Will you heed my warnings now?

Holy crap … yesterday I was elected to the US National Academy of Sciences! If you don’t believe me, click the link and keep scrolling down until you hit the name “Aaronson.” But then continue scrolling to see 144 other inductees, including my IAS postdoctoral classmate Maria Chudnovsky, my longtime friend and colleague Salil Vadhan, and even Janet Yellen. I’m humbled to be in such company.

Years ago, somewhere on this blog, I mused that, if I were ever invited to join NAS, I hoped I’d follow the wisdom of Richard Feynman, who famously resigned his NAS membership, comparing it to an honor society back at his high school that spent most of its time debating who should be a member of the honor society. Feynman was also annoyed at having to pay dues.

But now that I’m actually faced with the choice, it’s like, dude! At my advanced age of 44, I’ve encountered so many people who dislike me or even sneer at me, and so many clubs that won’t have me as a member, that I feel mostly gratitude and warmth toward a fine club like NAS that will have me as a member. Anyway, I’ll certainly try it out to see what it’s like—even Feynman did that!

A few hours after I started getting congratulatory emails, for which I was thankful, someone from UT Austin’s press office asked me how I feel about this “culmination” and “capstone” of my entire research career. I replied, look, I know I’ve slowed down a lot since my nubile twenties, but I still hold out the hope that this isn’t any kind of “capstone”!

In any case, I’m ridiculously grateful to all the friends, family, colleagues, and readers who believed in me and helped me reach wherever this is.

Now for a totally different topic, but that will ultimately loop back to the first one:

Last week, I did an Ask Me Anything about quantum computing and blockchain for stacker.news, a forum devoted to bitcoin. Thanks to Will Scoresby for organizing it.

As a longer-term commitment, I also collaborated with my colleagues Dan Boneh, Justin Drake, Sreeram Kannan, Yehuda Lindell, and Dahlia Malkhi, in a panel convened by Coinbase, to put out a detailed position paper about the quantum threat to cryptocurrencies and how best to respond to it. Take a look!

Notably, the situation evolved even while we were writing our position paper—for example, with the major recent papers from Google and Caltech/Oratomic that I blogged about a month ago.

I’d now like to add a few words of my own, not presuming to speak for my fellow Coinbase panelists.

See, some of the most reputable people in quantum hardware and quantum error-correction—people whose judgment I trust more than my own on those topics—are now telling me that a fault-tolerant quantum computer able to break deployed cryptosystems ought to be possible by around 2029.

Maybe they’re overoptimistic. Maybe it will take longer. I dunno. I’m not a timing guy.

But here’s what I do know: the companies racing to scale up fault-tolerant QC have no plans to slow down in order to “give cybersecurity time to adapt” or whatever. The way they see it, cryptographically relevant QCs will plausibly be built sometime soon: indeed, it’s ultimately unavoidable, even if people’s only interest in QC was to do quantum simulations for materials science and chemistry. So, given that reality, isn’t it better that it be done first by mostly US-based companies in the open, than by (let’s say) Chinese or Russian intelligence in secret? And besides, haven’t there already been years of warnings and meetings about the quantum threat to RSA, Diffie-Hellman, and elliptic curve cryptography? Aren’t many in cybersecurity still in denial about the threat?

Haven’t these slumberers shown that they won’t wake up until dramatic achievements in fault-tolerant QC roust them—the way Anthropic’s Mythos model has now jolted even the most ostrich-like about the cybersecurity risks of AI? So, mixing metaphors, mightn’t we just as well rip this Band-Aid off ASAP, rather than giving foreign intelligence agencies extra years to catch up? Indeed, when you think about it that way, isn’t racing to build a cryptographically relevant QC, as quickly as possible, the most ethical, socially responsible thing for an American QC company to do?

Is the above line of reasoning suspiciously self-serving and convenient? Does it remind you of the galaxy-brained arguments that AI company after AI company offered over the last decade for why “really, if you think about it, accelerating toward dangerous superintelligence is the safest course that we could possibly take”? I.e., the arguments that underpinned the current frenzied AI race, which some believe is imperiling all life on earth?

It’s not my place here to answer such questions; I leave all further ethical and geopolitical debate to the comment section! My point here is simply: whether or not anyone likes it, this is how some of the leading QC companies are now thinking about the Shor of Damocles that they genuinely believe now hangs over the Internet.

