Quantum computing is about to crack BTC? The truth is it won't happen until at least 2035
- Core Thesis: Although quantum computing theory has significantly reduced the quantum hardware threshold required to break Elliptic Curve Cryptography (ECC) (from 317 million physical qubits to 500,000), the number of qubits currently capable of running algorithms is only about 105. There remains an orders-of-magnitude gap before constituting a real-world threat, making the true "Q-Day" – when Bitcoin and Ethereum can be broken – still uncertain.
- Key Factors:
- Significant Theoretical Breakthroughs: A 2026 paper, through new circuit designs, reduced the number of physical qubits needed to break ECC from 317 million (per 2022 estimates) to approximately 500,000, with the logical qubit requirement at about 1,200.
- Hardware Bottleneck is Scale: The current largest chip capable of running algorithms has only about 105 physical qubits (Google Willow, 2026), while the required scale is around 500,000, representing slow growth.
- Bitcoin Risk is Limited but Urgent: Shor's algorithm could potentially steal private keys from exposed public keys, but addresses are hashes of the public key. Approximately 6.7 million BTC, exposed through historical transactions, are at risk of being stolen by quantum computing.
- Ethereum Faces Higher Risk: Ethereum account addresses can be reused. Any wallet that has sent a transaction exposes its public key, allowing it to be taken over by quantum computing. This necessitates a community-wide migration to quantum-safe keys.
- Industry Timeline Estimates: Expert Justin Drake puts the probability at 10% before 2030 and 50% before 2032. NIST/NSA targets phasing out vulnerable cryptography by 2035.
Original Author: Derrick Cui
Original Compilation: TechFlow
TechFlow Introduction: Although theoretical advancements have reduced the quantum hardware requirements for breaking elliptic curve cryptography from 317 million physical qubits (2022) to 500,000 (2026), current quantum computers can only run real algorithms with about 105 qubits, leaving a gap of several orders of magnitude before a practical attack becomes feasible. This article deconstructs exactly what is needed to break ECC and how far away that day truly is.
Key Points
The table below compares the theoretical requirements for breaking ECC (Elliptic Curve Cryptography, used in TLS, Bitcoin, and HTTPS) according to a 2026 paper versus current actual progress. The conclusion: we are far from there.
The biggest progress has been theoretical, such as algorithm and error correction designs reducing the required number of operations and qubits from approximately 317 million physical qubits (2022) to under 500,000 (2026). Hardware has also improved (two-qubit gate fidelity increased from about 90% in 2005 to over 99.9% today, coherence time extended from about 1 microsecond to about 1 millisecond). However, the most critical hardware metric—the number of usable qubits in a single machine—has barely grown: about 105 qubits capable of running real algorithms, while the requirement is roughly 500,000.

Q-Day (the day quantum computing breaks cryptography) estimates:
Justin Drake estimates a 10% probability before 2030 and a 50% probability before 2032.
The US National Institute of Standards and Technology / National Security Agency target the deprecation of vulnerable cryptography by 2035.
Quantum computing has no equivalent of Moore's Law. Requirements dropped by a factor of about 600x in four years, while machine scale may have only increased by 10x over the past decade. Therefore, it's impossible to know the real timeline.
Current Frontiers in Quantum Computing Progress
Definitions:
Physical Qubits: Total number of qubits in a quantum computer.
Logical Qubits / Error-Corrected Qubits: Qubits practically usable after error correction (the classical computing analog is the ratio of information bits to total bits). For example, a distance-5 code in quantum computing uses approximately 49 physical qubits to store 1 qubit of information.
Non-Clifford Gates: Computations applied to qubits that are difficult for classical machines to simulate. Includes T gates.
T Gate: An operation that applies a 45-degree phase rotation to a single qubit. Inducing a T gate depends on the quantum computer's hardware; for superconducting quantum computers, microwave pulses are used to induce this effect.
Magic States: Pre-fabricated, single-use qubits that have a non-Clifford gate pre-baked into them. Since non-Clifford gates cannot be directly applied to error-corrected qubits, you consume a magic state to indirectly apply the gate—via entanglement + measurement + correction (a process known as gate "teleportation").
Toffoli Gate: Acts on 3 qubits (2 control bits, 1 target bit), flipping the target bit only if both control bits are 1. It is constructed from about 7 T gates (optimized to 4) plus Clifford gates. On error-corrected qubits, the only way to apply a Toffoli gate is by consuming a magic state.
