什麼是 Q-Day？解析量子運算對 Bitcoin 的威脅

📄完整原文· 由 trafilatura 自動擷取11442 字

In brief - Today’s quantum computers are far too small and unstable to threaten real-world cryptography. - Early Bitcoin wallets with exposed public keys are most at risk in the long term. - Developers are exploring post-quantum signatures and potential migration paths. Quantum computers can’t break Bitcoin’s cryptography today, but new advances in the field suggest the gap is closing faster than expected. Progress toward fault-tolerant quantum systems raises the stakes for “Q-Day,” the moment when a sufficiently powerful machine could crack older Bitcoin addresses and expose more than $711 billion in vulnerable wallets. Long seen as a distant threat on the horizon, Q-Day snapped into sharp focus in March 2026, with multiple research papers suggesting that quantum computers could break cryptographic systems sooner than expected. Upgrading Bitcoin to a post-quantum state will take years, which means the work has to begin long before the threat arrives. The challenge, experts say, is that no one knows when that will be, and the community has struggled to agree on how best to move forward with a plan. This uncertainty has led to a lingering dread that a quantum computer that can attack Bitcoin may come online before the network is ready. In this article, we will look at the quantum threat to Bitcoin and what needs to change to make the number one blockchain ready. How a quantum attack would work A successful attack would not look dramatic. A quantum-enabled thief would start by scanning the blockchain for any address that has ever revealed a public key. Old wallets, reused addresses, early miner outputs, and many dormant accounts fall into that category. The attacker copies a public key and runs it through a quantum computer using Shor’s algorithm. Developed in 1994 by mathematician Peter Shor, the algorithm gives a quantum machine the ability to factor large numbers and solve the discrete logarithm problem far more efficiently than any classical computer. Bitcoin’s elliptic-curve signatures rely on the difficulty of those problems. With enough error-corrected qubits, a quantum computer could use Shor’s method to calculate the private key tied to the exposed public key. As Justin Thaler, research partner at Andreessen Horowitz and associate professor at Georgetown University, told Decrypt, once the private key is recovered, the attacker can move the coins. “What a quantum computer could do, and this is what’s relevant to Bitcoin, is forge the digital signatures Bitcoin uses today,” Thaler said. “Someone with a quantum computer could authorize a transaction taking all the Bitcoin out of your accounts, or however you want to think of it, when you did not authorize it. That’s the worry.” The forged signature would look real to the Bitcoin network. Nodes would accept it, miners would include it in a block, and nothing on-chain would mark the transaction as suspicious. If an attacker hit a large group of exposed addresses at once, then billions of dollars could move within minutes. Markets would start reacting before anyone ever confirmed that a quantum attack was happening. In March 2026, research papers by Caltech and Google suggested that future quantum computers could break elliptic curve cryptography using fewer qubits and computational steps than previously expected. The papers sparked consternation among the crypto community, with Bitcoin security researcher Justin Drake tweeting that "there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key" by that date. Today is a monumentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of… — Justin Drake (@drakefjustin) March 31, 2026 Where quantum computing stands in 2026 From 2025, quantum computing finally started to feel less theoretical and more practical. - November 2025: IBM announced new chips and software aimed at quantum advantage in 2026 and fault-tolerant systems by 2029. - January 2025: Google’s 105-qubit Willow chip showed steep error reduction and a benchmark beyond classical supercomputers. - February 2025: Microsoft rolled out its Majorana 1 platform and reported record logical-qubit entanglement with Atom Computing. - April 2025: NIST extended superconducting qubit coherence to 0.6 milliseconds. - June 2025: IBM set targets of 200 logical qubits by 2029 and more than 1,000 in the early 2030s. - September 2025: Caltech unveiled a neutral-atom quantum computer operating 6,100 qubits at 99.98% accuracy. - October 2025: IBM entangled 120 qubits; Google confirmed a verified quantum speed-up. - March 2026: Research papers from Caltech and Google suggest that quantum computers could threaten Bitcoin's cryptography sooner than expected, with Bitcoin security researchers putting a 10% chance on a quantum computer recovering a Bitcoin private key by 2032. - April 2026: The BIP-361 proposal aims to address the risk of quantum attacks through freezing quantum-vulnerable coins, sparking a split in the Bitcoin community. Why Bitcoin has become vulnerable Bitcoin’s signatures use elliptic-curve cryptography. Spending from an address reveals the public key behind it, and that exposure is permanent. In Bitcoin’s early pay-to-public-key format, many addresses published their public keys on-chain even before the first spend. Later pay-to-public-key-hash formats kept the key hidden until the first use. Because their public keys were never hidden, these oldest coins, including roughly 1 million Satoshi-era Bitcoin, are exposed to future quantum attacks. Switching to post-quantum digital signatures, Thaler said, takes active involvement. “For Satoshi to protect their coins, they’d have to move them into new post-quantum-secure wallets,” he said. “The biggest concern is abandoned coins, about $180 billion worth, including roughly $100 billion believed to be Satoshi’s. Those are huge sums, but they’re abandoned, and that’s the real risk.” Adding to the risk are coins tied to lost private keys. Many have sat untouched for more than a decade, and without those keys, they can never be moved into quantum-resistant wallets, making them viable targets for a future quantum computer. No one can freeze Bitcoin directly on-chain. Practical defenses against future quantum threats focus on migrating vulnerable funds, adopting post-quantum addresses, or managing existing risks. However, Thaler noted that post-quantum encryption and digital signature schemes come with steep performance costs, since they’re far larger and more resource-intensive than today’s lightweight 64-byte signatures. “Today’s digital signatures are about 64 bytes. Post-quantum versions can be 10 to 100 times larger,” he said. “In a blockchain, that size increase is a much bigger issue because every node must store those signatures forever. Managing that cost, the literal size of the data, is far harder here than in other systems.” Paths to protection Developers have floated several Bitcoin Improvement Proposals to prepare for future quantum attacks. They take different paths, from light optional protections to full network migrations. - BIP-360 (P2QRH): Creates new “bc1r…” addresses that combine today’s elliptic-curve signatures with post-quantum schemes like ML-DSA or SLH-DSA. It offers hybrid security without a hard fork, but the bigger signatures mean higher fees. - Quantum-Safe Taproot: Adds a hidden post-quantum branch to Taproot. If quantum attacks become realistic, miners could soft-fork to require the post-quantum branch, while users operate normally until then. - Quantum‑Resistant Address Migration Protocol (QRAMP): A mandatory migration plan that moves vulnerable UTXOs to quantum-safe addresses, likely through a hard fork. - Pay to Taproot Hash (P2TRH): Replaces visible Taproot keys with double-hashed versions, limiting the exposure window without new cryptography or breaking compatibility. - Non-Interactive Transaction Compression (NTC) via STARKs: Uses zero-knowledge proofs to compress large post-quantum signatures into a single proof per block, lowering storage and fee costs. - Commit-Reveal Schemes: Rely on hashed commitments published before any quantum threat. - Helper UTXOs attach small post-quantum outputs to protect spends. - “Poison pill” transactions let users pre-publish recovery paths. - Fawkescoin-style variants stay dormant until a real quantum computer is demonstrated. - BIP-361: The "Post Quantum Migration and Legacy Signature Sunset" proposal would phase out the network’s existing signature schemes, implementing a protocol-enforced freeze on quantum-vulnerable legacy coins. - Canary Fund: Proposed by BitMEX Research as an alternative to BIP-361, this would generate a quantum-vulnerable “canary” address whose public key would be published; a valid spend from the address would activate a soft fork banning quantum-vulnerable spends. - QSB: Proposed by StarkWare researcher Avihu Mordechai Levy, the “Quantum-Safe Bitcoin” transaction scheme would see elliptic-curve signatures replaced with hash-based cryptography and Lamport signatures, an early signature scheme considered resistant to quantum attacks. Taken together, these proposals sketch a step-by-step path to quantum safety: quick, low-impact fixes like P2TRH now, and heavier upgrades like BIP-360 or STARK-based compression as the risk grows. All of them would need broad coordination, and many of the post-quantum address formats and signature schemes are still early in discussion. Comminuty alignment One key issue facing efforts to implement quantum resistance on Bitcoin is aligning the community around a single solution. Thaler noted that Bitcoin’s decentralization—its greatest strength—also makes major upgrades slow and difficult, since any new signature scheme would need broad agreement across miners, developers, and users. “Two major issues stand out for Bitcoin. First, upgrades take a long time, if they happen at all. Second, there are the abandoned coins. Any migration to post-quantum signatures has to be active, and owners of those old wallets are gone,” Thaler said. “The community must decide what happens to them: either agree to remove them from circulation or do nothing and let quantum-equipped attackers take them. That second path would be legally gray, and the ones seizing the coins likely wouldn’t care.” That was thrown into sharp relief following the BIP-361 proposal, with its mandatory freeze on quantum-vulnerable coins proving contentious among the Bitcoin community. Bitcoin OG Adam Back called for an alternative approach involving optional upgrades, while Cardano founder Charles Hoskinson argued that some 1.7 million BTC would remain vulnerable under the proposal. What do I need to do? Most Bitcoin holders don’t need to do anything right away. A few habits go a long way in reducing long-term risk, including avoiding reusing addresses so your public key stays hidden until you spend, and sticking with modern wallet formats. Today’s quantum computers aren’t close to breaking Bitcoin, and predictions of when they will vary wildly. Some researchers see a threat within the next five years, others push it into the 2030s, but continued investments could speed up the timeline.

