
@soggycakes posted about this yesterday (#1481655), but I didn't read through it till today...and there's a SN reference!

There has been some discussion of canary addresses that could be sniped more easily than normal Bitcoin addresses.

In the long run, Satoshi's coins are also a canary as they are a large pile of coins that a quantum attacker might do well to grab as soon as possible (lest some other attacker get them first).

But Nic Carter doesn't think so:

by the time the canary is tripped, it’s already too late.

First off, Carter tackles the idea of canaries like Project Eleven's recent Q-Day prize (#1478176). A series of increasingly difficult-to-crack keys, says Carter, will be susceptible to this problem:

Quantum results below 120 bits will always be clouded by accusations of classical cheating, and when a quantum computer unambiguously surpasses classical capabilities, the warning window will be too short.

This is because Carter believes

The gap between 117 and 256 bits is prohibitively large for a classical computer but relatively shallow for a QC running Shor, which scales polynomially.

Carter elaborates on this property:

Shor running on a QC scales in O(n^3) in gate operations. Going from 117 to 256 bits with Shor would require a measly 10.5 times more operations. Gate ops are a proxy for runtime, so you can think of the progression from 117 to 256 bits as unimaginable in classical terms, but a simple matter of running your computation 10 times longer for a QC. The scaling story for logical qubits is roughly linear in bit size. Using Google’s Babbush et al (2026) paper, we can see that the difference between 117 and 256 bits is a matter of 548 logical qubits (my interpolation) versus 1200 logical qubits.

If a quantum processor is able to solve 120-bit ECDLP, the version that solves 256 bits is either the same machine or its successor. Your intuitions regarding classical security simply do not apply with Shor: bridging that 136-bit gap is a matter of merely doubling logical qubits and increasing runtime by 10x. A QC that can surmount the error-correction and qubit coherence problems to solve an intermediate-size circuit is close to one that can empty a Bitcoin address.

As far as the motivations of an entity possessing a quantum computer, Carter has this to say:

The problem, of course, is that the motives of the first owner of a CRQC are completely inscrutable. We simply don’t know if they are altruistic, commercially minded, nation-state affiliated, or anything really. If I had to guess, I expect that it will be either a private firm in the US or a firm affiliated with the Chinese government, but even then, that isn’t really cause for comfort. We have no reason to believe that the first owner of a scaled QC would choose to reveal themselves by claiming a (likely smallish) designated bounty. They might go for the Satoshi coins. Or the Binance coldwallet. They might ignore Bitcoin completely. We just don’t know.

Carter does not believe that someone, especially the first someone, to have a quantum computer would be enticed by a small bounty:

If I had to guess, I would imagine that the first owner of a QC would keep it a secret for as long as possible, given the enormous strategic value of having your geopolitical adversaries (who you would like to spy on) in the dark regarding your ability to decrypt their traffic.

I don’t think they would tip their hand by claiming a relatively small bounty.

I think this is a reasonable take: even Satoshi's coins may not be as valuable as having an effective quantum computer nobody knows about.

Carter then references SN:

Scott Aaronson gave a sobering answer to the question in a recent Stacker News AMA, when he was asked about evidence that quantum computers can genuinely outperform classical counterparts:

I’m already looking ahead to the next milestone, which is when condensed-matter physicists, materials scientists, etc. who don’t “intrinsically” care about quantum computing at all, are nevertheless using it as a tool to help answer the questions they do care about, which they weren’t able to answer using high-performance classical computing. And then commercially relevant quantum simulations are a next milestone after that.

Perhaps this will be the best canary we have.
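To make Carter's scaling argument concrete, here is an added example (not part of the original post and not Carter's code) that puts his two cost models side by side across a ladder of canary key sizes. It assumes exactly the figures quoted above: Shor gate operations growing as n^3, logical qubits growing linearly and anchored at 1200 qubits for 256 bits, and the best generic classical ECDLP attack (Pollard rho) costing about 2^(n/2) group operations. The ladder of key sizes, the 2^80 classical work budget, and all function names are constructed for illustration; the ladder is not Project Eleven's actual prize schedule. It goes beyond the 117-to-256 case in the quote by computing the same ratios for every rung, and by reporting the first rung at which a solution could no longer be dismissed as classical cheating.

```python
"""Escalation cost of a quantum-canary ladder under two cost models.

Added example, not from the original post or from Nic Carter's article.
Assumptions (labelled, taken from the figures quoted in the post):
  - Shor's algorithm costs O(n^3) gate operations for an n-bit ECDLP instance
  - logical qubits grow roughly linearly in n, anchored at 1200 logical
    qubits for 256-bit ECDLP (the figure the post attributes to Babbush et al.)
  - the best generic classical attack on ECDLP (Pollard rho) costs about
    2^(n/2) group operations
The ladder of key sizes and the classical budget below are constructed for
illustration; they are not Project Eleven's actual prize schedule.
"""

QUBITS_AT_256 = 1200         # assumed anchor point for the linear qubit model
CLASSICAL_BUDGET_LOG2 = 80   # assumed: log2 of group ops a well-funded classical effort could afford


def shor_gate_ratio(n_from: int, n_to: int) -> float:
    """Factor by which Shor gate operations grow from n_from to n_to bits (cubic model)."""
    return (n_to / n_from) ** 3


def logical_qubits(n_bits: int) -> float:
    """Logical qubits for an n-bit ECDLP under the linear model anchored at 256 bits."""
    return QUBITS_AT_256 * n_bits / 256


def classical_ratio(n_from: int, n_to: int) -> float:
    """Factor by which Pollard-rho work grows from n_from to n_to bits (2^(n/2) model)."""
    return 2.0 ** ((n_to - n_from) / 2)


def classically_contestable(n_bits: int, budget_log2: int = CLASSICAL_BUDGET_LOG2) -> bool:
    """True if a solution at this size could plausibly be attributed to classical computation."""
    return n_bits / 2 <= budget_log2


def escalation_table(ladder: list[int]) -> list[dict]:
    """Per-rung cost of climbing from each canary size to the next, under both models."""
    rows = []
    for n_from, n_to in zip(ladder, ladder[1:]):
        rows.append({
            "from_bits": n_from,
            "to_bits": n_to,
            "shor_gate_ratio": shor_gate_ratio(n_from, n_to),
            "qubits_from": logical_qubits(n_from),
            "qubits_to": logical_qubits(n_to),
            "classical_ratio_log2": (n_to - n_from) / 2,
            "from_classically_contestable": classically_contestable(n_from),
        })
    return rows


def warning_window_summary(ladder: list[int]) -> dict:
    """First rung where a quantum explanation is undeniable, and how far that rung is from 256 bits."""
    first_undeniable = next((n for n in ladder if not classically_contestable(n)), None)
    if first_undeniable is None:
        return {"first_undeniable_bits": None}
    return {
        "first_undeniable_bits": first_undeniable,
        "shor_gate_ratio_to_256": shor_gate_ratio(first_undeniable, 256),
        "qubit_ratio_to_256": logical_qubits(256) / logical_qubits(first_undeniable),
        "classical_ratio_log2_to_256": (256 - first_undeniable) / 2,
    }


if __name__ == "__main__":
    # Constructed ladder for illustration, ending at the secp256k1 key size.
    LADDER = [64, 96, 117, 128, 160, 192, 256]
    for row in escalation_table(LADDER):
        print(f"{row['from_bits']:>3} -> {row['to_bits']:>3} bits: "
              f"Shor ops x{row['shor_gate_ratio']:.1f}, "
              f"qubits {row['qubits_from']:.0f} -> {row['qubits_to']:.0f}, "
              f"classical ops x2^{row['classical_ratio_log2']:.1f}, "
              f"lower rung classically contestable: {row['from_classically_contestable']}")
    print(warning_window_summary(LADDER))
```

Running it reproduces the quote's numbers for the 117-to-256 step (about 10.5x gate operations, 548 versus 1200 logical qubits) next to a classical factor of 2^69.5, and shows that with the assumed 2^80 budget the first rung that cannot be waved off as classical is already within a small constant factor of the full key size under the Shor models. Change CLASSICAL_BUDGET_LOG2 to see how the warning window moves with what you think a classical adversary can afford.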

252 sats \ 2 replies \ @DarthCoin 12h

reply
103 sats \ 0 replies \ @siggy47 12h

Exactly

reply
1 sat \ 0 replies \ @nout 9h

Just a bankster that tries to squeeze money out of people.

reply
124 sats \ 3 replies \ @optimism 11h

Even though I'm really not a fan, I largely agree with Nic's logic on this one.

reply

Yes, I also think that relying on canaries doesn't make a whole lot of sense.

reply
124 sats \ 1 reply \ @optimism 11h

I think though that it can still be a tool in the box. Just I'm quite sure that it won't play out as well as many people argue it would.

reply

Perhaps Satoshi's coins...but anything less than a huge sum doesn't seem like it would be worth it for the cost of revealing that such a quantum computer exists.

reply
152 sats \ 0 replies \ @siggy47 12h

When will he go away?

reply