Shor's Algorithm: Invented in 1994 as a method for quantum computers to break RSA and ECC (by solving the period-finding problem).
Syndrome: The stream of results produced by qubits used to detect whether errors have occurred in data qubits ("check qubits").
Distillation: The process of combining many noisy magic states, consuming 15 noisy states to output a much cleaner state.
Breaking ECC with Shor's Algorithm:
In 2026, a paper introduced new circuit designs and "pre-processing" for Shor's algorithm, requiring fewer computations to break ECC (which would compromise Bitcoin, Ethereum, SSH, TLS, HTTPS).
This paper theorizes that breaking ECC is possible on a superconducting quantum computer, requiring approximately 1,200 logical qubits to chain about 90 million Toffoli gates error-free. At current error correction levels, this implies approximately 500,000 physical qubits and several minutes of runtime.
Computational Pipeline
General flow: Place physical qubits on a chip → Bundle many physical qubits into each error-corrected logical qubit → Run the algorithm's gates on the logical qubits, consuming magic states for difficult (non-Clifford) gates → Measure and post-process on a classical computer.
Starting from noisy physical qubits
Challenge: Physically fitting enough qubits into a single machine (control wiring, decoding chips, laser beams, wiring, etc.).
Progress: Improvements in algorithm design have reduced requirements from about 317 million qubits (2022) to about 9 million (Litinski 2023) to 500,000 (2026). Caltech used optical tweezers to fix 6,100 qubits in 2025 (fixing them, not computing). IBM's Condor chip can hold 1,121 qubits, but is too noisy to run real algorithms. The largest chip that has run actual algorithms has about 105 qubits (Google Willow, March 2026).
Bundling them into reliable logical qubits via error correction
Challenge: The 2026 paper requires approximately 90 million Toffoli gates to be chained sequentially, and each must succeed. The logical error rate per operation must be lower than about 1/90,000,000. In practice, the target ("North Star") is a logical error rate of about 10⁻⁹ or lower.
Progress: In 2024, Google demonstrated that 1 logical qubit (distance-7) made from 101 physical qubits had an error rate 2.14x lower than one made from 49 physical qubits (distance-5), which in turn was 2.14x lower than 17 physical qubits (distance-3). This paper proved that errors continue to decrease as physical qubits increase. The error rate for 101 qubits (distance-7) is 1.4×10⁻³ per cycle; approximately one million times too high.
Keeping error correction running to keep them alive
Challenge: Decoding becomes harder as the number of qubits increases. Superconducting quantum computers emit rounds of syndrome data approximately every 1 microsecond. Classical decoders must fully process each round in less than about 1 microsecond, continuously. Decoding must keep pace with the number of qubits added to the computer.
Progress: Riverlane's local clustering decoder (Nature Communications, December 2025) is the first hardware (FPGA) decoder to achieve sub-1 microsecond per round with adaptivity. Google's AlphaQubit 2 (March 2026) performs real-time neural decoding up to distance 11 in under 1 microsecond per cycle; simulations suggest one TPU could reach distance 25. Still a long way from the 500,000-qubit scale.
Consuming magic states to execute difficult gates
Challenge: Each difficult gate (Toffoli) consumes a magic state, and ECC requires about 90 million of them. Manufacturing and purifying magic states fast enough is a major throughput bottleneck. A distillation factory is a block of logical qubits + routing channels that sit idle during computation. At scale, factories typically comprise about 2-10% of total physical qubits.
Progress: Magic state cultivation (2024) significantly reduced the cost per magic state. QuEra demonstrated logical-level distillation using only 5 logical qubits in 2024.
Measurement → Classical Computer completes the math
Not a bottleneck. Measuring logical qubits and running classical post-processing (measurement results → period → private key) is well-understood and low-cost.
Some research frontiers I haven't discussed:
Fast clock vs. slow clock architectures
Modular/multi-chip architectures
Sub-threshold error-correcting codes
Surface codes vs. qLDPC codes: I haven't discussed IBM's progress on qLDPC because they have only demonstrated storing qubits (memory) so far, not performing computations on them.
Magic state costs
Magic state routing/compilation
Coherence times
Running storage vs. computation on qubits
Cryogenic control electronics
Leakage and Related Errors
Bitcoin Risk
There is much fear-mongering about breaking Bitcoin's ECC. What does breaking ECC actually mean for Bitcoin?
Shor's algorithm allows an attacker to recover your private key k given your public key Q. Once they achieve this, they become you. They can sign a transaction moving your coins to themselves, which would be a perfectly valid transaction.
