Author: Derrick Cui
Translation: Shenchao TechFlow
Shenchao Guide: Although theoretical advancements have reduced the quantum hardware requirements for cracking elliptic curve cryptography from 317 million physical qubits (2022) to under 500,000 (2026), the number of qubits that current quantum computers can actually run algorithms on is only about 105, leaving us several orders of magnitude away from practical attacks. This article analyzes what conditions are needed to crack ECC and how far we are from that day.
Key Points
The table below compares the theoretical conditions for cracking ECC (Elliptic Curve Cryptography, used in TLS, Bitcoin, and HTTPS) by 2026 with the current real progress. The conclusion is: we are far from close.
The largest progress comes from theoretical aspects, such as the algorithm and error correction designs reducing the number of required operations and qubits from about 317 million physical qubits (2022) to below 500,000 (2026). Hardware improvements have also been made (the fidelity of two-qubit gates has improved from about 90% in 2005 to over 99.9% today, and coherence time has increased from about 1 microsecond to about 1 millisecond). However, the most critical hardware metric – the number of available qubits in a single machine – has seen almost no growth: about 105 are able to run real algorithms, while the required amount is approximately 500,000.

Estimated Q Day (the day quantum computing breaks cryptography):
Justin Drake estimates a 10% probability by 2030 and a 50% probability by 2032
The US National Institute of Standards and Technology/National Security Agency aims to exit vulnerable cryptography by 2035
There is no equivalent of Moore's Law for quantum computing. The required conditions have decreased by about 600 times in four years, while machine scale has only increased by about 10 times over the past decade. Therefore, it is impossible to know what the real timetable is.
The Current Frontier of Quantum Computing Progress
Definitions:
Physical Qubit: The total number of qubits in a quantum computer
Logical Qubit/Error-Corrected Qubit: The number of qubits available after error correction (the corresponding concept in classical computers is the ratio of information bits to total bits). For example, a distance-5 code in quantum computing means storing information of 1 logical qubit using about 49 physical qubits
Non-Clifford Gates: Computations performed on qubits that are hard for classical machines to simulate. Includes T gates
T Gate: An operation applying a 45-degree phase rotation to a single qubit. The implementation of the T gate depends on the hardware of the quantum computer; for superconducting quantum computers, microwave pulses are used to induce this effect
Magic State: Pre-fabricated, one-time-use qubits that have non-Clifford gates baked in. Since non-Clifford gates cannot be applied directly to error-corrected qubits, you apply them indirectly by consuming magic states — through entanglement + measurement + correction (a process called "gate teleportation")
Toffoli Gate: Acts on 3 qubits (2 control qubits, 1 target qubit) and flips the target qubit only when both control qubits are 1. It is built using about 7 T gates (optimized to 4) plus Clifford gates. The only way to apply a Toffoli gate on an error-corrected qubit is to consume a magic state
Shor's Algorithm: Invented in 1994 as a method for quantum computers to break RSA and ECC (by solving the periodicity problem)
Check Bits: Qubits used to detect whether the data qubits have errors (results generated by "check qubits")
Purification: The process of combining many noisy magic states, consuming 15 noisy states to output a much cleaner state
Cracking ECC with Shor's Algorithm:
In 2026, a paper introduced a new circuit design and "preprocessing" of Shor's algorithm, requiring less computation to break ECC (this would break Bitcoin, Ethereum, SSH, TLS, HTTPS)
The paper theorizes that cracking ECC on a superconducting quantum computer is possible, requiring about 1,200 logical qubits to be error-free linked to about 90 million Toffoli gates. At the current error correction level, this means roughly 500,000 physical qubits and several minutes of runtime
Computational Pipeline
General flow: Place physical qubits on chip → Bundle many physical qubits into each error-corrected logical qubit → Run algorithm gates on the logical qubits, consuming magic states for difficult (non-Clifford) gates → Measure and post-process on classical computers.
Starting with noisy physical qubits
Challenges: Physically placing enough qubits into a single machine (control lines, decoder chips, laser beams, wiring, etc.)
