<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>QUANTUM THREAT BRIEFING — ECDLP VULNERABILITY REPORT 2026</title>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link href="https://fonts.googleapis.com/css2?family=Syne:wght@400;600;700;800&family=IBM+Plex+Mono:wght@300;400;500;600&family=Libre+Baskerville:ital,wght@0,400;0,700;1,400&display=swap" rel="stylesheet">
<style>
:root {
--bg: #08080b;
--bg2: #0d0d12;
--bg3: #111118;
--border: #1c1c26;
--border2: #252530;
--text: #d4d0c8;
--text-dim: #6b6878;
--text-muted: #3a3848;
--amber: #e8920a;
--amber-dim: #7a4c05;
--cyan: #00c9a0;
--cyan-dim: #005c49;
--red: #e83a3a;
--red-dim: #5c1515;
--white: #f0ede6;
--mono: 'IBM Plex Mono', monospace;
--display: 'Syne', sans-serif;
--serif: 'Libre Baskerville', serif;
}
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
html { scroll-behavior: smooth; }
body {
background: var(--bg);
color: var(--text);
font-family: var(--mono);
font-size: 14px;
line-height: 1.7;
overflow-x: hidden;
}
/* ── SCANLINE OVERLAY ── */
body::before {
content: '';
position: fixed;
inset: 0;
background: repeating-linear-gradient(
0deg,
transparent,
transparent 2px,
rgba(0,0,0,0.08) 2px,
rgba(0,0,0,0.08) 4px
);
pointer-events: none;
z-index: 1000;
}
/* ── NOISE TEXTURE ── */
body::after {
content: '';
position: fixed;
inset: 0;
background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 256 256' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='noise'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23noise)' opacity='0.04'/%3E%3C/svg%3E");
pointer-events: none;
z-index: 999;
opacity: 0.4;
}
/* ── LAYOUT ── */
.page-wrap {
max-width: 1100px;
margin: 0 auto;
padding: 0 24px;
}
/* ── NAV SIDEBAR ── */
.sidebar {
position: fixed;
left: 0;
top: 0;
width: 220px;
height: 100vh;
background: var(--bg2);
border-right: 1px solid var(--border);
padding: 32px 0;
overflow-y: auto;
z-index: 100;
}
.sidebar-logo {
padding: 0 20px 28px;
border-bottom: 1px solid var(--border);
margin-bottom: 20px;
}
.sidebar-logo .sig {
font-family: var(--display);
font-size: 11px;
font-weight: 800;
letter-spacing: 0.15em;
color: var(--amber);
text-transform: uppercase;
}
.sidebar-logo .sub {
font-size: 9px;
color: var(--text-dim);
letter-spacing: 0.1em;
margin-top: 3px;
}
.nav-section {
padding: 0 20px;
margin-bottom: 6px;
}
.nav-label {
font-size: 9px;
letter-spacing: 0.2em;
color: var(--text-muted);
text-transform: uppercase;
margin-bottom: 8px;
margin-top: 16px;
}
.nav-link {
display: block;
font-size: 11px;
color: var(--text-dim);
text-decoration: none;
padding: 5px 8px;
border-radius: 3px;
transition: all 0.15s;
letter-spacing: 0.03em;
}
.nav-link:hover {
color: var(--white);
background: var(--border);
}
.nav-link.danger { color: var(--red); }
.nav-link.danger:hover { background: var(--red-dim); color: #ff7777; }
/* ── MAIN CONTENT ── */
.main {
margin-left: 220px;
min-height: 100vh;
}
/* ── HERO ── */
.hero {
border-bottom: 1px solid var(--border);
padding: 80px 60px 60px;
position: relative;
overflow: hidden;
background: linear-gradient(180deg, rgba(232,146,10,0.04) 0%, transparent 60%);
}
.hero::before {
content: 'CRQC';
position: absolute;
right: -20px;
top: -30px;
font-family: var(--display);
font-size: 260px;
font-weight: 800;
color: var(--amber);
opacity: 0.03;
pointer-events: none;
line-height: 1;
}
.classification-bar {
display: inline-flex;
align-items: center;
gap: 10px;
border: 1px solid var(--amber-dim);
padding: 5px 12px;
border-radius: 2px;
margin-bottom: 32px;
background: rgba(232,146,10,0.05);
}
.classification-bar .dot {
width: 6px;
height: 6px;
border-radius: 50%;
background: var(--amber);
animation: pulse 2s infinite;
}
@keyframes pulse {
0%, 100% { opacity: 1; }
50% { opacity: 0.3; }
}
.classification-bar span {
font-size: 10px;
letter-spacing: 0.2em;
color: var(--amber);
text-transform: uppercase;
font-weight: 600;
}
.hero h1 {
font-family: var(--display);
font-size: clamp(32px, 5vw, 58px);
font-weight: 800;
color: var(--white);
line-height: 1.05;
letter-spacing: -0.02em;
margin-bottom: 20px;
max-width: 720px;
}
.hero h1 em {
font-style: normal;
color: var(--amber);
}
.hero .subtitle {
font-family: var(--serif);
font-size: 17px;
color: var(--text-dim);
max-width: 600px;
line-height: 1.6;
font-style: italic;
margin-bottom: 40px;
}
.meta-row {
display: flex;
gap: 32px;
flex-wrap: wrap;
}
.meta-item {
display: flex;
flex-direction: column;
gap: 3px;
}
.meta-label {
font-size: 9px;
letter-spacing: 0.2em;
color: var(--text-muted);
text-transform: uppercase;
}
.meta-value {
font-size: 12px;
color: var(--cyan);
}
/* ── SECTIONS ── */
.section {
padding: 60px 60px;
border-bottom: 1px solid var(--border);
}
.section:last-child { border-bottom: none; }
.section-tag {
font-size: 9px;
letter-spacing: 0.25em;
color: var(--amber);
text-transform: uppercase;
margin-bottom: 14px;
display: flex;
align-items: center;
gap: 10px;
}
.section-tag::after {
content: '';
flex: 1;
height: 1px;
background: var(--border);
max-width: 60px;
}
.section h2 {
font-family: var(--display);
font-size: clamp(24px, 3vw, 36px);
font-weight: 700;
color: var(--white);
line-height: 1.15;
letter-spacing: -0.02em;
margin-bottom: 24px;
}
.section h3 {
font-family: var(--display);
font-size: 18px;
font-weight: 600;
color: var(--white);
margin: 32px 0 12px;
letter-spacing: -0.01em;
}
.section p {
color: var(--text);
max-width: 720px;
margin-bottom: 16px;
font-size: 13.5px;
}
/* ── STAT CARDS ── */
.stat-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
gap: 1px;
background: var(--border);
border: 1px solid var(--border);
border-radius: 4px;
overflow: hidden;
margin: 32px 0;
}
.stat-card {
background: var(--bg2);
padding: 24px;
transition: background 0.2s;
}
.stat-card:hover { background: var(--bg3); }
.stat-number {
font-family: var(--display);
font-size: 36px;
font-weight: 800;
line-height: 1;
margin-bottom: 8px;
}
.stat-number.amber { color: var(--amber); }
.stat-number.cyan { color: var(--cyan); }
.stat-number.red { color: var(--red); }
.stat-number.white { color: var(--white); }
.stat-label {
font-size: 11px;
color: var(--text-dim);
line-height: 1.4;
}
.stat-sub {
font-size: 9px;
color: var(--text-muted);
margin-top: 4px;
letter-spacing: 0.05em;
}
/* ── ATTACK TYPE CARDS ── */
.attack-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
gap: 16px;
margin: 28px 0;
}
.attack-card {
border: 1px solid var(--border);
border-radius: 4px;
padding: 24px;
background: var(--bg2);
position: relative;
overflow: hidden;
transition: border-color 0.2s;
}
.attack-card::before {
content: '';
position: absolute;
top: 0;
left: 0;
right: 0;
height: 2px;
}
.attack-card.red::before { background: var(--red); }
.attack-card.amber::before { background: var(--amber); }
.attack-card.cyan::before { background: var(--cyan); }
.attack-card:hover { border-color: var(--border2); }
.attack-card .type-label {
font-size: 9px;
letter-spacing: 0.2em;
text-transform: uppercase;
margin-bottom: 10px;
font-weight: 600;
}
.attack-card.red .type-label { color: var(--red); }
.attack-card.amber .type-label { color: var(--amber); }
.attack-card.cyan .type-label { color: var(--cyan); }
.attack-card h4 {
font-family: var(--display);
font-size: 20px;
font-weight: 700;
color: var(--white);
margin-bottom: 12px;
}
.attack-card p {
font-size: 12.5px;
color: var(--text-dim);
line-height: 1.6;
margin-bottom: 0;
}
.attack-card .timing {
display: inline-block;
margin-top: 14px;
font-size: 10px;
padding: 4px 10px;
border-radius: 2px;
font-weight: 600;
letter-spacing: 0.05em;
}
.attack-card.red .timing { background: var(--red-dim); color: #ff8888; }
.attack-card.amber .timing { background: var(--amber-dim); color: #ffb855; }
.attack-card.cyan .timing { background: var(--cyan-dim); color: #55ffdd; }
/* ── VULNERABILITY TABLE ── */
.vuln-table {
width: 100%;
border-collapse: collapse;
margin: 24px 0;
font-size: 12px;
}
.vuln-table th {
text-align: left;
padding: 10px 14px;
font-size: 9px;
letter-spacing: 0.15em;
text-transform: uppercase;
color: var(--text-muted);
border-bottom: 1px solid var(--border);
font-weight: 500;
}
.vuln-table td {
padding: 12px 14px;
border-bottom: 1px solid var(--border);
vertical-align: middle;
color: var(--text);
}
.vuln-table tr:hover td { background: var(--bg2); }
.tag {
display: inline-block;
padding: 2px 8px;
border-radius: 2px;
font-size: 9px;
font-weight: 600;
letter-spacing: 0.1em;
text-transform: uppercase;
}
.tag.high { background: var(--red-dim); color: #ff9999; }
.tag.med { background: var(--amber-dim); color: #ffbb66; }
.tag.low { background: var(--cyan-dim); color: #66ffdd; }
.tag.safe { background: #0f2a1c; color: #55cc88; }
.tag.unknown { background: #1c1c26; color: var(--text-dim); }
/* ── CALLOUT BOXES ── */
.callout {
border-left: 3px solid;
padding: 18px 22px;
border-radius: 0 4px 4px 0;
margin: 24px 0;
background: var(--bg2);
}
.callout.amber { border-color: var(--amber); background: rgba(232,146,10,0.04); }
.callout.red { border-color: var(--red); background: rgba(232,58,58,0.04); }
.callout.cyan { border-color: var(--cyan); background: rgba(0,201,160,0.04); }
.callout .callout-label {
font-size: 9px;
letter-spacing: 0.2em;
text-transform: uppercase;
font-weight: 600;
margin-bottom: 8px;
}
.callout.amber .callout-label { color: var(--amber); }
.callout.red .callout-label { color: var(--red); }
.callout.cyan .callout-label { color: var(--cyan); }
.callout p {
font-size: 13px;
margin-bottom: 0;
max-width: none;
}
/* ── TIMELINE ── */
.timeline {
position: relative;
padding-left: 32px;
margin: 28px 0;
}
.timeline::before {
content: '';
position: absolute;
left: 8px;
top: 6px;
bottom: 6px;
width: 1px;
background: var(--border2);
}
.timeline-item {
position: relative;
margin-bottom: 28px;
}
.timeline-item::before {
content: '';
position: absolute;
left: -28px;
top: 6px;
width: 8px;
height: 8px;
border-radius: 50%;
background: var(--border2);
border: 2px solid var(--bg);
}
.timeline-item.active::before { background: var(--amber); }
.timeline-item.warning::before { background: var(--red); }
.timeline-item .tl-label {
font-size: 9px;
letter-spacing: 0.15em;
color: var(--amber);
text-transform: uppercase;
margin-bottom: 4px;
}
.timeline-item.warning .tl-label { color: var(--red); }
.timeline-item h4 {
font-family: var(--display);
font-size: 16px;
font-weight: 600;
color: var(--white);
margin-bottom: 6px;
}
.timeline-item p {
font-size: 12.5px;
color: var(--text-dim);
margin-bottom: 0;
}
/* ── ETH VULNERABILITY MAP ── */
.eth-grid {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 1px;
background: var(--border);
border: 1px solid var(--border);
border-radius: 4px;
overflow: hidden;
margin: 28px 0;
}
@media (max-width: 700px) { .eth-grid { grid-template-columns: 1fr; } }
.eth-cell {
background: var(--bg2);
padding: 22px;
transition: background 0.2s;
}
.eth-cell:hover { background: var(--bg3); }
.eth-cell .cell-num {
font-family: var(--display);
font-size: 48px;
font-weight: 800;
color: var(--border2);
line-height: 1;
margin-bottom: 6px;
letter-spacing: -0.04em;
}
.eth-cell .cell-title {
font-family: var(--display);
font-size: 15px;
font-weight: 700;
color: var(--white);
margin-bottom: 8px;
}
.eth-cell .cell-amount {
font-size: 22px;
font-weight: 700;
color: var(--cyan);
font-family: var(--display);
margin-bottom: 6px;
}
.eth-cell p {
font-size: 12px;
color: var(--text-dim);
margin-bottom: 0;
}
/* ── GLOSSARY ── */
.glossary-grid {
display: grid;
gap: 1px;
background: var(--border);
border: 1px solid var(--border);
border-radius: 4px;
overflow: hidden;
}
.glossary-item {
background: var(--bg2);
padding: 20px 24px;
display: grid;
grid-template-columns: 220px 1fr;
gap: 24px;
align-items: start;
transition: background 0.15s;
}
@media (max-width: 700px) {
.glossary-item { grid-template-columns: 1fr; gap: 8px; }
}
.glossary-item:hover { background: var(--bg3); }
.glossary-term {
font-family: var(--display);
font-size: 14px;
font-weight: 700;
color: var(--amber);
line-height: 1.3;
}
.glossary-term .abbr {
display: block;
font-family: var(--mono);
font-size: 9px;
font-weight: 400;
color: var(--text-muted);
letter-spacing: 0.1em;
margin-top: 3px;
}
.glossary-def {
font-size: 12.5px;
color: var(--text);
line-height: 1.65;
}
.glossary-def .quantum-note {
display: inline-block;
margin-top: 8px;
font-size: 10px;
padding: 3px 8px;
border-radius: 2px;
background: var(--red-dim);
color: #ff9999;
}
.glossary-def .pq-note {
display: inline-block;
margin-top: 8px;
font-size: 10px;
padding: 3px 8px;
border-radius: 2px;
background: var(--cyan-dim);
color: #66ffcc;
}
/* ── CODE/INLINE MONO ── */
code {
font-family: var(--mono);
background: var(--border);
padding: 1px 6px;
border-radius: 2px;
font-size: 11.5px;
color: var(--cyan);
}
/* ── FOOTER ── */
.footer {
padding: 40px 60px;
border-top: 1px solid var(--border);
background: var(--bg2);
display: flex;
justify-content: space-between;
align-items: center;
flex-wrap: wrap;
gap: 16px;
}
.footer .footer-sig {
font-family: var(--display);
font-size: 11px;
font-weight: 700;
color: var(--text-muted);
letter-spacing: 0.1em;
text-transform: uppercase;
}
.footer p {
font-size: 11px;
color: var(--text-muted);
max-width: none;
margin: 0;
}
/* ── SCROLL ANIMATION ── */
.fade-in {
opacity: 0;
transform: translateY(16px);
transition: opacity 0.5s ease, transform 0.5s ease;
}
.fade-in.visible {
opacity: 1;
transform: translateY(0);
}
/* ── MOBILE ── */
@media (max-width: 900px) {
.sidebar { display: none; }
.main { margin-left: 0; }
.hero, .section { padding: 40px 24px; }
.footer { padding: 32px 24px; }
}
/* ── PROGRESS BAR ── */
.progress-bar {
position: fixed;
top: 0;
left: 220px;
right: 0;
height: 2px;
background: var(--border);
z-index: 200;
}
.progress-fill {
height: 100%;
background: var(--amber);
width: 0%;
transition: width 0.1s;
}
@media (max-width: 900px) {
.progress-bar { left: 0; }
}
/* ── BACK TO TOP ── */
.back-top {
position: fixed;
bottom: 24px;
right: 24px;
background: var(--bg2);
border: 1px solid var(--border2);
color: var(--text-dim);
padding: 10px 14px;
font-size: 10px;
letter-spacing: 0.1em;
text-transform: uppercase;
text-decoration: none;
border-radius: 3px;
transition: all 0.2s;
opacity: 0;
z-index: 300;
}
.back-top.show {
opacity: 1;
}
.back-top:hover {
color: var(--white);
border-color: var(--amber);
}
</style>
</head>
<body>
<div class="progress-bar"><div class="progress-fill" id="progress"></div></div>
<a href="#top" class="back-top" id="backTop">↑ Top</a>
<!-- SIDEBAR -->
<nav class="sidebar">
<div class="sidebar-logo">
<div class="sig">Threat Brief</div>
<div class="sub">ECDLP · Quantum Vuln · 2026</div>
</div>
<div class="nav-section">
<div class="nav-label">Overview</div>
<a class="nav-link" href="#findings">Key Findings</a>
<a class="nav-link" href="#numbers">The Numbers</a>
<a class="nav-link" href="#attacks">Attack Types</a>
</div>
<div class="nav-section">
<div class="nav-label">By Chain</div>
<a class="nav-link" href="#bitcoin">Bitcoin</a>
<a class="nav-link" href="#ethereum">Ethereum</a>
<a class="nav-link" href="#other">Other Chains</a>
</div>
<div class="nav-section">
<div class="nav-label">Policy</div>
<a class="nav-link" href="#dormant">Dormant Assets</a>
<a class="nav-link" href="#migration">PQC Migration</a>
</div>
<div class="nav-section">
<div class="nav-label">Reference</div>
<a class="nav-link" href="#glossary">Glossary</a>
</div>
<div class="nav-section">
<div class="nav-label">Authors</div>
<a class="nav-link" href="#source">Source Paper</a>
</div>
</nav>
<!-- MAIN -->
<div class="main" id="top">
<!-- HERO -->
<section class="hero">
<div class="classification-bar">
<div class="dot"></div>
<span>Public Disclosure — March 30, 2026</span>
</div>
<h1>Quantum Computers <em>Will Break</em> Blockchain Cryptography. Here's What We Now Know.</h1>
<p class="subtitle">A plain-language guide to the most consequential cryptographic threat assessment ever published for cryptocurrency — by Google Quantum AI, Stanford, and the Ethereum Foundation.</p>
<div class="meta-row">
<div class="meta-item">
<span class="meta-label">Authors</span>
<span class="meta-value">Babbush, Zalcman, Gidney et al.</span>
</div>
<div class="meta-item">
<span class="meta-label">Institution</span>
<span class="meta-value">Google Quantum AI + Stanford + ETH Foundation</span>
</div>
<div class="meta-item">
<span class="meta-label">Published</span>
<span class="meta-value">March 30, 2026</span>
</div>
<div class="meta-item">
<span class="meta-label">Threat Level</span>
<span class="meta-value" style="color: var(--red);">Critical — Near-Term</span>
</div>
</div>
</section>
<!-- KEY FINDINGS -->
<section class="section fade-in" id="findings">
<div class="section-tag">01 — Key Findings</div>
<h2>What This Paper Actually Proved</h2>
<p>This isn't theoretical. Google's team built quantum circuits that can crack Bitcoin's cryptography and proved it with cryptographic evidence — a zero-knowledge proof that the circuits exist and work, without publishing the blueprints. Here are the five things that make this paper different from everything that came before it.</p>
<h3>1. The qubit count dropped by 20x</h3>
<p>Every previous estimate said you needed millions of physical qubits to break Bitcoin's encryption. The best prior work (Litinski 2023) needed roughly 9 million. Google got it down to under 500,000 — on standard superconducting hardware with realistic error rates. That's not a minor improvement. That's the threat moving from "maybe in 20 years" to "when someone builds the machine."</p>
<h3>2. Active transactions are at risk, not just stored funds</h3>
<p>This is the new finding nobody saw coming. At 9 minutes per private key derivation, a quantum attacker has a <strong style="color:var(--red)">41% chance</strong> of stealing your Bitcoin before your transaction even confirms. You broadcast a transaction. Your public key is now visible in the public mempool. The attacker grabs it, cracks it, broadcasts their own transaction with a higher fee, and beats you to the block. This is called an "on-spend attack" — and it changes everything about how you think about the threat.</p>
<h3>3. They used a zero-knowledge proof to disclose without weaponizing</h3>
<p>For the first time in cryptanalysis history, a team published a cryptographic proof that their attack circuits are real and meet their claimed resource specs — without publishing the actual circuits. You can mathematically verify the claim is true without learning anything useful about how to replicate the attack. This is responsible disclosure adapted for quantum threats.</p>
<h3>4. Ethereum has five separate attack surfaces Bitcoin doesn't have</h3>
<p>Bitcoin is vulnerable. Ethereum is more vulnerable and in more complex ways. The account model, smart contracts, admin keys, validator signatures, and the Data Availability Sampling mechanism each introduce distinct quantum attack vectors. Some of them don't require a live quantum computer at all — one successful attack creates a reusable exploit that works forever on classical hardware.</p>
<h3>5. ~6.9 million BTC is already exposed — and there's no clean policy answer</h3>
<p>That's roughly a third of circulating supply. 2.3 million of it is dormant — hasn't moved in five years. Probably lost keys. Possibly Satoshi's coins. If nothing changes, a quantum attacker eventually takes all of it. If you change the protocol to destroy those coins, you're confiscating private property. There's no elegant solution and the paper says so explicitly.</p>
</section>
<!-- THE NUMBERS -->
<section class="section fade-in" id="numbers">
<div class="section-tag">02 — The Numbers</div>
<h2>Resource Estimates at a Glance</h2>
<div class="stat-grid">
<div class="stat-card">
<div class="stat-number amber">&lt;500K</div>
<div class="stat-label">Physical qubits needed to break 256-bit ECDLP</div>
<div class="stat-sub">Previous best estimate: ~9 million qubits</div>
</div>
<div class="stat-card">
<div class="stat-number cyan">9 min</div>
<div class="stat-label">Time to derive a private key on a fast-clock CRQC</div>
<div class="stat-sub">Primed machine: ~4.5 min from public key reveal</div>
</div>
<div class="stat-card">
<div class="stat-number amber">70M</div>
<div class="stat-label">Toffoli gates in the low-gate circuit variant</div>
<div class="stat-sub">Prior best: ~200M gates (Litinski 2023)</div>
</div>
<div class="stat-card">
<div class="stat-number red">41%</div>
<div class="stat-label">Probability of successful on-spend attack against Bitcoin</div>
<div class="stat-sub">Assuming ~9 min key derivation vs 10 min avg block time</div>
</div>
<div class="stat-card">
<div class="stat-number red">6.9M</div>
<div class="stat-label">BTC currently vulnerable to at-rest attacks</div>
<div class="stat-sub">~33% of circulating supply — exposed public keys</div>
</div>
<div class="stat-card">
<div class="stat-number amber">2.3M</div>
<div class="stat-label">Dormant BTC — haven't moved in 5+ years</div>
<div class="stat-sub">Includes ~1M BTC attributed to Satoshi Nakamoto</div>
</div>
<div class="stat-card">
<div class="stat-number cyan">1,200</div>
<div class="stat-label">Logical qubits in the low-qubit circuit variant</div>
<div class="stat-sub">With 90M Toffoli gates — space-time tradeoff</div>
</div>
<div class="stat-card">
<div class="stat-number white">37M</div>
<div class="stat-label">ETH staked on Ethereum's consensus layer — all vulnerable</div>
<div class="stat-sub">BLS12-381 curve used for validator signatures is at-risk</div>
</div>
</div>
<div class="callout amber">
<div class="callout-label">Why this is a 20x improvement</div>
<p>The reduction in physical qubit count comes from two innovations: a more efficient logical circuit for elliptic curve point addition (the mathematical bottleneck), and better use of surface code error correction with "yoked" qubit configurations for dense logical storage. The paper validates this with a zero-knowledge proof — verifiable by anyone without revealing the circuit details.</p>
</div>
</section>
<!-- ATTACK TYPES -->
<section class="section fade-in" id="attacks">
<div class="section-tag">03 — Attack Taxonomy</div>
<h2>Three Types of Quantum Attacks</h2>
<p>Not all quantum attacks are the same. They differ in how much time the attacker needs and whether they need the quantum computer to be running during the attack. This distinction determines which assets are at risk and what mitigations actually work.</p>
<div class="attack-grid">
<div class="attack-card red">
<div class="type-label">Attack Type 01</div>
<h4>On-Spend Attack</h4>
<p>Targets transactions while they're sitting in the public mempool waiting to be confirmed. The public key is visible. The attacker has a race window — crack the key before a miner includes the original transaction in a block.</p>
<p style="margin-top:10px;">Requires a fast-clock CRQC capable of solving ECDLP in minutes. Currently possible against Bitcoin. Practically impossible against Ethereum (12s blocks) or Solana (400ms).</p>
<span class="timing">Window: ~10 min avg (Bitcoin)</span>
</div>
<div class="attack-card amber">
<div class="type-label">Attack Type 02</div>
<h4>At-Rest Attack</h4>
<p>Targets public keys that are permanently recorded on-chain, whether in P2PK scripts that store the key directly, in Taproot outputs whose locking script carries the key, or at addresses where a previous spend transaction revealed the key.</p>
<p style="margin-top:10px;">The attacker has unlimited time. Days, weeks, months. Works with slower quantum hardware (ion traps, neutral atoms). This is the threat to dormant wallets and Satoshi-era coins.</p>
<span class="timing">Window: Unlimited — key is permanently on-chain</span>
</div>
<div class="attack-card cyan">
<div class="type-label">Attack Type 03</div>
<h4>On-Setup Attack</h4>
<p>The most insidious type. Some protocols require a trusted setup ceremony that generates a secret scalar — called "toxic waste" — which must be destroyed. A CRQC can recover this secret from public parameters.</p>
<p style="margin-top:10px;">One successful attack creates a permanent, reusable backdoor. No quantum computer needed for subsequent attacks. Affects Ethereum's Data Availability Sampling (KZG), Tornado Cash, Zcash's Sapling pool, and Mimblewimble.</p>
<span class="timing">One-time quantum attack → unlimited classical exploit</span>
</div>
</div>
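<p>Added worked example, not from the paper or this brief: the race behind the 41% figure, modelled in Python. The model is an assumption introduced here: block discovery is a Poisson process, so the wait for the next block is exponential with the chain's average interval, and the attack succeeds when that wait exceeds the key-derivation time. With the page's numbers (9 min derivation against 10 min Bitcoin blocks) it gives exp(-0.9), about 41%; the 4.5 min "primed" case and the Ethereum and Solana block times from the cards above go through the same model, and a Monte Carlo run checks the closed form. Function names and the chain table are mine.</p>

```python
"""On-spend race model for a mempool transaction (constructed example).

Assumption (not taken from the paper): block discovery is a Poisson process,
so the time until the next block is exponential with mean block_interval_s.
The attacker wins the race when that wait is longer than the time needed to
derive the private key from the public key seen in the mempool.
"""
import math
import random


def on_spend_success(derive_s: float, block_interval_s: float) -> float:
    """P(next block arrives after key derivation finishes) = exp(-t / T)."""
    return math.exp(-derive_s / block_interval_s)


def max_derivation_for(target_p: float, block_interval_s: float) -> float:
    """Slowest key derivation (seconds) that still gives success probability target_p."""
    return -block_interval_s * math.log(target_p)


def simulate_on_spend(derive_s: float, block_interval_s: float,
                      trials: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: draw block waits, count attacker wins."""
    rng = random.Random(seed)
    wins = sum(rng.expovariate(1.0 / block_interval_s) > derive_s for _ in range(trials))
    return wins / trials


# Average block intervals in seconds, as quoted in the attack cards above.
CHAINS = {"Bitcoin": 600.0, "Ethereum": 12.0, "Solana": 0.4}


def race_table(derive_s: float) -> dict:
    """Success probability per chain for one key-derivation time."""
    return {name: on_spend_success(derive_s, t) for name, t in CHAINS.items()}


if __name__ == "__main__":
    for label, derive in (("cold machine, 9 min", 540.0), ("primed machine, 4.5 min", 270.0)):
        print(label)
        for name, p in race_table(derive).items():
            print(f"  {name:9} P(attacker wins) = {p:.3e}")
    print(f"Monte Carlo, Bitcoin/9 min: {simulate_on_spend(540.0, 600.0):.3f}")
    print(f"derivation time for a 50% race on Ethereum: {max_derivation_for(0.5, 12.0):.2f} s")
```

<p>The memoryless wait is what makes the Bitcoin number so high: the victim gains nothing from "the block is due soon", and only a shorter block interval or a pre-confirmation commitment to the public key changes the odds. On Ethereum the same 9-minute derivation has to beat a 12-second wait, which the model puts at roughly 10^-20; the Solana value underflows to zero.</p>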
<h3>Fast-Clock vs Slow-Clock Architectures</h3>
<p>This distinction is unique to this paper. Not all quantum computers threaten the same things.</p>
<table class="vuln-table">
<thead>
<tr>
<th>Architecture</th>
<th>Gate Speed</th>
<th>Examples</th>
<th>On-Spend</th>
<th>At-Rest</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Fast-Clock</strong></td>
<td>~1 microsecond</td>
<td>Superconducting (Google, IBM), Photonic, Silicon spin</td>
<td><span class="tag high">Capable</span></td>
<td><span class="tag high">Capable</span></td>
</tr>
<tr>
<td><strong>Slow-Clock</strong></td>
<td>~100 microseconds+</td>
<td>Ion trap (IonQ, Quantinuum), Neutral atom (QuEra)</td>
<td><span class="tag safe">Not capable</span></td>
<td><span class="tag high">Capable</span></td>
</tr>
</tbody>
</table>
</section>
<!-- BITCOIN -->
<section class="section fade-in" id="bitcoin">
<div class="section-tag">04 — Bitcoin</div>
<h2>Bitcoin's Vulnerability Breakdown</h2>
<p>Bitcoin's risk comes down to one question: is the public key visible? Different address types handle this differently. But address reuse — which is extremely common — collapses all these distinctions.</p>
<table class="vuln-table">
<thead>
<tr>
<th>Script Type</th>
<th>Prefix</th>
<th>Key Exposed?</th>
<th>At-Rest Risk</th>
<th>On-Spend Risk</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>P2PK</code></td>
<td>—</td>
<td><span class="tag high">Always</span></td>
<td><span class="tag high">High</span></td>
<td><span class="tag high">High</span></td>
<td>Satoshi era. 1.7M BTC. Key in locking script from day 1.</td>
</tr>
<tr>
<td><code>P2PKH</code></td>
<td>1...</td>
<td><span class="tag med">On first spend</span></td>
<td><span class="tag safe">Low (if never spent)</span></td>
<td><span class="tag high">High</span></td>
<td>Most used legacy type. Safe until any spend transaction.</td>
</tr>
<tr>
<td><code>P2TR</code> (Taproot)</td>
<td>bc1p...</td>
<td><span class="tag high">Always</span></td>
<td><span class="tag high">High</span></td>
<td><span class="tag high">High</span></td>
<td>Security regression vs P2PKH. Key exposed in locking script.</td>
</tr>
<tr>
<td><code>P2WPKH</code></td>
<td>bc1q...</td>
<td><span class="tag med">On first spend</span></td>
<td><span class="tag safe">Low (if no reuse)</span></td>
<td><span class="tag high">High</span></td>
<td>Current standard. Safest widely-used type today.</td>
</tr>
<tr>
<td><code>P2SH</code></td>
<td>3...</td>
<td><span class="tag med">On first spend</span></td>
<td><span class="tag safe">Low (if no reuse)</span></td>
<td><span class="tag high">High</span></td>
<td>Script hidden behind hash until spend.</td>
</tr>
<tr>
<td><code>P2MR</code> (BIP-360)</td>
<td>bc1z...</td>
<td><span class="tag low">Never at-rest</span></td>
<td><span class="tag safe">None</span></td>
<td><span class="tag med">Medium</span></td>
<td>Proposed. Removes vulnerable key path from Taproot.</td>
</tr>
</tbody>
</table>
<div class="callout red">
<div class="callout-label">The Address Reuse Problem</div>
<p>Address reuse is everywhere — exchanges, merchants, DeFi protocols — because it's convenient. But once any spend transaction exists for an address, the public key is permanently on-chain and all remaining funds at that address are as vulnerable as P2PK. The "safer" address types only protect you if you never reuse an address. In practice, roughly 6.9 million BTC already has its public key exposed by reuse alone.</p>
</div>
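<p>Added example, not part of the original brief: a small Python inventory that applies the table above and the reuse rule from the callout to a constructed UTXO set. It classifies each scriptPubKey by its standard template (the byte patterns are the real Bitcoin output templates; the hashes, keys and transaction ids are placeholders made up for this example), marks P2PK and P2TR outputs as exposed because the key sits in the locking script, and marks any other output as exposed once the same script has been spent from before. Function and variable names are mine; in practice the spent-script history would come from a full node's transaction index.</p>

```python
"""Inventory of Bitcoin outputs whose public key is already exposed on-chain.

Constructed example: the script templates are the standard ones, but the
sample UTXO set, keys, hashes and spend history below are made up.
"""
from dataclasses import dataclass

# Opcode bytes used by the standard output script templates.
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC
OP_0, OP_1 = 0x00, 0x51


def classify_script(spk: bytes) -> str:
    """Return the standard script type of a scriptPubKey, or 'nonstandard'."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH"
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH"
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "P2WSH"
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR"
    # P2PK: a pushed 33- or 65-byte public key followed by OP_CHECKSIG.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    return "nonstandard"


# Script types whose locking script itself contains the public key.
KEY_ALWAYS_EXPOSED = {"P2PK", "P2TR"}


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sat: int
    script_pubkey: bytes


def exposed_outputs(utxos, spent_scripts):
    """Return (utxo, type, reason) for outputs an at-rest ECDLP attack could take.

    spent_scripts: scriptPubKeys that have been spent from at least once, so the
    key (or redeem script) was already revealed in a scriptSig or witness.
    """
    report = []
    for u in utxos:
        kind = classify_script(u.script_pubkey)
        if kind in KEY_ALWAYS_EXPOSED:
            reason = "key in locking script"
        elif u.script_pubkey in spent_scripts:
            reason = "address reused after a spend"
        else:
            continue
        report.append((u, kind, reason))
    return report


# Template builders for the constructed sample.
def spk_p2pkh(h160): return bytes([OP_DUP, OP_HASH160, 0x14]) + h160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def spk_p2wpkh(h160): return bytes([OP_0, 0x14]) + h160
def spk_p2tr(xonly): return bytes([OP_1, 0x20]) + xonly
def spk_p2pk(pub): return bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])


# Placeholder hashes and keys, not real on-chain data.
H_A = bytes.fromhex("11" * 20)
H_B = bytes.fromhex("22" * 20)
X_C = bytes.fromhex("33" * 32)
K_D = bytes.fromhex("02" + "44" * 32)

SAMPLE_UTXOS = [
    Utxo("tx1", 0, 50_000_000, spk_p2pk(K_D)),    # P2PK: key in script from day 1
    Utxo("tx2", 1, 10_000_000, spk_p2pkh(H_A)),   # P2PKH, never spent from: safe at rest
    Utxo("tx3", 0, 20_000_000, spk_p2wpkh(H_B)),  # P2WPKH, but the address was reused
    Utxo("tx4", 0, 5_000_000, spk_p2tr(X_C)),     # Taproot: x-only key in script
]
SAMPLE_SPENT = {spk_p2wpkh(H_B)}  # constructed spend history


def exposed_value_sat(utxos=SAMPLE_UTXOS, spent_scripts=SAMPLE_SPENT) -> int:
    return sum(u.value_sat for u, _, _ in exposed_outputs(utxos, spent_scripts))


if __name__ == "__main__":
    for u, kind, reason in exposed_outputs(SAMPLE_UTXOS, SAMPLE_SPENT):
        print(f"{u.txid}:{u.vout} {kind:6} {u.value_sat:>12,} sat  {reason}")
    print("exposed total:", exposed_value_sat(), "sat")
```

<p>On the sample set only the never-spent P2PKH output stays safe at rest; the reused P2WPKH output counts as exposed even though its script type is the "safest widely-used" one, which is the point the callout makes.</p>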
<div class="callout cyan">
<div class="callout-label">What's NOT vulnerable: Proof-of-Work</div>
<p>There's a persistent myth that quantum computers could dominate Bitcoin mining via Grover's algorithm. The paper is clear: this is not a credible threat for decades. Grover's quadratic speedup is all but eliminated by quantum error correction overhead, and Bitcoin mining's massive parallelization advantage makes classical ASICs far superior. A quantum miner would achieve a hashrate roughly 10 orders of magnitude below a modern ASIC.</p>
</div>
</section>
<!-- ETHEREUM -->
<section class="section fade-in" id="ethereum">
<div class="section-tag">05 — Ethereum</div>
<h2>Ethereum's Five Attack Vectors</h2>
<p>Ethereum has a broader attack surface than Bitcoin. Its account model, smart contracts, Proof-of-Stake consensus, and data availability infrastructure each introduce vulnerabilities that don't exist in Bitcoin. All of these are at-rest attacks — a fast-clock CRQC is not needed.</p>
<div class="eth-grid">
<div class="eth-cell">
<div class="cell-num">01</div>
<div class="cell-title">Account Vulnerability</div>
<div class="cell-amount">20.5M ETH</div>
<p>Every Ethereum account that has ever sent a transaction has its public key permanently exposed, because the ECDSA signature on that transaction lets anyone recover the key (that is how the sender address is verified). Unlike Bitcoin, you can't rotate keys without abandoning your account entirely (losing your DeFi positions, governance history, reputation). An attacker with a fast-clock CRQC could crack the top 1,000 Ethereum accounts in under 9 days.</p>
</div>
<div class="eth-cell">
<div class="cell-num">02</div>
<div class="cell-title">Admin Vulnerability</div>
<div class="cell-amount">~$200B in RWAs</div>
<p>Smart contracts frequently grant admin privileges to specific accounts — the ability to pause execution, upgrade code, mint tokens, or drain funds. These admin keys are rarely rotated and often publicly visible from governance transactions. Cracking 70 such accounts with a fast-clock CRQC would take under 15 hours — and could give an attacker control over stablecoin minting, bridge liquidity, and oracle price feeds simultaneously.</p>
</div>
<div class="eth-cell">
<div class="cell-num">03</div>
<div class="cell-title">Code Vulnerability</div>
<div class="cell-amount">15M ETH in L2s</div>
<p>The smart contracts powering Layer 2 rollups and bridges use quantum-vulnerable cryptographic primitives in their validity proofs (zkSNARKs using ECDLP-based commitment schemes). Even if Ethereum's base layer upgrades to PQC, deployed L2 contracts can't be automatically recompiled. Each protocol's governance council would need to manually coordinate a migration — and in the meantime the quantum attack surface remains open.</p>
</div>
<div class="eth-cell">
<div class="cell-num">04</div>
<div class="cell-title">Consensus Vulnerability</div>
<div class="cell-amount">37M ETH staked</div>
<p>Ethereum's Proof-of-Stake consensus uses BLS signature aggregation on the BLS12-381 elliptic curve. A CRQC that breaks this can compromise validators. Controlling more than 1/3 halts finality. More than 2/3 allows rewriting chain history — an existential threat. With ~1 million validators, a concentrated attacker targeting large staking pools (Lido holds ~20%) could reach a dangerous threshold faster than targeting individual validators.</p>
</div>
<div class="eth-cell" style="grid-column: 1 / -1;">
<div class="cell-num" style="display:inline; font-size:28px; margin-right:12px;">05</div>
<span class="cell-title" style="display:inline;">Data Availability Vulnerability</span>
<div style="margin-top:12px;">
<p>This is the most insidious one. Ethereum's Data Availability Sampling (DAS) mechanism — introduced to make L2 rollups cheap and fast — uses KZG polynomial commitments on BLS12-381. These commitments require a "trusted setup" ceremony that generated a secret scalar (toxic waste) which was destroyed. A CRQC can recover that secret from publicly available parameters using Shor's algorithm. The result: a permanent, reusable backdoor that lets an attacker forge data availability proofs on classical hardware — forever — with no further need for a quantum computer. One attack, infinite classical exploits.</p>
</div>
</div>
</div>
</section>
<!-- OTHER CHAINS -->
<section class="section fade-in" id="other">
<div class="section-tag">06 — Other Blockchains</div>
<h2>Quantum Risk Across the Ecosystem</h2>
<table class="vuln-table">
<thead>
<tr>
<th>Chain</th>
<th>At-Rest Risk</th>
<th>On-Spend Risk</th>
<th>Special Vulnerabilities</th>
<th>PQC Status</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Bitcoin Cash</strong></td>
<td><span class="tag high">High</span></td>
<td><span class="tag low">Low</span></td>
<td>Inherits P2PK coins from shared history with Bitcoin</td>
<td><span class="tag unknown">None</span></td>
</tr>
<tr>
<td><strong>Litecoin</strong></td>
<td><span class="tag high">High</span></td>
<td><span class="tag low">Very Low (3%)</span></td>
<td>Mimblewimble sidechain vulnerable to on-setup attacks via Pedersen commitments</td>
<td><span class="tag unknown">None</span></td>
</tr>
<tr>
<td><strong>Dogecoin</strong></td>
<td><span class="tag high">High</span></td>
<td><span class="tag low">&lt;0.02%</span></td>
<td>1-min blocks make on-spend practically impossible today</td>
<td><span class="tag unknown">None</span></td>
</tr>
<tr>
<td><strong>Zcash</strong></td>
<td><span class="tag high">High</span></td>
<td><span class="tag low">Very Low</span></td>
<td>Sapling pool's trusted setup (toxic waste) recoverable by CRQC. Retroactive privacy degradation.</td>
<td><span class="tag med">Orchard protocol is safer — in progress</span></td>
</tr>
<tr>
<td><strong>Monero</strong></td>
<td><span class="tag high">High</span></td>
<td><span class="tag low">Low</span></td>
<td>BulletProofs and ECDH key exchange both quantum-vulnerable. On-setup attack on Pedersen commitments.</td>
<td><span class="tag unknown">Research stage</span></td>
</tr>
<tr>
<td><strong>Solana</strong></td>
<td><span class="tag high">High</span></td>
<td><span class="tag low">None (400ms)</span></td>
<td>Account model — all public keys permanently exposed after first tx</td>
<td><span class="tag med">Winternitz Vault (experimental)</span></td>
</tr>
<tr>
<td><strong>Algorand</strong></td>
<td><span class="tag med">Medium</span></td>
<td><span class="tag med">Medium</span></td>
<td>Ed25519 consensus vulnerable, but key rotation supported natively</td>
<td><span class="tag safe">Falcon signatures deployed (2025)</span></td>
</tr>
<tr>
<td><strong>QRL</strong></td>
<td><span class="tag safe">None</span></td>
<td><span class="tag safe">None</span></td>
<td>Post-quantum from inception (XMSS signatures)</td>
<td><span class="tag safe">Fully PQC since launch (2018)</span></td>
</tr>
</tbody>
</table>
</section>
<!-- DORMANT ASSETS -->
<section class="section fade-in" id="dormant">
<div class="section-tag">07 — Policy Crisis</div>
<h2>The Dormant Asset Problem Has No Clean Answer</h2>
<p>Roughly 2.3 million BTC hasn't moved in five years or more. Most of it is locked in old P2PK scripts — public key permanently on-chain. The keys are almost certainly lost. But there's no way to verify that. And there's no way to make them safe without changing the protocol. The paper presents three options the Bitcoin community is debating, none of which is satisfying.</p>
<div class="timeline">
<div class="timeline-item active">
<div class="tl-label">Option 01</div>
<h4>Do Nothing</h4>
<p>Leave the protocol unchanged. Quantum attackers eventually take the dormant coins. Preserves property rights and the fixed supply principle — but hands billions of dollars to whoever builds the first CRQC, potentially a rogue state or criminal organization. Supply shock when those coins re-enter circulation.</p>
</div>
<div class="timeline-item">
<div class="tl-label">Option 02</div>
<h4>Burn</h4>
<p>Protocol change that renders dormant P2PK assets unspendable after a specific date — effectively confiscating them. Prevents quantum salvage and supply shock. But it sets a confiscatory precedent, expropriates anyone who genuinely still has their keys, and is deeply controversial in the Bitcoin community. Requires broad consensus to implement.</p>
</div>
<div class="timeline-item">
<div class="tl-label">Option 03</div>
<h4>Hourglass</h4>
<p>Rate-limit how many dormant coins can be spent per block — creating a bottleneck that slows the supply shock and sets up a fee-auction dynamic where quantum attackers bid for block inclusion. Doesn't prevent theft, just slows and monetizes it for miners. Doesn't confiscate either.</p>
</div>
<div class="timeline-item active">
<div class="tl-label">Option 04 — Paper's Proposal</div>
<h4>Digital Salvage (Bad Sidechain)</h4>
<p>A regulated recovery framework — like maritime salvage law applied to crypto. A special-purpose sidechain where CRQC operators deposit recovered dormant assets. Automated and manual processes verify offchain ownership proofs (mnemonic phrases, Project 11 yellowpages registry). Rightful owners get their funds back; unclaimed assets follow a defined burn/distribution schedule. Governments legalize the salvage while recommending the Bitcoin community vote to burn. The only option that tries to return funds to real owners.</p>
</div>
<div class="timeline-item warning">
<div class="tl-label">The Hard Truth</div>
<h4>The Paper's Conclusion</h4>
<p>An informal poll at the 2025 Presidio Bitcoin Quantum Summit found roughly equal support for each of the three main options. No consensus. The paper concludes: "it is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced." Meaning the first sign a CRQC exists might be anomalous on-chain activity — a dormant wallet draining, a statistically impossible front-run, validator keys compromised in patterns that suggest a quantum attack. We may not get advance warning.</p>
</div>
</div>
</section>
<!-- PQC MIGRATION -->
<section class="section fade-in" id="migration">
<div class="section-tag">08 — The Path Forward</div>
<h2>Migrating to Post-Quantum Cryptography</h2>
<p>The only durable solution is replacing ECDLP-based cryptography with post-quantum alternatives. NIST has standardized several candidates. The migration is technically feasible — several blockchains have already done it — but logistically hard and contentious in the Bitcoin community specifically.</p>
<h3>What PQC Actually Costs</h3>
<p>Post-quantum signatures are not free. The tradeoffs are real and this is why migration is controversial:</p>
<div class="stat-grid" style="margin: 20px 0;">
<div class="stat-card">
<div class="stat-number white">64–73</div>
<div class="stat-label">bytes — ECDSA signature size (current Bitcoin)</div>
</div>
<div class="stat-card">
<div class="stat-number amber">~1,280</div>
<div class="stat-label">bytes — Falcon (PQC) signature size used on Algorand</div>
</div>
<div class="stat-card">
<div class="stat-number red">20x</div>
<div class="stat-label">Increase in signature size — means fewer transactions per block if block size stays constant</div>
</div>
<div class="stat-card">
<div class="stat-number cyan">Months</div>
<div class="stat-label">Time to migrate all BTC at current network transaction rate — even if everyone starts today</div>
</div>
</div>
<h3>Chains That Have Already Moved</h3>
<table class="vuln-table">
<thead>
<tr>
<th>Chain</th>
<th>PQC Scheme</th>
<th>Type</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>QRL</strong></td>
<td>XMSS + ML-DSA</td>
<td>Hash-based</td>
<td><span class="tag safe">Live since 2018</span></td>
</tr>
<tr>
<td><strong>Algorand</strong></td>
<td>Falcon (FN-DSA)</td>
<td>Lattice-based</td>
<td><span class="tag safe">First PQC tx in 2025</span></td>
</tr>
<tr>
<td><strong>Solana</strong></td>
<td>Winternitz Vault (WOTS)</td>
<td>Hash-based</td>
<td><span class="tag med">Experimental</span></td>
</tr>
<tr>
<td><strong>XRP Ledger</strong></td>
<td>ML-DSA</td>
<td>Lattice-based</td>
<td><span class="tag med">AlphaNet deployment</span></td>
</tr>
<tr>
<td><strong>Abelian</strong></td>
<td>Lattice-based full stack</td>
<td>Lattice-based</td>
<td><span class="tag safe">Live — privacy-preserving PQC</span></td>
</tr>
</tbody>
</table>
<div class="callout cyan">
<div class="callout-label">The Window Is Still Open — For Now</div>
<p>The paper's final word: "We contend that the amount of time remaining before the arrival of CRQCs still exceeds the amount of time needed to migrate public blockchains to PQC, though the margin for error is increasingly narrow." The time to start is now, not after the first confirmed CRQC attack. By then, it's too late for a significant portion of assets.</p>
</div>
</section>
<!-- GLOSSARY -->
<section class="section fade-in" id="glossary">
<div class="section-tag">09 — Reference</div>
<h2>Glossary of Terms</h2>
<p>Every technical term used in this briefing, defined in plain language.</p>
<div style="margin-top: 28px;" class="glossary-grid">
<div class="glossary-item">
<div>
<div class="glossary-term">Elliptic Curve Discrete Logarithm Problem
<span class="abbr">ECDLP</span>
</div>
</div>
<div class="glossary-def">The mathematical problem that underlies almost all blockchain cryptography. Given a public key (a point on an elliptic curve), find the private key (the scalar that generated it). On classical computers, this is computationally infeasible. On a sufficiently large quantum computer running Shor's algorithm, it can be solved efficiently. This is the root vulnerability the entire paper revolves around.
<span class="quantum-note">⚠ Broken by quantum computers</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Cryptographically Relevant Quantum Computer
<span class="abbr">CRQC</span>
</div>
</div>
<div class="glossary-def">A quantum computer large and accurate enough to actually run Shor's algorithm against real-world cryptographic key sizes (256-bit and up). Not just a quantum computer — the specific threshold of capability needed to break deployed cryptosystems. The paper estimates this requires fewer than 500,000 physical qubits with standard error rates. Does not yet exist, but the paper argues the timeline is shortening dramatically.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Shor's Algorithm
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">A quantum algorithm invented by Peter Shor in 1994 that solves the integer factoring problem and the discrete logarithm problem (including ECDLP) in polynomial time — exponentially faster than the best classical algorithms. It's why quantum computers threaten RSA and elliptic curve cryptography. It does not help with hash functions, which is why Proof-of-Work is safe.
<span class="quantum-note">⚠ Core attack algorithm</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Post-Quantum Cryptography
<span class="abbr">PQC</span>
</div>
</div>
<div class="glossary-def">Cryptographic algorithms designed to be secure against both classical and quantum computers. Does not require a quantum computer to run — these are classical algorithms with different mathematical hardness assumptions. NIST standardized the first PQC algorithms in 2024: ML-KEM (lattice-based key encapsulation), ML-DSA (lattice-based signatures), and SLH-DSA (hash-based signatures). These are larger and slower than ECDLP-based equivalents but quantum-resistant.
<span class="pq-note">✓ Quantum resistant</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Toffoli Gate
<span class="abbr">CCX / CCNOT</span>
</div>
</div>
<div class="glossary-def">A specific three-qubit quantum logic gate used as the primary unit of computation in fault-tolerant quantum circuits. It's the most expensive operation in terms of error correction overhead, so researchers count Toffoli gates to measure circuit complexity — like measuring FLOPS for classical computing. The paper reduced the Toffoli count for breaking ECDLP from ~200 million (prior work) to 70–90 million.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Logical vs Physical Qubits
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">Physical qubits are the actual hardware components — they're noisy and error-prone. Logical qubits are error-corrected "virtual" qubits built from many physical qubits, reliable enough for computation. The paper needs ~1,200–1,450 logical qubits to break ECDLP, but logical qubits require dozens to hundreds of physical qubits each to maintain through error correction — hence the ~500,000 physical qubit estimate.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Surface Code
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">The leading quantum error correction scheme for superconducting qubits. It arranges qubits in a 2D grid where neighboring qubits monitor each other for errors. It's practical because it only requires local (nearest-neighbor) interactions, which real hardware can implement. The downside: it has a low encoding rate — many physical qubits per logical qubit. The paper's estimates assume standard surface code. More aggressive approaches (qLDPC codes) could reduce the qubit count further.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Zero-Knowledge Proof
<span class="abbr">ZKP / ZK</span>
</div>
</div>
<div class="glossary-def">A cryptographic method that lets you prove you know something without revealing what you know. Example: prove you know the private key for a Bitcoin address without revealing the key itself. The paper uses a ZK proof in a novel way — proving that a quantum attack circuit exists and meets certain resource specs, without revealing the circuit itself (which would be a weapon blueprint). Two major flavors: SNARKs (smaller proofs, require trusted setup) and STARKs (larger proofs, no trusted setup, post-quantum safe).</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">zkSNARK
<span class="abbr">Zero-Knowledge Succinct Non-interactive Argument of Knowledge</span>
</div>
</div>
<div class="glossary-def">A type of ZK proof that is very small and fast to verify. The "succinct" part means the proof size and verification time are tiny regardless of how complex the underlying computation was. The downside: most zkSNARKs (like Groth16, Plonk) rely on elliptic curve pairings for their efficiency — which are ECDLP-based and quantum-vulnerable. Used extensively in Ethereum L2 rollups (zkSync, Polygon zkEVM, etc.).
<span class="quantum-note">⚠ Pairing-based SNARKs are quantum-vulnerable</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">zkSTARK
<span class="abbr">Zero-Knowledge Scalable Transparent Argument of Knowledge</span>
</div>
</div>
<div class="glossary-def">A type of ZK proof that uses only hash functions — no elliptic curves, no pairings, no trusted setup. "Transparent" means anyone can verify the setup parameters. Hash functions are believed to be quantum-resistant: the best known quantum attack on them is Grover's algorithm, whose quadratic speedup is offset simply by doubling output sizes. STARKs are larger and slower to verify than SNARKs, but post-quantum safe. Used by StarkWare, Starknet, and the SP1 zkVM (which the paper itself uses).
<span class="pq-note">✓ Post-quantum safe (hash-based)</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Groth16
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">The most widely deployed zkSNARK construction, designed by Jens Groth in 2016. It produces extremely small proofs (~200 bytes) that verify cheaply on-chain. The catch: it uses the BN254 (alt_bn128) pairing-friendly elliptic curve, which is ECDLP-based and quantum-vulnerable. It also requires a trusted setup. Zcash's Sapling pool, many Ethereum L2s, and even the paper's own ZK disclosure mechanism use Groth16. The paper notes the irony that their responsible disclosure proof is itself vulnerable to quantum forgery.
<span class="quantum-note">⚠ ECDLP-based — quantum vulnerable</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">KZG Commitment
<span class="abbr">Kate-Zaverucha-Goldberg</span>
</div>
</div>
<div class="glossary-def">A polynomial commitment scheme that lets you commit to a polynomial and later prove evaluations of it efficiently. Used in Ethereum's Data Availability Sampling (EIP-4844) and in many zkSNARK systems. Requires a trusted setup (the "powers of tau" ceremony) and relies on the BLS12-381 elliptic curve. The paper explains that a CRQC can recover the toxic waste from the KZG trusted setup, creating a permanent backdoor. This is the on-setup attack vulnerability in Ethereum's L2 infrastructure.
<span class="quantum-note">⚠ Trusted setup recoverable by CRQC</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">BLS Signatures
<span class="abbr">Boneh-Lynn-Shacham</span>
</div>
</div>
<div class="glossary-def">A digital signature scheme that enables efficient aggregation — thousands of individual signatures can be compressed into a single short signature. Ethereum uses BLS to aggregate ~500,000 validator attestations per slot into a few dozen, making the consensus layer practical. It requires pairing-friendly elliptic curves (BLS12-381). The pairing computation is ECDLP-based and quantum-vulnerable. Breaking validator keys gives an attacker the ability to equivocate, halt finality, or rewrite chain history depending on how many keys are compromised.
<span class="quantum-note">⚠ Pairing-based — quantum vulnerable</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">ECDSA
<span class="abbr">Elliptic Curve Digital Signature Algorithm</span>
</div>
</div>
<div class="glossary-def">The signature scheme used by Bitcoin (pre-Taproot), Ethereum, and most other blockchains. Uses the secp256k1 elliptic curve (Bitcoin/Ethereum) or other ECDLP-based curves. A valid ECDSA signature proves you know the private key without revealing it. The paper's resource estimates specifically target secp256k1 ECDLP — breaking it means any ECDSA signature scheme on that curve becomes forgeable.
<span class="quantum-note">⚠ Quantum vulnerable</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Schnorr Signatures
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">An alternative to ECDSA used in Bitcoin's Taproot upgrade (BIP-340). Offers cleaner math, better security proofs, and native multisignature aggregation. Still uses secp256k1 — still ECDLP-based — still quantum-vulnerable. Taproot's signature upgrade didn't help the quantum situation; in fact it made it worse by storing the tweaked public key directly in the locking script, re-exposing keys that P2PKH-style addresses had hidden.
<span class="quantum-note">⚠ Still ECDLP — quantum vulnerable</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Falcon / FN-DSA
<span class="abbr">NIST PQC Standard</span>
</div>
</div>
<div class="glossary-def">A lattice-based post-quantum digital signature scheme standardized by NIST in 2024 under the name FN-DSA. Uses NTRU lattices for its hardness assumption. Produces ~1,280-byte signatures — about 20x larger than ECDSA. Known for compact signatures relative to other PQC signature schemes. Algorand deployed Falcon for smart transactions in 2025, making it the first major blockchain to run production PQC transactions. Has known implementation challenges (Gaussian sampling can create side-channel vulnerabilities if not done carefully).
<span class="pq-note">✓ Post-quantum secure</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">ML-DSA / CRYSTALS-Dilithium
<span class="abbr">NIST PQC Standard</span>
</div>
</div>
<div class="glossary-def">A lattice-based digital signature scheme standardized by NIST in 2024 as ML-DSA (Module-Lattice Digital Signature Algorithm). Based on the hardness of Module LWE and Module SIS problems. Larger signatures than Falcon but simpler, safer implementation (no Gaussian sampling). XRP Ledger deployed ML-DSA on its AlphaNet. The QRL blockchain added support for Dilithium alongside its original XMSS signatures.
<span class="pq-note">✓ Post-quantum secure</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">XMSS / WOTS
<span class="abbr">Hash-Based Signatures</span>
</div>
</div>
<div class="glossary-def">Hash-based post-quantum signature schemes. XMSS (eXtended Merkle Signature Scheme) and WOTS (Winternitz One-Time Signatures) derive their security entirely from hash function collision resistance — no elliptic curves, no lattices. Considered the most conservative and well-understood PQC option because hash functions have been studied for 50+ years. QRL was built entirely on XMSS from launch (2018). Solana's Winternitz Vault uses WOTS experimentally. Downside: XMSS is stateful — the signer must track which keys have been used to avoid reuse, which is operationally complex at scale.
<span class="pq-note">✓ Post-quantum secure</span>
</div>
</div>
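<p>To make the hash-based approach in the XMSS / WOTS entry concrete, here is an added Python example (written for this glossary, not code from QRL, Solana or the paper) of a Winternitz one-time signature with the standard checksum, plus a minimal XMSS-style Merkle tree over several one-time keys. The parameter names, the position-tagged chain function and the seed are assumptions of this toy; the point it demonstrates is the one the entry makes: security rests on SHA-256 alone, and the signer's leaf index is state that must never be reused.</p>

```python
import hashlib

W = 16            # Winternitz parameter: each chain element signs 4 bits of the digest
L1 = 64           # 256-bit digest -> 64 base-16 digits
L2 = 3            # checksum <= 64 * 15 = 960 < 16**3 -> 3 more digits
L = L1 + L2       # chains per key (67)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _chain(x: bytes, start: int, steps: int) -> bytes:
    """Iterate the chain function from position `start` for `steps` steps."""
    for i in range(start, start + steps):
        x = _h(bytes([i]) + x)   # position byte keeps chain steps domain-separated
    return x


def _digits(msg: bytes) -> list:
    """Base-16 digits of SHA-256(msg) plus a checksum: lowering any message digit
    raises a checksum digit, so a forger cannot just walk chains further forward."""
    d = [n for b in _h(msg) for n in (b >> 4, b & 15)]
    csum = sum(W - 1 - x for x in d)
    return d + [(csum >> 8) & 15, (csum >> 4) & 15, csum & 15]


def keygen(seed: bytes):
    """67 secret chain starts derived from a seed; the public key hashes the chain ends."""
    sk = [_h(b"wots-sk" + seed + i.to_bytes(2, "big")) for i in range(L)]
    pk = _h(b"".join(_chain(s, 0, W - 1) for s in sk))
    return sk, pk


def sign(sk, msg: bytes) -> list:
    return [_chain(sk[i], 0, d) for i, d in enumerate(_digits(msg))]


def pk_from_sig(msg: bytes, sig: list) -> bytes:
    """Walk every chain the rest of the way; a valid signature lands on the public key."""
    return _h(b"".join(_chain(sig[i], d, W - 1 - d) for i, d in enumerate(_digits(msg))))


def verify(pk: bytes, msg: bytes, sig: list) -> bool:
    return len(sig) == L and pk_from_sig(msg, sig) == pk


class MerkleSigner:
    """Minimal XMSS-style signer: a Merkle tree over 2**height one-time keys.
    `next_index` is the state that must survive crashes and restores from backup;
    signing twice from one leaf hands out two WOTS signatures under the same key."""

    def __init__(self, seed: bytes, height: int = 2):
        self.n_leaves = 1 << height
        self._keys = [keygen(seed + i.to_bytes(4, "big")) for i in range(self.n_leaves)]
        self._layers = [[_h(b"leaf" + pk) for _, pk in self._keys]]
        while len(self._layers[-1]) > 1:
            prev = self._layers[-1]
            self._layers.append([_h(b"node" + prev[i] + prev[i + 1])
                                 for i in range(0, len(prev), 2)])
        self.root = self._layers[-1][0]   # the long-term public key
        self.next_index = 0

    def sign(self, msg: bytes) -> dict:
        if self.next_index >= self.n_leaves:
            raise RuntimeError("all one-time keys consumed; generate a new tree")
        idx, self.next_index = self.next_index, self.next_index + 1
        sk, _ = self._keys[idx]
        self._keys[idx] = (None, None)    # drop the secret so this leaf cannot be reused
        auth, i = [], idx
        for layer in self._layers[:-1]:
            auth.append(layer[i ^ 1])     # sibling hash on the path to the root
            i >>= 1
        return {"index": idx, "sig": sign(sk, msg), "auth": auth}


def verify_merkle(root: bytes, msg: bytes, s: dict) -> bool:
    """Recompute the WOTS public key from the signature, then hash up to the root."""
    if len(s["sig"]) != L:
        return False
    node, i = _h(b"leaf" + pk_from_sig(msg, s["sig"])), s["index"]
    for sib in s["auth"]:
        node = _h(b"node" + node + sib) if i % 2 == 0 else _h(b"node" + sib + node)
        i >>= 1
    return node == root
```

<p>Each WOTS signature here is 67 chain elements of 32 bytes (about 2 KB), which is the size cost the migration section describes; the Merkle tree is what turns a pile of one-time keys into a single reusable public key, at the price of the index bookkeeping that makes XMSS stateful.</p>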
<div class="glossary-item">
<div>
<div class="glossary-term">Trusted Setup / Toxic Waste
<span class="abbr">Powers-of-Tau Ceremony</span>
</div>
</div>
<div class="glossary-def">Some cryptographic systems (KZG commitments, Groth16 SNARKs) require a one-time setup ceremony that generates a secret random value embedded in the public parameters. This secret — informally called "toxic waste" — must be destroyed after the ceremony. If it's ever recovered, the cryptographic guarantees collapse. The design of these ceremonies involves hundreds of participants, any one of whom could destroy their fragment to ensure the final secret is unknowable. A CRQC can recover toxic waste from the public parameters without going through the ceremony at all — defeating the entire security model.
<span class="quantum-note">⚠ CRQC can recover toxic waste from public params</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Pedersen Commitment
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">A commitment scheme used to hide transaction amounts while allowing the network to verify that inputs and outputs balance (no coins created out of thin air). Used in Mimblewimble (Litecoin, Grin), Monero's RingCT, and older Confidential Transaction designs. Its binding property relies on ECDLP — a quantum attacker can forge commitments, enabling undetected coin inflation. Because Mimblewimble's Pedersen commitments use fixed public curve points, this is also an on-setup attack vulnerability.
<span class="quantum-note">⚠ Binding property broken by CRQC</span>
</div>
</div>
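<p>The ECDLP, Trusted Setup / Toxic Waste and Pedersen Commitment entries all come down to one fact: a secret scalar hides behind a public curve point only as long as nobody can take discrete logs. The Python below is an added teaching example (not code from the paper or any of the chains named) that shows all three on a 19-point toy curve from the Paar and Pelzl textbook, where exhaustive search stands in for Shor's algorithm. The curve, the generator, the "unknown" log of H and the sample values are constructed; on secp256k1 or BLS12-381 the algebra is identical and only the search step changes from trivial to infeasible.</p>

```python
# Toy curve from Paar & Pelzl: y^2 = x^3 + 2x + 2 over F_17.  G = (5, 1) generates a
# group of prime order 19, so every nonzero scalar is invertible mod N.
P, A, B = 17, 2, 2
G = (5, 1)
N = 19
INF = None  # point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Group law in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                     # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod the group order."""
    result, addend = INF, pt
    for bit in bin(k % N)[2:]:
        result = add(result, result)
        if bit == "1":
            result = add(result, addend)
    return result


def solve_ecdlp(pub, base=G):
    """Recover k with k*base == pub by exhaustive search.  This stands in for Shor's
    algorithm: instant on 19 points, hopeless classically on secp256k1, and that gap
    is the entire security margin of ECDSA, Schnorr, BLS and KZG."""
    acc = INF
    for k in range(N):
        if acc == pub:
            return k
        acc = add(acc, base)
    raise ValueError("point is not a multiple of base")


# --- Trusted setup: the public "powers of tau" are [G, tau*G, tau^2*G, ...] ---------
def powers_of_tau(tau, degree):
    return [mul(pow(tau, i, N), G) for i in range(degree + 1)]


def recover_setup_secret(params):
    """The toxic waste tau is simply the discrete log of the second public parameter."""
    return solve_ecdlp(params[1], params[0])


# --- Pedersen commitments: C = v*G + r*H, with H = h*G and h known to nobody ---------
H_SECRET = 7   # exists here only to construct H; a real setup derives H without anyone knowing it
H = mul(H_SECRET, G)


def commit(value, blind):
    return add(mul(value, G), mul(blind, H))


def opens_to(c, value, blind):
    return commit(value, blind) == c


def balanced(inputs, outputs):
    """Mimblewimble-style check: sum(inputs) - sum(outputs) must be the identity.
    It proves the commitments balance; it never sees the hidden values."""
    total = INF
    for c in inputs:
        total = add(total, c)
    for c in outputs:
        total = add(total, neg(c))
    return total is INF


def forge_opening(c, value, blind, new_value, h):
    """With h = log_G(H) known, any commitment opens to any value: choose r' so that
    new_value + r'*h == value + blind*h (mod N).  Binding rests only on h being unknown."""
    new_blind = (blind + (value - new_value) * pow(h, -1, N)) % N
    assert opens_to(c, new_value, new_blind)
    return new_blind


if __name__ == "__main__":
    print("recovered setup secret:", recover_setup_secret(powers_of_tau(13, 3)))
    c = commit(5, 9)
    h = solve_ecdlp(H)                                   # the CRQC step
    print("commit(5, 9) also opens to 6 with blind", forge_opening(c, 5, 9, 6, h))
```

<p>The last function is the whole reason the table above marks Pedersen-based chains as on-setup vulnerable: once the log of H is known, an output can be inflated and re-blinded so that the balance check still passes, and nothing on-chain reveals that it happened. Likewise, recovering tau needs no ceremony transcript, only the public parameters.</p>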
<div class="glossary-item">
<div>
<div class="glossary-term">ECDH Key Exchange
<span class="abbr">Elliptic Curve Diffie-Hellman</span>
</div>
</div>
<div class="glossary-def">A protocol that lets two parties derive a shared secret over a public channel without transmitting the secret itself. Used in Zcash (to derive encryption keys for shielded notes), Monero (stealth addresses), and Litecoin's Mimblewimble (offline transaction derivation). A quantum attacker can break ECDH retroactively — anyone who recorded encrypted on-chain data in the past can decrypt it once a CRQC is available. This is the "retroactive privacy degradation" threat for privacy coins.
<span class="quantum-note">⚠ Quantum vulnerable — enables retroactive decryption</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">UTXO Model
<span class="abbr">Unspent Transaction Output</span>
</div>
</div>
<div class="glossary-def">Bitcoin's accounting model. Rather than tracking account balances, Bitcoin tracks individual "coins" as unspent transaction outputs. Each UTXO is locked to a public key (or script). Spending a UTXO reveals the public key in the unlocking script. The UTXO model is more quantum-friendly than account models because you can use a new address (and new keypair) for every transaction — you don't have to reuse keys. The downside: address reuse (which happens constantly in practice) removes this protection entirely.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Account Model
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">Ethereum, Solana, and most smart contract blockchains use an account model — persistent identities with balances, rather than discrete coins. Once an account sends its first transaction, its public key is permanently on-chain and the account is forever at-rest vulnerable to quantum attacks. Unlike Bitcoin UTXOs, you can't silently rotate to a fresh key — your DeFi positions, governance votes, and reputation are tied to that address. This is why the paper identifies Ethereum's quantum exposure as structurally worse than Bitcoin's.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Mempool
<span class="abbr">Memory Pool</span>
</div>
</div>
<div class="glossary-def">The public waiting room for unconfirmed blockchain transactions. When you broadcast a transaction, it enters the mempool and waits for a miner (Bitcoin) or validator (Ethereum) to include it in the next block. The mempool is public — anyone can see all pending transactions. This is the attack surface for on-spend quantum attacks: the moment a transaction enters the mempool, the public key is visible and the clock starts on how fast an attacker can derive the private key and broadcast a competing transaction with a higher fee.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">BLS12-381 Curve
<span class="abbr">Barreto-Lynn-Scott</span>
</div>
</div>
<div class="glossary-def">A pairing-friendly elliptic curve designed specifically for applications requiring bilinear pairings — mathematical operations that enable BLS signature aggregation and KZG polynomial commitments. Used by Ethereum's consensus layer (validator BLS signatures), Zcash's Sapling pool (Groth16), and many zkSNARK systems. The curve uses 381-bit field elements — slightly larger than secp256k1's 256 bits — which means breaking it requires a somewhat larger CRQC, but the paper estimates it's still accessible to first-generation fast-clock machines.
<span class="quantum-note">⚠ ECDLP-based — quantum vulnerable</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">secp256k1
<span class="abbr">—</span>
</div>
</div>
<div class="glossary-def">The specific elliptic curve used for digital signatures in Bitcoin, Ethereum (execution layer), and most major blockchains. Defined by SECG (Standards for Efficient Cryptography Group). The paper's quantum resource estimates specifically target secp256k1 — the two circuit variants (1,200 logical qubits at 90M gates, or 1,450 logical qubits at 70M gates) are designed to solve ECDLP on this exact curve. Not a pairing-friendly curve, so it can't be used for BLS signatures or KZG commitments.
<span class="quantum-note">⚠ Primary target of the paper's attack circuits</span>
</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Replace-By-Fee
<span class="abbr">RBF</span>
</div>
</div>
<div class="glossary-def">A Bitcoin mempool policy that allows a transaction to be replaced by a new version of the same transaction if it includes a higher fee. Originally designed for legitimate use cases like fee bumping. In the context of quantum attacks, RBF enables the "scorched earth" scenario: an attacker who has derived your private key can keep outbidding you in fee auctions, forcing you to offer increasingly high fees to get your own transaction confirmed. The paper notes this could transfer wealth from victim to miners even if the theft is technically "thwarted."</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Hierarchical Deterministic Wallet
<span class="abbr">HD Wallet / BIP-32</span>
</div>
</div>
<div class="glossary-def">A wallet system that derives an infinite number of keypairs from a single master seed (usually a 12 or 24-word mnemonic phrase). Makes it easy to use a fresh address for every transaction — good for quantum safety. However, HD wallets expose a subtle quantum risk: sharing an "extended public key" (xpub) with third-party services enables those services to monitor all your addresses — but in the presence of CRQCs, knowing the xpub plus any single derived private key allows recovery of the master private key, compromising all derived keys at once.</div>
</div>
<div class="glossary-item">
<div>
<div class="glossary-term">Miner/Maximal Extractable Value
<span class="abbr">MEV</span>
</div>
</div>
<div class="glossary-def">The extra profit a miner or validator can extract by reordering, inserting, or removing transactions within the blocks they produce. Common MEV strategies include front-running DEX trades, sandwich attacks, and liquidation races. The paper introduces a new MEV dynamic: quantum attackers could participate in fee-auction wars using stolen funds they don't rightfully own, since they can rationally bid their entire stolen amount in fees — creating a new class of adversarial MEV that doesn't exist in the classical threat model.</div>
</div>
</div>
</section>
<!-- SOURCE -->
<section class="section fade-in" id="source">
<div class="section-tag">10 — Source</div>
<h2>About This Paper</h2>
<p>This briefing is a plain-language summary of the following primary research. All specific numbers, findings, and claims in this document trace directly to the original paper.</p>
<div class="callout cyan" style="margin-top: 24px;">
<div class="callout-label">Original Publication</div>
<p><strong style="color: var(--white);">Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations</strong></p>
<p style="margin-top: 8px;">Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi (Google Quantum AI), Justin Drake (Ethereum Foundation), Dan Boneh (Stanford)</p>
<p style="margin-top: 8px; color: var(--text-dim);">Published: March 30, 2026 · arXiv / IACR ePrint · Dataset and ZK proof: Zenodo repository</p>
</div>
</section>
<!-- FOOTER -->
<footer class="footer">
<div class="footer-sig">Quantum Threat Briefing · 2026</div>
<p>Summary document. All findings attributed to Babbush et al., Google Quantum AI, 2026. Not financial advice.</p>
</footer>
</div><!-- /main -->
<script>
// Scroll progress
const fill = document.getElementById('progress');
const backTop = document.getElementById('backTop');
window.addEventListener('scroll', () => {
const h = document.documentElement;
const pct = (h.scrollTop / (h.scrollHeight - h.clientHeight)) * 100;
fill.style.width = pct + '%';
backTop.classList.toggle('show', h.scrollTop > 600);
});
// Fade-in on scroll
const obs = new IntersectionObserver((entries) => {
entries.forEach(e => { if (e.isIntersecting) e.target.classList.add('visible'); });
}, { threshold: 0.08 });
document.querySelectorAll('.fade-in').forEach(el => obs.observe(el));
</script>
</body>
</html>