If there is no plan for a quantum upgrade, AE will “reset to zero” when quantum computing arrives in a few years

If AE has no plan for a quantum upgrade, it will “reset to zero” when quantum computing arrives in a few years.

As soon as you have made even one outgoing transaction from an AE address (i.e., sent AE out of it), that address's public key is permanently exposed on the chain. Once quantum computers mature, the private key of that address could in theory be recovered and the funds stolen.

Why does sending expose the public key?
Like early Bitcoin and Ethereum, Aeternity's transaction structure directly includes the full 32-byte public key (not just the address). Open any AE transfer in a block explorer and you will see: public_key: Oxak_2… (prefix) + the complete 32-byte public key

Example (real on-chain data):
https://explorer.aeternity.io/transactions/th 2XXXXXX
XXXXXXXXXXXXXXXXXXXXXXXX
The 64-character hexadecimal public key is right there in plaintext.

What can a quantum computer do with this public key?
1. Input: the 32-byte Ed25519 public key already public on the chain
2. Tool: a fault-tolerant quantum computer of sufficient scale (estimated 2000-4000 logical qubits) running Shor's algorithm
3. Output: the corresponding private key, computed within minutes to hours
4. Result: the attacker directly constructs a transfer and moves all the AE out of your address

Time estimate (mainstream view in 2025)
· 2028-2032: very high probability of a quantum machine able to break Ed25519 (the Vitalik, Google and IBM roadmaps agree)
· Once it appears, every AE address that has ever sent out funds is in a “can be stolen at any time” state; even if your balance is 0 now, anything transferred in later will be swept away immediately.

Conclusion (in one sentence)
Once your AE address has sent out funds even once, its public key is permanently exposed on the chain; future quantum computers will be 100% able to recover the private key, and the funds can be emptied at any time.

Let's compare with BTC

Never use Legacy (starts with 1, e.g. 1…)
Never use SegWit (starts with bc1q, e.g. bc1q…)
Only use Taproot (starts with bc1p, e.g. bc1p…)

Spending from Legacy/SegWit = exposure, and the quantum countdown starts.

What makes a quantum computer frightening: as soon as it sees your full public key on the chain, it can use Shor's algorithm to compute the private key within minutes → and steal all your coins.

Suppose you now generate a brand-new Taproot address (bc1p…) with AirGap Vault:

1. You give this address to someone → they send you 1 BTC → only the address (a hash) ever appears on the chain; the full public key never appears even once → the quantum machine sees nothing at all

2. A few years later you want to spend 0.5 BTC and send it to someone
→ If you use the most ordinary single-person, single-signature method (key-path spend) → the chain still shows only a Schnorr signature, and the full public key is still not exposed! → the quantum machine still cannot steal it

3. Only a very few complex situations expose it (99.9% of people will never run into them)
• you used multisig
• you used complex Lightning channel opens/closes
• you used script-path (rarely used)

Generate a Taproot address (bc1p…) with AirGap Vault
→ someone sends you BTC
→ from then on you only ever spend with the plainest single-person, single-signature method
→ no multisig, no Lightning Network, no complex scripts
Then, from creation to the end, the full public key behind this BTC never appears on the chain
Even when quantum computers arrive, it cannot be stolen

Ordinary users with Taproot + single signature = effectively quantum immune

Now let's compare with ETH

Ethereum's (ETH) public-key exposure rules are completely different from Bitcoin's, and far harsher.

One-sentence conclusion: as soon as this ETH has moved even once (a transfer out, a contract call, an approve, or even just a 0 ETH transaction sent from this address), your full public key is permanently exposed on the chain, and a quantum computer can take this money, and every token that follows it, at any time.

However, even if a quantum computer has obtained the full public key of one of your ETH addresses → and computed that ETH address's private key, it still cannot work backwards to your 24-word mnemonic, nor compute the private key of a BTC address derived from the same mnemonic.

Vitalik Buterin's (V神) plan for Ethereum's quantum upgrade

Vitalik Buterin (V神) has long paid attention to the quantum threat, and since 2017 he has been developing quantum-resistant account-abstraction wallet code (such as verification based on hash-ladder signatures). At the 2025 Devconnect conference he stressed that quantum computers may break elliptic-curve cryptography (ECC) before the 2028 US presidential election, giving Ethereum a window of roughly 3-4 years (until 2028-2029) to migrate to quantum-resistant cryptography. This is not panic but a “worst-case” assessment based on a 20% probability, assuming qubit stability and error-correction progress arrive as expected.

Upgrade timeline:
• Short term (2025-2026): focus on ZK-friendly upgrades, scalability and censorship resistance. Ethereum's “The Splurge” roadmap stage already includes quantum research, including multidimensional gas and account abstraction (EIP-4337), which allows a seamless switch to PQC signatures without moving funds.
• Mid term (2026-2027): integrate BLS signature replacement, hash-based signatures (for validators) and multi-curve support. Vitalik recommends recursive STARK protocols as the foundation (the building blocks already exist) and making sure every decision is “forward compatible” with the quantum era.
• Long term (after 2028): full “quantum resistance everywhere”, adopting NIST-standard PQC such as Kyber (key encapsulation) and Dilithium (signatures). This could be delivered through a hard fork, similar to the Prague upgrade, but with emphasis on ecosystem coordination (wallets, L2s, dApps).

Ethereum is already well prepared:

Existing defences: addresses are public-key hashes, which reduces exposure; account abstraction allows keys to be rotated dynamically.
Community action: Ethereum developers are ahead of the industry, with EIP proposals already integrating PQC. Vitalik stresses that it “just needs a large community of talented developers”, not a restart from scratch.

Vitalik's plan is proactive: not “if” quantum arrives but “when”. This strengthens Ethereum's long-term resilience, but users should avoid address reuse and keep an eye on the Pectra upgrade (expected by the end of 2025). If quantum breakthroughs accelerate, the whole crypto industry (including banks and the military) will respond in step.

Assuming a quantum breakthrough happens in 2028, AE's market cap (currently about $100 million) could lose more than 80% (an amplified version of the 2018 exchange hacks); high-value addresses (whales) would be hit first. A “harvest attack” may already be under way, with attackers stockpiling 2020-2025 transaction data.

Aeternity currently cannot resist quantum attacks; its ECDSA foundation is inherently fragile and faces a survival crisis before 2028. But as an upgradable platform (Erlang's hot-code-replacement advantage), AE has the potential to transition to NIST PQC and become a mid-sized Layer 1 leader in the quantum era. That needs foundation leadership, community push and roughly $20 million of investment. If it delays, AE could be marginalized as in the 2018 exchange delisting; if it acts, it will strengthen its “eternal technology” (aeternity) promise and attract enterprise dApps. In the end, quantum is not doomsday but a catalyst for upgrading; whether AE seizes the window decides its eternal place in Web3.

If AE has no plan for a quantum upgrade, it will “reset to zero” when quantum computing arrives in a few years.


good advice!