Quantum computing is about to crack BTC? The truth is, it won't happen until at least 2035
- Core Viewpoint: Although quantum computing theory has significantly lowered the required quantum hardware threshold for cracking Elliptic Curve Cryptography (ECC) (from 317 million physical qubits to 500,000), the actual number of qubits currently capable of running algorithms is only about 105. There remains an order-of-magnitude gap before constituting a real threat. The precise date of "Q-Day," when Bitcoin and Ethereum can actually be broken, remains uncertain.
- Key Elements:
- Significant theoretical breakthroughs: A 2026 paper used a new circuit design to reduce the number of physical qubits needed to crack ECC from 317 million (in 2022) to approximately 500,000, with a requirement of about 1,200 logical qubits.
- The hardware bottleneck is scale: The largest chip currently capable of running algorithms has only about 105 physical qubits (Google Willow, 2026), while the required scale is about 500,000 – growth is slow.
- Bitcoin risk is limited but urgent: Shor's algorithm can steal private keys based on exposed public keys, but addresses are hashes of public keys. Approximately 6.7 million BTC have been exposed through historical transactions, posing a risk of theft via quantum computing.
- Ethereum risk is greater: Ethereum account addresses can be reused. Any wallet that has ever sent a transaction has its public key exposed, making it vulnerable to quantum takeover. The entire community would need to migrate to quantum-safe keys.
- Industry estimated timeline: Expert Justin Drake assesses a 10% probability before 2030 and a 50% probability before 2032; the US National Institute of Standards and Technology/National Security Agency aims to phase out vulnerable cryptography by 2035.
Original Author: Derrick Cui
Original Translation: TechFlow
Introduction: Although theoretical advancements have reduced the quantum hardware requirements for cracking elliptic curve cryptography from 317 million physical qubits (2022) to 500,000 (2026), current quantum computers can only operate with about 105 qubits capable of running algorithms, leaving a gap of several orders of magnitude before a practical attack is feasible. This article breaks down exactly what is needed to crack ECC and how far we are from that day.
Key Points
The table below compares the theoretical requirements for cracking ECC (elliptic curve cryptography, used in TLS, Bitcoin, and HTTPS) as per a 2026 paper against current practical progress. The conclusion is: we are far from it.
The biggest strides have been theoretical, such as algorithm and error correction designs reducing the required operations and qubits from about 317 million physical qubits (2022) to under 500,000 (2026). Hardware has also improved (two-qubit fidelity rising from about 90% in 2005 to over 99.9% today, coherence times extending from about 1 microsecond to about 1 millisecond). However, the most critical hardware metric—the number of available qubits in a single machine—has barely grown: about 105 can run real algorithms, while about 500,000 are needed.

Estimates for Q-Day (the day quantum computing cracks cryptography):
Justin Drake estimates a 10% probability before 2030 and a 50% probability before 2032.
The U.S. National Institute of Standards and Technology/National Security Agency target the phase-out of vulnerable cryptography by 2035.
There is no equivalent of Moore's Law in quantum computing. The required conditions have dropped by about 600 times in four years, while machine scale may have only grown by 10 times over the past decade. Therefore, knowing the true timeline is impossible.
Current Frontier of Quantum Computing Progress
Definitions:
Physical qubit: The total number of qubits in a quantum computer.
Logical qubit/error-corrected qubit: The number of effectively usable qubits after error correction (the classical counterpart is the ratio of information bits to total bits). For example, a distance-5 code in quantum computing means using about 49 physical qubits to store 1 qubit of information.
Non-Clifford gate: An operation on qubits that is difficult for classical machines to simulate. Includes the T gate.
T gate: An operation applying a 45-degree phase rotation to a single qubit. Inducing a T gate depends on the quantum computer's hardware; for superconducting quantum computers, microwave pulses are used to induce the effect.
Magic state: A pre-fabricated, one-time qubit with a pre-baked non-Clifford gate. Since non-Clifford gates cannot be directly applied to error-corrected qubits, you consume the magic state to indirectly apply the gate—through entanglement + measurement + correction (a process called gate "teleportation").
Toffoli gate: Operates on 3 qubits (2 control bits, 1 target bit), flipping the target bit only if both control bits are 1. It is constructed from about 7 T gates (optimized to 4) plus Clifford gates. On error-corrected qubits, the only way to apply a Toffoli gate is by consuming a magic state.
