I consider the recent work by Mosca et al to be the most up-to-date in terms of research estimation: <a href="https://www.sciencedirect.com/science/article/pii/S0167739X24004308">https://www.sciencedirect.com/science/article/pii/S0167739X24004308</a><br /><br />The estimate he provides is approximately an order of magnitude less work required to break ECDSA (P-256) vs RSA-2048. Ironically, the longer bit-lengths of RSA seem to actually contribute to post-quantum security, even though the motivation for moving from RSA-1024 was to protect against NFS and other classical attacks against shorter RSA instances. <br /><div><br />Note that the resource estimation in the paper doesn't account for Gidney's speedup, which was 20x reduction in qubits required. It's unclear whether that same improvement factor could be applied here; as the Gidney paper showed, the earliest CRQCs will probably be hardwired for certain circuits for performance reasons. E.g. Gidney's circuit layout works for RSA-2048 and that's it. But the ideas he presents around error correction (e.g. the yoked surface code) might apply more broadly, it's hard to say. <div><br /></div><div>Also note that many of his assumptions are based on a superconducting architecture, which generally have faster runtimes but lower stability (so scaling is harder)<br /><br />Other architectures like this one <a href="https://arxiv.org/pdf/2506.20660">https://arxiv.org/pdf/2506.20660</a> from the neutral atom community have slower runtimes but greater stability. But even if you scale, it probably only works for targeted, long-range attacks vs specific PKs as a CRQC.<br /><div><br /></div><div>Lots of variables to consider here in terms of estimating the timeline for a CRQC, but the proactive approach is probably the right one, because (to quote Gidney in his conclusion) we should "<b>prefer security to not be contingent on progress being slow.</b>"</div><div><br /></div></div></div><div class="gmail_quote"><div dir="auto" class="gmail_attr">On Tuesday, August 12, 2025 at 3:04:32 AM UTC-6 ArmchairCryptologist wrote:<br/></div><blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="font-family:Arial,sans-serif;font-size:14px"><div><br>
        <blockquote type="cite">
            
An astute observation. To clarify the quantum computing landscape:
Google&#39;s current quantum processors do not possess 50 logical qubits,
and even if they did, this would be insufficient to compromise ECDSA -
let alone RSA-2048, which would require approximately 20 million noisy
physical qubits for successful cryptanalysis [0].<br></blockquote><div><br></div></div></div><div style="font-family:Arial,sans-serif;font-size:14px"><div><div><span>That paper is pretty old. There is a recent paper from a couple of months ago by the same author (<span>Craig Gidney</span> from <span>Google Quantum AI</span>) claiming that you could break RSA-2048 with around a million noisy qubits in about a week. <span><br></span></span><div><span><br></span></div><div><span>Paper: <a rel="noreferrer nofollow noopener" href="https://arxiv.org/pdf/2505.15917" target="_blank" data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=https://arxiv.org/pdf/2505.15917&amp;source=gmail&amp;ust=1755805087126000&amp;usg=AOvVaw2bLrcxCBoyk8INjFbTSM3X">https://arxiv.org/pdf/2505.15917</a><br></span></div><div>Blog post: <span><a rel="noreferrer nofollow noopener" href="https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html" target="_blank" data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html&amp;source=gmail&amp;ust=1755805087126000&amp;usg=AOvVaw039DcUJOm7b9UWOEsWyAvN">https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html</a></span></div><div><br></div><div>I
 can&#39;t say for sure whether this approach can be applied to 
ECDSA; I have seen claims before that it has less quantum resistance than RSA-2048, but I&#39;m unsure if this is still considered to be the case. And while these papers are of course largely theoretical in nature 
since nothing close to the required amount of qubits exists at this 
point, I haven&#39;t seen anyone refute these claim at this point. These is still no hard evidence I&#39;m aware of that a quantum computer capable of breaking ECDSA is inevitable, but given the rate of development, there could be some cause of concern.</div><div><br></div><div><span>Getting post-quantum addresses designed, implemented and activated by 2030 in accordance with the recommendations in this paper seems prudent to me, if this is at all possible. Deactivating inactive <span>pre-quantum </span>UTXOs with exposed public keys by 2035 should certainly be considered. But I still don&#39;t feel like deactivating pre-quantum UTXOs without exposed public keys in general is warranted, at least until a quantum computer capable of breaking public keys in the short time between they are broadcast and included in a block <span>is known to exist</span> - and even then, only if some scheme could be devised that still allows spending them using some additional cryptographic proof of ownership, ZKP or otherwise.</span></div><div><span><br></span></div><div><span>--</span></div><div><span>Best,</span></div><div><span>ArmchairCryptologist</span></div></div></div></div></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/80005f10-e9af-4b4f-a05f-de2bd666d8ccn%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/80005f10-e9af-4b4f-a05f-de2bd666d8ccn%40googlegroups.com</a>.<br />