{
  "@context": {
    "@vocab": "http://schema.org/",
    "sec": "https://schema.org/section",
    "hasPart": { "@id": "schema:hasPart", "@type": "@id" },
    "position": "schema:position",
    "about": "schema:about",
    "author": "schema:author",
    "publisher": "schema:publisher",
    "image": "schema:image",
    "video": "schema:video",
    "audio": "schema:audio",
    "mainEntity": "schema:mainEntity",
    "question": "schema:question",
    "acceptedAnswer": "schema:acceptedAnswer",
    "termCode": "schema:termCode",
    "termDefinition": "schema:termDefinition",
    "termSet": "schema:termSet",
    "HowToStep": "schema:HowToStep",
    "HowTo": "schema:HowTo"
  },
  "@type": "TechArticle",
  "headline": "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations",
  "author": [
    {
      "@type": "Person",
      "name": "Ryan Babbush",
      "email": "babbush@google.com",
      "affiliation": {
        "@type": "Organization",
        "name": "Google Quantum AI"
      }
    },
    {
      "@type": "Person",
      "name": "Adam Zalcman",
      "email": "viathor@google.com",
      "affiliation": {
        "@type": "Organization",
        "name": "Google Quantum AI"
      }
    },
    {
      "@type": "Person",
      "name": "Craig Gidney",
      "email": "craiggidney@google.com",
      "affiliation": {
        "@type": "Organization",
        "name": "Google Quantum AI"
      }
    },
    {
      "@type": "Person",
      "name": "Michael Broughton",
      "affiliation": {
        "@type": "Organization",
        "name": "Google Quantum AI"
      }
    },
    {
      "@type": "Person",
      "name": "Tanuj Khattar",
      "affiliation": {
        "@type": "Organization",
        "name": "Google Quantum AI"
      }
    },
    {
      "@type": "Person",
      "name": "Hartmut Neven",
      "affiliation": {
        "@type": "Organization",
        "name": "Google Quantum AI"
      }
    },
    {
      "@type": "Person",
      "name": "Thiago Bergamaschi",
      "affiliation": [
        {
          "@type": "Organization",
          "name": "Google Quantum AI"
        },
        {
          "@type": "Organization",
          "name": "University of California Berkeley"
        }
      ]
    },
    {
      "@type": "Person",
      "name": "Justin Drake",
      "affiliation": {
        "@type": "Organization",
        "name": "Ethereum Foundation"
      }
    },
    {
      "@type": "Person",
      "name": "Dan Boneh",
      "affiliation": {
        "@type": "Organization",
        "name": "Stanford University"
      }
    }
  ],
  "datePublished": "2026-03-30",
  "publisher": {
    "@type": "Organization",
    "name": "Google Quantum AI"
  },
  "abstract": "This whitepaper explains the implications of quantum computing for blockchain vulnerabilities, providing new resource estimates for breaking 256-bit ECDLP on secp256k1, distinguishing fast-clock and slow-clock quantum architectures, surveying vulnerabilities in major cryptocurrencies, and urging urgent migration to post-quantum cryptography.",
  "articleBody": "Quantum computers threaten elliptic curve cryptography underlying cryptocurrencies. Updated resource estimates show fast-clock quantum computers can break secp256k1 ECDLP in minutes, enabling on-spend attacks. Slow-clock architectures enable at-rest attacks. Bitcoin, Ethereum, and other blockchains have distinct vulnerabilities. Migration to post-quantum cryptography is urgent. Dormant assets pose policy challenges.",
  "sec": [
    {
      "@type": "WebPageElement",
      "name": "Introduction",
      "position": 1,
      "articleBody": "Quantum computers threaten ECDLP-based cryptography used in cryptocurrencies. Bitcoin and Ethereum have distinct vulnerabilities. Migration to post-quantum cryptography is urgent."
    },
    {
      "@type": "WebPageElement",
      "name": "Quantum Attacks on the Elliptic Curve Discrete Logarithm Problem",
      "position": 2,
      "articleBody": "Quantum attacks are classified as on-spend, at-rest, and on-setup attacks. Fast-clock quantum computers can launch on-spend attacks; slow-clock ones only at-rest. Responsible disclosure with zero-knowledge proofs validates resource estimates without revealing attack details.",
      "hasPart": [
        {
          "@type": "DefinedTermSet",
          "name": "Quantum Attack Types",
          "termCode": "QAT",
          "termDefinition": [
            {
              "@type": "DefinedTerm",
              "name": "On-Spend Attack",
              "description": "Attack on transactions in transit requiring key recovery within transaction settlement time."
