The Algorithm That Changed Everything
In 1994, a mathematician at Bell Labs named Peter Shor published a paper describing an algorithm that could solve two of the hardest problems in classical computing in polynomial time. Those two problems, integer factorization and the discrete logarithm, are the mathematical foundations of RSA encryption and elliptic-curve cryptography respectively. Every major blockchain in existence today relies on one of these two primitives to secure user funds.
Shor's algorithm does not just make these problems easier. It makes them fundamentally tractable for a computer with enough qubits. The difference between "computationally hard" and "computable in hours" is the difference between a secure system and a broken one.
This is why quantum computing gets discussed in the same sentence as blockchain security. It is not because quantum computers are faster at everything. They are not. It is because of this one specific algorithm and what it does to the math that most of the blockchain world is standing on.
A Brief Detour Into Why the Math Matters
To understand why Shor's algorithm is threatening, you need to understand what problem it is solving and why that problem is hard for classical computers.
The security of elliptic-curve cryptography, the signature scheme used by Bitcoin, Ethereum, and most other blockchains, rests on a problem called the elliptic curve discrete logarithm problem. Here is the intuition.
You start with a point G on an elliptic curve, a well-defined mathematical structure. You pick a secret number k, which is your private key. You compute a second point Q by adding G to itself k times, which in the notation of elliptic curve math is written as Q = k times G. Q is your public key.
The operation of going from k and G to Q is fast and easy. You can do it on a pocket calculator. The operation of going from Q and G back to k, that is, figuring out how many times you added G to get Q, is computationally hard. For the curve parameters used in Bitcoin and Ethereum (the secp256k1 curve with a 256-bit key size), the best known classical algorithms would take longer than the current age of the universe to solve this problem by brute force.
This asymmetry is the entire basis of security. The key generation is easy, the key recovery is impossible, and the gap between them is what lets you publish your public key without worrying about someone deriving your private key from it.
Shor's algorithm collapses that asymmetry.
How Shor's Algorithm Actually Works
Shor's algorithm does not brute force the discrete logarithm. It uses quantum mechanics to find a periodicity in a mathematical function related to the problem, and then uses that periodicity to compute the answer efficiently.
The high-level structure of the algorithm has three parts. First, it converts the discrete logarithm problem into a problem of finding the period of a certain function. Second, it uses a quantum circuit to find that period using a technique called the Quantum Fourier Transform, which exploits quantum superposition and interference to identify periodicity in a way no classical algorithm can match. Third, it uses the period to compute the discrete logarithm through classical post-processing.
The quantum magic happens in the second step. A quantum computer can evaluate a function at many different inputs simultaneously, in superposition. The Quantum Fourier Transform then amplifies the probability of measuring states that reveal the period of the function while canceling out states that do not. The result is that you measure the period with high probability after a polynomial number of operations, rather than the exponential number required for classical approaches.
For elliptic curve cryptography with a 256-bit key size, Shor's algorithm runs in roughly O(n cubed) time, where n is the bit size of the key. That is polynomial, meaning the compute time grows manageably as the key size increases. Classical attacks run in roughly O(2 to the power of n/2) time, which is exponential and effectively infinite for 256-bit keys.
The practical result: a quantum computer with enough logical qubits can recover the private key from a published public key in hours. A classical computer would take longer than the universe is old.
What It Takes to Actually Run This Attack
Shor's algorithm is real and the theory is solid. But running it against Bitcoin's secp256k1 curve requires hardware that does not exist yet in the form the attack needs. Understanding the gap between the algorithm and the hardware is essential for accurate risk assessment.
The fundamental issue is that quantum computers are noisy. Physical qubits are fragile. They decohere, meaning they lose their quantum state due to interactions with the environment. They make errors at rates that would cause any computation to produce garbage before it finished. Running Shor's algorithm against a 256-bit elliptic curve key requires holding a large quantum state coherent through millions of gate operations without errors accumulating to the point of failure.
The solution to this is quantum error correction. By encoding one logical qubit in many physical qubits, you can detect and correct errors as they occur, making the logical qubit reliable even though the underlying physical qubits are noisy. But error correction has a cost: it multiplies the qubit count dramatically.
