Google paper sharply lowers hardware estimate for quantum attacks on elliptic-curve crypto

Google’s quantum computing team has sharply lowered the bar for breaking one of the internet’s most widely used forms of encryption — and the warning shot is already echoing through cybersecurity circles and crypto markets.

In a new white paper posted March 30 to the online preprint server arXiv, Google Quantum AI researchers estimate that a future quantum computer could crack 256-bit elliptic-curve cryptography — the digital signature system that secures many blockchains and much of the web — using fewer than half a million physical qubits and finishing the job in minutes.

That is “nearly a 20 fold reduction over prior estimates” of the quantum hardware needed for such an attack, the paper states.

Elliptic-curve schemes, including secp256k1, Ed25519 and P-256, underpin the signatures that prove you own a cryptocurrency wallet and authenticate many secure internet connections. They are considered safe against today’s classical supercomputers, but vulnerable in principle to Shor’s algorithm, a quantum method that, on a powerful enough machine, solves the discrete-logarithm problem on which this public-key cryptography rests.

Until now, most public estimates suggested that a quantum computer capable of breaking 256-bit elliptic curves would require millions of physical qubits and daunting amounts of computation. Google’s team says it can do better.

In the paper, titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations,” the authors write that “we publish a ZK proof that we have compiled two quantum circuits for solving the 256-bit ECDLP: one with 1200 logical qubits and 90 million Toffoli gates and one with 1450 logical qubits and 70 million Toffoli gates.”

Logical qubits are error-corrected qubits built from many underlying physical qubits. Translating those circuits into a “standard superconducting architecture” protected by a surface code — a leading method for error correction — and assuming a physical error rate of about 1 in 1,000 operations, the team estimates that “these computations could be realized with fewer than half a million physical qubits.”
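To make the logical-to-physical translation concrete, here is an added example (not code from the Google paper, its blog post, or its zero-knowledge proof) that applies the textbook surface-code overhead heuristic to the numbers the article quotes. It assumes a surface-code threshold of about 1%, the standard per-cycle logical error scaling 0.1 × (p/p_th)^((d+1)/2), a rotated patch of 2d² − 1 physical qubits per logical qubit, a union bound over every logical qubit on every cycle, and a constructed run length of ten minutes at one microsecond per code cycle. It counts only the logical data patches and leaves out magic-state factories and routing space, which any real estimate must add; the paper's own cost model is not public.

```python
# Added example (not from the Google paper or blog post): textbook surface-code
# overhead estimate showing how the physical-per-logical ratio depends on the
# code distance d and on the physical error rate p relative to the threshold.

P_THRESHOLD = 1e-2  # assumed surface-code threshold, roughly 1% (textbook value)


def logical_error_per_cycle(p_phys: float, d: int, p_th: float = P_THRESHOLD) -> float:
    """Heuristic per-cycle logical error rate of one distance-d surface-code patch.

    Standard scaling from the surface-code literature (assumption, not the
    paper's model): p_L ~ 0.1 * (p / p_th) ** ((d + 1) / 2), valid for p < p_th.
    """
    if d < 3 or d % 2 == 0:
        raise ValueError("distance must be an odd integer >= 3")
    return 0.1 * (p_phys / p_th) ** ((d + 1) / 2)


def physical_qubits_per_logical(d: int) -> int:
    """Data plus measurement qubits of one rotated surface-code patch: 2*d^2 - 1."""
    return 2 * d * d - 1


def min_distance(p_phys: float, n_logical: int, n_cycles: int,
                 failure_budget: float = 0.01, d_max: int = 99) -> int:
    """Smallest odd distance whose whole-run failure probability is under the budget.

    Uses a union bound: every logical qubit may fail on every code cycle.
    """
    if p_phys >= P_THRESHOLD:
        raise ValueError("physical error rate at or above threshold: no distance suffices")
    for d in range(3, d_max + 1, 2):
        if n_logical * n_cycles * logical_error_per_cycle(p_phys, d) < failure_budget:
            return d
    raise ValueError("no distance up to d_max meets the failure budget")


def estimate(p_phys: float, n_logical: int, n_cycles: int,
             failure_budget: float = 0.01) -> dict:
    """Code distance and physical-qubit count needed to hold n_logical qubits.

    Counts only the logical data patches; magic-state factories and routing
    space, which real estimates must add, are deliberately left out.
    """
    d = min_distance(p_phys, n_logical, n_cycles, failure_budget)
    per_patch = physical_qubits_per_logical(d)
    return {"distance": d, "per_logical": per_patch, "total": n_logical * per_patch}


if __name__ == "__main__":
    # Inputs taken from the article: 1200 logical qubits, p of about 1e-3.
    # Run length is a constructed assumption: ten minutes at 1 microsecond per cycle.
    n_logical = 1200
    cycles = 10 * 60 * 1_000_000
    for p in (1e-3, 5e-4, 1e-4):
        r = estimate(p, n_logical, cycles)
        print(f"p={p:.0e}  d={r['distance']:2d}  "
              f"{r['per_logical']:5d} physical/logical  total={r['total']:,}")
```

Under these naive assumptions, p = 1e-3 needs distance 25 and about 1.5 million physical qubits for the 1200 data patches alone, while p = 1e-4 drops to distance 13 and roughly 400,000. Two lessons follow: the physical count grows as d², and the distance itself is driven by how far p sits below the threshold, so modest hardware improvements compound. The gap between this back-of-the-envelope count and the paper's sub-500,000 figure is a measure of how much a real estimate depends on details the simple model ignores (circuit depth, factory overhead, the exact error model), which is exactly why the paper's resource accounting, rather than the headline qubit count alone, is what practitioners should read.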

In a companion Google Research blog post, lead author Ryan Babbush and Hartmut Neven write that “we show that future quantum computers may break the elliptic curve cryptography that protects cryptocurrency and other systems with fewer qubits and gates than previously realized.”

Because fully specified attack circuits could be misused, the researchers do not reveal all the technical details. Instead, they use a cryptographic zero-knowledge proof so others can verify their resource estimates without learning how to reconstruct the attack. Google presents this as a form of “responsible disclosure” for a potential vulnerability in widely deployed cryptography.

The threat model is concrete. The paper analyzes “on-spend” attacks in which a quantum computer, once a user broadcasts a blockchain transaction, tries to derive that user’s private key and steal funds before the transaction is permanently recorded. The authors note that fast quantum architectures, such as superconducting or photonic systems, could in principle carry out such an attack within typical block times.

The resource reductions arrive alongside physical progress. In late 2024, Google reported in Nature that its Willow processor had achieved “below-threshold” error correction for logical qubits using the surface code — a step toward the kind of large, fault-tolerant machines the new paper assumes. Today’s publicly known devices have on the order of 1,000 noisy physical qubits, far short of the hundreds of thousands envisioned, but the new work narrows the gap on paper.

To many in the security community, that is enough to shift the conversation from whether to migrate away from vulnerable cryptography to how quickly.

“The upshot of this paper is that it shows that a quantum computer would be able to break some of the cryptography that is most widely used, especially in blockchains and cryptocurrencies, with much, much fewer resources than had previously been established,” said Chris Peikert, chief scientific officer at the Algorand Foundation and a professor of computer science and engineering at the University of Michigan, in an interview with IEEE Spectrum.

“It’s a kind of a win-win situation from the quantum computing perspective, but a lose-lose situation for cryptography,” he said.

Peikert emphasized that the sky is not falling in the immediate term. He told IEEE Spectrum that “the chance of a cryptographic attack by quantum computers being successful in the next three years is extremely low, maybe less than a percent.” But he added that over “5, 6, or 10 years, one has to seriously consider a probability, maybe 5% or 10% or more.”

“I think what this paper did was really the loudest alarm yet that these kinds of quantum attacks might not be as far off as some have suspected, or hoped, in recent years,” he said.

Governments have already started planning for this shift. A 2022 directive from the White House, National Security Memorandum 10, set around 2035 as the target for migrating U.S. national security systems to quantum-resistant cryptography. The National Institute of Standards and Technology finalized its first such standards in August 2024, including ML-KEM for key establishment and ML-DSA and SLH-DSA for digital signatures.

“The US government has put 2035 as its target for migrating all of the national security systems to post quantum cryptography,” Peikert said. “That seems like a prudent date, given the timelines that it takes to upgrade cryptography.”

Those timelines are long because cryptographic transitions are rare and fraught.

“Cryptography is very hard to change,” Peikert said. “We’ve only had one or maybe two major transitions in cryptography since the early 1980s or late 1970s when the field first was invented.”

Post-quantum algorithms, many of them based on mathematical structures called lattices, typically have larger keys, ciphertexts and signatures even if the underlying computations can be fast. That is especially challenging for blockchains, where on-chain data is limited and expensive. U.S. cybersecurity agencies have also warned about “harvest now, decrypt later” threats, in which adversaries store encrypted traffic today to unlock once quantum computers mature — another reason to move early.

The new Google paper also shows how quickly technical work of this kind can move markets. In a short section on “Post-Quantum Blockchains,” the authors single out Algorand, a proof-of-stake blockchain, as a project that has already deployed post-quantum tools. They note that Algorand has added Falcon, a post-quantum signature scheme, and recorded its first post-quantum-secured transaction in 2025. They also highlight Algorand’s “state proofs,” which Peikert described in IEEE Spectrum as “a mixture of ordinary post-quantum cryptography and also some more fancy cryptography” to protect the integrity of the chain’s history.

Peikert said Algorand has addressed some major issues but does not yet claim to be “fully post-quantum secure.”

Still, being named in Google’s warning paper coincided with a sudden repricing of Algorand’s own token. In the days after Google released its white paper and blog post, the price of the ALGO token jumped roughly 40% to 50%, with several crypto-market outlets describing the gain as about 44% and linking the rally in part to Google’s explicit mention of Algorand’s post-quantum work.

For Peikert, the message is less about any single blockchain and more about the global infrastructure that still runs on quantum-vulnerable cryptography.

“I tend to be an optimist about these things,” he said, but “we can’t be complacent about it, and we can’t kick the can down the road much longer.”

Tags: #quantum, #cryptography, #blockchain, #algorand