In early October 2025, a since-deleted social media post sent a shock through the cryptocurrency community. Former Wall Street trader Josh Mandell claimed that quantum computers were already being used to drain coins from long-inactive Bitcoin wallets, especially accounts that are no longer used or whose owners have died. According to Mandell, a "major player" knew how to take Bitcoin directly out of these wallets without going through the open market, and only blockchain analysts tracking the chain could detect it.
The allegation caused a stir. If true, it would shake the foundation of Bitcoin's security model and call into question the belief that as long as you hold the private key, your assets are absolutely safe. Within hours the topic sparked heated debate across major crypto forums, social platforms and industry media. Some were worried, some were skeptical, and many wondered whether the quantum threat that had been talked about for years had really arrived.
The response from Bitcoin experts and the wider crypto community, however, was quick and clear: this is not happening yet. Hot Pixel Group founder Harry Beckwith said bluntly, "The chance of this happening now is zero." Matthew Pines of the Bitcoin Policy Institute called the theory "wrong" and criticised the lack of evidence. Technical experts broadly agree that while quantum computing will, in theory, threaten Bitcoin in the future, today's quantum computers fall far short in qubit count, error correction capability and computing power of what would be needed to break current cryptography.
Yet Mandell's claim, debunked as it was, points to a significant shift: the quantum threat has entered the mainstream, and the line between reasonable concern and unfounded panic has blurred. With Google releasing its 105-qubit Willow chip in December 2024, IBM publishing a roadmap to fault-tolerant quantum computing by 2029, and BlackRock adding a quantum-threat warning to its Bitcoin ETF filing in May 2025, the question is no longer whether quantum computers pose a risk, but when it will arrive and how the industry should respond.
This article examines the real relationship between quantum technology and Bitcoin, separating reality from hype. Rather than settling for slogans like "quantum computers will kill Bitcoin" or "there is no impact at all", we look at the technical timelines, the practical obstacles, the economic stakes, the ethical debates, and even the potential benefits quantum technology could bring to the crypto ecosystem. As usual, the truth lies somewhere between panic and complacency.
Essential Reading for Crypto Enthusiasts: Quantum Computing Basics
To understand how quantum computers threaten Bitcoin, you first need to understand how fundamentally they differ from the classical computers that have driven the digital revolution for the past 70 years.
The Birth of Quantum Computing
The story of quantum computing begins not with computers but with light. In 1905, Einstein published his paper on the photoelectric effect, showing that light is not only a wave but can also exist as discrete packets of energy called "photons". This discovery laid the foundation for quantum mechanics: in the microscopic world, particles can be in multiple states at once, observation changes what is observed, and even widely separated particles can remain mysteriously connected.
For decades, quantum mechanics remained the theoretical domain of physicists. Then in 1994, mathematician Peter Shor devised an algorithm that changed everything. Shor's algorithm proved that a sufficiently powerful quantum computer could factor large numbers into their primes far faster than any classical computer, and modern cryptography relies precisely on the hardness of problems like factoring large numbers or solving discrete logarithms.
Quantum computing thus leapt from academic curiosity to a national security and economic priority. Governments and technology companies raced to pour resources into building practical quantum computers, preparing for a future in which today's encryption could become worthless at any moment.
How Quantum Computers Work
At the heart of a quantum computer is the qubit. Where an ordinary bit can only be 0 or 1, a qubit can be in a "superposition" of 0 and 1 at the same time. This is not a metaphor; it is the most fundamental feature of quantum mechanics.
As you add qubits, the number of combinations grows exponentially. Two ordinary bits can take 4 states (but represent only one of them at a time), whereas 2 qubits can be in a superposition of all 4 states at once. 10 qubits represent 1,024 states simultaneously; 50 qubits, more than a quadrillion combinations; and in theory 300 qubits have more combinations than there are atoms in the universe.
This massive "parallel processing" combines with two other uniquely quantum phenomena: entanglement and interference. Entanglement links qubits together so that, regardless of distance, measuring one instantly affects the others. Interference helps the computer filter toward correct answers and cancel out wrong ones, steering the computation toward the final result.
These properties let quantum computers tackle certain problems in entirely new ways, such as molecular simulation, complex optimisation, or, most critically, breaking specific forms of encryption, with performance far beyond today's most powerful supercomputers.
The State of Quantum Hardware
Still, there is a large gap between the theory of quantum computing and its practical realisation. The very power of qubits also makes them extremely fragile: they are highly sensitive to external disturbances such as heat, electromagnetic fields and vibration, errors creep in easily, and the quantum state collapses almost instantly (decoherence), on timescales measured in microseconds.
In December 2024, Google unveiled its Willow quantum chip, representing the current state of the art. Willow has 105 physical qubits with an average of 3.47 connections per qubit and a single quantum gate error rate of just 0.035%. Most notably, it showed for the first time that adding more qubits can reduce overall error, the "below threshold" error correction the research community had pursued for almost 30 years.
Willow completed in under five minutes a computation that would take today's fastest supercomputer 10^24 years, far longer than the age of the universe. Critics point out that this was an extreme benchmark (random quantum circuit sampling) rather than a practical application, but it does show that quantum computers are already doing things classical computers cannot.
IBM has set out an even more aggressive roadmap. In 2025 it plans to launch the Nighthawk processor with 120 qubits capable of executing 5,000 gates; by 2028 it plans to link multiple compute modules into systems of over a thousand qubits. The ultimate goal is IBM Quantum Starling by 2029, a large-scale fault-tolerant quantum computer supporting 200 logical qubits and executing 100 million quantum gates.
Impressive as these breakthroughs are, they also show how far we remain from a quantum machine capable of threatening Bitcoin. Today's mainstream systems have only hundreds to a thousand physical qubits; breaking Bitcoin's cryptography would require a system of an entirely different order of magnitude.
Bitcoin Cryptography and the Quantum Threat
To understand where Bitcoin is vulnerable to quantum computers, we need to start with the basic cryptographic principles: exactly which technologies secure the Bitcoin network and users' assets.
Two Layers of Protection: ECDSA and SHA-256
Bitcoin uses two major cryptographic systems, each with its own role. The first is the Elliptic Curve Digital Signature Algorithm (ECDSA) on the secp256k1 curve. ECDSA establishes the relationship between a user's private key (which must be kept strictly secret) and public key (which can be shared freely). When you spend Bitcoin, you use your private key to produce a digital signature proving ownership; anyone can verify it with the public key, but it is practically impossible (for a classical computer) to derive the private key from the public key.
ECDSA's security rests on the elliptic curve discrete logarithm problem. Given a point on the curve and the point obtained by multiplying it by the private key, recovering the private key from the result would take longer than the age of the universe even with every classical computer in the world, because the private key is 256 bits long, meaning 2^256 possible values.
Bitcoin's second layer of security is the SHA-256 hash function, used both in mining (miners compete to find specific hash values) and in generating addresses (public keys are hashed to create shorter, more convenient addresses). Hash functions are one-way: it's easy to compute the hash of any input, but virtually impossible to reverse the process and find an input that produces a specific hash.
Shor's Algorithm: The Quantum Sword
Here's where quantum computers enter the picture. In 1994, Peter Shor demonstrated that a sufficiently powerful quantum computer running his algorithm could solve the discrete logarithm problem - and by extension, break elliptic curve cryptography - in polynomial time. Instead of needing exponential computational resources that would take eons, Shor's algorithm could potentially crack a 256-bit ECDSA key in hours or even minutes, given adequate quantum hardware.
The mechanism is elegant but complex. Shor's algorithm transforms the discrete logarithm problem into a period-finding problem, which quantum computers can solve efficiently using the quantum Fourier transform. By exploiting superposition and interference, the algorithm can simultaneously explore many potential solutions and extract the correct period, which then yields the private key.
This isn't theoretical handwaving - Shor's algorithm has been successfully implemented on small quantum computers to factor modest numbers. In 2019, researchers used a quantum computer to factor the number 35 (5 × 7). While this is trivially easy for classical computers, it demonstrated that the algorithm works in principle. The challenge lies in scaling up to cryptographically relevant sizes.
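To make the period-finding reduction concrete, here is an added Python example (not from the original article or the 2019 researchers) that factors 35 the way Shor's algorithm does, except that the one step a quantum computer performs with the quantum Fourier transform, finding the period of a^x mod n, is replaced by a classical brute-force loop. Everything else (choosing a base, checking the period is even, taking gcds) is the classical half of Shor's algorithm as it stands.

```python
from math import gcd


def find_order(a, n):
    """Smallest r > 0 with a^r = 1 (mod n): the period of f(x) = a^x mod n.
    Shor's algorithm extracts this period with a quantum Fourier transform; here it is
    found by classical brute force, so the cost grows with the period itself."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n for a^x mod n to be periodic")
    r, x = 1, a % n
    while x != 1:
        x = x * a % n
        r += 1
    return r


def shor_factor(n):
    """Factor an odd composite n via the period-finding reduction. Returns (p, q), p <= q."""
    if n % 2 == 0:
        return (2, n // 2)
    for a in range(2, n):
        g = gcd(a, n)
        if g > 1:                       # a lucky base already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = find_order(a, n)
        if r % 2:                       # an odd period gives no square root of 1
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:                  # a^(r/2) = -1 yields only the trivial factors
            continue
        f = gcd(y - 1, n)
        if f in (1, n):
            continue
        return tuple(sorted((f, n // f)))
    raise ValueError(f"{n} has no non-trivial factor (prime?)")


if __name__ == "__main__":
    # The 2019 demonstration mentioned in the text factored 35 = 5 x 7
    print(shor_factor(35), find_order(2, 35))
```

For 35 with base 2 the period is 12, so 2^6 = 64 = 29 (mod 35), and gcd(29 - 1, 35) = 7 gives the factorisation. The same structure (reduce a hard problem to finding a period, then finish classically) is what Shor's discrete-logarithm variant applies to ECDSA; only the period-finding step is exponential here and polynomial on a quantum computer.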
The Qubit Threshold Problem
How many qubits would actually be needed to break Bitcoin's ECDSA encryption? This question sits at the heart of timeline debates, and the answer is more nuanced than a single number suggests.
Research suggests that breaking a 256-bit elliptic curve key like Bitcoin's secp256k1 using Shor's algorithm would require approximately 2,000 to 3,000 logical qubits. One frequently cited estimate places the requirement at around 2,330 logical qubits, capable of performing roughly 126 billion quantum gates.
However, the crucial distinction lies between logical qubits and physical qubits. A logical qubit is an error-corrected computational unit - the stable, reliable qubit that Shor's algorithm requires. Each logical qubit must be constructed from many physical qubits working together to detect and correct errors. Current error correction schemes might require anywhere from hundreds to thousands of physical qubits to create a single logical qubit, depending on the error rates and the correction codes used.
When accounting for error correction overhead, estimates for breaking Bitcoin's ECDSA climb dramatically. Various studies suggest anywhere from 13 million to 317 million physical qubits might be necessary, depending on the desired attack timeframe and the quality of the quantum hardware. For context, Google's Willow chip has 105 physical qubits - meaning we would need systems roughly 100,000 to 3 million times larger than current cutting-edge hardware.
There's another critical factor: speed. Bitcoin addresses with funds in them only expose their public keys when transactions are broadcast to the network. In modern Bitcoin usage, those transactions typically get confirmed into a block within 10 to 60 minutes. An attacker using quantum computers to extract private keys from public keys would need to complete this computation within that narrow window - before the legitimate transaction gets confirmed and the funds are no longer accessible.
This time constraint dramatically increases the hardware requirements. To crack an ECDSA key within one hour rather than one day multiplies the qubit requirements further, potentially pushing the number well above 300 million physical qubits for any realistic attack scenario.
Which Wallets Are Most Vulnerable?
Not all Bitcoin addresses face equal quantum risk. The level of vulnerability depends primarily on one factor: whether the public key has been exposed.
The most vulnerable are Pay-to-Public-Key (P2PK) addresses, the original Bitcoin address format that Satoshi Nakamoto used extensively. These addresses contain the public key directly in the blockchain, visible to anyone. Approximately 1.9 million Bitcoin (about 9 percent of the total supply) sit in P2PK addresses, including an estimated 1 million Bitcoin attributed to Satoshi. These coins are immediately vulnerable to anyone with a quantum computer powerful enough to run Shor's algorithm.
Next are Pay-to-Public-Key-Hash (P2PKH) addresses where the public key has been revealed through spending transactions. Once you spend from a P2PKH address, the public key becomes visible on the blockchain. Best practice dictates using each address only once, but many users reuse addresses, leaving remaining funds vulnerable if quantum computers materialize. Industry analysis suggests as much as 25 percent of Bitcoin's circulating supply could be at risk due to exposed public keys - roughly 4 million Bitcoin worth tens of billions of dollars.
Modern address formats offer more protection. Segregated Witness (SegWit) and Taproot addresses provide better quantum resistance not through different cryptography, but through improved address reuse practices and, in Taproot's case, through alternative spending paths. However, even these addresses eventually expose public keys when funds are spent.
The safest Bitcoin addresses are those that have never been used - where the public key remains hidden behind a hash and no transaction has ever revealed it. For these addresses, a quantum attacker would need to break SHA-256, which is considerably more resistant to quantum attack than ECDSA.
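The exposure classes above can be read straight off each output's scriptPubKey. The following added Python example (not part of the original article) classifies the standard Bitcoin output templates and totals the value sitting in outputs whose public key is already visible on chain, which is what an auditor or analytics firm would measure. One caveat the text does not spell out: a Taproot (P2TR) output carries its 32-byte x-only tweaked public key directly in the script, so the classifier marks it as key-on-chain alongside P2PK. The sample UTXOs use dummy keys and hashes and constructed values, not real chain data.

```python
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def classify_output(spk: bytes):
    """Map a scriptPubKey to (script type, key_on_chain).

    key_on_chain is True when the output script itself contains an elliptic-curve public
    key, i.e. a Shor-capable attacker would not have to wait for a spend to see it."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG (Satoshi-era coinbases used 65-byte keys)
    if n in (35, 67) and spk[0] == n - 2 and spk[1] in (0x02, 0x03, 0x04) and spk[-1] == OP_CHECKSIG:
        return "P2PK", True
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", False          # only HASH160(pubkey) is visible until the first spend
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH", False
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH", False         # SegWit v0 key hash
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "P2WSH", False
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR", True            # Taproot: the x-only tweaked output key is in the script
    return "unknown", None


def exposure_report(utxos):
    """utxos: iterable of (scriptPubKey bytes, value in satoshis).
    Returns {script_type: total_sats} for outputs whose key is already visible on chain."""
    report = {}
    for spk, sats in utxos:
        kind, exposed = classify_output(spk)
        if exposed:
            report[kind] = report.get(kind, 0) + sats
    return report


# Constructed sample outputs (dummy keys/hashes, not real chain data)
SAMPLE_UTXOS = [
    (bytes([0x41, 0x04]) + b"\x11" * 64 + bytes([OP_CHECKSIG]), 50_0000_0000),  # early P2PK
    (bytes([0x21, 0x02]) + b"\x22" * 32 + bytes([OP_CHECKSIG]), 1_0000_0000),   # compressed P2PK
    (bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x33" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
     3_0000_0000),                                                              # P2PKH
    (bytes([OP_0, 0x14]) + b"\x44" * 20, 2_0000_0000),                          # P2WPKH
    (bytes([OP_1, 0x20]) + b"\x55" * 32, 4_0000_0000),                          # P2TR
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS))
```

Run over a real UTXO set (for example, exported from a full node with `dumptxoutset` and parsed), the same classifier gives the on-chain counterpart of the "1.9 million BTC in P2PK" figure cited above; the P2PKH and P2WPKH totals only become exposed once a spend from the same key has happened, which the next section's reuse audit covers.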
SHA-256 and Grover's Algorithm
While Shor's algorithm threatens ECDSA, a different quantum algorithm called Grover's algorithm affects hash functions like SHA-256. Unlike Shor's exponential speedup, Grover's algorithm provides only a quadratic speedup for searching unstructured databases.
In practical terms, Grover's algorithm effectively halves the security level of SHA-256, reducing it from 256-bit security to 128-bit security. This sounds dramatic, but 128-bit security remains extraordinarily strong - far beyond what any classical or near-term quantum computer could break. Attacking SHA-256 even with Grover's algorithm would require astronomical computational resources, likely including billions of logical qubits.
The consensus among cryptographers is that SHA-256 is not the immediate concern. The real vulnerability lies in ECDSA and the exposed public keys that make quantum attacks feasible.
Mandell's Quantum Theft Allegation: Dissecting the Claim
Josh Mandell's October 2025 claim represented the latest - and perhaps most viral - entry in a long history of quantum FUD (fear, uncertainty, and doubt) targeting Bitcoin. Let's examine his specific allegations and the evidence against them.
The Allegation in Detail
According to multiple reports, Mandell alleged that:
- Old, inactive Bitcoin wallets were being quietly drained using quantum computing technology
- A major actor was accumulating Bitcoin off-market by accessing private keys of wallets whose owners were unlikely to notice or respond
- The targeted wallets were long-dormant accounts, often assumed abandoned or tied to deceased owners
- Coins were being extracted without creating market disruptions or large sell orders
- Only blockchain forensic analysis could reveal suspicious movement patterns
- Quantum technology had reached a point where it could crack Bitcoin's cryptographic defenses in ways classical computing cannot
Crucially, Mandell offered no hard evidence for these claims. His position was that the scenario was technically possible and might already be unfolding, but this remained unverified and speculative.
Why the Claim Resonated
Mandell's allegation gained traction because it tapped into several real concerns within the Bitcoin community. First, the timing coincided with legitimate advances in quantum computing. Google had just announced its Willow chip, and IBM was publicizing its roadmap to fault-tolerant quantum computing by 2029. The quantum threat suddenly felt more concrete and imminent than it had in previous years.
Second, Bitcoin's mystique around "lost coins" creates a narrative opening for such claims. Between 2.3 million and 3.7 million Bitcoin are estimated to be permanently lost due to forgotten private keys, deceased owners without proper estate planning, or wallets created in Bitcoin's early days and subsequently abandoned. That represents anywhere from 11 to 18 percent of Bitcoin's fixed 21 million supply - hundreds of billions of dollars in value, sitting dormant and potentially vulnerable.
The idea that someone with advanced quantum technology could recover these lost coins before their rightful owners (if they still exist) carries a certain plausibility to those unfamiliar with the technical requirements. It also plays into narratives about secretive state actors, well-funded corporations, or shadowy entities with access to classified technology far beyond what's publicly known.
The Technical Rebuttals
Experts quickly identified numerous problems with Mandell's claim. The most fundamental issue is hardware capability. As we've established, breaking Bitcoin's ECDSA encryption would require anywhere from 13 million to 300 million physical qubits, depending on various factors. Current systems have around 100 to 1,000 qubits - a gap of five to six orders of magnitude.
Google's Willow chip, impressive as it is, operates at 105 physical qubits. Even if we assume extraordinary progress in qubit quality and error correction, the jump to millions of qubits represents not an incremental advance but a transformational breakthrough that would revolutionize not just quantum computing but manufacturing, cooling systems, control electronics, and fundamental physics research. Such a breakthrough happening secretly, without any public indication, strains credibility.
There's also the error correction problem. Current quantum computers have error rates that make extended computations impossible without sophisticated error correction. Google's achievement with Willow was demonstrating "below threshold" error correction for the first time - showing that errors can decrease as you add more qubits. But the logical error rates achieved (around 0.14 percent per cycle) remain orders of magnitude above the 0.0001 percent or better believed necessary for running large-scale quantum algorithms like Shor's.
Industry experts note that transitioning from laboratory demonstrations of quantum error correction to fault-tolerant machines capable of running Shor's algorithm at cryptographically relevant scales remains a monumental engineering challenge, likely requiring at least another decade of intensive development.
The Blockchain Evidence (or Lack Thereof)
Perhaps most damning to Mandell's claim is the absence of supporting evidence on the blockchain itself. Bitcoin's transparency means all transactions are publicly visible and extensively monitored by blockchain analytics firms, academic researchers, and curious individuals with the technical skills to analyze movement patterns.
If quantum computers were systematically draining dormant wallets, we should see specific signatures:
- Sudden, simultaneous movements from multiple old P2PK addresses that had been inactive for years
- Funds moving in coordinated patterns suggesting a single actor with privileged access to multiple wallets
- A statistical anomaly in the rate of "reawakening" wallets that can't be explained by normal factors
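The three signatures listed above can be turned into a simple detector. The following added Python example (not from the original article or any analytics firm) scans a feed of wallet "reawakening" events and flags windows in which an unusual number of long-dormant, key-exposed addresses (P2PK, or P2PKH whose key was already revealed by reuse) move together, which is what the hypothesis would predict and what the normal background of estate settlements and old-holder sales does not produce. The events, thresholds and address labels are all constructed for the demonstration.

```python
from collections import Counter


def flag_reactivation_bursts(events, min_dormant_days=5 * 365, window_days=2, threshold=4):
    """Flag clusters of long-dormant, key-exposed addresses reactivating together.

    events: iterable of dicts with keys day, address, script_type, dormant_days.
    Returns [(window_start_day, count)] for windows whose count reaches the threshold."""
    candidates = [
        e for e in events
        if e["dormant_days"] >= min_dormant_days
        and e["script_type"] in ("P2PK", "P2PKH-reused")   # keys a Shor attack could target
    ]
    per_day = Counter(e["day"] for e in candidates)
    if not per_day:
        return []
    flagged, day, last = [], min(per_day), max(per_day)
    while day <= last:
        count = sum(per_day.get(d, 0) for d in range(day, day + window_days))
        if count >= threshold:
            flagged.append((day, count))
            day += window_days          # do not re-report the same cluster
        else:
            day += 1
    return flagged


def _ev(day, address, script_type, dormant_days):
    return {"day": day, "address": address, "script_type": script_type, "dormant_days": dormant_days}


# Constructed sample feed: isolated background moves plus one burst on days 40-41
SAMPLE_EVENTS = [
    _ev(3, "1Early01", "P2PK", 4000),
    _ev(14, "1Early02", "P2PKH-reused", 3000),
    _ev(20, "bc1qnew01", "P2WPKH", 2000),          # key still hashed: not a Shor target
    _ev(27, "1Early03", "P2PK", 3500),
    _ev(40, "1Early04", "P2PK", 4500),
    _ev(40, "1Early05", "P2PK", 5000),
    _ev(41, "1Early06", "P2PK", 4200),
    _ev(41, "1Early07", "P2PKH-reused", 2100),
    _ev(41, "1Early08", "P2PK", 3900),
    _ev(41, "1Recent01", "P2PK", 200),             # dormant only 200 days: excluded
    _ev(55, "1Early09", "P2PK", 3700),
]

if __name__ == "__main__":
    print(flag_reactivation_bursts(SAMPLE_EVENTS))
```

In production the threshold would be derived from the observed baseline rate of reactivations (for instance a multiple of the trailing standard deviation) rather than fixed, and a flagged window is a lead for investigation, not proof: a single estate executor sweeping several early addresses at once produces the same signal.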
What blockchain analysts actually observe is quite different. Old wallets do occasionally become active again, but these movements align with expected patterns: estate settlements after owners' deaths, long-term holders finally deciding to sell, users recovering old hardware wallets, or security-conscious users migrating funds to new address types.
Importantly, these reactivations typically involve wallets with known histories and plausible explanations. There's no wave of mysterious, coordinated movements from the oldest, most vulnerable addresses that would indicate quantum-powered theft.
Blockchain analytics firm Chainalysis and others have examined movement patterns from early Bitcoin addresses and found no evidence of anomalous activity that would suggest quantum attacks. The dormant coins remain dormant.
The Economic Logic Problem
There's also an economic argument against current quantum theft. If a state actor or well-funded organization had successfully developed quantum computers capable of breaking Bitcoin's cryptography, would they really deploy this capability in a manner that might be detected?
Such technology would be one of the most valuable secrets in the world, with applications far beyond cryptocurrency. It could break government communications, compromise military systems, undermine financial infrastructure, and render trillions of dollars worth of encrypted data vulnerable. Using it to steal Bitcoin - and risking detection that would alert the world to this capability - makes little strategic sense.
A rational actor with quantum capability would more likely wait, accumulate as much intelligence and economic advantage as possible under the radar, and only reveal the technology when absolutely necessary or when doing so advances a larger strategic objective. Stealing Bitcoin from dormant wallets, while potentially profitable, would risk exposing the quantum capability for relatively modest gains compared to the technology's full potential.
Economic and Ethical Dimensions: The Lost Bitcoin Problem
While Mandell's specific claim of current quantum theft lacks evidence, his allegation raises profound questions about Bitcoin's future in a post-quantum world. What happens if - or when - quantum computers become powerful enough to recover "lost" Bitcoin? The economic and ethical implications deserve serious consideration.
The Magnitude of Lost Bitcoin
Current estimates suggest between 2.3 million and 3.7 million Bitcoin are permanently lost. This includes:
- Coins in wallets where private keys were lost or never properly backed up
- Bitcoin sent to wallets of deceased individuals whose heirs lack access
- Coins in early P2PK addresses from Bitcoin's first years, when the cryptocurrency had little value and security practices were lax
- Bitcoin in addresses that have shown no activity for over a decade, suggesting abandonment
The most famous potentially lost Bitcoin belongs to Satoshi Nakamoto. The Bitcoin creator is estimated to have mined around 1 million Bitcoin in the network's first year, all stored in early P2PK addresses. Satoshi has never moved any of these coins, and the creator's identity remains unknown. Whether Satoshi still has access to these wallets, chose to permanently lock them away, or lost the keys entirely is one of Bitcoin's greatest mysteries.
Then there's the Mt. Gox hack. In 2014, the then-largest Bitcoin exchange collapsed after losing approximately 850,000 Bitcoin to theft. While some coins were recovered, a wallet associated with the hack still holds nearly 80,000 Bitcoin - about 0.4 percent of Bitcoin's total supply - sitting dormant on the blockchain.
These lost coins have become, in effect, deflationary forces. They reduce Bitcoin's practical circulating supply, making each remaining coin slightly more valuable. Many Bitcoiners view this as a feature rather than a bug - a natural consequence of a truly decentralized system where no authority can recover lost funds.
The Quantum Recovery Scenario
Now imagine quantum computers advance to the point where they can efficiently crack ECDSA encryption. Suddenly, those millions of lost Bitcoin become accessible - not to their original owners (who lack the private keys) but to whoever has the quantum capability to derive private keys from the exposed public keys.
This creates an unprecedented situation. Bitcoin that markets have essentially written off as permanently lost could flood back into circulation. The price impact would be severe. Even the possibility of such a recovery could trigger panic selling as investors try to front-run the hypothetical flood of supply.
In May 2025, BlackRock added explicit warnings about quantum computing to its iShares Bitcoin Trust (IBIT) filing, one of the most popular Bitcoin ETFs. The filing warned that advances in quantum computing could threaten Bitcoin's cryptographic security and undermine the integrity of the network itself. This represents a significant moment - traditional financial institutions now view quantum risk as material enough to disclose to investors.
The economic disruption wouldn't be limited to price volatility. Bitcoin's value proposition depends heavily on its perceived scarcity and security. If millions of previously inaccessible coins suddenly become accessible to quantum attackers, it raises questions about whether any Bitcoin is truly secure. Trust in the network could erode rapidly, potentially creating a cascade of selling pressure that goes beyond the immediate impact of the recovered coins themselves.
The Ethical Dilemmas
The quantum recovery scenario creates thorny ethical questions without clear answers. If quantum computers can access lost Bitcoin, what should happen to those coins?
One camp, led by prominent voices like Bitcoin developer Jameson Lopp, argues these coins should be burned - deliberately destroyed to prevent anyone from claiming them. Lopp contends that allowing quantum adversaries to claim funds that rightfully belong to other users represents a failure to protect property rights. In a February 2025 essay, Lopp wrote: "If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a 'win' in the 'protecting property rights' category? It feels more like apathy to me."
From this perspective, burning vulnerable coins is the lesser evil. It prevents ill-gotten gains, protects Bitcoin's scarcity, and demonstrates the network's commitment to security over short-term convenience. The counterargument is that burning coins represents a form of confiscation - punishing users whose only "crime" was adopting Bitcoin early, before quantum-resistant best practices existed.
Another camp suggests attempting to return recovered Bitcoin to their rightful owners. This sounds noble but creates enormous practical problems. How do you prove ownership of Bitcoin when the defining characteristic of being lost is that you no longer have the private keys? Estate settlements already face legal challenges when cryptocurrency is involved. Now imagine trying to adjudicate ownership claims for coins that haven't moved in a decade, where the original owner might be deceased, unknown, or impossible to verify.
Any recovery system would necessarily involve trusted third parties to verify claims - exchanges, government agencies, or newly created institutions. This runs counter to Bitcoin's ethos of trustlessness and censorship resistance. It would also create intense pressure for fraud, as bad actors impersonate rightful owners or manufacture false claims to valuable Bitcoin addresses.
A third option is to redistribute recovered coins. Some have proposed using recovered Bitcoin to fund network development, reward miners, or even distribute equally among all current Bitcoin holders. This transforms lost coins into a kind of communal asset. However, it amounts to changing Bitcoin's social contract after the fact - altering the rules for coins that were secured under a different set of assumptions.
Perhaps the starkest ethical question involves Satoshi's million Bitcoin. If these coins could be recovered via quantum computing, should they be? Satoshi's anonymity means we can't ask the creator's wishes. Many in the community consider these coins sacred - a permanent part of Bitcoin's mythology that should remain untouched regardless of technical capability. Others argue that leaving such a massive supply sitting vulnerable to quantum attack poses systemic risk to the network.
The Institutional Response
BlackRock's decision to add quantum warnings to its Bitcoin ETF filing signals that institutional finance is taking these questions seriously. The filing states explicitly that quantum computing advances could "threaten the security of the network" and potentially lead to "significant losses" for investors.
This reflects a broader pattern of institutional adoption bringing increased scrutiny of risks that the crypto community might have previously dismissed or downplayed. Pension funds, endowments, and financial advisors considering Bitcoin exposure want clarity on tail risks, including quantum computing. The fact that quantum risk now appears in regulated financial products' disclosure documents transforms it from a theoretical concern to a quantifiable investment consideration.
Other major institutions are watching. If quantum capabilities advance faster than expected, we could see institutional capital flee cryptocurrency markets unless clear mitigation strategies exist. This creates pressure on Bitcoin developers and the broader community to implement quantum-resistant solutions before the threat materializes, rather than waiting for a crisis.
Security Roadmap: How Bitcoin Can Evolve
The encouraging news is that Bitcoin's quantum vulnerability is neither surprising nor unaddressed. Cryptographers have known about Shor's algorithm since 1994, and the Bitcoin development community has been discussing quantum resistance for years. Multiple research directions and practical strategies exist for hardening Bitcoin against quantum attack.
Current Best Practices for Users
Even before any protocol-level changes, individual Bitcoin users can take steps to minimize their quantum exposure. The most important practice is avoiding address reuse. When you spend from a Bitcoin address, the public key becomes visible on the blockchain. Best practice is to treat each address as single-use - after spending from it, move any remaining funds to a new address, ensuring the old public key is no longer associated with unspent coins.
Modern wallet software has increasingly adopted this practice automatically. Hardware wallets and full-node wallets typically generate new change addresses for each transaction, implementing single-use addresses without requiring users to understand the underlying security logic. Users with older wallet software or those who manually manage addresses should audit their practices and upgrade to quantum-safer habits.
Another protective step is migrating funds to more modern address formats. Segregated Witness (SegWit) and especially Taproot addresses provide marginally better quantum resistance through improved address hygiene and, in Taproot's case, alternative script paths that might enable quantum-resistant signatures in future soft forks. While these formats use the same underlying elliptic curve cryptography, they reflect more quantum-conscious design philosophy.
For long-term holders, the advice is simple: use new addresses for each receive transaction, never reuse addresses after spending, and keep funds in addresses whose public keys have never been exposed. This doesn't eliminate quantum risk entirely but significantly reduces the attack surface.
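As an added example (not from the article), the audit below replays a constructed transaction history and reports coins that are both unspent and behind a public key already visible on chain, which is exactly the situation the advice above tells users to avoid. Addresses and transaction ids are placeholders; one detail the audit encodes is that P2PK and P2TR output scripts carry the key itself, so those coins count as exposed from the moment they are received.

```python
"""Audit which coins are already quantum-exposed: unspent outputs on addresses
whose public key is visible on chain. Added example, not the article's code;
the transactions below are constructed and the addresses are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    prev_index: int


@dataclass(frozen=True)
class TxOut:
    address: str
    value_sats: int
    # "p2pkh" / "p2wpkh": only a hash of the key is in the output script; the key
    # itself appears when the coin is spent.  "p2pk": the raw key is the script.
    # "p2tr": the (tweaked) output key is the script, so it is visible on receipt.
    script_type: str


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: List[TxIn]
    outputs: List[TxOut]


KEY_IN_OUTPUT_SCRIPT = {"p2pk", "p2tr"}


def replay(txs: List[Tx]) -> Tuple[Dict[Tuple[str, int], TxOut], Set[str]]:
    """Replay transactions in order. Returns the final UTXO set and the set of
    addresses whose public key has been revealed at some point."""
    outputs: Dict[Tuple[str, int], TxOut] = {}
    utxos: Dict[Tuple[str, int], TxOut] = {}
    exposed: Set[str] = set()
    for tx in txs:
        for txin in tx.inputs:
            ref = (txin.prev_txid, txin.prev_index)
            prev = outputs.get(ref)
            if prev is not None:
                exposed.add(prev.address)  # spending puts the key in scriptSig/witness
                utxos.pop(ref, None)
        for idx, out in enumerate(tx.outputs):
            ref = (tx.txid, idx)
            outputs[ref] = out
            utxos[ref] = out
            if out.script_type in KEY_IN_OUTPUT_SCRIPT:
                exposed.add(out.address)
    return utxos, exposed


def exposure_report(txs: List[Tx]) -> Dict[str, int]:
    """Satoshis per address that are both unspent and sitting behind an already
    revealed public key; an empty report is the state the advice above aims for."""
    utxos, exposed = replay(txs)
    report: Dict[str, int] = {}
    for out in utxos.values():
        if out.address in exposed:
            report[out.address] = report.get(out.address, 0) + out.value_sats
    return report


def safe_balance(txs: List[Tx]) -> int:
    """Satoshis on addresses whose key has never been revealed."""
    utxos, exposed = replay(txs)
    return sum(o.value_sats for o in utxos.values() if o.address not in exposed)


# Constructed history: A is reused for change (bad), P is an old P2PK coin,
# C is a fresh address that has only ever received (good).
SAMPLE_TXS = [
    Tx("tx1", [], [TxOut("A", 100_000, "p2pkh"), TxOut("P", 50_000, "p2pk")]),
    Tx("tx2", [TxIn("tx1", 0)], [TxOut("B", 60_000, "p2wpkh"), TxOut("A", 39_000, "p2pkh")]),
    Tx("tx3", [TxIn("tx2", 0)], [TxOut("C", 59_000, "p2wpkh")]),
]

if __name__ == "__main__":
    print("exposed:", exposure_report(SAMPLE_TXS))  # {'P': 50000, 'A': 39000}
    print("safe sats:", safe_balance(SAMPLE_TXS))   # 59000
```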
Post-Quantum Cryptography Standards
The broader cryptographic community has been working toward quantum-resistant alternatives for over a decade. In 2016, the U.S. National Institute of Standards and Technology (NIST) launched a project to standardize post-quantum cryptography (PQC) - cryptographic algorithms believed to be secure against both classical and quantum computers.
After years of analysis and competition, NIST announced its first set of PQC standards in 2024. The selected algorithms include:
- CRYSTALS-Kyber for key encapsulation (replacing systems like RSA for securely exchanging keys)
- CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures (replacing systems like ECDSA and RSA signatures)
These algorithms rely on different mathematical problems than current cryptography. Lattice-based schemes like Dilithium are based on the difficulty of finding short vectors in high-dimensional lattices. Hash-based schemes like SPHINCS+ are built on the security of cryptographic hash functions, which are already believed to be relatively quantum-resistant. Multivariate cryptography, another post-quantum family studied in the competition, uses systems of quadratic equations over finite fields.
The crucial insight is that while Shor's algorithm efficiently solves discrete logarithm and factoring problems, it doesn't provide similar advantages against these new mathematical structures. As far as current knowledge extends, quantum computers offer no practical shortcut to breaking properly implemented lattice-based or hash-based cryptography.
Bitcoin-Specific Research: QRAMP
In early 2025, Bitcoin developer Agustin Cruz proposed a radical framework called QRAMP (Quantum-Resistant Asset Mapping Protocol). QRAMP represents one of the most comprehensive approaches to Bitcoin's quantum problem, though it remains controversial and far from consensus.
QRAMP proposes a mandatory migration period where all funds in legacy quantum-vulnerable addresses must be moved to quantum-resistant addresses by a specific block height deadline. After that deadline, transactions from old ECDSA addresses would be rejected by the network, effectively burning any coins that weren't migrated.
The protocol would work through several mechanisms:
- Identifying vulnerable addresses: QRAMP would scan for Bitcoin addresses with exposed public keys, particularly older P2PK formats
- Burn and replace: Users send coins from vulnerable addresses to a special "quantum burn" address, permanently removing them from circulation
- Post-quantum security: In return, equivalent amounts of Bitcoin secured by quantum-resistant cryptography (like hash-based or lattice-based signatures) would be issued
- Proof-based verification: Only verified burns result in new quantum-resistant coins, maintaining a strict 1:1 ratio to prevent inflation
QRAMP also aims to enable cross-chain Bitcoin functionality. Rather than relying on custodians (like wrapped Bitcoin solutions), QRAMP would use cryptographic attestations - mathematical proofs derived from Bitcoin's blockchain that other networks can verify. This would allow Bitcoin balances to be reflected on other blockchains without actually moving the underlying Bitcoin, maintaining both security and Bitcoin's 21 million supply cap.
The proposal has sparked intense debate. Proponents argue it provides a clear, systematic path to quantum resistance with unambiguous deadlines that force timely migration rather than dangerous complacency. Critics contend that mandatory burns represent a form of confiscation, punishing early adopters and potentially destroying millions of Bitcoin including Satoshi's coins.
The timeline concerns are also significant. QRAMP would require a hard fork - a non-backward-compatible protocol change requiring consensus from miners, node operators, and the broader community. Bitcoin's history shows that controversial hard forks are difficult to achieve and risk chain splits. Implementing QRAMP would require convincing the ecosystem that quantum threats are imminent enough to justify such drastic action while also being early enough that users have time to migrate.
As of October 2025, QRAMP remains a draft proposal without a formal BIP (Bitcoin Improvement Proposal) number and lacking community consensus to move forward.
Alternative Approaches
Not all quantum-resistant proposals are as radical as QRAMP. Other researchers are exploring gradual migration strategies that would introduce quantum-resistant signature schemes alongside existing ECDSA, allowing users to voluntarily upgrade over time.
Adam Back, CEO of Blockstream and a respected cryptographer, has suggested incorporating quantum-resistant cryptography into Bitcoin's existing address and script system. One approach would use Schnorr signatures (already implemented in Taproot) combined with SLH-DSA (SPHINCS+) tapleafs. This would allow users to gradually move funds to quantum-safe addresses without requiring a contentious hard fork or burning vulnerable coins.
The advantage of gradual migration is flexibility. Users who are confident in their address security could continue using existing wallets while more cautious users migrate to quantum-resistant formats. As quantum capabilities advance, social pressure and market forces would naturally encourage migration without requiring protocol enforcement.
The disadvantage is that voluntary migration might happen too slowly. If quantum computers advance faster than expected, vulnerable coins could be attacked before users migrate, defeating the purpose. There's also the problem of lost or abandoned wallets - coins whose owners no longer have access would remain perpetually vulnerable.
Other research directions include:
- Quantum-safe multi-signature schemes that combine multiple post-quantum algorithms, providing redundant security even if one algorithm is broken
- Hybrid systems that use both classical ECDSA and quantum-resistant signatures, requiring attackers to break both
- Zero-knowledge proofs that could enable quantum-resistant verification without exposing public keys
The Ethereum community has been researching post-quantum cryptography through account abstraction and STARKs (Scalable Transparent Arguments of Knowledge), which use hash functions and are inherently quantum-resistant. Some of these innovations might eventually inform Bitcoin's approach.
The Challenge of Quantum-Resistant Signatures
One challenge with post-quantum cryptography is that signatures are typically much larger than ECDSA signatures. A CRYSTALS-Dilithium signature can be 2-3 kilobytes, compared to 64-71 bytes for an ECDSA signature. This has implications for blockchain efficiency, transaction costs, and scalability.
Hash-based signatures like SPHINCS+ are even larger - potentially tens of kilobytes per signature. While these sizes aren't prohibitive, they represent a meaningful increase in data that must be stored and transmitted by every node on the network. In a blockchain where efficiency and scalability are already concerns, adding larger signatures could exacerbate existing challenges.
Various optimizations are being researched to minimize signature sizes while maintaining security. Some schemes use Merkle trees to amortize signature size across multiple transactions. Others explore threshold signatures where multiple parties collaboratively sign, reducing the per-transaction overhead.
The Bitcoin community will need to balance security, efficiency, and backward compatibility when ultimately selecting which post-quantum algorithms to implement.
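To make the size figures above concrete, here is an added example (not the article's or any project's code) of a hash-based scheme at teaching scale: a Lamport one-time signature over SHA-256, whose signature alone is 8 KB, plus a Merkle tree that lets one 32-byte root cover several one-time keys at the cost of an authentication path in each signature. It is not SPHINCS+/SLH-DSA, the key material is random, and the byte counts are for this construction only.

```python
"""Why hash-based signatures are big, and how a Merkle tree amortizes them:
a Lamport one-time signature over SHA-256 plus a small Merkle few-time scheme.
Added example, not the article's or any project's code; a teaching-scale
construction, not SPHINCS+/SLH-DSA, with keys generated at random."""
import hashlib
import os
from typing import Dict, List, Tuple

N = 32  # bytes per SHA-256 digest; we sign the 256 bits of H(message)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes) -> List[int]:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    """sk: 256 pairs of random values; pk: their hashes (2 * 256 * 32 = 16 KB)."""
    sk = [(os.urandom(N), os.urandom(N)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> List[bytes]:
    """Reveal one secret per digest bit (256 * 32 = 8 KB). A second message would
    reveal further preimages, so each key must sign exactly once."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(_bits(msg), sig)))


def leaf_of(pk) -> bytes:
    """Compress a 16 KB one-time public key into one 32-byte Merkle leaf."""
    return H(b"".join(a + b for a, b in pk))


def merkle_root_and_paths(leaves: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Root plus, per leaf, its authentication path (sibling hashes, bottom-up).
    The number of leaves must be a power of two."""
    paths: List[List[bytes]] = [[] for _ in leaves]
    level, groups = list(leaves), [[i] for i in range(len(leaves))]
    while len(level) > 1:
        nxt, ngroups = [], []
        for j in range(0, len(level), 2):
            left, right = level[j], level[j + 1]
            for leaf in groups[j]:
                paths[leaf].append(right)
            for leaf in groups[j + 1]:
                paths[leaf].append(left)
            nxt.append(H(left + right))
            ngroups.append(groups[j] + groups[j + 1])
        level, groups = nxt, ngroups
    return level[0], paths


def merkle_verify(root: bytes, leaf: bytes, index: int, path: List[bytes]) -> bool:
    node = leaf
    for sibling in path:
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node == root


class MerkleSigner:
    """One 32-byte root public key covering 2**height one-time keys. The counter
    is the scheme's state: losing it (or restoring an old backup) reuses a key."""

    def __init__(self, height: int = 2):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.root, self.paths = merkle_root_and_paths([leaf_of(pk) for _, pk in self.keys])
        self.next_index = 0

    def sign(self, msg: bytes) -> Dict:
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; reuse would leak secrets")
        i, self.next_index = self.next_index, self.next_index + 1
        sk, pk = self.keys[i]
        return {"index": i, "ots": lamport_sign(sk, msg), "pk": pk, "path": self.paths[i]}


def merkle_sig_verify(root: bytes, msg: bytes, sig: Dict) -> bool:
    return (lamport_verify(sig["pk"], msg, sig["ots"])
            and merkle_verify(root, leaf_of(sig["pk"]), sig["index"], sig["path"]))


def signature_size_bytes(sig: Dict) -> int:
    """Bytes a verifier needs: 256 revealed secrets, the 16 KB leaf key, the path."""
    return 256 * N + 2 * 256 * N + len(sig["path"]) * N


if __name__ == "__main__":
    signer = MerkleSigner(height=2)
    sig = signer.sign(b"tx bytes to be signed")
    print(merkle_sig_verify(signer.root, b"tx bytes to be signed", sig))  # True
    print(signature_size_bytes(sig), "bytes vs 64-71 for ECDSA")           # 24640
```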
Beyond Threats: Quantum Opportunities for Crypto
Discussions about quantum computing and cryptocurrency overwhelmingly focus on threats - the looming danger of quantum computers breaking cryptography. But this framing misses a crucial aspect of the story. Quantum computing isn't merely a weapon pointed at blockchain technology; it's also a tool that could enhance, strengthen, and advance the entire cryptocurrency ecosystem in unexpected ways.
Quantum-Enhanced Cryptography
The arms race between quantum attackers and quantum defenders will eventually produce cryptography that is stronger than anything possible with classical computation. Quantum key distribution (QKD) already enables provably secure communication channels, protected by the laws of physics rather than computational assumptions. While implementing QKD in decentralized blockchain systems faces significant technical challenges, research continues into adapting quantum communication protocols for cryptocurrency applications.
Post-quantum cryptography developed in response to quantum threats will create the foundation for a new generation of cryptographic systems. These algorithms aren't just quantum-resistant; many offer additional security properties like forward secrecy, smaller keys for equivalent security levels, and resistance to side-channel attacks that plague some current implementations.
Lattice-based cryptography, in particular, enables powerful new capabilities like fully homomorphic encryption - the ability to perform arbitrary computations on encrypted data without decrypting it. While computationally expensive today, quantum computers might eventually make homomorphic encryption practical at scale, enabling privacy-preserving smart contracts and confidential transactions without sacrificing auditability.
Improved Scalability Solutions
Quantum computers excel at certain optimization problems that currently limit blockchain scalability. Route finding in payment channel networks like Bitcoin's Lightning Network involves searching through a vast space of possible paths to find optimal routes for payments. Quantum algorithms could potentially find better routes faster, improving payment success rates and reducing channel capital requirements.
Zero-knowledge proof systems, which enable privacy and scalability solutions like ZK-Rollups, require extensive cryptographic computations. Quantum computers might accelerate proof generation while maintaining security, enabling more sophisticated privacy-preserving applications without the computational overhead that currently limits their adoption.
Even mining could eventually benefit from quantum computation. While quantum computers using Grover's algorithm could theoretically search for proof-of-work solutions more efficiently than classical miners, the same technology would be available to all participants, creating a new equilibrium rather than an attack vector. Some researchers have proposed quantum-secured consensus mechanisms that leverage quantum properties for Byzantine fault tolerance.
Quantum-Secured Smart Contracts
The combination of quantum computing and cryptocurrency could enable entirely new classes of smart contracts and decentralized applications. Quantum random number generation provides truly unpredictable randomness - crucial for gambling applications, cryptographic protocols, and fair leader election in consensus mechanisms. Current blockchain-based randomness must rely on complicated protocols to prevent manipulation; quantum randomness would be provably fair.
Quantum sensing and quantum communication could enable new types of oracle systems - the bridges between smart contracts and real-world data. Quantum sensors can measure physical phenomena with unprecedented precision, potentially creating more reliable data feeds for decentralized finance applications that depend on accurate price feeds, weather data, or supply chain verification.
Post-quantum cryptographic protocols could enable more sophisticated multi-party computation, allowing multiple parties to jointly compute functions over their private data without revealing that data to each other. This opens possibilities for decentralized financial products, privacy-preserving auctions, and confidential voting systems that are currently impractical.
Academic and Industry Collaboration
The quantum threat has catalyzed unprecedented collaboration between the cryptocurrency community and mainstream computer science research. NIST's post-quantum cryptography standardization effort included input from blockchain researchers and cryptocurrency companies. Academic conferences increasingly feature sessions on quantum-safe blockchain design.
This collaboration benefits both sides. Cryptocurrency's real-world deployment provides testing grounds for post-quantum algorithms under adversarial conditions with actual economic value at stake. Meanwhile, blockchain systems benefit from cutting-edge cryptographic research that might otherwise take years to filter into production systems.
Major technology companies including Google, IBM, Microsoft, and Amazon are investing billions in quantum computing research while simultaneously developing quantum-safe cryptography and consulting with blockchain projects. This creates a rare alignment of interests where the same companies advancing quantum capabilities also contribute to defending against quantum threats.
Reframing the Narrative
Perhaps most importantly, viewing quantum computing purely as a threat misses the opportunity to reshape cryptocurrency's security model for the better. Every cryptographic transition - from DES to AES, from SHA-1 to SHA-256, from RSA to elliptic curves - has ultimately strengthened systems by forcing migrations to better algorithms.
Bitcoin's eventual adoption of post-quantum cryptography will create an opportunity to address other protocol limitations simultaneously. A coordinated upgrade could implement not just quantum resistance but also signature aggregation, better privacy features, improved scripting capabilities, and efficiency improvements that have been long desired but difficult to deploy through isolated soft forks.
The quantum transition might also resolve ongoing debates about Bitcoin's rigid conservatism versus pragmatic evolution. When quantum computers demonstrably threaten ECDSA, even the most conservative community members will recognize the need for substantial protocol changes. This creates political cover for upgrades that might be desirable for other reasons but lack consensus under normal circumstances.
Expert Forecasts and Diverging Views
The quantum computing timeline remains one of the most contentious aspects of the Bitcoin security debate, with expert opinions ranging from "decades away" to "possibly within 10 years." Understanding these divergent perspectives provides crucial context for evaluating how urgently Bitcoin needs quantum-resistant upgrades.
The Optimists: Decades of Safety
Adam Back, CEO of Blockstream and a highly respected cryptographer, represents the conservative view on quantum timelines. Back has consistently argued that quantum computers capable of threatening Bitcoin remain decades away, not years. In a June 2025 interview, Back acknowledged that quantum computing could eventually become relevant but emphasized that the timeline spans "decades, not years" and that proactive but gradual measures provide adequate protection.
Back's perspective is informed by deep understanding of both the theoretical requirements and practical engineering challenges. He notes that quantum computers must not only achieve the raw qubit count necessary for Shor's algorithm but also maintain error rates low enough for fault-tolerant computation throughout the extended calculation period. Current systems are orders of magnitude away from meeting these requirements simultaneously.
Michael Saylor, executive chairman of Strategy (formerly MicroStrategy) and one of Bitcoin's most prominent institutional advocates, has been even more dismissive of near-term quantum threats. In multiple interviews throughout 2025, Saylor characterized quantum concerns as "mainly marketing from people that want to sell you the next quantum yo-yo token."
Saylor's argument rests on institutional alignment. He points out that major tech companies like Google and Microsoft have more to lose than gain from quantum computers that can break encryption. These companies rely on the same cryptographic systems that secure Bitcoin. If quantum computers threaten ECDSA and RSA, they threaten cloud services, email, e-commerce, and every other encrypted communication on the internet.
"Google and Microsoft aren't going to sell you a computer that cracks modern cryptography because it would destroy Google and Microsoft - and the U.S. government and the banking system," Saylor said in a June 2025 CNBC interview. His view is that when quantum threats do materialize, Bitcoin will upgrade its cryptography just like every other major software system, without catastrophic disruption.
Saylor also argues that quantum-resistant tokens being marketed as "Bitcoin killers" are mostly opportunistic projects capitalizing on fear rather than offering genuine solutions. From his perspective, quantum threats to Bitcoin are not immediate, and when they do arrive, Bitcoin's robust development community and strong incentives for maintaining security will enable effective responses.
The Pragmatists: Start Preparing Now
Not all experts share this sanguine view. Jameson Lopp, chief technology officer at Casa and a prominent Bitcoin security researcher, occupies a middle position. In his February 2025 essay "Against Allowing Quantum Recovery of Bitcoin," Lopp argues that while quantum computers aren't an immediate crisis, the Bitcoin community has less than a decade to implement contingency plans.
Lopp's concern focuses less on the precise quantum timeline and more on Bitcoin's slow governance and the difficulty of achieving consensus on controversial changes. Even if quantum computers capable of breaking ECDSA don't arrive until 2035, Bitcoin needs to start implementing changes now because:
- Reaching consensus on quantum-resistant schemes requires years of debate and testing
- Users need time to migrate funds to new address types
- Lost or abandoned wallets represent a systemic risk if left vulnerable
- Waiting until quantum computers are demonstrably threatening ECDSA might be too late
Lopp advocates for burning coins in vulnerable addresses rather than attempting recovery - a position that has generated significant controversy. He argues this approach best protects property rights by preventing quantum adversaries from claiming funds while also addressing the lost coin problem decisively.
BlackRock's May 2025 IBIT filing warning represents another pragmatic voice. By including quantum computing as a material risk factor in a regulated financial product, BlackRock signals that institutional investors should consider quantum threats as part of their risk assessment, even if the timeline remains uncertain. This reflects a precautionary principle: the potential consequences are severe enough that waiting for certainty might be imprudent.
The Concerned: Sooner Than We Think
Some researchers and organizations believe quantum threats could materialize faster than the consensus estimates suggest. NIST experts have stated that quantum computers capable of breaking current cryptographic standards could arrive within 10 to 20 years, with some private forecasts suggesting it could happen even sooner.
In 2025, researchers from Project Eleven launched a quantum challenge offering one Bitcoin to anyone who can break elliptic curve cryptography using a quantum computer. Their assessment is that around 2,000 logical (error-corrected) qubits may be enough to break a 256-bit ECC key - something they believe is achievable within the next decade.
Google researcher Craig Gidney published work in May 2025 suggesting that RSA-2048 could be factored with fewer than 1 million qubits in under a week - a 20-fold decrease from previous estimates. While RSA and ECC aren't identical, the algorithmic improvements demonstrated for one problem often apply to the other. If quantum algorithms continue improving while hardware scales up, the timeline could compress significantly.
IBM's concrete roadmap to fault-tolerant quantum computing by 2029 with 200 logical qubits represents another data point suggesting quantum threats might materialize in the early 2030s rather than the 2040s or 2050s. IBM Quantum Starling, scheduled for 2029, won't have enough logical qubits to threaten Bitcoin immediately. But if IBM successfully demonstrates fault-tolerant quantum computing at that scale, scaling to the 2,000+ logical qubits needed for cryptanalysis might happen relatively quickly - perhaps within another 5-10 years.
At CES 2025, Nvidia CEO Jensen Huang stated that a major breakthrough in quantum computing is likely 15 to 30 years away, with 20 years being the most realistic estimate. This puts quantum threats to cryptography somewhere between 2040 and 2055 - a timeframe that seems comfortable but could arrive faster if Huang's estimate proves conservative.
Interpreting the Divergence
Why do expert opinions diverge so widely? Several factors contribute to the uncertainty:
Defining the Threat Threshold: Different experts use different metrics for when quantum computers become "threatening." Some focus on demonstrating Shor's algorithm on any cryptographically relevant problem. Others require quantum computers that can break Bitcoin's specific ECDSA implementation within the narrow time window of unconfirmed transactions. These represent vastly different capability levels.
Secret vs. Public Development: Public quantum computing efforts through companies like IBM, Google, and academic institutions are transparent, allowing detailed assessment. But classified government programs at agencies like NSA, GCHQ, or their Chinese and Russian equivalents operate in secret. Some experts suspect classified programs might be years ahead of publicly known capabilities, though evidence for this remains speculative.
Algorithmic Unknowns: Current estimates assume Shor's algorithm and existing error correction schemes. A breakthrough in quantum algorithms that further reduces qubit requirements could dramatically accelerate timelines. Conversely, fundamental barriers to scaling quantum computers might emerge that push timelines back.
Engineering vs. Theory: Computer science theory and practical engineering often diverge. Theoretically, we understand how to build quantum computers with millions of qubits. Engineering systems that actually work at that scale - maintaining coherence, implementing error correction, and integrating with classical control systems - presents challenges that might prove much harder or easier than current extrapolations suggest.
The prudent interpretation is that quantum threats to Bitcoin are not immediate but also not safely distant. A realistic timeline suggests the late 2020s to mid-2030s as the period when quantum computers might begin posing credible threats to elliptic curve cryptography, with significant uncertainty in both directions.
The Road Ahead: Preparing for a Post-Quantum Bitcoin
As quantum computing advances and timelines compress, the cryptocurrency community faces crucial decisions about when and how to implement quantum-resistant upgrades. The path forward requires technical preparation, community consensus, and vigilant monitoring of both quantum computing progress and on-chain activity.
Signals to Watch For
Several indicators would signal that quantum threats are transitioning from theoretical to practical:
Large Movements from Vulnerable Addresses: The clearest warning sign would be sudden, coordinated movements from multiple old P2PK addresses, particularly those dormant for many years. While individual reactivations have innocent explanations, a pattern of simultaneous movements from addresses with no prior relationship would suggest a quantum attacker systematically targeting vulnerable coins.
Real-Time Key Extraction: If funds move from an address immediately after its public key is revealed during transaction broadcasting - faster than blockchain confirmation times - this would indicate an attacker can extract private keys in real-time. This represents the nightmare scenario for Bitcoin security and would demand immediate emergency protocol changes.
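The two on-chain signals above, as detection logic run over constructed spend records (an added example, not the article's code; addresses, txids and timestamps are placeholders): a group of long-dormant, key-exposed addresses whose first spends cluster inside one window, and an address whose second coin is moved by a different transaction within seconds of the first spend that revealed its key.

```python
"""Detection logic for the two on-chain warning signals described above:
coordinated sweeps of long-dormant, key-exposed addresses, and a second spend
from an address arriving seconds after its public key was first broadcast.
Added example, not the article's code; the spend records are constructed and
the addresses, txids and timestamps are placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

YEAR = 365 * 24 * 3600


@dataclass(frozen=True)
class Spend:
    """One transaction input, as first observed in the mempool or a block."""
    seen_at: int        # unix time the spending tx was first seen
    txid: str
    address: str        # address of the coin being spent
    utxo: str           # "txid:index" of the coin being spent
    key_exposed: bool   # was the address's pubkey already on chain before this spend?
    last_active: int    # unix time the coin was received


def coordinated_dormant_sweeps(spends: List[Spend], window: int = 3600,
                               min_years: int = 5, min_addresses: int = 3) -> List[List[str]]:
    """Groups of distinct dormant, key-exposed addresses whose first spend falls
    inside one `window`; spends sharing a txid count once, since a single tx
    consolidating several inputs is one owner, not a coordinated sweep."""
    first: Dict[str, Tuple[int, str]] = {}
    for s in sorted(spends, key=lambda s: s.seen_at):
        if s.key_exposed and s.seen_at - s.last_active >= min_years * YEAR:
            first.setdefault(s.address, (s.seen_at, s.txid))
    events = sorted((t, txid, a) for a, (t, txid) in first.items())
    alerts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        group = events[i:j + 1]
        if len({txid for _, txid, _ in group}) >= min_addresses:
            alerts.append([a for _, _, a in group])
        i = j + 1
    return alerts


def realtime_key_extraction(spends: List[Spend], max_delay: int = 600) -> List[Tuple[str, int]]:
    """Addresses where a different coin is spent by a different tx within
    `max_delay` seconds of the first spend (the moment the key became public).
    600 s is roughly one block, i.e. faster than the first spend can confirm."""
    by_addr: Dict[str, List[Spend]] = defaultdict(list)
    for s in spends:
        by_addr[s.address].append(s)
    alerts: List[Tuple[str, int]] = []
    for addr, lst in by_addr.items():
        lst.sort(key=lambda s: s.seen_at)
        reveal = lst[0]
        if reveal.key_exposed:
            continue  # key was already public; nothing new was revealed here
        for s in lst[1:]:
            delay = s.seen_at - reveal.seen_at
            if s.txid != reveal.txid and s.utxo != reveal.utxo and delay <= max_delay:
                alerts.append((addr, delay))
                break
    return alerts


T = 1_760_000_000  # constructed reference time (October 2025)
SAMPLE_SPENDS = [
    # three unrelated P2PK coins, idle for 12 years, all moved within 25 minutes
    Spend(T, "tx1", "D1", "old1:0", True, T - 12 * YEAR),
    Spend(T + 600, "tx2", "D2", "old2:0", True, T - 12 * YEAR),
    Spend(T + 1500, "tx3", "D3", "old3:0", True, T - 12 * YEAR),
    # ordinary recent activity
    Spend(T + 2000, "tx4", "N1", "rcv:0", False, T - 30 * 24 * 3600),
    # R's key appears in txA; 45 s later txB moves R's other coin
    Spend(T + 5000, "txA", "R", "rA:0", False, T - 2 * YEAR),
    Spend(T + 5045, "txB", "R", "rA:1", True, T - 2 * YEAR),
    # S spends two coins in one tx: normal consolidation, not flagged
    Spend(T + 6000, "txC", "S", "rS:0", False, T - YEAR),
    Spend(T + 6000, "txC", "S", "rS:1", False, T - YEAR),
]

if __name__ == "__main__":
    print(coordinated_dormant_sweeps(SAMPLE_SPENDS))  # [['D1', 'D2', 'D3']]
    print(realtime_key_extraction(SAMPLE_SPENDS))     # [('R', 45)]
```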
Quantum Computing Milestones: Announcements of quantum computers achieving certain capability thresholds should trigger heightened concern:
- Quantum computers demonstrating 1,000+ logical qubits with low error rates
- Successful implementation of Shor's algorithm on problems approaching cryptographic scales
- Demonstrations of quantum systems maintaining coherence through calculations requiring billions of gates
Academic Breakthroughs: Papers demonstrating significant reductions in the qubit requirements for breaking ECDSA, improvements in quantum error correction, or novel algorithms that accelerate cryptanalysis would all warrant attention. The quantum computing literature should be monitored for results that compress timelines.
Technical Preparations
The Bitcoin development community should continue several preparatory efforts even before quantum threats become immediate:
Standardization and Testing: Selecting which post-quantum algorithms Bitcoin should adopt requires extensive analysis, testing, and community review. NIST's standardized algorithms provide a starting point, but Bitcoin's specific requirements - decentralization, open-source auditability, signature size constraints, and computational efficiency for node operators - might favor different choices than traditional cryptographic applications.
Wallet Infrastructure: Wallet software needs to implement support for quantum-resistant signature schemes before they're required at the protocol level. This allows early adopters to begin using quantum-safe addresses voluntarily, creating a template for eventual mandatory migration. Hardware wallet manufacturers must update firmware to support new algorithms.
Transaction Format Design: Quantum-resistant transactions will likely require different data structures than current Bitcoin transactions. Designing these formats with consideration for efficiency, privacy, and potential future upgrades will prevent technical debt. Script opcodes for post-quantum signature verification must be carefully designed.
Testing on Testnets: Before any quantum-resistant change is deployed to Bitcoin mainnet, it must be tested extensively on testnet and signet to verify that the implementation works correctly, that nodes can validate the new transaction types efficiently, and that it neither interacts unexpectedly with existing protocol rules nor introduces new vulnerabilities.
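Signature size is one of the constraints listed above, and the conclusion of this article names hash-based signatures as one viable post-quantum family. The following added example (not Bitcoin's code, and not from any proposal discussed here) implements a Lamport one-time signature over SHA-256 so that the size trade-off can be measured concretely and the scheme's one-time property can be observed. Bitcoin does not use Lamport signatures; the sample message, the `sizes` and `secrets_revealed` helpers and the comparison figures for ECDSA are the author's constructed illustration.

```python
"""Lamport one-time signatures: a hash-based scheme, shown to illustrate the
size trade-offs a post-quantum Bitcoin transaction format would have to absorb.

Added example, not Bitcoin code. Security rests only on the preimage
resistance of SHA-256, which Grover's algorithm weakens but does not break,
rather than on the discrete-log problem that Shor's algorithm attacks.
"""
import hashlib
import os
from typing import Dict, List, Tuple

N = 256  # bits in a SHA-256 digest, so N secret pairs per key

Secrets = List[Tuple[bytes, bytes]]
PublicKey = List[Tuple[bytes, bytes]]


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom) -> Tuple[Secrets, PublicKey]:
    """Secret key: N pairs of random 32-byte values. Public key: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes) -> List[int]:
    """SHA-256 of the message as a list of 256 bits, most significant bit first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk: Secrets, message: bytes) -> List[bytes]:
    """Reveal, for each digest bit, the secret from the matching half of the pair."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(pk: PublicKey, message: bytes, sig: List[bytes]) -> bool:
    """Hash each revealed secret and compare with the public-key half the digest selects."""
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, digest_bits(message))))


def sizes(pk: PublicKey, sig: List[bytes]) -> Dict[str, int]:
    """Byte counts a transaction would have to carry, for comparison with ECDSA's
    33-byte compressed public key and roughly 71-byte DER signature."""
    return {
        "pubkey_bytes": sum(len(a) + len(b) for a, b in pk),
        "signature_bytes": sum(len(s) for s in sig),
    }


def secrets_revealed(sk: Secrets, messages: List[bytes]) -> int:
    """How many of the 2*N secrets are exposed after signing the given messages.

    One signature reveals exactly N of them; a second signature on a different
    message reveals more, which is why the key is one-time only and why any
    transaction format built on this family must make key reuse impossible.
    """
    revealed = set()
    for m in messages:
        for i, bit in enumerate(digest_bits(m)):
            revealed.add((i, bit))
    return len(revealed)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"example transaction"   # constructed sample message
    sig = sign(sk, msg)
    print(verify(pk, msg, sig), sizes(pk, sig))
    print("secrets exposed after two signatures:", secrets_revealed(sk, [b"tx-1", b"tx-2"]))
```

Running it shows a 16,384-byte public key and an 8,192-byte signature per input, more than a hundred times the ECDSA data a current P2PKH input carries, which is exactly why the article's "signature size constraints" point matters for block space and node bandwidth. Production hash-based schemes (Winternitz chains, Merkle trees as in XMSS and SPHINCS+) shrink these numbers and manage the one-time limitation, but the same trade-off between hash-only security assumptions and witness size remains.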
Building Community Consensus
Perhaps the most challenging part of Bitcoin's path to quantum safety is reaching consensus on contentious questions:
Hard Fork vs. Soft Fork: Some quantum-resistant changes might be implementable as a soft fork (a backward-compatible upgrade), while others may require a hard fork (not backward compatible). The Bitcoin community has traditionally preferred soft forks to preserve network cohesion, but the quantum threat may call for more disruptive changes.
Mandatory vs. Voluntary Migration: Should Bitcoin set a deadline that forces migration to quantum-resistant addresses (as QRAMP proposes), or proceed voluntarily and gradually? Mandatory migration offers a clear security guarantee, but it would effectively "burn" (irrecoverably) bitcoin whose private keys are lost, and it would face political resistance. Voluntary migration is gentler, but if adoption is too slow the network's exposure remains.
What to Do with Lost Bitcoin: There is no consensus on whether bitcoin held in quantum-vulnerable addresses should be destroyed, recovered, or redistributed. The question touches property rights, Bitcoin's philosophy, and practical risk management, and resolving it will require broad community discussion and compromise.
Timeline for Action: When should Bitcoin implement quantum-resistant upgrades? Acting too early risks adopting immature algorithms or spending development resources prematurely; acting too late risks a catastrophic attack. Finding the right moment requires continuous assessment of quantum risk and enough strategic flexibility to respond quickly if quantum computing advances suddenly.
Broader Industry Implications
Bitcoin's quantum challenge affects the entire cryptocurrency ecosystem. Ethereum, with more flexible governance and active research into account abstraction and STARKs, may implement quantum-resistant schemes before Bitcoin does. If so, Ethereum could market quantum safety as a selling point, putting further security pressure on Bitcoin.
Stablecoins rely heavily on multisignature schemes and smart contracts, so they are exposed whenever the blockchains they run on have quantum vulnerabilities. The issuers of Tether and USDC both need to assess the quantum risk of the networks they use, which may drive demand for quantum-resistant blockchain infrastructure.
Central banks around the world are developing central bank digital currencies (CBDCs), and these generally incorporate post-quantum cryptography from the early design stage, drawing lessons from the challenges facing existing cryptocurrencies. That could give CBDCs a security advantage over older blockchain systems, and governments may cite it as a reason to promote CBDCs over decentralized cryptocurrencies.
Privacy coins such as Monero and Zcash face their own quantum challenges. Monero's ring signatures and stealth addresses could fail against a quantum computer, and Zcash's zkSNARKs may need to be replaced by STARKs or other quantum-resistant zero-knowledge proofs. The privacy-focused segment of the cryptocurrency market must keep evolving in response to the quantum threat.
The Important Role of Education
An often-overlooked part of quantum preparedness is education. The Bitcoin community, cryptocurrency users, and the general public all need a deeper understanding of quantum computing: what it is, what it is not, the actual threat it poses, and a realistic timeline.
Because many cryptocurrency users lack the technical background to critically evaluate claims about quantum computing, misinformation and FUD (fear, uncertainty, and doubt) such as Mandell's assertion spread very quickly. Educational measures could include:
- Clear, accessible explanations of the basics of quantum computing
- Regular updates on quantum computing progress from reliable sources
- Guidance for users on quantum-resistant security measures they can take today
- Open and transparent communication from Bitcoin developers about plans and timelines
A well-informed community can make wiser decisions on quantum questions and avoid both unfounded panic and dangerous complacency.
Final Thoughts
The relationship between quantum computing and Bitcoin is more nuanced than either the alarmist or the dismissive voices suggest. Quantum computers will not "destroy Bitcoin overnight," as some headlines exaggerate. But neither is quantum computing harmless background noise that Bitcoin can afford to ignore.
Josh Mandell's October 2025 claim that quantum computers are already stealing bitcoin is false: there is no evidence, current hardware is not capable of it, and the blockchain data shows the opposite. But the fact that such claims spread so widely reflects genuine concern about the quantum threat within the crypto community, and that concern deserves a response grounded in facts, preparation, and rational action.
On the technical side, no known quantum computer comes anywhere close to breaking Bitcoin's ECDSA. Doing so would require a large fault-tolerant system with millions of physical qubits running billions of quantum gates, which most experts estimate is at least a decade away, possibly much longer.
But quantum computing is advancing. Google's Willow chip has demonstrated below-threshold error correction. IBM's plan to reach 200 logical qubits by 2029 is concrete and funded. Academic research keeps improving quantum algorithms and reducing the number of qubits required. The window between "quantum computers cannot threaten Bitcoin" and "quantum computers are attacking Bitcoin" may be narrower than most people imagine.
Bitcoin's quantum vulnerability is real but manageable. The cryptocurrency community has had warning since Shor's algorithm was published in 1994. Post-quantum cryptography such as lattice-based and hash-based signatures already offers viable alternatives. Proposals such as QRAMP lay out systematic migration paths, even if they remain controversial.
The economic and ethical dimensions make the whole question far more than purely technical. Millions of bitcoin currently sit in potentially quantum-vulnerable addresses, including Satoshi's legendary million coins. Should those assets ever move again, they would raise hard questions about property rights, network security, market stability, and Bitcoin's fundamental value.
There is also reason for optimism. The same quantum revolution that threatens today's cryptography can also drive stronger security, better protocols, and new capabilities beyond the reach of classical computing. Post-quantum cryptography is not only a defense against quantum attacks; it marks an evolution toward stronger security.
The crypto industry still has time to prepare for, adapt to, and even benefit from the quantum transition, provided it acts with the appropriate sense of urgency. The real challenge is not "quantum versus Bitcoin" but whether the cryptocurrency ecosystem can evolve faster than the technology that could break it.
That requires effort on several fronts: continuous monitoring of quantum computing progress; active research into quantum-resistant protocols; public education to curb misinformation; community consensus on hard questions such as migration timelines and the handling of lost coins; and the judgment to distinguish real threats that demand action from mere hype.
Since Satoshi started mining in 2009, Bitcoin has survived exchange thefts, regulatory crackdowns, scaling wars, and countless obituaries. This time is different, because the threat goes directly to Bitcoin's cryptographic foundations: not an external attack or a governance dispute, but a fundamental change in computing capability.
But Bitcoin's history also shows remarkable adaptability. Conservative as the community is, critical upgrades such as SegWit and Taproot were eventually implemented. When the threat is clear and the solution is ready, the Bitcoin community has always found a way through. Why should the quantum transition be any different? With foresight, there is no need to wait until the crisis is upon us and only desperate options remain.
The quantum era will arrive: perhaps not today or tomorrow, but not necessarily as far off as many imagine. When it does, Bitcoin will have to evolve. The Bitcoin that emerges will be more secure, more sophisticated, and more battle-tested than today's. Handled well, the quantum crisis can strengthen Bitcoin's foundations for further growth and adoption.
The choice facing the Bitcoin community now is not whether to prepare, but how urgently and how thoroughly to act. The road ahead runs between the panic of those who treat every quantum announcement as an imminent threat and the confidence of those who consider quantum risk too distant to matter. The best path is evidence-based, expert-guided, and faithful to Bitcoin's ultimate purpose: to secure the hardest money in human history, whatever technological changes the future brings.

