Expertise Matrix & Threat Model

1. The Convergence Problem

Popular discourse reduces the quantum threat to a single question: "When will Shor's algorithm break Bitcoin?" This framing is dangerously simplistic. A cryptographically relevant quantum computer (CRQC) capable of solving the 256-bit Elliptic Curve Discrete Logarithm Problem (ECDLP) on secp256k1 requires simultaneous, independent breakthroughs across mathematics, physics, computer science, materials science, experimental physics, systems engineering, and cryogenic engineering.

No single team, company, or nation commands expertise across all seven domains. The matrix below maps the existential bottleneck in each domain — the specific, quantifiable constraint that must be overcome — and projects three scenarios for resolution based on current research trajectories.

Mosca's Theorem: The Migration Inequality

Mosca's inequality formalizes the urgency: if x is the security shelf-life of your data, y is the time to migrate to post-quantum cryptography, and z is the time until a CRQC exists, then you must act when x + y > z. For Bitcoin, x is effectively infinite (UTXOs never expire), y is unknown (no consensus on a migration path), making the inequality alarm perpetually ringing. The question is not if but when z becomes small enough to matter.

\[ \text{If } \underbrace{x}_{\text{shelf life}} + \underbrace{y}_{\text{migration}} > \underbrace{z}_{\text{CRQC timeline}} \implies \text{Act NOW} \]

2. Quantifying the Target

Before examining each domain, we must precisely define what "breaking secp256k1" means in concrete computational terms. The attack requires solving the ECDLP: given a public key $Q = k \cdot G$ on the curve secp256k1, recover the private key $$ k $$ . Shor's quantum algorithm achieves this in polynomial time via quantum period-finding.

Logical Qubits Required

1,285 – 2,330

Roetteler et al. (2017) estimated 2,330 logical qubits. The ecdsa.fail open-source compilation challenge currently holds the world record at 1,285 logical qubits via aggressive windowing and ancilla reuse, surpassing Google's published benchmarks.

Non-Clifford Gates (Toffoli)

1.38M – 126B

Original baseline was ~1.26 × 10¹¹ Toffolis. The ecdsa.fail community has shattered this via crowdsourced heuristic circuit optimization, achieving an unprecedented 1,384,984 Toffolis — far ahead of Google's ~70M Toffoli achievement.

Space-Time Volume Score

1.77 Billion

The ultimate metric (Qubits × Toffolis). The current ecdsa.fail world record stands at a Space-Time Volume score of 1,779,704,440. This proves that classical compilation algorithms can drastically pull forward the CRQC timeline.

Continuous Runtime

Minutes

With the Toffoli count slashed to 1.38M, the continuous runtime requirement on a "fast-clock" 1µs superconducting architecture drops from months to mere minutes — easily fast enough to execute a real-time mempool attack on transiently exposed public keys.

3. Threat Projection Timeline

The following timeline projects three scenarios based on the aggregate resolution trajectory across all seven domains. Each milestone assumes simultaneous progress across the full stack — a delay in any single domain cascades into the entire projection.

Quantum Threat Projection Timeline

Three scenarios for when a cryptographically relevant quantum computer (CRQC) could threaten secp256k1. Click a scenario to explore its milestones.

2025–2028

NISQ Plateau

Noisy intermediate-scale devices remain below 1,500 physical qubits. Gate fidelities stall at 99.5% (2Q) due to TLS defect density floors. Below-threshold QEC demonstrated only at d=7 (Google Willow) with logical error rate 0.143%/cycle — still 12 orders of magnitude from the 10⁻¹⁵ needed for cryptanalysis.

2028–2033

First Logical Qubits

Early fault-tolerant demonstrations on 5–10 logical qubits using surface codes at d=5–7. Correlated cosmic-ray errors and frequency-crowding crosstalk prevent scaling beyond ~100k physical qubits.

2033–2040

Scalability Wall

Dilution refrigerator cooling power and wiring density hit fundamental thermodynamic limits. Cryo-CMOS heat dissipation at 4K exceeds the ~1W budget. No viable optical-to-microwave transduction demonstrated at scale.

2040–2050+

CRQC Remains Distant

Without breakthroughs in materials (TLS elimination), interconnects (optical transduction), or codes (qLDPC hardware realization), a Cryptographically Relevant Quantum Computer remains >20 years away. secp256k1 is safe.

2025–2027

Below-Threshold Operation & Open Source Compilation

Google Willow demonstrates Λ ≈ 2.14 error suppression (d=5→d=7, logical error rate 0.143%/cycle). IBM Heron achieves 99.9% ECR gates. Meanwhile, the ecdsa.fail crowdsourced circuit challenge shatters Google's theoretical compilation benchmarks, slashing the secp256k1 attack footprint to 1.38M Toffolis and pulling the threat horizon closer by decades.

