Grover’s Algorithm isn’t useless - change my mind

Quick disclaimer up front:
This is not a post claiming Grover’s algorithm makes it practical to break SHA‑256 or any modern hash function. That’s not the point.

What I am saying is that Grover applies to problems that are fundamentally meant to be solved, like Proof of Work (PoW), and in those contexts, it might actually be useful. Or at the very least, not “useless.” While its quadratic advantage is far less impressive than the exponential speed up of Shor’s it has a much wider range of potential uses.

I’m the author of the two papers this post is based on:

• “Quantum advantage on proof of work” (Array, 2022)
• “Quantum Blockchain Miners Provide Massive Energy Savings” (arXiv, 2023)

Both take a close look at what happens when you apply Grover’s algorithm, combined with some realistic engineering assumptions, to Bitcoin-style PoW.

A few more disclaimers:

• Do I think this is the biggest threat facing Bitcoin? No.
• Do I think it could become a concern one day (e.g. the 2047 date we mention in the first paper)? Probably not, and even then, it would only take some honest quantum miners to join the network to neutralise the threat.
• Do I think this is a realistic medium-term use case for quantum computers? Possibly.

There’s even a built-in self-reinforcing loop: as quantum miners join, they increase difficulty, which increases quantum advantage, which makes it more attractive for others to join.

graph2_page-0001947×674 78.6 KB

What Grover does and doesn’t do

Grover gives a quadratic speedup for search problems. That’s well-known. The common pushback is that quadratic isn’t “enough”, especially for cryptographic tasks.

But that assumes the problem is supposed to be hard. PoW isn’t.

PoW problems are deliberately solvable. The goal isn’t to make them impossible, it’s to make them costly. Miners find valid blocks every 10 minutes. When the problem is meant to be solved regularly, even a square-root speedup matters.

So Grover is a surprisingly natural fit here. It’s not doing something magical, it’s just reducing the search space more efficiently in a setting where that actually helps.

Where this is a real attack vector

This isn’t a theoretical doomsday for Bitcoin, but it could be a serious issue for smaller PoW chains with low hash rates.

For example, Ethereum Classic, which has already suffered 51% attacks, could be vulnerable well before Bitcoin is. In those cases, a quantum miner doesn’t need to outpace the entire network, just a small portion of it.

Where else Grover might be useful (at a high level)

Grover’s algorithm doesn’t just apply to PoW, it can be useful anywhere you’re searching a large space for an answer, and you can check if the answer is correct. A few examples:

• Password cracking (in theory): If a password is hashed without salting or rate limits, Grover can speed up brute-force attacks. It’s not a major threat to well-designed systems, but the structure fits.
• Drug discovery or materials search: Trying to find a molecule that binds to a target or meets certain properties? Grover can reduce the number of test cases you need to run.
• Route or schedule optimisation: If you’re trying to find the best solution out of millions of combinations (e.g. shortest delivery route or most efficient shift rota), Grover helps narrow the field faster.
• Searching large databases or logs: Say you’re trying to find one record in a sea of data that meets a specific condition, Grover gives a consistent speedup.

These are all cases where brute-force search is expensive, but still feasible, which is exactly where Grover is meant to help.

Why this might matter for mining

In our second paper, we model the energy costs of running Grover-based PoW miners, not just in theory, but with real-world numbers for ASICs and quantum hardware.

We look at three quantum setups:

• A basic, non-error-corrected (NISQ) quantum miner
• A miner with one layer of error correction
• A miner with two layers of error correction

Even with basic setups, the potential energy savings are enormous, in the order of 10¹¹ to 10²¹ times lower energy use per block compared to a classical miner. This is largely because Grover takes fewer steps, and quantum hardware (especially reversible computation) has a much lower theoretical energy floor.

Add to that the fact that mining doesn’t require perfect success. Even a noisy quantum miner with a low success rate could still be profitable, as long as it runs faster or cheaper than classical hardware.

So why might Grover still be impractical?

