Willow quantum chip demonstrates verifiable quantum advantage on hardware

SO... BTC goes to zero?

no, not really, PQC is already being discussed in pretty much every relevant crypto thing for couple years alearady and there are multiple PQC algos ready to protect important data in banking etc as well

No, we're still not much closer to that event.

If quantum computers crack digital crytography, traditional bank account goes to zero too because regular 'ol databases also use crytography techniques for communication.

If all else fails, banks can generate terabytes of random one-time pad bytes, and then physically transport those on tape to other banks to set up provably secure communication channels that still go over the internet.

It would be a pain to manage but it would be safe from quantum computing.

I don’t see why bitcoin wouldn’t update its software in such a case. The majority of minors just need to agree. But why wouldn’t they if the alternative is going to zero?

Let's say I give you a function you can call to crack any RSA key. How are you hacking banks?

Sir Alexander Dane: MINERS, not MINORS.

I'll tell you right now, no way my kids would agree until they're at least adults. They don't even know what asymmetric cryptography is.

They could also use pre-shared keys with symmetric cryptography. AES-256-GCM is secure against quantum attack, no need to bother with one-time pads.

I don’t really understand the threat to banking. Let’s say you crack the encryption key used in my bank between a java payment processing system and a database server. You can’t just inject transactions or something. Is the threat that internal network traffic could be read? Transactions all go to clearing houses anyway. Is it to protect browser->webapp style banking? those all use ec by now anyway, and even if they don’t how do you mitm this traffic?

Where is the exact threat?

How could updating the software possibly make a difference here? If the encryption is cracked, then who is to say who owns which Bitcoin? As soon as I try to transfer any coin that I own, I expose my public key, your "Quantum Computer" cracks it, and you offer a competing transaction with a higher fee to send the Bitcoin to your slush fund.

No amount of software fixes can update this. In theory once an attack becomes feasible on the horizon they could update to post-quantum encryption and offer the ability to transfer from old-style addresses to new-style addresses, but this would be a herculean effort for everyone involved and would require all holders (not miners) to actively update their wallets. Basically infeasible.

Fortunately this will never actually happen. It's way more likely that ECDSA is broken by mundane means (better stochastic approaches most likely) than quantum computing being a factor.

I’m confused, are your kids major Bitcoin miners?

Not major miners, but minor miners (if you count Minecraft).

The big threat is passively breaking TLS, so it’s browser traffic. Or, any internet traffic?

GGP used the term "minors," GP is running with the typo.

That actually confused me. I thought he he meant "the majority of the minority" while I was pretty sure it's just a simple majority

As you alluded to, network can have two parallel chains where wallets can be upgraded by users asynchronously before PQC is “needed” (a long way away still) which will leave some wallets vulnerable and others safe. It’s not that herculean as most wallets (not most BTC) are in exchanges. The whales will be sufficiently motivated to switch and everyone else it will happen in the background.

A nice benefit is it solves the problem with Satoshi’s (of course not a real person or owner) wallet. Satoshi’s wallet becomes the defacto quantum advantage prize. That’s a lot of scratch for a research lab.

> this would be a herculean effort for everyone involved and would require all holders (not miners) to actively update their wallets. Basically infeasible.

Any rational economic actor would participate in a post-quantum hard fork because the alternative is losing all their money.

If this was a company with a $2 trillion market cap there'd be no question they'd move heaven-and-earth to prevent the stock from going to zero.

Y2K only cost $500 billion[1] adjusted for inflation and that required updating essentially every computer on Earth.

[1]https://en.wikipedia.org/wiki/Year_2000_problem#Cost

Firstly I'd want to see them hash the whole blockchain (not just the last block) with the post-quantum algo to make sure history is intact.

But as far as moving balances - it's up to the owners. It would start with anybody holding a balance high enough to make it worth the amount of money it would take to crack a single key. That cracking price will go down, and the value of BTC may go up. People can move over time as they see fit.

Not even needed you can just copy network state of a specific moment in time and encrypt with a new algorithm that will be used from then on

Okay, but breaking that TLS (device->bank) would allow you to intercept the session keys and then decrypt the conversation. Alright, so now you can read I logged in and booked a transaction to my landlord or whatever. What else can you do? OTP/2FA code prevents you from re-using my credentials. Has it been demonstrated at all that someone who intercepts a session key is able to somehow inject into a conversation? It seems highly unlikely to me with TCP over the internet.

So we are all in a collective flap that someone can see my bank transactions? These are pretty much public knowledge to governments/central banks/clearing houses anyway -- doesn't seem like all that big a deal to me.

(I work on payment processing systems for a large bank)

> those all use ec by now anyway

As far as i am aware, eliptic curve is also vulnerable to quantum attacks.

The threat is generally both passive eavesdropping to decrypt later and also active MITM attacks. Both of course require the attacker to be in a position to eavesdrop.

> Let’s say you crack the encryption key used in my bank between a java payment processing system and a database server.

Well if you are sitting in the right place on the network then you can.

> how do you mitm this traffic?

Depends on the scenario. If you are government or ISP then its easy. Otherwise it might be difficult. Typical real life scenarios are when the victim is using wifi and the attacker is in the physical vicinity.

Like all things crypto, it always depends on context. What information are you trying to protect and who are you trying to protect.

All that said, people are already experimenting with PQC so it might mostly be moot by the time a quantum computer comes around. On the other hand people are still using md5 so legacy will bite.

> Has it been demonstrated at all that someone who intercepts a session key is able to somehow inject into a conversation? It seems highly unlikely to me with TCP over the internet.

if you can read the TLS session in general, you can capture the TLS session ticket and then use that to make a subsequent connection. This is easier as you dont have to be injecting packets live or make inconvinent packets disappear.

