Tick Tock Goes the ECDSA, April 2026

Quantum Doom Clock Countdown

GM frens, this is the Quantum Doom Clock with Colton Dillion and Rick Carback, the founders of Quip Network, the worldwide quantum computer. If you appreciate the blog, check out our open-source post-quantum wallets on Ethereum, Solana, and Bitcoin L2s, which can help you access quantum resources on the network. Code and docs available here.

Two papers hit arXiv this last month that demand your attention. A new resource estimate for breaking 256-bit elliptic curve cryptography — co-authored by researchers from Google Quantum AI, the Ethereum Foundation’s Justin Drake, and Stanford’s Dan Boneh — shows Shor’s algorithm can break ECDSA with fewer than 500,000 physical qubits and fewer than 70 million Toffoli gates on superconducting hardware. The paper says this "can execute in minutes." We ran the numbers on the stated parameters and estimate roughly 8-9 minutes. Separately, a team from Oratomic, Caltech, and UC Berkeley demonstrated that Shor’s algorithm can operate at cryptographically relevant scales with as few as 10,000 neutral-atom qubits — trading speed for a dramatic reduction in qubit count. Together, these results shatter even our rather aggressive narrative.

Minutes, Not Hours — Everything Changes

We predicted the qubit resource drop. We published it in January 2025 and updated our estimates to be more aggressive in April. The reduction from millions of physical qubits to under half a million is expected, but the speed is the surprise. Our previous hardware estimates put the attack window at roughly 8 hours to several weeks, with costs north of $100,000. We need to fully parse the paper, but we definitely will be updating the doom clock because executing in minutes rewrites the threat model entirely.

Neither paper mentions Bitcoin by name, though both target 256-bit elliptic curve cryptography, which is the same ECDSA that secures every Bitcoin transaction. The Google/EF/Stanford paper specifically states that "first fast-clock CRQCs would enable attacks on public mempool transactions." Our original advice for Bitcoin holders, notably keeping less than $100k in your wallet while rotating to a fresh public key hash after every transaction, had assumed an attacker would need at least hours or days of compute time to crack an exposed key. That window just slammed shut. If an attacker can derive your private key in minutes, that’s faster than most transactions confirm. The mempool becomes a hunting ground and miner extractable value (MEV) will now take on a whole new meaning!

It is also worth noting who authored the Google paper. Justin Drake is a senior researcher at the Ethereum Foundation who just last month elevated post-quantum security to a top strategic priority. Dan Boneh is one of the most cited cryptographers alive. These are the people who built the systems they are now explaining how to break.

Galaxy, We Have a Problem

Not two weeks before this paper dropped, Galaxy published a report claiming 66% of Bitcoin was not vulnerable to quantum attack. You can throw that analysis in the bin. Galaxy’s analysis rested on the same assumption we made about the time needed to crack a key. The calculus changes not just for exposed legacy keys but for every Bitcoin holder when the attack time collapses to the point where mempool transactions are live targets.

The ZK "Disclosure" — A Press Release Wrapped in Cryptography

The authors wrapped their findings in a zero-knowledge proof, stating that they "use a zero-knowledge proof to validate these results without disclosing attack vectors." An interesting choice, but we find it ultimately more marketing than substance. First, the US government can trivially compel disclosure under existing law. Second, without the underlying details, nobody else can evaluate how efficiently the algorithm would run on real hardware. Third, this is not a zero-day exploit. We are years from a machine that can execute this attack. Unless the authors believe a government already has access to a cryptographically relevant quantum computer (which is unlikely), hiding the algorithm does not fit any reasonable definition of responsible disclosure. Publish it, let the community fully vet it, and let defenders prepare.

Our Stance: March 2028, Not 2029

Google has updated their roadmap to achieve full quantum security by 2029. We are sticking with our March 2028 estimate and our recommendation for everyone to have a post-quantum security solution in place by then. The probability of a cryptographically relevant quantum computer (CRQC) arriving by March 28, 2028 is low, maybe 5%, but well above what any reasonable risk analyst worried about black swan events would use to justify an upgrade. Craig Gidney now says he would not bet against a cryptographically relevant quantum computer by 2030, placing the odds at 10% (very much in line with our thinking over a year ago). If you have loans, contracts, or custody arrangements that need to last past 2030, it is incumbent on you to upgrade now, not later.

ALL THAT SAID, we still think Bitcoin, and crypto more generally, is going to be fine. BIP-360 is looking good and Project Eleven is tracking and messaging the problem (and was cited by Google). We feel the majority of the community will upgrade with plenty of time before it becomes a macro problem, even if specific wallets are not upgradeable and may be stolen in the future. We are cautiously optimistic, and you should be too.

Architecture Matters: The 10k-Qubit Result

The Oratomic/Caltech/Berkeley paper is really an exposé on how much architecture can impact resource requirements. Using a neutral-atom architecture with high-rate quantum error-correcting codes — achieving ~30% encoding rates versus ~4% for conventional surface codes — Cain et al. show that Shor’s algorithm "can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits." For ECC-256, that’s 10,000 to 26,000 physical qubits with execution times "as few as 10 days." For RSA-2048, it’s 11,000 to 14,000 physical qubits.

The caveat is speed — days instead of minutes. But the point stands: the qubit threshold for cryptographic relevance is not a fixed number. It is a design parameter. Oratomic reduced it by an order of magnitude compared to small-code architectures and two orders of magnitude compared to planar surface codes. Clever engineering keeps pushing the number down, and we expect it to keep falling.

QPUs Continue to Scale

The hardware race is accelerating across every qubit modality. Iceberg Quantum launched its Pinnacle Architecture using QLDPC codes, claiming RSA-2048 factorization with fewer than 100,000 physical qubits — down from millions in prior estimates. Physicists outlined techniques to scale neutral-atom systems beyond 100,000 qubits, and QuEra’s 256-qubit system is already powering Berkeley Lab research into quantum defect formation.

On the superconducting side, Alice and Bob showcased advances in cat-qubit fault tolerance with their "elevator codes" slashing error rates, while Argonne and Intel deployed a 12-qubit silicon quantum dot processor — a small step but meaningful for the silicon pathway. Equal1 raised $60 million for a rack-mounted silicon quantum computer designed to slot into existing data center infrastructure like a GPU. Even Moscow State University and Rosatom deployed a 72-qubit neutral-atom prototype, signaling that the global qubit race now spans every major power.

Quantum had a significant presence at the recent NVIDIA GTC — over 40 ecosystem partner announcements and nine companies on the expo floor. This thread has a good rundown.

Quantum Advantage Takes Shape

The debate over whether quantum advantage has been achieved continues shifting from "if" to "what counts". On the applications front, Infleqtion achieved a 12-logical-qubit milestone for biomarker discovery with 0.04% error rates — one of the first demonstrations of logical qubits doing useful science. Xanadu and AMD executed hybrid quantum CFD simulations for aerospace, and IBM Research ran quantum machine learning against antibiotic resistance data with results at parity with 60-qubit experiments.

Phasecraft joined DARPA’s Quantum Benchmarking Initiative to audit utility-scale timelines — a sign that the US government is now demanding receipts, not just roadmaps. Meanwhile, researchers demonstrated that quantum computing can predict photosynthetic protein structures with potential to transform medicine, and South Korea opened its first commercial quantum-AI data center focused on drug discovery.

The Steady March from Lab to Market

The quantum computing market is projected to reach $2 billion in 2026. That number will look quaint in hindsight. IonQ crossed $100M in revenue. Xanadu raised $275M with AMD as a strategic investor. Quantonation Ventures closed a €220 million second fund, more than double their first. The money is following the qubits.

On the application side, hybrid quantum-classical workflows are gaining traction. IBM is pushing quantum-centric supercomputing as a near-term architecture. It is not replacing classical compute, but accelerating specific workloads. South Korea, Taiwan, and Switzerland all launched or expanded national quantum strategies with investments in the hundreds of millions. This is no longer a research curiosity. It is infrastructure.

Quantum Computing Quick Hits


Frequently Asked Questions

Have a question? Just e-mail us at team at quantumdoomclock dot com.

Below are the top questions we have received since our last update.

Does the Google paper mean Bitcoin can be broken today?

No. The paper describes an algorithm that could break ECDSA with fewer than 500,000 physical qubits. The largest quantum computer today has only a few thousand qubits, depending on how you count. The news is that the requirements dropped dramatically, from millions of qubits to under half a million, and from hours to minutes.

Should I move my Bitcoin to a new wallet right now?

If your Bitcoin is in a modern wallet that does not reuse addresses and uses hashed public keys (P2PKH, P2SH, or P2TR formats), your keys are not exposed on-chain until you spend. The immediate risk is to legacy P2PK addresses where public keys are permanently visible. That said, the mempool attack vector means any transaction exposes your key briefly. The best practice remains: do not hold more than you can afford to lose in any single address, and watch for post-quantum wallets as they become available.
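As an added example (not from this newsletter or from Quip Network's wallets), here is the exposure rule from this answer applied to a constructed transaction ledger: an address's key counts as public once it has spent, or immediately for P2PK outputs, and an address that receives funds after its key is public is flagged as reused. The ledger, address names and the per-address limit are assumptions made up for the example.

```python
from dataclasses import dataclass

# Per the answer above: a P2PK output publishes the raw public key at creation;
# hashed-key formats (P2PKH, P2WPKH, ...) reveal the key only when the output is spent.
EXPOSED_ON_CREATION = {"P2PK"}


@dataclass
class TxIn:
    address: str      # address whose public key this spend reveals
    value_sat: int


@dataclass
class TxOut:
    address: str
    script_type: str  # "P2PK", "P2PKH", "P2WPKH", ...
    value_sat: int


@dataclass
class Tx:
    txid: str
    inputs: list
    outputs: list


# Constructed sample ledger (hypothetical addresses, not real chain data).
SAMPLE_TXS = [
    Tx("tx1", [], [TxOut("addrA", "P2PK", 5_000_000), TxOut("addrB", "P2PKH", 2_000_000)]),
    Tx("tx2", [TxIn("addrB", 2_000_000)],
       [TxOut("addrC", "P2WPKH", 1_500_000), TxOut("addrB", "P2PKH", 400_000)]),  # change reuses addrB
]


def exposure_report(txs, limit_sat):
    """Classify each address: EXPOSED (key public, funds remain), SAFE_UNTIL_SPEND, or EMPTY.
    Also flags address reuse and balances above the caller's per-address limit."""
    balance, revealed, reused = {}, set(), set()
    for tx in txs:
        for i in tx.inputs:                       # spending publishes the key in the witness
            balance[i.address] = balance.get(i.address, 0) - i.value_sat
            revealed.add(i.address)
        for o in tx.outputs:
            if o.address in revealed:             # funds sent back to an already-public key
                reused.add(o.address)
            balance[o.address] = balance.get(o.address, 0) + o.value_sat
            if o.script_type in EXPOSED_ON_CREATION:
                revealed.add(o.address)
    report = {}
    for addr, bal in balance.items():
        status = "EMPTY" if bal <= 0 else ("EXPOSED" if addr in revealed else "SAFE_UNTIL_SPEND")
        report[addr] = {"balance": bal, "status": status,
                        "reused": addr in reused, "over_limit": bal > limit_sat}
    return report
```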

What about Ethereum?

The Ethereum Foundation, led by Justin Drake (who co-authored the Google paper), has elevated post-quantum security to a top strategic priority with $2 million in research prizes and a dedicated PQ team. Coinbase formed a quantum advisory board. Ethereum is moving faster than Bitcoin on this front, which is one advantage of having a more centralized development process.


The Clock is Ticking

The pattern from this month is unmistakable: the distance between "theoretical threat" and "engineering problem" just collapsed. Google, the Ethereum Foundation, and Stanford published an algorithm. Oratomic, Caltech, and Berkeley showed the architecture. Galaxy’s report aged like milk in two weeks. The qubit counts keep falling, the timelines keep shrinking, and the people building quantum computers are now publishing papers on how to use them to break cryptography.

We have been saying this for over a year. We will keep saying it until everyone is ready. The clock is ticking but, if the community moves, and we believe it will, the story ends well.


The Quantum Doom Clock is brought to you by Richard Carback and Colton Dillion, the cofounders of Quip Network.

The Quantum Doom Clock is a monthly mailing list that summarizes news for Quantum Computing and its effects on the cryptography and cryptocurrency spaces. We do not sell your e-mail.