TBW - Charles Guillemet (Ledger): "Trust in cryptography is eroded, blockchains must migrate now"
The Big Whale: Google just published a research paper that is generating a lot of buzz in the crypto ecosystem. Can you explain in simple terms what it's about?
Charles Guillemet: Google has introduced a new algorithm that, in theory, can break ECDSA, i.e. elliptic curve cryptography, more efficiently. This algorithm builds on Shor's algorithm, one of the two major algorithms designed to break asymmetric cryptography using a quantum computer. Until now, Shor had mostly been studied in the context of attacking RSA, which is not used in blockchains. What we use is elliptic curve cryptography, and research on applying Shor to this type of cryptography was less advanced. What Google is showing is an even better algorithm, which would theoretically allow a quantum computer to break ECDSA and elliptic curve cryptography in general.
Except that this quantum computer still doesn't exist...
It's always the same issue. Research is progressing on two fronts simultaneously. On one side, the theoretical algorithms: what is the best algorithm, the best implementation, to efficiently attack elliptic curves. On the other, the hardware: building a quantum computer with a sufficient number of qubits, and above all a stable system. Both fronts are advancing. Will we eventually be able to break everything? It's a gamble, nobody knows. Those who claim it will happen in two or five years are often people who have something to sell. But for me, that's not the point. The real issue is trust in cryptography, in mathematics. The moment there is doubt about that trust, it's time to solve the problem.
Which blockchains are affected by this threat?
Virtually all of them. Very few post-quantum blockchains exist among current projects. Algorand has done some work, and there are blockchains positioning themselves on the PQC front from a marketing standpoint. Then there are Layer 2s and protocols based on STARKs, such as StarkNet, which are resistant by design, with some caveats. But overall, there are very few. All the major blockchains are vulnerable: Bitcoin, Ethereum, and the rest.
You mentioned StarkNet among the best-prepared blockchains. A word on that?
StarkNet, from a technological standpoint, is doing very interesting things that advance research well beyond blockchains. STARKs are a genuine scientific breakthrough, efficient and post-quantum resistant, with some caveats. However, StarkNet's usage remains very low today. It's a textbook case of a successful technology with low adoption. Meanwhile, other projects that are technically less accomplished enjoy far greater success.
What is your stance on migrating blockchains to quantum-resistant systems?
We need to migrate as quickly as possible. Even if we are not at all certain that a functional quantum computer will arrive soon, the question is no longer about certainty: it's about trust. Trust is eroded, so we need to migrate. The real difficulty is reaching consensus on how to migrate and to what, especially on Bitcoin.
A particularly original point in Google's paper: they provide a proof without revealing their algorithm. How is that possible?
That is the most fascinating aspect of their paper. It's the first time I've seen this in a research article: the authors claim to have a result that surpasses the state of the art, but they don't explain how. However, they provide a mathematical proof, based on zero-knowledge, that their result is indeed what they claim. Nobody can refute what they assert, but nobody knows how they achieve it. It's both elegant and completely unprecedented.
Can we trust them? Does Google have an interest in spreading fear about blockchain?
The paper has not yet been fully validated by the scientific community; the peer review process needs to run its course. But at first glance, I have no doubts. Google is behind it, and Dan Boneh is among the signatories; he is one of the most respected cryptographers in the world. As for a potential conflict of interest: Google does not have a post-quantum blockchain to sell. This is not like the PQC-specialized startups announcing armageddon in two years, where you have to question their commercial motives. For Google, it's less obvious. In any case, they announced just a few days ago that they plan to migrate their own systems by 2029, and this paper is published right after. It all points in the same direction.
We often hear that the quantum computer will be a universal supercomputer. Is that a misconception?
Completely. People think a quantum computer is just a classical computer but much faster. Not at all. Most problems will continue to be solved more efficiently by classical computers. Quantum algorithms are superior for a few very specific tasks, and the main one is breaking cryptography. That's why this topic is so central.
Where do things actually stand on quantum hardware? Google mentions 2029...
In reality, we don't know much. What we can observe is that both fronts are making progress: theoretical algorithms are improving, and so is hardware, with many different technologies exploiting various quantum phenomena. The main difficulty remains achieving a large number of qubits that are stable over time. To maintain entanglement between qubits, you need an environment with minimal noise, especially thermal noise, which means working at temperatures close to absolute zero. The large golden rigs you see in photos are refrigerators. The computer itself is a small chip at the bottom. The challenge is that the circuit produces a few microwatts of heat, and that heat generates noise that destroys quantum coherence. The more qubits you add, the harder it is to maintain that coherence. These are real physics problems.
Could this kind of publication dampen institutional appetite for blockchain and tokenization?
Every time there is a result like this one, it erodes trust in cryptography a little more. And blockchains fundamentally rely on that trust, all the more so because in a decentralized system, there is no trusted third party; all security rests on cryptography. So yes, it raises questions. But solutions exist: migration solutions are available.
How is Ledger preparing in practice?