However, a Bitcoin address is not your public key, but a hash of your public key (SHA-256 followed by RIPEMD-160). Hashing is a different mathematical operation and cannot be broken by Shor's algorithm.
But, to authorize a transaction, you must reveal the public key Q, which stays on the chain permanently. Therefore, any address that has ever sent Bitcoin to another address could potentially be compromised. Modern wallets address this by transferring the entire balance to a new address each time they send Bitcoin.
Approximately 6.7 million BTC are already exposed and could potentially be stolen via quantum computing.
Justin Drake also wrote about the risk of private keys being stolen within the 10-minute Bitcoin block time. The paper he cites suggests this could be done within 9 minutes. This problem is far less severe than the potential loss of the 6.7 million BTC already exposed.
The only real way to solve this problem is for everyone to switch to quantum-safe keys (the technology already exists) and, after a certain period, destroy any Bitcoin that hasn't been transferred. Getting the Bitcoin community to agree on this will be a monumental task.
Ethereum Risk
Ethereum uses the same curve (secp256k1) and the same signature scheme (ECDSA) as Bitcoin, so the underlying method of breaking it is identical: given the public key, Shor's algorithm recovers the private key, and the private key holder is the account owner.
Ethereum has persistent accounts, meaning addresses are reused. This means if quantum computing were viable today, every wallet that has ever sent a transaction could be taken over.
Replacing ECDSA is straightforward. The problem is that post-quantum signatures are much larger than ECDSA, meaning nodes must store more memory. This is also why Ethereum is moving to ZK while changing the signature scheme.
It also requires every user to actively migrate from old keys to new keys. Accounts that people fail to transfer must be destroyed to prevent hackers from controlling them.
Technical Explanation
Public-key cryptography allows two parties to communicate securely over an untrusted network (like the public internet) without needing to share a secret beforehand.
There are many different protocols (think of them as end-use tools suitable for specific use cases). Examples include Diffie-Hellman key exchange, ECDSA signatures, and RSA encryption. Their underlying hard problems are the discrete logarithm, the elliptic curve discrete logarithm, and factorization, respectively. The core mathematical bottleneck that makes them hard for classical computers is periodicity.
The actual mathematical operation that quantum computers are capable of is finding periods.
What is ECC
ECC (used in TLS, Bitcoin, and HTTPS) is built on a one-way street. Starting from a public point G on the curve, "jump" k times to reach a new point Q. Jumping forward is fast. However, if someone shows you the start point (G) and the end point (Q), figuring out how many jumps were taken is computationally infeasible.
The number of jumps k is your private key; the endpoint Q is your public key. Everyone can see your start and end points, but only you know the number of steps between them.
Mathematical explanation:
An elliptic curve is simply a set of points in a finite field satisfying the equation y² = x³ + ax + b.
G is the base point (public, fixed by a standard). For a private key k, the public key is the point Q = kG.
Calculating Q from k via double-and-add requires O(log k) group operations.
Recovering k from (G, Q) is the ECDLP (Elliptic Curve Discrete Logarithm Problem). The classical method is trial and error, so it is very slow.
Shor's algorithm solves the ECDLP in polynomial time, reducing it to finding the period on the group generated by G.

This is an elliptic curve. 
A diagram showing EC point multiplication on y² ≡ x³ + 7 (mod 17). The curve and base point G are public, and the endpoint Q is also public. The secret is k = 6, the number of jumps from G to Q. Computing forward (Q = kG) is fast; recovering k from G and Q has no known classical shortcut. This example uses mod 17, so you can count the jumps—real ECC uses a modulus space of about 2²⁵⁶.
How Shor's Algorithm Breaks ECC
Breaking ECC boils down to a seemingly simple function: f(x, y) = xG + yQ, where G is the public generator and Q is the public key you are attacking. Since Q = kG, this is effectively f(x, y) = (x + ky)G.
This leads to a consequence: stepping the input by (k, −1) never changes the output, because (x + k) + k(y − 1) = x + ky. So f repeats along parallel diagonals through the grid of (x, y), and the direction of these diagonals encodes k (the private key).
Finding this direction requires two different (x, y) pairs that produce the same output. Classical methods must search for such collisions via brute force.
Quantum computers allow you to:
Evaluate f for all (x, y) pairs simultaneously in superposition, so the entire striped grid exists in the machine at once.
But you still can't observe—measurement would collapse


