Will Quantum Computing Break Crypto?
Quick answer
Quantum computing breaking Bitcoin's encryption by 2030 has approximately 5% probability — current quantum computers have 1,000-1,500 error-prone qubits while breaking Bitcoin's ECDSA-256 would require roughly 4,000 error-corrected logical qubits, equivalent to millions of physical qubits. NIST finalized post-quantum cryptography standards in 2024, and the Bitcoin network has a credible migration path before any realistic quantum threat materializes.
Probability assessment

- 5%: Yes, Bitcoin's ECDSA is broken by 2030 (confidence: high)
- 95%: No, unlikely (confidence: high)
Key drivers
Current Qubit Count vs. Required Threshold
Assessment: negative; confidence: high. IBM's Heron processor achieved 133 physical qubits with improved error rates in late 2023; their roadmap targets 100,000 physical qubits by 2033. Google's Willow chip (2024) demonstrated 105 qubits with a landmark error correction milestone. However, breaking Bitcoin's secp256k1 elliptic curve via Shor's algorithm requires approximately 4,000 error-corrected logical qubits. The overhead ratio for current error correction codes (surface codes) requires roughly 1,000-10,000 physical qubits per logical qubit — meaning Bitcoin-threatening capability requires 4 million to 40 million physical qubits. At current roadmap trajectories, this is a 2040+ problem at the earliest.
NIST Post-Quantum Cryptography Standards (PQC)
Assessment: mixed; confidence: high. NIST finalized the first post-quantum cryptographic standards in August 2024: CRYSTALS-Kyber (ML-KEM) for key encapsulation, CRYSTALS-Dilithium (ML-DSA) for digital signatures, and SPHINCS+ (SLH-DSA) as a backup signature scheme. These algorithms are based on mathematical problems believed to be hard for both classical and quantum computers (lattice problems, hash-based signatures). The US government mandated that federal agencies begin PQC migration planning immediately. Ethereum researchers and Bitcoin developers have both published quantum resistance upgrade proposals. The cryptographic defense layer is well ahead of the quantum attack threat.
Shor's Algorithm vs. SHA-256 and ECDSA
Assessment: mixed; confidence: high. Bitcoin uses two cryptographic primitives: SHA-256 for proof-of-work mining (Grover's algorithm could halve effective security to 128 bits — still computationally infeasible to attack) and ECDSA for transaction signatures (Shor's algorithm could theoretically break it in polynomial time given sufficient qubits). The ECDSA signature scheme is the more vulnerable component — it exposes public keys at transaction broadcast time, giving a quantum attacker a brief window to derive private keys. Crucially, Bitcoin addresses are SHA-256 hashes of public keys until spending, providing one layer of quantum resistance for unspent coins that have never revealed their public key.
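The exposure model described above (a key is only useful to a Shor-capable adversary once it is visible on chain, whether because the output script carries it or because the key already signed a spend) can be turned into a simple UTXO triage. The script below is an added example written for this page, not code from the page or from any Bitcoin project. It generalizes slightly beyond the paragraph: besides legacy pay-to-pubkey outputs, it also treats taproot outputs as key-exposed, since their script carries the tweaked public key directly. The script-type labels, the `Utxo`/`Spend` records and all keys and amounts are constructed sample data, and plain SHA-256 stands in for Bitcoin's HASH160 (RIPEMD160 of SHA-256) so the example runs with only the standard library.

```python
import hashlib
from dataclasses import dataclass

# Output-script families modelled here (labels are this example's own):
#   p2pk   : legacy pay-to-pubkey, the script contains the raw public key
#   p2pkh  : pay-to-pubkey-hash, the script contains only a hash of the key
#   p2wpkh : segwit v0 key hash, likewise only a hash
#   p2tr   : taproot, the script contains the (tweaked) x-only public key itself
SCRIPT_CARRIES_KEY = {"p2pk": True, "p2pkh": False, "p2wpkh": False, "p2tr": True}


def pubkey_hash(pubkey: bytes) -> bytes:
    """Hash commitment to a public key. Bitcoin's real HASH160 is RIPEMD160(SHA256(pk));
    plain SHA-256 is used here (assumption) so the example runs without a ripemd160 provider."""
    return hashlib.sha256(pubkey).digest()


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_type: str
    value_sat: int
    pubkey: bytes  # key that controls the coin (constructed, not a real curve point)


@dataclass(frozen=True)
class Spend:
    """A historic spend whose witness/scriptSig published this public key on chain."""
    txid: str
    pubkey: bytes


def on_chain_data(u: Utxo) -> bytes:
    """What the output script actually publishes: the key itself, or only its hash."""
    return u.pubkey if SCRIPT_CARRIES_KEY[u.script_type] else pubkey_hash(u.pubkey)


def revealed_keys(spends: list[Spend]) -> set[bytes]:
    """Every key that has ever signed is public, whatever later outputs it controls."""
    return {s.pubkey for s in spends}


def quantum_exposed(u: Utxo, revealed: set[bytes]) -> bool:
    """A Shor-capable adversary needs the public key. It is available if the output script
    carries it directly, or if the same key was already revealed by an earlier spend (reuse)."""
    return SCRIPT_CARRIES_KEY[u.script_type] or u.pubkey in revealed


def triage(utxos: list[Utxo], spends: list[Spend]) -> dict:
    """Split a UTXO set into key-exposed and hash-shielded coins, with totals in satoshi."""
    revealed = revealed_keys(spends)
    exposed = [u for u in utxos if quantum_exposed(u, revealed)]
    shielded = [u for u in utxos if not quantum_exposed(u, revealed)]
    return {
        "exposed_count": len(exposed),
        "exposed_sat": sum(u.value_sat for u in exposed),
        "exposed_ids": [f"{u.txid}:{u.vout}" for u in exposed],
        "shielded_count": len(shielded),
        "shielded_sat": sum(u.value_sat for u in shielded),
        "shielded_ids": [f"{u.txid}:{u.vout}" for u in shielded],
    }


# Constructed sample data (not real keys or transactions)
K1 = bytes.fromhex("02" + "11" * 32)  # 33-byte compressed-key shape
K2 = bytes.fromhex("03" + "22" * 32)
K3 = bytes.fromhex("02" + "33" * 32)
K4 = bytes.fromhex("44" * 32)         # 32-byte x-only shape, as in taproot outputs
K5 = bytes.fromhex("02" + "55" * 32)

SAMPLE_SPENDS = [Spend("spent-1", K2)]  # K2 signed once before, so it is already public

SAMPLE_UTXOS = [
    Utxo("aaaa", 0, "p2pk",   5_000_000, K1),  # key in script: exposed
    Utxo("bbbb", 1, "p2pkh",  2_000_000, K2),  # hash-type, but K2 revealed by spent-1: exposed
    Utxo("dddd", 0, "p2wpkh",   700_000, K3),  # fresh hash-type output: shielded
    Utxo("eeee", 2, "p2tr",   3_000_000, K4),  # tweaked key in script: exposed
    Utxo("ffff", 0, "p2pkh",    250_000, K5),  # fresh hash-type output: shielded
]

if __name__ == "__main__":
    report = triage(SAMPLE_UTXOS, SAMPLE_SPENDS)
    for name, value in report.items():
        print(f"{name}: {value}")
```

The point the triage makes is that "never revealed the public key" is a property of the key, not of the output: one reused key drags every output it controls into the exposed set, which is why a migration plan has to inventory keys rather than addresses.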
IBM, Google, and Competing Quantum Roadmaps
Assessment: mixed; confidence: medium. IBM's quantum roadmap targets 100,000 physical qubits by 2033 and outlines a path to error-corrected quantum advantage. Google's 2023 paper in Nature on qubit error correction showed a reduction in error rates as qubit count scaled — a crucial proof-of-concept for practical quantum computing. China's quantum program (USTC, through the Jiuzhang and Zuchongzhi processors) is less transparent but reportedly well-funded, with 66-qubit systems demonstrated. Microsoft is pursuing topological qubits (announced breakthrough in 2025), which would offer inherently lower error rates if the approach scales, potentially accelerating timelines.
Bitcoin Network Upgrade Feasibility
Assessment: mixed; confidence: medium. Bitcoin's historically conservative upgrade process (requiring broad consensus among miners, developers, and node operators) is a double-edged sword for quantum resistance. SegWit (2017) and Taproot (2021) demonstrated that the network can implement significant cryptographic changes. A quantum-resistant signature scheme (e.g., CRYSTALS-Dilithium) could be implemented via a similar soft fork, with a multi-year transition period. The Bitcoin development community has multiple active proposals (e.g., BIP-360) for post-quantum upgrade paths. The key question is whether Bitcoin's community can achieve consensus before a quantum threat materializes — a governance risk rather than a technical one.
Cryptographically Relevant Quantum Computers (CRQC) Timeline
Assessment: mixed; confidence: high. Security researchers use the term 'Cryptographically Relevant Quantum Computer' (CRQC) to describe a quantum system powerful enough to break current encryption. The US Department of Homeland Security, NSA, and GCHQ all published advisories in 2023-2024 projecting CRQC feasibility no earlier than the 2030s, with most estimates centering on 2035-2040. The 'harvest now, decrypt later' attack — where adversaries collect encrypted data today to decrypt once a CRQC is available — is considered a real threat to long-lived secrets (government communications, long-term identity) but less relevant to time-limited cryptocurrency transactions.
Expert views
NSA (National Security Agency)
“The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandated federal agencies begin PQC migration immediately, with deadlines of 2025-2033 depending on system type. The advisory explicitly stated that 'the threat from a cryptographically relevant quantum computer is not imminent' but that migration timelines for large organizations require immediate planning. NSA's public posture suggests the agency's internal assessment places CRQC arrival at 2030s-2040s, not earlier.”
Source: NSA (National Security Agency)
Google Quantum AI (Hartmut Neven)
“Neven, director of Google's quantum AI lab, described the December 2024 Willow chip milestone as demonstrating that quantum error rates decrease as chip scales — historically the opposite was true. He projected that practically relevant quantum advantage (outperforming classical computers on useful tasks) is achievable within the 2020s, though he was careful to distinguish 'quantum advantage' from 'breaking cryptography.' Neven's timeline is aggressive; most independent experts consider the jump from quantum advantage on specific tasks to CRQC capability substantial.”
Source: Google Quantum AI (Hartmut Neven)
Vitalik Buterin, Ethereum Co-founder
“Buterin published a detailed analysis on EIP-7560 (abstract accounts for quantum resistance) noting that Ethereum's account abstraction roadmap provides a natural migration path to post-quantum signatures. He assessed that Ethereum has years of runway before quantum threat is realistic and that a hard fork to quantum-resistant signatures, while disruptive, is technically feasible. He particularly noted that wallets that have never sent a transaction expose only their public key hash — not the underlying public key — providing meaningful quantum resistance for long-term holdings.”
Source: Vitalik Buterin, Ethereum Co-founder
NIST Computer Security Division
“NIST's finalization of ML-KEM, ML-DSA, and SLH-DSA represents the culmination of a 6-year competition involving 69 initial submissions from global cryptographers. The standards are designed to be conservative — providing security margins well beyond current quantum capabilities. NIST explicitly noted these standards are intended for systems protecting data with 30+ year sensitivity requirements, providing a substantial buffer against near-term quantum threats.”
Source: NIST Computer Security Division
Chinese Academy of Sciences Research Team
“A January 2023 paper caused alarm when Chinese researchers claimed RSA-2048 could be broken with only 372 qubits using a hybrid quantum-classical algorithm. Independent review found the paper made optimistic assumptions that did not hold under rigorous analysis — the algorithm likely requires millions of qubits in practice, consistent with prior estimates. The episode highlighted both the vigilance required in monitoring quantum advances and the risk of premature alarm from incompletely reviewed claims.”
Source: Chinese Academy of Sciences Research Team
Historical context
| Event | Outcome |
|---|---|
| Historical Context | Peter Shor's 1994 algorithm proved theoretically that a sufficiently powerful quantum computer could factor large integers in polynomial time — directly threatening RSA encryption. Lov Grover's 1996 algorithm demonstrated quadratic speedup for unstructured search, halving the effective security of s |
This analysis is for reference only and does not constitute financial advice. Cryptocurrency markets are extremely volatile. Do your own research before making any financial decision.