Progress: Improvements in algorithm design have reduced the demand from about 317 million qubits (2022) to about 9 million (Litinski 2023) down to 500,000 (2026). Caltech fixed 6,100 qubits using optical tweezers in 2025 (fixing them rather than computing). IBM's Condor chip can accommodate 1,121 qubits but is too noisy to run real algorithms. The largest chip that has run real algorithms is about 105 (Google Willow, March 2026)
Bundle them into reliable logical qubits through error correction
Challenges: The 2026 paper requires about 90 million Toffoli gates to be linked in sequence with each being successful, each operation's logical error rate must be below about 1/90,000,000. In reality, the target ("North Star") is a logical error rate of around 10⁻⁹ or lower
Progress: In 2024, Google demonstrated a single logical qubit (distance-7) constructed from 101 physical qubits with an error rate 2.14 times lower than that of 49 physical qubits (distance-5), which is itself 2.14 times lower than that of 17 physical qubits (distance-3). This paper demonstrates that as physical qubits increase, errors continue to decrease. The error rate of 101 qubits (distance-7) is 1.4×10⁻³ per cycle; that's about a million times too high
Maintain error correction to keep them alive
Challenges: Decoding becomes more difficult as the number of qubits increases. Superconducting quantum computers emit a round of check bit data every about 1 microsecond, and classical decoders must completely process each round in less than about 1 microsecond, continuously. Decoding must keep up with the number of qubits added to the computer
Progress: Riverlane's local clustering decoder ("Nature Communications," December 2025) is the first to achieve every round under 1 microsecond and with adaptive hardware (FPGA) decoding. Google's AlphaQubit 2 (March 2026) conducts real-time neural decoding to distance 11 at under 1 microsecond per cycle; simulations suggest a TPU can achieve distance 25. We are still far from the 500,000 qubit scale
Consume magic states to execute difficult gates
Challenges: Each difficult gate (Toffoli) consumes one magic state, while ECC requires about 90 million. Manufacturing and purifying magic states quickly enough is a major throughput bottleneck. A purification factory is a block of logical qubits + routing channels, idle during computation. At scale, the factory typically occupies about 2-10% or more of total physical qubits
Progress: Magic state cultivation (2024) has significantly reduced the cost of each magic state. QuEra demonstrated logical level purification using just 5 logical qubits in 2024
Measurement → Classical computer completes the mathematical calculations
Not a bottleneck. Measuring logical qubits and running classical post-processing (measurement results → cycles → private keys) is well understood and inexpensive.
Some research frontiers I have not discussed:
Fast clock vs slow clock architectures
Modular/multi-chip architectures
Threshold error-correcting codes
Surface codes and qLDPC codes: I have not discussed IBM's progress in qLDPC, as they have only demonstrated storing qubits (memory), not computing on them
Magic state costs
Magic state routing/compilation
Coherence times
Running storage and computation on qubits
Low-temperature controlled electronics
Leakage and Associated Errors
Risks to Bitcoin
There is a lot of panic talk about Bitcoin using ECC being cracked. What does cracking ECC actually mean for Bitcoin?
Shor's algorithm allows an attacker to recover your private key k if they have your public key Q. Once they do this, they become you. They can sign a transaction that transfers your coins to themselves, and that is a fully valid transaction.
However, a Bitcoin address is not your public key but a hash of your public key (the public key is first processed through SHA-256 then through RIPEMD-160). Hashing is a different mathematical operation that Shor's algorithm cannot break.
However, to authorize a transaction, you must disclose the public key Q, which will remain on the chain permanently. Thus, any address that has ever sent Bitcoin could potentially be compromised. Modern wallets transfer the entire balance to a new address each time they send Bitcoin, protecting users.
About 6.7 million BTC are already exposed and could potentially be stolen via quantum computing.
Justin Drake also wrote about the risks of private keys being stolen within the 10-minute Bitcoin block time. The papers he listed show this could be done in 9 minutes. This issue is not nearly as severe as the loss of the already exposed 6.7 million BTC.
The only real solution to this problem is to get everyone to switch to quantum-safe keys (the technology is already available) and to destroy untransferred Bitcoin after a certain time. Getting the Bitcoin community to agree to do this will be a daunting task.
