
Scott Aaronson did a very fun AMA on SN which I found fairly informative. And then he was elected into the national academy of sciences (for whatever that is worth).

Today he is out with a new blog post that doesn't sound very good for elliptic curve cryptography.

See, some of the most reputable people in quantum hardware and quantum error-correction—people whose judgment I trust more than my own on those topics—are now telling me that a fault-tolerant quantum computer able to break deployed cryptosystems ought to be possible by around 2029.
here’s what I do know: the companies racing to scale up fault-tolerant QC have no plans to slow down in order to “give cybersecurity time to adapt” or whatever. The way they see it, cryptographically relevant QCs will plausibly be built sometime soon: indeed, it’s ultimately unavoidable, even if people’s only interest in QC was to do quantum simulations for materials science and chemistry. So, given that reality, isn’t it better that it be done first by mostly US-based companies in the open, than by (let’s say) Chinese or Russian intelligence in secret? And besides, haven’t there already been years of warnings and meetings about the quantum threat to RSA, Diffie-Hellman, and elliptic curve cryptography? Aren’t many in cybersecurity still in denial about the threat? Haven’t these slumberers shown that they won’t wake up until dramatic achievements in fault-tolerant QC roust them—the way Anthropic’s Mythos model has now jolted even the most ostrich-like about the cybersecurity risks of AI? So, mixing metaphors, mightn’t we just as well rip this Band-Aid off ASAP, rather than giving foreign intelligence agencies extra years to catch up? Indeed, when you think about it that way, isn’t racing to build a cryptographically relevant QC, as quickly as possible, the most ethical, socially responsible thing for an American QC company to do?

Now, it seemed like most of us were a little skeptical of Mythos and all that...yet it does seem like AI is going to cause some changes in the way vulnerabilities are discovered. So, here is Aaronson telling us that quantum is gonna wreck our shit.

And I’d say that that makes my own moral duty right now ironically simple and clear: namely, to use my unique soapbox, as the writer of The Internet’s Most Trusted Quantum Computing Blog Since 2005™, to sound the alarm.

So, here it is: if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning. Please start switching to quantum-resistant encryption, and urge your company or organization or blockchain or standards body to do the same.

He coins the term "Shor of Damocles":

It’s not my place here to answer such questions; I leave further ethical and geopolitical debate to the comment section! My point is simply: whether or not anyone likes it, this is how some of the leading QC companies are now thinking about the Shor of Damocles that they genuinely believe now hangs over the Internet.

So, think of this what you will.

Every day I wake up

Quantum is a nothing burger 😒

OMG WE NEED TO UPGRADE YESTERDAY 🚨

Somewhere in the middle the truth lies. But for me it’s the physics behind it. I can get over the fact that qubits need to operate at near absolute zero temps.

We can barely keep modern chips cool now, and I am expecting a company to solve this physics problem in three years?


It's a race though, and note that it is co-gov funded (=you're paying for your cryptographic secrets to be broken) so if you are a poor soul that is exposed to fiat (you probably are even if you aren't using it), then you also benefit if it succeeds, because then at least you weren't diluted for nothing.

I'm still in the camp of "do it right" rather than "move fast and break things", but since even NIST is focusing right now on transition w/ hybrid solutions, I'm still a fan of staging BIP-360, to at least get taproot at the same level as p2wpkh.

Maybe @Murch has knowledge about what's happening around BIP-360?

243 sats \ 1 reply \ @Murch 5 May

BIP360 was published a couple months ago. I thought someone might be working on a pull request to Bitcoin Core, but I haven't heard much about that


Thanks. I was thinking that maybe I missed something; I've been a bit distracted lately. But these things do take time and I'd honestly expect a bundle softfork - maybe with cleanup, maybe with GSR, both? It could make sense.

514 sats \ 0 replies \ @freetx 4 May
We can barely keep modern chips cool now, and I am expecting a company to solve this physics problem in three years?

To me the huge operational cost to get one of these things running is the saving grace. Such cost will require massive investment, which is ultimately going to require public demonstration and announcements of a working model. It's practically not going to happen completely in secret.

This all becomes a huge criminal / legal liability for the lab. Imagine the lawsuits if Google just started trying to brute-force crack everyone's servers using classical computers. It's no different just because they develop QC.

The counter-argument is: But this will be done by governments. Yes, that's probably true. But it doesn't really change much, because instead of legal pushback (although there could certainly be legal fights over this), there would in fact be a military response. No different than if Country A discovered Country B was hacking its computing infrastructure. There's always nukes.

My point on this is: Everyone keeps assuming that these QC attacks would be cost free, but that's not realistic; there would be massive legal / criminal / military cost to just casually "cracking all public key encryption".


Honestly, I think I'm more worried about the BTC community agreeing on anything, as opposed to the quantum threat.

Like we all know that the answer is at some point upgrading to quantum-resistant algos, but meanwhile, the community is divided and hates each other like in block wars.

the way Anthropic’s Mythos model has now jolted even the most ostrich-like about the cybersecurity risks of AI

Has the Mythos hype been proven to be rooted in reality?
Have any of the early-access users confirmed that Mythos is truly more than just an incremental improvement?

Not the topic of this blogpost, but using Mythos as a dramatic comparison point requires more than just VC hype, especially if it is used as an argument to say QC is more than just hype.

Always interesting though to read Scott's insights.

Has the Mythos hype been proven to be rooted in reality?
Have any of the early-access users confirmed that Mythos is truly more than just incremental improvement?

It doesn't really matter. The danger has been there for over a year:

  1. Security professionals that know what they are doing are able to move in hours instead of days/weeks
  2. Non-professionals may get lucky

Any increment in capabilities to any actor that is either a blackhat or an a-hole on a luck streak is an increment in danger.

At this moment with Mythos unreleased, the greatest immediate threat is that Opus 4.7 and GPT 5.5 got mainlined into subscription plans. Those are increments, yet if you ran your own adversarial analysis, you have to do it again, because the baseline changed. And pray your framework holds up (and no, plain installs of trail-of-bits skills are not holding up)


Fair enough.

  1. Non-professionals may get lucky

I probably have been interacting with too many early-career academics who fall into this category, without the actual luck factor, dismissing the actual benefits I've been experiencing in the code I've moved with a few well-targeted prompts.

the code I've moved with a few well-targeted prompts.

Adversarially? Because you need some pretty good sequence of prompts to get to validate/poc a real vuln, find the conditionals, and be able to dismiss sloppy findings.

Adversarially?

Oh no, not at all. It was an acknowledgment of my unfair instinctive habit of being dismissive of even incremental improvements, forgetting that in the big picture, these incremental improvements have been stacking up quite well into consequential improvements since the first version of ChatGPT came out. In the same line of thought, I should acknowledge that in the context of security, the latest LLMs are likely quite powerful.

to dismiss sloppy findings.

Yeah, that's what the early-career students I work with are often unable to do.

Because you need some pretty good sequence of prompts to get to validate/poc a real vuln

caveat noted

caveat noted

Caveat to the caveat is of course that you can ask the LLM to help you build the framework.

For example, I have a set of standard review instructions now for LLMs that do the preparative work I used to do manually when new releases of critical Android software come out (think: GrapheneOS itself, Signal, your LN wallet, pass/key management apps, your FOSS keyboard). I started with describing my manual process for different tech stacks (kotlin, dart+rust+bridges, react+bridges, etc.) but I've also used "retro" rounds to improve specific instructions for each app, and there the LLM proposes improvements to the prompts to me. Many are good (though I also get a lot of "this doesn't apply", which I edit out because it still needs to be checked in case it does apply in the future).

And then he was elected into the national academy of sciences (for whatever that is worth).

Post hoc ergo propter hoc


Beyond Bitcoin, note that there is no final W3C standard (draft from March 2026) for safe PQ crypto in the browser yet, causing the rise of rust/webassembly for cryptographic solutions, which has a much higher risk profile than builtins.

This is one of my major headaches at the moment and if I had to make an implementation choice today (must implement now, can't wait) then I'd go with rust+wasm too, which is wayyyy too risky for my taste in terms of other security considerations than PQ.


fuck coinbase.

212 sats \ 1 reply \ @anon 4 May

No.


Ah, you don't think you have a shor hanging by a thread above your head?

What's funny is that the sword of Damocles is supposed to represent the weight of worry that all a king's enemies impose upon him.

In a way, doubting the threat of quantum computers is kinda like doubting that Bitcoin is valuable enough to motivate real attackers.

Perhaps we have been in our infancy and are no longer so. Whether it is quantum or something else, bitcoiners need to stay on their toes.


2029 quantum apocalypse? Cool, I’ll just tell my HODL to also be quantum-resistant.

1 sat \ 0 replies \ @Cairn_Shadow 5 May -30 sats

I think the bigger concern isn't someone cracking keys in real time but the harvest now, decrypt later angle. Collecting transactions today and breaking them when the hardware is ready. Reused addresses and dormant coins are the most exposed.
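Added example (editor's code, not part of the thread or any commenter's work) to make concrete two points raised above: the wish to get taproot "at the same level as p2wpkh", and the claim that reused addresses and dormant coins are the most exposed to harvest-now-decrypt-later. The script classifies standard Bitcoin output-script templates by whether the raw public key is already in the output (P2PK, P2TR) or only a hash of it is (P2PKH, P2WPKH, P2SH, P2WSH), and then buckets a UTXO set by exposure, treating any output paying to a script that has already been spent from as exposed, since that earlier spend put the key on chain. The UTXO list, keys and hashes are constructed sample data, not real chain data.

```python
"""Which Bitcoin outputs expose a public key to a future Shor-capable attacker?

Constructed example: the output-script templates are the standard ones
(P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR); the UTXO set and the
"already spent from" set below are made-up sample data, not chain data.
"""
from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


def classify_script(spk: bytes) -> tuple[str, bool]:
    """Return (template, key_in_output).

    key_in_output is True when the raw public key sits in the scriptPubKey
    itself (P2PK, P2TR), so an attacker needs no spend to learn it.
    Hash-based templates (P2PKH, P2WPKH, P2SH, P2WSH) reveal only a hash
    until the first spend from that output script.
    """
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True                       # <push 33|65-byte key> OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False                     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh", False                      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", False                    # OP_0 <20-byte hash160(pubkey)>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh", False                     # OP_0 <32-byte sha256(script)>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", True                       # OP_1 <32-byte x-only output key>
    return "unknown", False


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_pubkey: bytes
    value_sats: int


def exposure_report(utxos, spent_from: set[bytes]) -> dict:
    """Bucket unspent value by how a harvest-now-decrypt-later attacker
    could learn the key guarding it.

    spent_from: scriptPubKeys that have been spent from at least once. That
    spend placed the pubkey (or the redeem/witness script with its keys) on
    chain, so any remaining UTXO paying to the same script is exposed too:
    this is the address-reuse case.
    """
    report = {"exposed_sats": 0, "hashed_only_sats": 0, "unknown_sats": 0, "items": []}
    for u in utxos:
        kind, key_visible = classify_script(u.script_pubkey)
        if kind == "unknown":
            bucket, reason = "unknown_sats", "unrecognised template"
        elif key_visible:
            bucket, reason = "exposed_sats", f"{kind}: public key is in the output script"
        elif u.script_pubkey in spent_from:
            bucket, reason = "exposed_sats", f"{kind}: address reused after an earlier spend revealed the key"
        else:
            bucket, reason = "hashed_only_sats", f"{kind}: only a hash is on chain until spent"
        report[bucket] += u.value_sats
        report["items"].append((u.txid, u.vout, bucket, reason))
    return report


# --- constructed sample data (fake keys, hashes and txids) ---
KEY_A = bytes.fromhex("02" + "11" * 32)   # fake compressed secp256k1 pubkey
XONLY_B = bytes(range(32))                # fake x-only taproot output key
H160_C = bytes([0xC0]) * 20               # fake hash160, address that was reused
H160_D = bytes([0xD0]) * 20               # fake hash160, fresh address

SAMPLE_UTXOS = [
    Utxo("aa" * 32, 0, bytes([33]) + KEY_A + bytes([OP_CHECKSIG]), 50_000_000),  # p2pk, dormant
    Utxo("bb" * 32, 1, bytes([OP_1, 32]) + XONLY_B, 1_000_000),                  # p2tr
    Utxo("cc" * 32, 0, bytes([OP_0, 20]) + H160_C, 250_000),                     # p2wpkh, reused
    Utxo("dd" * 32, 2, bytes([OP_0, 20]) + H160_D, 250_000),                     # p2wpkh, fresh
]
SPENT_FROM = {bytes([OP_0, 20]) + H160_C}   # the reused p2wpkh script was spent from before


if __name__ == "__main__":
    r = exposure_report(SAMPLE_UTXOS, SPENT_FROM)
    for item in r["items"]:
        print(item)
    print("exposed:", r["exposed_sats"], "hashed only:", r["hashed_only_sats"])
```

On the constructed data the dormant P2PK output, the P2TR output and the reused P2WPKH output all land in the exposed bucket, and only the fresh P2WPKH output is protected by its hash. That is the asymmetry the BIP-360 comment is getting at: a taproot output carries its x-only key in the script, so it is exposed from the moment it is created, whereas a never-spent P2WPKH output hides the key until the owner spends. The report deliberately treats P2SH/P2WSH reuse the same as P2WPKH reuse, because the first spend reveals the redeem or witness script and every key in it.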