Background primer
The signatures that prove who owns which Bitcoin and Ether rest on a math problem that ordinary computers cannot solve. A large enough quantum computer, running an algorithm from 1994, could. Here is how that works, and what my project has to do with it.
The lock
When you own cryptocurrency, what you really own is a secret number called a private key. From that secret, a bit of math produces a matching public key, which you can share freely. Think of the public key as an open padlock you hand out to the world, and the private key as the only key that closes it.
To spend coins, you sign the transaction with your private key. Anyone can then use your public key to check that the signature is genuine, without ever seeing the secret itself. That signing-and-checking scheme is ECDSA (the Elliptic Curve Digital Signature Algorithm), and it is what proves ownership across Bitcoin, Ethereum, and most major cryptocurrencies. Break it, and you could forge someone's signature and move their coins as if they were yours.
The one-way street
The whole scheme relies on a math operation that is easy to do forward and, as far as anyone knows, practically impossible to undo. It runs on a curve. Bitcoin and Ethereum both use the same one, an elliptic curve named secp256k1, and the curve comes with a rule for “adding” two of its points to get a third (there is a live picture of that rule you can drag).
Here is the actual mechanism, and it is simpler than it sounds. Everyone using this curve shares one fixed, public point on it, called the generator G. It is not secret and not chosen per person; it is the same published point for every wallet. Your private key is just an enormous secret number, d. Your public key is the point you reach by adding d copies of G together, written Q = dG. Going forward, from d to Q, is fast even when d is astronomically large, because you can double your way there. Going backward, recovering the secret count d from the two public points G and Q, is the discrete logarithm problem.
These are the standard letters from the cryptography literature: G for the shared generator, d for the private key, Q for the public key. One more, k, appears only when you sign a message. It is a nonce, short for “number used once”: a throwaway secret picked fresh at random for every single signature, and it is not your private key. The two are tied together in a risky way, though. The signing math mixes d and k, so a k that is ever repeated or guessable lets an attacker work backward to your permanent key d. That is a weakness in how a signature gets made, not in the one-way curve lock this page is about, and it is how real wallets have still lost coins even while the curve itself held.
For an ordinary computer, that backward step would take longer than the age of the universe. It is the same idea as mixing two paint colors: combining them takes a second, but separating the mixture back into the exact originals is hopeless. That gap, easy one way and hopeless the other, is the entire reason your coins stay yours.
The threat
In 1994 the mathematician Peter Shor found a method that, on a quantum computer, undoes exactly this kind of one-way problem efficiently. Shor's algorithm is one of the foundational results of quantum computing: the textbook example of a task where a quantum machine has a decisive advantage over every ordinary computer. It is why people started taking quantum computing seriously in the first place.
It works by using quantum interference to find a hidden repeating pattern in the math, the kind of pattern that would take an ordinary computer astronomically long to find but that reveals the private key almost immediately once found. Point it at a public key Q on secp256k1, and out comes the matching private key d, the exact secret number the discrete logarithm problem was built to hide. The one-way street becomes a two-way street.
That is the whole prize. The private key d is the one number that controls the coins, so recovering it from the public key is what “breaking ECDSA” means, and it is what this project is ultimately about. My part is not running that attack; it is measuring how large a quantum computer it would take, by building the leanest possible circuit for the point addition Shor's algorithm leans on.
There is one catch, and it is the only reason your coins are safe today: Shor's algorithm needs a quantum computer far bigger than any that exists. The algorithm itself is finished and waiting. Give it a machine with enough qubits and it runs, and ECDSA falls. So the whole threat comes down to a single number: how many qubits is enough?
The catch
When people count the qubits an attack would need, they mean logical qubits: flawless, perfectly behaved ones. Real qubits are nothing like that. They are fragile and noisy, losing their state in a fraction of a second and making frequent errors.
The way around this is error correction: you gang together many noisy physical qubits and run constant checks so that together they behave like one reliable logical qubit. In the mainstream designs that today's estimates assume, one logical qubit for a computation this long takes on the order of a thousand physical ones, though the exact ratio depends on the error-correction scheme. So a design that needs 1,200 logical qubits really needs a machine with hundreds of thousands of physical qubits. This is the gap between the estimate and the engineering.