2027–2030

Early Fault Tolerance

100–500 logical qubits via surface codes (d=13–17). Magic state distillation factories consume 60–80% of chip area. Real-time FPGA/ASIC decoders achieve sub-µs latency. Cryo-CMOS controllers at 4K reduce cable count by 10×.

2030–2034

Scaling Regime

qLDPC codes (Bivariate Bicycle) reduce physical overhead from ~1000:1 to ~50:1. Multi-chip modular architectures via superconducting or photonic interconnects reach 10⁵–10⁶ physical qubits. Tantalum qubits achieve T₁ > 500µs routinely.

2035–2040

CRQC Threshold

System reaches ~4,000 logical qubits with T-gate depth sufficient for Shor's on 256-bit ECC. Optimized Gidney-Ekeråa circuits require ~2,330 logical qubits and ~1.26 × 10¹¹ Toffoli gates. Full attack within hours to days of continuous operation.

2025–2026

Rapid Fidelity Gains

Tantalum transmons on high-resistivity silicon achieve T₁ up to 1.68ms (Princeton 2025). Double-transmon couplers reach 99.93% CZ fidelity. Intel Pando Tree operates cryo-CMOS at 10–20mK, co-located with qubits. IBM Condor (1,121 qubits) and Atom Computing (1,180 atoms) demonstrate 1000+ qubit processors.

2027–2028

Algorithmic Breakthroughs

Regev-style quantum factoring algorithms (2023) reduce qubit requirements by √n. Novel T-gate synthesis and distillation-free architectures (e.g., color codes with transversal T) slash overhead by 10–100×.

2029–2031

Modular Scaling

Photonic interconnects enable distributed quantum computing across multiple cryostats. AI-driven compilation reduces circuit depth by orders of magnitude. qLDPC hardware achieves code rates R > 1/10.

2032–2034

CRQC Operational

A purpose-built cryptanalytic quantum computer executes optimized Shor's algorithm against secp256k1 within hours. Exposed keys with long-dwell public keys are vulnerable. "Harvest now, decrypt later" archives become decryptable.

Key Institutional Projections

NIST (2024): Recommends 2035 as the earliest plausible CRQC date for planning purposes. All NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA) finalized in FIPS 203/204/205.

BSI Germany (2025): Critical infrastructure must migrate to PQC by December 31, 2030. General organizations by December 31, 2032. Classical-only key agreement sunset by 2031. Strongly mandates hybrid cryptography (classical + PQC) during transition.

Global Risk Institute (2026): Annual expert survey reports 28–49% probability of a CRQC within 10 years — the highest in the report's history, driven by rapid hardware progress and massive algorithmic improvements (e.g., the ecdsa.fail open-source compilation breakthrough shattering previous space-time volume limits).

NSA CNSA 2.0 (2022): National Security Systems must migrate to quantum-resistant algorithms by 2035. Software and firmware updates required by 2025.

4. The Expertise Matrix

The matrix below synthesizes the analysis from all eight technical chapters of this documentation. Each row represents a distinct academic discipline with fundamentally different expertise, tooling, and research culture. The existential bottleneck in each domain is the specific, quantifiable constraint that — if left unresolved — independently blocks the construction of a CRQC.

Academic Domain

Existential Bottlenecks

Pessimistic
2045+

Realistic
2035–2040

Aggressive
2029–2034

Pure Mathematics & Number Theory

Elliptic Curves ECDLP Shor's Algorithm Regev (2023)

ECDLP Circuit Complexity

Roetteler et al. (2017) estimate that Shor's algorithm for the 256-bit ECDLP on secp256k1 requires 2,330 logical qubits and approximately 1.26 × 10¹¹ Toffoli gates. The dominant cost is modular arithmetic over 𝔽ₚ — specifically, the iterated elliptic curve point addition requiring O(n³) reversible modular multiplications where n = 256.

T_{\text{Toffoli}} \approx 1.26 \times 10^{11}, \quad n_\text{logical} \approx 2{,}330

Alternative Algorithms

Regev's 2023 factoring algorithm reduces qubit count by a factor of √n relative to textbook Shor, at the cost of increased circuit depth. For ECC, Banegas et al. (2021) explored van Oorschot–Wiener-style quantum collision search, but these remain asymptotically inferior. No sub-exponential quantum speedup beyond Shor's O(n³) has been demonstrated for ECDLP.

