Quantum threat to ECDSA
ECDSA is broken in principle by quantum computing. Its security rests on the elliptic curve discrete logarithm problem, which Shor's algorithm solves in polynomial time on a large fault-tolerant quantum computer. For the secp256k1 curve used by Bitcoin and Ethereum, published circuit estimates start at about 2330 logical qubits, far beyond any machine disclosed as of early 2026, but well within what fault-tolerant roadmaps target.
The problem ECDSA relies on
ECDSA is a digital signature scheme scheme built on public-key cryptography over elliptic curves. A private key is a random 256-bit integer k, and the public key is the curve point Q = kG, where G is a fixed generator. Recovering k from Q is the elliptic curve discrete logarithm problem (ECDLP). The best classical attacks, variants of Pollard's rho method, take about 2^128 group operations for a 256-bit curve, which places secp256k1 at the 128-bit classical security level (see NIST security levels) and comfortably out of reach of any classical computer.
What Shor's algorithm changes
Peter Shor showed in 1994 that a quantum computer can factor integers and compute discrete logarithms in polynomial time using quantum period finding. Proos and Zalka adapted the algorithm to elliptic curve groups in 2003 and observed that elliptic curve discrete logarithms need smaller quantum circuits than factoring RSA moduli of comparable classical strength. The attack is generic: it works against every curve, so neither switching curves nor enlarging parameters restores security. The collapse is qualitative, from exponential classical difficulty to polynomial quantum difficulty, which is why ECDSA cannot be patched and must eventually be replaced.
Resource estimates for a 256-bit curve
Roetteler, Naehrig, Svore, and Lauter gave precise circuit estimates in 2017: computing a discrete logarithm on an n-bit curve needs at most 9n + 2 log2(n) + 10 logical qubits, which comes to about 2330 logical qubits for n = 256, together with roughly 130 billion Toffoli gates. The same line of work puts factoring an RSA-2048 modulus at about 4100 logical qubits and RSA-3072 at about 6150.
| Target | Classical security | Logical qubits (approximate) |
|---|---|---|
| secp256k1 (256-bit ECDLP) | 128-bit | 2330 |
| RSA-2048 | 112-bit | 4100 |
| RSA-3072 | 128-bit | 6150 |
Logical qubits are error-corrected constructions, each consuming hundreds to thousands of physical qubits. Webber and coauthors converted the elliptic curve attack into physical requirements in 2022, assuming surface code error correction, a physical error rate near 10^-3, and microsecond code cycles: breaking a 256-bit key within 1 day would need about 13 million physical qubits, within 1 hour about 317 million, and within 10 minutes about 1.9 billion. For comparison, Gidney and Ekera estimated in 2019 that factoring RSA-2048 would take 20 million noisy qubits and 8 hours. As of early 2026, the largest publicly disclosed quantum processors hold on the order of 1000 physical qubits, and error-corrected experiments demonstrate tens of logical qubits.
Why ECC falls before RSA
At matched classical security, elliptic curve keys are much smaller than RSA keys, and the quantum circuit scales with the key size. A 256-bit curve offers the same 128-bit classical security as RSA-3072, yet the quantum attack on the curve needs roughly 2330 logical qubits against roughly 6150 for the RSA modulus. The compactness that made elliptic curve cryptography attractive for constrained devices and blockchains is exactly what makes it the earlier quantum target: the first cryptographically relevant machines are expected to threaten deployed ECC before deployed RSA of comparable strength.
Exposure depends on when the key is visible
Shor's algorithm takes the public key as input, so systems differ enormously in practical exposure even when they share the same mathematics. Bitcoin hides many keys behind hashes until first spend, while taproot outputs publish keys directly; is Bitcoin quantum safe? and taproot and quantum key exposure work through the details. Ethereum addresses are hashes of public keys, but sending any transaction reveals the key, so every account that has ever transacted is exposed at rest. TLS certificates carry public keys outright. Because a blockchain is a permanent public record, key exposure there never expires: an attacker can wait years between seeing a key and gaining the hardware to break it, a signature-side parallel to harvest now, decrypt later.
Affected systems and replacements
Bitcoin, Ethereum, and most other chains sign with ECDSA over secp256k1, and many newer chains use Ed25519, which rests on the same discrete logarithm problem and falls to the same algorithm. The standardized replacements are the NIST post-quantum signatures: ML-DSA (lattice-based), SLH-DSA (hash-based, see hash-based signatures), and FN-DSA / Falcon (lattice-based, compact). Symmetric ciphers and hash functions are not affected by Shor's algorithm; they face only the quadratic speedup of Grover's algorithm, which key and output sizes already absorb (see symmetric cryptography). The quantum threat to ECDSA is therefore specific, well quantified, and answered by existing standards; what remains open is the timeline of the hardware and the pace of migration.
Frequently asked questions
Does Shor's algorithm also break Ed25519?
Yes. Ed25519 rests on the same discrete logarithm problem, only on a different curve, so chains and protocols using it face the same quantum threat as ECDSA users.
Would a larger elliptic curve be quantum safe?
No. Shor's algorithm runs in polynomial time in the key size, so even a 521-bit curve raises the attack cost only modestly; real resistance requires different mathematics.
Sources
- Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer (arXiv, 1995)
- Shor's discrete logarithm quantum algorithm for elliptic curves (arXiv, 2003)
- Quantum resource estimates for computing elliptic curve discrete logarithms (arXiv, 2017)
- The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime (arXiv, 2022)
- How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits (arXiv, 2019)
Cite this entry
"Quantum threat to ECDSA." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/quantum-threat-to-ecdsa@misc{pqwiki-quantum-threat-to-ecdsa,
title = {Quantum threat to ECDSA},
howpublished = {\url{https://postquantum.wiki/quantum-threat-to-ecdsa}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}