Reality is neutral. The mind is productive of a blend of emotion, adaptive behavior, perceptions, and intellectual ideas that by our actions enter reality, the realm of consequences, which prove adaptive (Realistic, “good”) or maladaptive (Unrealistic, “bad”) vis-à-vis Survival.
⚛️Post-Quantum Cryptography: The Migration No One Can Outsource
There is no quantum computer breaking Bitcoin today. None breaking Ethereum, your bank, or the internet. Anyone selling that headline has a product to sell.
The honest version is more uncomfortable. The timelines are pulling forward, the public record probably does not show the full frontier, and most of the ecosystem is still ordering caipirinhas at the bar while the water pulls back from the beach.
I was hesitant to put it in such direct terms. But this is a migration we collectively agreed to do, with a deadline, and we are late. So let me call it what it is.
1. Quantum is not a fast computer
Fix this in your head first. A quantum computer runs on qubits with superposition and entanglement, only holds its state near absolute zero, and does not do more of what classical computers do. It does different things. One of them is Shor's algorithm, which breaks the asymmetric cryptography (RSA, ECDSA) that protects almost everything you do online.
2. What changed in the last few weeks
(Wild) estimates of "Q-day" have moved from "10% by 2030" to "50% by 2032" in serious recent work. Then two things happened back to back.
Google published a paper showing Shor's algorithm breaks ECDSA, the signature scheme used by almost every blockchain, with far fewer logical qubits than previously assumed. They published the result without the construction, attaching a zero-knowledge proof instead. We now know this was the outcome of US government pressure to keep the details classified.
Then the open source community used Google's ZK verifier as a reward function in a reinforcement learning loop. An LLM generates candidate Shor circuits, the verifier scores them, the loop iterates. Two days in, the model matched Google. By the time we recorded the podcast, it was already 20% better; it's now 41%!! (cf. https://t.co/bYawK8RPU3)
Read that again. AI is now actively compressing the path to Q-day, using a verifier that exists because the result was classified.
3. "When" is the wrong question
Cryptography is a trust mechanism. It does not fail on Q-day. It fails the moment the trust is no longer credible, which is much earlier.
The threat splits into two pieces with very different deadlines:
Authentication. A quantum attacker recovers your private key from your public key and signs as you. As long as we migrate signatures before Q-day, this is contained.
Encryption. Harvest now, decrypt later. An attacker captures encrypted traffic today and decrypts it the day they get the machine. For anything that needs to stay confidential in ten or fifteen years, it is already late. Nothing you do tomorrow fixes 2026.
4. The migration is happening, unevenly
NIST standardized the first post-quantum algorithms in 2024 (ML-KEM, ML-DSA, Falcon, SPHINCS+). The deadline is 2030 for critical systems, 2035 for the long tail. Two years are already gone. Most of the industry has not started.
Centralized systems will get there. The path is painful but linear, and compliance forces it. PQC readiness is becoming an institutional due diligence requirement. The interesting drama is somewhere else.
5. Bitcoin's hard problem is not cryptography
Blockchain cryptography is simple. The cryptographers in this industry know exactly what to migrate to. The bottleneck is social consensus, on a system designed to make governance expensive. That is the property that keeps Bitcoin credibly neutral. It is also the property that makes a coordinated migration genuinely hard.
The trade-offs are real. Hash-based signatures (SPHINCS+, the Blockstream "SHRIMPS" line) are conservative and well understood, but roughly an order of magnitude larger than what Bitcoin uses today. They would push throughput from around 7 transactions per second to under 1 (without blocksize change). Lattice-based signatures (ML-DSA, Falcon) are smaller and faster, but have only ~25 years of public cryptanalysis. The world outside blockchain is converging on ML-DSA. Almost no blockchain wants to follow.
You also lose properties you have come to rely on. Threshold signatures and MPC, which underpin a meaningful slice of modern custody, are awkward or impossible on hash-based schemes and clunky on lattice ones. Call it what it is: post-quantum cryptography is resistant against quantum adversaries and worse on almost every other dimension we care about. There is no free-lunch version.
6. The Satoshi question
Migration must be one way. If users can move freely between legacy and PQ addresses, most will not move, and half a migration is no migration. A 50% migrated chain is still a chain a quantum attacker can drain to zero.
That leaves dormant coins. Satoshi's million BTC. Lost wallets. Dead keys. Three options, none of them comfortable:
Leave them. Honest to the original ethos, operationally suicidal.
Burn them. Honest accounting. The 21 million was always an upper bound. Politically explosive.
Freeze and redistribute as block reward over time. Rebuilds the long-term security budget that, mathematically, is going to struggle. Of the three, the least bad.
The uncomfortable part is admitting that "do nothing" is itself a choice with consequences.
7. Hard forks are the most likely path
Honest prediction. The community will not reach a single clean social consensus in time. Several opinionated groups will ship their own post-quantum forks, with different signature choices, different migration windows, different stances on dormant coins.
Then the market decides. Liquidity, miners, custodians, exchanges, ETFs. The "real" Bitcoin will be the chain people trust against a quantum threat. At that point cryptography becomes timing, marketing, and politics as much as math. That is the downside of the decentralization we asked for. Pretending otherwise is theater.
8. The glimmer
This ecosystem is resilient. We have the best (applied) cryptographers in the world working on this. The migration will be ugly. It will get done.
What we need is urgency, and the urgency is arriving. Not because Q-day arrived, but because the timeline is collapsing in public, in the papers, and in the AI loops chewing on classified results in real time.
The biggest risk is not quantum arriving early. The biggest risk is crypto starting late.
No panic. But no cappuccinos by the beach either. The water is pulling back. Serious people should start moving.
@usanewshq Wow so we can an illustration looks like the actual event, no one answers how to actually set up a drone to fly inside a car. Comments divert into the meta of how to measure instead of solving the practical engineering question. There is an actual answer. Geez, we are so lost.
We are well past the point where the last tankers of pre-war exports have reached their destination. So, everyone's just been burning through stocks, and at some point, in either June or early July, we're going to basically reach minimum operating inventory levels for half the world, if not more.
Prices go through the roof because there isn't enough throughput. It's not that people have cut refinery runs for the most part. It's the simple fact that we're running out of feedstock. And when that happens, you get this lovely thing called demand destruction, where prices rise to a point that some parts of the economy, some people in some parts of the world can't afford the crude-derived products at all.
When that happens, their demand is destroyed until prices fall back into line. The last time the world experienced this scale of disruption wasn't the oil crises in the 70s or 80s. It was World War II when everything got sunk. So, historically unprecedented is the term. And keep in mind that with deglobalization, some large-scale version of this would happen regardless.
#iranwar #crudeoil #geopolitics
@PeterZeihan The only option remaining for Putin is “mobilization” (draft) of military age citizens to surge the headcount of Russian infantry on the battlefield next spring.
The calculation is whether UK drone war can deter Putin by mathematically outrunning mobilization with casualty rates
@Bigkev451@4HeatherHill ZETA I mentioned it before and after earnings. Entered calls for May, June and July back then. Appreciate TTP so much, trying to contribute when I can.