量子计算即将攻破BTC?真相是最早也要2035年
- 核心观点:尽管量子计算理论已大幅降低破解椭圆曲线密码(ECC)所需的量子硬件门槛(从3.17亿物理量子比特降至50万),但当前实际可运行算法的量子比特数仅约105个,距离构成实际威胁仍有数量级差距,真正能破解比特币和以太坊的“Q日”尚不确定。
- 关键要素:
- 理论突破显著:2026年论文通过新电路设计,将破解ECC所需物理量子比特数从2022年的3.17亿降至约50万,逻辑量子比特需求为约1,200个。
- 硬件瓶颈为规模:当前最大可运行算法的芯片仅约105个物理量子比特(谷歌Willow,2026年),而所需量级约为50万个,增长缓慢。
- 比特币风险有限但急迫:Shor算法可基于暴露的公钥窃取私钥,但地址为公钥哈希值。已有约670万枚BTC因历史交易暴露,存在被量子计算盗取风险。
- 以太坊风险更大:以太坊账户地址可重复使用,任何发送过交易的钱包一旦公钥暴露即可被量子计算接管,需全社区迁移至量子安全密钥。
- 业界预估时间表:专家Justin Drake认为2030年前概率为10%,2032年前概率为50%;美国国家标准与技术研究院/国家安全局目标为2035年淘汰易受攻击密码。
Original Author: Derrick Cui
Translated and Compiled by: TechFlow
TechFlow Introduction: Although theoretical advancements have reduced the quantum hardware requirements to break elliptic curve cryptography from 317 million physical qubits (2022) to 500,000 (2026), current quantum computers only have about 105 qubits capable of running actual algorithms, leaving a gap of several orders of magnitude before a practical attack becomes feasible. This article breaks down exactly what is needed to crack ECC and how far we are from that day.
Key Takeaways
The table below compares the theoretical requirements to crack ECC (Elliptic Curve Cryptography, used in TLS, Bitcoin, and HTTPS) as per a 2026 paper with current practical progress. The conclusion: We are nowhere close.
The biggest progress has been theoretical, such as algorithmic and error-correction designs reducing the required number of operations and qubits from approximately 317 million physical qubits (2022) to less than 500,000 (2026). Hardware has also improved (two-qubit gate fidelity increased from about 90% in 2005 to over 99.9% today, coherence time extended from about 1 microsecond to about 1 millisecond). However, the most critical hardware metric—the number of usable qubits in a single machine—has barely grown: about 105 can run real algorithms, while the requirement is roughly 500,000.

Estimates for Q-Day (the day quantum computers break cryptography):
Justin Drake believes there is a 10% probability before 2030 and a 50% probability before 2032.
The U.S. National Institute of Standards and Technology / National Security Agency targets the phasing out of vulnerable cryptography by 2035.
There is no equivalent of Moore's Law for quantum computing. The required conditions have dropped about 600-fold in four years, while machine scale may have only increased 10x in the past decade. Therefore, it is impossible to know the real timeline.
Current Frontier of Quantum Computing Progress
Definitions:
Physical Qubit: The total number of qubits in a quantum computer.
Logical Qubit / Error-Corrected Qubit: The number of effectively usable qubits after error correction (the classical computer analogy is information bits vs. total bits). For example, a distance-5 code in quantum computing means using about 49 physical qubits to store the information of 1 qubit.
Non-Clifford Gate: An operation on qubits that is difficult for classical machines to simulate. Includes the T gate.
T Gate: An operation that applies a 45-degree phase rotation to a single qubit. Inducing a T gate depends on the quantum computer's hardware; for superconducting quantum computers, microwave pulses are used to induce the effect.
Magic State: A pre-made, disposable qubit with a non-Clifford gate pre-baked in. Since non-Clifford gates cannot be directly applied to error-corrected qubits, you consume a magic state to indirectly apply the gate—through a process of entanglement + measurement + correction (a process called gate "teleportation").
Toffoli Gate: Operates on 3 qubits (2 control bits, 1 target bit), flipping the target bit only if both control bits are 1. It is constructed from approximately 7 T gates (4 after optimization) plus Clifford gates. On error-corrected qubits, the only way to apply a Toffoli gate is by consuming a magic state.
Shor's Algorithm: Invented in 1994 as a method for quantum computers to break RSA and ECC (by solving the period-finding problem).
