PSA: The quantum apocalypse isn't coming
A cryptographically-relevant quantum computer is physically impossible: real hardware hits a fundamental back-reaction limit at a few hundred high-fidelity logical qubits due to size-dependent noise from the error-correction process itself. Shor on 256-bit ECDSA requires thousands to tens of thousands of near-perfect ones. The gap is physical and insurmountable.
The actual use-cases for "quantum computers" are:
- Gassing up investors with science jargon
- Building a regulatory moat
- Scaring people away from battle-tested open-source cryptography
Implementing quantum resistance would be very bad for Bitcoin:
- Dilithium2 / Dilithium3 in P2TR
- Falcon-512 / Falcon-1024 in P2TR
- SPHINCS+-128f in P2TR
- ECDSA + Dilithium2 hybrid (legacy/SegWit/Taproot)
- ECDSA + Falcon-512 hybrid (legacy/SegWit/Taproot)
- New lattice or hash-based spend paths
- New QR address formats / commitments
- Signature size 9–240× larger
- Pubkey size 27–40× larger
- Typical spend 15–50× higher fees forever
- Witness data 15–50× bigger
- UTXO set 10–20× larger within years
- Validation time 5–20× slower
- Far more complex code, not battle tested
- Permanently higher fees (15–50× per tx)
- Lightning channel closes 15–50× more expensive
- Pruning nodes die (UTXO bloat kills them)
- Full-node storage +10–20× in a few years
- Increased centralization pressure
- Permanent consensus & DoS risk increase
- New critical bugs and side-channels
Some of the work people are doing to show that we COULD add QR, IF we needed to, is probably helpful to fight the FUD. But don't buy the hype and don't get bullied by the quantum mafia hype machine.
#Bitcoin
Replies (25)
Sounds like you know a lot about this stuff. Can you recommend a good book for beginner cryptography? Something interesting?? Maybe puzzles. Maybe history? Would like to dive into the shallow end.
I've been learning on the job for 25 years ... I don't really remember where I started. Play with tools. Old stuff like GPG. @npub10vlh...sp42's Programming Bitcoin has an elegant explanation of finite field elliptic curves from the ground up and other goodies. Maybe work through that. Start picking at things on the Internet. See something you don't understand, just go shave yaks until you get to the bottom of it. Rinse and repeat. Just don't be intimidated and keep going. There's a lot to learn, but none of it is too mysterious, once you get under the hood. Applied cryptography is more about wisdom and rigorous systems thinking than exotic math. Have fun!
You can get an undergrad level education from Satanford Online. The professors include legends like Dan Boneh:
Hey thanks!
Quantum is primarily a tech scam
Can you share a resource on this? Would love to learn more.
I'll post some as a response on my original note for everybody
Quantum Computers can't even factor the number 15 without cheating.
It's a researcher funding grift.
More reading
- Gil Kalai: noise kills large entangled states →
- Mikhail Dyakonov: you can't control 10³⁰⁰ parameters → https://spectrum.ieee.org/the-case-against-quantum-computing
- Robert Alicki: thermodynamics forces classical structure on big systems →
- Gil Kalai 2025 summary of the skeptics →

Thank you! I went to a QC conference in 2003 and the same things being projected then are still being projected. It's mostly nonsense
Most welcome and that's a helpful witness. This FUD has to die
Maybe QC can work at scale, rendering current cryptography useless. Maybe it cannot. But, let's assume QC can work. Let us also assume some country currently has a QC.
What do you do with it? Because, if anyone knows you have it, the world economy tanks. This is not like a nuclear weapon. Knowledge of its existence cannot be used for deterrence. No one is going to trust that it is not being used. So trust in our communication systems completely fails with knowledge of its existence. Commerce and cooperation fail. Social structures disintegrate. Order turns to disorder, which reduces the value of the QC itself.
Instead, you want to very, very quietly use it to simply stop anyone else from achieving QC, all while encouraging quick adoption of quantum resistant cryptography. You want to convince everyone that QC cannot exist for a long period of time, but still hold out its threat in the future. And if someone does figure it out alongside you, you join forces and work together to hide its existence.
But you want quantum resistance in place before you announce your QC achievement, such that you can monetize the value of the QC computing without destroying the economy which is needed to do so. In the interim, you quietly accumulate secrets.
Whether bitcoin survives this transition, as a communication system with a monetary use case, is unknown. Quantum resistance maybe bloats the blockchain and is a bridge too far, etc. IDK. Not everything will survive.
So interesting to see China lean into gold, while the US leans increasingly into bitcoin.
What I said to it before was
Also, I said this to @npub17u5d...t4tp's response, which I found a bit ironic.
I said this is fiat thinking and he said, effectively, yeah, but a lot of people are investing in it.
all bullshit since bitcoin adoption never went beyond 1% nerds n devs worldwide
> A cryptographically-relevant quantum computer is physically impossible
Lord Kelvin : "Heavier-than-air flying machines are impossible."
As bitcoiners, we can't be bearish on tech.
Why not simply ADD quantum resistance? Not removing the current scheme, just adding quantum resistance as an optional extra for those who are willing to pay the extra fee.
For small amounts, I'm okay with receiving and sending a hot potato.