Shor's algorithm: Invented in 1994 as a method for quantum computers to crack RSA and ECC (by solving the period-finding problem).
Syndrome: The resulting stream from qubits (check qubits) used to detect errors in data qubits.
Distillation: The process of combining many noisy magic states, consuming 15 noisy states to output one much cleaner state.
Cracking ECC using Shor's algorithm:
In 2026, a paper introduced new circuit designs and "pre-processing" for Shor's algorithm, requiring fewer calculations to crack ECC (which would break Bitcoin, Ethereum, SSH, TLS, HTTPS).
The paper theorized it is possible to crack ECC on a superconducting quantum computer, requiring about 1,200 logical qubits linking about 90 million Toffoli gates without error. At current error correction levels, this means about 500,000 physical qubits and a runtime of several minutes.
Computation Pipeline
Rough process: Place physical qubits on a chip → Bundle many physical qubits into each error-corrected logical qubit → Run algorithm gates on logical qubits, consuming magic states for difficult (non-Clifford) gates → Measure and post-process on a classical computer.
Start with noisy physical qubits.
Challenge: Physically placing enough qubits into one machine (control wiring, decoding chips, laser beams, routing, etc.).
Progress: Algorithm design improvements have reduced requirements from about 317 million qubits (2022) to about 9 million (Litinski 2023) down to 500,000 (2026). In 2025, Caltech used optical tweezers to hold 6,100 qubits (holding them, not computing). IBM's Condor chip can hold 1,121 qubits but is too noisy to run real algorithms. The largest chip to run a real algorithm has about 105 qubits (Google Willow, March 2026).
Bundle them into reliable logical qubits through error correction.
Challenge: The 2026 paper requires about 90 million Toffoli gates linked sequentially, each of which must succeed. The logical error rate per operation must be below about 1/90,000,000. In practice, the target ("North Star") is a logical error rate of about 10⁻⁹ or lower.
Progress: In 2024, Google demonstrated that one logical qubit composed of 101 physical qubits (distance-7) had an error rate 2.14 times lower than one with 49 physical qubits (distance-5), which in turn was 2.14 times lower than one with 17 physical qubits (distance-3). This paper proved that errors continue to decrease as physical qubits increase. The error rate for 101 qubits (distance-7) is 1.4×10⁻³ per cycle; about one million times too high.
Keep error correction running to maintain them.
Challenge: Decoding becomes harder as the number of qubits increases. Superconducting quantum computers emit a round of syndrome data about every 1 microsecond. The classical decoder must fully process each round in less than about 1 microsecond, continuously. Decoding must keep pace with the number of qubits added to the computer.
Progress: Riverlane's Local Clustering Decoder (Nature Communications, December 2025) is the first hardware (FPGA) decoder to achieve sub-1 microsecond per round with adaptivity. Google's AlphaQubit 2 (March 2026) performs real-time neural decoding to distance 11 at sub-1 microsecond per cycle; simulations suggest a TPU could reach distance 25. We are still far from the scale of 500,000 qubits.
Consume magic states to execute difficult gates.
Challenge: Each difficult gate (Toffoli) consumes a magic state, and ECC requires about 90 million of them. Manufacturing and purifying magic states quickly enough is a major throughput bottleneck. The distillation factory is a block of logical qubits + routing channels that sit idle during computation. At scale, factories typically occupy about 2-10% or more of the total physical qubits.
Progress: Magic state cultivation (2024) has significantly reduced the cost per magic state. In 2024, QuEra demonstrated logical-level distillation using only 5 logical qubits.
Measurement → Classical computer finishes the math.
Not a bottleneck. Measuring logical qubits and running classical post-processing (measurement results → period → private key) is well-understood and inexpensive.
Some research frontiers I have not discussed:
Fast-clock vs. slow-clock architectures
Modular/multi-chip architectures
Below-threshold error correction codes
Surface codes vs. qLDPC codes: I have not discussed IBM's progress on qLDPC because they have only demonstrated storing qubits (memory) so far, not computing on them.
Magic state cost
Magic state routing/compilation
Coherence time
Running storage vs. computation on qubits
Cryogenic control electronics
Leakage and Correlated Errors
Bitcoin Risk
There is a lot of panic about Bitcoin's ECC being cracked. What exactly would cracking ECC mean for Bitcoin?
Shor's algorithm allows an attacker to recover your private key k if they have your public key Q. Once they do this, they become you. They can sign a transaction transferring your coins to themselves, which would be a completely valid transaction.