Syndrome: The stream of results produced by qubits used to detect errors in data qubits ("check qubits").
Distillation: The process of combining many noisy magic states, consuming 15 noisy states to output a much cleaner one.
Breaking ECC with Shor's Algorithm:
In 2026, a paper introduced new circuit designs and "pre-processing" for Shor's Algorithm, requiring fewer computations to break ECC (which would compromise Bitcoin, Ethereum, SSH, TLS, HTTPS).
The paper theorizes that breaking ECC on a superconducting quantum computer is possible, requiring approximately 1,200 logical qubits to flawlessly link about 90 million Toffoli gates. At current error correction levels, this implies about 500,000 physical qubits and several minutes of runtime.
Computational Pipeline
Rough Process: Place physical qubits on a chip → Bundle many physical qubits into each error-corrected logical qubit → Run the algorithm's gates on logical qubits, consuming magic states for difficult (non-Clifford) gates → Measure and post-process on a classical computer.
Starting from Noisy Physical Qubits
Challenge: Physically fitting enough qubits into a single machine (control wiring, decoding chips, laser beams, cabling, etc.).
Progress: Algorithmic design improvements have reduced requirements from ~317 million qubits (2022) to ~9 million (Litinski 2023) to 500,000 (2026). Caltech in 2025 used optical tweezers to trap 6,100 qubits (holding them steady, not computing). IBM's Condor chip can hold 1,121 qubits, but is too noisy to run real algorithms. The largest chip to have run a practical algorithm is about 105 qubits (Google Willow, March 2026).
Bundling them into Reliable Logical Qubits through Error Correction
Challenge: The 2026 paper requires ~90 million Toffoli gates linked in sequence, each of which must succeed. The logical error rate per operation must be lower than about 1/90,000,000. In practice, the target ("North Star") is a logical error rate of approximately 10⁻⁹ or lower.
Progress: In 2024, Google demonstrated that 1 logical qubit made from 101 physical qubits (distance-7) had an error rate 2.14x lower than one made from 49 physical qubits (distance-5), which in turn was 2.14x lower than one from 17 physical qubits (distance-3). This paper showed that errors consistently decrease as physical qubits increase. The error rate for 101 qubits (distance-7) was 1.4 × 10⁻³ per cycle; roughly a million times higher than the target.
Keeping Error Correction Running to Maintain Them
Challenge: Decoding becomes harder as the number of qubits increases. Superconducting quantum computers produce a round of syndrome data about every 1 microsecond. A classical decoder must fully process each round in under about 1 microsecond, continuously. Decoding must keep pace with the number of qubits added to the computer.
Progress: Riverlane's local clustering decoder (Nature Communications, December 2025) was the first hardware (FPGA) decoder to achieve sub-1 microsecond per round with adaptivity. Google's AlphaQubit 2 (March 2026) performed real-time neural decoding up to distance 11 in under 1 microsecond per cycle; simulations suggest a TPU could reach distance 25. Still far from the scale of 500,000 qubits.
Consuming Magic States to Perform Difficult Gates
Challenge: Each difficult gate (Toffoli) consumes one magic state, and ECC requires about 90 million of them. Manufacturing and distilling magic states fast enough is a major throughput bottleneck. A distillation factory is a block of logical qubits + routing channels, sitting idle during computation. At scale, factories typically account for about 2-10% of total physical qubits.
Progress: Magic state cultivation (2024) significantly reduced the cost per magic state. QuEra demonstrated logical-level distillation in 2024 using only 5 logical qubits.
Measurement → Classical Computer Finishes the Math
Not a bottleneck. Measuring logical qubits and running classical post-processing (measurement results → period → private key) is well-understood and inexpensive.
Some research frontiers I haven't discussed:
Fast clock vs. slow clock architectures
Modular/multi-chip architectures
Below-threshold error-correcting codes
Surface codes vs. qLDPC codes: I haven't discussed IBM's progress on qLDPC because they have so far only demonstrated storing qubits (memory), not performing computations on them.
Magic state costs
Magic state routing/compilation
Coherence time
Running storage vs. computation on qubits
Cryogenic control electronics
Leakage and Related Errors
Bitcoin Risk
There is much panicked talk about Bitcoin's ECC being broken. What does breaking ECC actually mean for Bitcoin?
Shor's algorithm allows an attacker to recover your private key k if they have your public key Q. Once they do this, they become you. They can sign a transaction transferring your coins to themselves, and it is a fully valid transaction.
