In fewer than twelve months, three research papers sharply reduced the quantum resources required to break the cryptographic systems that protect the global digital economy. What once required 20 million qubits now requires fewer than one million, potentially fewer than 100,000, and the time to break cryptocurrency encryption collapsed from days to minutes.
Every digital signature, every encrypted message, every cryptocurrency wallet relies on mathematical problems that classical computers cannot solve in any reasonable timeframe. Quantum computers can.
Two problems underpin nearly all public-key cryptography in use today: the difficulty of factoring large integers (RSA) and the difficulty of computing discrete logarithms on elliptic curves (ECC). Shor's algorithm, published in 1994, showed that a sufficiently powerful quantum computer could solve both in polynomial time.
RSA relies on the assumption that given a large number N = p * q, finding the prime factors p and q is computationally infeasible. The best classical algorithms run in sub-exponential time. Shor's algorithm factors integers in polynomial time on a quantum computer, making RSA breakable once quantum hardware reaches sufficient scale.
Elliptic Curve Cryptography (ECC) relies on the Elliptic Curve Discrete Logarithm Problem: given points P and Q = kP on a curve, finding the scalar k is infeasible classically. ECC is used by Bitcoin (secp256k1), Ethereum, and virtually every major blockchain for transaction signing.
The critical distinction is between key size and security level. ECC achieves equivalent security to RSA with far smaller keys: a 256-bit elliptic curve key provides roughly the same classical security as a 3072-bit RSA key. But this efficiency becomes a liability in the quantum threat model. ECC requires roughly 100x fewer Toffoli gates to break than RSA-2048 (70-90 million versus 6.5 billion), which is why the runtime for breaking cryptocurrency encryption collapses from a week to minutes.
The physical-to-logical qubit ratio is dominated by error correction overhead. Surface codes at distance d = 25 require approximately 2(d+1)^2 = 1,352 physical qubits per active logical qubit, while yoked surface codes achieve approximately 430 physical qubits per idle logical qubit through tripled storage density.
The question is no longer whether quantum computers will break current encryption. It is when.
Each paper delivered roughly a 10-20x reduction in estimated quantum resources. Together, they represent the most significant shift in quantum threat assessment since Shor published his factoring algorithm in 1994.
Craig Gidney showed that a quantum computer with fewer than one million noisy physical qubits could factor a 2048-bit RSA integer in less than a week. His previous estimate from 2019 required 20 million qubits. The improvement is purely algorithmic: approximate residue arithmetic, yoked surface codes for denser storage, and magic state cultivation for more efficient fault-tolerant gates.
The algorithm decomposes modular exponentiation across approximately 25,000 small primes of 22 bits each, using truncated residue arithmetic. This avoids storing full n-bit registers. The Toffoli count dropped from over 600 billion (2019) to 6.5 billion. Expected runtime: 9.2 shots of 12.07 hours each, totaling under 5 days.
Key innovations: (1) Discrete logarithm replacement converts modular multiplications to additions by precomputing discrete logs modulo each small prime. (2) Windowing processes exponent bits in chunks of w = 6. (3) Uncomputation merging handles transitions between residues by adding precomputed differences. Physical layout: a 7x18 grid of hot patches (170,352 qubits), six magic state factories, and three columns of lattice surgery workspace.
Assumptions: square grid topology, nearest-neighbor connectivity, uniform depolarizing noise at 0.1%, surface code cycle time 1 microsecond, reaction time 10 microseconds, logical error target 10^-15 per round. Hot storage: distance-25 surface codes at 1,352 physical qubits per logical qubit. Cold storage: yoked surface codes at ~430 physical qubits per logical qubit. Peak logical qubits: 1,409. Failure probability from approximation: 1.25%. Gidney explicitly notes no obvious path to another order-of-magnitude reduction under these assumptions.
Iceberg Quantum unveiled the Pinnacle architecture using quantum low-density parity-check (QLDPC) codes instead of surface codes. Result: RSA-2048 factoring achievable with fewer than 100,000 physical qubits. They're already working with PsiQuantum, Diraq, IonQ, and Oxford Ionics, several of which project systems at this scale within three to five years.
Pinnacle uses generalised bicycle (GB) codes with parameters like [254,14,16] (860 physical qubits per processing block). Processing units employ β code blocks encoding κ logical qubits. The architecture is modular: units can split and join during computation via "Clifford frame cleaning" that costs at most 4|K'| logical Pauli product measurements.
QLDPC codes achieve higher encoding rates than surface codes but require connectivity beyond nearest-neighbor grids. Error rate fitting: p_L = A(p/B)^(d/2+C) with A=6.2, B~0.0158, C~0.47. The architecture achieves logical error rates of 3x10^-11 per qubit per cycle at d=16. These figures are validated through numerical simulation, not hardware, and the decoder reaction time assumptions for QLDPC codes are harder to meet than for surface codes.
Google Quantum AI, with Justin Drake (Ethereum Foundation) and Dan Boneh (Stanford), showed that ECC protecting Bitcoin, Ethereum, and virtually every major cryptocurrency could be broken with fewer than 500,000 physical qubits in minutes. The previous best estimate required roughly 9 million physical qubits.
Shor's algorithm can be "primed": the first half of the computation depends only on fixed curve parameters and can be precomputed. Once a public key is revealed (when you send a Bitcoin transaction), the remaining computation takes approximately 9 minutes. Bitcoin's average block time is 10 minutes. Under idealized conditions, Google estimates a roughly 41% probability that a primed quantum computer could derive a private key before a transaction is confirmed.
Two optimized circuits for 256-bit ECDLP: (1) 1,200 logical qubits + 90M Toffoli gates, (2) 1,450 logical qubits + 70M Toffoli gates. On superconducting architecture with 10 microsecond reaction time and 50% overhead per Toffoli, 70M gates resolves in 18 minutes, 90M in 23 minutes. Primed attack from key revelation: ~9 minutes.
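The timing figures above follow directly from the stated assumptions. The following added example (not code from the Google paper) reproduces them and, under my own assumption that Bitcoin blocks arrive as a Poisson process with a 10-minute mean, recovers the roughly 41% figure for a 9-minute primed attack; the fixed-slot chains from the whitepaper (Ethereum 12 s, Solana 400 ms) are compared deterministically.

```python
import math

# Added example, not the paper's code. Reproduces the page's runtime
# figures from its stated assumptions: 10 us reaction time per Toffoli
# and 50% overhead per Toffoli on a superconducting architecture.
REACTION_TIME_S = 10e-6
TOFFOLI_OVERHEAD = 0.5

def runtime_minutes(toffoli_count, reaction_time_s=REACTION_TIME_S,
                    overhead=TOFFOLI_OVERHEAD):
    """Wall-clock minutes for a circuit with the given Toffoli count."""
    return toffoli_count * reaction_time_s * (1.0 + overhead) / 60.0

def p_key_before_confirmation(attack_minutes, mean_block_minutes=10.0):
    """Probability that no block is mined before the attack finishes.

    Assumption (mine, not the page's): block arrival is a Poisson process
    with the given mean interval, so the waiting time is exponential and
    P(no block within t) = exp(-t / mean). A 9-minute attack against a
    10-minute mean therefore succeeds only ~41% of the time, not always.
    """
    return math.exp(-attack_minutes / mean_block_minutes)

def on_spend_feasible(attack_minutes, confirmation_seconds):
    """Deterministic check for chains with fixed slot/confirmation times."""
    return attack_minutes * 60.0 < confirmation_seconds

# Confirmation windows quoted in the whitepaper summary.
CONFIRMATION_S = {"bitcoin": 600.0, "ethereum": 12.0, "solana": 0.4}

def summary():
    """Collect the page's headline numbers in one place."""
    return {
        "full_70M_min": runtime_minutes(70_000_000),        # 17.5 -> "18 minutes"
        "full_90M_min": runtime_minutes(90_000_000),        # 22.5 -> "23 minutes"
        "p_primed_9min_btc": p_key_before_confirmation(9.0),  # ~0.41
        "on_spend_feasible": {name: on_spend_feasible(9.0, secs)
                              for name, secs in CONFIRMATION_S.items()},
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The deterministic check says Bitcoin is "feasible" because 9 < 10, which is exactly why the exponential model matters: block intervals are random, so a faster-than-average attack still loses more often than it wins.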
Three attack categories: (1) On-spend: intercept a transaction and derive the private key before confirmation; this requires a fast-clock architecture. (2) At-rest: target long-exposed public keys on dormant wallets. (3) On-setup: recover trusted-setup "toxic waste" to create reusable classical backdoors; Bitcoin is immune to this category, but Ethereum's DAS and Tornado Cash are vulnerable.
Google chose not to publish the actual circuits. Instead: a zero-knowledge proof built using SP1 zkVM and Groth16 SNARK. A Rust program checks the secret circuit against 9,000 random elliptic curve point additions, committed via SHA-256 hash, with test inputs generated by SHAKE256 XOF (Fiat-Shamir heuristic). The irony: the ZK proof itself relies on pairing-friendly elliptic curves (BLS12-381) that would ultimately fall to the same class of quantum attack.
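The point of the Fiat-Shamir step is that the prover cannot choose the 9,000 test inputs: they are squeezed from an XOF seeded with the commitment to the circuit, so any change to the circuit changes every input. The following added example (mine, not Google's verifier) shows that derivation with Python's hashlib; it assumes the circuit is committed to by SHA-256 over its serialised description and uses a constructed 128-bit stand-in for the curve order so it runs without an elliptic-curve library.

```python
import hashlib

N_TEST_INPUTS = 9_000               # the paper checks 9,000 point additions
TOY_GROUP_ORDER = (1 << 128) - 159  # constructed stand-in for a curve order

def commit_circuit(circuit_bytes: bytes) -> bytes:
    """Binding commitment to the secret circuit description (SHA-256)."""
    return hashlib.sha256(circuit_bytes).digest()

def derive_scalars(commitment: bytes, count: int = N_TEST_INPUTS,
                   order: int = TOY_GROUP_ORDER) -> list:
    """Derive `count` scalars in [0, order) from SHAKE256(commitment).

    Rejection sampling keeps the scalars uniform; a plain `int % order`
    would bias low values whenever the byte width exceeds the order.
    """
    width = (order.bit_length() + 7) // 8
    budget = count * width * 2          # slack for rejected candidates
    while True:
        stream = hashlib.shake_256(commitment).digest(budget)
        scalars, pos = [], 0
        while len(scalars) < count and pos + width <= len(stream):
            candidate = int.from_bytes(stream[pos:pos + width], "big")
            pos += width
            if candidate < order:
                scalars.append(candidate)
        if len(scalars) == count:
            return scalars
        budget *= 2                     # squeeze more if rejection ate the slack

def challenges_match(commitment: bytes, claimed_scalars: list) -> bool:
    """Verifier side: the circuit stays secret, only the commitment is public.

    Re-deriving the challenges from the commitment catches a prover who
    substituted hand-picked inputs for the ones the XOF dictates.
    """
    return derive_scalars(commitment, len(claimed_scalars)) == claimed_scalars

if __name__ == "__main__":
    c = commit_circuit(b"constructed placeholder for a serialised circuit")
    inputs = derive_scalars(c)
    print(len(inputs), hex(inputs[0]), challenges_match(c, inputs))
```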
Slow-clock architectures (neutral atoms, ion traps) with ~100 microsecond rounds need 2.5 million physical qubits for T-state production alone, making on-spend attacks unlikely on those platforms. Multiple primed machines provide linear speedup: 11 machines reduce to ~32 point additions each, a 6.5x improvement.
The trajectory is unmistakable.
Each step represents roughly a 10-20x reduction, driven not by hardware improvements but by better algorithms, better error correction, and better compilation.
Each reduction came from purely algorithmic and architectural innovation, not from building better hardware. The machines assumed in these papers don't exist yet. But the bar for the hardware keeps dropping. Roadmaps from IBM, IonQ, Google, and others target systems of hundreds of thousands of qubits by the late 2020s and early 2030s.
The chain of innovation: Regev (NYU, Aug 2023) published the first fundamental improvement to Shor's algorithm in 30 years. Ragavan and Vaikuntanathan (MIT, CRYPTO 2024) resolved both of Regev's bottlenecks. Chevignard, Fouque, and Schrottenloher (Rennes/Inria/CNRS) demonstrated approximate modular arithmetic with ~1,730 logical qubits. Gidney synthesized these with magic state cultivation (2024) and yoked surface codes (2025). Google's Willow chip demonstrated error correction below the surface code threshold in December 2024.
Each qubit count reduction shifts difficulty to harder engineering problems. Sustaining fault-tolerant computation across hundreds of thousands of qubits for minutes or days, with real-time decoding of terabytes of measurement data, remains unsolved at scale. Gidney notes no path to another 10x under his current model. Iceberg changed assumptions by moving to QLDPC codes, but introduces unsolved problems around connectivity, decoding latency, and fabrication.
Cryptocurrencies stand out among quantum-vulnerable systems for two reasons: they depend on smaller keys (256-bit ECC vs 2048+ bit RSA), and they offer no recourse against fraudulent transactions.
Google's paper provides the first clear indication that superconducting quantum computers could launch "on-spend" attacks: intercepting a transaction, deriving the private key, and submitting a fraudulent replacement before the original is confirmed. Bitcoin's 10-minute block time. 9-minute primed attack. The math is uncomfortably close.
On-spend attacks target transactions in transit. When you broadcast a Bitcoin transaction, your public key is revealed. An attacker has until confirmation (10 min Bitcoin, 12 sec Ethereum, 400ms Solana) to derive your private key and steal your funds.
At-rest attacks target wallets with exposed public keys. Over 1.7 million BTC sits in Pay-to-Public-Key scripts with permanently exposed keys. The attacker has unlimited time.
On-setup attacks target cryptographic ceremonies whose secrets produce reusable classical backdoors. Ethereum's Data Availability Sampling and Tornado Cash are vulnerable.
The critical architectural distinction: fast-clock (superconducting, photonic, silicon spin) vs slow-clock (neutral atom, ion trap) quantum computers. Fast-clock devices have ~1 microsecond error correction cycles and can launch on-spend attacks. Slow-clock devices are 2-3 orders of magnitude slower and can likely only mount at-rest attacks. The identity of the first CRQC builder determines which mitigations are urgent.
Ethereum's vulnerabilities extend beyond signing: compromising enough BLS12-381 validator keys enables deep chain reorganizations. Smart contract admin keys provide permanent backdoor access. Quantum attacks on KZG commitments could forge data availability proofs.
The Google whitepaper introduces "digital salvage" as a policy framework. Over 2.3 million BTC may be quantum-vulnerable and unrecoverable by owners. Governments may classify quantum recovery as regulated activity analogous to recovering sunken treasure. The alternative: rogue actors or hostile states seize the assets first. Google engaged with the U.S. government prior to publication and recommends the Bitcoin community "burn" all salvageable coins preemptively.
The window for orderly migration is open. It will not stay open indefinitely.
These technical breakthroughs are landing on an increasingly active policy landscape. Governments are not waiting.
Trump's June 2025 executive order explicitly references Biden's NSM-10 as the foundation for PQC transition: rare bipartisan continuity. The EU Cyber Resilience Act is evolving toward "Quantum-Safe-by-Design." This is not partisan, not regional.
The migration has already begun.
"Harvest now, decrypt later" is no longer hypothetical. State actors are already collecting encrypted data expecting to decrypt it when quantum computers arrive. Any data that must remain confidential into the 2030s is at risk today.
Conduct a cryptographic inventory. Identify RSA, ECC, Diffie-Hellman. Prioritize data with long confidentiality horizons. Pilot NIST PQC algorithms. Build crypto-agility into new designs.
Stop reusing wallet addresses. Avoid exposing public keys. Support BIP-360 (Pay-to-Merkle-Root). Advocate for private mempools. Push for post-quantum transaction signing.
Some blockchains have already begun. QRL, Mochimo, and Abelian rely exclusively on PQC. Algorand, XRP Ledger, and Solana have early experimental PQC deployments. The technology exists. The question is whether migration happens on a timeline set by defenders or attackers.
PQC is not a free upgrade. ML-DSA signatures are 2,420-4,627 bytes versus 64 bytes for ECDSA. This impacts blockchain throughput, storage, and bandwidth. In Bitcoin, proposals increasing node bandwidth have historically caused hard forks. The migration will be technically clear but socially difficult.