Chinese Researchers Cut ECC Qubit Requirements to 1,333 with Open-Source Circuits

April 23, 2026 – A team of researchers from Tsinghua University and Peking University has published a space-efficient quantum algorithm for the elliptic curve discrete logarithm problem (ECDLP) that reduces the logical qubit count for attacking ECC-256 to 1,333. That is a 37% reduction from the previous best explicit circuit implementation by Häner et al. (2020), which required 2,124 logical qubits.

The paper, authored by Han Luo, Ziyi Yang, Ziruo Wang, Yuexin Su, and Tongyang Li, achieves its improvement through a redesigned modular inversion subroutine based on the Extended Euclidean Algorithm (EEA). Modular inversion is the most expensive component when implementing Shor’s algorithm for ECDLP on a quantum computer, and it dominates both the qubit count and the gate count of the overall circuit.

At the circuit level, the central innovation is a refined register-sharing strategy that allows intermediate variables from the EEA to be stored compactly across shared quantum registers. The approach builds on a 2003 theoretical proposal by Proos and Zalka, which outlined an attractive 5n + O(√n) qubit bound but never provided explicit circuit constructions. Luo et al. close that gap: their algorithm achieves 5n + 4⌊log₂n⌋ + O(1) qubits with a fully reversible, exactly correct circuit implementation, and they have open-sourced the code on GitHub.

Across standard curve sizes, the reductions are consistent:

For a full ECDLP attack, the total Toffoli gate count scales as 976n³ + O(n³/log₂n), where n is the bit-length of the curve’s prime field.

The work was posted as an arXiv preprint on April 2, 2026, with a revised version on April 18.

My Analysis

This paper sits in a rapidly converging field. In the past four months, three independent research teams have published ECDLP resource estimates that represent major reductions over the Häner et al. baseline that had stood since 2020. Understanding what each one contributes requires looking at the qubit-gate tradeoff alongside the headline qubit count.

Chevignard, Fouque, and Schrottenloher’s EUROCRYPT 2026 paper, which I analyzed in detail, achieves the lowest asymptotic qubit count at 3.12n + o(n), translating to approximately 1,193 logical qubits for P-256. That is roughly 10% fewer qubits than the Luo et al. result. But the Chevignard approach pays for that width reduction with a gate count that scales as O(n⁴(log n)²), which the authors themselves acknowledged is approximately 1,000× higher than previous implementations. Luo et al.’s gate count of O(n³) is orders of magnitude more efficient on the depth axis.

Google’s Babbush et al. paper, which I covered when it dropped in March, claims to thread this needle, achieving fewer than 1,200 logical qubits and roughly 90 million Toffoli gates for ECDLP-256. If those numbers hold, that would represent the best combined width-depth performance. The Luo et al. paper notes, however, that “their technical details are not disclosed,” making independent verification impossible. By contrast, Luo et al. provide complete algorithm pseudocode, explicit circuit diagrams, numerical gate counts validated through IBM Qiskit transpilation, and an open-source repository. This transparency matters. In a field where resource estimates directly inform threat models and migration timelines, verifiable results carry more weight than claims.

The convergence from different mathematical directions is itself informative. Chevignard et al. used residue number systems and projective coordinates to avoid modular inversion entirely. Luo et al. kept modular inversion but made the operation radically cheaper through register sharing and algorithmic optimization of the EEA. These two approaches are orthogonal, and as the paper’s authors note, future work could potentially combine elements of both.

For CRQC timeline assessment, the width-depth tradeoff is a critical detail. Logical qubit count determines how large the quantum computer must be. Gate count determines how long the computation runs, and longer runtimes demand higher-quality error correction, which in turn demands more physical qubits per logical qubit. The Chevignard circuit, despite its low qubit count, would run far longer on any realistic hardware, inflating the physical resource overhead. The Luo et al. approach, while using ~12% more logical qubits, would complete far faster. When these algorithms are compiled down to physical resources under realistic error correction assumptions, the difference in total physical qubit count between the two approaches may be much smaller than the logical qubit numbers suggest.

This paper also warrants attention for where the researchers are based. Tsinghua and Peking University are China’s two most elite research institutions, and Tongyang Li’s group at Peking University has been producing steady output in quantum algorithm design. As I have documented in my China’s Quantum Ambition series, China’s quantum research ecosystem is deeper and more productive than Western coverage typically acknowledges. This paper, with its meticulous circuit-level detail and public code repository, is a case in point.

The bottom line: ECDLP resource estimates are compressing faster than many in the security community expected, with three distinct research groups producing three distinct paths to breaking ECC-256 with roughly 1,100–1,350 logical qubits. The hardware to execute any of these circuits does not exist yet, and will not for years. But the algorithmic side of the CRQC Quantum Capability Framework is no longer the binding constraint it once was. Organizations calibrating their PQC migration timelines against Q-Day estimates should treat the algorithm track as increasingly mature, and focus their uncertainty modeling on the engineering layers: error correction, decoder performance, continuous operation, and manufacturability.

For security teams that have been tracking these resource estimates: this paper does not change the practical threat timeline. It validates the trajectory. Every few months, the logical qubit requirements for ECDLP drop, and the algorithmic community is now optimizing ECDLP circuits with the same intensity previously reserved for RSA. That trend will continue.