a16z's 10,000-word article (Part 1): The Misunderstood "Quantum Supremacy"—You Don't Need to Panic Before 2030

This article from a16z clarifies widespread misconceptions about the quantum computing threat to cryptography, arguing against panic and for a nuanced, risk-based migration strategy.

Key Points:

  • Quantum Threat Timeline is Overstated: The emergence of a "Cryptography-Relevant Quantum Computer" (CRQC) capable of breaking current encryption (like RSA-2048) is unlikely before 2030. Current hardware is far from the required scale of thousands of error-corrected logical qubits needed to run Shor's algorithm effectively.
  • Different Cryptographic Primitives, Different Urgency:
    • Encryption requires immediate action due to "Harvest Now, Decrypt Later" (HNDL) attacks. Sensitive data encrypted today could be harvested and decrypted later when CRQCs exist.
    • Digital Signatures (used in blockchains) face a different logic. They are not vulnerable to HNDL attacks. An attacker cannot retroactively forge a signature made before a CRQC exists. Therefore, migration to post-quantum signatures can be more deliberate.
  • Costs of Premature Migration: Hastily adopting post-quantum signatures (which are larger, slower, and less mature) introduces performance overhead and new risks, potentially distracting from more immediate security threats like code bugs.
  • Clarifying Common Misconceptions:
    • "Quantum advantage" demonstrations are for tailored tasks, not practical cryptanalysis.
    • Claims of thousands of qubits often refer to annealers, not the gate-model machines needed for cryptography.
    • The term "logical qubit" is frequently misused; true fault-tolerant logical qubits for cryptanalysis require hundreds to thousands of physical qubits each.
  • Impact on Blockchain & ZK-Proofs:
    • Blockchain signatures are safe from HNDL, only vulnerable to forgery after a CRQC exists.
    • zkSNARKs' zero-knowledge property remains secure even against quantum computers. Proofs generated before a CRQC exists cannot be "decrypted" later to reveal secrets, making them immune to HNDL attacks. Only the ability to forge new, false proofs emerges post-CRQC.

Conclusion: The migration to post-quantum cryptography should be risk-aligned. While post-quantum encryption should be prioritized now, a more measured, cost-benefit approach is warranted for signatures and related technologies like zkSNARKs, as the existential quantum threat to them is not immediate.

Summary

Today, market predictions about when a "cryptographically relevant quantum computer" (CRQC) will appear are often too radical and exaggerated, leading to calls for an immediate and comprehensive migration to post-quantum cryptography.

However, these calls often overlook the costs and risks of premature migration, as well as the drastically different risk attributes between different cryptographic primitives:

  • Post-quantum encryption does indeed need to be deployed immediately, despite its high cost: "Harvest Now, Decrypt Later" (HNDL) attacks are already occurring. Sensitive data encrypted today may still be valuable decades from now, when quantum computers exist. Implementing post-quantum encryption incurs performance overhead and execution risk, but for data that requires long-term confidentiality there is no alternative in the face of HNDL attacks.
  • Post-quantum signatures face a completely different risk calculus: they are not affected by HNDL attacks. Moreover, the costs and risks of post-quantum signatures (larger size, worse performance, immature implementations, and potential bugs) call for a thoughtful, rather than hasty, migration strategy.

Clarifying these distinctions is crucial. Misunderstandings can distort cost-benefit analyses, causing teams to overlook more critical security risks—such as code bugs.

In the migration to post-quantum cryptography, the real challenge lies in aligning the sense of urgency with actual threats. The following section clarifies common misconceptions about the quantum threat by covering encryption, signatures, and zero-knowledge proofs (especially their impact on blockchain).

How far are we from the quantum threat?

Despite the hype, the likelihood of a "cryptographically relevant quantum computer" (CRQC) emerging in the 2020s is extremely low.

By "CRQC," I mean a fault-tolerant, error-corrected quantum computer large enough to run Shor's algorithm within a reasonable timeframe to attack elliptic curve cryptography or RSA (e.g., cracking secp256k1 or RSA-2048 within a month at most).

A reasonable reading of public milestones and resource estimates shows we are still a long way from building such a machine. While some companies claim CRQC could be available by 2030 or 2035, currently known progress does not support these claims.

Objectively speaking, looking at all current technological architectures—ion traps, superconducting qubits, neutral atom systems—no platform today comes close to the hundreds of thousands to millions of physical qubits required to run Shor's algorithm (depending on the error rate and error correction scheme).

Limiting factors include not only the number of qubits, but also gate fidelities, qubit connectivity, and the depth of the continuous error correction circuitry required to run deep quantum algorithms. While some systems now have more than 1,000 physical qubits, simply looking at the number is misleading: these systems lack the connectivity and fidelity required for cryptographic computations.

Recent systems are beginning to approach the threshold for quantum error correction to take effect in terms of physical error rate, but no one has yet demonstrated more than a few logical qubits with sustained error-correcting circuit depth… let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits actually required to run Shor's algorithm. The gap between “proving that quantum error correction is feasible in principle” and “achieving the scale required for cryptanalysis” remains enormous.

In short: CRQC remains a long way off unless both the number of qubits and the fidelity increase by several orders of magnitude.
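To make the "hundreds to thousands of physical qubits per logical qubit" and "hundreds of thousands to millions of physical qubits" figures concrete, here is an added back-of-the-envelope estimator (example code written for this page, not from the a16z article). It assumes the standard surface-code heuristics: a per-cycle logical error rate of about 0.1·(p/p_th)^((d+1)/2) for a distance-d code at physical error rate p below a threshold p_th of roughly 1%, and about 2d² physical qubits per logical qubit. The 2,000 logical qubits and 10^12 code cycles used as inputs are assumed round numbers, not a published resource estimate, and routing and magic-state overhead are ignored.

```python
"""Surface-code overhead estimator for the 'physical qubits per logical qubit' claim.

Added example, not code from the a16z article. Two standard heuristics are used,
both labelled here as assumptions rather than measurements:
  * logical error rate per code cycle  p_L ~ 0.1 * (p / p_th) ** ((d + 1) / 2)
    for a distance-d surface code at physical error rate p below threshold p_th
  * roughly 2*d^2 - 1 physical qubits per rotated surface-code patch
"""

P_THRESHOLD = 1e-2  # assumed surface-code threshold, about 1% physical error rate


def logical_error_rate(p: float, d: int, p_th: float = P_THRESHOLD) -> float:
    """Heuristic per-cycle logical error rate of one distance-d surface-code patch."""
    return 0.1 * (p / p_th) ** ((d + 1) / 2)


def required_distance(p: float, target: float, p_th: float = P_THRESHOLD) -> int:
    """Smallest odd code distance whose logical error rate meets `target`.

    Raises if p is at or above threshold: adding physical qubits then makes the
    logical qubit worse, not better, which is why a raw qubit count says nothing
    without fidelity numbers.
    """
    if p >= p_th:
        raise ValueError("physical error rate must be below the threshold")
    d = 3
    # 1e-9 relative slack absorbs floating-point noise at exact boundaries
    while logical_error_rate(p, d, p_th) > target * (1 + 1e-9):
        d += 2
    return d


def physical_qubits_per_logical(d: int) -> int:
    """Data plus measurement qubits of one rotated surface-code patch."""
    return 2 * d * d - 1


def estimate(p: float, logical_qubits: int, logical_cycles: float,
             p_th: float = P_THRESHOLD) -> tuple:
    """Return (distance, physical per logical, total physical) for a run of
    `logical_cycles` code cycles on `logical_qubits` patches, budgeting for
    roughly one expected logical failure over the whole run. Routing, magic-state
    factories and measurement overhead are deliberately ignored (assumption)."""
    target = 1.0 / (logical_qubits * logical_cycles)
    d = required_distance(p, target, p_th)
    per_logical = physical_qubits_per_logical(d)
    return d, per_logical, per_logical * logical_qubits


if __name__ == "__main__":
    # Assumed inputs: 2,000 logical qubits kept alive for 1e12 code cycles.
    for p in (5e-3, 1e-3, 1e-4):
        d, per, total = estimate(p, 2000, 1e12)
        print(f"p={p:.0e}: distance {d}, {per} physical/logical, {total:,} physical total")
```

Running it shows the page's point from two angles: at a 0.1% physical error rate each logical qubit costs on the order of a thousand physical qubits and the whole machine lands in the millions, while an order-of-magnitude fidelity improvement cuts that by roughly 4x; and at or above the threshold the estimator refuses to answer at all, because more physical qubits would make the logical qubit worse.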

However, people can easily get confused by corporate press releases and media reports. Here are some common sources of misunderstanding:

  • Demonstrations claiming "quantum advantage": These demonstrations currently target contrived tasks. The tasks are chosen not because they are practical, but because they can run on existing hardware and exhibit huge quantum speedups, a fact often obscured in the announcements.
  • Companies claiming to possess thousands of physical qubits: This usually refers to quantum annealers, not the gate-model machines needed to run Shor's algorithm against public-key cryptography.
  • The misuse of the term "logical qubit": Quantum algorithms (such as Shor's algorithm) require thousands of stable logical qubits. Through quantum error correction, we can implement a single logical qubit using many physical qubits—typically hundreds to thousands. However, some companies have misused this term to an absurd degree. For example, a recent announcement claimed to have implemented 48 logical qubits using only two physical qubits per logical qubit. This low-redundancy code can only detect errors, not correct them. True fault-tolerant logical qubits used for cryptanalysis require hundreds to thousands of physical qubits each.
  • Playing with definitions: Many roadmaps use "logical qubit" to refer to qubits that only support Clifford operations. These operations can be efficiently simulated by classical computers and are therefore simply insufficient for running Shor's algorithm.

Even if a roadmap's goal is "to achieve thousands of logical qubits in year X," it doesn't mean the company expects to be able to run Shor's algorithm to break classical cryptography in that year.

These marketing tactics have severely distorted the public's (and even some seasoned observers') perception of how imminent the quantum threat is.

Nevertheless, some experts are indeed excited about the progress. Scott Aaronson recently stated that, given the pace of hardware advancements, he believes it is "possible to have a fault-tolerant quantum computer running Shor's algorithm before the next US presidential election." However, he also explicitly stated that this is not the same as CRQC, which could threaten cryptography: even simply factoring 15 = 3 × 5 in a fault-tolerant system would be considered a "successful prediction." This is clearly not on the same scale as breaking RSA-2048.

In fact, all quantum experiments that have "factored 15" use simplified circuits rather than the full fault-tolerant Shor's algorithm, and factoring 21 has required additional hints and shortcuts.

In short, there is no publicly available progress to prove that we can build a quantum computer that can crack RSA-2048 or secp256k1 within the next 5 years.

Even within ten years, this remains a very aggressive prediction.

The US government has set 2035 as the target for completing the post-quantum migration of federal systems. This is the timeline for the migration project itself, not a prediction that a CRQC will emerge by then.

Which cryptographic systems are HNDL attacks applicable to?

"HNDL (Harvest Now, Decrypt Later)" refers to an attacker storing encrypted communications now, to be decrypted later when quantum computers are available.

Nation-level adversaries may already be archiving encrypted communications of the U.S. government on a large scale for future decryption. Therefore, encryption systems need to be migrated immediately, especially in scenarios where the confidentiality period is 10–50 years or more.

However, digital signatures, on which all blockchains rely, differ from encryption: a signature carries no confidential information that could be recovered later.

In other words, once a CRQC exists it becomes possible to forge new signatures from that moment on, but past signatures are unaffected: they contain no secret to reveal, and a signature that can be shown to have been produced before the CRQC existed (for example, one committed in a block mined years earlier) could not have been forged.

Therefore, the urgency of migrating to post-quantum signatures is far less than that of migrating encryption.
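The asymmetry between an archived ciphertext and an archived signature can be seen in a few lines of code. The following is an added example, not from the a16z article: textbook RSA with a toy modulus, with trial-division factoring standing in for Shor's algorithm on a CRQC. The primes, messages and the hash-chain "anchor" are constructed for illustration, and nothing here is secure; the point is only what the attacker gains in each case once the key can be broken.

```python
"""Why 'harvest now, decrypt later' hurts encryption but not past signatures.

Added example, not code from the a16z article. Textbook RSA with a tiny
modulus stands in for real key sizes, and trial-division factoring stands in
for Shor's algorithm on a CRQC. Nothing here is secure.
"""
import hashlib
from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two (toy-sized) primes: returns (pub, priv)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest(n: int, msg: bytes) -> int:
    """SHA-256 of the message reduced into the RSA group (toy padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(n, msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(n, msg)


def crqc_recover_private_key(pub):
    """Stand-in for Shor's algorithm: factor n (feasible only because n is tiny)."""
    n, e = pub
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("no factor found")


def hndl_on_ciphertext(pub, archived_ciphertext: int) -> int:
    """Attacker archived the ciphertext years ago; after the break it is plaintext."""
    return decrypt(crqc_recover_private_key(pub), archived_ciphertext)


def hndl_on_signature(pub, archived_msg: bytes, archived_sig: int):
    """Same attacker, same break, but the archive holds a signature.

    Returns (old signature still valid, attacker can forge a new one). The
    archived signature contains nothing to decrypt: the message was public all
    along. What the break buys the attacker is forward-looking only, namely
    forgeries under this key from now on.
    """
    priv = crqc_recover_private_key(pub)
    forged = sign(priv, b"attacker-chosen message")
    return (verify(pub, archived_msg, archived_sig),
            verify(pub, b"attacker-chosen message", forged))


def anchor(prev_anchor: bytes, sig: int) -> bytes:
    """Hash-chain commitment (think block header) that fixes a signature in time.
    A forgery made after the break yields a different anchor than the one
    recorded before it, so it cannot be passed off as a pre-CRQC signature."""
    return hashlib.sha256(prev_anchor + sig.to_bytes(16, "big")).digest()


if __name__ == "__main__":
    # Constructed toy key: 999983 and 1000003 are the primes on either side of 1e6.
    pub, priv = keygen(999983, 1000003)
    c = encrypt(pub, 123456789)
    print("archived ciphertext after the break:", hndl_on_ciphertext(pub, c))
    sig = sign(priv, b"pay bob 1 coin")
    print("(old sig valid, forgery possible):", hndl_on_signature(pub, b"pay bob 1 coin", sig))
```

The ciphertext case is HNDL in miniature: the attacker learns the plaintext of something it could only store before. In the signature case the break yields no information about anything signed earlier, and a record that commits to the signature before the break (the `anchor` above) lets a verifier distinguish it from any later forgery.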

Mainstream platforms have also adopted corresponding strategies:

  • Chrome and Cloudflare have deployed X25519 + ML-KEM in hybrid mode for TLS key exchange.
  • Apple iMessage (PQ3) and Signal (PQXDH, SPQR) likewise deploy hybrid post-quantum key agreement.

However, the deployment of post-quantum signatures on critical web infrastructure has been deliberately delayed—it will only take place when CRQC is really close, because the current performance regression of post-quantum signatures is still significant.

The situation is similar for zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge). Even when a zkSNARK is built on elliptic curves (which are not post-quantum secure), its zero-knowledge property still holds against a quantum adversary.

Zero knowledge guarantees that a proof reveals nothing about the secret witness, so there is nothing for an attacker to "collect now and decrypt later." zkSNARKs are therefore not vulnerable to HNDL attacks. Just as signatures generated today remain trustworthy, any zkSNARK proof generated before the advent of a CRQC remains credible, even if the zkSNARK relies on elliptic curve cryptography. Only after a CRQC exists can an attacker forge proofs of false statements.


Author: Conflux

This article represents the views of a PANews columnist and does not represent PANews' position; PANews bears no legal liability for it.