            },
            {
              "@type": "DefinedTerm",
              "name": "At-Rest Attack",
              "description": "Attack on public keys exposed for long periods, such as dormant wallets."
            },
            {
              "@type": "DefinedTerm",
              "name": "On-Setup Attack",
              "description": "Attack targeting fixed public protocol parameters to create reusable backdoors."
            }
          ]
        },
        {
          "@type": "HowTo",
          "name": "Zero-Knowledge Proof Generation for Quantum Resource Estimates",
          "description": "Steps to generate a zero-knowledge proof validating quantum circuit resource estimates without revealing attack details.",
          "hasPart": [
            {
              "@type": "HowToStep",
              "position": 1,
              "name": "Commit to secret quantum circuit via SHA-256 hash",
              "description": "Generate a cryptographic hash of the secret quantum circuit to commit to it."
            },
            {
              "@type": "HowToStep",
              "position": 2,
              "name": "Generate random test inputs using SHAKE256 XOF",
              "description": "Use the SHAKE256 extendable-output function, seeded with the circuit bytes, to generate pseudo-random test inputs."
            },
            {
              "@type": "HowToStep",
              "position": 3,
              "name": "Simulate circuit on test inputs using Rust program",
              "description": "Run the secret circuit on generated inputs to verify correctness on most inputs."
            },
            {
              "@type": "HowToStep",
              "position": 4,
              "name": "Produce Groth16 zk-SNARK proof using SP1 zkVM",
              "description": "Generate a zero-knowledge proof attesting to the circuit's correctness and resource bounds."
            }
          ]
        }
      ]
    },
    {
      "@type": "WebPageElement",
      "name": "Attacks on Bitcoin’s Digital Signature Scheme",
      "position": 3,
      "articleBody": "Bitcoin’s ECDLP-based digital signatures expose vulnerabilities via public key exposure in various script types. On-spend attacks exploit mempool latency; at-rest attacks exploit public key reuse and dormant keys.",
      "hasPart": [
        {
          "@type": "Question",
          "name": "What are the main Bitcoin script types vulnerable to quantum attacks?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "P2PK and P2TR scripts expose public keys onchain and are vulnerable to at-rest and on-spend attacks. P2PKH and P2WPKH hide public keys behind hashes and are vulnerable only on-spend. Address reuse increases vulnerability."
          }
        },
        {
          "@type": "Question",
          "name": "How do on-spend quantum attacks on Bitcoin work?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Attackers extract public keys from mempool transactions, use quantum computers to derive private keys within block time, and broadcast fraudulent transactions with higher fees to steal coins."
          }
        },
        {
          "@type": "Question",
          "name": "Why is Bitcoin’s Proof-of-Work consensus not threatened by quantum computers?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Grover’s algorithm offers only quadratic speedup, which is negated by quantum error correction overhead and poor parallelization. ASIC miners outperform quantum miners by orders of magnitude."
          }
        }
      ]
    },
    {
      "@type": "WebPageElement",
      "name": "Quantum Vulnerabilities of Other ECDLP-Based Cryptographic Protocols",
      "position": 4,
      "articleBody": "Advanced cryptographic primitives like BLS signatures, ECDH key exchange, commitment schemes, and zkSNARKs introduce new quantum vulnerabilities, including on-setup attacks exploiting trusted setups.",
      "hasPart": [
        {
          "@type": "DefinedTermSet",
          "name": "ECDLP-Based Cryptographic Primitives",
          "termDefinition": [
            {
              "@type": "DefinedTerm",
              "name": "BLS Signature Aggregation",
              "description": "Aggregates multiple signatures using pairing-friendly elliptic curves, and is vulnerable to quantum attacks."
            },
            {
              "@type": "DefinedTerm",
              "name": "ECDH Key Exchange",
              "description": "Enables shared-secret establishment but is vulnerable to quantum adversaries."
            },
            {
              "@type": "DefinedTerm",
              "name": "Commitment Schemes",
              "description": "Hide values in transactions; quantum attacks can break hiding or binding properties."