Windowed Arithmetic Optimization

Häner et al. (2020) demonstrated that windowed modular exponentiation (processing w bits per iteration) reduces the Toffoli count to O(n³/w) with only O(w·n) additional ancilla qubits — a practical 5–8× improvement that directly reduces the space-time volume for the full secp256k1 attack.

No mathematical shortcuts are found. Shor's algorithm remains the only viable quantum attack path, requiring the full O(n³) Toffoli depth. secp256k1's 256-bit key space demands >10¹¹ non-Clifford gates — each requiring costly magic state distillation.

Windowed arithmetic and Karatsuba multiplication yield a cumulative 10–20× reduction in logical gate count. Optimized Gidney–Ekeråa-style circuits bring the Toffoli budget to ~10¹⁰, compatible with realistic distillation factories.

A novel quantum algorithm (e.g., extending Regev 2023 to elliptic curves) reduces scaling from O(n³) to O(n²), requiring only ~500 logical qubits and ~10⁸ T-gates — bringing ECC within range of near-term fault-tolerant devices.

Theoretical Physics & QEC

Surface Code qLDPC Bivariate Bicycle Willow (2024)

Surface Code Overhead

The surface code encodes 1 logical qubit in O(d²) physical qubits, where d is the code distance. For the error rates needed by Shor's algorithm (p_L < 10⁻¹⁵ per logical operation), distances d ≥ 27 are required, implying ~1,500 physical qubits per logical qubit. Google's Willow (2024) demonstrated Λ ≈ 2.14 error suppression per unit distance at d=5→d=7.

P_L \approx C \left(\frac{p}{p_{\text{th}}}\right)^{(d+1)/2}, \quad p_{\text{th}} \approx 0.5\%{-}1\%

qLDPC: Beyond Surface Codes

Bravyi et al. (2024) introduced Bivariate Bicycle (BB) qLDPC codes that achieve encoding rates R = k/n > 0 with bounded-weight stabilizers. These codes can encode k logical qubits in n physical qubits with constant overhead, potentially reducing the physical-to-logical ratio from ~1000:1 to ~50:1. However, they require non-local connectivity that conflicts with planar superconducting architectures.

R = k/n \approx 1/12 \text{ (BB codes)}, \quad \text{vs. } R = 1/d^2 \text{ (surface)}

Correlated Error Catastrophes

McEwen et al. (2022) proved that high-energy particle impacts (cosmic rays, gamma rays) create phonon bursts in superconducting substrates that simultaneously flip O(100) qubits within a ~1mm radius. This breaks the Independent and Identically Distributed (IID) error model that underpins all threshold theorems, reducing effective code distance to d_eff ≈ 1 during burst events.

Decoding Latency Budget

Syndrome extraction cycles run at ~1µs on superconducting hardware. The classical decoder must process the full syndrome graph and return corrections within this window. Union-Find decoders achieve O(n·α(n)) complexity (near-linear), but at d=27 with a full 3D matching problem, even FPGA-accelerated decoders consume ~400ns — leaving <600ns for data transport and correction application.

Correlated errors from cosmic rays remain fundamentally unmitigable in superconducting platforms. The IID threshold theorem breaks down at scale. Break-even for logical qubits beyond toy demonstrations never materializes in real hardware.

Phonon-absorbing moat structures and burst-aware decoders (belief propagation + MWPM hybrid) recover 80% of the IID threshold. qLDPC codes on neutral-atom hardware (with native long-range connectivity) reduce overhead to 50–100:1 by 2032.

AI-driven real-time decoders using neural-network syndrome processors at 4K eliminate the decoding latency bottleneck. Hardware-native qLDPC implementations on reconfigurable atom arrays achieve R > 1/10, making surface codes obsolete.

Computer Science & Compilation

Space-Time Volume T-Factories Litinski (2023) Circuit Depth

Space-Time Volume

The total computational cost of Shor's algorithm is measured in Space-Time Volume: V = N_logical × N_cycles. Litinski (2023) estimates V ≈ 2.07 × 10¹³ logical qubit-cycles for 256-bit ECDLP. At a 1µs cycle time, this implies ~240 days of continuous fault-tolerant operation — assuming zero hardware downtime and perfect state preservation.

V_{\text{total}} = N_\text{logical} \times N_\text{cycles} \approx 2.07 \times 10^{13}

Magic State Distillation Dominance

Non-Clifford T-gates cannot be implemented transversally in the surface code and must be realized via magic state distillation. Each T-gate consumes ~15 noisy |T⟩ states to produce one clean state (at the 15-to-1 distillation protocol). For the ~10¹¹ T-gates in Shor's circuit, the distillation factories consume 70–90% of the total physical qubit footprint.

