
429 points AbhishekParmar | 2 comments
Imnimo No.45670761
As with any quantum computing news, I will wait for Scott Aaronson to tell me what to think about this.
replies(6): >>45670868 #>>45670978 #>>45671067 #>>45671079 #>>45671833 #>>45672034 #
lisper No.45670978
Why wait? Just go read the paper:

https://www.nature.com/articles/s41586-025-09526-6

In the last sentence of the abstract you will find:

"These results ... indicate a viable path to practical quantum advantage."

And in the conclusions:

"Although the random circuits used in the dynamic learning demonstration remain a toy model for Hamiltonians that are of practical relevance, the scheme is readily applicable to real physical systems."

So the press release is a little over-hyped. But this is real progress nonetheless (assuming the results actually hold up).

[UPDATE] It should be noted that this is still a very long way away from cracking RSA. That requires quantum error correction, which this work doesn't address at all. This work is in a completely different regime of quantum computing, looking for practical applications that use a quantum computer to simulate a physical quantum system faster than a classical computer can. The hardware improvements that produced progress in this area might be applicable to QEC some day, but this is not direct progress towards implementing Shor's algorithm at all. So your crypto is still safe for the time being.

replies(4): >>45671003 #>>45671037 #>>45671611 #>>45671618 #
ransom1538 No.45671003
SO... BTC goes to zero?
replies(5): >>45671041 #>>45671043 #>>45671120 #>>45671360 #>>45672639 #
bilsbie No.45671360
I don’t see why bitcoin wouldn’t update its software in such a case. The majority of miners just need to agree. But why wouldn’t they if the alternative is going to zero?
replies(6): >>45671436 #>>45671437 #>>45671613 #>>45672053 #>>45672248 #>>45674763 #
andrewla No.45671613
How could updating the software possibly make a difference here? If the encryption is cracked, then who is to say who owns which Bitcoin? As soon as I try to transfer any coin that I own, I expose my public key, your "Quantum Computer" cracks it, and you offer a competing transaction with a higher fee to send the Bitcoin to your slush fund.

No amount of software fixes can update this. In theory once an attack becomes feasible on the horizon they could update to post-quantum encryption and offer the ability to transfer from old-style addresses to new-style addresses, but this would be a herculean effort for everyone involved and would require all holders (not miners) to actively update their wallets. Basically infeasible.

Fortunately this will never actually happen. It's way more likely that ECDSA is broken by mundane means (better stochastic approaches most likely) than quantum computing being a factor.

replies(4): >>45671867 #>>45671886 #>>45671904 #>>45672761 #
iwontberude No.45671867
As you alluded to, network can have two parallel chains where wallets can be upgraded by users asynchronously before PQC is “needed” (a long way away still) which will leave some wallets vulnerable and others safe. It’s not that herculean as most wallets (not most BTC) are in exchanges. The whales will be sufficiently motivated to switch and everyone else it will happen in the background.

A nice benefit is it solves the problem with Satoshi’s (of course not a real person or owner) wallet. Satoshi’s wallet becomes the de facto quantum advantage prize. That’s a lot of scratch for a research lab.

replies(1): >>45671934 #
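andrewla's point above (a Bitcoin address publishes only a hash; the public key itself appears on-chain when the coins are spent) and iwontberude's point that a migration leaves some wallets exposed and others safe, as an added example that is not from the thread: a toy ledger scan that flags funded addresses whose key is already public. It assumes a simplified P2PKH model, uses a single SHA-256 in place of Bitcoin's real RIPEMD160(SHA256(pubkey)) plus base58check encoding, and the chain data is constructed.

```python
# Toy P2PKH-style ledger scan: which funded addresses have already revealed
# their public key on-chain? (Added example; SHA-256 stands in for hash160.)
import hashlib
from dataclasses import dataclass

def address_of(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:40]   # hash of the key, not the key

@dataclass
class TxInput:
    pubkey: bytes     # revealed in the scriptSig only when the coins are spent
    signature: bytes  # ECDSA signature in real Bitcoin; opaque bytes here
    amount: int       # value of the output being spent

@dataclass
class TxOutput:
    address: str      # recipient publishes only the hash of their key
    amount: int

@dataclass
class Tx:
    inputs: list      # empty for a coinbase-style transaction
    outputs: list

def exposed_pubkeys(chain: list) -> dict:
    """address -> public key, for every address that has ever spent."""
    return {address_of(i.pubkey): i.pubkey for tx in chain for i in tx.inputs}

def classify(chain: list) -> tuple:
    """Split funded addresses into (key already public, only hash public)."""
    bal = {}
    for tx in chain:
        for i in tx.inputs:
            a = address_of(i.pubkey)
            bal[a] = bal.get(a, 0) - i.amount
        for o in tx.outputs:
            bal[o.address] = bal.get(o.address, 0) + o.amount
    exposed = exposed_pubkeys(chain)
    at_risk = {a: v for a, v in bal.items() if v > 0 and a in exposed}
    hash_only = {a: v for a, v in bal.items() if v > 0 and a not in exposed}
    return at_risk, hash_only

# Constructed sample chain (not real Bitcoin data).
PK_A, PK_B, PK_C = (b"\x02" + b"A" * 32, b"\x02" + b"B" * 32, b"\x02" + b"C" * 32)
ADDR_A, ADDR_B, ADDR_C = map(address_of, (PK_A, PK_B, PK_C))
SAMPLE_CHAIN = [
    Tx([], [TxOutput(ADDR_A, 50)]),                            # A paid; key hidden
    Tx([TxInput(PK_A, b"sigA", 50)],                           # A spends: PK_A public
       [TxOutput(ADDR_B, 20), TxOutput(ADDR_A, 30)]),          # change reuses ADDR_A
    Tx([TxInput(PK_B, b"sigB", 20)], [TxOutput(ADDR_C, 20)]),  # B spends: PK_B public
]
```

Running `classify(SAMPLE_CHAIN)` shows ADDR_A holding 30 with its key already public (address reuse after a spend), while ADDR_C holds 20 with only its hash on-chain; the same scan over a migration snapshot is what tells you which wallets still need to move.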
jwpapi No.45671934
Not even needed; you can just copy the network state of a specific moment in time and encrypt with a new algorithm that will be used from then on.
replies(1): >>45672174 #
strbean No.45672174
The problem is that the owner needs to claim their wallet and migrate it to the new encryption. Just freezing the state at a specific moment doesn't help; to claim the wallet in the new system I just need the private key for the old wallet (as that's the sole way to prove ownership). In our hypothetical post-quantum scenario, anyone with a quantum computer can get the private key and migrate the wallet, becoming the de facto new owner.

I think this is all overhyped though. It seems likely we will have plenty of warning to migrate prior to achieving big enough quantum computers to steal wallets. Per Wikipedia:

> The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330 qubits and 126 billion Toffoli gates.

IIRC this is speculated to be the reason ECDSA was selected for Bitcoin in the first place.

replies(1): >>45678614 #
cubic_prism No.45678614
Note, the 126 billion Toffoli gates are operations, so that's more about how many operations you need to be able to reliably apply without error.

It should be noted that according to IonQ's roadmap, they're targeting 2030 for computers capable of that. That's only about 5 years sooner than when the government has said everyone has to move to post-quantum.