            },
            {
              "@type": "DefinedTerm",
              "name": "Zero-Knowledge Proofs (ZK)",
              "description": "Allow proving statements without revealing secrets; the underlying cryptography may be quantum-vulnerable."
            }
          ]
        }
      ]
    },
    {
      "@type": "WebPageElement",
      "name": "Quantum Vulnerabilities of the Ethereum Blockchain",
      "position": 5,
      "articleBody": "Ethereum’s account model, smart contracts, and Proof-of-Stake consensus introduce multiple at-rest quantum vulnerabilities. Fast-clock CRQCs are unlikely to launch on-spend attacks due to short block times and private mempools.",
      "hasPart": [
        {
          "@type": "DefinedTermSet",
          "name": "Ethereum Quantum Vulnerabilities",
          "termDefinition": [
            {
              "@type": "DefinedTerm",
              "name": "Account Vulnerability",
              "description": "Public key exposure after first transaction makes accounts vulnerable to quantum attacks."
            },
            {
              "@type": "DefinedTerm",
              "name": "Admin Vulnerability",
              "description": "Smart contract admin keys with elevated privileges are vulnerable due to infrequent rotation."
            },
            {
              "@type": "DefinedTerm",
              "name": "Code Vulnerability",
              "description": "Smart contracts rely on quantum-vulnerable cryptographic primitives without PQC precompiles."
            },
            {
              "@type": "DefinedTerm",
              "name": "Consensus Vulnerability",
              "description": "Proof-of-Stake validators use BLS signatures vulnerable to quantum attacks."
            },
            {
              "@type": "DefinedTerm",
              "name": "Data Availability Vulnerability",
              "description": "Ethereum’s Data Availability Sampling uses KZG commitments vulnerable to on-setup quantum attacks."
            }
          ]
        }
      ]
    },
    {
      "@type": "WebPageElement",
      "name": "Quantum Vulnerabilities of Other Blockchains",
      "position": 6,
      "articleBody": "Bitcoin and Ethereum derivatives inherit vulnerabilities with adaptations. Privacy-preserving blockchains like Zcash and Mimblewimble face quantum risks including retroactive privacy degradation. Some blockchains deploy PQC, e.g., QRL and Algorand, and Solana has experimental deployments.",
      "hasPart": [
        {
          "@type": "Question",
          "name": "How do Bitcoin derivatives differ in quantum vulnerability?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Derivatives like Litecoin and Dogecoin have varying block times and script support affecting on-spend attack feasibility. Hard forks like Bitcoin Cash inherit early vulnerabilities."
          }
        },
        {
          "@type": "Question",
          "name": "What quantum vulnerabilities affect privacy-preserving blockchains?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Protocols like Mimblewimble and Zcash use ECDLP-based commitments and key exchanges vulnerable to quantum attacks, risking privacy and monetary integrity."
          }
        },
        {
          "@type": "Question",
          "name": "Which blockchains have deployed post-quantum cryptography?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "QRL, Mochimo, Abelian launched with PQC. Algorand deployed Falcon signatures. Solana and XRP Ledger have experimental PQC deployments."
          }
        }
      ]
    },
    {
      "@type": "WebPageElement",
      "name": "Risks and Challenges in Migrating to Post-Quantum Cryptography",
      "position": 7,
      "articleBody": "Migration to PQC is essential but faces challenges: newness of PQC schemes, higher resource costs, lack of signature aggregation, and long asset migration times. User education and UI updates are critical. Transition must start immediately.",
      "hasPart": [
        {
          "@type": "Question",
          "name": "What are the main challenges in migrating blockchains to PQC?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "PQC schemes are newer and less scrutinized, have larger signatures, and increase resource requirements. Migration is slow and complex, requiring years of preparation."
          }
        },
        {
          "@type": "Question",
          "name": "How can PQC migration affect blockchain performance?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Larger PQC signatures reduce transaction throughput unless mitigated by layer 2 scaling, signature aggregation, or succinct proofs."
          }
        },
        {
          "@type": "Question",
          "name": "Why is early migration to PQC critical?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Asset migration to PQC addresses takes months or years; starting early avoids network congestion and security risks from lingering quantum-vulnerable assets."
