Two independent research teams have released preprints indicating that the quantum resources required to break elliptic‑curve cryptography (ECC) may be orders of magnitude lower than estimates from only a few years ago. Since ECC underpins the security of Bitcoin, Ethereum, TLS certificates, and many digital signature schemes, this shift significantly impacts how long today’s cryptography can be considered safe.
Why breaking elliptic‑curve cryptography matters for cybersecurity
Elliptic‑curve cryptography is widely used because it provides strong security with relatively small key sizes; 256‑bit keys are the norm in blockchains and modern secure protocols. Its core hardness assumption is the elliptic‑curve discrete logarithm problem (ECDLP): given the curve's base point G and a public point Q = kG, it should be infeasible to recover the scalar k, which is the private key.
On a classical computer, breaking a 256‑bit ECC key is out of reach: the best known generic attacks cost on the order of 2^128 curve operations. Shor's algorithm, however, solves ECDLP (and integer factoring) in polynomial time on a sufficiently large, error‑corrected quantum computer, which would undermine ECC and RSA completely. Until now, the number of error‑corrected qubits and quantum gates required was thought to be so high that these attacks were a distant, long‑term concern.
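To make the hardness assumption concrete, the following added example (not from either preprint) implements the arithmetic of a toy curve, y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) and 19 points, and then recovers the private scalar k from Q = kG with baby‑step giant‑step, the generic classical attack. Its cost grows with the square root of the group order: trivial for 19 points, roughly 2^128 operations for a 256‑bit curve, which is exactly the cost Shor's algorithm removes. The curve parameters and the function names are this example's own choices.

```python
from math import isqrt

# Toy curve y^2 = x^3 + a*x + b over F_p, chosen for this example (not a
# real-world curve): p = 17, a = b = 2, base point G = (5, 1), group order 19.
p, a, b = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity, the group identity


def on_curve(P):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(P, Q):
    """Affine point addition (handles identity, inverse pairs and doubling)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # P == -Q, or doubling a point with y == 0
        return INF
    if P == Q:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p         # chord slope
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def neg(P):
    return INF if P is INF else (P[0], (-P[1]) % p)


def mul(k, P):
    """Double-and-add scalar multiplication: the easy direction, k -> kP."""
    R, Q = INF, P
    while k:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R


def order(P):
    """Smallest n > 0 with nP = INF (fine for a toy curve, hopeless for real ones)."""
    n, R = 1, P
    while R is not INF:
        R = add(R, P)
        n += 1
    return n


def bsgs(P, Q, n):
    """Baby-step giant-step: find k with kP = Q using O(sqrt(n)) work.

    This is the hard direction of ECDLP. For a 256-bit curve sqrt(n) is about
    2^128, which is why ECDLP-256 is out of reach classically."""
    m = isqrt(n) + 1
    baby = {}
    R = INF
    for j in range(m):                   # baby steps: table of jP for j in [0, m)
        baby.setdefault(R, j)
        R = add(R, P)
    step = neg(mul(m, P))                # each giant step subtracts mP
    gamma = Q
    for i in range(m + 1):               # giant steps: Q - i*mP, look for a table hit
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = add(gamma, step)
    return None


if __name__ == "__main__":
    n = order(G)
    k = 13                               # the private scalar to recover
    Q = mul(k, G)                        # the public point
    print(f"order(G) = {n}, Q = {k}G = {Q}, recovered k = {bsgs(G, Q, n)}")
```

The baby table has about sqrt(n) entries and the giant loop takes about sqrt(n) steps, so the whole attack is sqrt(n) group operations plus sqrt(n) memory; for the 19‑point curve that is five of each, for a 256‑bit curve it is 2^128, and no amount of classical hardware closes that gap.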
Neutral‑atom quantum architecture: attacking 256‑bit ECC in days
The first preprint proposes a quantum computer built on neutral atoms held in arrays of “optical tweezers”. Unlike superconducting qubits, which are fixed on a rigid two‑dimensional grid with limited connectivity, neutral atoms can be dynamically rearranged. This flexible connectivity simplifies implementing complex quantum circuits and large‑scale quantum error correction.
According to the authors, such a platform could, in principle, break a 256‑bit ECC key in roughly ten days using fewer than 30,000 physical qubits. They argue that the overhead for error correction is about 100 times lower than earlier theoretical estimates for attacking the same ECC parameters with less flexible architectures.
Experimental progress supports the plausibility of this direction. Multiple groups have already demonstrated neutral‑atom arrays exceeding 6,000 qubits, albeit with error rates far above what is needed for real cryptanalytic attacks. Still, the work reinforces a clear trend: resource estimates for quantum attacks on ECC are consistently moving downward.
Google Quantum AI optimizes quantum attacks on ECDLP‑256
The second preprint, from Google Quantum AI, focuses on optimizing quantum circuits specifically for the elliptic‑curve discrete logarithm problem over 256‑bit curves (ECDLP‑256). This problem is the mathematical foundation of digital signatures used in Bitcoin, Ethereum and many blockchain wallets, as well as in numerous authentication and key‑exchange protocols based on ECC.
The researchers present two circuit designs. One requires fewer than 1,200 logical qubits and about 90 million Toffoli gates (the standard cost unit for fault‑tolerant circuits, because non‑Clifford gates such as Toffoli dominate the error‑correction overhead). The alternative uses fewer than 1,450 logical qubits but cuts the count to around 70 million Toffoli gates. Translated into a realistic fault‑tolerant architecture with error correction, the authors estimate that an attack on ECDLP‑256 would need approximately 500,000 physical qubits.
This is roughly half of some well‑known estimates for breaking RSA‑2048 and about 20 times less resource‑intensive than several 2023 assessments for attacking ECC. If such a fault‑tolerant quantum computer existed today, the authors suggest that a single 256‑bit ECC key could be compromised in under nine minutes, short enough for targeted, stealthy attacks on high‑value keys such as cryptocurrency wallets or certificate authority signing keys.
Zero‑knowledge proofs and “responsible disclosure” of quantum attacks
One of the most notable aspects of the Google work is its disclosure model. The authors intentionally withhold the full algorithmic details behind the improved resource estimates. Instead, they provide a zero‑knowledge proof: a cryptographic mechanism that lets them prove the stated gate and qubit counts are achievable without revealing the underlying circuit optimizations.
According to the preprint, this approach was developed in coordination with US government agencies as a template for responsible disclosure of potentially dangerous advances in quantum cryptanalysis. The authors argue that the current pace of progress justifies limiting detailed publication of attack techniques to reduce the risk of misuse once large‑scale quantum hardware becomes available.
Real risk or premature alarm? Evaluating the quantum threat horizon
The publications have triggered debate within the cryptographic community. Many experts stress that algorithms requiring hundreds of thousands of fully error‑corrected qubits remain a long‑term threat. No existing quantum platform comes close to this scale, and most public roadmaps suggest that large, fault‑tolerant systems are still years away.
At the same time, the implications extend far beyond cryptocurrencies. The same ECC primitives are used in TLS/HTTPS, public key infrastructure (PKI), code‑signing, and electronic signature services such as DocuSign. For encrypted traffic, the "harvest now, decrypt later" strategy is already a practical concern: an adversary can record ECDH‑protected sessions today and recover the session keys once a capable quantum computer exists. Signatures fail differently: nothing already signed is retroactively altered, but any public key that is still trusted at that point, whether a CA key, a code‑signing key or a wallet key that has been exposed, can have its private key recovered and used to forge new signatures.
Standards bodies, including NIST, have repeatedly warned that organizations holding data that must stay confidential or verifiable for decades should begin migrating to post‑quantum cryptography (PQC) well before large quantum computers exist. Many industries (finance, healthcare, government archives, critical infrastructure) retain sensitive information for 10–30 years or more, a window that overlaps uncomfortably with typical projections for large‑scale quantum hardware.
Although both studies are still unreviewed preprints and no hardware capable of mounting such attacks exists today, the direction is consistent: the quantum cost of breaking ECC is falling, not rising. For security teams, this is a clear signal to accelerate PQC readiness: inventory where ECC and RSA are used (certificates, TLS configurations, SSH keys, code‑signing, wallets, HSM‑backed keys); reduce long‑term storage of sensitive data under quantum‑vulnerable schemes; pilot the algorithms NIST has already standardized (ML‑KEM for key establishment, ML‑DSA and SLH‑DSA for signatures), preferably in hybrid mode alongside the classical ones; and update key‑management and protocol infrastructure so that algorithms can be swapped without a redesign. Organizations that start this transition early will be far better positioned when quantum attacks move from theoretical to practical reality.
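The first item on that list, the inventory, starts with knowing which keys are quantum‑vulnerable. The following added example (not from the page's sources) parses the SubjectPublicKeyInfo DER structure that X.509 certificates, most key files and most tooling expose, and maps its algorithm OID to a family: RSA, ECDSA/ECDH on any curve and the EdDSA curves are flagged for migration, an ML‑DSA key is not, and anything unrecognised is flagged for review rather than silently passed. The sample SPKIs are constructed for this example with zeroed key material; the `spki` builder, `KeyInfo` and `inventory` names are the example's own, and the ML‑DSA‑65 OID is taken from the NIST registry as an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Algorithm OIDs from the PKIX / SEC / NIST registries.
QUANTUM_VULNERABLE = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",          # id-ecPublicKey; curve is named in the parameters
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
POST_QUANTUM = {
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",   # FIPS 204; OID assumed from the NIST CSOR registry
}
CURVES = {
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.10": "secp256k1",
}


@dataclass
class KeyInfo:
    algorithm: str
    curve: Optional[str]
    quantum_vulnerable: bool


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode DER OID contents: first byte packs arcs 1 and 2, rest is base-128."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_spki(data: bytes) -> KeyInfo:
    """SPKI ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }; only the OIDs are read."""
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg_id, _ = read_tlv(body)               # AlgorithmIdentifier
    tag, oid_raw, nxt = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_raw)
    curve = None
    if nxt < len(alg_id):
        ptag, pval, _ = read_tlv(alg_id, nxt)   # parameters: namedCurve OID for EC, NULL for RSA
        if ptag == 0x06:
            curve = CURVES.get(decode_oid(pval), decode_oid(pval))
    if oid in QUANTUM_VULNERABLE:
        return KeyInfo(QUANTUM_VULNERABLE[oid], curve, True)
    if oid in POST_QUANTUM:
        return KeyInfo(POST_QUANTUM[oid], None, False)
    return KeyInfo(f"unknown({oid})", curve, True)   # unknown: treat as vulnerable until reviewed


def spki(alg_id_hex: str, key_len: int) -> bytes:
    """Build a constructed SPKI with zeroed key bits (short-form lengths only)."""
    alg = bytes.fromhex(alg_id_hex)
    bits = bytes([0x03, key_len + 1, 0x00]) + bytes(key_len)   # BIT STRING, 0 unused bits
    return bytes([0x30, len(alg) + len(bits)]) + alg + bits


# Constructed sample inventory; the key material is zeros, only the OIDs matter here.
SAMPLES: Dict[str, bytes] = {
    "tls-cert-p256":        spki("301306072a8648ce3d020106082a8648ce3d030107", 65),
    "btc-wallet-secp256k1": spki("301006072a8648ce3d020106052b8104000a", 65),
    "legacy-rsa":           spki("300d06092a864886f70d0101010500", 8),
    "ssh-ed25519":          spki("300506032b6570", 32),
    "pqc-mldsa65":          spki("300b0609608648016503040312", 8),
}


def inventory(samples: Dict[str, bytes]) -> List[Tuple[str, KeyInfo]]:
    """Return (label, KeyInfo) for every key that needs PQC migration."""
    return [(name, info) for name, data in samples.items()
            if (info := classify_spki(data)).quantum_vulnerable]


if __name__ == "__main__":
    for name, info in inventory(SAMPLES):
        print(f"{name:24s} {info.algorithm:10s} {info.curve or '-':10s} migrate")
```

Real inventories feed this from `openssl x509 -pubkey`, SSH `authorized_keys` files converted to DER, or a certificate transparency export; the point of the unknown branch is that a new or vendor‑specific OID should land on a review list, not be treated as safe by omission.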