
Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi, Justin Drake, Dan Boneh

Abstract

This whitepaper seeks to elucidate implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem, the core of modern blockchain cryptography. We demonstrate that Shor's algorithm for this problem can execute with either <1200 logical qubits and <90 million Toffoli gates or <1450 logical qubits and <70 million Toffoli gates. In the interest of responsible disclosure, we use a zero-knowledge proof to validate these results without disclosing attack vectors. On superconducting architectures with 1e-3 physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between fast-clock (such as superconducting and photonic) and slow-clock (such as neutral atom and ion trap) architectures. Our analysis reveals that the first fast-clock CRQCs would enable on-spend attacks on public mempool transactions of some cryptocurrencies. We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling, as well as the enduring concern of abandoned assets. We argue that technical solutions would benefit from accompanying public policy and discuss various frameworks of digital salvage to regulate the recovery or destruction of dormant assets while preventing adversarial seizure. We also discuss implications for other digital assets and tokenization as well as challenges and successful examples of the ongoing transition to Post-Quantum Cryptography (PQC). Finally, we urge all vulnerable cryptocurrency communities to join the ongoing migration to PQC without delay.


Paper Structure

This paper contains 43 sections, 4 equations, 14 figures, 2 tables.

Figures (14)

  • Figure 1: Comparison of logical quantum resources (number of logical qubits and Toffoli gates) required to break 256-bit ECDLP for the secp256k1 curve, as reported by various prior works. The arrows illustrate the application of two algorithmic optimizations adopted from Litinski [Litinski2023to]: state reuse and div batching. State reuse refers to deriving multiple (here: nine) private keys from public keys in a single execution by reusing the initial phase estimation state. Div batching refers to running multiple (here: two for the visible point and nine for the point off-screen, which corresponds to $2.7\times 10^4$ logical qubits) instances of the algorithm in parallel and merging the modular division (inversion) operation across those instances; this is known as "Montgomery's trick" in the cryptography literature [Montgomery1987speeding]. Note that the main resource estimates for our approach quoted throughout this work apply to a single instance and do not include such optimizations. The plot represents resource estimates found in [Chevignard2026reducing, Litinski2023to, Kim2026new, Haner2020improved, Roetteler2017quantum, Proos2003shors, Gouzien2023performance, DallaireDemers2025brace].
  • Figure 2: Logical resources required to break $n$-bit ECDLP for curves with bit lengths of $n = 32, 64, 128, 256$.
  • Figure 3: These figures, which first appeared in [Babbush2025], illustrate that algorithms and error-correction research have dramatically decreased the resources required to solve important problems on quantum computers over the last decade. (Left) The number of physical qubits required by a superconducting qubit architecture running the surface code in the most advanced resource estimates for breaking 2048-bit RSA encryption, as a function of the year the manuscript was published. We note that some papers have claimed even fewer physical qubits by more aggressively changing hardware assumptions (e.g., by analyzing devices with higher connectivity or lower error rates), but here we elect to compare estimates that make comparable hardware assumptions. (Right) The number of Toffoli gates required by the most advanced resource estimates for computing the ground-state energy of the FeMoco molecule to chemical accuracy, as a function of the year the manuscript was published. Here, resource estimates are reported for the Reiher ("small") [Reiher2017Elucidating] and Li ("large") [Li2019Electronic] FeMoco active-space Hamiltonians. The left plot includes Refs. [jones2012layered, fowler2012surface, o2017quantum, gheorghiu2019benchmarking, Gidney2025Factoring] and the right plot includes Refs. [Reiher2017Elucidating, Lee2020hypercontraction, vonBurg2021Quantum, rocca2024reducing, Low2025Fast].
  • Figure 4: Evolution of Protocol Usage Over Time: The relative market share of transaction output scripts over time, highlighting the network's migration through major protocol upgrades. The early "Satoshi Era" (2009--2010) is defined by the Pay-to-Public-Key (P2PK, orange), which was rapidly superseded by the industry-standard Pay-to-Public-Key-Hash (P2PKH, grey). The distinct inflection points in 2017 and 2021 correspond to the activation of the Segregated Witness and Taproot soft forks, respectively. The rapid expansion of P2WPKH (dark grey) and P2TR (red) demonstrates the ecosystem's adoption of modern, weight-efficient cryptographic standards. Plot generated using data from bigquery-public-data.crypto_bitcoin [Day2018bitcoin].
  • Figure 5: Evolution of BTC supply over time by protocol type. Quantum-vulnerable balances are shown in shaded regions for each protocol. P2PK, P2TR and P2MS are considered 100% vulnerable. The remaining script types are considered vulnerable through key reuse when an address both (a) has appeared in an input and (b) currently holds a balance in unspent outputs. In the case of P2SH and P2WSH, we make the simplifying assumption that compromising the script ultimately equates to being able to steal the bitcoin (in some small number of cases this may not be true). At the time of writing, $\sim$6.9M total bitcoin across all protocols are vulnerable. Plot generated using data from bigquery-public-data.crypto_bitcoin [Day2018bitcoin].
  • ...and 9 more figures
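The Figure 1 caption names "div batching" as an application of Montgomery's trick. As an added example (not code from the paper), the technique is shown below over the secp256k1 field prime: n modular inversions are replaced by one inversion plus about 3(n-1) multiplications, which is exactly the saving obtained when the modular division step of several parallel instances is merged. The sample inputs are constructed.

```python
"""Montgomery's trick (batch modular inversion) over the secp256k1 field.
Added illustration of the 'div batching' idea from Figure 1; constructed inputs."""

P = 2**256 - 2**32 - 977  # secp256k1 field prime (a known constant)


def batch_inverse(values, p=P):
    """Return [a^-1 mod p for a in values] using a single modular inversion."""
    n = len(values)
    if n == 0:
        return []
    prefix = []            # prefix[i] = a_0 * a_1 * ... * a_i  (mod p)
    acc = 1
    for a in values:
        if a % p == 0:
            raise ZeroDivisionError("zero has no inverse mod p")
        acc = acc * a % p
        prefix.append(acc)
    inv = pow(acc, p - 2, p)   # the ONLY inversion (Fermat: p is prime)
    out = [0] * n
    for i in range(n - 1, 0, -1):
        # (a_0..a_i)^-1 * (a_0..a_{i-1}) == a_i^-1
        out[i] = inv * prefix[i - 1] % p
        # peel a_i off so that inv == (a_0..a_{i-1})^-1 for the next round
        inv = inv * values[i] % p
    out[0] = inv
    return out


def batch_divide(pairs, p=P):
    """[num/den mod p for (num, den) in pairs] sharing one inversion, the way
    several pending point-addition slopes (y2-y1)/(x2-x1) can be merged."""
    invs = batch_inverse([den for _, den in pairs], p)
    return [num * inv % p for (num, _), inv in zip(pairs, invs)]


# Constructed sample field elements (not values from the paper).
SAMPLE = [3, 5, 7, 2**200 + 11, P - 1]

if __name__ == "__main__":
    for a, a_inv in zip(SAMPLE, batch_inverse(SAMPLE)):
        assert a * a_inv % P == 1
    print("all", len(SAMPLE), "inverses correct with a single inversion")
```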
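The Figure 5 caption states the heuristic used to label balances as quantum-vulnerable: some script types always expose the public key, while hash-based types become exposed only once an address has spent (its key appeared in an input) and still holds unspent funds. As an added example (not the paper's analysis code), that heuristic is applied to a small constructed ledger; the transaction ids, addresses and amounts are made up.

```python
"""Per-script-type quantum-exposure heuristic from the Figure 5 caption,
run over a constructed toy ledger (added example; not chain data)."""
from collections import defaultdict

# Locking script reveals the public key directly (caption: 100% vulnerable).
ALWAYS_EXPOSED = {"P2PK", "P2TR", "P2MS"}
# Key/script is hashed on-chain; exposed only after a spend from the address.
HASH_BASED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}

# Constructed outputs: (txid, vout, script_type, address, value_btc)
OUTPUTS = [
    ("tx1", 0, "P2PK",   "pkA",   50.0),  # Satoshi-era coinbase, never spent
    ("tx2", 0, "P2PKH",  "addrB", 10.0),  # spent by tx4 -> key of addrB revealed
    ("tx3", 0, "P2PKH",  "addrC",  7.0),  # unspent, addrC never spent from
    ("tx4", 0, "P2PKH",  "addrB",  4.0),  # change sent back to reused addrB
    ("tx4", 1, "P2WPKH", "addrD",  5.5),  # unspent, fresh address
    ("tx5", 0, "P2TR",   "trE",    2.0),  # taproot output
]
# Constructed inputs: (spending_txid, spent_txid, spent_vout)
INPUTS = [("tx4", "tx2", 0)]


def classify_balances(outputs, inputs):
    """Return (exposed, safe): dicts of script_type -> unspent BTC."""
    spent = {(txid, vout) for _, txid, vout in inputs}
    # An address has "appeared in an input" if any of its outputs was spent.
    revealed = {addr for txid, vout, _, addr, _ in outputs if (txid, vout) in spent}
    exposed, safe = defaultdict(float), defaultdict(float)
    for txid, vout, stype, addr, value in outputs:
        if (txid, vout) in spent:
            continue  # no longer holds a balance
        if stype in ALWAYS_EXPOSED or (stype in HASH_BASED and addr in revealed):
            exposed[stype] += value
        else:
            safe[stype] += value
    return dict(exposed), dict(safe)


def exposed_total(outputs, inputs):
    """Total BTC the heuristic labels as quantum-vulnerable."""
    return sum(classify_balances(outputs, inputs)[0].values())


if __name__ == "__main__":
    print(classify_balances(OUTPUTS, INPUTS))
```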