But when moving sats to my cold storage "pension fund", I'd be more than willing to pay more in fees to cover the extra quantum resistance.
As a bitcoiner, I don't feel like risking my family's financial future on your mathematical assurances of impossibility of the quantum threat.
#quantum #bitcoin #btc #QC
Lord Kelvin had never seen a bird, I guess?
Him being laughably wrong about airplanes doesn't mean nature has no laws.
Physics is not a market. It's not bearish or bullish to notice that some things simply don't exist in the universe.
You're coming from a good place – protecting your family sats.
That's exactly what I'm doing too.
QC FUD is the real threat to those sats, not a quantum computer that has never appeared in 40 years.
Pushing QR into Bitcoin right now doesn't "add safety."
It does three concrete, permanent things:
1. **Security risk** – every PQ algo is new, complex, and nowhere near the battle-testing ECC has survived for decades.
2. **Fee explosion** – 15–50× higher fees forever (yes, even "optional" eventually prices normal users out).
3. **Centralization** – massive witness bloat kills pruning, kills cheap nodes, kills decentralization.
That's why miners and big-blockers quietly love QC FUD – it's free advertising for bigger blocks and higher fees.
These hype cycles are just part of the fiat world. We can't fall for them when they don't make sense, or we will get played.
Your cold-storage pension fund is safest exactly as it is today.
Let's let Bitcoin get screwed up and/or captured because of a ghost story.
The safe move for Bitcoin is to ignore this FUD. You need QR changes to Bitcoin like you need a COVID jab.
Tick tock next block.
* Let's NOT let Bitcoin get screwed up or captured because of a ghost story, is what I meant to write, of course.
On (1) : absolutely, and I wouldn't want bitcoin to replace ECC with PQ algos. I would want PQ algos added. So, if I choose to transfer to an address that also uses a PQ algo, I would then need to sign with ECC *and* with that PQ algo. For big amounts, I wouldn't want to risk it being at the mercy of a technological advancement.
On (2) : higher fees : if bitcoin Core wants to consider that, there is a lot of work to do in making it harder for spam data to price out actual monetary transactions. The higher fees argument might have hit harder last year but v30 changed that (on top of what taproot and segwit did). They even changed the definition of bitcoin to make it into a jpg network instead of p2p money.
On (3) : on killing cheap nodes : again, same as with (2), v30 pretty much affirms that Core doesn't care about that. They'll have us relay whatever spam spammers want to spam us with. Pruning is not an interesting option because it kills archival nodes and kills electrum servers.
If we fix the bad incentives to spam the network with non-monetary transactions (thereby limiting the undue competition for blockspace), we can afford to protect the network by giving the option (for those who prefer that) to also have a PQ algo in addition to ECC.
That might actually make blockspace more competitive, while keeping bitcoin a p2p money network, and might be good long-term for the network when the mining needs to run only on miner fees.
Many serious people are saying that quantum will be a threat. I'm not technically competent enough to know one way or the other. But given what's at stake, adding an optional (additional) PQ seems to be the way to go.
That's how I had read it.
Also, I have the same opinion as you do about the death jabs.
We agree: Bitcoin is money, spam is bad.
Adding PQ support is a perfect new spam vector.
15–50× bigger signatures, un-filterable.
Spammers will mint them at industrial scale the day it lands.
Execution risk is massive: new opcodes, new algos, new consensus rules = new bugs, new side-channels, new attack surface.
Security risk: PQ algos are brand-new, nowhere near ECC's decades of battle-testing.
Centralization risk: permanent chain bloat, pruning dies, cheap nodes die.
Even if it starts "optional," the signal is deafening: Bitcoin no longer trusts ECC.
Panic spreads.
Everyone – in Bitcoin and across the entire crypto space – rushes to abandon ECC. Chaotic consolidation waves, dust storms, tax headaches, for years.
And scaring people away from ECC sets the broader crypto wars back years.
People ditch the best proven, private, efficient public-key system we have for a bloated, untested replacement because of a ghost story.
Have you seen that meme going around showing the 40 years of developing cryptography that it took to create Bitcoin? Taking cryptography off track is seriously bad for the world.
If we do this we will hand the control system a critical propaganda win and drive the whole ecosystem away from the strongest tool we actually possess.
All for a threat based on the idea that this market bubble can somehow defeat the laws of physics.
We're getting played.
Similar situation. Here come the experts, hiding behind science nobody can really follow, big fake emergency.
Take the jab!
Stop using ECC!
Climate.
Quantum.
AGI.
COVID.
...
It all sort of has the same fingerprint.
Doom. Salvation. Science. Grift.
Money. Centralization. Control.
But again, I'm not even suggesting that we stop using ECC. I'm only talking about adding to it (optionally, for those who want to).
I hear you.
If it was just that easy, it would be fine.
But the problem is that adding the option is just not as easy as it sounds.
It would be a massive, dangerous, detrimental change to Bitcoin.
And it would be a huge setback for our fight against the system of surveillance and control, which is also dangerous to Bitcoin and our families.
And there is no evidence that the core problem of QC is touchable. All the scientists have done is improve isolation. They have never budged the scaling law of QM itself. So it would be based on pure speculation and hype... Coming from people who stuff their bags on that hype. Or people grifting off of it.
We've got to hold the line. It's just FUD.