Research by Webber et al. published in 2022 estimated that breaking the elliptic curve cryptography used by Bitcoin requires approximately 2,330 fault-tolerant logical qubits running Shor's algorithm. At current surface code error correction overhead, approximately 1,000 physical qubits per logical qubit, that translates to roughly 2.3 million physical qubits operating at low error rates.
The largest quantum processors available today have fewer than 1,200 physical qubits, and they operate at error rates that are orders of magnitude too high for the sustained computation Shor's algorithm requires. We are not there yet. But the trajectory of the hardware improvements matters as much as the current state of the hardware.
The Hardware Progress Curve
Quantum computing hardware has been advancing on a curve that is uncomfortable to extrapolate casually. IBM's public roadmap has targeted successively larger qubit counts and lower error rates at each generation. Google's quantum computing division has published a series of papers demonstrating improving error correction performance. Startups including IonQ, Quantinuum, and PsiQuantum are pursuing alternative physical approaches including trapped ions and photonic qubits that may offer different scaling characteristics.
The QuanChain Quantum Threat Calculator uses a simple exponential model to project timelines across three scenarios: conservative, moderate, and aggressive. In the moderate scenario, with logical qubit capacity doubling approximately every 20 months from a 2024 baseline of around 5 fault-tolerant logical qubits, the 2,330 logical qubit threshold required to attack ECC-256 is crossed around 2039. The aggressive scenario, assuming 14-month doubling driven by nation-state investment or algorithmic improvements, puts the threshold crossing closer to 2033.
These are not precise predictions. Quantum computing progress has been uneven, with periods of rapid advancement followed by engineering plateaus. The doubling model is a simplification. What the model is useful for is giving planners a defensible range: somewhere between 8 and 15 years, with real probability mass at both ends.
For anyone holding crypto assets or building infrastructure that needs to remain secure for that time horizon, this range is not comfortable.
What Shor's Algorithm Can and Cannot Break
Shor's algorithm is specifically targeted at problems based on integer factorization and discrete logarithms. This covers RSA encryption and elliptic-curve cryptography, which means it threatens:
- Bitcoin (secp256k1 ECDSA)
- Ethereum (secp256k1 ECDSA)
- Most other blockchains using ECDSA or EdDSA signature schemes
- RSA-based encryption used in traditional internet infrastructure
- Diffie-Hellman key exchange
What Shor's algorithm cannot break are hash functions. SHA-256, SHA-3, BLAKE3, and similar constructions are not vulnerable to Shor's algorithm because they are not based on the mathematical structures that give the algorithm its advantage. Hash functions are vulnerable to a different quantum algorithm called Grover's algorithm, but Grover's impact is much more limited: it provides a quadratic speedup against hash preimage finding, effectively halving the bit security of a hash function. AES-256 drops to 128-bit equivalent security, which remains computationally infeasible to brute force. SHA-256 drops to 128-bit equivalent security for preimage attacks, which is still very strong.
This distinction matters for how blockchains are affected. Bitcoin's block hashing and the hash-based Merkle tree structure are relatively safe from quantum attacks. The vulnerable part is the ECDSA signature scheme used to authorize transactions. Specifically, the moment you spend from an address, you publish a signature that mathematically exposes your public key. That public key is what Shor's algorithm needs as input.
The Specific Vulnerability Window on Chain
There is a precise window during which a Bitcoin or Ethereum transaction is maximally vulnerable to a Shor-based attack. Understanding this window matters for thinking about what the attack looks like in practice.
When you broadcast a Bitcoin transaction, it enters the mempool, a pool of unconfirmed transactions waiting to be included in a block. Your transaction includes your ECDSA signature, which mathematically reveals your public key. Your transaction is visible in the mempool from the moment it is broadcast until the moment it is confirmed in a block, a window of somewhere between 10 minutes and several hours depending on network conditions and fee rates.
During this window, an attacker who can run Shor's algorithm fast enough could potentially derive your private key from your public key before the transaction confirms, use the derived private key to sign a conflicting transaction that redirects your funds to their own address, and broadcast that conflicting transaction with a higher fee to ensure it confirms first.