> The majority of minors just need to agree.

That's an uncomfortably apt typo.

"Ahhhh... now you tell me" (Formerly Prince Andrew, at some point).

Flooding the system with forged messages that overwhelm the clearinghouse having to verify them sounds like a good way to bring down a banking system.

> Well if you are sitting in the right place on the network then you can.

Not really. This would be if not instantly then when a batch goes for clearing or reconciliation, be caught -- and an investigation would be immediately started.

There are safeguards against this kind of thing that can't be really defeated by breaking some crypto. We have to protect against malicious employees etc also.

One can not simply insert bank transactions like this. They are really extremely complicated flows here.

The problem is that the owner needs to claim their wallet and migrate it to the new encryption. Just freezing the state at a specific moment doesn't help; to claim the wallet in the new system I just need the private key for the old wallet (as that's the sole way to prove ownership). In our hypothetical post-quantum scenario, anyone with a quantum computer can get the private key and migrate the wallet, becoming the de-facto new owner.

I think this is all overhyped though. It seems likely we will have plenty of warning to migrate prior to achieving big enough quantum computers to steal wallets. Per wikipedia:

> The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330 qubits and 126 billion Toffoli gates.

IIRC this is speculated to be the reason ECDSA was selected for Bitcoin in the first place.

It seems like detecting a re-use like this should be reasonably easy, it would not look like normal traffic and we could flag this to our surveillance systems for additional checks on these transactions. In a post quantum world, this seems like something that would be everywhere anyway (and presumably, we would be using some other algo by then too).

Somehow, I'm not all that scared. Perhaps I'm naive.. :}

Sure, if a bank gets compromised you could in theory DOS a clearing house, but I'd be completely amazed if it succeeded. Those kind of anomalous spikes would be detected quickly. Not even imagining that each bank probably has dedicated instances inside each clearing house.

These are fairly robust systems. You'd likely have a much better impact dossing the banks.

The problem is all the lost BTC wallets, which is speculated to be a lot and also one of the biggest reason for the current BTC price, who obviously cannot upgrade to PQ. There is currently a radical proposal of essentially making all those lost wallets worthless, unless they migrate [1]

[1] - https://github.com/jlopp/bips/blob/quantum_migration/bip-pos...

Yah, I suspect the banks pay a handsome sum to smarter people than you and me, and they've gamed this out already.

I build such systems ;)

No, I don't think so. By the time quantum supremacy is really achieved for a "Q-Day" that could affect them or things like them, the existing blockchains which have already been getting hardened will have gotten even harder. Quantum computing could be used to further harden them, as well, rather than compromise them. Supposing that Q-Day brought any temporary hurdles to Bitcoin or Ethereum or related blockchains, well...due to their underlying nature resulting in justified Permanence, we would be able to simply reconstitute and redeploy them for their functionalities because they've already been sufficiently imbued with value and institutional interest as well. These are quantum-resistant hardenings.

So I do not think these tools or economic substrate layers are going anywhere. They are very valuable for the particular kinds of applications that can be built with them and also as additional productive layers to the credit and liquidity markets nationally, internationally, and also globally/universally.

So there is a lot of institutional interest, including governance interest, in using them to build better systems. Bitcoin on its own would be reduced in such justification but because of Ethereum's function as an engine which can drive utility, the two together are a formidable and quantum-resistant platform that can scale into the hundreds of trillions of dollars and in Ethereum's case...certainly beyond $1Q in time.

I'm very bullish on the underlying technology, even beyond tokenomics for any particular project. The underlying technologies are powerful protocols that facilitate the development and deployment of Non Zero Sum systems at scale. With Q-Day not expected until end of 2020s or beginning of 2030s, that is a considerable amount of time (in the tech world) to lay the ground work for further hardening and discussions around this.

I’m not sure there’s a better alternative.

> would require all holders (not miners) to actively update their wallets. Basically infeasible.

It doesn't require all holders to update their wallets. Some people would fail to do so and lose their money. That doesn't mean the rest of the network can't do anything to save themselves. Most people use hosted wallets like Coinbase these days anyway, and Coinbase would certainly be on top of things.

Also, you don't need to break ECDSA to break BTC. You could also do it by breaking mining. The block header has a 32-bit nonce at the very end. My brain is too smooth to know how realistic this actually is, but perhaps someone could do use a QC to perform the final step of SHA-256 on all 2^32 possible values of the nonce at once, giving them an insurmountable advantage in mining. If only a single party has that advantage, it breaks the Nash equilibrium.

But if multiple parties have that advantage, I suppose BTC could survive until someone breaks ECDSA. All those mining ASICs would become worthless, though.

Hey, why are you bringing the kids into this! ;) "The majority of minors"

I meant on a technical level you could insert the data into the network. Obviously if the system as a whole does not depend on TLS for security, then no amount of breaking TLS will impact it

> It seems like detecting a re-use like this should be reasonably easy, it would not look like normal traffic

I don't see why it wouldn't look like normal traffic.

> Somehow, I'm not all that scared. Perhaps I'm naive.. :}

We're talking about an attack that probably won't be practical for another 20 years , which already has counter measures that are in testing right now. Almost nobody should be worried about it.

Note, the 126 billion Toffoli gates are operations, so that's more about how many operations you need to be able to reliably apply without error.

It should be noted that according to IonQ's roadmap, they're targeting 2030 for computers capable of that. That's only about 5 years sooner than when the government has said everyone has to move to post quantum.