This is a reasonable take on quantum computing and well worth the read. Hunter Beast (@cryptoquick) is the main author behind one of the quantum resistance BIPs (BIP 360). Emphasis added.
Okay, so here's the deal with quantum.
@Snowden leaked in 2013 the existence of a program called Penetrating Hard Targets. The NSA was working with defense contractors and the University of Maryland to build a quantum computer for the purposes of breaking public key cryptography. They've likely spent billions on this program in all its years of existence, though we can't know if that's true unless we have more patriots like Snowden step forward to call out the deep state on their evil shenanigans.
NIST has also been working on post-quantum cryptography. The shield against the sword. No cryptography gets published by NIST that doesn't also get approval from the NSA. They're joined at the hip.
It's possible that the NSA spent billions breaking cryptography just to give us cryptography to replace it.
They want to create the disease and sell the cure.
This is your deep state tax dollars at work. The spooks are at it again fellas. And quantum computing is not sovereign computing, they cost billions to make and millions to run, so good luck with that "don't trust, verify" principle.
What does this mean?
Well, for one, Bitcoin will be under threat someday. Could be that one day PsiQuantum or someone like them will be approached to fill the SBR with Satoshi's coins. Or maybe China wants to get in on the action after being late to the party.
The NSA is infamous in Bitcoin circles because Satoshi famously used the lesser-known and less popular secp256k1 curve despite the existence of the more widespread secp256r1, aka P256. P256 turns out to use hardcoded "random" constants that may have been suspiciously chosen. We can't prove they were randomly chosen. secp256k1 used the Koblitz curve as its starting constant, which is just simple multiplication and doesn't look suspiciously chosen.
This is part of a larger concern around kleptography, where cryptography is introduced that deliberately compromises secrets. They have in the past supported the distribution of a deliberately flawed RNG (Dual_EC_DRBG) and as far as I'm concerned, as a result, NIST has zero trustworthiness.
So what do we do? Well, we can't cargo cult NIST cryptography, for one. I think SLH-DSA is better because we can base it on SHA-256, which is not what the NSA recommends but Bitcoiners know it works perfectly fine and isn't anywhere near being broken, either cryptanalytically or via Grover's algorithm (@dallairedemers says we would need a quantum computer bigger than the Moon to run Grover's over a 256 bit hash). So, it makes sense to base signatures on them using hash-based cryptography approaches like SLH-DSA.
Fortunately, people like @n1ckler, @roasbeef, and @conduition_io have done deep dives into SLH-DSA and have found it to be solid. Also, it's worth noting that it was partly designed by the goat, DJB, @hashbreaker, who also built the curve used to secure Monero and Signal, and lots of other good and useful stuff.
Anyway, that's why I think the good "gold standard" case for cryptography we understand well and can use to our advantage is for SLH-DSA (also known as SPHINCS) to be used with BIP 360 in a tapleaf, along with a hybrid approach where we do not stop using secp256k1. We would base it on SHA-2 because we know that works well. We would probably not modify other security parameters in order to maintain hardware compatibility and acceleration. For NIST I level security, which is the same level of security that secp256k1 offers (@_weidai says it offers only 128 bits of security, despite its name), if used with BIP 360 and accounting for the witness discount, pk+sig size in the witness will be about 2,000 vB. For comparison, pk+sig for Schnorr is about 25 vB.
Yes, this will reduce the throughput of Bitcoin. We are actively planning how to handle the problem of scaling post-quantum cryptography on Bitcoin, but that's a separate problem, and judging by the mempool these days, I'm certain Bitcoin can handle that for some time. Besides, there's no reason to select a PQC option before Q-day is confirmed. Long exposure attacks will occur before short exposure attacks, and PQC is only necessary to protect against short exposure attacks. (For more on these definitions, please see the glossary for BIP 360 on http://bip360.org)
I think we have a solid strategy around this and we will be working hard to execute and communicate it next year. Basically we want to get BIP 360 finalized, then come up with an SLH-DSA BIP, and deploy that to secure real money on the Anduro sidechain that leverages a specially designed quantum resistant bridge. We will also work on what to do about coins held in exposed public keys, fleshing out the Hourglass BIP more, also linked on http://bip360.org. There's a ton of work left to do, but we have a solid and talented team and have received a lot of support from the community and among Core devs. If you want to help now, please read the recently rewritten version of BIP 360 that now has a third co-author, @isabelfoxenduke. You can find it on http://bip360.org. More updates and info coming soon! Thanks to everyone involved for their help and support and please enjoy the holidays! Merry Christmas, everyone!
Also, I realize there are lots of conspiratorial claims in this post that don't always have a lot of evidence. Consider it part of a threat model with plausible incentive structures and reasoned speculation. Also remember, the spooks probably know a lot more than we know. That's just how spooks are. Additionally, it's also fair to disclose that I now earn a living working on solving this problem that the NSA had a part in creating. I work for @andurobtc, which is incubated by @MARA. They have 5% of the hashrate and run Slipstream, which is essential for the design of a quantum resistant sidechain bridge, which is why I joined them a year ago. They've been incredibly supportive of my work so far, I even lead a small team of devs to help build all these solutions.
I remain a contractor and not an employee so that I can speak up if I see something I disagree with and I do not have a stake in the company itself so that I can maintain neutrality. Stocks are a boomer meme anyway (although I do appreciate the enthusiasm of the "MARA pigs" who sometimes pop up in my mentions). I'm a Bitcoin only guy and if I ever want to retire, then Bitcoin must surmount this threat, and the next.
Bitcoin is antifragile and a civilizational imperative.
Stay prepared, not scared, my friends.
Quantum signature size is almost 100x bigger. PQC does not scale on Bitcoin.
It also seems kind of silly to me to be worrying about quantum resistance now when Shor's algorithm on a quantum computer has seen no progress since 2012 when the number 21 was factored.
How I feel reading this post
Also, this is pretty funny:
[source](https://x.com/coinjoined/status/2003184389430346187)
https://twiiit.com/coinjoined/status/2003184389430346187
https://twiiit.com/cryptoquick/status/2003014023412170892
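The quoted post argues for signatures built purely on SHA-256 (SLH-DSA) and notes that the public key plus signature comes to roughly 2,000 vB versus about 25 vB for Schnorr. As an added illustration that is not code from the post, from BIP 360, or from any SLH-DSA implementation, here is a minimal Lamport one-time signature in Python, the simplest ancestor of the constructions SLH-DSA is assembled from. It shows concretely where the size comes from: every bit of a SHA-256 message digest reveals one 32-byte preimage, so a signature is 256 hash outputs. The function names, the `LamportSigner` wrapper and its one-time-use guard are constructions of this example, not part of any standard.

```python
import hashlib
import secrets

HASH_BYTES = 32            # SHA-256 output length, the hash the post proposes to build on
N_BITS = HASH_BYTES * 8    # one secret-key pair per bit of the message digest


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of each preimage (nothing but a hash function is needed)."""
    sk = [[rng(HASH_BYTES), rng(HASH_BYTES)] for _ in range(N_BITS)]
    pk = [[sha256(s0), sha256(s1)] for s0, s1 in sk]
    return sk, pk


def _digest_bit(digest: bytes, i: int) -> int:
    # Bits are taken most-significant-first within each byte.
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message: bytes) -> list:
    """Reveal, for each digest bit, the preimage matching that bit's value."""
    digest = sha256(message)
    return [sk[i][_digest_bit(digest, i)] for i in range(N_BITS)]


def verify(pk, message: bytes, sig: list) -> bool:
    """Hash each revealed preimage and compare against the public key entry selected by the digest."""
    if len(sig) != N_BITS:
        return False
    digest = sha256(message)
    return all(sha256(sig[i]) == pk[i][_digest_bit(digest, i)] for i in range(N_BITS))


def sizes() -> dict:
    """Byte sizes of a Lamport key pair and signature at this parameter set."""
    return {"pk_bytes": 2 * N_BITS * HASH_BYTES, "sig_bytes": N_BITS * HASH_BYTES}


class LamportSigner:
    """Enforces the one-time property: a second signature with the same key would reveal
    both preimages for every digest bit that differs, so the signer refuses it."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, message: bytes) -> list:
        if self.used:
            raise RuntimeError("Lamport key already used; refusing to sign again")
        self.used = True
        return sign(self.sk, message)


if __name__ == "__main__":
    signer = LamportSigner()
    msg = b"constructed sample transaction"
    sig = signer.sign(msg)
    print("valid:", verify(signer.pk, msg, sig))
    print("tampered:", verify(signer.pk, msg + b"!", sig))
    print("sizes:", sizes())
```

Running this gives a 16,384-byte public key and an 8,192-byte signature, against a 32-byte key and 64-byte signature for Schnorr. SLH-DSA keeps the public key at 32 bytes and makes the key reusable by layering WOTS+, FORS and a Merkle hypertree on this same hash-chain idea, but the signature still consists of many hash outputs: SLH-DSA-SHA2-128s signatures are 7,856 bytes, which after the 4x witness discount is roughly the 2,000 vB figure the post quotes. The `used` flag is the toy version of the state that a naive hash-based scheme must track; SLH-DSA's stateless design exists precisely so that wallets do not have to get that bookkeeping right.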