Today, Google Quantum AI published a research paper that might boost the post-quantum migration. Their team has tailored Shor's algorithm to solve the 256-bit Elliptic Curve Discrete Logarithm Problem (ECDLP is the hard mathematical problem that secures ECDSA, the signature scheme underpinning most blockchains, TLS certificates, and countless authentication systems) using fewer than 1,200 logical qubits and 90 million Toffoli gates. Translated to hardware: fewer than 500,000 physical qubits, executing in a few minutes. A few minutes. Less than a Bitcoin block time. Less than two Ethereum epochs. The long-standing argument that public keys can simply remain hidden is now moot.

What exactly changed

Shor's algorithm has been known since 1994 as a generic quantum approach to factoring integers and computing discrete logarithms. But "known" and "practical" are very different things. The real progress is in the engineering: how many qubits and gates you actually need once you compile the algorithm into a fault-tolerant quantum circuit. The recent algorithmic trendline is clear: every 12-18 months, the resource estimates drop significantly. And these are pure algorithmic gains: they compound on top of hardware improvements, which remain a major challenge. However, as of today, we're still far from having such a quantum computer. This didn't change.

Zero Knowledge Proof

Here's where it gets interesting. Google chose not to publish their optimized circuits. Instead, they released a zero-knowledge proof that their circuits achieve the claimed resource counts. We have no doubt they know how to do it, but no clue how. The reasons are likely multiple: competitive advantage, national security implications... Regardless, it establishes a powerful (and elegant) precedent. What's ironic: Google's ZK proof is not itself post-quantum secure.

What's next?

The good news is that we already have the tools: Post-Quantum Cryptography; now we need to migrate. A few days ago, Google announced it is targeting 2029 for full post-quantum readiness. NIST plans to deprecate RSA signatures by 2030 and disallow all legacy algorithms by 2035. Cryptography exists to create mathematical trust in the security of systems. That trust is now being eroded, not by a working attack, but by the increasingly credible prospect of one. In security, the moment you start doubting the foundation is the moment you should be rebuilding it.

What this means for blockchains

For blockchain ecosystems specifically, the threat is central. ECDSA on secp256k1 (Bitcoin) and P-256 curves is the cornerstone of security. Unlike traditional systems where you can rotate certificates behind a corporate firewall, blockchain migration requires coordination across decentralized, permissionless networks. This process will likely take time. I'll be diving deeper into the concrete challenges and strategies for PQC migration on blockchains and secure systems at my keynote this Thursday at the EthCC conference.
Role of Shor Code in Quantum Technology
Summary
Shor code is a quantum error-correcting code designed to protect quantum information from errors, and it plays a crucial role in making quantum technology, like quantum computers, reliably perform complex tasks such as breaking cryptographic schemes. Recent research shows that advances in Shor's algorithm and its error correction techniques are dramatically narrowing the gap between theoretical quantum attacks and practical applications in fields like blockchain and cybersecurity.
- Understand cryptography risks: Recognize that quantum technology advancements are making it possible to break current cryptographic protections, so organizations should start planning transitions to post-quantum security.
- Monitor resource estimates: Stay informed about how fewer qubits and improved error correction are reducing the hardware requirements for quantum computers, as these shifts signal how close we are to real-world impacts.
- Coordinate migration strategies: Prepare for coordinated updates in decentralized systems, such as blockchains, to ensure security as quantum technology becomes more accessible.
When I published my latest column in Frankfurter Allgemeine Zeitung on #quantum computing and its implications for #Bitcoin a few weeks ago (links to the German and English article in the comments), I didn't expect the next major development to arrive this quickly. Last week, two all-star research teams spanning quantum computing, cryptography, and blockchain published two papers (links in the comments) that dramatically lower the estimated resources needed to break the elliptic curve cryptography (ECC-256) securing virtually every major blockchain.

🔍 What's the issue?

Bitcoin's security rests on asymmetric cryptography, specifically on elliptic curves. Put simply, it is virtually impossible for conventional computers to derive a private key (the password) from a public key (the account number). A sufficiently powerful quantum computer, however, could solve this problem using Shor's algorithm.

🔍 What did the papers find?

Google's paper (Babbush et al.) shows that Shor's algorithm could break ECC-256 with fewer than 500,000 physical superconducting qubits in as little as 9 minutes. That's a 20× improvement in efficiency over prior estimates. A 9-minute window matters enormously: it means not only bitcoins sitting on already-vulnerable addresses are at risk, but so-called "on-spend" attacks become feasible too. These attacks exploit the fact that public keys are briefly exposed when bitcoins are spent and before the transaction settles (typically around 10 minutes). Oratomic's paper (Cain et al.), from Caltech and UC Berkeley, shows that the same cryptography could be broken with as few as 10,000–26,000 physical qubits, albeit over days rather than minutes. While too slow for on-spend attacks, this timeframe would be more than sufficient to target bitcoins sitting on vulnerable addresses where public keys are already permanently exposed.

🔍 What this does and doesn't mean

To be clear: these papers represent algorithmic and architectural breakthroughs, not hardware breakthroughs. Quantum computers powerful enough to execute these attacks are still as likely (or unlikely) to arrive by the end of this decade as they were before. What has changed is our understanding of how little computing power would actually be needed. The gap between what's required and what's being built just got a lot smaller.
Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits, by John Preskill (Caltech): https://lnkd.in/ethGUK8B

Quantum computers have the potential to perform computational tasks beyond the reach of classical machines. A prominent example is Shor's algorithm for integer factorization and discrete logarithms, which is of both fundamental importance and practical relevance to cryptography. However, due to the high overhead of quantum error correction, optimized resource estimates for cryptographically relevant instances of Shor's algorithm require millions of physical qubits. Here, by leveraging advances in high-rate quantum error-correcting codes, efficient logical instruction sets, and circuit design, we show that Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits. Increasing the number of physical qubits improves time efficiency by enabling greater parallelism; under plausible assumptions, the runtime for discrete logarithms on the P-256 elliptic curve could be just a few days for a system with 26,000 physical qubits, while the runtime for factoring RSA-2048 integers is one to two orders of magnitude longer. Recent neutral-atom experiments have demonstrated universal fault-tolerant operations below the error-correction threshold, computation on arrays of hundreds of qubits, and trapping arrays with more than 6,000 highly coherent qubits. Although substantial engineering challenges remain, our theoretical analysis indicates that an appropriately designed neutral-atom architecture could support quantum computation at cryptographically relevant scales. More broadly, these results highlight the capability of neutral atoms for fault-tolerant quantum computing with wide-ranging scientific and technological applications.
In March 2026, Google Quantum AI showed that Shor's algorithm can break the 256-bit ECDLP securing Bitcoin and Ethereum (secp256k1) using ≤1,200 logical qubits and ≤90M Toffoli gates — about 20× cheaper in physical qubits than the best prior estimate, executable on fewer than half a million superconducting qubits in ~9 minutes from a primed state. Days later, Cain et al. at Oratomic/Caltech showed the same circuits compile onto neutral-atom arrays with high-rate qLDPC codes using as few as ~10,000 physical qubits — another ~50× reduction at the cost of days instead of minutes per attack. Take-home: the hardware gap collapsed from ~5,000× to ~2–4×. Fast-clock devices put live transactions at risk (~41% success vs Bitcoin in 9 min); slow-clock devices put ~4M BTC in dormant and key-exposed wallets at risk over days. PQC migration is no longer a long-horizon problem. Want to see exactly how it works? I built a computation-first walkthrough in the Wolfram Quantum Framework. You'll watch Shor's algorithm run end-to-end on a toy elliptic curve over GF(23) (the same pipeline as 256-bit, just smaller): elliptic-curve arithmetic from scratch, permutation-unitary oracle, 15-qubit phase estimation, continued-fractions key recovery. Then scale the resource estimates up to Google's numbers and down to Oratomic's. The exercises (with closed-form derivations) let you change the secret key, try a non-cyclic curve, watch order recovery fail when control qubits drop below the Shor–Legendre threshold, and compute the on-spend race math yourself. https://lnkd.in/gmNBSU6F #QuantumComputing #Cryptography #WolframLanguage #Bitcoin #PostQuantum
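As an added illustration of the toy walkthrough this post describes (example code written for this page, not the author's Wolfram notebook), here is the classical half of that pipeline in Python: it assumes the textbook curve y^2 = x^3 + x + 1 over GF(23) with base point (0, 1) of order 28, stands in for the quantum registers with the noise-free outcome they would return, and shows continued-fraction key recovery succeeding once the control register satisfies 2^n > r^2 and degrading below that threshold.

```python
# Added example, not the post's Wolfram notebook: the classical half of a Shor-style ECDLP
# run on the toy curve y^2 = x^3 + x + 1 over GF(23). Curve arithmetic and continued-fraction
# post-processing are real; the quantum registers are replaced by their noise-free outcome.
from math import gcd
P_MOD, A = 23, 1                # toy curve parameters; b = 1 is not needed for arithmetic
O = None                        # point at infinity
def ec_add(P, Q):               # affine addition on y^2 = x^3 + A*x + b mod P_MOD
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return O        # P + (-P)
    if P == Q: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def ec_mul(k, P):               # double-and-add scalar multiplication
    R = O
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R
def point_order(P):             # smallest r > 0 with r*P = O (fine for a 28-point toy group)
    r, Q = 1, P
    while Q is not O: Q, r = ec_add(Q, P), r + 1
    return r
def ideal_measurement(num, r, n):
    """Noise-free value an n-qubit QPE register returns when the hidden phase is num/r (constructed)."""
    return round((num << n) / r) % (1 << n)
def best_convergent(y, n, r):
    """Last continued-fraction convergent of y/2^n whose denominator is <= r."""
    num, den, p0, q0, p1, q1 = y, 1 << n, 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        p0, p1, q0, q1 = p1, a * p1 + p0, q1, a * q1 + q0
        if q1 > r: return p0, q0
        num, den = den, rem
    return p1, q1
def recover_key(y1, y2, n, r):
    """Map the measured pair (y1, y2) ~ 2^n*(u/r, k*u/r) back to k, or None on failure."""
    (p1, q1), (p2, q2) = best_convergent(y1, n, r), best_convergent(y2, n, r)
    if r % q1 or r % q2: return None           # a denominator that does not divide r is garbage
    u, v = p1 * (r // q1), p2 * (r // q2)
    if gcd(u, r) != 1: return None             # u must be invertible mod r; resample otherwise
    return v * pow(u, -1, r) % r
def success_rate(k, P, n):
    """Share of coprime samples u yielding k with n control qubits; 100% once 2^n > r^2 (Legendre)."""
    r, Q, hits, total = point_order(P), ec_mul(k, P), 0, 0
    for u in (u for u in range(1, r) if gcd(u, r) == 1):
        y1, y2 = ideal_measurement(u, r, n), ideal_measurement(k * u % r, r, n)
        k_hat = recover_key(y1, y2, n, r)
        hits, total = hits + (k_hat is not None and ec_mul(k_hat, P) == Q), total + 1
    return hits / total
```

With r = 28 the Legendre bound needs 2^n > 784, so ten control qubits per register recover every sample while five do not; scaling r to a 256-bit group order is what drives the control-register sizes behind the resource estimates quoted above.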