March 31, 2026
Ryan Babbush, Director of Research, Quantum Algorithms, and Hartmut Neven, VP of Engineering, Google Quantum AI, Google Research
We’re exploring a new model for elucidating the code-breaking capabilities of future quantum computers and outlining steps that should be taken to mitigate their consequences.
Google has led the responsible transition to post-quantum cryptography since 2016. In a new whitepaper, we show that future quantum computers may break, with fewer qubits and gates than previously realized, the elliptic curve cryptography that protects cryptocurrency and other systems. We want to raise awareness of this issue and are providing the cryptocurrency community with recommendations to improve security and stability before such attacks become possible, including transitioning blockchains to post-quantum cryptography (PQC), which is resistant to quantum attacks.
To share this research responsibly, we engaged with the U.S. government and developed a new method to describe these vulnerabilities via a zero-knowledge proof, so they can be verified without providing a roadmap for bad actors. We urge other research teams to do the same to keep people safe. We look forward to continuing our work across the industry following our 2029 timeline alongside others working on responsible approaches, like Coinbase, the Stanford Institute for Blockchain Research, and the Ethereum Foundation.
Quantum resource estimates
Quantum computers promise to solve otherwise impossible problems, including examples in chemistry, drug discovery, and energy. However, large-scale cryptographically relevant quantum computers (CRQCs) will also be able to break current, widely used public-key cryptography that protects things like people’s confidential information. Governments and others, including Google, have been preparing for this security challenge for many years. With continued scientific and technological progress, CRQCs are getting closer to reality, requiring a transition to PQC, which is why we recently introduced our 2029 migration timeline.
In our whitepaper, we share updated estimates of the quantum computing “resources” (i.e., qubits and gates) necessary to break the 256-bit elliptic curve discrete logarithm problem (ECDLP-256) on which elliptic curve cryptography is based. We express our resource estimates in terms of the number of logical qubits (error-corrected qubits composed of hundreds of physical qubits) and Toffoli gates (expensive elementary operations on qubits that are the primary driver of the time needed to execute many algorithms). Specifically, we have compiled two quantum circuits (sequences of quantum gates) that implement Shor's algorithm for ECDLP-256: one that uses fewer than 1,200 logical qubits and 90 million Toffoli gates and one that uses fewer than 1,450 logical qubits and 70 million Toffoli gates. We estimate that these circuits can be executed on a superconducting qubit CRQC with fewer than 500,000 physical qubits in a few minutes, given standard assumptions about hardware capabilities that are consistent with some of Google’s flagship quantum processors. This is an approximately 20-fold reduction in the number of physical qubits required to solve ECDLP-256 and a continuation of a long history of gradual optimization in compiling quantum algorithms to fault-tolerant circuits.
Protecting cryptocurrencies with post-quantum cryptography