Risks to Ethereum
Ethereum uses the same curve (secp256k1) and the same signature scheme (ECDSA) as Bitcoin, so the underlying cracking method is the same: given a public key, Shor's algorithm recovers the private key, making the private key holder the owner of the account.
Ethereum has persistent accounts, meaning addresses will be reused. This means if quantum computing becomes available today, every wallet that has ever sent a transaction could potentially be taken over.
Replacing ECDSA is straightforward. The problem lies in that post-quantum signatures are much larger than ECDSA, meaning nodes must store more memory. This is also why Ethereum is moving towards zk while changing signature schemes.
It also requires every user to actively migrate from old keys to new keys. Accounts that people do not transfer must be destroyed so that hackers cannot control them.
Technical Explanation
Public key cryptography allows two people to communicate securely over an untrusted network (like the public internet) without needing to share a secret in advance.
There are many different protocols (you can think of them as end-use tools suitable for specific use cases). For example, Diffie-Hellman key exchange, ECDSA signatures, RSA encryption. Their underlying hard problems are discrete logarithms, EC discrete logarithms, and integer factorization, respectively. The core mathematical bottleneck that classical computers find difficult is periodicity.
Quantum computers can do practical mathematical operations regarding periodicity.
What is ECC
ECC (used in TLS, Bitcoin, and HTTPS) is based on a one-way street. Starting from a public point G on the curve, "jump" k times to reach a new point Q. Forward jumps are quick. But if someone shows you the start point (G) and end point (Q), figuring out how many jumps were made is practically impossible.
The number of jumps k is your private key; the end point Q is your public key. Everyone can see your start and end points, but only you know the steps between them.
The mathematical explanation is:
Elliptic curves are simply sets of points on a finite field that satisfy the equation y² = x³ + ax + b
G is the base point (publicly available, fixed by standards). For the private key k, the public key is the point Q = kG
Calculating Q from k using doubling adds requires O(log k) group operations
Recovering k from (G, Q) is the ECDLP (Elliptic Curve Discrete Logarithm Problem), which classical methods tackle through trial and error, making it very slow
Shor's algorithm solves ECDLP in polynomial time by reducing it to finding periodicity in the group generated by G

This is an elliptic curve.

A chart demonstrating EC point multiplication on y² ≡ x³ + 7 (mod 17). The curve and the base point G are public, and the end point Q is also public. The secret is k = 6, the number of jumps from G to Q. Forward calculation (computing Q = kG) is quick; recovering k from G and Q has no known classical shortcut. This example uses mod 17, so you can count the jumps — real ECC uses about 2²⁵⁶ mod space
How Shor's Algorithm Breaks ECC
Cracking ECC reduces to a seemingly simple function: f(x, y) = xG + yQ, where G is the public generator, and Q is the public key you want to attack. Since Q = kG, this is effectively f(x, y) = (x + ky)G.
This leads to a consequence: Input stepping (k, -1) will never change the output since (x + k) + k(y - 1) = x + ky. Therefore, f repeats along parallel diagonals that pass through (x, y), and these diagonals' directions encode k (the private key).
Finding this direction requires two different (x, y) pairs producing the same output. Classical methods must search for such collisions through brute force.
Quantum computers allow you to:
Evaluate all (x, y) pairs' f in a superposition at once, so the whole stripe grid exists simultaneously in the machine
But you still cannot observe — measurement will collapse to a random point, telling you nothing
The Fourier transform cancels everything except the repeated directions, resulting in a frequency peak from which k can be derived through some classical mathematics

Each golden cell represents an input pair (x, y) that yields the same output point. They repeat at a fixed step — k to the right, 1 down — so the private key is encoded in the diagonal direction. (Toy example: k = 2, n = 13. At real scale, the grid has 2²⁵⁶ columns, and you can check only one cell at a time, which is why this pattern is not visible classically.)
Let’s take an example: consider the curve y² = x³ + 2x + 2 over integers mod 17. (This problem is simple because it is in mod 17. Generally, it would be in mod 2²⁵⁶.) It has exactly n = 19 points, with G = (5, 1) generating all points. Suppose my public key is Q = (0, 6). Your task: find k such that Q = kG. (The answer is k = 7 since G, 2G, 3G, ... lead sequentially through (5,1), (6,3), (10,6), (3,1), (9,16), (16,13), reaching (0,6) at the 7th step.)
