
2025 Bitcoin and Quantum Computing Report: Current Status and Future Directions

Information Technology 2026-05-13 Chaincode Labs Aaron

Bitcoin and Quantum Computing: Current Status and Future Directions

Dr. Anthony Milton
Dr. Clara Shikhelman

The authors would like to thank Ethan Heilman, Gloria Zhao, Shai (Deshe) Wyborski, Alan Szepieniec and Stephen DeLorme for their time and efforts in review.

1. Executive Summary
   Upgrade Timeline
2. Introduction
3. Quantum Computing
   State of Quantum Computing in 2025
4. Threat Model: Quantum Risk to Bitcoin
   Public Key Vulnerability and Bitcoin Theft
   Vulnerability Classification by Bitcoin Script Type
   Other Avenues for Public Key Exposure
5. Post-Quantum Cryptography
   Post-Quantum Cryptography
   NIST’s Post-Quantum Cryptography Standardization Process
   Government Post-Quantum Initiatives and Timelines

   Post-Quantum Cryptography Efforts in Bitcoin
   Philosophical Dilemma: Burn vs. Steal
   Size and Ownership of Quantum-Vulnerable
7. Migration Pathways Overview
   UTXO Migration
   Migration Mechanisms
   Soft Fork Activation Methods
8. Path Forward
   Short-Term Contingency Measures
   Long-Term Comprehensive Path
9. Conclusion
   I. CRQC Timeline Assessment
   II. Scope of Vulnerable Funds
   III. Immediate Protective Measures
   IV. Considerations for Bitcoin Mining
   V. Burn vs. Steal Dilemma
   VI. Migration Pathways
10. References

1. Executive Summary

Cryptographically relevant quantum computers (CRQCs) pose a significant threat to Bitcoin, potentially enabling the theft of ~6.26 million BTC (~US$650 billion) and destabilizing the entire ecosystem. Funds most vulnerable to CRQCs are large institutional and exchange

Quantum computing’s potential impact on Bitcoin mining appears limited by its lack of effective parallelism, along with inherent algorithmic, economic, and hardware constraints, unlike its clear threat to Bitcoin’s cryptography. Still, there is the potential for network

Preparing Bitcoin for the quantum era will demand community-wide decisions rooted in philosophical and ideological questions, including the question of whether quantum-

Several leading cryptographers and Bitcoin developers - such as Tim Ruffing, Jonas Nick, and Ethan Heilman - are actively working on Bitcoin’s quantum readiness, joined by a number of new and enthusiastic contributors. Current strategies include quantum-resistant signature approaches such as Lamport signatures, quantum-secure Taproot scripts, and pay-to-quantum-resistant-hash, and migration approaches such as commit-delay-reveal. Discussions about these efforts are ongoing across GitHub, the Bitcoin Development Mailing

Expert and governmental estimates regarding the pace of quantum computing development suggest CRQCs could arrive within the next decade. We propose a dual-track strategy for action that balances urgent security needs with thorough research: rapidly developing contingency measures (within approximately 2 years) that can be quickly deployed if

Upgrade Timeline

Here are estimated timelines for short-term contingency measures as well as a long-term comprehensive solution. With this dual track strategy, each track can be worked on in parallel.
Short-term Contingency Measures (~2 Years)
Long-Term Comprehensive Path (~7 Years)

2. Introduction

Bitcoin relies on a cryptographic assumption long regarded as computationally infeasible to break with current technology and approaches. However, the arrival of Cryptographically Relevant Quantum Computers (CRQC), potentially within the next decade, threatens to undermine this assumption. This report examines the nature of this threat, investigates the

A key component of Bitcoin’s cryptographic foundation is Elliptic Curve Digital Signature Algorithm (ECDSA) and, since 2021, Schnorr signatures. Both rely on the computational difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP), which presents an asymmetric challenge: deriving a public key from a private key is computationally simple,

While no quantum computer today poses an immediate risk to Bitcoin, a third of the respondents in a recent survey of global experts indicated a likelihood of 50% or more that CRQCs capable of breaking Bitcoin’s cryptography