Webber et al. estimated that this attack, running Shor's algorithm fast enough to complete in the Bitcoin mempool window, would require approximately 13 million physical qubits. That is a much higher bar than the 2.3 million needed for a patient attack on a stored public key. It also requires running the algorithm in under 60 minutes for most blocks.
The more practical near-term attack is not the mempool race. It is the patient attack on addresses that already exposed their public keys years ago. Those addresses have no time constraint. An attacker can take days or weeks to run the computation. All they need is the public key, which is already recorded forever on the public blockchain.
Post-Quantum Alternatives to ECDSA
The good news is that cryptographers have known about Shor's algorithm for thirty years and have been working on alternatives. The most significant result of this work is the NIST Post-Quantum Cryptography standardization process, which concluded its first round in 2024 with the publication of three primary standards.
CRYSTALS-Dilithium, now standardized as ML-DSA, is a lattice-based signature scheme. Its security rests on the hardness of problems in mathematical lattices, which do not have known polynomial-time quantum algorithms. Shor's algorithm cannot be applied to them.
FALCON, another lattice-based signature scheme with smaller signatures than Dilithium at comparable security levels.
SPHINCS+, a hash-based signature scheme that relies only on the security of hash functions, which are already relatively quantum-safe. The downside is large signature sizes, up to 50 kilobytes for the highest security parameter sets.
QuanChain uses both Dilithium-5 and SPHINCS+-256f in a composite AND-construction for the Level 20 parent identity, requiring both signatures to be valid simultaneously. Child wallets at lower security levels use various combinations of post-quantum and hybrid classical/post-quantum schemes calibrated to the value at risk.
The challenge for existing blockchains is not that these alternatives are technically inadequate. It is that deploying them requires changing the core signature scheme, which means a protocol-level migration that needs to coordinate across the entire validator and user ecosystem. That is a governance challenge as much as a technical one, and it is harder than the technical part.
The Real-World Milestone Timeline
It is helpful to have a sense of where the actual hardware stands against the thresholds that matter for blockchain security. Not the headlines about quantum supremacy, which often refer to highly specific and narrow demonstrations that have no direct cryptographic relevance, but the specific capabilities needed to run Shor's algorithm against production elliptic curve parameters.
The 2022 Webber et al. paper established the clearest public benchmark: 2,330 fault-tolerant logical qubits, running for approximately one hour, to break the secp256k1 curve used by Bitcoin and Ethereum. At current surface code overhead ratios, that means roughly 2.3 million physical qubits operating at error rates below approximately 0.1 percent per gate.
As of 2024, the most capable publicly disclosed quantum processors have physical qubit counts in the hundreds to low thousands range, with error rates that are still one to two orders of magnitude too high for fault-tolerant logical qubit operation at the required scale. IBM's Condor processor reached 1,121 qubits in 2023. Google's Willow chip, announced in late 2024, demonstrated significant improvements in error correction performance at 105 qubits but is still far from the logical qubit counts needed.
The trajectory, however, is not comforting. Each generation of hardware has shown meaningful improvements in both qubit count and error rates. The engineering challenges are hard but they are being attacked with increasing resources. Both the US and Chinese governments have made quantum computing a national priority, with investment levels that suggest these are being treated as strategic capability races rather than basic research programs.
The realistic planning position is not "this is impossible." It is "we do not know exactly when, but the range of plausible timelines overlaps significantly with the lifespan of infrastructure being built today." That is the honest framing that security planners, developers, and asset holders should be working from.
Why Architecture Matters as Much as Algorithms
Replacing ECDSA with Dilithium on an existing blockchain solves the forward security problem for new transactions. But it does not solve the historic exposure problem for addresses that have already spent. The public keys are already on chain. The old signature scheme was used. Those records are permanent.
This is why the architectural approach to quantum security matters as much as the choice of cryptographic algorithm. A system that never exposes public keys on chain eliminates the harvest now, decrypt later attack surface entirely. The algorithm used for signing is still important, but the most critical design question is whether the public key ever needs to be published.