\text{Distillation: } 15|T\rangle_{\text{noisy}} \rightarrow 1|T\rangle_{\text{clean}}, \quad p_\text{out} \approx 35p_\text{in}^3

Compilation & Synthesis

Translating high-level modular arithmetic into fault-tolerant Clifford+T gate sequences requires exact unitary synthesis (Ross-Selinger algorithm) and T-count optimization (phase polynomials). Current best synthesis achieves T-count of ~3·log₂(1/ε) per rotation, where ε is the per-gate synthesis error budget. For 10¹¹ rotations, ε must be ~10⁻¹⁵, demanding ~50 T-gates per rotation.

Magic state distillation overheads remain immovable. The space-time volume for secp256k1 exceeds 10¹³ logical qubit-cycles, requiring months of continuous fault-tolerant runtime even with aggressive pipelining. No practical attack is feasible.

Litinski's active-volume architecture with reactive measurements and magic state teleportation reduces V by 2–3 orders of magnitude. Gidney-Ekeråa compilation brings runtime to 8–24 hours.

Distillation-free non-Clifford gates via code switching (color codes ↔ surface codes) or gauge fixing eliminate the T-factory bottleneck entirely. Combined with AI-optimized circuit compilation, V drops below 10¹⁰.

Systems Engineering & Architecture

Cryo-CMOS FPGA/ASIC I/O Bandwidth Horse Ridge

The I/O Bandwidth Wall

Each physical qubit requires ~2–4 coaxial lines for control and readout. At 10⁶ physical qubits, this implies 2–4 million microwave lines between the ~10mK stage and room-temperature electronics. Current dilution refrigerators support ~1,000 lines before exceeding thermal budgets. The syndrome data rate scales as N_physical × f_syndrome × bits_per_syndrome ≈ 10⁶ × 10⁶ × 10 = 10¹³ bits/s.

\text{Bandwidth} = N_q \times f_s \times B \approx 10^{13} \text{ bits/s}

Cryo-CMOS Heat Dissipation

Intel's Horse Ridge II (2020) demonstrated a 4K cryo-CMOS controller capable of multiplexing 128 qubits from a single chip dissipating ~100mW. However, scaling to 10⁶ qubits would require ~800 such chips, collectively dissipating ~80W at 4K — far exceeding the ~1.5W cooling capacity of the 4K stage in current Bluefors XLD-series fridges.

Real-Time Classical Co-Processing

The quantum-classical feedback loop for QEC must complete within the coherence time budget. This requires: (1) syndrome readout → digitization (~200ns), (2) data transport to decoder (~100ns), (3) MWPM/UF decoding (~400ns), (4) correction pulse dispatch (~200ns). Total budget: ~1µs. Any component exceeding its budget causes logical errors to accumulate faster than correction.

Wiring density and thermal load cap the maximum addressable physical qubit count at ~100,000. This is insufficient for any fault-tolerant algorithm requiring >200 logical qubits at d ≥ 15. Full-scale ECC attack is architecturally impossible.

Cryogenic photonic links (optical-to-microwave transduction at 10⁻² efficiency) replace coaxial bundles for readout. Tightly coupled ASIC decoders at 4K perform syndrome processing on-chip. Multi-cryostat modular architectures interconnected by microwave-optical links reach 10⁶ physical qubits.

In-situ superconducting single-flux-quantum (SFQ) logic operating natively at 10mK performs all control, readout digitization, and syndrome decoding co-located with the quantum array — eliminating the room-temperature electronics rack entirely.

Materials Science & Fabrication

TLS Defects Tantalum Quasiparticles Josephson Junctions

Two-Level System (TLS) Defects

Amorphous aluminum oxide (AlOₓ) in Josephson junctions harbors microscopic TLS defects — atomic-scale tunneling states that resonantly absorb and re-emit qubit energy. TLS density of ~10⁴ GHz⁻¹µm⁻³ in standard tunnel barriers is the dominant source of energy relaxation (T₁ limit) and frequency instability in transmon qubits. Place et al. (2021) demonstrated that tantalum-based transmons achieve T₁ > 300µs by reducing surface oxide participation.

\frac{1}{T_1} = \frac{1}{T_1^{\text{TLS}}} + \frac{1}{T_1^{\text{QP}}} + \frac{1}{T_1^{\text{rad}}}

Quasiparticle Poisoning

High-energy particle impacts (cosmic rays, ambient radioactivity) break Cooper pairs in the superconducting ground plane, creating non-equilibrium quasiparticles. The resulting quasiparticle tunneling rate across the Josephson junction causes excess T₁ relaxation and correlated multi-qubit errors. Wang et al. (2014) measured burst rates of ~0.04 Hz per qubit in surface-level labs.

