A team of researchers from the California Institute of Technology (Caltech) and the startup Oratomic presented a study that drastically reduces the hardware needed to run Shor’s algorithm, the quantum method capable of breaking the cryptography that protects Bitcoin. The publication came almost in parallel with the study published by Google on the quantum threat to cryptocurrencies.
According to the study, only 10,000 atomic qubits would be enough to do it, compared to the millions that were estimated to be necessary until recently.
The paper was published this March 30 and is signed by nine researchers, including John Preskill, one of the most recognized names in quantum computing worldwide.


The milestone of the study is that it theoretically reduces by two orders of magnitude (that is, about 100 times) the amount of physical hardware required to run Shor’s algorithm at a cryptographically relevant scale, through advances on three fronts: new types of error-correcting codes, more efficient logical operations, and optimized circuit design.
The timing coincidence with the Google study is not minor. The Google Quantum AI team published its own research, estimating that a quantum computer with fewer than 500,000 physical qubits could break the elliptic curve cryptography that Bitcoin uses in a matter of minutes, a nearly 20-fold reduction from previous estimates. Both works point in the same direction: the computational cost of a quantum attack on Bitcoin is falling faster than projected.
What makes this study different?
The technical key to the paper from Caltech and Oratomic lies in the type of codes they use to correct quantum errors. Quantum computers constantly make errors, and to compensate for them many physical qubits are needed to protect each logical qubit (the useful computing unit). Conventional methods, based on so-called surface codes, require hundreds of physical qubits for each logical qubit. The authors of the new study used high-rate codes, called qLDPC, that manage to protect about 30 logical qubits per 100 physical ones, compared to the 4% allowed by traditional codes. That is what allows the total number of qubits needed to be reduced so radically.
The platform chosen for this design is neutral atoms, a type of quantum hardware that allows qubits to be moved and rearranged during computation, making it easier to implement those high-efficiency codes. Recent experiments have already demonstrated the operation of arrays with more than 6,000 qubits of this type.
The estimated times of the attack
The study presents different scenarios depending on how many qubits and how much time are available. With 11,961 qubits, ECC-256 elliptic curve cryptography, the same one used by Bitcoin, could be broken in about 264 days. With 26,000 qubits and a more parallel architecture, that time would be reduced to about 10 days. For RSA-2048, the standard that protects much of Internet traffic, the times are one to two orders of magnitude longer (about 20 times less) with similar configurations.
These numbers assume measurement cycles of one millisecond, a conservative condition. The authors themselves point out that hardware improvements, such as faster readings or faster atomic transport, could reduce these times to hours or even minutes.
What is still missing
The study is a theoretical analysis, not an experiment. Oratomic does not have a 10,000 qubit machine operating at this scale today. The authors acknowledge that substantial engineering challenges remain to integrate into a single system all the capabilities that have so far been demonstrated separately. The measurement cycle speed assumed in the paper, of one millisecond, also requires additional technological developments to be achieved in practice.
Pressure on post-quantum migration intensifies
What this study and Google’s add to the debate is not a specific date for the attack, but confirmation that the cost of the hardware needed to execute it is falling rapidly. The United States' NIST already published the first post-quantum cryptography standards in 2024, and in Bitcoin there is the BIP-360 proposal, which proposes a new type of address capable of hiding public keys against attacks at rest. However, this proposal still does not have consensus in the community.
Researchers like Adam Back, co-founder of Blockstream, put the risk a decade or two away. Vitalik Buterin, co-founder of Ethereum, has estimated that it could materialize as soon as 2028. What is changing, with studies like these, is the variable that matters most in that equation: how much hardware is actually needed for the threat to be concrete.
