Quantum computing will break BTC's ECDSA before it breaks SHA-256. So even if quantum computers cause BTC to lose 90%+ value, this is a losing bet because it won't be due to cracking SHA256

I believe given the currently known quantum algorithms, quantum computers don't really break hashing algorithms like sha256, but they do effectively halve the key size. So the block difficulty would need to go up significantly to compensate. Seems like that would be fine, and it would happen gradually as the first quantum computers would be really slow even if they were more efficient per hash checked.

@chrisjbillington does this apply to double-sha256 that bitcoin uses?

@JonathanRay Yes I believe so. Grover's algorithm allows brute force searches to be done in O(sqrt(N)) time vs O(N) for classical computers. It shouldn't matter what hashing algorithm is used (and double-sha256 is just another hashing algorithm), as long as it's not one where quantum computers can do better than a brute force search, like something involving discrete logarithms or prime factorisation (which sha256 doesn't).

@chrisjbillington It's true that quantum advantage might happen gradually, but I would say the real issue is more likely to be related to the way that Grover mining changes the incentives of the miners.

@BoltonBailey If grover's algorithm is ever successfully used on single-SHA256 I will be very surprised. It requires a lot of state that needs to be perfectly accurate, but qubits are inherently noisy.

@BoltonBailey Huh, so if I understand correctly, Grover's algorithm can be used in such a way such that the probability per unit time of breaking a given hash is not constant, but grows. It was an unexamined assumption of mine that this would not be the case, so I defer to the article's authors on the consequences of this as it's not something I have considered.

@JonathanRay but that's the primary problem with quantum computers generally. If scalable quantum computers become a reality at all, it will be because scalable quantum error correction was achieved (which is the current approach and seems to be working).

@JonathanRay

If grover's algorithm is ever successfully used on single-SHA256 I will be very surprised. It requires a lot of state that needs to be perfectly accurate, but qubits are inherently noisy.

Seems like if you believe this, you don't believe in quantum error correction, and you should probably buy NO shares in the markets on RSA-2048 being factored (which actually, I see you have, kudos to you).

@BoltonBailey For further reading on the economic viability of Grover mining, this recent paper is super good. The takeaway is that the price of a Grover iteration has to be at most the cost of a classical hash times the number of iterations per block time.

@BoltonBailey All this being said, I still think NO is the right buy on this market.

• Fault-tolerant Quantum computers might not exist in 2053

• Even if they do, they might not be cost-effective enough to mine.

• Even if it would be cost-effective to mine under the current setup, the Bitcoin network might simply switch to another hash function where there is less advantage for quantum computers.

• Even if they don't, attackers might not want to invest money in an attack that they know will destroy the value of their mining equipment.

@BoltonBailey And one more:

• Even if all this happens and one miner somehow comes to dominate the hashrate, the price of Bitcoin might not even go down by 90%.

It will die regardless.