🔥BTC/USDT

Quantum research keeps 2035 encryption phaseout timeline

The U.S. timetable for retiring encryption systems vulnerable to quantum attacks remains centered on 2035, even after new research sharply lowered the theoretical hardware needed to break elliptic curve cryptography, the mathematical foundation used across major blockchains, secure websites and digital identity systems.

A 2026 circuit-design study reduced the projected requirement for a cryptographically relevant quantum computer from about 317 million physical qubits to roughly 500,000. The figure marks a major revision in long-term security expectations, but it does not mean Bitcoin, Ethereum or today’s internet encryption systems face an immediate practical threat.

The gap between theory and working hardware remains enormous. Current operational quantum processors can run algorithms with about 105 functional qubits, far below the hundreds of thousands of stable, error-corrected qubits that would be needed to break elliptic curve cryptography at scale. The largest functioning superconducting chips, including systems comparable to the Willow processor, still meaningfully operate below 110 qubits.

The National Institute of Standards and Technology and the National Security Agency have kept their migration target anchored at 2035, when vulnerable public-key encryption systems are expected to be phased out across federal and critical public infrastructure. That timetable reflects the belief that quantum risk is serious enough to require planning now, but not yet advanced enough to represent an immediate attack tool.

Quantum-risk forecaster Drake has estimated a 10% chance that a workable quantum system capable of threatening modern public-key encryption could appear before 2030 and a 50% likelihood by 2032. Even under that more urgent outlook, the practical rollout of post-quantum protections remains aligned with the 2035 transition window.

For cryptocurrency traders, the central message is clear: a machine capable of cracking standard cryptographic locks does not exist today. However, the long-term risk is no longer theoretical enough to ignore, especially for wallets whose public keys have already been exposed on-chain.

Why the new qubit estimate matters

The 2026 study is important because it changes the scale of the problem. Earlier estimates suggested that hundreds of millions of physical qubits would be needed to break elliptic curve cryptography. That placed the threat far beyond any realistic engineering horizon.

The new estimate of about 500,000 physical qubits is still extremely demanding, but it brings the target into a range that researchers can describe with more concrete architecture, error correction and circuit-design assumptions. It does not show that such a computer can be built now. It shows that the theoretical path to one may be more efficient than previously believed.

The study found that a successful attack on elliptic curve protections would require around 1,200 logical qubits connected across approximately 90 million Toffoli gates. Logical qubits are not the same as physical qubits. They are built from many physical qubits working together to detect and correct errors, which is essential because quantum information is fragile and easily disrupted by noise.

To make those 1,200 logical qubits function for cryptanalysis, researchers estimated that roughly 500,000 stable physical qubits would need to operate continuously for several minutes. The machine would also need extremely low error rates, close to one failure in every 90 million operations.

That requirement remains far beyond current machines. While scientific progress has been rapid, quantum processors are still small, noisy and difficult to scale. Better designs have improved efficiency, but the underlying hardware has not yet reached the size or reliability needed for real-world codebreaking.

Current hardware is improving but still far behind

Quantum hardware has improved in several important areas. Two-qubit operation fidelity now exceeds 99.9% in leading systems, and coherence times have extended from microseconds toward milliseconds. These numbers matter because higher fidelity and longer coherence increase the chance that quantum operations can run accurately before information is lost.

Even so, the total number of usable qubits in a single working machine has barely expanded compared with what cryptographic attacks would require. A device with roughly 105 functional qubits is thousands of times smaller than a system capable of threatening Bitcoin, Ethereum or conventional secure internet protocols.

Researchers have also made progress in error correction. Tests using 101 physical qubits have shown that logical error rates can be reduced by about half compared with smaller clusters. That is a meaningful scientific result, but it remains several orders of magnitude short of the reliability required to run Shor’s algorithm against strong elliptic curve systems.

Shor’s algorithm is the quantum method that could, in principle, break widely used public-key encryption by solving mathematical problems that classical computers cannot solve efficiently. For elliptic curve cryptography, the algorithm would need to run across large, error-corrected qubit arrays capable of detecting faults and fixing them in real time.