資料狀態✓ 已擷取全文閱讀原文（Decrypt）

🔍歷史類似事件· 關鍵字 + 標的比對6 則

2026-04-20

量子威脅即將衝擊 Bitcoin 與加密貨幣——XRP Ledger 正如何準備應對

相似度 380%標的 BTC關鍵字 threat/bitcoin/quantum

2026-04-17

當量子電腦來襲時：傳統財產法對您的 Bitcoin 會如何處置

相似度 380%標的 BTC關鍵字 what/bitcoin/quantum

2026-04-20

BTC 日漲幅近 3%，股市無視 US-Iran 戰爭威脅，油價下跌

相似度 330%標的 BTC關鍵字 threat/bitcoin

2026-04-20

量子鴻溝：為何 BTC 與 ETH 在安全性上採取不同路徑

相似度 330%標的 BTC關鍵字 bitcoin/quantum

2026-04-18

量子電腦如何能在「9 分鐘」內真正竊取您的 Bitcoin

相似度 330%標的 BTC關鍵字 bitcoin/quantum

2026-04-17

Bitcoin Derivatives 是量子級拋售的最早訊號：Joshua Lim

相似度 330%標的 BTC關鍵字 bitcoin/quantum

💡 目前用關鍵字 + 標的比對（MVP）· 之後會升級為 embedding 語意搜尋

原始資訊

ID：9123d8c8f0

來源：Decrypt

發佈：2026-04-18 14:53:16

分類：一般 · 導出分類 neutral

標的：BTC

社群投票：+0 / −0 · ⭐ 0 重要 · 💬 0 留言