\Gamma_{\text{QP}} = \frac{8 E_J}{\pi \hbar} \sqrt{\frac{2\Delta}{\pi k_B T}} \cdot x_{\text{QP}}

Fabrication Uniformity at Scale

Josephson junction critical current (Iₒ) sets the qubit frequency via ω₀₁ ∝ √(8EⱼEᴄ) − Eᴄ. A ±1% variation in Iₒ across a million-qubit chip shifts frequencies by ~30MHz, creating frequency collisions that make simultaneous two-qubit gates impossible. Current best-in-class fabrication achieves ±2–3% variation using Dolan bridge evaporation.

TLS defect density reaches a thermodynamic floor in amorphous oxides — no process engineering can eliminate the oxide layer entirely. T₁ plateaus at ~500µs. Quasiparticle poisoning rates in surface-level facilities remain incompatible with >1 hour computations without underground shielding.

Epitaxial tantalum capacitors (Wang et al. 2022) and crystalline AlN tunnel barriers reduce TLS participation by 10×. Active quasiparticle trapping (vortex-based) and underground lab placement suppress burst errors. T₁ routinely exceeds 1ms. Laser-annealing achieves ±0.5% Iₒ uniformity.

Topological superconductors or entirely TLS-free crystalline junction technologies eliminate surface participation entirely. T₁ > 10ms achieved. Directed self-assembly nanolithography enables sub-nm junction uniformity at wafer scale.

Experimental Physics & Control

Gate Fidelity Crosstalk Leakage Tunable Couplers

Two-Qubit Gate Fidelity

The surface code error threshold demands p_physical < 0.5–1.0%. Current state-of-the-art: Google (2023) achieved 99.64% CZ fidelity, IBM Heron (2024) reached 99.9% ECR gates, and Quantinuum (2024) demonstrated 99.8% on trapped ions. However, these are isolated benchmarks — maintaining >99.9% across a large array of simultaneously operated gates with frequency crowding and residual ZZ coupling is qualitatively harder.

Parasitic ZZ Crosstalk

Static ZZ coupling between always-on transmon pairs causes a frequency-dependent conditional phase accumulation ζ_ZZ that entangles idling qubits. For a typical transmon-transmon detuning of ~300MHz with coupling g=30MHz, ζ_ZZ ≈ 50–200 kHz. Over a 1µs QEC cycle, this accumulates ~0.05–0.2 rad of parasitic phase — comparable to the error budget for individual gates.

\zeta_{ZZ} \approx \frac{2g^4}{\Delta^2(\Delta + \alpha)} \sim 50{-}200 \text{ kHz}

Leakage to Non-Computational States

The transmon's weakly anharmonic spectrum (α/2π ≈ −330MHz) means that fast gate pulses (< 30ns) excite the |2⟩ state at a rate proportional to (Ω/α)². Leaked population is invisible to standard surface code syndrome checks, causing undetected error propagation. Leakage rates of 0.1–0.5% per gate are typical; the Leakage-Reduction Circuit (LRC) protocol must flush |2⟩ population every QEC cycle.

Frequency Collision Problem

In a fixed-frequency lattice with random fabrication variations, the probability of two adjacent qubits having frequencies within a collision window (~17MHz for CZ gates) grows polynomially with array size. For a 1,000-qubit chip, ~15% of edges are expected to suffer collisions requiring post-fabrication frequency trimming (laser annealing) or routing workarounds.

ZZ crosstalk and frequency crowding in large fixed-frequency arrays prevent simultaneous high-fidelity gates beyond ~1,000 qubits. Leakage errors in the transmon's weakly anharmonic spectrum impose a fundamental per-gate error floor of ~10⁻³. Achieving 10⁻⁴ error rates across a full mega-qubit chip is physically impossible with transmon technology.

Tunable couplers achieve residual ZZ < 1 kHz, and parametric gates reach 99.95% fidelity across arrays of >10,000 qubits. DRAG-based leakage suppression and per-cycle LRC flush bring leakage below 0.01%. Laser-annealing resolves >90% of frequency collisions post-fabrication.

Fluxonium or 0-π qubits with >10GHz anharmonicity eliminate leakage entirely. AI-driven optimal control achieves 99.999% gate fidelity. Dynamic frequency tuning on every qubit provides collision-free operation at any scale.