However, a Bitcoin address is not your public key; it is a hash of your public key (first SHA-256, then RIPEMD-160). Hashing is a different mathematical operation and is not broken by Shor's algorithm.
But, to authorize a transaction, you must reveal the public key Q, which then remains on the chain permanently. Therefore, any address that has ever sent Bitcoin to another address could be compromised. Modern wallets mitigate this by transferring the entire balance to a new address each time they send Bitcoin.
Approximately 6.7 million BTC are already exposed and could potentially be stolen via quantum computing.
Justin Drake has also written about the risk of private key theft within the 10-minute Bitcoin block time. The papers he cites suggest this could be done in 9 minutes. This problem is far less severe than the loss of the already exposed 6.7 million BTC.
The only real way to solve this problem is for everyone to switch to quantum-safe keys (the technology already exists) and, after a certain period, destroy any Bitcoin that has not been transferred. Getting the Bitcoin community to agree to this will be a monumental task.
Ethereum Risk
Ethereum uses the same curve (secp256k1) and the same signature scheme (ECDSA) as Bitcoin, so the underlying method of breaking it is the same: given a public key, Shor's algorithm recovers the private key, and the holder of the private key is the owner of the account.
Ethereum has persistent accounts, meaning addresses are reused. This implies that if quantum computing were viable today, any wallet that has ever sent a transaction could be taken over.
Replacing ECDSA is straightforward. The problem is that post-quantum signatures are much larger than ECDSA, meaning nodes would have to store more memory. This is also why Ethereum is moving towards zk while changing its signature scheme.
It also requires every user to actively migrate from old keys to new keys. Accounts that people do not transfer must be destroyed so that hackers cannot control them.
Technical Explanation
Public-key cryptography allows two parties to communicate securely over an untrusted network (like the public internet) without needing to share a secret in advance.
There are many different protocols (which can be thought of as end-use tools for specific use cases), such as Diffie-Hellman key exchange, ECDSA signatures, and RSA encryption. Their underlying hard problems are the discrete logarithm, EC discrete logarithm, and integer factorization, respectively. The core mathematical bottleneck that makes them hard for classical computers is periodicity.
The practical mathematical operation quantum computers excel at is finding periods.
What is ECC
ECC (used in TLS, Bitcoin, and HTTPS) is built on a one-way street. Start at a public point G on the curve. "Jump" k times to reach a new point Q. Jumping forward is fast. But if someone shows you the starting point (G) and the ending point (Q), finding out how many jumps were made is effectively impossible.
The number of jumps k is your private key; the endpoint Q is your public key. Everyone can see your start and end points, but only you know the number of steps between them.
The mathematical explanation is:
An elliptic curve is simply the set of points over a finite field satisfying the equation y² = x³ + ax + b.
G is the base point (public, fixed by a standard). For a private key k, the public key is the point Q = kG.
Computing Q from k via double-and-add requires O(log k) group operations.
Recovering k from (G, Q) is the ECDLP (Elliptic Curve Discrete Logarithm Problem). The classical method is trial and error, so it is very slow.
Shor's algorithm solves the ECDLP in polynomial time, reducing it to finding the period on the group generated by G.

This is an elliptic curve.
A diagram showing EC point multiplication on y² ≡ x³ + 7 (mod 17). The curve and base point G are public, and the endpoint Q is public. The secret is k = 6, the number of jumps from G to Q. Computing forward (calculating Q = kG) is fast; recovering k from G and Q has no known classical shortcut. This example uses mod 17 so you can count the jumps; real ECC uses a modulus space of approximately 2²⁵⁶.
How Shor's Algorithm Breaks ECC
Breaking ECC boils down to a seemingly simple function: f(x, y) = xG + yQ, where G is the public generator and Q is the public key you are attacking. Since Q = kG, this is effectively f(x, y) = (x + ky)G.
This has a consequence: stepping the input by (k, -1) never changes the output because (x+k) + k(y-1) = x + ky. So f repeats along parallel diagonals through the (x, y) grid, and the direction of these diagonals encodes k (the private key).
Finding this direction requires two different (x, y) pairs that produce the same output. Classical methods must search for such collisions by brute force.
Quantum computers allow you to:
Evaluate f for all (x, y) pairs simultaneously in superposition, so the entire striped grid exists in the machine at once.
But you