Setup. Two counting registers, one for x, one for y, each holding values from 0 to 18. A working register stores curve points. The key difference from factoring: for RSA, the period r is unknown, so registers must be too large (2n qubits), and peaks are approximate. Here n = 19 is public, so we can perform QFT exactly in mod-19 arithmetic, with peaks sharp each time.
Phase 1 — Initialization. Reset everything. Set the working register to the identity point O (the "zero" of the curve).
Phase 2 — Superposition. Apply Hadamard-type superposition to the two counting registers. They now simultaneously hold all 19 × 19 = 361 pairs (x, y).
Phase 3 — Point addition (entanglement step). Classically compute the constants 2ʲG and 2ʲQ for each bit position j in advance. Then add the respective constants to the working register based on the control of each count quantum bit. After the complete sequence, the working register holds xG + yQ, entangled with each (x, y) pair.
The complete state is a large entangled sum: summing over all 361 pairs Σ |x⟩|y⟩|xG + yQ⟩. Since Q = 7G, the working register actually holds (x + 7y mod 19)G — only 19 different values. Group the pairs by working register value:
All (x, y) such that x + 7y ≡ 0 (mod 19) ⊗ |O⟩
All (x, y) such that x + 7y ≡ 1 (mod 19) ⊗ |(5, 1)⟩
All (x, y) such that x + 7y ≡ 2 (mod 19) ⊗ |(6, 3)⟩
... 19 groups, each with 19 pairs
The secret k = 7 is now encoded in the slopes of each group: each group is through the diagonal of the (x, y) grid. But you cannot read it out directly because measurement will collapse to yield a random pair, which doesn’t tell you anything about the slope.
Phase 4 — Inverse QFT + Measurement. Apply the inverse QFT to both counting registers. The amplitudes concentrate on exactly 19 pairs (u, v) that satisfy v ≡ k·u (mod 19). The Fourier transform converts the slope of the line to the slope in frequency space. Measuring randomly produces one pair from these 19.

The left grid shows the state after Phase 3. All 361 pairs (x, y) exist in a superposition, with each different working register value collecting their diagonal family. Green and orange are two groups. The right grid reflects the state after the inverse QFT. All amplitudes collapse to a single line v ≡ k·u (mod 19).
Chip outside post-processing:
Measure (u, v) = (3, 2): k = 2 · 3⁻¹ mod 19 = 2 · 13 = 26 ≡ 7 ✓ (Check: 7G = (0, 6) = Q ✓)
Measure (u, v) = (5, 16): k = 16 · 5⁻¹ mod 19 = 16 · 4 = 64 ≡ 7 ✓
Measure (u, v) = (0, 0): no information, re-running any results with u ≠ 0 is valid (18/19 runs).
We care about finding k because k is the private key. You can now send messages, and there is no distinction between you and the person whose key has been cracked.
Types of Quantum Computers
In simple terms, qubits can be manufactured in any output probabilistically existing between 1 and 0 system.
The types of qubits are:
Superconducting Circuits (Google, IBM, Rigetti, IQM) are based on LC circuits. Essentially, this is a circuit behaving very similarly to an atom ("artificial atom"). Just as electrons exist in quantized energy levels, we can manufacture quantized energy levels for circuit oscillations.
Trapped Ions (IonQ, Quantinuum). Take a single atom missing an electron, then create a superposition using lasers, shine another laser beam and take a snapshot to capture its state (either emitting light or not, two states).
Neutral Atoms (QuEra, Pasqal, Atom Computing) share the same concept as ions (two internal states of a single atom, read out by imaging), but the atoms are neutral, held by optical tweezers.
Photons (PsiQuantum, Xanadu). A single photon has properties of horizontal or vertical polarization (or follows one of two paths).
Silicon Spin Qubits (Intel, Diraq, Quantum Motion) exploit the spin of electrons; they exist between spin up or spin down.
Exercise for the Reader
As an interesting exercise, this is a homework question from my cryptography class a few years ago along with my solution.

免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。