Cryogenic & Electrical Engineering

Dilution Refrigerators Cooling Power Optical Transduction Thermodynamics

The Cooling Power Ceiling

The mixing chamber of a dilution refrigerator achieves ~15mK base temperature with a cooling power of ~20µW at 20mK. Active dissipation from qubit control pulses and parametric operations is estimated at ~10 fW per qubit. At 10⁶ qubits, this yields ~10nW of active dissipation — within budget. But passive heat loads from microwave cables (~1µW per coax at 20mK) dominate: 1,000 cables already consume the entire cooling budget.

\dot{Q}_{\text{cable}} = \frac{A}{L} \int_{T_C}^{T_H} \kappa(T)\, dT \approx 1\,\mu\text{W/cable}

Dilution Refrigerator Scale Limits

The Bluefors KIDE system (2024) represents the largest cryogenic platform, with a 1.4m-diameter mixing chamber plate. Even at this scale, thermal modeling suggests a maximum of ~10,000 superconducting qubits per cryostat before cable heat loads exceed the cooling budget. Reaching 10⁶ physical qubits requires either massive parallelism across 100+ cryostats or a fundamental rearchitecture of the control paradigm.

Optical-to-Microwave Transduction

Replacing coaxial cables with optical fibers (zero thermal conductivity, massive bandwidth) requires bidirectional conversion between microwave (~5–8 GHz) and telecom optical (~1550nm / ~193 THz). Current best results: electro-optic transduction achieves ~10⁻² photon conversion efficiency with added noise of ~0.5 photons, far below the >50% efficiency needed for deterministic quantum state transfer.

The 'Tyranny of Cables' cannot be physically circumvented with current technology. Mega-qubit processors violate the Wiedemann-Franz law constraints on thermal conductivity through metallic interconnects. Multi-cryostat architectures introduce inter-fridge latency that exceeds the QEC decoding budget.

Hybrid architectures with cryo-CMOS multiplexing at 4K reduce cable count by 100×. Optical readout links (classical, not quantum) eliminate the thermal bottleneck for syndrome data. Multiple large-bore cryostats connected by superconducting microwave waveguides enable 10⁶-qubit systems.

High-efficiency (>50%) quantum transducers enable all-optical inter-cryostat entanglement distribution. Superconducting single-flux-quantum (SFQ) logic at 10mK replaces all room-temperature electronics. Cooling systems achieve >100µW at 20mK through novel ³He circulation designs.

5. Cross-Domain Failure Cascades

The seven domains are not independent — they form a tightly coupled dependency graph where failure in one domain cascades to block progress in others. Understanding these couplings is essential for accurate threat assessment.

Materials → Physics → QEC

Cascade: TLS defects in junction oxides limit T₁ → limited T₁ caps achievable gate fidelity → gate error rates above threshold prevent surface code scaling → logical qubits cannot be constructed → Shor's algorithm cannot execute.

Quantified: Every 2× improvement in T₁ enables roughly one additional unit of code distance before the threshold is reached.

Cryogenics → Systems → Scale

Cascade: Dilution fridge cooling power limits cable count → cable count limits addressable qubits → qubit count limits available logical qubits → logical qubit count determines maximum algorithm size.

Quantified: Current ~20µW at 20mK supports ~1,000 coax lines = ~500 qubits. Need 3–4 orders of magnitude improvement.

QEC → Compilation → Runtime

Cascade: Surface code overhead determines physical qubit count per logical qubit → this determines the T-factory throughput → throughput determines how fast T-gates can be consumed → this sets the minimum runtime for Shor's algorithm.

Quantified: At 1 T-gate per µs per factory × 20 factories, consuming 10¹¹ T-gates takes ~5 × 10⁹ seconds ≈ 58 days. Need 1,000× parallelism.

Math → CS → Everything

Cascade: Mathematical algorithm design determines logical qubit count → this determines physical qubit count → this determines cryogenic requirements → this determines engineering feasibility. A 10× improvement in Toffoli count propagates as a 10× reduction in every downstream metric.

Quantified: Regev's algorithm trades qubits for depth: √n fewer qubits but n^(3/2) more depth. Net effect on space-time volume is context-dependent.

6. Bitcoin's Specific Vulnerability

Bitcoin's exposure to quantum attack is uniquely complex. The protocol uses ECDSA on secp256k1 for transaction signing. The public key is exposed in two scenarios:

Pay-to-Public-Key (P2PK) — Permanent Exposure

Early Bitcoin transactions (2009–2012, including Satoshi's coins) used P2PK, where the public key is directly embedded in the output script. These ~4 million BTC (~$250B at current prices) have public keys permanently visible on the blockchain. A CRQC could derive private keys at leisure — there is no time constraint.

