on ECDLP suggest that there are probably more to come. Historically, most security researchers have focused on RSA, and it was the “standard” algorithm against which QC progress was measured. It looks to me like this is changing, with ECC becoming the biggest target. Additionally, these results imply that an ECC break might actually be easier in terms of resource requirements than RSA.
As for the Oratomic (Cain et al) paper, it’s not directly comparable to Google’s work because the papers focus on different modalities: superconducting and neutral atom, respectively. Superconducting qubits (the more conventional approach pursued by Google, IBM, Rigetti and others) are much faster in terms of gate operations but seem to have difficulties scaling due to the simple fact that it’s hard to maintain extremely cold temperatures (millikelvin – colder than outer space) for very large qubit arrays. Neutral atom architectures (a newer approach taken by QuEra, Pasqal, and others) are longer-lived and seem to scale much more cleanly, but are less mature and have lower fidelities. Some of the QC experts I talk to seem to think that neutral atom is the most credible approach to get to real scale, though the clock speed remains an issue – neutral atoms are 100-1000x slower per operation, which might end up being prohibitive for commercial applications. Neutral atoms already have an impressive scaling track record, and the authors note that arrays up to 6k qubits have been demonstrated, though not at the fidelities necessary for the Cain et al result.
Cain et al, like Babbush et al, explore different tradeoffs, offering “space efficient” and “time-efficient” approaches to an ECC-256 break with Shor.
Their space-efficient approach is prohibitive in terms of runtime, although in keeping with tradition in this literature, it does provide justification for the flashy title of the paper: “Shor’s algorithm is possible with approximately 10,000 reconfigurable atomic qubits”.
The important figures are the time-efficient approaches, which they estimate are achievable with 19k and 26k physical qubits with runtimes of 52 and 10 days, respectively. They lean on parallelism by executing Toffoli gates in batches within the algorithm’s subroutines.
Cain et al publish this chart summarizing the accelerating reduction in physical qubits required to crack ECC-256 and RSA-2048. If you turn the chart upside down, you get a curve that looks exponential. The “foom” moment seems to have happened in 2025. (Note that the blue dots and squares correspond to “slow clock” neutral atom approaches.) In my earlier work on this topic, I warned that orders of magnitude could collapse very quickly, and this chart seems to show that – a four order of magnitude reduction in physical qubits required in the last year alone. This is not something that Bitcoiners should take lightly.
The vast reduction in physical qubits (compare with Gidney and Ekera 2019 requiring 20m physical – a 10,000x physical:logical exchange rate) is due to their significantly reduced 10x physical:logical exchange rate. Of course, the paper assumes great feats of engineering, which is why no one is claiming this will actually be implemented anytime soon. Cain et al assume 10^-3 error rates, high connectivity, and high parallel throughput. None of these are trivial, and the state of the art labs have not demonstrated these features at scale. The most credible result that is “Cain-level quality” so far is Bluvstein (2026)’s 500-qubit array. Atom Computing has demonstrated a 1000-qubit array, but it had insufficient fidelity, among other problems.
So the SOTA quantum computing labs are still very far off the ~20-25k physical qubit arrays necessary for Cain et al to work, but this number is squarely inside their near term (late 2020s) roadmaps. Of course, unlike Babbush et al, the runtimes in Cain et al are exclusively slow – so the threat model is different. We would “only” have to worry about long-range attacks on exposed public keys (like Satoshi’s coins). If neutral atoms end up winning, we might not have to worry about short range attacks at all, and our roadmap to mitigate this risk could be significantly more relaxed.
2. We need to incorporate short-range attacks into threat models
The main contribution of Babbush et al in my view was them opening the Overton window and introducing the possibility of short-range attacks or “on spend” as they call them. Under one of their models, they posit that keys could be cracked in as little as nine minutes, shorter than Bitcoin’s average block time. As they say in the paper:
[O]ur resource estimates give the first clear indication that superconducting qubits could launch attacks within the average block time of Bitcoin and Bitcoin Cash, thus enabling “on-spend” attacks whereby a transaction is intercepted, the key is broken, and a fraudulent transaction is syndicated in the brief period of time before it is recorded on the blockchain. This prospect highlights the importance of migrating to post-quantum cryptography and of mitigation measures that thwart on-spend attacks, such as private mempools and commit-reveal schemes.
This does something previously thought impossible by quantum-watchers like myself: opens Bitcoin up to short range attacks, that is, deciphering private keys from public keys in the time between when a transaction is posted and it is confirmed in the blockchain. Previously most of us – even the most “doomer” quantum watchers – had felt that while a quantum break might one day be possible, the first attacks would take months or weeks for a single key, making short range attacks implausible for a matter of decades.
The difference between a short range and long range attack threat model is considerable.
In the long-range world, it’s sufficient for all coins to rotate into quantum-invulnerable address types (ordinary hashed addresses) and to avoid address reuse. In a world where short-range attacks are possible, your keys are not safe even if stored in an address with perfect hygiene, because public keys are revealed at the time of spend.
If you take Babbush et al seriously, you should avoid half measures and simply begin the full transition to native PQ signature verification as soon as possible.
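To make the short-range threat model concrete, here is a toy timing model of the two spending flows discussed above: an ordinary spend from a hashed address, whose public key sits in the public mempool until confirmation, and the same spend under a commit-reveal rule, one of the mitigations the Babbush et al quote names. This is an added example written for this post, not code from either paper or from the author; the chain, the public key, the payloads and the "who ends up with the coins" outcome are all constructed, and the model uses the average block time only, ignoring fees, block-time variance and reorgs.

```python
"""Toy timing model of the "on-spend" attack window and the commit-reveal
mitigation.  Added example; all keys, payloads and timings are constructed."""
import hashlib
from dataclasses import dataclass, field

BLOCK_TIME_MIN = 10.0  # Bitcoin's average block interval, in minutes


def commitment(pubkey: str, payload: str) -> str:
    """Binding commitment to (pubkey, spend details); publishing it reveals neither."""
    return hashlib.sha256(f"{pubkey}|{payload}".encode()).hexdigest()


@dataclass
class Chain:
    """Minimal chain: each block is just the list of commitment digests it confirmed."""
    blocks: list = field(default_factory=list)

    def add_block(self, digests) -> int:
        self.blocks.append(list(digests))
        return len(self.blocks)  # number of confirmed blocks

    def committed_before(self, digest: str, block_index: int) -> bool:
        """True if `digest` was confirmed in a block strictly earlier than `block_index`."""
        return any(digest in blk for blk in self.blocks[:block_index])


def plain_broadcast(key_break_min: float, block_time_min: float = BLOCK_TIME_MIN) -> str:
    """Ordinary spend from a hashed address: the public key is exposed in the
    mempool for roughly one block interval.  If the key can be recovered in
    less time than that, a competing spend can displace the original.
    Returns who ends up with the coins under this average-block-time model."""
    return "attacker" if key_break_min < block_time_min else "victim"


def commit_reveal(key_break_min: float, block_time_min: float = BLOCK_TIME_MIN) -> str:
    """Same spend under a commit-reveal rule: a reveal is valid only if its
    commitment was confirmed in an earlier block.  The public key first
    appears with the reveal, so the outcome does not depend on key_break_min."""
    chain = Chain()
    pubkey = "02" + "ab" * 32                        # constructed compressed-key-looking hex
    payload = "pay 1 BTC to victim-destination"     # constructed
    victim_commit = commitment(pubkey, payload)
    chain.add_block([victim_commit])                 # block 0: commit only; pubkey still hidden
    reveal_index = len(chain.blocks)                 # the reveal will land in block 1

    # The pubkey is first seen when the reveal is broadcast.  A forged reveal
    # of the same output needs its own commitment, which can only be confirmed
    # from block 1 onward, i.e. not strictly before the reveal.
    forged_commit = commitment(pubkey, "pay 1 BTC to attacker-destination")
    chain.add_block([forged_commit])                 # block 1: too late to count

    victim_valid = chain.committed_before(victim_commit, reveal_index)
    forged_valid = chain.committed_before(forged_commit, reveal_index)
    return "victim" if victim_valid and not forged_valid else "attacker"


if __name__ == "__main__":
    for minutes in (9.0, 18.0, 23.0):   # the runtimes quoted earlier in the post
        print(f"key broken in {minutes:>4} min: plain={plain_broadcast(minutes):8s} "
              f"commit-reveal={commit_reveal(minutes)}")
```

The design point is that the commit-reveal rule converts a race (who confirms first after the key is exposed) into an ordering constraint (which commitment is already in the chain), so the mitigation's effectiveness is independent of how fast keys can be broken; its cost is one extra confirmation of latency per spend.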
3. We may well get a “fast takeoff” quantum scenario
The thing many AI safety theorists worry about most is a “fast takeoff” situation in which an AI recursively self-improves and reaches a superintelligent state well ahead of our capacity to wrangle it and ensure its alignment.
In the quantum world, there is a similar concern. If we indeed get a “fast takeoff” in which a quantum computer factors 35 and then next month factors a 256-bit number, we will not have the warning that most Bitcoiners expect. Upgrading Bitcoin will require a lead time of years – Chaincode has estimated 2 years at the absolute minimum in an emergency scenario, asking for 7 years in the happier case.
In the wake of the publication of the Google paper I have seen those resistant to upgrading Bitcoin object time and again, insisting that we will have plenty of notice. This belief is better described as “wishcasting”. There is no evidence we will have slow, gradual, linear and easily legible progress on quantum computing that allows us to forecast the pace of progress ten years out. In fact, the experts are telling us otherwise. I’m going to quote Babbush et al at length here:
It has been observed that technological change tends to occur in a two-stage evolutionary process in which an initial “era of ferment” characterized by high degree of innovation and technical variation eventually leads to the emergence of a “dominant design” and is followed by a period of gradual technological improvement. For example, the car industry’s “era of ferment” (during the late 19th century) saw rapid innovation across a wide variety of cars powered by the steam engine, electric batteries and the internal combustion engine before the latter became the “dominant design”. In the stage of incremental improvement progress can be measured in terms of gradually increasing performance metrics, such as miles per gallon or the number of integrated circuit components in Moore’s law.
By contrast, quantum computing, with its broad variety of hardware platforms, is still in the “era of ferment” where simple models, such as counting physical qubits, fail to adequately capture technological progress. Instead, progress comes in discrete jumps corresponding to development of new internal capabilities and overcoming scaling challenges, e.g., by getting device error rates below the threshold for an error-correcting code or implementing coherent interconnects for modular architectures. Therefore, progress in quantum computing is better understood using a threshold model rather than in terms of the number of physical qubits.
Accordingly, other gradual measures of progress, such as the challenge ladder of increasingly difficult ECDLP instances ranging from 6-bit to 256-bit modulus and group order proposed in [74], also fail to adequately measure progress towards a CRQC and may fail to provide a reliable early warning. Indeed, if a leading quantum architecture encounters and overcomes all its scaling challenges before producing a device able to solve (for example) 32-bit ECDLP, then there may be little time between the breaking of 32-bit ECDLP and the breaking of 256-bit ECDLP. Furthermore, the community should not expect to see published demonstrations of the most advanced quantum error-correction architectures and quantum algorithms deployed to cryptanalytic problems. Thus, a successful public demonstration of Shor’s algorithm on a 32-bit elliptic curve should not be seen as a wake-up call to adopt PQC as much as a potential signal that PQC adoption has already failed.
We also argue that the finish line may become progressively more blurry and the current state of quantum capabilities increasingly more opaque as we approach CRQCs. Indeed, as progress in quantum computing lowers the barriers to entry, the final stages of the race to build a large fault-tolerant quantum computer may see “late-joiners” attempting a rapid breakout toward a CRQC, possibly accelerated by intellectual property theft or industrial espionage. Simultaneously, transparency of quantum computing research and development programs is likely to decrease as they get closer to large-scale commercially viable quantum computers. These factors may increase the uncertainty regarding the arrival time and the nature of the first CRQCs. Thus, it is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced. As we will argue throughout this piece, the safest course of action for the cryptocurrency community is to begin preparing itself against quantum attacks immediately.
More precisely, the number of Toffoli gates and logical qubits required to run Shor’s algorithm against ECC scale polylogarithmically with the number of bits. This means that cracking ECC256 is not substantially harder than cracking ECC128. This is kind of the whole point of Shor. Hard as it may be to accept, Shor doesn’t adhere to Bitcoiners’ traditional assumptions about the security assurances of adding bits, because it doesn’t brute force elliptic curve point multiplication. It genuinely reverse-engineers the problem. Here’s the relationship in simple chart form:
This should put to rest the objection that “QCs haven’t factored 35 yet!”. Because of the nature of Shor, when they do factor it, 256-bit numbers won’t be far behind. And Bitcoiners will not get the 10-year notice period they need to plan a leisurely upgrade. For what it’s worth, Cloudflare’s chief post-quantum mathematician and Blockstream’s Jonas Nick (probably the leading Bitcoiner doing PQ research) have expressed a similar sentiment.
I want to zoom in on this because it’s the biggest epistemic gap between even smart Bitcoiners and QC practitioners – and it’s the sole reason many Bitcoiners think we can delay implementation of a PQ upgrade.
Look at this chart courtesy of Cloudflare’s Bas Westerbaan:
Look how close the lines are. Once you get below a certain error-rate threshold and have a sufficient number of physical qubits, the game is won, whether it’s a tiny 4-bit key or a 2048-bit one (note that this chart is about RSA, but the same principle applies to ECC). As Bas says,
The day a quantum computer beats a classical computer on factoring, heck the day it factors a 32-bit number, we’re uncomfortably close to Q-day already. So: don’t wait for quantum computer factoring records; you’ll be too late.
Or take it from Scott Aaronson:
Once you understand quantum fault-tolerance, asking “so when are you going to factor 35 with Shor’s algorithm?” becomes sort of like asking the Manhattan Project physicists in 1943, “so when are you going to produce at least a small nuclear explosion?”
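The gap between how classical attacks and Shor-style attacks scale with key length is the crux of the section above, so here is a small worked comparison. It is an added example, not from either paper or from the post: the classical line is the generic-group bound for ECDLP (Pollard rho, about 2^(n/2) curve operations), while the quantum line is a hypothetical cubic model pinned to the 70 million Toffoli figure quoted earlier for 256 bits; the papers' real constants and exact exponents are not on this page, so treat that curve as illustrative only.

```python
"""Why a small-curve Shor demonstration implies the 256-bit case is close.
Added example.  The quantum curve is a HYPOTHETICAL polynomial model anchored
to the post's 70 million Toffoli figure at 256 bits; it is not the papers'."""
from math import log2

TOFFOLI_AT_256 = 70_000_000  # from the post (Google low-gate variant)


def classical_generic_ops(n_bits: int) -> float:
    """Best generic classical attack on an n-bit curve: about 2^(n/2) operations."""
    return 2.0 ** (n_bits / 2)


def quantum_toffolis_model(n_bits: int, exponent: float = 3.0) -> float:
    """Hypothetical model: Toffoli count grows like n^exponent, anchored at 256 bits."""
    return TOFFOLI_AT_256 * (n_bits / 256) ** exponent


def challenge_ladder(bits=(6, 32, 128, 256)):
    """Rows of (bits, classical security bits, modelled Toffolis), following the
    6-bit-to-256-bit challenge ladder mentioned in the Babbush et al quote."""
    return [(n, log2(classical_generic_ops(n)), quantum_toffolis_model(n)) for n in bits]


def cost_ratio(n_from: int, n_to: int):
    """How much harder n_to bits is than n_from bits: (classical factor, model factor)."""
    classical = classical_generic_ops(n_to) / classical_generic_ops(n_from)
    quantum = quantum_toffolis_model(n_to) / quantum_toffolis_model(n_from)
    return classical, quantum


if __name__ == "__main__":
    for n, sec_bits, toff in challenge_ladder():
        print(f"{n:4d}-bit curve: classical ~2^{sec_bits:.0f} ops, model ~{toff:,.0f} Toffolis")
    for a, b in ((32, 256), (128, 256)):
        c, q = cost_ratio(a, b)
        print(f"{a} -> {b} bits: classical x2^{log2(c):.0f}, quantum model x{q:.0f}")
```

Going from 128 to 256 bits multiplies the classical work by 2^64 but the modelled quantum work by only 8; from 32 to 256 bits the factors are 2^112 and 512. That is the arithmetic behind "when they factor 35, 256-bit numbers won’t be far behind": once a machine clears the error-correction threshold at any rung of the ladder, the remaining rungs are a constant-factor engineering step rather than an exponential one.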
4. Scientists have begun self-censoring
One interesting new development in the Babbush et al paper is their unwillingness to publish the actual mechanics of their attack on ECC256. Instead, they published a zero-knowledge proof attesting to the existence of the quantum circuits they describe without revealing them directly. They explain why:
Traditionally, the gold standard for quantum resource estimation has been full transparency: publishing algorithmic innovations, logical circuits, and error-correction optimizations to ensure results are openly verifiable. Our team has historically adhered to this standard — for instance, in establishing the most efficient quantum algorithms and circuits for breaking 2048-bit RSA. However, the escalating risk that detailed cryptanalytic blueprints could be weaponized by adversarial actors necessitates a shift in disclosure practices. Accordingly, we believe it is now a matter of public responsibility to share refined resource estimates while withholding the precise mechanics of the underlying attacks. Transparency regarding the overall resource costs of quantum attacks is essential; if the community overestimates the resources required, the perceived “safety margin” may lead to a dangerous “wait-and-see” attitude. Given the unfortunate technical trade-offs of Post-Quantum Cryptography (PQC), such delays could make it difficult for vulnerable cryptocurrencies to achieve the consensus necessary for an orderly transition.
This recalls what happened in the physics community in the lead-up to the development of the atomic bomb. In 1933, Leo Szilard conceived of the nuclear chain reaction idea but filed his patent secretly, as he didn’t want to tip others off. In 1939, nuclear fission was empirically demonstrated, and the field was set alight. Mindful of the looming war and the risk of helping the Nazis, Szilard began lobbying his colleagues to self-censor the publication of subsequent implementation details. In 1940, the National Academy of Sciences voluntarily adopted a self-censorship regime. Once the Manhattan Project began, all formal publications ceased. In July 1945, the first fission bomb was detonated in the White Sands Missile Range, New Mexico.
Due to the national security dynamics, the NSA is kept apprised of major quantum computing developments. If in the coming years we see less and less research published, it should be a sign that development is accelerating, not decelerating. This, again, is something Bitcoiners should consider when they assume they will have ample warning.
5. The papers meaningfully accelerated Q-day expectations among experts
Arguably the most important effect of the papers was how exposed organizations reacted. Google, of course, brought forward their full post-quantum preparedness deadline to 2029. They did this before the Babbush paper came out, and quite a few people wondered “what Google saw”. Once the paper came out, it was obvious. They explained that:
This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates.
It’s not just about resource estimates. Error correction and hardware continue to improve. Other major experts chimed in too. Filippo Valsorda, the maintainer of the Go cryptography standard library, former security lead at Google, and former Cloudflare cryptographer, brought forward his Q-day estimate, saying:
My position on the urgency of rolling out quantum-resistant cryptography has changed compared to just a few months ago.
Overall, it looks like everything is moving: the hardware is getting better, the algorithms are getting cheaper, the requirements for error correction are getting lower.
The bet is not “are you 100% sure a CRQC will exist in 2030?”, the bet is “are you 100% sure a CRQC will NOT exist in 2030?” I simply don’t see how a non-expert can look at what the experts are saying, and decide “I know better, there is in fact < 1% chance.” Remember that you are betting with your users’ lives.
Bitcoin developers would do well to heed his warning. They are currently wagering the existence of a trillion-dollar network on the bet that technology does not advance. That is an enormously reckless attitude for a set of individuals who are meant to be a model of paranoia and security-first thinking.
Scott Aaronson, one of the best-known theoretical computer scientists working on QC, and particularly renowned for his skepticism, had a marked reaction to the papers. In a blog post, “Quantum computing bombshells that are not April Fools”, he wrote:
Neither of the [Google and Oratomic] results change the basic principles of QC that we’ve known for decades, but they do change the numbers.
When you put both of them together, Bitcoin signatures for example certainly look vulnerable to quantum attack earlier than was previously known!
In particular, the Caltech group estimates that a mere 25,000 physical qubits might suffice for this, where a year ago the best estimates were in the millions. How much time will this save — maybe a year?
Neha Narula, the director of the MIT Media Lab, a respected academic with a PhD in computer science, and one of the highest-profile Bitcoiners, shared her view in a post, “Bitcoin and Quantum Computing”.
Her full post is worth reading – it’s mainly about how to compute the expected value of a CRQC on Bitcoin and why every Bitcoiner should run this analysis – but her conclusion is stark:
Let me make my position clear: I think [the likelihood of a CRQC appearing] is high enough to warrant prioritizing designing, implementing, and evaluating post-quantum signature schemes and consensus upgrades in Bitcoin now.
This is the clearest statement on the urgency to consider a PQ upgrade for Bitcoin from any high profile Bitcoin tastemaker. I’m not sure how any Bitcoiner can realistically disagree with her analysis. If you think there’s any nonzero chance of a CRQC appearing in the next decade, you have to start work on preparedness now.
And lastly, Cloudflare threw its hat into the ring, announcing that they, too, were moving up their own PQ deadline to 2029. Cloudflare has been a model of quantum preparedness (soundly debunking the Bitcoiner point that “a QC will destroy the internet”), as 65% of their traffic already flows through post-quantum encrypted channels. Cloudflare had this to say:
What happened? Last week, Google announced they had drastically improved upon the quantum algorithm to break elliptic curve cryptography, which is widely used to secure the Internet. They did not reveal the algorithm, but instead provided a zero-knowledge proof that they have one.
This is not even the biggest breakthrough. That same day, Oratomic published a resource estimate for breaking RSA-2048 and P-256 on a neutral atom computer. For P-256, it only requires a shockingly low 10,000 qubits. Google’s motivation behind their recent announcement to also pursue neutral atoms alongside superconducting quantum computers becomes clear now. Although Oratomic explains their basic approach, they still leave out crucial details on purpose.
Cloudflare points out that QC progress is not just happening in the algorithmic domain (as with the Google and Oratomic papers). Hardware and error correction are advancing too. QC isn’t really one technology, but a half-dozen different approaches (superconducting, neutral atom, trapped ion, silicon spin, photonics, and more), each with their different tradeoffs. They conclude:
The picture comes together: in 2025 neutral atoms turned out to be more scalable than expected, and now Oratomic figured out how to do much better error-correcting codes with such highly connected qubits. On top of that, breaking P-256 requires much less work. The result is that Q-Day has been pulled forward significantly from typical 2035+ timelines, with neutral atoms in the lead, and other approaches not far behind.
I’m going through these reactions to the Google and Oratomic papers in detail to demonstrate that serious cryptographers, computer scientists, and some of the biggest and most important internet companies on earth have reacted to the papers with alarm. There’s no shame in revising your view to account for new data. Bitcoiners should consider doing so.
Summing up
Despite many accusations, my objective is certainly not to spread panic or alarm among Bitcoiners or “harm the price”. I am not short Bitcoin, nor have I ever been. I am irresponsibly long Bitcoin, blockchains, and crypto through my personal exposures, my firm CIV, reputationally, and so on. Over a year ago, I realized that Bitcoin would face huge issues when and if quantum computing became a real prospect, and I then noticed that QC progress was moving much faster than anyone gave it credit for in the crypto space. On the basis of this prediction and my desire to help protect Bitcoin and blockchains generally, CIV invested in Project Eleven, and we later led the Series A. I’m proud of this and see no conflict whatsoever – my beliefs and exposures are perfectly aligned. I feel very lucky that I have a career that gives me the tools to nudge the world in a direction I think it ought to go. The reason I am speaking up is because I am long Bitcoin, and would very much like it to continue existing.
The truth is that the state of the art in quantum computing as it pertains to ECC is changing rapidly. The fact that Google brought forward their deadline for PQ readiness to 2029 speaks for itself. Cloudflare has already meaningfully begun their transition. The US Government has established a window of 2030-2035 for a full post-quantum transition. None of these initiatives or papers have anything to do with me.
My main contribution so far has been to point out that there is a discrepancy between the time Bitcoiners think they have and the necessary lead time that would be required for an orderly PQ transition. I have also pointed out that Bitcoin development is woefully sclerotic, and very little urgency is being demonstrated on this topic. (Bitcoin developers have reached out to me privately and insisted that meaningful work is happening here, but as this is not publicly legible, I discount these assertions heavily.) There is simply no comparison between the clear urgency demonstrated by the Ethereum foundation and the woeful smattering of efforts on the Bitcoin side. It’s not even clear who might have the authority in Bitcoin to push a change through. We’ve done three updates in the last decade, and there appear to be none on the horizon.
A lot of Bitcoiners seem to want to focus the debate of quantum preparedness on my own motives, exposures, and perceived conflicts. That is a mistake. I am just someone who digests and packages up information for a mass audience. What matters is the information payload itself – namely, these two papers and the growing body of academic work on the topic. A functional QC looks to be getting closer, Bitcoin is not prepared, and Bitcoin needs a lot of time to prepare. We may not have that time.
Instead of complaining about me or my firm or my investments, Bitcoiners should invest the time in reading the Babbush et al paper. It is accessibly written and it doesn’t take much to understand it. Take it from them, not me:
We have offered these specific resource estimates and analyses to provoke necessary action, urging that the migration of cryptosystems to post-quantum cryptography begin immediately to avoid catastrophic network congestion and ensure the stability of the future financial internet.
Blockchain technology and cryptocurrencies are now a significant component of the global economy, and the sooner the community takes the quantum threat seriously, the better prepared we will all be to weather the coming storm.
Wow nice work 🤙👑👑👑👌
Thanks for the writeup Nic. I would love to hear your perspective on what the "man on the street" bitcoiner should be doing about this concern. Most folks don't have the audience you do. How does the general public exert pressure on this topic? Buy less BTC? Make the devs' lives uncomfortable on Twitter? Just don't worry about it?