Post-quantum migration toolkit for blockchains

Important not to scaremonger here about quantum timelines. Running Shor's algorithm is not the same thing as breaking an actual 256-bit ECC key. You can use Shor's algorithm to factor a number—that will be impressive—but will take a huge degree of scaling and engineering to factor a number with hundreds of digits. @metaculus is projecting first RSA number gets factored using Shor's algorithm in 2034. That gives us median estimate ~10 years before modern public key crypto is definitively broken. (That said, can happen sooner! It's not a point estimate, but a distribution, fuzzy on both the downside and upside.) Also worth noting that this estimate has significantly come down in the last 3 years. In 2022, Metaculus was forecasting 2052, so the timer has come down by almost 20 years since then. Progress is certainly ahead of schedule. Important to take seriously. But not imminent by any means. All blockchains will need to adapt to post-quantum cryptography. An orderly transition probably needs at least 4 years, which means we have the next few years to decide on a viable upgrade path.

@hosseeb We don't need to panic, but we need to get serious. I wish people would stop referencing metaculus. It's just a random survey platform without any mechanism to filter people w/ authority from randos on the internet. And there aren't enough votes in there for the results to be meaningful anyway. (@dallairedemers and I single-handedly moved the timeline down a few months back with our votes) Here's what we know to be fact: 1) Quantum computers at sufficient scale will break crypto at the most fundamental level imaginable.. 2) Experts like Scott (who advises the EF and has spent his whole career in this field) are striking a different tone about the timeline than ever before. 3) Resource estimates for running Shor's Algorithm have dropped by 20x over the course of this year, reflecting progress in error correction kicked off a year ago by Google's Willow Chip: https://t.co/XBvTkknwd1 (this doesn't even account for the 10x improvement of LDPC codes over surface codes)