Can Quantum Computers Break Bitcoin? What the Evidence Says About the Timeline, the Threat and the Fixes

Kostiantyn Tsentsura, Oct 03 2025 16:35
In early October 2025, a since-deleted social media post shook the cryptocurrency community. Former Wall Street trader Josh Mandell made a startling claim: quantum computers were already being used to steal Bitcoin from long-dormant wallets, particularly wallets that had been abandoned or whose owners had died. According to Mandell, a "big player" had found a way to extract Bitcoin directly from such wallets without touching the open market, leaving only blockchain analysts able to trace the activity.

The accusation was explosive. If true, it would undermine the foundation of Bitcoin's security model, the principle that control of a private key is exclusive control of the asset. Within hours the rumor set off heated debate on crypto forums, social media and industry publications. Some were alarmed, some skeptical, and many simply confused: had the quantum threat, discussed for years, finally arrived?

Bitcoin domain experts and the broader crypto community responded quickly and unambiguously: this has not happened. Harry Beckwith, founder of Hot Pixel Group, said flatly: "The chance of this happening right now is literally zero." Matthew Pines of the Bitcoin Policy Institute dismissed the claim as "false" and criticized the complete absence of evidence. The technical consensus is clear: quantum computing will eventually pose a genuine risk to Bitcoin, but today's quantum computers fall far short, in qubit count, error correction and computational capacity, of what a cryptographic attack would require.

Still, even debunked, Mandell's viral claim revealed something: the quantum threat has entered mainstream awareness, and the line between reasonable concern and baseless panic has become dangerously blurred. With Google unveiling its 105-qubit Willow chip in December 2024, IBM planning a fault-tolerant quantum computer by 2029, and asset-management giant BlackRock adding a quantum-computing risk warning to its Bitcoin ETF filing in May 2025, the question is no longer whether quantum computers will threaten cryptocurrencies, but when, and how the industry should respond.

This article examines the real relationship between quantum technology and Bitcoin, separating hype from reality. Rather than simply declaring that quantum computers will "destroy Bitcoin" or pose "no threat at all", we look at the actual timelines, the technical thresholds, the economic stakes, the ethical disputes, and even the potential benefits quantum computing could bring to the crypto ecosystem. The truth, as usual, lies somewhere between panic and complacency.

Quantum Computing 101 for Crypto Readers

To understand the quantum threat to Bitcoin, you first have to understand how quantum computers differ fundamentally from the classical computers that have driven the digital revolution for the past 70 years.

The Origins of Quantum Computing

The story of quantum computing begins not with computers but with light. In 1905, Einstein published his groundbreaking paper on the photoelectric effect, showing that light is not only a wave but can also be treated as discrete packets of energy (photons). That discovery laid a cornerstone of quantum mechanics, a new theory of nature at the smallest scales, which tells us that particles can exist in multiple states at once, that observation changes what is observed, and that distant particles can be mysteriously entangled.

For decades quantum mechanics remained largely a theoretical pursuit of physicists. That changed in 1994, when mathematician Peter Shor proposed a revolutionary algorithm. Shor's algorithm showed that a sufficiently powerful quantum computer could factor large numbers exponentially faster than any classical computer. The implications for cryptography were profound, because much of modern encryption relies on the difficulty of factoring the product of two large primes or of solving discrete logarithm problems.

Quantum computing thus moved from an academic topic to a matter of national security and economic competition. Governments and technology companies poured in resources to be the first to build a usable quantum computer and to position themselves for an era in which today's mainstream encryption might fail.

How Quantum Computers Work

At the heart of quantum computing is the "qubit". A classical bit is always in one of two definite states, 0 or 1; a qubit can be in a "superposition" of 0 and 1 until the moment it is measured, when it "collapses" to a single outcome. This is not a metaphor; it is the most basic nature of quantum mechanics.

When several qubits are combined, the number of possible configurations grows exponentially. Two classical bits can represent four states, but only one at a time; two qubits can hold all four "simultaneously". With more qubits the computational space explodes: 10 qubits span 1,024 states, 50 qubits about 10^15 (a quadrillion), and 300 qubits more states than there are atoms in the observable universe.

This massive parallelism is aided by two further quantum phenomena, entanglement and interference. Entanglement creates correlations between qubits with no classical counterpart: measuring one affects the others, regardless of distance. Interference lets the amplitudes of correct answers reinforce one another while wrong answers cancel, so the computation converges on the solution rather than on a random one of the many states in superposition.

These properties let quantum computers attack certain problems in entirely new ways: simulating molecular behavior, optimizing complex systems and, most relevant here, breaking specific kinds of cryptography, far faster than classical supercomputers.

The State of Quantum Hardware

The gap between theory and practice, however, remains vast. The very properties that make qubits powerful also make them extremely fragile. Qubits are highly sensitive to environmental disturbance (heat, electromagnetic radiation, vibration); the slightest noise introduces errors or destroys the delicate quantum state the computation depends on. This "decoherence" can happen on a timescale of microseconds.

In December 2024 Google unveiled its Willow quantum chip, the current state of the art. Willow has 105 physical qubits with an average connectivity of 3.47. The chip marked a breakthrough in quantum error correction, with single-qubit gate error rates down to 0.035%. More importantly, Willow was the first to demonstrate that adding more qubits can reduce the logical error rate, the so-called "below threshold" regime of error correction, a result scientists had pursued for almost three decades.

One calculation Willow performed took under five minutes, while today's fastest supercomputer is estimated to need 10 septillion (10^25) years, far longer than the age of the universe. Critics note that the calculation was "random circuit sampling", a specialised benchmark rather than a practical application, but the result shows quantum computers can genuinely outperform classical computation on some tasks.

IBM has laid out a grander roadmap: in 2025 a Nighthawk processor with 120 qubits capable of running 5,000 gates; by 2028 multiple modules linked into systems of over a thousand qubits. The ultimate goal is IBM Quantum Starling in 2029, a large fault-tolerant quantum computer with 200 logical qubits running 100 million quantum gates.

Impressive as these achievements are, they also illustrate how far current quantum computers remain from threatening Bitcoin. Today's systems have on the order of a hundred to a thousand physical qubits; breaking Bitcoin's cryptography will demand a vastly larger scale.

Bitcoin's Cryptography and the Quantum Threat

To judge whether Bitcoin is vulnerable to quantum computers, you need to understand the cryptographic foundations that secure the network and its funds.

Two Lines of Defense: ECDSA and SHA-256

Bitcoin relies on two cryptographic systems with distinct security roles. The first is the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve. ECDSA ties a user's private key (which must stay secret) to a public key (which can be shared). When you spend Bitcoin you sign with the private key to prove ownership; anyone can verify the signature with the public key, while recovering the private key from the public key is considered infeasible for classical computers. Since the Taproot upgrade, Bitcoin also uses Schnorr signatures (BIP340) on the same curve; both schemes rest on the same hard problem, so everything said below about ECDSA applies to them equally.

ECDSA's security rests on the elliptic curve discrete logarithm problem: given the curve's generator point and the result of multiplying it by a private key, recovering that key is extremely hard. At a 256-bit key size there are about 2^256 possible private keys, and the best known classical attacks (generic methods such as Pollard's rho) still need on the order of 2^128 curve operations; even if every classical computer on Earth cooperated in the search, it would take far longer than the age of the universe.

Bitcoin's second cryptographic line of defense is the SHA-256 hash function, used both in mining (miners compete to find specific hash values) and in generating addresses (public keys are hashed to create shorter, more convenient addresses; for legacy and SegWit v0 addresses the key is hashed with SHA-256 and then RIPEMD-160). Hash functions are one-way: it is easy to compute the hash of any input, but practically impossible to reverse the process and find an input that produces a specific hash.

Shor's Algorithm: The Quantum Sword

Here's where quantum computers enter the picture. In 1994, Peter Shor demonstrated that a sufficiently powerful quantum computer running his algorithm could solve the discrete logarithm problem - and by extension, break elliptic curve cryptography - in polynomial time. Instead of needing exponential computational resources that would take eons, Shor's algorithm could potentially crack a 256-bit ECDSA key in hours or even minutes, given adequate quantum hardware.

The mechanism is elegant but complex. Shor's algorithm transforms the discrete logarithm problem into a period-finding problem, which quantum computers can solve efficiently using the quantum Fourier transform. By exploiting superposition and interference, the algorithm can simultaneously explore many potential solutions and extract the correct period, which then yields the private key.

This isn't theoretical handwaving: Shor's algorithm has been run on small quantum computers to factor tiny numbers such as 15 (in 2001, on an NMR device) and 21 (in 2012, on a photonic device). While these are trivially easy for classical computers, they showed that the algorithm works in principle. Two caveats apply when reading such demonstrations: the circuits were heavily simplified using prior knowledge of the answer, so they do not exercise the full algorithm, and scaling to cryptographically relevant sizes is the entire challenge.

The Qubit Threshold Problem

How many qubits would actually be needed to break Bitcoin's ECDSA encryption? This question sits at the heart of timeline debates, and the answer is more nuanced than a single number suggests.

Research suggests that breaking a 256-bit elliptic curve key like Bitcoin's secp256k1 using Shor's algorithm would require approximately 2,000 to 3,000 logical qubits. One frequently cited estimate (Roetteler et al., 2017) puts the requirement at about 2,330 logical qubits and roughly 126 billion Toffoli gates.

However, the crucial distinction lies between logical qubits and physical qubits. A logical qubit is an error-corrected computational unit - the stable, reliable qubit that Shor's algorithm requires. Each logical qubit must be constructed from many physical qubits working together to detect and correct errors. Current error correction schemes might require anywhere from hundreds to thousands of physical qubits to create a single logical qubit, depending on the error rates and the correction codes used.

When accounting for error correction overhead, estimates for breaking Bitcoin's ECDSA climb dramatically. Various studies suggest anywhere from 13 million to 317 million physical qubits might be necessary, depending on the desired attack timeframe and the quality of the quantum hardware. For context, Google's Willow chip has 105 physical qubits - meaning we would need systems roughly 100,000 to 3 million times larger than current cutting-edge hardware.

There's another critical factor: speed. For hash-based outputs (P2PKH and P2WPKH), the public key only appears on the network when a spending transaction is broadcast, and in modern Bitcoin usage that transaction is typically confirmed within 10 to 60 minutes. An attacker using a quantum computer to recover the private key from the public key would have to finish the computation, and get a conflicting higher-fee transaction mined, inside that narrow window, before the legitimate transaction confirms. Note that this window only protects outputs whose key was hidden: P2PK outputs and reused addresses already have their keys on chain, so an attacker can work on them at leisure.

This time constraint dramatically increases the hardware requirements. In the Webber et al. estimate, roughly 13 million physical qubits suffice if the attacker can take a full day, while cracking a key within one hour pushes the figure to about 317 million, because the work has to be spread across many more qubits running in parallel.

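The logical-versus-physical gap is easiest to see by sizing a machine yourself. The following is an added example, not the methodology behind the 13 million to 317 million figures above (which also model magic-state factories, routing and wall-clock limits). It uses the standard surface-code scaling heuristic and the Roetteler et al. budget of 2,330 logical qubits and 1.26e11 gates, and asks what code distance keeps the whole run's failure probability near 1%. The physical error rate of 3e-3 and the 1% threshold are assumptions, chosen so that the model's distance-7 logical error (about 0.08%) is in the same range as Willow's reported 0.14% per cycle.

```python
"""Why 2,330 logical qubits turn into millions of physical ones.
Added example with a deliberately simple model; assumptions are labelled inline."""


def logical_error_rate(p_phys: float, d: int, p_th: float = 1e-2) -> float:
    """Surface-code scaling heuristic p_L ~ 0.1 * (p/p_th)^((d+1)/2)
    (Fowler et al., 2012).  p_phys: physical error per operation; d: code
    distance (odd); p_th: threshold, assumed to be 1% here."""
    return 0.1 * (p_phys / p_th) ** ((d + 1) / 2)


def required_distance(p_phys: float, target: float, p_th: float = 1e-2) -> int:
    """Smallest odd distance whose logical error rate is at or below target."""
    d = 3
    while logical_error_rate(p_phys, d, p_th) > target:
        d += 2
    return d


def physical_qubits(logical_qubits: int, d: int) -> int:
    """Rough count: about 2*d*d physical qubits (data + syndrome) per logical qubit,
    ignoring the extra factories and routing space a real layout needs."""
    return logical_qubits * 2 * d * d


def estimate(logical_qubits: int = 2330, gates: float = 1.26e11,
             p_phys: float = 3e-3, run_failure: float = 0.01,
             p_th: float = 1e-2) -> dict:
    """Size a machine for one ECDLP-256 run (Roetteler et al.: 2,330 logical
    qubits, 1.26e11 Toffoli gates), requiring that the whole run fails with
    probability about run_failure.  p_phys = 3e-3 is an assumption, not a
    measured figure for any real device."""
    target = run_failure / gates            # per-gate logical error budget
    d = required_distance(p_phys, target, p_th)
    return {
        "per_gate_logical_error_target": target,
        "code_distance": d,
        "physical_qubits": physical_qubits(logical_qubits, d),
    }


if __name__ == "__main__":
    r = estimate()
    print(f"per-gate logical error budget: {r['per_gate_logical_error_target']:.1e}")
    print(f"distance d = {r['code_distance']}, physical qubits ~ {r['physical_qubits']:,}")
    print(f"that is ~{r['physical_qubits'] // 105:,}x a 105-qubit Willow chip")
```

Under these assumptions the run needs a per-gate logical error around 8e-14, a distance-47 code, and about 10.3 million physical qubits, roughly 98,000 Willow chips' worth. That this lands near the low end of the published range is partly coincidence: the published one-day figure includes factory overhead, and the one-hour figure is larger mainly because of the time constraint, which this model does not capture.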
Which Wallets Are Most Vulnerable?

Not all Bitcoin addresses face equal quantum risk. The level of vulnerability depends primarily on one factor: whether the public key has been exposed.

The most vulnerable are Pay-to-Public-Key (P2PK) addresses, the original Bitcoin address format that Satoshi Nakamoto used extensively. These addresses contain the public key directly in the blockchain, visible to anyone. Approximately 1.9 million Bitcoin (about 9 percent of the total supply) sit in P2PK addresses, including an estimated 1 million Bitcoin attributed to Satoshi. These coins are immediately vulnerable to anyone with a quantum computer powerful enough to run Shor's algorithm.

Next are Pay-to-Public-Key-Hash (P2PKH) addresses where the public key has been revealed through spending transactions. Once you spend from a P2PKH address, the public key becomes visible on the blockchain. Best practice dictates using each address only once, but many users reuse addresses, leaving remaining funds vulnerable if quantum computers materialize. Industry analysis suggests as much as 25 percent of Bitcoin's circulating supply could be at risk due to exposed public keys - roughly 4 million Bitcoin worth tens of billions of dollars.

Modern address formats differ in what they publish, not in the cryptography they use. SegWit v0 (P2WPKH) works like P2PKH: the output holds only a hash of the key, so the key stays hidden until the output is spent. Taproot (P2TR) is the exception in the other direction: a BIP341 output contains the tweaked x-only public key itself, so its key-path spend is exposed to an ECDLP attacker from the moment the output is funded. Taproot's script paths could be used to add quantum-resistant spending conditions in a future soft fork, which is why it features in these discussions, but no such upgrade is deployed. And every format ultimately reveals its key material when the funds are spent.

The safest Bitcoin addresses are those whose public key has never been revealed: a hash-based output (P2PKH or P2WPKH) that has never been spent from. Against these a quantum attacker must find a key whose HASH160 (SHA-256 followed by RIPEMD-160) matches the 160-bit payload, a preimage search that no known quantum algorithm speeds up more than quadratically, which is far more resistant than ECDSA is against Shor's algorithm.

SHA-256 and Grover's Algorithm

While Shor's algorithm threatens ECDSA, a different quantum algorithm called Grover's algorithm affects hash functions like SHA-256. Unlike Shor's exponential speedup, Grover's algorithm provides only a quadratic speedup for searching unstructured databases.

In practical terms, Grover's algorithm halves the security level of a preimage search, reducing SHA-256 from 256-bit to roughly 128-bit security (and the 160-bit HASH160 behind an unused address to roughly 80 bits). This sounds dramatic, but those levels remain far beyond what any classical or foreseeable quantum computer can reach, all the more so because Grover's search parallelizes poorly and every iteration has to run as an error-corrected quantum circuit. Attacking SHA-256 even with Grover's algorithm would require astronomical computational resources, likely including billions of logical qubits.

The consensus among cryptographers is that SHA-256 is not the immediate concern. The real vulnerability lies in ECDSA and the exposed public keys that make quantum attacks feasible.

Mandell's Quantum Theft Allegation: Dissecting the Claim

Josh Mandell's October 2025 claim represented the latest - and perhaps most viral - entry in a long history of quantum FUD (fear, uncertainty, and doubt) targeting Bitcoin. Let's examine his specific allegations and the evidence against them.

The Allegation in Detail

According to multiple reports, Mandell alleged that:

  • Old, inactive Bitcoin wallets were being quietly drained using quantum computing technology
  • A major actor was accumulating Bitcoin off-market by accessing private keys of wallets whose owners were unlikely to notice or respond
  • The targeted wallets were long-dormant accounts, often assumed abandoned or tied to deceased owners
  • Coins were being extracted without creating market disruptions or large sell orders
  • Only blockchain forensic analysis could reveal suspicious movement patterns
  • Quantum technology had reached a point where it could crack Bitcoin's cryptographic defenses in ways classical computing cannot

Crucially, Mandell offered no hard evidence for these claims. His position was that the scenario was technically possible and might already be unfolding, but this remained unverified and speculative.

Why the Claim Resonated

Mandell's allegation gained traction because it tapped into several real concerns within the Bitcoin community. First, the timing coincided with legitimate advances in quantum computing. Google had just announced its Willow chip, and IBM was publicizing its roadmap to fault-tolerant quantum computing by 2029. The quantum threat suddenly felt more concrete and imminent than it had in previous years.

Second, Bitcoin's mystique around "lost coins" creates a narrative opening for such claims. Between 2.3 million and 3.7 million Bitcoin are estimated to be permanently lost due to forgotten private keys, deceased owners without proper estate planning, or wallets created in Bitcoin's early days and subsequently abandoned. That represents anywhere from 11 to 18 percent of Bitcoin's fixed 21 million supply - hundreds of billions of dollars in value, sitting dormant and potentially vulnerable.

The idea that someone with advanced quantum technology could recover these lost coins before their rightful owners (if they still exist) carries a certain plausibility to those unfamiliar with the technical requirements. It also plays into narratives about secretive state actors, well-funded corporations, or shadowy entities with access to classified technology far beyond what's publicly known.

The Technical Rebuttals

Experts quickly identified numerous problems with Mandell's claim. The most fundamental issue is hardware capability. As we've established, breaking Bitcoin's ECDSA encryption would require anywhere from 13 million to 300 million physical qubits, depending on various factors. Current systems have around 100 to 1,000 qubits - a gap of five to six orders of magnitude.

Google's Willow chip, impressive as it is, operates at 105 physical qubits. Even if we assume extraordinary progress in qubit quality and error correction, the jump to millions of qubits represents not an incremental advance but a transformational breakthrough that would revolutionize not just quantum computing but manufacturing, cooling systems, control electronics, and fundamental physics research. Such a breakthrough happening secretly, without any public indication, strains credibility.

There's also the error correction problem. Current quantum computers have error rates that make extended computations impossible without sophisticated error correction. Google's achievement with Willow was demonstrating "below threshold" error correction for the first time, showing that logical errors decrease as you add more qubits. But the logical error rate achieved (around 0.14 percent per cycle) remains orders of magnitude above what a large algorithm like Shor's needs: a run of on the order of 10^11 logical gates can only tolerate per-gate logical error rates around 10^-12, far below even the 0.0001 percent (10^-6) figure often quoted as the minimum.

Industry experts note that transitioning from laboratory demonstrations of quantum error correction to fault-tolerant machines capable of running Shor's algorithm at cryptographically relevant scales remains a monumental engineering challenge, likely requiring at least another decade of intensive development.

The Blockchain Evidence (or Lack Thereof)

Perhaps most damning to Mandell's claim is the absence of supporting evidence on the blockchain itself. Bitcoin's transparency means all transactions are publicly visible and extensively monitored by blockchain analytics firms, academic researchers, and curious individuals with the technical skills to analyze movement patterns.

If quantum computers were systematically draining dormant wallets, we should see specific signatures:

  • Sudden, simultaneous movements from multiple old P2PK addresses that had been inactive for years
  • Funds moving in coordinated patterns suggesting a single actor with privileged access to multiple wallets
  • A statistical anomaly in the rate of "reawakening" wallets that can't be explained by normal factors

What blockchain analysts actually observe is quite different. Old wallets do occasionally become active again, but these movements align with expected patterns: estate settlements after owners' deaths, long-term holders finally deciding to sell, users recovering old hardware wallets, or security-conscious users migrating funds to new address types.

Importantly, these reactivations typically involve wallets with known histories and plausible explanations. There's no wave of mysterious, coordinated movements from the oldest, most vulnerable addresses that would indicate quantum-powered theft.

Blockchain analytics firm Chainalysis and others have examined movement patterns from early Bitcoin addresses and found no evidence of anomalous activity that would suggest quantum attacks. The dormant coins remain dormant.

The Economic Logic Problem

There's also an economic argument against current quantum theft. If a state actor or well-funded organization had successfully developed quantum computers capable of breaking Bitcoin's cryptography, would they really deploy this capability in a manner that might be detected?

Such technology would be one of the most valuable secrets in the world, with applications far beyond cryptocurrency. It could break government communications, compromise military systems, undermine financial infrastructure, and render trillions of dollars worth of encrypted data vulnerable. Using it to steal Bitcoin - and risking detection that would alert the world to this capability - makes little strategic sense.

A rational actor with quantum capability would more likely wait, accumulate as much intelligence and economic advantage as possible under the radar, and only reveal the technology when absolutely necessary or when doing so advances a larger strategic objective. Stealing Bitcoin from dormant wallets, while potentially profitable, would risk exposing the quantum capability for relatively modest gains compared to the technology's full potential.

Economic and Ethical Dimensions: The Lost Bitcoin Problem

While Mandell's specific claim of current quantum theft lacks evidence, his allegation raises profound questions about Bitcoin's future in a post-quantum world. What happens if - or when - quantum computers become powerful enough to recover "lost" Bitcoin? The economic and ethical implications deserve serious consideration.

The Magnitude of Lost Bitcoin

Current estimates suggest between 2.3 million and 3.7 million Bitcoin are permanently lost. This includes:

  • Coins in wallets where private keys were lost or never properly backed up
  • Bitcoin sent to wallets of deceased individuals whose heirs lack access
  • Coins in early P2PK addresses from Bitcoin's first years, when the cryptocurrency had little value and security practices were lax
  • Bitcoin in addresses that have shown no activity for over a decade, suggesting abandonment

The most famous potentially lost Bitcoin belongs to Satoshi Nakamoto. The Bitcoin creator is estimated to have mined around 1 million Bitcoin in the network's first year, all stored in early P2PK addresses. Satoshi has never moved any of these coins, and the creator's identity remains unknown. Whether Satoshi still has access to these wallets, chose to permanently lock them away, or lost the keys entirely is one of Bitcoin's greatest mysteries.

Then there's the Mt. Gox hack. In 2014, the then-largest Bitcoin exchange collapsed after losing approximately 850,000 Bitcoin to theft. While some coins were recovered, a wallet associated with the hack still holds nearly 80,000 Bitcoin - about 0.4 percent of Bitcoin's total supply - sitting dormant on the blockchain.

These lost coins have become, in effect, deflationary forces. They reduce Bitcoin's practical circulating supply, making each remaining coin slightly more valuable. Many Bitcoiners view this as a feature rather than a bug - a natural consequence of a truly decentralized system where no authority can recover lost funds.

The Quantum Recovery Scenario

Now imagine quantum computers advance to the point where they can efficiently crack ECDSA encryption. Suddenly, those millions of lost Bitcoin become accessible - not to their original owners (who lack the private keys) but to whoever has the quantum capability to derive private keys from the exposed public keys.

This creates an unprecedented situation. Bitcoin that markets have essentially written off as permanently lost could flood back into circulation. The price impact would be severe. Even the possibility of such a recovery could trigger panic selling as investors try to front-run the hypothetical flood of supply.

In May 2025, BlackRock added explicit warnings about quantum computing to its iShares Bitcoin Trust (IBIT) filing, one of the most popular Bitcoin ETFs. The filing warned that advances in quantum computing could threaten Bitcoin's cryptographic security and undermine the integrity of the network itself. This represents a significant moment - traditional financial institutions now view quantum risk as material enough to disclose to investors.

The economic disruption wouldn't be limited to price volatility. Bitcoin's value proposition depends heavily on its perceived scarcity and security. If millions of previously inaccessible coins suddenly become accessible to quantum attackers, it raises questions about whether any Bitcoin is truly secure. Trust in the network could erode rapidly, potentially creating a cascade of selling pressure that goes beyond the immediate impact of the recovered coins themselves.

The Ethical Dilemmas

The quantum recovery scenario creates thorny ethical questions without clear answers. If quantum computers can access lost Bitcoin, what should happen to those coins?

One camp, led by prominent voices like Bitcoin developer Jameson Lopp, argues these coins should be burned - deliberately destroyed to prevent anyone from claiming them. Lopp contends that allowing quantum adversaries to claim funds that rightfully belong to other users represents a failure to protect property rights. In a February 2025 essay, Lopp wrote: "If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a 'win' in the 'protecting property rights' category? It feels more like apathy to me."

From this perspective, burning vulnerable coins is the lesser evil. It prevents ill-gotten gains, protects Bitcoin's scarcity, and demonstrates the network's commitment to security over short-term convenience. The counterargument is that burning coins represents a form of confiscation - punishing users whose only "crime" was adopting Bitcoin early, before quantum-resistant best practices existed.

Another camp suggests attempting to return recovered Bitcoin to their rightful owners. This sounds noble but creates enormous practical problems. How do you prove ownership of Bitcoin when the defining characteristic of being lost is that you no longer have the private keys? Estate settlements already face legal challenges when cryptocurrency is involved. Now imagine trying to adjudicate ownership claims for coins that haven't moved in a decade, where the original owner might be deceased, unknown, or impossible to verify.

Any recovery system would necessarily involve trusted third parties to verify claims - exchanges, government agencies, or newly created institutions. This runs counter to Bitcoin's ethos of trustlessness and censorship resistance. It would also create intense pressure for fraud, as bad actors impersonate rightful owners or manufacture false claims to valuable Bitcoin addresses.

A third option is to redistribute recovered coins. Some have proposed using recovered Bitcoin to fund network development, reward miners, or even distribute equally among all current Bitcoin holders. This transforms lost coins into a kind of communal asset. However, it amounts to changing Bitcoin's social contract after the fact - altering the rules for coins that were secured under a different set of assumptions.

Perhaps the starkest ethical question involves Satoshi's million Bitcoin. If these coins could be recovered via quantum computing, should they be? Satoshi's anonymity means we can't ask the creator's wishes. Many in the community consider these coins sacred, a permanent part of Bitcoin's mythology that should remain untouched regardless of technical capability. Others argue that leaving such a massive supply sitting vulnerable to quantum attack poses systemic risk to the network.

The Institutional Response

BlackRock's decision to add quantum warnings to its Bitcoin ETF filing signals that institutional finance is taking these questions seriously. The filing states explicitly that quantum computing advances could "threaten the security of the network" and potentially lead to "significant losses" for investors.

This reflects a broader pattern of institutional adoption bringing increased scrutiny of risks that the crypto community might have previously dismissed or downplayed. Pension funds, endowments, and financial advisors considering Bitcoin exposure want clarity on tail risks, including quantum computing. The fact that quantum risk now appears in regulated financial products' disclosure documents transforms it from a theoretical concern to a quantifiable investment consideration.

Other major institutions are watching. If quantum capabilities advance faster than expected, we could see institutional capital flee cryptocurrency markets unless clear mitigation strategies exist. This creates pressure on Bitcoin developers and the broader community to implement quantum-resistant solutions before the threat materializes, rather than waiting for a crisis.

Security Roadmap: How Bitcoin Can Evolve

The encouraging news is that Bitcoin's quantum vulnerability is neither surprising nor unaddressed. Cryptographers have known about Shor's algorithm since 1994, and the Bitcoin development community has been discussing quantum resistance for years. Multiple research directions and practical strategies exist for hardening Bitcoin against quantum attack.

Current Best Practices for Users

Even before any protocol-level changes, individual Bitcoin users can take steps to minimize their quantum exposure. The most important practice is avoiding address reuse. When you spend from a Bitcoin address, the public key becomes visible on the blockchain. Best practice is to treat each address as single-use - after spending from it, move any remaining funds to a new address, ensuring the old public key is no longer associated with unspent coins.

Modern wallet software has increasingly adopted this practice automatically. Hardware wallets and full-node wallets typically generate new change addresses for each transaction, implementing single-use addresses without requiring users to understand the underlying security logic. Users with older wallet software or those who manually manage addresses should audit their practices and upgrade to quantum-safer habits.

Another protective step is migrating funds to more modern address formats. Segregated Witness (SegWit) and especially Taproot addresses provide marginally better quantum resistance through improved address hygiene and, in Taproot's case, alternative script paths that might enable quantum-resistant signatures in future soft forks. While these formats use the same underlying elliptic curve cryptography, they reflect more quantum-conscious design philosophy.

For long-term holders, the advice is simple: use new addresses for each receive transaction, never reuse addresses after spending, and keep funds in addresses whose public keys have never been exposed. This doesn't eliminate quantum risk entirely but significantly reduces the attack surface.

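To make the address-reuse advice above concrete, here is an added example (not code from the article or from any wallet project) that replays a constructed transaction history and reports which addresses still hold coins behind a public key that is already on-chain. It encodes the rule the text describes: a spend publishes the key, a legacy P2PK output publishes it on receipt, and hash-based output types keep it hidden until spent. Addresses, txids and amounts are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    value_sat: int
    script_type: str  # "p2pk" carries the raw key; hash-based types hide it until spent


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (txid, vout) pairs being spent; each input publishes a key + signature
    outputs: tuple  # Output records


def audit(txs) -> dict:
    """Replay the history; return {address: (unspent_sat, public_key_exposed)}.

    An address's key counts as exposed once any output on it has been spent
    (the input script publishes the key) or if the output was P2PK to begin with.
    """
    utxo = {}
    exposed = set()
    for tx in txs:
        for ref in tx.inputs:
            spent = utxo.pop(ref)          # KeyError here means the sample data is inconsistent
            exposed.add(spent.address)     # spending reveals this address's public key
        for vout, out in enumerate(tx.outputs):
            utxo[(tx.txid, vout)] = out
            if out.script_type == "p2pk":
                exposed.add(out.address)   # legacy P2PK exposes the key on receipt
    balances = {}
    for out in utxo.values():
        balances[out.address] = balances.get(out.address, 0) + out.value_sat
    return {addr: (sat, addr in exposed) for addr, sat in balances.items()}


def exposed_funds(txs) -> dict:
    """Unspent value sitting behind an already-published key: the set a future
    quantum adversary could target, and the set a user should move to fresh addresses."""
    return {addr: sat for addr, (sat, exp) in audit(txs).items() if exp and sat > 0}


# Constructed sample history (not real chain data).
SAMPLE_TXS = (
    Tx("tx1", (), (Output("P2PK_LEGACY_A", 5_000_000_000, "p2pk"),
                   Output("ADDR_B", 1_000_000, "p2pkh"))),
    # ADDR_B spends and sends its change back to itself: address reuse.
    Tx("tx2", (("tx1", 1),), (Output("ADDR_C", 400_000, "p2pkh"),
                              Output("ADDR_B", 590_000, "p2pkh"))),
    # ADDR_C spends everything to a fresh address: no exposed balance remains.
    Tx("tx3", (("tx2", 0),), (Output("ADDR_D", 390_000, "p2wpkh"),)),
)

if __name__ == "__main__":
    for addr, sat in exposed_funds(SAMPLE_TXS).items():
        print(f"{addr}: {sat} sat behind an exposed public key")
```

Run as a script it lists the two exposed balances (the P2PK output and the reused ADDR_B change); ADDR_D, funded only at a fresh address, does not appear. The same replay over a wallet's real history is the audit the text recommends for users of older software.
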
Post-Quantum Cryptography Standards

The broader cryptographic community has been working toward quantum-resistant alternatives for over a decade. In 2016, the U.S. National Institute of Standards and Technology (NIST) launched a project to standardize post-quantum cryptography (PQC) - cryptographic algorithms believed to be secure against both classical and quantum computers.

After years of analysis and competition, NIST announced its first set of PQC standards in 2024. The selected algorithms include:

  • CRYSTALS-Kyber for key encapsulation (replacing systems like RSA for securely exchanging keys)
  • CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures (replacing systems like ECDSA and RSA signatures)

These algorithms rely on different mathematical problems than current cryptography. Lattice-based schemes like Dilithium are based on the difficulty of finding short vectors in high-dimensional lattices. Hash-based schemes like SPHINCS+ are built on the security of cryptographic hash functions, which are already believed to be relatively quantum-resistant. Multivariate cryptography uses systems of quadratic equations over finite fields.

The crucial insight is that while Shor's algorithm efficiently solves discrete logarithm and factoring problems, it doesn't provide similar advantages against these new mathematical structures. As far as current knowledge extends, quantum computers offer no practical shortcut to breaking properly implemented lattice-based or hash-based cryptography.

Bitcoin-Specific Research: QRAMP

In early 2025, Bitcoin developer Agustin Cruz proposed a radical framework called QRAMP (Quantum-Resistant Asset Mapping Protocol). QRAMP represents one of the most comprehensive approaches to Bitcoin's quantum problem, though it remains controversial and far from consensus.

QRAMP proposes a mandatory migration period where all funds in legacy quantum-vulnerable addresses must be moved to quantum-resistant addresses by a specific block height deadline. After that deadline, transactions from old ECDSA addresses would be rejected by the network, effectively burning any coins that weren't migrated.

The protocol would work through several mechanisms:

  • Identifying vulnerable addresses: QRAMP would scan for Bitcoin addresses with exposed public keys, particularly older P2PK formats
  • Burn and replace: Users send coins from vulnerable addresses to a special "quantum burn" address, permanently removing them from circulation
  • Post-quantum security: In return, equivalent amounts of Bitcoin secured by quantum-resistant cryptography (like hash-based or lattice-based signatures) would be issued
  • Proof-based verification: Only verified burns result in new quantum-resistant coins, maintaining a strict 1:1 ratio to prevent inflation

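As an added illustration of the mechanics just listed (a toy model written for this article, not the QRAMP draft or any Bitcoin code), the following Python encodes the three rules the proposal depends on: legacy ECDSA inputs are invalid after the deadline height, only payments to the designated burn address count as burns, and each verified burn is redeemable exactly once, 1:1. The deadline height, the burn address string and the quantum-resistant script type names are placeholders assumed for the model.

```python
MIGRATION_DEADLINE = 1_000_000        # assumed block height; a placeholder, not from the draft
QUANTUM_BURN_ADDRESS = "QRAMP_BURN"   # constructed placeholder, not a real address
LEGACY_SCRIPT_TYPES = {"p2pk", "p2pkh", "p2wpkh"}    # ECDSA-secured outputs in this model
PQ_SCRIPT_TYPES = {"pq_hash_sig", "pq_lattice_sig"}  # hypothetical quantum-resistant types


class MigrationError(Exception):
    pass


def check_spend(height: int, input_script_type: str) -> bool:
    """Consensus rule from the proposal: after the deadline, legacy inputs are invalid."""
    if input_script_type in LEGACY_SCRIPT_TYPES and height > MIGRATION_DEADLINE:
        raise MigrationError(f"{input_script_type} input rejected at height {height}")
    return True


class BurnRegistry:
    """Tracks verified burns and issues quantum-resistant coins exactly once per burn."""

    def __init__(self):
        self.burns = {}      # txid -> amount paid to the burn address
        self.claimed = set()
        self.pq_supply = 0

    def observe(self, txid: str, height: int, to_address: str, amount: int) -> bool:
        """Record a confirmed payment to the burn address; anything else is ignored.
        A burn after the deadline cannot exist, because check_spend rejects its input."""
        if to_address != QUANTUM_BURN_ADDRESS or height > MIGRATION_DEADLINE:
            return False
        self.burns[txid] = amount
        return True

    def claim(self, txid: str, pq_address: str, pq_type: str) -> tuple:
        """Mint 1:1 against a verified, not-yet-claimed burn."""
        if pq_type not in PQ_SCRIPT_TYPES:
            raise MigrationError("destination is not a quantum-resistant output")
        if txid not in self.burns:
            raise MigrationError(f"no verified burn for {txid}")
        if txid in self.claimed:
            raise MigrationError(f"burn {txid} already claimed")
        self.claimed.add(txid)
        amount = self.burns[txid]
        self.pq_supply += amount
        return (pq_address, amount)

    def supply_invariant_holds(self) -> bool:
        """Issued quantum-resistant coins never exceed verified burns (no inflation)."""
        return self.pq_supply <= sum(self.burns.values())
```

The invariant check is the part worth keeping in mind when reading the debate that follows: the 1:1 rule only holds if every mint is tied to a burn record that can be consumed once, which is why the proposal frames reissuance as proof-based rather than as a balance snapshot.
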
QRAMP also aims to enable cross-chain Bitcoin functionality. Rather than relying on custodians (like wrapped Bitcoin solutions), QRAMP would use cryptographic attestations - mathematical proofs derived from Bitcoin's blockchain that other networks can verify. This would allow Bitcoin balances to be reflected on other blockchains without actually moving the underlying Bitcoin, maintaining both security and Bitcoin's 21 million supply cap.

The proposal has sparked intense debate. Proponents argue it provides a clear, systematic path to quantum resistance with unambiguous deadlines that force timely migration rather than dangerous complacency. Critics contend that mandatory burns represent a form of confiscation, punishing early adopters and potentially destroying millions of Bitcoin including Satoshi's coins.

The timeline concerns are also significant. QRAMP would require a hard fork - a non-backward-compatible protocol change requiring consensus from miners, node operators, and the broader community. Bitcoin's history shows that controversial hard forks are difficult to achieve and risk chain splits. Implementing QRAMP would require convincing the ecosystem that quantum threats are imminent enough to justify such drastic action while also being early enough that users have time to migrate.

As of October 2025, QRAMP remains a draft proposal without a formal BIP (Bitcoin Improvement Proposal) number and lacking community consensus to move forward.

Alternative Approaches

Not all quantum-resistant proposals are as radical as QRAMP. Other researchers are exploring gradual migration strategies that would introduce quantum-resistant signature schemes alongside existing ECDSA, allowing users to voluntarily upgrade over time.

Adam Back, CEO of Blockstream and a respected cryptographer, has suggested incorporating quantum-resistant cryptography into Bitcoin's existing address and script system. One approach would use Schnorr signatures (already implemented in Taproot) combined with SLH-DSA (SPHINCS+) tapleafs. This would allow users to gradually move funds to quantum-safe addresses without requiring a contentious hard fork or burning vulnerable coins.

The advantage of gradual migration is flexibility. Users who are confident in their address security could continue using existing wallets while more cautious users migrate to quantum-resistant formats. As quantum capabilities advance, social pressure and market forces would naturally encourage migration without requiring protocol enforcement.

The disadvantage is that voluntary migration might happen too slowly. If quantum computers advance faster than expected, vulnerable coins could be attacked before users migrate, defeating the purpose. There's also the problem of lost or abandoned wallets - coins whose owners no longer have access would remain perpetually vulnerable.

Other research directions include:

  • Quantum-safe multi-signature schemes that combine multiple post-quantum algorithms, providing redundant security even if one algorithm is broken
  • Hybrid systems that use both classical ECDSA and quantum-resistant signatures, requiring attackers to break both
  • Zero-knowledge proofs that could enable quantum-resistant verification without exposing public keys

The Ethereum community has been researching post-quantum cryptography through account abstraction and STARKs (Scalable Transparent Arguments of Knowledge), which use hash functions and are inherently quantum-resistant. Some of these innovations might eventually inform Bitcoin's approach.

The Challenge of Quantum-Resistant Signatures

One challenge with post-quantum cryptography is that signatures are typically much larger than ECDSA signatures. A CRYSTALS-Dilithium signature can be 2-3 kilobytes, compared to 64-71 bytes for an ECDSA signature. This has implications for blockchain efficiency, transaction costs, and scalability.

Hash-based signatures like SPHINCS+ are even larger - potentially tens of kilobytes per signature. While these sizes aren't prohibitive, they represent a meaningful increase in data that must be stored and transmitted by every node on the network. In a blockchain where efficiency and scalability are already concerns, adding larger signatures could exacerbate existing challenges.

Various optimizations are being researched to minimize signature sizes while maintaining security. Some schemes use Merkle trees to amortize signature size across multiple transactions. Others explore threshold signatures where multiple parties collaboratively sign, reducing the per-transaction overhead.

The Bitcoin community will need to balance security, efficiency, and backward compatibility when ultimately selecting which post-quantum algorithms to implement.
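
An added example (written for this page, not taken from the article, from NIST or from any SPHINCS+ implementation) that ties together two points made above about hash-based signatures: why their security reduces to the hash function alone, which Shor's algorithm does not touch, and why they cost so many bytes. It implements a Lamport one-time signature over SHA-256 and a small Merkle tree that certifies eight one-time public keys under a single 32-byte root, the amortisation idea the text mentions; SPHINCS+ uses more elaborate versions of the same building blocks. The message, key count and key index are assumptions for the demo.

```python
import hashlib
import secrets

N = 32  # SHA-256 output length in bytes


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes) -> list[int]:
    """The 256 bits of SHA-256(msg), most significant first."""
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_keygen():
    """Secret key: 256 pairs of random preimages. Public key: their hashes.
    Security rests only on preimage resistance of the hash function."""
    sk = [[secrets.token_bytes(N), secrets.token_bytes(N)] for _ in range(256)]
    pk = [[H(pair[0]), H(pair[1])] for pair in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list[bytes]:
    # Reveal one preimage per message bit. Signing a second message with the
    # same key leaks the other preimages, so each key is strictly one-time.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def pk_leaf(pk) -> bytes:
    """Compress a 16 KB Lamport public key into one 32-byte Merkle leaf."""
    return H(b"".join(h for pair in pk for h in pair))


def merkle_levels(leaves: list[bytes]) -> list[list[bytes]]:
    """All tree levels, leaves first, root last. len(leaves) must be a power of 2."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def auth_path(levels, index: int) -> list[bytes]:
    """Sibling hashes from leaf to root: shipped alongside one one-time signature."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])
        index >>= 1
    return path


def merkle_verify(root: bytes, leaf: bytes, index: int, path: list[bytes]) -> bool:
    node = leaf
    for sibling in path:
        node = H(sibling + node) if index & 1 else H(node + sibling)
        index >>= 1
    return node == root


def size_report(num_keys: int) -> dict:
    """Byte sizes the scheme implies, next to the ECDSA figure quoted in the text."""
    depth = num_keys.bit_length() - 1
    return {
        "ecdsa_sig_max": 71,
        "lamport_sig": 256 * N,   # 8192 bytes per signature
        "lamport_pk": 512 * N,    # 16384 bytes per one-time public key
        "merkle_root_pk": N,      # one 32-byte root certifies all num_keys keys
        "auth_path": depth * N,   # extra bytes per signature to reach the root
    }


def demo(num_keys: int = 8, key_index: int = 3, msg: bytes = b"constructed tx digest") -> dict:
    """Certify eight one-time keys under one root, sign with key 3, verify both layers."""
    keys = [lamport_keygen() for _ in range(num_keys)]
    levels = merkle_levels([pk_leaf(pk) for _, pk in keys])
    root = levels[-1][0]
    sk, pk = keys[key_index]
    sig = lamport_sign(sk, msg)
    path = auth_path(levels, key_index)
    valid = lamport_verify(pk, msg, sig) and merkle_verify(root, pk_leaf(pk), key_index, path)
    tampered = lamport_verify(pk, msg + b"!", sig)
    return {"valid": valid, "tampered_rejected": not tampered, "sizes": size_report(num_keys)}


if __name__ == "__main__":
    print(demo())
```

The size report shows the trade-off directly: a single Lamport signature is 8,192 bytes against the 64-71 byte ECDSA figure above, and a Lamport public key is 16 KB; with the tree, a verifier holds only the 32-byte root and receives a 96-byte authentication path per signature. The one-time property is the other operational hazard: a key reused for a second message leaks preimages, which is the state-tracking burden that stateless schemes such as SPHINCS+ were designed to remove.
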

Beyond Threats: Quantum Opportunities for Crypto

Discussions about quantum computing and cryptocurrency overwhelmingly focus on threats - the looming danger of quantum computers breaking cryptography. But this framing misses a crucial aspect of the story. Quantum computing isn't merely a weapon pointed at blockchain technology; it's also a tool that could enhance, strengthen, and advance the entire cryptocurrency ecosystem in unexpected ways.

Quantum-Enhanced Cryptography

The arms race between quantum attackers and quantum defenders will eventually produce cryptography that is stronger than anything possible with classical computation. Quantum key distribution (QKD) already enables provably secure communication channels, protected by the laws of physics rather than computational assumptions. While implementing QKD in decentralized blockchain systems faces significant technical challenges, research continues into adapting quantum communication protocols for cryptocurrency applications.

Post-quantum cryptography developed in response to quantum threats will create the foundation for a new generation of cryptographic systems. These algorithms aren't just quantum-resistant; many offer additional security properties like forward secrecy, smaller keys for equivalent security levels, and resistance to side-channel attacks that plague some current implementations.

Lattice-based cryptography, in particular, enables powerful new capabilities like fully homomorphic encryption - the ability to perform arbitrary computations on encrypted data without decrypting it. While computationally expensive today, quantum computers might eventually make homomorphic encryption practical at scale, enabling privacy-preserving smart contracts and confidential transactions without sacrificing auditability.

Improved Scalability Solutions

Quantum computers excel at certain optimization problems that currently limit blockchain scalability. Route finding in payment channel networks like Bitcoin's Lightning Network involves searching through a vast space of possible paths to find optimal routes for payments. Quantum algorithms could potentially find better routes faster, improving payment success rates and reducing channel capital requirements.

Zero-knowledge proof systems, which enable privacy and scalability solutions like ZK-Rollups, require extensive cryptographic computations. Quantum computers might accelerate proof generation while maintaining security, enabling more sophisticated privacy-preserving applications without the computational overhead that currently limits their adoption.

Even mining could eventually benefit from quantum computation. While quantum computers using Grover's algorithm could theoretically search for proof-of-work solutions more efficiently than classical miners, the same technology would be available to all participants, creating a new equilibrium rather than an attack vector. Some researchers have proposed quantum-secured consensus mechanisms that leverage quantum properties for Byzantine fault tolerance.

Quantum-Secured Smart Contracts

The combination of quantum computing and cryptocurrency could enable entirely new classes of smart contracts and decentralized applications. Quantum random number generation provides truly unpredictable randomness - crucial for gambling applications, cryptographic protocols, and fair leader election in consensus mechanisms. Current blockchain-based randomness must rely on complicated protocols to prevent manipulation; quantum randomness would be provably fair.

Quantum sensing and quantum communication could enable new types of oracle systems - the bridges between smart contracts and real-world data. Quantum sensors can measure physical phenomena with unprecedented precision, potentially creating more reliable data feeds for decentralized finance applications that depend on accurate price feeds, weather data, or supply chain verification.

Post-quantum cryptographic protocols could enable more sophisticated multi-party computation, allowing multiple parties to jointly compute functions over their private data without revealing that data to each other. This opens possibilities for decentralized financial products, privacy-preserving auctions, and confidential voting systems that are currently impractical.

Academic and Industry Collaboration

The quantum threat has catalyzed unprecedented collaboration between the cryptocurrency community and mainstream computer science research. NIST's post-quantum cryptography standardization effort included input from blockchain researchers and cryptocurrency companies. Academic conferences increasingly feature sessions on quantum-safe blockchain design.

This collaboration benefits both sides. Cryptocurrency's real-world deployment provides testing grounds for post-quantum algorithms under adversarial conditions with actual economic value at stake. Meanwhile, blockchain systems benefit from cutting-edge cryptographic research that might otherwise take years to filter into production systems.

Major technology companies including Google, IBM, Microsoft, and Amazon are investing billions in quantum computing research while simultaneously developing quantum-safe cryptography and consulting with blockchain projects. This creates a rare alignment of interests where the same companies advancing quantum capabilities also contribute to defending against quantum threats.

Reframing the Narrative

Perhaps most importantly, viewing quantum computing purely as a threat misses the opportunity to reshape cryptocurrency's security model for the better. Every cryptographic transition - from DES to AES, from SHA-1 to SHA-256, from RSA to elliptic curves - has ultimately strengthened systems by forcing migrations to better algorithms.

Bitcoin's eventual adoption of post-quantum cryptography will create an opportunity to address other protocol limitations simultaneously. A coordinated upgrade could implement not just quantum resistance but also signature aggregation, better privacy features, improved scripting capabilities, and efficiency improvements that have been long desired but difficult to deploy through isolated soft forks.

The quantum transition might also resolve ongoing debates about Bitcoin's rigid conservatism versus pragmatic evolution. When quantum computers demonstrably threaten ECDSA, even the most conservative community members will recognize the need for substantial protocol changes. This creates political cover for upgrades that might be desirable for other reasons but lack consensus under normal circumstances.

Expert Forecasts and Diverging Views

The quantum computing timeline remains one of the most contentious aspects of the Bitcoin security debate, with expert opinions ranging from "decades away" to "possibly within 10 years." Understanding these divergent perspectives provides crucial context for evaluating how urgently Bitcoin needs quantum-resistant upgrades.

The Optimists: Decades of Safety

Adam Back, CEO of Blockstream and a highly respected cryptographer, represents the conservative view on quantum timelines. Back has consistently argued that quantum computers capable of threatening Bitcoin remain decades away, not years. In a June 2025 interview, Back acknowledged that quantum computing could eventually become relevant but emphasized that the timeline spans "decades, not years" and that proactive but gradual measures provide adequate protection.

Back's perspective is informed by deep understanding of both the theoretical requirements and practical engineering challenges. He notes that quantum computers must not only achieve the raw qubit count necessary for Shor's algorithm but also maintain error rates low enough for fault-tolerant computation throughout the extended calculation period. Current systems are orders of magnitude away from meeting these requirements simultaneously.

Michael Saylor, executive chairman of Strategy (formerly MicroStrategy) and one of Bitcoin's most prominent institutional advocates, has been even more dismissive of near-term quantum threats. In multiple interviews throughout 2025, Saylor characterized quantum concerns as "mainly marketing from people that want to sell you the next quantum yo-yo token."

Saylor's argument rests on institutional alignment. He points out that major tech companies like Google and Microsoft have more to lose than gain from quantum computers that can break encryption. These companies rely on the same cryptographic systems that secure Bitcoin. If quantum computers threaten ECDSA and RSA, they threaten cloud services, email, e-commerce, and every other encrypted communication on the internet.

"Google and Microsoft aren't going to sell you a computer that cracks modern cryptography because it would destroy Google and Microsoft - and the U.S. government and the banking system," Saylor said in a June 2025 CNBC interview. His view is that when quantum threats do materialize, Bitcoin will upgrade its cryptography just like every other major software system, without catastrophic disruption.

Saylor also argues that quantum-resistant tokens being marketed as "Bitcoin killers" are mostly opportunistic projects capitalizing on fear rather than offering genuine solutions. From his perspective, quantum threats to Bitcoin are not immediate, and when they do arrive, Bitcoin's robust development community and strong incentives for maintaining security will enable effective responses.

The Pragmatists: Start Preparing Now

Not all experts share this sanguine view. Jameson Lopp, chief technology officer at Casa and a prominent Bitcoin security researcher, occupies a middle position. In his February 2025 essay "Against Allowing Quantum Recovery of Bitcoin," Lopp argues that while quantum computers aren't an immediate crisis, the Bitcoin community has less than a decade to implement contingency plans.

Lopp's concern focuses less on the precise quantum timeline and more on Bitcoin's slow governance and the difficulty of achieving consensus on controversial changes. Even if quantum computers capable of breaking ECDSA don't arrive until 2035, Bitcoin needs to start implementing changes now because:

  • Reaching consensus on quantum-resistant schemes requires years of debate and testing
  • Users need time to migrate funds to new address types
  • Lost or abandoned wallets represent a systemic risk if left vulnerable
  • Waiting until quantum computers are demonstrably threatening ECDSA might be too late

Lopp advocates for burning coins in vulnerable addresses rather than attempting recovery - a position that has generated significant controversy. He argues this approach best protects property rights by preventing quantum adversaries from claiming funds while also addressing the lost coin problem decisively.

BlackRock's May 2025 IBIT filing warning represents another pragmatic voice. By including quantum computing as a material risk factor in a regulated financial product, BlackRock signals that institutional investors should consider quantum threats as part of their risk assessment, even if the timeline remains uncertain. This reflects a precautionary principle: the potential consequences are severe enough that waiting for certainty might be imprudent.

The Concerned: Sooner Than We Think

Some researchers and organizations believe quantum threats could materialize faster than the consensus estimates suggest. NIST experts have stated that quantum computers capable of breaking current cryptographic standards could arrive within 10 to 20 years, with some private forecasts suggesting it could happen even sooner.

In 2025, researchers from Project Eleven launched a quantum challenge offering one Bitcoin to anyone who can break elliptic curve cryptography using a quantum computer. Their assessment is that around 2,000 logical (error-corrected) qubits may be enough to break a 256-bit ECC key - something they believe is achievable within the next decade.

Google researcher Craig Gidney published work in May 2025 suggesting that RSA-2048 could be factored with fewer than 1 million qubits in under a week - a 20-fold decrease from previous estimates. While RSA and ECC aren't identical, the algorithmic improvements demonstrated for one problem often apply to the other. If quantum algorithms continue improving while hardware scales up, the timeline could compress significantly.

IBM's concrete roadmap to fault-tolerant quantum computing by 2029 with 200 logical qubits represents another data point suggesting quantum threats might materialize in the early 2030s rather than the 2040s or 2050s. IBM Quantum Starling, scheduled for 2029, won't have enough logical qubits to threaten Bitcoin immediately. But if IBM successfully demonstrates fault-tolerant quantum computing at that scale, scaling to the 2,000+ logical qubits needed for cryptanalysis might happen relatively quickly - perhaps within another 5-10 years.

At CES 2025, Nvidia CEO Jensen Huang stated that a major breakthrough in quantum computing is likely 15 to 30 years away, with 20 years being the most realistic estimate. This puts quantum threats to cryptography somewhere between 2040 and 2055 - a timeframe that seems comfortable but could arrive faster if Huang's estimate proves conservative.

Interpreting the Divergence

Why do expert opinions diverge so widely? Several factors contribute to the uncertainty:

Defining the Threat Threshold: Different experts use different metrics for when quantum computers become "threatening." Some focus on demonstrating Shor's algorithm on any cryptographically relevant problem. Others require quantum computers that can break Bitcoin's specific ECDSA implementation within the narrow time window of unconfirmed transactions. These represent vastly different capability levels.

Secret vs. Public Development: Public quantum computing efforts through companies like IBM, Google, and academic institutions are transparent, allowing detailed assessment. But classified government programs at agencies like NSA, GCHQ, or their Chinese and Russian equivalents operate in secret. Some experts suspect classified programs might be years ahead of publicly known capabilities, though evidence for this remains speculative.

Algorithmic Unknowns: Current estimates assume Shor's algorithm and existing error correction schemes. A breakthrough in quantum algorithms that further reduces qubit requirements could dramatically accelerate timelines. Conversely, fundamental barriers to scaling quantum computers might emerge that push timelines back.

Engineering vs. Theory: Computer science theory and practical engineering often diverge. Theoretically, we understand how to build quantum computers with millions of qubits. Engineering systems that actually work at that scale - maintaining coherence, implementing error correction, and integrating with classical control systems - presents challenges that might prove much harder or easier than current extrapolations suggest.

The prudent interpretation is that quantum threats to Bitcoin are not immediate but also not safely distant. A realistic timeline suggests the late 2020s to mid-2030s as the period when quantum computers might begin posing credible threats to elliptic curve cryptography, with significant uncertainty in both directions.

The Road Ahead: Preparing for a Post-Quantum Bitcoin

As quantum computing advances and timelines compress, the cryptocurrency community faces crucial decisions about when and how to implement quantum-resistant upgrades. The path forward requires technical preparation, community consensus, and vigilant monitoring of both quantum computing progress and on-chain activity.

Signals to Watch For

Several indicators would signal that quantum threats are transitioning from theoretical to practical:

Large Movements from Vulnerable Addresses: The clearest warning sign would be sudden, coordinated movements from multiple old P2PK addresses, particularly those dormant for many years. While individual reactivations have innocent explanations, a pattern of simultaneous movements from addresses with no prior relationship would suggest a quantum attacker systematically targeting vulnerable coins.

Real-Time Key Extraction: If funds move from an address immediately after its public key is revealed during transaction broadcasting - faster than blockchain confirmation times - this would indicate an attacker can extract private keys in real time. This represents the nightmare scenario for Bitcoin security and would demand immediate emergency protocol changes.
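The two on-chain signals above can be watched for mechanically. The following is an added example, not code from the article or from any Bitcoin project: it classifies which scriptPubKeys expose a public key (P2PK), buckets spends of long-dormant P2PK outputs to find coordinated movements, and flags a second transaction from an address that appears faster than one confirmation interval after the first one revealed the key. All addresses, heights, timestamps and the dormancy and window thresholds are constructed for illustration.

```python
"""Added monitoring example (not part of the article): two of the on-chain
warning signs described above, run over a constructed, synthetic data set.
  1. coordinated spends from long-dormant P2PK outputs (public key on-chain)
  2. a spend racing a just-revealed public key faster than confirmation time
"""
from collections import defaultdict
from dataclasses import dataclass

BLOCKS_PER_YEAR = 52_560          # ~10-minute blocks


def script_exposes_pubkey(spk: bytes) -> bool:
    """Pay-to-pubkey scriptPubKey: <push 33|65 bytes> OP_CHECKSIG (0xac).
    P2PKH/P2WPKH only commit to a hash, so the key stays hidden until spent."""
    if len(spk) == 35 and spk[0] == 0x21 and spk[-1] == 0xAC:
        return True  # compressed key
    if len(spk) == 67 and spk[0] == 0x41 and spk[-1] == 0xAC:
        return True  # uncompressed key
    return False


@dataclass
class Spend:
    address: str
    script_pubkey: bytes
    last_active_height: int   # block that created (or last touched) the output
    spend_height: int         # block in which it was spent


def coordinated_dormant_spends(spends, dormancy_blocks=5 * BLOCKS_PER_YEAR,
                               window_blocks=6, min_count=3):
    """Bucket spends of P2PK outputs dormant for >= dormancy_blocks into
    windows of window_blocks blocks; report windows where >= min_count
    distinct addresses moved together.  Returns {window_start: [addresses]}."""
    buckets = defaultdict(set)
    for s in spends:
        if not script_exposes_pubkey(s.script_pubkey):
            continue
        if s.spend_height - s.last_active_height < dormancy_blocks:
            continue
        buckets[s.spend_height // window_blocks].add(s.address)
    return {b * window_blocks: sorted(a)
            for b, a in buckets.items() if len(a) >= min_count}


@dataclass
class MempoolTx:
    txid: str
    address: str        # address whose public key this transaction exposes
    first_seen: float   # unix time our node first saw it


def key_race_alerts(observations, confirmation_seconds=600):
    """The first tx we see from an address reveals its public key.  A second,
    different tx spending from the same address within one confirmation
    interval means someone produced a valid signature faster than a block
    could confirm.  Returns (address, reveal_txid, racing_txid, seconds)."""
    first_reveal = {}
    alerts = []
    for tx in sorted(observations, key=lambda t: t.first_seen):
        seen = first_reveal.get(tx.address)
        if seen is None:
            first_reveal[tx.address] = tx
            continue
        delta = tx.first_seen - seen.first_seen
        if tx.txid != seen.txid and delta < confirmation_seconds:
            alerts.append((tx.address, seen.txid, tx.txid, delta))
    return alerts


# --- constructed sample data (no real transactions) -------------------------
P2PK = bytes([0x21]) + bytes.fromhex("02" + "11" * 32) + bytes([0xAC])
P2PKH = bytes.fromhex("76a914" + "22" * 20 + "88ac")

SAMPLE_SPENDS = [
    Spend("p2pk-A", P2PK, 100_000, 900_000),    # dormant ~15 years, P2PK
    Spend("p2pk-B", P2PK, 120_000, 900_001),
    Spend("p2pk-C", P2PK, 130_000, 900_005),
    Spend("p2pkh-D", P2PKH, 100_000, 900_002),  # dormant, but key not exposed
    Spend("p2pk-E", P2PK, 899_000, 900_003),    # P2PK, but recently active
]

SAMPLE_MEMPOOL = [
    MempoolTx("tx1", "addr-X", 1_000.0),  # owner broadcasts, key revealed
    MempoolTx("tx2", "addr-X", 1_120.0),  # a different tx two minutes later
    MempoolTx("tx3", "addr-Y", 1_000.0),
    MempoolTx("tx4", "addr-Y", 2_000.0),  # 1000 s later: outside the window
]

if __name__ == "__main__":
    print(coordinated_dormant_spends(SAMPLE_SPENDS))
    print(key_race_alerts(SAMPLE_MEMPOOL))
```

Both detectors are triggers for analyst review rather than proof of an attack: a single dormant reactivation has innocent explanations, and an owner's own fee-bump replacement also produces two transactions from one address inside the confirmation window, so a real deployment feeding these functions from a node's mempool would still need to check whether the racing transaction was authored by the same wallet.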

Quantum Computing Milestones: Announcements of quantum computers achieving certain capability thresholds should trigger heightened concern:

  • Quantum computers demonstrating 1,000+ logical qubits with low error rates
  • Successful implementation of Shor's algorithm on problems approaching cryptographic scales
  • Demonstrations of quantum systems maintaining coherence through calculations requiring billions of gates

Academic Breakthroughs: Papers demonstrating significant reductions in the qubit requirements for breaking ECDSA, improvements in quantum error correction, or novel algorithms that accelerate cryptanalysis would all warrant attention. The quantum computing literature should be monitored for results that compress timelines.

Technical Preparations

The Bitcoin development community should continue several preparatory efforts even before quantum threats become immediate:

Standardization and Testing: Selecting which post-quantum algorithms Bitcoin should adopt requires extensive analysis, testing, and community review. NIST's standardized algorithms provide a starting point, but Bitcoin's specific requirements - decentralization, open-source auditability, signature size constraints, and computational efficiency for node operators - might favor different choices than traditional cryptographic applications.

Wallet Infrastructure: Wallet software needs to implement support for quantum-resistant signature schemes before they're required at the protocol level. This allows early adopters to begin using quantum-safe addresses voluntarily, creating a template for eventual mandatory migration. Hardware wallet manufacturers must update firmware to support new algorithms.

Transaction Format Design: Quantum-resistant transactions will likely require different data structures than current Bitcoin transactions. Designing these formats with consideration for efficiency, privacy, and potential future upgrades will prevent technical debt. Script opcodes for post-quantum signature verification must be carefully designed.

Testnet Deployment: Before any quantum-resistant change is deployed to Bitcoin mainnet, it must be tested extensively on testnet and signet to verify that implementations work correctly, that nodes can validate the new transaction types efficiently, and that no unexpected interactions with existing protocol rules create new weaknesses.
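The signature-size constraint raised under standardization and wallet infrastructure is easiest to appreciate by measuring it. Below is an added example, not code from the article or from any Bitcoin project or wallet: a Lamport one-time signature built from SHA-256, the simplest member of the hash-based family, with its key and signature sizes computed and compared against the 64 bytes of a Bitcoin ECDSA or Schnorr signature. The scheme is chosen for clarity; the hash-based and lattice-based schemes NIST has standardized are more elaborate, and the message and the 64-byte comparison figure are the only assumed inputs.

```python
"""Added example (not the article's or any project's code): a Lamport one-time
signature built from SHA-256, the simplest hash-based scheme, used here to make
the signature-size trade-off concrete.  Sizes are measured, not quoted."""
import hashlib
import secrets

N = 256  # we sign the 256-bit SHA-256 digest of the message, one key pair per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of each preimage (the part that would go on-chain)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit.
    Revealing preimages is why the key must be used ONCE: two signatures
    under one key leak enough preimages to forge further messages."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the published hash."""
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(msg)))


def byte_size(key_or_sig) -> int:
    """Total bytes of a key (list of pairs) or a signature (list of preimages)."""
    return sum(len(x) if isinstance(x, bytes) else len(x[0]) + len(x[1])
               for x in key_or_sig)


ECDSA_SIG_BYTES = 64  # size of a Bitcoin ECDSA/Schnorr signature, for comparison


def size_ratio_vs_ecdsa(sig) -> float:
    return byte_size(sig) / ECDSA_SIG_BYTES


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"constructed message")
    print(verify(pk, b"constructed message", sig))                   # True
    print(byte_size(pk), byte_size(sig), size_ratio_vs_ecdsa(sig))  # 16384 8192 128.0
```

A single signature here is 8 KB, 128 times an ECDSA signature, and the public key another 16 KB, which is exactly why block space, node validation cost and the one-time-use restriction shape which post-quantum scheme Bitcoin could adopt and why transaction formats would need redesign.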

Building Community Consensus

Perhaps the most challenging aspect of Bitcoin's quantum transition is reaching consensus on contested questions:

Hard Fork vs. Soft Fork: Some quantum-resistant changes might be deployable through a soft fork (a backward-compatible upgrade), while others may require a hard fork (a change incompatible with older versions). The Bitcoin community has historically favored soft forks to preserve network unity, but quantum resistance may demand more disruptive changes.

Mandatory vs. Voluntary Migration: Should Bitcoin require users to migrate their funds to quantum-resistant addresses by a deadline (as the QRAMP proposal suggests), or should migration be voluntary and gradual? Mandatory migration offers clear security guarantees but risks burning lost coins and faces political resistance from the community. Voluntary migration is gentler, but if adoption is too slow the network remains exposed.

Handling Lost Coins: There is no consensus on whether coins sitting in quantum-vulnerable addresses should be burned, recovered, or redistributed. The question touches on property rights, Bitcoin's philosophy, and practical risk management. Resolving it will require extensive community discussion and, very likely, compromise.

Timing of Action: When should Bitcoin push quantum-resistant upgrades? Moving too early risks standardizing immature algorithms or wasting developer resources on solutions that are not yet needed. Moving too late risks a devastating attack. Finding the right moment requires continuous risk assessment and the flexibility to accelerate if quantum progress outpaces expectations.

Broader Industry Implications

The quantum challenge facing Bitcoin extends across the entire cryptocurrency industry. Ethereum, with its more flexible governance and active research into account abstraction and STARKs, may adopt quantum resistance before Bitcoin does. That would create interesting market dynamics: Ethereum could market itself as quantum-safe while Bitcoin is still dealing with legacy weaknesses.

Stablecoins face quantum vulnerabilities of their own, since they typically rely on multisignature schemes and smart contracts on underlying chains that are not necessarily quantum-resistant. The issuers of Tether and USDC must take quantum risk seriously to meet cybersecurity requirements, which may accelerate market demand for quantum-resistant blockchain infrastructure.

Central bank digital currencies (CBDCs) under development can incorporate post-quantum cryptography from the outset, learning from the difficulties facing existing cryptocurrencies. This gives CBDCs a relative security advantage, and governments may use it as an argument for promoting CBDCs over decentralized cryptocurrencies.

Privacy coins such as Monero and Zcash face particular quantum challenges. Monero's ring signatures and stealth addresses could be broken by quantum computers; Zcash's zkSNARKs may need to be replaced with STARKs or other quantum-resistant zero-knowledge proof systems. The privacy-preserving cryptocurrency space will have to evolve alongside the quantum threat.

The Importance of Education

An often-overlooked part of quantum preparedness is education. The Bitcoin community, cryptocurrency users, and the general public all need a better understanding of quantum computing: what it is, what it is not, what the real threats are, and what the realistic timelines look like.

Claims like Mandell's spread FUD (fear, uncertainty, and doubt) largely because most cryptocurrency users lack the technical background to evaluate quantum-related claims critically. Educational efforts could include:

  • Explaining the fundamentals of quantum computing in clear, accessible terms
  • Publishing regular, credible updates on quantum technology progress
  • Providing guidance on quantum-safe measures users can take today
  • Transparent communication from Bitcoin developers about plans and timelines

A well-informed community will make better decisions about quantum resistance, neither succumbing to needless panic nor drifting into the dangers of complacency.

Final Thoughts

The relationship between quantum computing and Bitcoin is more complex than either the pessimists or the optimists suggest. Quantum computers will not make "Bitcoin collapse overnight," as some sensational headlines claim. But quantum computing is not irrelevant background noise either, and Bitcoin cannot afford to take it lightly.

Josh Mandell's October 2025 claim that quantum computers had already begun stealing Bitcoin was false: there is no evidence for it, it is inconsistent with existing hardware capabilities, and on-chain data refutes it. Yet the rumor's virality reflects real anxiety within the crypto community about quantum threats, an anxiety that must be met with facts, preparation, and rational action.

Technically, breaking Bitcoin's ECDSA cryptography would require quantum computers far more powerful than any that exist today. It would take millions of physical qubits, fault-tolerant error correction, and the ability to execute billions of quantum gates, capabilities that most expert estimates place at least a decade away, if not longer.

Still, quantum technology keeps advancing. Google's Willow chip has demonstrated below-threshold error correction. IBM has a concrete, funded roadmap to reach 200 logical qubits by 2029. Academic researchers continue to refine quantum algorithms and reduce their resource requirements. The safety window between "quantum computers cannot threaten Bitcoin" and "quantum computers are actively attacking Bitcoin" could turn out to be surprisingly narrow.

Bitcoin's vulnerabilities are real but manageable. The cryptographic community has understood the risk posed by Shor's algorithm since 1994. The field of post-quantum cryptography has produced viable alternatives to ECDSA, such as lattice-based and hash-based signature schemes. Proposals like QRAMP lay out systematic migration paths, even if they remain contested.

Moreover, the economic and ethical complexities exceed the purely technical ones. Millions of bitcoins sit in potentially quantum-vulnerable addresses, including Satoshi Nakamoto's legendary million-coin holdings. If those coins were ever unlocked, it would raise hard questions about property rights, network security, market stability, and Bitcoin's most fundamental values.

Even so, experts have reason for optimism. The same quantum revolution that brings threats can also produce stronger cryptographic protections, more sophisticated protocols, and new capabilities that classical computing cannot deliver. Post-quantum cryptography means not just defending against a threat but upgrading cryptographic security across the board.

The crypto industry now has the opportunity to prepare in advance and even benefit from the quantum transition, provided it acts with appropriate urgency. The real challenge is not "quantum versus Bitcoin" but whether the entire crypto ecosystem can evolve faster than the technology that could break it.

That will take several things: continuous monitoring of quantum progress, parallel research into quantum-resistant protocols, stronger education to counter misinformation, community consensus on hard questions such as migration timing and lost coins, and the judgment to distinguish real threats that demand action from hype that does not.

Since Satoshi mined the genesis block in 2009, Bitcoin has survived many crises: exchange hacks, regulatory crackdowns, the block size wars, and countless "Bitcoin is dead" obituaries. What makes the quantum threat different is that it challenges Bitcoin's cryptographic foundations. It is not an external attack or a governance dispute but a fundamental shift in what computation can do.

Yet Bitcoin's history also shows remarkable adaptability. Despite its reputation for conservatism, the community has pushed through major upgrades such as SegWit and Taproot. When the threat is clear and the solution is mature, the community has always managed to rise to the challenge. With early preparation, so that a crisis does not force rushed decisions, the quantum transition can be handled just as well.

The quantum era will arrive: not today, not tomorrow, but perhaps sooner than many imagine. When it does, Bitcoin will have to evolve, and the Bitcoin that emerges will be more secure, more mature, and more resilient than today's. Managed well, the quantum threat can become an opportunity to strengthen Bitcoin's foundations for the decades ahead.

The choice facing the Bitcoin community is not "whether to prepare for quantum" but "how fast and how thoroughly to act." Between those who panic at every quantum headline and those who dismiss quantum risk as too distant to matter lies a rational middle path: evidence-based, expert-guided, and faithful to Bitcoin's ultimate goal of protecting the soundest money in human history, whatever future computing paradigms bring.

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only, reflects the author's views, and does not constitute financial, investment, legal, or tax advice. Crypto assets are highly volatile and carry significant risk, including the possible loss of all or most of the amount invested. Buying, selling, or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author and do not represent the official policy or position of Yellow, its founders, or its management. Always do your own research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.