Pay-to-Public-Key-Hash (P2PKH/P2SH) — Transient Exposure

Modern transactions use hashed public keys (via RIPEMD-160 + SHA-256). The full public key is only revealed when a transaction is broadcast and enters the mempool. A CRQC must solve the ECDLP and broadcast a competing transaction within the ~10-minute block confirmation window. This is a dramatically harder real-time constraint than the P2PK case.

Address Reuse — The Silent Risk

Any address that has ever sent a transaction has its public key permanently exposed. As of 2024, approximately 5.5 million BTC reside in addresses with exposed public keys (combining P2PK and reused P2PKH). These funds are vulnerable to a CRQC without any time constraint.

Post-Quantum Migration Status

NIST PQC (2024): ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+) standardized in FIPS 203/204/205. These are drop-in replacements for key exchange and digital signatures in TLS, SSH, and PKI. However, Bitcoin's scripting language (Script) has no native support for lattice-based or hash-based signatures.

Bitcoin-specific challenges: (1) No consensus on migration mechanism (soft fork vs. hard fork), (2) signature sizes increase 10–100× (Dilithium: 2.4KB vs. ECDSA: 72 bytes), bloating the blockchain, (3) Satoshi's coins cannot be migrated without the original private key, creating a permanent vulnerability class.

Skepticism & Counter-points

"Quantum computers will never scale beyond NISQ" This argument underestimates the compounding effect of industrial investment. Google, IBM, Microsoft, Amazon, and state actors (China, EU) are collectively investing >$30B annually in quantum computing. The argument that fundamental physics prevents scaling must explain why superconducting qubit coherence has improved ~10,000× in 20 years (from ~1ns in 2000 to ~300µs in 2024), a trajectory comparable to early transistor scaling. However, the historical comparison is imperfect: transistor scaling leveraged well-understood semiconductor physics, while qubit scaling faces qualitatively different barriers (quantum decoherence, correlated errors) with no analogous Moore's Law guarantee.
"Post-quantum cryptography solves everything" PQC protects future communications but cannot retroactively protect data already harvested in "store now, decrypt later" campaigns. For Bitcoin specifically, ~5.5 million BTC in P2PK and reused P2PKH addresses have permanently exposed public keys that no migration can protect unless the private key holders act first. Furthermore, PQC algorithms themselves face potential vulnerabilities: lattice-based schemes rely on the hardness of Learning With Errors (LWE), which may yet prove to have unexpected classical or quantum attacks.
"The timeline is at least 20+ years away, so there's no urgency" This ignores three critical factors: (1) Harvest now, decrypt later — adversaries are already collecting encrypted traffic for future decryption. (2) Migration inertia — the Y2K remediation took >5 years even with universal urgency; PQC migration is more complex. (3) Non-linear breakthroughs — a single algorithmic advance (like Regev's 2023 factoring algorithm) can compress timelines by decades. The prudent approach applies the precautionary principle: begin migration now, regardless of the exact CRQC timeline.
"Alternative qubit modalities (neutral atoms, trapped ions) bypass superconducting limitations" This is partially true. Neutral-atom platforms (QuEra, Atom Computing) offer native long-range connectivity ideal for qLDPC codes, and trapped-ion platforms (Quantinuum) achieve superior gate fidelities (~99.8%). However, both face their own existential bottlenecks: neutral atoms suffer from atom loss during multi-qubit gates (~0.1% per gate), and trapped ions face secular frequency crowding limits at ~50–100 ions per trap. No modality has yet demonstrated a clear path to 10⁶ physical qubits.

7. Synthesis & Verdict

The seven-domain analysis reveals that no single bottleneck is a permanent showstopper, but the requirement for simultaneous resolution across all domains creates an enormous aggregate challenge. The most defensible projection:

Most Likely CRQC Window: 2035–2045

The convergence of qLDPC codes, improved materials (tantalum, crystalline junctions), modular multi-cryostat architectures, and optimized Shor's compilation will likely enable a CRQC capable of attacking 256-bit ECC within this window. The primary wildcards are: (1) whether qLDPC codes can be physically realized with sufficient connectivity, and (2) whether cryogenic engineering can support >10⁶ physical qubits.

Required Action: Begin Migration Now

Regardless of the exact CRQC timeline, Mosca's inequality demands immediate action for long-lived secrets. For Bitcoin, this means: (1) Stop reusing addresses, (2) Move funds from P2PK outputs, (3) Begin designing a PQC-compatible Script extension, and (4) Develop a community consensus on migration mechanisms — preferably via soft fork introducing quantum-resistant signature verification.