And I’d say that that makes my own moral duty right now ironically simple and clear: namely, to use my unique soapbox, as the writer of The Internet’s Most Trusted Quantum Computing Blog Since 2005™, to sound the alarm.

So, here it is: if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning. Please start switching to quantum-resistant encryption, and urge your company or organization or blockchain or standards body to do the same.

Yea, heed my warning, for it comes not from some WordPress-using rando, but from the inventor of BosonSampling and PostBQP and shadow tomography, the Schlumberger Centennial Chair and Founding Director of the Quantum Information Center at the University of Texas at Austin, and (wait for it) new member of the US National Academy of Sciences, that august and distinguished body brought into being by President Abraham Lincoln in 1863.

Because, you know, none of this is about me. It’s only about you. And whether you’ll listen to me.

This entry was posted on Wednesday, April 29th, 2026 at 3:11 am and is filed under Announcements, Quantum.

Shor of Damocles is good. I even wondered if it was original and it is. At least this is what Gemini is saying: The phrase “Shor of Damocles” is a punning metaphor used in the field of quantum computing, coined by researcher Scott Aaronson on his blog Shtetl-Optimized.

Let me be honest: What worries me about current approaches to quantum-resistant encryption is that they are (mostly) based on mathematical problems involving dihedral groups instead of abelian groups. And dihedral groups don’t feel very different from abelian groups. In fact, one could even say that dihedral groups are the non-abelian groups closest to abelian groups.

And this feeling has provided motivation in the past for “generalizing” descriptive complexity results (https://cstheory.stackexchange.com/questions/47932/is-descriptive-complexity-dead) from abelian groups to dihedral groups. Here I am thinking especially about https://arxiv.org/abs/2010.12182 (Canonization for Bounded and Dihedral Color Classes in Choiceless Polynomial Time)

gentzen #3: Dihedral groups are “so close to abelian, yet so far.” The project of generalizing Shor’s algorithm to the hidden subgroup problem over the dihedral group has now been stalled for 30 years—ie, the majority of the way back to the invention of RSA and Diffie-Hellman themselves. I’m not saying it’s impossible—in the current state of complexity theory, every cryptographic hardness assumption is ultimately a leap of faith—but the decades of failure by excellent mathematicians have to put some lower bound on the difficulty of the problem, don’t they?

Congratulations, very nice honor. I imagine the endeavor for conversion to quantum computing resistant cryptography will be extremely gratifying. A right place at the right time synchronicity.

I looked at resignations from NAS, following your comment about Feynman. The first departure (Josiah Whitney resigned 1874) was interesting. His career was marked by strident disagreements with other geologists and he was inevitably on the losing side.

He certified a human skull found by miners as genuine and 50 million years old but it was found to be a hoax perpetrated by the miners. He was adamant that California had low prospects for oil production just prior to a California oil boom. He opposed John Muir’s explanation for the origin of Yosemite Valley due to glacial scour just before Muir’s model was widely adopted as the correct interpretation of the data. No surprise that he resigned.

I first thought capstone was a euphemism for gravestone and was associated with a vow of silence for the secret handshake but then settled on a more prosaic interpretation. 🙂

But Scott, doesn’t the technology in question accelerate research in biochemistry, medical science and life extension? Every year the technology is delayed costs millions of lives — if we develop it quickly enough we might even become immortal!

Scott #4: “but the decades of failure by excellent mathematicians have to put some lower bound on the difficulty of the problem, don’t they?”

Yes, but I would worry even less if there were something similar to Joshua Grochow’s evidence that Graph Isomorphism is not in P (https://cstheory.stackexchange.com/a/32168/20340) back in 2015. Joshua Grochow himself would still be a good candidate to provide such evidence. But Pascal Schweitzer or Moritz Lichter might be even better candidates, because they actually succeeded in beating dihedral groups into submission. I guess that was the point in 2015, that there was somebody who was not just an excellent mathematician in general, but one who worked on the specific problem and proved his excellence by related successes with “the most critical group structure” blocking further progress.

Also, the decades of failure might be misleading, because the importance of dihedral groups only became apparent much later.

Phillip #6: I don’t know whether you’re serious or trolling, but certainly people often make that argument for AI, and one could indeed also imagine making it for quantum simulation. How to balance that with the risk of breaking the Internet is a question I’ll leave for the commentariat!