That is the core obstacle. It is not enough to build many qubits. They must remain stable, interact accurately and be corrected continuously while the computation runs. The system must also process a huge stream of error data quickly enough to prevent small mistakes from spreading through the calculation.

Error correction remains the main barrier

The most difficult barrier is not only qubit count, but fault tolerance. A cryptographically relevant quantum computer would need to perform a very long sequence of operations with almost no accumulated failure.

Research groups have demonstrated faster decoding tools and scalable control designs. Some experimental systems use FPGA-based hardware capable of processing fault information within one-microsecond cycles. Faster decoding is necessary because error correction must keep pace with the quantum processor as it operates.

Magic-state generation, readout speed and decoding throughput have all improved. These are essential components for building a machine capable of running complex quantum circuits. However, the throughput of these systems still trails the level required to support 500,000 physical qubits running in a coordinated, corrected environment.

The challenge is comparable to moving from a laboratory engine to a full-scale power grid. Individual components can show strong performance, but the integrated system must work continuously, reliably and at scale. That has not yet been demonstrated.

As a result, estimates still point to cryptographically relevant quantum hardware being out of reach within the current decade. The revised qubit requirement makes the target less distant than before, but it does not make it near.

Bitcoin’s exposure is concentrated in visible public keys

Bitcoin’s design creates a specific kind of quantum-risk profile. The network does not expose every public key immediately. Standard Bitcoin addresses are derived from hashes of public keys, meaning coins that have never been spent do not reveal the raw public key on the blockchain.

That structure gives unspent coins an additional layer of protection against Shor’s algorithm. A quantum attacker would need the public key to try to derive the private key. If the public key has not been revealed, the attacker cannot directly run the relevant attack against that coin.

The risk appears when a Bitcoin holder broadcasts a transaction. To authorize a transfer, the owner reveals the public key associated with the address. Once that key is visible, a sufficiently powerful quantum computer could theoretically attempt to calculate the private key before or after the transaction is confirmed.

Researchers estimate that about 6.7 million Bitcoin are connected to public keys already visible from past transactions. These coins are considered more exposed in a future quantum scenario than coins held in addresses that have never spent.

That does not mean those coins are vulnerable now. It means that, if a cryptographically relevant quantum computer becomes available before the network has migrated to quantum-resistant signatures, visible public keys would be among the first targets.

Ethereum faces broader account-based risk

Ethereum has a different exposure because of its account model. Ethereum addresses are reused more naturally, and any wallet that has previously sent a transaction has exposed the public key needed to verify signatures.

That makes Ethereum’s long-term quantum-risk surface broader than Bitcoin’s. A wallet that has interacted with smart contracts, transferred tokens or paid gas has already placed relevant cryptographic information into the public record.

The transition path is also more complex. Ethereum would need to support post-quantum signature schemes and give users a way to migrate funds from older private keys into new quantum-resistant accounts. Dormant wallets that never update would remain a challenge.

This issue is not limited to Ethereum. Any blockchain that relies on elliptic curve signatures and exposes public keys during normal use faces some version of the same problem. The exact level of risk depends on account structure, address reuse, signature design and the speed of any future migration.

A successful transition would require protocol upgrades, wallet support, exchange-independent infrastructure support, user education and enough time for inactive holders to move funds. The technical fix exists in principle, but wide deployment across a global network is operationally difficult.

Store-now, decrypt-later concerns are growing

The more immediate concern for the broader internet is not instant codebreaking, but “store now, decrypt later” activity. Under this model, attackers collect encrypted traffic today and hold it until future quantum computers can decrypt it.

Security specialist Walker has warned that malicious actors are already copying secure internet traffic for possible future use. A 2026 global security report from Thales found that 61% of technology professionals viewed this delayed attack method as their main worry.

The logic is straightforward. Sensitive material that must remain confidential for many years is vulnerable if it is intercepted now and decrypted later. Financial records, government communications, legal files, health data, identity credentials and corporate secrets could all be affected if old encryption becomes breakable in the future.

For blockchains, the equivalent concern is the permanent public ledger. Transaction histories cannot be erased. If public keys, wallet behavior and high-value addresses are visible today, they can be cataloged long before quantum hardware becomes capable of attacking them.