Key Literature & References

Roetteler et al. (2017) — "Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms"
The foundational resource estimate for Shor's algorithm on elliptic curves. Provides the 2,330 logical qubit and ~10¹¹ Toffoli gate counts cited throughout this analysis for the secp256k1 ECDLP.
Gidney & Ekeråa (2021) — "How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits"
Demonstrates that aggressive compilation optimizations (windowed arithmetic, compressed Toffoli depth) can reduce the physical qubit count for RSA-2048 from billions to 20 million — establishing the template for optimized ECC attacks.
Regev (2023) — "An Efficient Quantum Factoring Algorithm"
Proposes a quantum factoring algorithm requiring only O(n^1.5) gates and O(√n) qubits. If extended to elliptic curves, could reduce logical qubit requirements by √n, potentially making ECC attacks feasible on smaller near-term devices.
Bravyi et al. (2024) — "High-threshold and low-overhead fault-tolerant quantum memory"
Introduces Bivariate Bicycle qLDPC codes with encoding rate R = k/n > 0, reducing the physical-to-logical qubit overhead from ~1000:1 (surface code) to ~50:1. Potentially the most important advance for cryptanalytic quantum computing in the 2020s.
McEwen et al. (2022) — "Resolving catastrophic error bursts from cosmic rays"
Nature Physics. Experimentally demonstrates that cosmic ray impacts create correlated multi-qubit errors in superconducting arrays, breaking the IID assumption underlying all QEC threshold theorems. Necessitates burst-aware decoders and phonon-absorbing moat structures.
Google Quantum AI — "Willow" (2024)
Demonstrates error suppression factor Λ ≈ 2.14 when scaling surface code from distance 3→5→7 on a 105-qubit processor. First convincing evidence that adding physical qubits to a topological code actually improves logical error rates in practice.
Place et al. (2021) — "New material platform for superconducting transmon qubits with coherence times exceeding 0.3 milliseconds"
Nature Communications. Demonstrates that replacing aluminum capacitors with tantalum reduces TLS participation and achieves T₁ > 300µs — a 5× improvement over standard aluminum transmons. Establishes tantalum as the preferred material for high-coherence qubits.
Acharya et al. / Google Quantum AI (2024) — "Quantum error correction below the surface code threshold"
Nature. The Willow processor achieves sub-threshold logical error rates on a distance-7 surface code, demonstrating the exponential error suppression scaling predicted by theory. The error suppression factor Λ ≈ 2.14 ± 0.02 per unit increase in code distance.
NIST FIPS 203/204/205 (2024) — Post-Quantum Cryptography Standards
Finalizes ML-KEM (CRYSTALS-Kyber), ML-DSA (CRYSTALS-Dilithium), and SLH-DSA (SPHINCS+) as the first NIST-standardized post-quantum algorithms. Provides the concrete replacement primitives for ECDSA/RSA that the cryptographic community must migrate to.
Litinski (2023) — "How to compute a 256-bit elliptic curve discrete logarithm in 9 hours with a million noisy qubits"
Provides the most aggressive realistic resource estimate: ~1M physical qubits, ~9 hours runtime, using active-volume architecture with magic state teleportation. Represents the current frontier of compilation optimization for ECC cryptanalysis.
Babbush et al. / Google Quantum AI (2026) — "Breaking Elliptic Curve Cryptography with Less Than 500,000 Physical Qubits"
The most aggressive credible resource estimate to date: <500,000 physical qubits to solve 256-bit ECDLP, using optimized point addition, magic state cultivation, and active-volume compilation. A 20× reduction from prior industry estimates, this paper significantly compressed the expert consensus on CRQC timelines.
Gidney (2025) — "Magic State Cultivation: Growing T States Instead of Distilling Them"
Introduces in-place patch growth and shallow transversal measurements for T-state preparation. Enables 20× reduction in physical qubit overhead for RSA-2048 (from 20M to <1M), with direct applicability to ECC resource estimates. Supplants traditional 15-to-1 distillation protocols.
Global Risk Institute (2026) — "Quantum Threat Timeline Report"
Annual survey of quantum computing experts reports 28–49% probability of a CRQC within 10 years — the highest in the report's history. Driven by rapid hardware progress (Willow, tantalum qubits) and algorithmic breakthroughs (Babbush et al. 2026). Provides the empirical basis for the "realistic" timeline scenario.
Banegas et al. (2021) — "Concrete quantum cryptanalysis of binary elliptic curves"
Provides refined quantum resource estimates for binary elliptic curves using optimized reversible arithmetic circuits. Demonstrates the sensitivity of total Toffoli counts to the specific curve parameters and arithmetic representation chosen.