As long as Bitcoin, Ethereum, and the major blockchains remain vulnerable, it doesn't matter how much we secure our devices: if someone can steal coins directly on the blockchain, the wallet won't make a difference. That said, we also use cryptography for our own systems: device updates, proof of authenticity, and so on. We are working on migrating these building blocks to post-quantum solutions. We also have an embedded operating system on our devices and our HSMs, which exposes cryptographic services to the applications running on top. What we are doing right now is adding new post-quantum cryptographic services.
Is there a single standard everyone is converging toward?
No, and that's one of the difficulties. There are several standards, and the debates differ across ecosystems. Broadly speaking, two major families of algorithms stand out. On one side, hash-based schemes: you build cryptographic primitives, notably signatures, from hash functions, which are one-way functions that have been very well studied for a long time. We have a high level of confidence in their security. The drawback is that the keys and signatures are large, which creates practical challenges. On the other side, there are lattice-based schemes, founded on a different type of mathematical problem. The principle remains the same: it is easy to derive a public key from a private key, but the reverse is very difficult. It is less studied, and the mathematics are complex and mastered by few people. But it's more elegant, which enables more efficient constructions.
And Bitcoin and Ethereum aren't making the same choice?
Ethereum is leaning more toward lattices, advanced mathematical constructions. Bitcoin leans more toward hash-based approaches. It's quite telling: a new fault line between the two ecosystems, extending even into cryptographic choices.
"If Bitcoin is broken, it will be a real problem; we need to migrate as quickly as possible"
A seemingly simple question: how do you migrate a blockchain?
It's certainly much simpler in a centralized world. One entity decides, and it executes. On a blockchain, you need to find consensus. But the difficulty of migrating the centralized world should not be underestimated either. There is cryptography everywhere: in telecommunications, payments, the internet, finance, defense. Implementations are in hardware, on servers, written in old languages, scattered across entire stacks. And at every cryptographic touchpoint, there are two parties: the one who signs and the one who verifies. This migration will be a massive undertaking, everywhere.
Concretely, what does the Bitcoin community need to agree on?
The central question is the new signature algorithm. We consider ECDSA to present a risk, so it needs to be replaced, either by a hash-based or a lattice-based scheme. And as soon as you change that, you trigger a cascade of problems. The new signatures are larger, they need to be stored on-chain, so each block contains fewer transactions. The cost of verifying a signature also increases, which is a problem for Bitcoin, where being able to run a node on modest hardware has always been a foundational principle.
And the migration of existing funds?
That's the thorniest problem. All the bitcoins that exist today are on addresses tied to the old cryptography. Every user would need to create a new post-quantum address and transfer their funds to it. Except Bitcoin processes roughly 7 transactions per second. If you filled every block exclusively with migration transactions, it would take approximately 8 months just to migrate the existing UTXOs. We clearly cannot afford to wait until the last moment.
What about the bitcoins that don't move? Those whose holders have lost their keys, or that belong to defunct entities?
That's the hardest question. You define a migration period, let's say several years at a minimum. At the end of that period, for those that haven't moved, you don't have many options. Either you leave them as they are, waiting for someone to break them one day, which is not satisfactory. Or you declare them lost: there are no longer 21 million bitcoins, there are 16 million, for instance. Or you reissue the remaining bitcoins, which is not a bad idea in itself, it would also partly address the long-term security budget problem for miners. But it raises a sovereignty issue. There is no good solution; every option has major drawbacks.
Is the Bitcoin community aware of what's at stake?
It's a fairly recent awakening. Most of the people I've spoken with, who are truly at the core of the Bitcoin community and knowledgeable on these topics, are convinced there won't be a quantum computer anytime soon and that it's a non-issue. Maybe they're right. Maybe not. The problem is that nobody knows, and trust is at stake right now. We are already in a phase of doubt, and the progress will continue.
And on the Ethereum side, how would it play out?
At the start of the discussions, there was an idea that I did not support at all: since Ethereum is programmable, it would be enough to put your tokens and your ETH into a smart contract, a smart wallet, whose spending condition would be the verification of a post-quantum signature. In theory, you could implement a post-quantum wallet on Ethereum right now.
That sounds promising. Why doesn't it convince you?
Because it's not efficient: verification consumes a lot of gas, and above all, it's not a sustainable solution. It's a band-aid. You can't say that all signatures are broken, but it's fine because we have this piece of duct tape holding the system together. So there are real discussions underway about which algorithm to adopt and what changes to make at the protocol level. There is a call every two weeks with the Ethereum Foundation in which we participate and share our views.
Does a Bitcoin hard fork seem inevitable to you?
I think it's the only possibility. Someone will launch a new chain, claim it's Bitcoin, and offer a post-quantum resistant Bitcoin with higher throughput to solve the migration problem. That's one possibility. Then, whether people will recognize that blockchain as being Bitcoin remains to be seen. There are also other approaches, such as adding a new opcode that would allow STARK proofs to be verified directly on Bitcoin, which would revive interest in the protocol beyond the quantum question alone.