That is why some security professionals recommend that active trading wallets be separated from long-term storage. The goal is to reduce the amount of public information linked to high-value reserves.

Practical steps for cryptocurrency traders

Market participants who buy and sell digital assets are increasingly being advised to review how they separate active funds from long-term holdings. The immediate goal is not to defend against a quantum computer that exists today, but to reduce future exposure from public transaction history.

Security specialists often recommend routing day-to-day transfers through temporary intermediary wallets rather than repeatedly using the same long-term addresses. The purpose is to prevent main reserves from becoming easy targets through repeated ledger monitoring.

Long-term holdings are generally safer when they do not interact with external contracts, public apps or frequent transfers. Once an address becomes active, it can reveal more information about ownership patterns, counterparties and public keys.

This practice does not eliminate all risk. It also does not replace the need for eventual post-quantum upgrades at the protocol level. But it can reduce the amount of data available to attackers building long-term databases of high-value targets.

The strongest protection will come from network-wide migration to quantum-resistant signatures. Until then, safer wallet hygiene can limit unnecessary exposure.

Post-quantum upgrades could raise costs

Moving blockchains to post-quantum security will likely affect performance and fees. Many quantum-resistant signature schemes require larger signatures, larger public keys or heavier verification demands than current elliptic curve signatures.

A May 2026 study published in the Journal of the British Blockchain Association calculated that some future security upgrades could triple transaction fees while reducing network speed by more than half. Those estimates depend on the specific signature scheme and how each blockchain implements the transition.

The trade-off is clear. Stronger cryptographic protection may require more data per transaction and more processing by network nodes. That could increase congestion, raise transaction costs and reduce throughput unless developers find efficient compression, aggregation or layer-two solutions.

Engineers are already testing new mathematical structures on secondary network layers to evaluate how systems handle heavier data loads. Closed testing environments are examining transaction models designed for quantum-resistant security, though full public deployment remains years away.

Layer-two networks may play a major role because they can process activity away from the base chain while posting compressed proofs or settlement data later. However, those systems must also be designed with quantum resistance in mind, or they could simply move the vulnerability from one layer to another.

A growing hardware and security race

The race to build larger quantum systems is also driving broader growth across the computing industry. The quantum computing market reached an estimated size of $1.82 billion in 2026, supported by public research funding, private capital spending and national security programs.

Governments are treating quantum computing as a strategic technology because it has implications for encryption, materials science, drug discovery, logistics and defense. At the same time, cybersecurity agencies are pushing organizations to prepare for the post-quantum era before large-scale quantum machines arrive.

NIST has already advanced post-quantum cryptography standards designed to replace vulnerable public-key systems. The NSA has also directed national security systems toward quantum-resistant algorithms over the coming decade.

The central challenge is timing. If migration happens too slowly, sensitive systems could remain exposed when capable hardware arrives. If migration happens too early without mature standards and tested infrastructure, networks could create new security and performance problems.

That is why the 2035 deadline remains important. It gives governments, companies and open-source networks a fixed planning horizon while acknowledging that the technical threat could accelerate.

The risk is future-facing, not immediate

The latest research does not show that Bitcoin, Ethereum or secure internet protocols can be broken today. It shows that the hardware threshold may be lower than earlier estimates suggested, and that organizations should treat post-quantum migration as a necessary long-term project.

Current quantum machines remain far too small and too error-prone to crack elliptic curve cryptography. They are still experimental systems, not working codebreaking engines. The leap from about 105 functional qubits to 500,000 stable, continuously corrected physical qubits remains one of the hardest engineering challenges in computing.

For now, practical threats to ECC-based systems remain hypothetical. But the direction of travel is clear. Quantum hardware is improving, cryptographic standards are changing, and permanent public ledgers create long-lived exposure that cannot be ignored.

The 2035 phase-out target remains the key date for public infrastructure, while blockchain networks face their own migration decisions. Traders do not need to assume immediate quantum theft, but they do need to understand that today’s public transaction history could matter in a future where quantum computers are no longer confined to the laboratory.


Concerned about crypto’s quantum risk? Learn how secure storage works in this detailed guide.

Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.

Sign up and trade to earn over 15,000 USDT
Sign up