Why the Quantum Attack on ECC Keeps Getting Cheaper, and Where It Stops
On a public scoreboard called ecdsa.fail, researchers and AI agents are competing to shrink a quantum circuit for breaking secp256k1, the elliptic curve under every Bitcoin and Ethereum signature. Submissions are scored on the product of two numbers, the logical qubits the circuit needs and the Toffoli gates it consumes, and both have been falling for weeks. The peak qubit count for one point addition, the operation at the heart of the attack, has come down from 2,330 under the 2017 academic baseline into the high 1,100s, and the descent has not stopped.
I have been expecting this, and not as a hunch. In my analysis of how ECC became the easiest quantum target, I argued that elliptic-curve attack circuits were badly underexplored next to factoring, and that a single wave of optimization could vault the curves forward with no new hardware at all. 2026 is that wave. It opened with Google’s March resource estimate for secp256k1, continued through André Schrottenloher’s open reproduction of those withheld circuits two months later, and is now running in public on the ecdsa.fail leaderboard. Three major ECDLP papers landed in a single quarter, from France and China as much as from Google. The rebalancing toward ECC that I called overdue is here.
The headline number is closing on a floor set by the arithmetic of the problem, near 500 logical qubits, and the gap between today’s circuits and that floor is now small enough to estimate. No machine can run such a circuit yet, and a leaner circuit makes the hardware harder to build rather than easier. That is not a reason to relax. It is the shape of the threat: the resources an attack needs and the hardware that can supply them are two separate curves, one now flattening against its floor and the other still climbing, and a CRQC exists the moment they cross. The algorithmic curve is the one that moves without warning, and in 2026 it moved. The migration you have to finish is longer than the warning you are going to get.
A scoreboard for one quantum operation
ecdsa.fail is a project from Eigen Labs, and its scope is narrower than the name suggests. It is not a live exploit, and nobody’s keys are being broken on it. It is an optimization arena for a single primitive. Point addition is the inner loop of Shor’s algorithm applied to the elliptic-curve discrete logarithm problem (ECDLP): to recover a private key, the algorithm repeats a controlled point addition a few dozen times in a windowed circuit inside a phase-estimation wrapper. The peak number of qubits live during that point addition is, to a good approximation, the logical-qubit size of the whole machine, and the Toffoli count sets how many magic states the magic-state factories must produce. Shrink the point addition and you shrink the attack.
The challenge repository makes the rules unusually strict, which is what gives the leaderboard credibility. Every submission is a reversible circuit checked over 9,024 test cases. Ancilla qubits must be uncomputed back to the zero state before they are freed. The global phase has to come out clean, with no leftover kickback from sloppy uncomputation. Running the circuit and then its inverse must restore the original state exactly. A Toffoli saving that comes from skipping uncomputation or leaking phase does not score lower; it fails. The result is a benchmark that rewards real circuit improvements and rejects accounting tricks.
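To make those rules concrete, here is an added example (mine, not the challenge's own verifier or any submission): a classical simulator for circuits built from X, CNOT and Toffoli gates, a checker that enforces the two rules a basis-state simulation can see (every ancilla back to zero for every input, and circuit followed by inverse restoring the input), and three candidate circuits for the same small function. The wire layout, the circuits and the scoring function are my constructions. Phase is invisible to this simulator, which the real verifier also checks, and its exhaustive sweep only scales to toy sizes, so it is an illustration of the rule rather than a reimplementation of the 9,024-case harness.

```python
from itertools import product

# A gate is (controls, target): 0 controls = X, 1 = CNOT, 2 = Toffoli.
# Wires [0, n_data) are data, wires [n_data, n_data + n_anc) are ancillas.

def apply_gates(gates, state):
    """Run a reversible circuit on a classical basis state (tuple of bits)."""
    s = list(state)
    for controls, target in gates:
        if all(s[c] for c in controls):
            s[target] ^= 1
    return tuple(s)

def inverse(gates):
    """X, CNOT and Toffoli are self-inverse, so the inverse is the reversed list."""
    return list(reversed(gates))

def toffoli_count(gates):
    return sum(1 for controls, _ in gates if len(controls) == 2)

def verify(gates, n_data, n_anc):
    """Exhaustive basis-state check in the spirit of the challenge rules:
    (1) every ancilla is back to 0 after the circuit, for every data input;
    (2) the circuit followed by its inverse restores the input exactly.
    Returns (ok, reason). Phase is invisible here; in a real circuit an
    ancilla left correlated with the data breaks the interference that
    phase estimation relies on, which is why the real verifier checks it."""
    for data in product((0, 1), repeat=n_data):
        start = data + (0,) * n_anc
        out = apply_gates(gates, start)
        if any(out[n_data:]):
            return False, f"ancilla not uncomputed for input {data}: {out}"
        if apply_gates(inverse(gates), out) != start:
            return False, f"circuit * inverse != identity for input {data}"
    return True, "ok"

def score(gates, n_data, n_anc):
    """Leaderboard-style product: qubits used times Toffoli gates consumed.
    A circuit that fails verification has no score at all."""
    ok, _ = verify(gates, n_data, n_anc)
    return (n_data + n_anc) * toffoli_count(gates) if ok else None

# Target function on data wires (a, b, out): out ^= a AND b.
# Version 1: Bennett pattern, compute a*b into an ancilla, copy it out, uncompute.
BENNETT = [((0, 1), 3), ((3,), 2), ((0, 1), 3)]   # 4 wires, 2 Toffolis
# Version 2: "save a Toffoli" by skipping the uncompute; leaves the ancilla dirty.
SLOPPY = [((0, 1), 3), ((3,), 2)]                  # 4 wires, 1 Toffoli
# Version 3: a genuine improvement: no ancilla, one Toffoli straight into out.
DIRECT = [((0, 1), 2)]                             # 3 wires, 1 Toffoli

def leaderboard():
    """Score the three candidates; None means the verifier rejected it."""
    return {
        "bennett": score(BENNETT, 3, 1),
        "sloppy": score(SLOPPY, 3, 1),
        "direct": score(DIRECT, 3, 0),
    }

if __name__ == "__main__":
    for name, s in leaderboard().items():
        print(f"{name:8s} score={s}")
```

The sloppy circuit has the lowest Toffoli count of the three, and it does not score at all: on input (1, 1, x) it leaves the ancilla set. The direct circuit scores lower than the Bennett one because it really is cheaper, which is the distinction the rules are designed to enforce.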
What pushed this into public view was a piece of scientific theater. On March 31, 2026, Google’s quantum team published a secp256k1 resource estimate that improved on the prior state of the art, and withheld the actual circuits, releasing only a zero-knowledge proof that circuits achieving the claimed counts exist. Their stated concern was responsible disclosure. The secret lasted 63 days. Schrottenloher reconstructed the central technique from Google’s own earlier work and published open circuits that match Google on qubits and beat them on gates; Craig Gidney, who designed the originals, conceded on his blog that open publication was the better path. The open challenge launched in the same window, and contributors, including AI “autoresearch” agents and at least one teenager, have been pushing the product below the published baselines since.
The numbers now agree across independent groups, which is the strongest signal that they are real rather than provisional. Schrottenloher’s reproduction reports two operating points for secp256k1: about 1,192 logical qubits in the space-optimized version and 1,446 in the gate-optimized one, with the qubit cost scaling as $$4.355n + O(\sqrt{n})$$ for an n-bit prime. Those sit right on top of Google’s own pair, 1,175 and 1,425, and undercut Google’s gate counts by roughly 10 percent. The EUROCRYPT 2026 construction of Clémence Chevignard, Pierre-Alain Fouque, and Schrottenloher, built to minimize width, lands at about 1,193 qubits, though it pays a gate penalty of roughly three orders of magnitude to get there. Run the full algorithm in the gate-optimized regime and it comes to about 1,460 logical qubits and 56 million Toffoli gates, against the roughly 200 million the same full algorithm needed under Litinski’s 2023 construction: about half the qubits and a third of the gates in three years. The leaderboard figure in the high 1,100s is one more point in that band.
How the count got this low
The number people quote is the qubit count, but the quantity that has actually improved is the product, and the gap between those two is worth pinning down. In 2017, Martin Roetteler, Michael Naehrig, Krysta Svore, and Kristin Lauter published the reference estimate: an n-bit ECDLP needs at most
$$9n + 2\lceil \log_2 n \rceil + 10$$
logical qubits and at most
$$448\,n^3 \log_2 n + 4090\,n^3$$
Toffoli gates. For secp256k1 that is 2,330 qubits and roughly $$1.3 \times 10^{11}$$ Toffolis. Every result since has traded along the curve between those two costs, and the trades do not always run the same way.
Daniel Litinski’s 2023 construction is the clean illustration. He cut the Toffoli count by orders of magnitude with windowed arithmetic, precomputing a lookup table of point multiples and adding them in chunks rather than bit by bit, building on Häner, Jaques, Naehrig, Roetteler, and Soeken, and he did it partly by spending more qubits, not fewer. The tables cost width and buy back gates. So the qubit coordinate went up while the product came down. Anyone reading the leaderboard as a simple qubit countdown is missing that contestants can move in either direction on the qubit axis, as long as the product drops.
Three forces drive the product down, and they differ in kind.
The first is better field arithmetic. A point addition over a prime field is dominated by modular multiplications and one modular inversion, and the inversion is the expensive part. Most of the early gains came from windowing the multiplications and reorganizing the curve arithmetic to spread or avoid per-addition inversions. This is incremental, well-understood engineering of reversible circuits.
The second, and the larger recent lever, is approximate and measurement-based circuitry, and the 2026 wave is its clearest expression. The threads that cut RSA’s qubit count, Gidney’s 2025 factoring result and the work before it, established that the arithmetic need not be exact: the circuit may fail with bounded probability, because Shor only needs to succeed on random inputs often enough to read the period out of the measurement statistics. The ECC version is sharper. The expensive modular inversion inside point addition is normally computed with the Extended Euclidean algorithm; the new circuits split it into a forward pass that records its branch decisions into a compressed bit-vector and a Bézout reconstruction that replays them, which lets the modular multiplication run in place with no separate inversion register. That single restructuring, drawn from a method Google had already published in an October 2025 paper on decoded quantum interferometry, is most of why the leading qubit constant fell from Roetteler’s $$9n$$ toward $$4.355n$$. A trick specific to secp256k1 helps further: its prime, $$2^{256} - 2^{32} - 977 = 2^{256} - 4294968273$$, is pseudo-Mersenne, so modular reductions collapse into small constant multiply-and-add steps.
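Two of the ingredients above have clean classical analogues, and the following added example (mine, classical Python rather than a reversible circuit, and not Google’s or Schrottenloher’s circuits) shows both on the secp256k1 prime. First, the pseudo-Mersenne reduction: because $$2^{256} \equiv 2^{32} + 977 \pmod p$$, a 512-bit product folds down with two multiply-by-a-33-bit-constant-and-add steps and one conditional subtraction. Second, the record-and-replay structure of the inversion: a forward pass of binary extended Euclid runs on the $$(u, v)$$ registers only and writes each branch decision as two bits onto a tape; a second pass reconstructs the Bézout coefficient from the tape alone and never touches $$(u, v)$$ again. The tape encoding and the particular binary variant are my choices for illustration, not the papers’ circuit-level constructions.

```python
# secp256k1 field prime: p = 2^256 - 2^32 - 977 = 2^256 - 4294968273
P = 2**256 - 4294968273
C = 2**256 - P          # 2^32 + 977: the constant with 2^256 ≡ C (mod P)
MASK = 2**256 - 1

def reduce_pseudo_mersenne(z):
    """Reduce 0 <= z < P^2 modulo P using only shifts, a multiply by the
    33-bit constant C, additions and one conditional subtraction."""
    assert 0 <= z < P * P
    # Fold 1: z = hi*2^256 + lo  ->  lo + hi*C, which is < 2^289
    t = (z & MASK) + (z >> 256) * C
    # Fold 2: the new high part is < 2^33, so the result is < 2^256 + 2^66 < 2P
    t = (t & MASK) + (t >> 256) * C
    if t >= P:
        t -= P
    return t

def mul_mod(a, b):
    return reduce_pseudo_mersenne(a * b)

# --- inversion as forward pass (decisions only) + replay (coefficients only) ---
HALVE_U, HALVE_V, SUB_U, SUB_V = 0, 1, 2, 3   # 2-bit decision codes (my encoding)

def half_mod(a, p):
    """a / 2 mod p for odd p."""
    return a >> 1 if a % 2 == 0 else (a + p) >> 1

def record_decisions(x, p):
    """Forward pass of binary extended Euclid on (u, v) only.
    Returns the packed decision tape, its length in steps, and whether u
    (rather than v) reached 1. No Bézout coefficient is stored here.
    The tape has at most about 4*bits(p) steps: every subtraction of two
    odd values is followed by a halving, and every halving removes one bit."""
    assert p % 2 == 1 and 0 < x < p
    u, v = x, p
    tape, steps = 0, 0
    while u != 1 and v != 1:
        if u % 2 == 0:
            u >>= 1; op = HALVE_U
        elif v % 2 == 0:
            v >>= 1; op = HALVE_V
        elif u >= v:
            u -= v; op = SUB_U
        else:
            v -= u; op = SUB_V
        tape |= op << (2 * steps); steps += 1
    return tape, steps, u == 1

def replay_bezout(tape, steps, u_won, p):
    """Reconstruct x^-1 mod p from the tape alone.
    Invariant maintained during replay: u ≡ c_u * x and v ≡ c_v * x (mod p),
    starting from (u, v) = (x, p), i.e. (c_u, c_v) = (1, 0)."""
    c_u, c_v = 1, 0
    for i in range(steps):
        op = (tape >> (2 * i)) & 3
        if op == HALVE_U:
            c_u = half_mod(c_u, p)
        elif op == HALVE_V:
            c_v = half_mod(c_v, p)
        elif op == SUB_U:
            c_u = (c_u - c_v) % p
        else:
            c_v = (c_v - c_u) % p
    return c_u if u_won else c_v

def inv_mod(x, p=P):
    tape, steps, u_won = record_decisions(x, p)
    return replay_bezout(tape, steps, u_won, p)

if __name__ == "__main__":
    x = 0x1234567890ABCDEF
    print(mul_mod(x, inv_mod(x)) == 1)
    print(reduce_pseudo_mersenne((P - 1) ** 2) == (P - 1) ** 2 % P)
```

The point of the split is what each pass holds live: the forward pass holds two field elements and a tape that grows by two bits per step, the replay holds two coefficients and reads the tape; neither needs the other's registers at the same time, which is the classical shadow of running the inversion without a separate register.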
The third force is the one ecdsa.fail exists to harvest: brute-force search over the constant factors. Once the conceptual moves are public, a long tail of micro-optimizations remains, a gate removed in one subroutine, an ancilla freed in another, a tighter adder somewhere else, that no single researcher would chase but that a crowd of contributors and automated agents, filtered by the challenge’s verifier, can grind out in aggregate. These are known ideas being squeezed for their last few percent, which is a different activity from the conceptual jumps that produced the orders of magnitude.
Where the floor is
Two separate floors bound how far any circuit rewrite can go, and the current best work is close to both.
Start with qubits. The data the algorithm must hold in superposition is an elliptic-curve point, and a point is two coordinates over a 256-bit field. That sets the information-theoretic minimum for the data register, in the standard two-coordinate representation, at about $$2n$$, or 512 qubits for secp256k1. The factor-of-two relationship to RSA is old: Proos and Zalka noted in 2003 that ECC needs roughly twice the data-register width of an equivalent factoring problem, because RSA carries one number through modular exponentiation while ECC carries a two-coordinate point through repeated addition. That $$2n$$ is the wall. Today’s circuits sit near $$4.3n$$, so the visible gap, from roughly 1,175 down toward 512, is almost entirely ancilla: scratch space for the field arithmetic that the RSA side has already learned to shed and the ECC side, newer and less optimized, has not. Porting the full RSA ancilla-elimination toolkit to the curves, on the arithmetic alone, would drive the count from roughly $$4.3n$$ toward roughly $$2n$$. That is where the 500-ish figure comes from. It is not a guess about a specific machine; it is the data-register floor of the problem, and it requires no new physics, only the existing techniques applied harder.
The reason ECC has this much slack left, while RSA does not, is the asymmetry I have written about before. Factoring circuits absorbed two decades of optimization effort; the curves did not get comparable attention until 2026. Gidney’s RSA-2048 estimate already sits around 1,400 logical qubits, roughly $$0.7n$$ for a 2,048-bit modulus, having pushed below the naive single-register width through short-exponent methods and approximate residue arithmetic. ECC is walking the same path a few years behind.
The second floor is on gates, and it is harder. Roetteler’s Toffoli bound scales as $$n^3$$, and that cubic is not an artifact of a particular circuit. Shor on an n-bit curve needs on the order of n point additions; each point addition needs several modular multiplications; each modular multiplication has an irreducible cost that grows with n. Multiply those together and the total Toffoli count cannot drop below a cubic envelope, no matter how the gates are rearranged. The recent gains show where we sit against that envelope: Schrottenloher’s reproduction improved Google’s gate count by 6.5 to 10 percent, and the community circuits are improving the product by single-digit percentages that compound slowly. Those are constant-factor refinements. The era of order-of-magnitude jumps, from $$10^{11}$$ Toffolis down to the tens of millions, came from the conceptual shifts of the last few years, and those shifts have largely been spent. What remains is the constant in front of the cubic, and constants asymptote.
Because the leaderboard scores the product of the two, the floors interact in a way worth stating plainly. You can keep trading qubits for gates along the Pareto frontier more or less indefinitely, which is why the leaderboard will keep producing new “best” qubit numbers for a while. What you cannot do is push the product below the envelope the arithmetic fixes. The leaderboard is charting the approach to an asymptote. It will descend, then flatten.
Levers that could push it lower
If $$2n$$ is the data-register floor, the obvious question is what it takes to reach it, and whether anything could go beneath it. Four levers are on the table, and each one stops in a different place.
The first is measurement-based uncomputation pushed to its limit. Rather than retaining scratch registers and reversing them at the end, the circuit measures ancilla mid-computation, applies classical phase corrections, and recomputes intermediate values from scratch whenever they are needed again. Gidney’s work and the residue-arithmetic line are built on this. It keeps the peak live-qubit count near the data floor and pays for it in Toffoli count and depth, because the same field multiplications get recomputed many times over. This is the lever that takes ECC from $$4.3n$$ to roughly $$2n$$, and it is mostly a matter of engineering effort.
The second is qubit recycling through mid-circuit measurement and reset, the literal multi-step version of the same idea. You stage the computation so a register is measured, reset to the zero state, and reused for the next sub-step, holding peak logical width down while total qubit-operations climb. Trapped-ion and neutral-atom hardware handle high-fidelity measure-and-reset well, which is part of why those platforms recur in the most aggressive low-qubit estimates. The ceiling on this lever is the data you cannot discard: the accumulator point itself has to persist, so recycling thins the ancilla but cannot touch the $$2n$$ core.
The third lever is the one that could go beneath $$2n$$, and it is open research territory rather than a known result. A point’s y-coordinate is determined by its x-coordinate through the curve equation, up to a sign. Classical elliptic-curve software already exploits this: the Montgomery ladder and the arithmetic under Curve25519 carry only the x-coordinate and never store y. A quantum point addition that maintained only x would roughly halve the data register, from $$2n$$ toward $$n$$, which would put the floor near 256 plus a handful of bookkeeping qubits. The obstacle is that Shor’s algorithm for ECDLP needs a double-scalar operation, computing $$[a]P + [b]Q$$ over two base points, the generator $$P$$ and the public key $$Q$$, which the circuit has to treat as unrelated, and x-only differential addition is built for single-base ladders, where the difference of the two operands is always known. Whether a clean x-only double-scalar point addition exists is open. If someone constructs one, the sub-300 regime becomes conceivable; until then, $$n$$ is reachable in principle but unproven.
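An added example (mine, not from the post or any paper it cites) makes the obstacle concrete on secp256k1 itself. It runs the x-only Montgomery ladder using the short-Weierstrass differential-addition formulas, which take $$x(P-Q)$$ as an input, and then shows what x-coordinates alone give you for two points whose difference you do not know: the unordered pair $$\{x(P+Q), x(P-Q)\}$$ as the two roots of a quadratic, with nothing left to say which is which. The full affine arithmetic is included only as a check; the curve constants are the standard secp256k1 parameters, and the small scalars are constructed test inputs.

```python
# secp256k1: y^2 = x^3 + 7 over F_P, generator G (standard parameters)
P = 2**256 - 4294968273
B = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)

def inv(a):
    return pow(a % P, -1, P)

# --- full (x, y) arithmetic, used only to check the x-only results ---
def affine_add(p1, p2):
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # P + (-P) = point at infinity
        lam = 3 * x1 * x1 * inv(2 * y1) % P  # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def affine_mul(k, pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc

# --- x-only arithmetic for y^2 = x^3 + b (curve coefficient a = 0) ---
def x_double(x):
    # x(2P) = (x^4 - 8 b x) / (4 (x^3 + b))
    return (x**4 - 8 * B * x) * inv(4 * (x**3 + B)) % P

def x_diff_add(xp, xq, xd):
    # x(P+Q) * x(P-Q) = ((xP xQ)^2 - 4 b (xP + xQ)) / (xP - xQ)^2, so the
    # known difference xd = x(P-Q) is a required input, not an output.
    num = (xp * xq) ** 2 - 4 * B * (xp + xq)
    return num * inv((xp - xq) ** 2 * xd) % P

def x_ladder(k, x):
    """Montgomery ladder: x([k]P) from x(P) alone, k >= 1.
    The pair (R0, R1) = ([m]P, [m+1]P) always differs by P, so x(P) is the
    known difference that every differential addition needs."""
    x0, x1 = x, x_double(x)
    for bit in bin(k)[3:]:                 # bits after the leading 1
        if bit == "0":
            x0, x1 = x_double(x0), x_diff_add(x0, x1, x)
        else:
            x0, x1 = x_diff_add(x0, x1, x), x_double(x1)
    return x0

def x_sum_candidates(xp, xq):
    """With only x(P) and x(Q) and no known difference, the formulas give
    S = x(P+Q) + x(P-Q) and M = x(P+Q) * x(P-Q), i.e. the unordered root
    pair of t^2 - S t + M. The sign of y is exactly the missing bit."""
    d2 = inv((xp - xq) ** 2)
    S = 2 * ((xp + xq) * xp * xq + 2 * B) * d2 % P
    M = ((xp * xq) ** 2 - 4 * B * (xp + xq)) * d2 % P
    disc = (S * S - 4 * M) % P
    r = pow(disc, (P + 1) // 4, P)         # P ≡ 3 (mod 4): this is a square root
    assert r * r % P == disc
    return {(S + r) * inv(2) % P, (S - r) * inv(2) % P}

if __name__ == "__main__":
    print(all(x_ladder(k, GX) == affine_mul(k, G)[0] for k in range(1, 40)))
    x3, x5 = affine_mul(3, G)[0], affine_mul(5, G)[0]
    print(x_sum_candidates(x3, x5) == {affine_mul(8, G)[0], affine_mul(2, G)[0]})
```

For a single-base ladder the difference is always the base point, so the ladder never has to resolve the ambiguity. For $$[a]P + [b]Q$$ with an unknown relation between $$P$$ and $$Q$$, the last function is where an x-only circuit would get stuck: it recovers $$x(P+Q)$$ only as one of two roots, and choosing the right root is the sign information that the y-coordinate carries.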
The fourth lever sits outside the quantum circuit. The Ekerå–Håstad approach extracts the discrete logarithm not from one long quantum run but from many short ones, each producing a noisy linear relation that classical lattice reduction combines afterward. Shrinking what each quantum run must compute shrinks the control register and shifts work onto repetitions and classical post-processing. This is already standard practice for keeping factoring circuits small, and applied to the curves it pulls the same way as everything above: less quantum width, more of something else.
Why a leaner circuit raises the hardware bar
Every lever above swaps the one number that makes headlines, peak logical qubits, for numbers that do not: Toffoli count, circuit depth, repetition count, classical compute, wall-clock time. The total spacetime volume of the attack barely moves. A 500-qubit circuit is the same attack as an 1,100-qubit one, folded into a narrower and longer shape.
And the fold runs the wrong way for the part of the problem that is actually binding. A circuit that recomputes everything and recycles registers runs far longer than one that holds its scratch space. That raises the bar on continuous operation and real-time decoding, two of the capabilities furthest from being demonstrated, because the machine has to stay coherent and error-corrected across the entire run with classical decoders keeping pace. Fault-tolerant compilation always offers this dial: spend qubits to finish in hours, or save qubits and finish in months. The space-efficient end of that dial, for a 256-bit curve, lands in the latter. A 500-qubit attack would demand a longer flawless run on hardware that cannot yet sustain a short one.
Which returns the whole exercise to hardware, where it belongs. The public verified-logical-qubit record is about 96, set by QuEra in January 2026. Whether the algorithmic target is 1,100 or 500 or, someday, 300, nobody is within an order of magnitude of running it, and the leaner the circuit, the longer and more stable the run it demands. The CRQC Quantum Capability Framework I maintain treats this as two curves: an algorithmic-requirement curve that falls as cryptanalysis improves, and a hardware-capability curve that rises as engineering matures. What ecdsa.fail is showing, in real time and in public, is the algorithmic curve flattening as it nears its floor. The uncertainty in Q-Day for ECC now sits almost entirely on the other curve.
This is the asymmetric risk I have been describing, now closed on the numbers. ECC, the classically stronger and more modern choice, secures nearly every TLS handshake, mobile authentication flow, code-signing chain, and digital-asset wallet, and it is the easiest cryptographic target a quantum computer will face. The cost of attacking it has fallen to within sight of its theoretical minimum, and the scoreboard will keep descending for a while before it flattens against the floor that arithmetic fixed years ago.
Quantum Upside & Quantum Risk - Handled
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.