Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi, Justin Drake

Mar 30, 2026 · arXiv:2603.28846v1
quant-ph · cs.CR
#224 of 3346 · Quantum Physics
Tournament Score: 1522±24
Win Rate: 67%
Wins: 43
Losses: 21
Matches: 64
Rating: 8/10
Significance: 9
Rigor: 6.5
Novelty: 7.5
Clarity: 7

Abstract

This whitepaper seeks to elucidate implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem, the core of modern blockchain cryptography. We demonstrate that Shor's algorithm for this problem can execute with either <1200 logical qubits and <90 million Toffoli gates or <1450 logical qubits and <70 million Toffoli gates. In the interest of responsible disclosure, we use a zero-knowledge proof to validate these results without disclosing attack vectors. On superconducting architectures with 1e-3 physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between fast-clock (such as superconducting and photonic) and slow-clock (such as neutral atom and ion trap) architectures. Our analysis reveals that the first fast-clock CRQCs would enable on-spend attacks on public mempool transactions of some cryptocurrencies. We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling, as well as the enduring concern of abandoned assets. We argue that technical solutions would benefit from accompanying public policy and discuss various frameworks of digital salvage to regulate the recovery or destruction of dormant assets while preventing adversarial seizure. We also discuss implications for other digital assets and tokenization as well as challenges and successful examples of the ongoing transition to Post-Quantum Cryptography (PQC). Finally, we urge all vulnerable cryptocurrency communities to join the ongoing migration to PQC without delay.

AI Impact Assessments

(3 models)

Scientific Impact Assessment

Core Contribution

This paper delivers three interrelated contributions: (1) new quantum resource estimates showing that 256-bit ECDLP (secp256k1) can be solved with ≤1200 logical qubits and ≤90M Toffoli gates (or ≤1450 qubits and ≤70M Toffoli gates), representing roughly an order-of-magnitude spacetime volume improvement over prior best results; (2) a novel responsible disclosure framework using zero-knowledge proofs to validate circuit claims without revealing attack details; and (3) a comprehensive vulnerability taxonomy across major blockchains with policy recommendations for dormant assets.

The resource estimates are the headline result. On superconducting architectures with 10⁻³ error rates and planar connectivity, the authors estimate execution with fewer than 500,000 physical qubits — a ~20× reduction over Litinski (2023). Critically, they show that a "primed" superconducting CRQC could derive a private key in approximately 9 minutes, placing this within Bitcoin's average 10-minute block time and enabling "on-spend" attacks for the first time in credible resource estimates.

Methodological Rigor

The cryptographic resource estimation methodology builds on well-established techniques (windowed arithmetic, measurement-based uncomputation, surface code compilation with yoked qubits). The authors provide explicit formulas relating point addition costs to full ECDLP costs (Equations A1-A2), making the bridge from verified subroutine to full algorithm transparent.

The zero-knowledge proof approach is genuinely innovative for this domain. Using SP1 zkVM to verify circuit correctness on 9,024 Fiat-Shamir-derived test inputs provides 128-bit cryptographic assurance of ≥99% correctness — sufficient given Shor's algorithm's tolerance for small error rates. The choice to commit via SHA-256 hashes and use SHAKE256-seeded CSPRNG for test generation is sound.
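The arithmetic behind the "9,024 inputs, 128-bit assurance of ≥99% correctness" figure, together with a commit-then-derive test harness, is sketched below as an added example; it is not code from the paper or from this page. It uses a plain-Python secp256k1 point addition as a stand-in for the withheld circuit and does not involve SP1; the seed layout, the artifact bytes and the `faulty_add` candidate are constructed assumptions.

```python
import hashlib
from math import ceil, log2

P = 2**256 - 2**32 - 977   # secp256k1 field prime; curve is y^2 = x^3 + 7

def soundness_bits(n_tests, min_correct=0.99):
    # A subroutine correct on < min_correct of inputs passes n uniform tests
    # with probability < min_correct**n; return -log2 of that bound.
    return -n_tests * log2(min_correct)

def min_tests(bits, min_correct=0.99):
    return ceil(bits / -log2(min_correct))

def derive_point(commitment, index):
    # Fiat-Shamir style: the input depends only on the commitment, so it cannot
    # be chosen after the fact. The seed layout here is an assumption.
    ctr = 0
    while True:
        seed = commitment + index.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        x = int.from_bytes(hashlib.shake_256(seed).digest(40), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)      # square root, valid since P % 4 == 3
        if y * y % P == rhs:               # x is on the curve; otherwise retry
            return (x, y)
        ctr += 1

def add_reference(a, b):
    # Affine addition of two distinct points; random inputs share an x
    # coordinate only with negligible probability.
    (x1, y1), (x2, y2) = a, b
    lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def faulty_add(a, b):
    # Constructed buggy candidate: wrong whenever x1 is a multiple of 16.
    x3, y3 = add_reference(a, b)
    return (x3, (y3 + 1) % P) if a[0] % 16 == 0 else (x3, y3)

def verify(candidate, artifact, n_tests=9024):
    # Commit to the artifact, derive inputs from the commitment, count passes.
    c = hashlib.sha256(artifact).digest()
    passed = 0
    for i in range(n_tests):
        a, b = derive_point(c, 2 * i), derive_point(c, 2 * i + 1)
        passed += candidate(a, b) == add_reference(a, b)
    return c.hex(), passed

if __name__ == "__main__":
    print(round(soundness_bits(9024), 1), min_tests(128))
    print(verify(faulty_add, b"constructed artifact bytes", n_tests=300))
```

The bound covers only candidates that are wrong on more than 1% of inputs; a fault affecting a smaller fraction can pass all tests, which is why the claim is stated as ≥99% correctness rather than full correctness.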

However, there are notable methodological limitations. The full circuits are withheld, meaning the community cannot independently verify the compilation or identify potential optimizations. The ZK proof verifies a *point addition subroutine*, not the complete ECDLP circuit — the gap is bridged by well-known constructions, but this is still an indirect verification. Physical resource estimates rely on standard but somewhat optimistic assumptions (reaction-limited execution at 10μs, surface code with yokes). The paper acknowledges but does not rigorously bound uncertainties in wall-clock time estimates.

The vulnerability analysis across blockchains, while extensive, is necessarily qualitative in many places. Figures quantifying exposed BTC and ETH are generated from BigQuery public datasets, which is reproducible, but claims about second-order effects (cascading liquidations, peg collapses) are speculative.

Potential Impact

The impact is potentially enormous across multiple domains:

Quantum computing: This paper redefines the "finish line" for cryptographic relevance, demonstrating that a half-million-qubit superconducting device — rather than multi-million-qubit machines — could pose existential threats to cryptocurrency security. This recalibration directly affects hardware roadmaps and investment decisions.

Cryptocurrency security: The distinction between "fast-clock" (superconducting/photonic) and "slow-clock" (neutral atom/ion trap) architectures and its mapping to on-spend vs. at-rest attack capabilities is a genuinely useful framework for risk assessment. The comprehensive vulnerability taxonomy (Account, Admin, Code, Consensus, Data Availability vulnerabilities for Ethereum) provides actionable intelligence for protocol developers.

Policy: The discussion of dormant assets, digital salvage frameworks, and the "bad sidechain" proposal introduces novel policy constructs. The analogy to maritime salvage law and the analysis of why regulated destruction is infeasible are original contributions to digital asset policy discourse.

Responsible disclosure practices: The ZK proof approach to vulnerability disclosure in quantum cryptanalysis sets a precedent that could influence how the community handles future capability advances.

Timeliness & Relevance

This paper is exceptionally timely. With cryptocurrency market capitalization exceeding $2 trillion, quantum computing hardware scaling rapidly (Google's recent demonstrations, IBM's roadmaps), and NIST having just standardized PQC schemes, the intersection of these fields demands rigorous analysis. The paper fills a gap where prior work focused almost exclusively on Bitcoin with outdated resource estimates. The inclusion of Ethereum's expanded attack surface (smart contracts, PoS, DAS), stablecoins, and RWA tokenization reflects the 2024-2026 financial landscape.

Strengths

1. Authoritative team: Authors from Google Quantum AI, Ethereum Foundation, and Stanford bring deep expertise across quantum computing, cryptography, and blockchain architecture.

2. Scale of analysis: The paper covers Bitcoin, Ethereum, Zcash, Litecoin, Monero, Algorand, Solana, XRP Ledger, and others — unprecedented breadth.

3. Quantitative vulnerability mapping: Figures 5, 7, 8, 9, 13, and 14 provide concrete, data-driven risk quantification.

4. Novel conceptual frameworks: Fast-clock vs. slow-clock taxonomy, on-setup attacks creating "tradable exploits," the "bad sidechain" proposal.

5. Practical urgency calibrated to technical reality: The paper avoids both alarmism and complacency.

Limitations

1. Unverifiable core claims: Without released circuits, the community must trust the ZK proof infrastructure and the gap between verified subroutine and full algorithm.

2. Whitepaper format: At 57 pages mixing technical results with policy discussion, the paper's structure dilutes the core algorithmic contribution. The resource estimates deserve a focused technical publication.

3. Physical resource estimates are architecture-dependent: The <500K physical qubit claim assumes specific (though reasonable) hardware parameters; sensitivity analysis is limited.

4. Policy discussion is speculative: The digital salvage and national security sections, while thought-provoking, lack engagement with existing legal scholarship.

5. Potential conflicts: Authors from Google (which builds quantum computers) writing about threats quantum computers pose to cryptocurrency could be perceived as commercially motivated, though the financial disclosure is commendable.

Overall Assessment

This is a high-impact paper that will likely catalyze urgency around PQC migration in cryptocurrency communities. The resource estimates represent genuine advances, and the comprehensive vulnerability analysis is the most thorough to date. The responsible disclosure framework using ZK proofs is innovative. However, the inability to independently verify the core circuits and the paper's sprawling scope somewhat limit its scientific rigor as traditionally defined.

Rating: 8/10
Significance 9 · Rigor 6.5 · Novelty 7.5 · Clarity 7

Generated Apr 1, 2026

Comparison History (64)

Lost vs. Taming Trotter Errors with Quantum Resources

Paper 1 establishes fundamental theoretical connections between quantum resources (entanglement and magic) and algorithmic error robustness, advancing the core understanding of quantum simulation. Paper 2, while practically significant for cybersecurity and policy, functions more as an applied whitepaper focusing on resource estimation and mitigation rather than foundational scientific discovery.

gemini-3-pro-preview·Apr 16, 2026

Won vs. Simple slow operators and quantum thermalization

Paper 2 likely has higher near-term scientific and societal impact: it provides concrete, quantitative resource estimates for breaking widely deployed ECC, ties them to realistic hardware assumptions, and proposes mitigations across technical and policy domains—directly influencing blockchain security, standards, and PQC migration. Its breadth spans quantum computing, cryptography, distributed systems, and public policy, and it is highly timely given accelerating quantum roadmaps. Paper 1 is conceptually novel and rigorous for many-body thermalization, but its applications and cross-field immediacy are narrower and more long-horizon.

gpt-5.2·Apr 16, 2026

Lost vs. A complexity phase transition at the EPR Hamiltonian

Paper 1 makes a fundamental contribution to quantum complexity theory by establishing a complete complexity classification of 2-local Hamiltonian problems with symmetric interactions, identifying phase transitions between QMA-complete, StoqMA-complete, and a new class EPR*. It introduces novel proof techniques including RG-like flows on interaction terms and Jordan-Wigner-based gadgets. This advances core theoretical computer science and quantum information. Paper 2 provides useful but incremental resource estimates for quantum attacks on elliptic curve cryptography and surveys blockchain vulnerabilities—important practically but less scientifically novel, combining known techniques (Shor's algorithm, surface codes) with policy discussion.

claude-opus-4-6·Apr 15, 2026

Lost vs. Restoring polarization entanglement from solid-state photon sources by time-dependent photonic control

Paper 1 presents an experimentally demonstrated, photonic-domain compensation protocol that restores entanglement from solid-state emitters without post-selection or detector-limited timing—an innovative and broadly useful technique for scalable quantum networking and integrated photonics. Its methodological rigor (time-resolved tomography, concrete device-level implementation) and clear path to improving real entangled-photon sources suggest strong impact across quantum communication, photonics, and quantum information processing. Paper 2 is timely and practically important, but reads more like a policy/engineering-oriented whitepaper; impact depends on adoption and verification of resource estimates rather than a new general scientific method.

gpt-5.2·Apr 15, 2026

Won vs. Demonstrating Record Fidelity for the Quantum Fourier Transform

Paper 1 provides comprehensive new resource estimates for quantum attacks on elliptic curve cryptography, directly impacting blockchain security worth trillions of dollars. It combines novel technical contributions (improved Shor's algorithm resource estimates, architecture-specific threat analysis) with practical policy recommendations. Its breadth spans cryptography, quantum computing, blockchain, and public policy. Paper 2 demonstrates important QFT hardware improvements, but is more incremental—a benchmark result on specific hardware. Paper 1's urgency regarding cryptocurrency migration to post-quantum cryptography gives it broader and more immediate real-world impact.

claude-opus-4-6·Apr 15, 2026

Won vs. Quantum chaos in many-body systems of indistinguishable particles

Paper 1 addresses a highly urgent and practically significant problem: the vulnerability of widely used blockchain and cryptocurrency systems to emerging quantum computing capabilities. Its blend of concrete resource estimates for quantum attacks, analysis of systemic risks, and actionable policy and cryptographic mitigation strategies offers immediate, high-stakes real-world applications. While Paper 2 presents valuable theoretical advancements in quantum many-body physics, Paper 1 has a broader interdisciplinary impact spanning cybersecurity, economics, computer science, and public policy, making its overall scientific and societal impact more profound and timely.

gemini-3-pro-preview·Apr 15, 2026

Lost vs. First-principles study of dispersive readout in circuit QED

Paper 1 is a rigorous, first-principles quantum open-systems study that addresses a well-known discrepancy between Lindblad models and experimental circuit-QED readout behavior, offering mechanistic insight (bath-spectrum dependence, filter effects) and likely influencing modeling, device design, and measurement protocols across superconducting-qubit platforms. Paper 2 is timely and application-relevant, but reads more like a security/resource-estimate whitepaper; its claims are harder to assess without methodological detail, and its impact is more contingent on assumptions and adoption. Overall, Paper 1 has stronger methodological novelty and durable cross-relevance within quantum engineering.

gpt-5.2·Apr 14, 2026

Won vs. Finite-temperature quantum Krylov method from real-time overlaps

Paper 2 addresses the urgent, high-profile problem of quantum computing threats to blockchain cryptography with concrete new resource estimates for breaking ECDLP, practical attack timelines, and policy recommendations. Its breadth spans quantum computing, cryptography, blockchain security, and public policy, giving it wider interdisciplinary impact. The timeliness is exceptional given rapid quantum hardware advances and the trillion-dollar cryptocurrency ecosystem at stake. Paper 1, while technically sound, represents an incremental advance in quantum algorithms for finite-temperature simulation with limited near-term applicability.

claude-opus-4-6·Apr 14, 2026

Lost vs. High-Fidelity Transmon Reset with a Multimode Acoustic Resonator

Paper 2 presents a fundamental, experimental breakthrough in quantum hardware, achieving a 1-2 order of magnitude improvement in qubit reset fidelity using a novel phononic bath. This methodological innovation directly accelerates the physical realization of scalable quantum computers. While Paper 1 offers valuable threat modeling and policy analysis for blockchain security, Paper 2 provides foundational scientific advancement that enables broader downstream applications across all fields reliant on quantum computing.

gemini-3-pro-preview·Apr 13, 2026

Won vs. Geometry-Induced Long-Range Correlations in Recurrent Neural Network Quantum States

Paper 2 has broader scientific and real-world impact. While Paper 1 presents a solid methodological advancement in computational quantum physics, Paper 2 addresses a critical, timely vulnerability with massive financial implications: quantum attacks on blockchain cryptography. By providing updated, optimized resource estimates for breaking the ECDLP and bridging quantum computing, cryptography, blockchain systems, and public policy, Paper 2 boasts significantly wider multidisciplinary relevance, immediate applicability, and societal importance regarding the global transition to Post-Quantum Cryptography.

gemini-3-pro-preview·Apr 13, 2026