Let me add one thing, though: when Leonid Levin emailed me yesterday to congratulate me on the National Academy thing, he reaffirmed that, for him, quantum computing remains 100% a hoax and garbage, and none of the experimental progress of the past quarter-century has moved him even a nanometer.

For me, then, what really needs to be balanced against the risk of destroying the Internet, is the sheer joy of Leonid Levin living to see a quantum computer factor 2048-bit integers.

I think you’re worrying too much. Once we achieve AGI we’re going to be living in a utopian post scarcity society where money won’t matter anymore. So we won’t need cryptocurrency.

Talking about the now, here’s another piece of wisdom from Alan Watts

Congratulations, Scott! I’m really happy for you to be elected to the NAS. Though I never commented here before, I’ve been following your blog and research intermittently for over 15 years and really think that you deserve that honor. Too few fellow scientists realize that AI and QC come with a lot of risks and even dangers. Thank you for sounding the alarm! Maybe someday you’ll be an influential voice for the ethical usage of AI and QC. 😉

It’s kind of wild, looking back, how much people kept doubling down on quantum-vulnerable cryptography despite Shor’s algorithm being known. Shor published his algorithm in 1994. He showed fault tolerant quantum computation was possible in principle in 1996. Bitcoin started over a decade later, in 2009. It chose quantum-vulnerable cryptography. Ethereum started in 2015, a full two decades later. It chose quantum-vulnerable cryptography. Website certificates, satellite control systems, cpu microcode updates, on and on and on… everyone kept choosing quantum-vulnerable cryptography. There are products coming out *today* that use quantum-vulnerable cryptography! It’s maddening!

Now, to be fair, quantum-secure cryptography standards didn’t exist until 2024 (!!!). And quantum-secure cryptography is more expensive. In isolation each of those individual choose-quantum-vulnerable-crypto decisions is understandable; in some cases arguably even correct given other considerations like network effects. But I think in hindsight this will all be seen as a massive societal blunder.

And you are assuming you are not getting fired by the administration tomorrow …

John K #14: Fired by the UT administration? Why would they want to?

Fired by the Trump administration? How would they (even now) have the power, and why would I be any sort of priority for them?

That position paper is also very interesting, particularly section 1 which discusses the state of quantum computers. Quite a lot of that section will probably be familiar to any reader of this blog — but other parts, notably the taxonomy of five different approaches to QC hardware, were new to me on account of not having followed the technical details at that level. I appreciated the crisp overview.

After Watts excised the past and the future he must have found even the present to be exceedingly difficult. It is reported that he drank copious amounts of alcohol and died an alcoholic (this in addition to four packs of cigarettes per day). It was actually the cigarettes that killed him. He was cremated and considering his reported alcohol consumption his body must have burned for a few days.

I haven’t read any of his books. The only book I have read in this category (call it) was “Zen and the Art of Motorcycle Repair”. Good book in my view that is partly a discussion of quality and state of mind as it applies to quality of work.

Apparently my joke was a little too subtle and related to the administration firing of the National Science Board yesterday.

“Let me add one thing, though: when Leonid Levin emailed me yesterday to congratulate me on the National Academy thing, he reaffirmed that, for him, quantum computing remains 100% a hoax and garbage, and none of the experimental progress of the past quarter-century has moved him even a nanometer.

For me, then, what really needs to be balanced against the risk of destroying the Internet, is the sheer joy of Leonid Levin living to see a quantum computer factor 2048-bit integers.”

Pretty much the only reasons I wouldn’t say I’m not 100% confident that large scale quantum computers aren’t inevitable (barring things like nuclear war or existential risk) is that both Leonid Levin and Gil Kalai, who are both smarter than I am, and have thought much more about these things, seem so convinced that quantum computing isn’t going to be a practical thing ever. Yann LeCun occupies a similar role in reducing my confidence about where capabilities are going where AI is concerned.

For the sake of completeness, it’s “Zen and the Art of Motorcycle Maintenance” by Robert Pirsig.

Yes, agreed, a *very* good book, one that I was in awe of at the time (1974), and one that helped conceive and then birth the publication this year of “Maintenance of Everything: Part One,” by the indefatigable Stewart Brand.

It looks as though Bitcoin is in need of some maintenance!