However, a Bitcoin address is not your public key; it is a hash of your public key (SHA-256 then RIPEMD-160). Hashing is a different mathematical operation, and Shor's algorithm cannot crack it.
But, to authorize a transaction, you must reveal your public key Q, which stays permanently on the chain. Therefore, any address that has ever sent Bitcoin to another address could be compromised. Modern wallets transfer the entire balance to a new address each time they send Bitcoin, which protects users.
Approximately 6.7 million BTC have already been exposed and could potentially be stolen via quantum computing.
Justin Drake has also written about the risk of private key theft within the 10-minute Bitcoin block time. The papers he cites show this could be done in 9 minutes. This problem is far less severe than losing the 6.7 million BTC already exposed.
The only real solution is for everyone to switch to quantum-safe keys (the technology already exists) and, after a period, destroy bitcoins that have not been transferred. Getting the Bitcoin community to agree to this would be a monumental task.
Ethereum Risk
Ethereum uses the same curve as Bitcoin (secp256k1) and the same signature scheme (ECDSA), so the underlying method of cracking is the same: given a public key, Shor's algorithm recovers the private key, and the private key holder is the account owner.
Ethereum has persistent accounts, meaning addresses are reused. This means that if quantum computing were possible today, every wallet that has ever sent a transaction could be taken over.
Replacing ECDSA is simple. The problem is that post-quantum signatures are much larger than ECDSA, meaning nodes have to store more memory. This is also why Ethereum is moving to zk while changing its signature scheme.
It also requires every user to actively migrate from old keys to new keys. Accounts that people have not transferred must be destroyed so that hackers cannot control them.
Technical Explanation
Public-key cryptography allows two people to communicate securely over an untrusted network (like the public internet) without needing to share a secret in advance.
There are many different protocols (think of them as end-use tools for specific use cases). Examples include Diffie-Hellman key exchange, ECDSA signatures, and RSA encryption. Their underlying hard problems are the Discrete Logarithm, EC Discrete Logarithm, and Factorization, respectively. The core mathematical bottleneck that makes these hard for classical computers is periodicity.
The actual mathematical operation that quantum computers can perform is finding periods.
What is ECC
ECC (used in TLS, Bitcoin, and HTTPS) is built on a one-way street. Starting from a public point G on the curve, "jump" k times to reach a new point Q. Jumping forward is fast. But if someone shows you the starting point (G) and the ending point (Q), finding out how many jumps were taken is effectively impossible.
The number of jumps k is your private key; the ending point Q is your public key. Everyone can see your starting and ending points, but only you know the number of steps between them.
Mathematical explanation:
An elliptic curve is simply a set of points over a finite field satisfying the equation y² = x³ + ax + b.
G is the base point (public, fixed by a standard). For a private key k, the public key is the point Q = kG.
Computing Q from k via double-and-add requires O(log k) group operations.
Recovering k from (G, Q) is the ECDLP (Elliptic Curve Discrete Logarithm Problem); the classical method is trial and error, so it is very slow.
Shor's algorithm solves ECDLP in polynomial time, reducing it to finding a period on the group generated by G.

Here is an elliptic curve.
A diagram showing EC point multiplication on y² ≡ x³ + 7 (mod 17). The curve and base point G are public, and the endpoint Q is public. The secret is k = 6, the number of jumps from G to Q. Computing forward (calculating Q = kG) is fast; recovering k from G and Q has no known classical shortcut. This example uses mod 17; you can count the jumps. Real ECC uses a modulus space of about 2²⁵⁶.
How Shor's Algorithm Cracks ECC
Cracking ECC boils down to a seemingly simple function: f(x, y) = xG + yQ, where G is the public generator and Q is the public key you are attacking. Since Q = kG, this is essentially f(x, y) = (x + ky)G.
This has a consequence: stepping the input by (k, −1) never changes the output because (x + k) + k(y − 1) = x + ky. So f repeats along parallel diagonals through the (x, y) grid, and the direction of these diagonals encodes k (the private key).
Finding this direction requires two different (x, y) pairs that produce the same output. Classical methods must brute-force search for such collisions.
A quantum computer allows you to:
Evaluate f for all (x, y) pairs simultaneously in superposition, so the entire stripe grid exists in the machine at once
But you still cannot observe it—measurement would collapse to a random point, revealing nothing
A Fourier transform causes everything except the repeating direction to