Despite all that, there are still big hurdles:

• Oracle construction isn’t free: For Grover to work, you need to build a quantum version of your problem, including the full hash function circuit. That adds overhead.
• Depth and error rates: Quantum circuits need to be deep enough to run many Grover iterations. If your qubits decohere too quickly, the advantage vanishes.
• Fault tolerance is expensive: The more robust your quantum computer needs to be, the more error correction layers you need, and that adds massive complexity and physical qubit counts.
• Classical hardware is still improving: ASIC miners are already highly optimised. For Grover to win on performance or energy, it has to beat very good classical baselines.
• Return on investment may not justify the build: Even if quantum miners are technically better, the cost of building and running them might not be worth it, at least not for a while.

I’m keen to know if any of you think I’m completely out to lunch on this topic. Or whether there’s a reason I’ve missed that would mean its completely impractical to use Grover’s at all either as a PoW miner or for other limited use-cases.

The issue I have with claims that Grover’s algorithm could have an impact on mining-specific problems like Proof of Work (PoW) is that it only focuses on the potential performance benefits without addressing the costs. And the business of mining is not about performance, it is all about uptime and cost-minimization. So Grover’s practical usefulness a distant and highly uncertain prospect. In comparison, Shor’s algorithm poses a far more immediate and existential threat to crypto because its impact is exponential and not easily mitigated.

The key distinction between Shor’s and Grover’s algorithms lies in their computational speedup. Shor’s algorithm provides an exponential speedup for factoring large numbers and solving the discrete logarithm problem, which are the foundational mathematical problems of modern public-key cryptography like Elliptic Curve Cryptography (ECC) upon which Bitcoin is based. This isn’t a small improvement; it’s a fundamental change that renders these systems completely insecure. A task that would take a classical supercomputer billions of years could, in theory, be completed in a matter of hours or even minutes with a sufficiently powerful quantum computer running Shor’s. This has forced the entire cybersecurity community to develop and transition to post-quantum cryptography (PQC), a massive and costly undertaking.

On the other hand, Grover’s only provides a quadratic speedup, and comes with the costs that you cited above. I think practically you’d need economies of scale so huge as to make one of central tenets of Bitcoin (decentralization) obsolete, which could then have a negative price impact, making a decision to pursue a Grover’s-centric mining strategy negative-EV and thus invalidating it.

So Grover’s could make a marginal impact for mining in the very long-term, but the economic realities of a highly competitive market make it unlikely to matter before that, even after Q-Day. And remember, cost will only become more dominant for Bitcoin mining economics, where revenue continually shrinks due to the reducing block subsidy.

Hi @apruden thanks for the great reply! Overall I do agree with a lot of what you said. There are a lot of unknowns with it.

And the business of mining is not about performance, it is all about uptime and cost-minimization.

I agree; however, the pure computation energetic cost would be a lot lower than running a classical device, which would reduce financial cost. This could 100% be undone depending on the architecture and the cooling costs, however. I think until we know what quantum architecture becomes the leading force, we can’t assume what the up-time would be.

On the other hand, Grover’s only provides a quadratic speedup, and comes with the costs that you cited above.

I disagree with the only a quadratic speed-up statement. Yes, Shor’s is an exponential speed up, hence why it can crack classical infeasible problems. A quadratic speed up compared to a 2^n classical algorithm is still huge. I agree that it can’t be used to break RSA, ECDSA or SHA-256, however PoW mining is meant to be solved. A quadratic advantage against a solvable problem where the next best alternative is brute force is a great advantage. I think personally Grover’s gets a bad rap because it is always compared Shor’s, but it can be employed against any NP-Hard problem.

Overall, I think that it could be a great use case for NISQ devices, that run short bursts of Grover’s (not a complete set of Grover’s iterations). However, you may be correct that the economic side and also the potential costs (cost of device, cost of cooling etc) of things may not hold up, but the quadratic advantage is still huge.

Total red-herring. Any quantum miner would still be competing with the rest of the 980 quintillion hashes / second network.

In contrast, cracking just one ECC key could crash the market and do irreparable damage to the Bitcoin brand.

I think in terms breaking Bitcoin consensus I agree as I said

Do I think it could become a concern one day (e.g. the 2047 date we mention in the first paper)? Probably not, and even then, it would only take some honest quantum miners to join the network to neutralise the threat

However could it be useful as a way to improve mining possibly