          }
        }
      ]
    },
    {
      "@type": "WebPageElement",
      "name": "Dormant Digital Assets",
      "position": 8,
      "articleBody": "Dormant assets, such as lost-key P2PK coins, pose a critical quantum risk. They cannot be migrated and are attractive targets for quantum attackers. Policy options include Do Nothing, Burn, Hourglass, and Bad Sidechain. Governments face challenges in regulating dormant assets.",
      "hasPart": [
        {
          "@type": "Question",
          "name": "What are dormant digital assets and why are they risky?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Dormant assets are cryptocurrencies with lost or inaccessible private keys, vulnerable to quantum attacks and potentially worth billions."
          }
        },
        {
          "@type": "Question",
          "name": "What are the Bitcoin community’s options for dormant assets?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Options include doing nothing, burning dormant coins, limiting spending rate (Hourglass), or creating a Bad Sidechain for offchain proof-based recovery."
          }
        },
        {
          "@type": "Question",
          "name": "What public policy options exist for dormant assets?",
          "acceptedAnswer": {
            "@type": "Answer",
            "text": "Options include regulated digital salvage, national security interventions, and engagement with the cryptocurrency community to shape solutions."
          }
        }
      ]
    },
    {
      "@type": "DefinedTermSet",
      "name": "Key Defined Terms",
      "termDefinition": [
        {
          "@type": "DefinedTerm",
          "name": "Cryptographically Relevant Quantum Computer (CRQC)",
          "description": "A quantum computer capable of breaking widely used cryptographic schemes such as ECDLP."
        },
        {
          "@type": "DefinedTerm",
          "name": "On-Spend Attack",
          "description": "Quantum attack targeting transactions in transit, requiring key recovery within the transaction settlement time."
        },
        {
          "@type": "DefinedTerm",
          "name": "At-Rest Attack",
          "description": "Quantum attack targeting public keys exposed for long periods, such as dormant wallets."
        },
        {
          "@type": "DefinedTerm",
          "name": "On-Setup Attack",
          "description": "Quantum attack targeting fixed public protocol parameters to create reusable backdoors."
        },
        {
          "@type": "DefinedTerm",
          "name": "ECDLP",
          "description": "Elliptic Curve Discrete Logarithm Problem, the hard problem underlying elliptic curve cryptography."
        },
        {
          "@type": "DefinedTerm",
          "name": "Post-Quantum Cryptography (PQC)",
          "description": "Cryptographic algorithms believed to be secure against quantum computer attacks."
        },
        {
          "@type": "DefinedTerm",
          "name": "Zero-Knowledge Proof (ZK)",
          "description": "A cryptographic protocol allowing one party to prove knowledge of a secret without revealing it."
        },
        {
          "@type": "DefinedTerm",
          "name": "Proof-of-Stake (PoS)",
          "description": "A blockchain consensus mechanism where validators stake assets to secure the network."
        },
        {
          "@type": "DefinedTerm",
          "name": "Data Availability Sampling (DAS)",
          "description": "A protocol to verify availability of large data blobs onchain using probabilistic sampling."
        },
        {
          "@type": "DefinedTerm",
          "name": "Miner Extractable Value (MEV)",
          "description": "Revenue miners or validators can extract by reordering, inserting, or censoring transactions."
        }
      ]
    },
    {
      "@type": "HowTo",
      "name": "Mitigation of Quantum Vulnerabilities in Cryptocurrencies",
      "description": "Steps to mitigate quantum vulnerabilities in blockchain systems.",
      "hasPart": [
        {
          "@type": "HowToStep",
          "position": 1,
          "name": "Begin Migration to Post-Quantum Cryptography",
          "description": "Start transitioning cryptographic protocols to PQC schemes immediately to ensure timely completion."
        },
        {
          "@type": "HowToStep",
          "position": 2,
          "name": "Adopt Intermediate Mitigation Measures",
          "description": "Implement measures such as private mempools, commit-reveal schemes, and key rotation to reduce risk before full PQC migration."
        },
        {
          "@type": "HowToStep",
          "position": 3,
          "name": "Develop Public Policy Frameworks",
          "description": "Governments should consider regulated digital salvage, national security responses, and community engagement to address dormant assets."
        }
      ]
    }
  ],
  "image": {
    "@type": "ImageObject",
    "contentUrl": "page1_image.png",
    "description": "Title page of the whitepaper showing the title, authors, affiliations, and abstract."
  }
}