Morning Overview

AI-aided quantum advance raises alarms over encryption risk

Recent research papers posted to arXiv have sharply reduced the estimated computing power a quantum machine would need to crack the encryption protecting major cryptocurrencies and other digital systems. Two separate studies published in late March describe pathways that could bring Shor’s algorithm, the theoretical basis for quantum attacks on public-key cryptography, within reach of hardware that is already on engineering roadmaps. The findings have added urgency to a migration effort that U.S. government agencies began years ago but that most private organizations have barely started.

What is verified so far

The strongest technical claim comes from a March arXiv paper estimating that Shor-style attacks against elliptic curve cryptography (ECC), the scheme used by Bitcoin and other major cryptocurrencies, would require fewer than 500,000 physical qubits under superconducting hardware with surface-code error correction. That figure sits well below earlier estimates that placed the threshold at millions of qubits, narrowing the gap between theoretical danger and plausible near-term machines.

A second study pushes the number even lower for a different hardware family. Researchers argue that Shor’s algorithm becomes feasible with as few as 10,000 reconfigurable atomic qubits when paired with high-rate quantum error correction codes and circuit-level optimizations designed for neutral-atom architectures. The paper frames this as an order-of-magnitude reduction in physical-qubit requirements compared with conventional estimates, driven by co-designing the algorithm with the hardware rather than treating them as separate problems.

Connecting these hardware-specific results is a separate preprint that introduces a compilation-driven framework for mapping quantum circuits into logical primitives with explicit physical-resource costs. That framework pays particular attention to neutral-atom systems, where atom movement and mid-circuit measurement create engineering constraints that generic compilers ignore. By automating the translation from abstract algorithm to hardware-aware resource budget, the tool makes it easier for researchers to identify the cheapest viable attack path, effectively acting as an AI-aided search engine for quantum vulnerabilities.

On the defense side, the National Institute of Standards and Technology finalized its first three post-quantum cryptography standards in August 2024: FIPS 203, FIPS 204, and FIPS 205. NIST declared all three ready for immediate use. The National Security Agency has separately released quantum-resistant algorithm requirements for National Security Systems under the Commercial National Security Algorithm Suite 2.0, or CNSA 2.0, signaling that the federal government treats the threat as concrete rather than speculative.

What remains uncertain

The qubit estimates in both arXiv papers rest on theoretical models, not demonstrated attacks. No laboratory has yet run Shor’s algorithm at a scale that threatens real-world keys. The 500,000-qubit figure assumes a specific combination of superconducting hardware and surface-code error correction; different noise profiles or gate fidelities could raise or lower the actual requirement. The 10,000-qubit neutral-atom estimate depends on high-rate error correction codes and reconfigurable architectures that are still in early experimental stages. Neither paper includes data from a working prototype at the relevant scale.

Timelines for when hardware will reach these thresholds remain contested. Major quantum hardware developers such as IBM and Google have published roadmaps projecting hundreds of thousands of qubits within the next decade, but those projections carry significant engineering uncertainty. No primary source in the available reporting provides a firm date by which a cryptographically relevant quantum computer will exist. The gap between a theoretical resource estimate and a functioning machine capable of sustained, error-corrected computation at that scale could be years or longer.

Equally unclear is how quickly private-sector organizations, especially cryptocurrency protocols, will adopt post-quantum standards. NIST’s transition guidance document, IR 8547, warns that organizations must begin migrating before cryptographically relevant quantum computers arrive, in part because of the “harvest now, decrypt later” risk: adversaries can intercept and store encrypted traffic today, then break it once quantum hardware matures. IR 8547 also flags risks to code signing and long-lived roots of trust, areas where delayed migration could leave software supply chains exposed for years. But no public cost assessment or implementation timeline from major cryptocurrency networks has surfaced in available primary sources.

How to read the evidence

The three arXiv papers are preprints, meaning they have not yet passed formal peer review. That does not make their findings unreliable, but it does mean the specific numbers should be treated as informed estimates subject to revision. The compilation framework paper is best understood as a methodological advance: it improves the precision of resource estimates, rather than demonstrating an actual attack. Readers should distinguish between “we now know how few qubits might be needed” and “someone has broken encryption,” because the gap between those two statements is still large.

The NIST and NSA documents sit on firmer institutional ground. FIPS 203, 204, and 205 are finalized federal standards with immediate applicability. CNSA 2.0 carries binding force for National Security Systems. The NSA’s post-quantum cybersecurity resources page, which references CNSS Policy 15 and CNSA Suite guidance, also states a preference for post-quantum cryptographic algorithms over quantum key distribution for many use cases. That preference reflects a practical judgment: software-based cryptographic upgrades can be deployed across existing networks, while quantum key distribution requires dedicated physical infrastructure.

*This article was researched with the help of AI, with human editors creating the final content.