TADEQS answers that question by ensuring it never does. The network validates spending against hash commitments, not raw public keys. The public key is used to generate a signature that proves knowledge of the private key, but the key itself is not what gets recorded on chain. When an adversary with a future quantum computer looks at the blockchain record, they find hash outputs rather than public keys. Shor's algorithm requires a public key as input. Without one, the attack cannot start.
Understanding Shor's algorithm at this level of detail makes it clear that the right response to the quantum threat is not just adopting post-quantum signature schemes. It is rethinking what information needs to be public at all, and designing wallet and transaction architectures that minimize the cryptographic surface area that quantum attacks can target.
Frequently Asked Questions
Does Shor's algorithm affect all blockchains equally?
Any blockchain using ECDSA or EdDSA signature schemes is vulnerable to Shor's algorithm once sufficient quantum hardware exists. This covers Bitcoin, Ethereum, Solana, Cardano, Avalanche, and the vast majority of blockchain networks. Blockchains that use hash-based signature schemes or post-quantum algorithms like Dilithium are not directly vulnerable to Shor's algorithm. The threat level also depends on whether the blockchain's architecture exposes public keys on chain. Systems where public keys are never published have no Shor-vulnerable material to attack, regardless of what signature algorithm they use internally.
Can Shor's algorithm break AES encryption?
No. AES is a symmetric cipher that does not rely on the mathematical structures that make Shor's algorithm effective. The relevant quantum threat to AES comes from Grover's algorithm, which provides a quadratic speedup for search problems. Grover's algorithm effectively halves the bit security of AES: AES-128 drops to approximately 64-bit equivalent security, which is marginal. AES-256 drops to 128-bit equivalent security, which remains very strong. The standard recommendation for data that needs to remain secure past the quantum era is to use AES-256, not AES-128.
What is the difference between Shor's algorithm and Grover's algorithm?
Shor's algorithm solves problems based on integer factorization and discrete logarithms, specifically the mathematical structures underlying RSA and elliptic-curve cryptography. It provides an exponential speedup over classical approaches for these specific problems, making them computationally tractable where they were previously infeasible. Grover's algorithm is a general-purpose quantum search algorithm that provides a quadratic speedup for searching unsorted databases. It affects symmetric ciphers and hash functions, but only modestly. A quadratic speedup against AES-256 still leaves the cipher very strong. An exponential speedup against ECDSA makes it broken. These are categorically different levels of threat.
Could classical computers eventually become fast enough to run Shor-like attacks?
No. Shor's algorithm is not just a faster version of classical attacks. It exploits quantum mechanical properties, specifically superposition and the Quantum Fourier Transform, that have no classical equivalent. Classical computers cannot emulate these properties efficiently. The best known classical algorithm for the elliptic curve discrete logarithm problem scales exponentially with key size. No amount of classical hardware improvement changes that scaling. The only way to run Shor's algorithm is on a quantum computer with enough qubits and low enough error rates.
How many logical qubits does a quantum computer need to break Bitcoin?
Based on the 2022 analysis by Webber et al., breaking the secp256k1 curve used by Bitcoin requires approximately 2,330 fault-tolerant logical qubits running Shor's algorithm over the course of roughly an hour. At current surface code error correction ratios of approximately 1,000 physical qubits per logical qubit, this implies around 2.3 million physical qubits operating at error rates low enough to sustain the required computation. The current state of the art is well below this threshold, but the trajectory of hardware development puts this in the plausible range within the next 10 to 20 years depending on the progress scenario you assume.
What should developers building on blockchain do about Shor's algorithm right now?
At minimum, developers should be tracking the NIST post-quantum cryptography standards published in 2024 and understanding how their specific chain plans to migrate to post-quantum signature schemes. For new projects, choosing a chain that uses post-quantum cryptography from the start eliminates the migration problem. For contracts or applications that involve long-lived assets or data integrity requirements measured in decades, the choice of underlying chain is a security decision that deserves the same scrutiny as any other security-critical architectural choice. Building on infrastructure that will require a major cryptographic migration in 10 years is a technical debt that compounds in proportion to how much value that infrastructure holds.