My understanding is Bitcoin unspent transaction outputs (spendable bitcoins) are spendable depending on the script (some opcodes that are agreed upon). The most common is pay to public key hash.

So you not only need to solve secp256k1 ECDSA, but your bitcoin UTXO is also protected by the hash function which derives the address.

Put another way, starting with an address, you need to reverse engineer a hash collision (super difficult) to find a public key, as that has not been announced yet. Then find a private key for that.

So you need to break two technologies.

Also my understanding is that quantum can only reduce complexity by sqrt, so a 2^256 problem is reduced only to 2^128, which is unsolvable.

I think we're safe for now.

And if ECDSA does get broken, it will be more like "we can generate keys in 2 years" and, practically speaking, everybody can transfer their bitcoin UTXOs to a new script by only exposing their public key for a short time (tens of minutes) into the transaction mempool. Not enough time to break it.
I wonder what the timeline will look like as each thing gets broken. This is only talking about the privacy of the wallet. There's the hashing to compute the next block; when that's broken the chain is no longer secure.

So the important thing is the timing of these events, when they happen, who knows first and for how long.

If asymmetric cryptography is broken, it won't only be Bitcoin wallets we have to worry about; we'll have problems everywhere to deal with.
Counterpoint to the article's interviewee claiming that the cryptopocalypse will occur with forewarning: nation states may seek to keep QC advances secret.

Also, QC breakthroughs can happen overnight.

Combine those two realities and we could have an institution or government wielding a Shor's-enabled QC in private without notice or fanfare.