The number
Google Quantum AI has published a detailed resource estimate.
Their result: a quantum computer with fewer than about 1,200 logical qubits could break secp256k1, and in practice that would take under 500,000 physical qubits, running the attack in a matter of minutes. That was roughly a twentyfold drop from earlier estimates, which had put the figure in the millions. The threat did not get closer because hardware improved; it got closer because someone found a leaner way to do the math.
~1,200
logical qubits the attack circuit needs
<500,000
physical qubits that would take, in practice
~1,600
physical qubits in the largest commercial machine today
Where does that number come from, and how close are the machines to reaching it? That is the rest of this page.
Where I come in
Here is the part that connects to my project. That “1,200 logical qubits” number is not a guess. It comes from actually building the quantum circuit for the hardest step of Shor's attack, adding two points on the curve, and counting its pieces: how many qubits it uses and how many expensive operations it performs. The circuit is the estimate. A leaner circuit means a smaller machine would suffice, which means the threat arrives sooner.
The ECDSA.fail challenge is a public competition to build the leanest such circuit, and its score is exactly those two counts multiplied together. The circuit I reproduced and validated on my own laptop uses 1,152 logical qubits, close to the roughly 1,200 in Google's estimate. They are different circuits, so this is not the same number twice; it shows that two separate designs land at a similar width. The challenge measures the size of machine the attack would need; it does not carry the attack out.
The distance
Short answer: not close, and the machines that publish plans to get there disagree on when. Here it is broken down.
The largest commercial quantum computer today holds about 1,600 physical qubits, and research arrays have reached several thousand atoms, with one lab array at 6,100. Even so, a machine that could run this attack does not exist yet. The real question is how fast one might.
IonQ, which builds trapped-ion computers, lists about 1,600 logical qubits by 2028. IBM lists two larger machines: Starling in 2029 (200 logical qubits, 100 million operations) and Blue Jay in 2033 (2,000 logical qubits, a billion operations).
A newer entrant is attacking the other side of the equation. Oratomic, a Caltech spin-out launched in March 2026 with 300 million dollars in funding, is working on a leaner error-correction scheme instead of a leaner circuit. Its launch research claims the cost of error correction can drop from roughly a thousand physical atoms per logical qubit to about five, which would put a machine capable of running this attack at only 10,000 to 20,000 atoms, and it explicitly names Shor's algorithm as a target capability. It has no machine yet and no dated roadmap, and it describes the result itself as a theoretical existence proof, so this is an ambition rather than a schedule. But it is a second independent sign of the pattern this whole page is about: the threat timeline moves when someone makes the math cheaper.
The attack needs two things at once: about 1,200 logical qubits, and the ability to run tens of millions of operations in a row. IonQ's roadmap reports the qubit count but not an operation depth for that machine. IBM's reports both, though its machine with enough qubits, Blue Jay, is dated 2033. So the roadmaps show when each target number is planned to arrive; they do not settle which machine could run the full attack first.
Roadmaps are targets, not results, and quantum timelines have slipped before. The current record is 96 error-corrected logical qubits (QuEra, published in Nature in January 2026). But those are low-code-distance logical qubits, far weaker than the roughly 1,200 high-quality ones the attack circuit needs, so no machine today comes close to running it.
What happens next
Because the fix takes years, and you cannot start on time if you do not know the deadline. The world already has replacement signature schemes, called post-quantum cryptography, that no known quantum algorithm can break. Moving Bitcoin, Ethereum, banks, and the wider internet onto them is slow and has to begin well before a code-breaking machine is built.
An estimate of how big that machine needs to be is what tells people how much time they have to make the move. That is what this work produces: not a break, but a clearer measure of how much warning there is.
Source
The resource figures here are from Google Quantum AI's study, “Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly”, which the ECDSA.fail competition builds on. The roadmap figures link to IonQ and IBM above. Nothing here is a present-day break: no wallet or coin is at risk from today's machines.
Now you know the stakes