https://community.isc2.org/t5/Tech-Talk/A-New-Algorithm-Shrinks-the-Quantum-Attack-Surface-for-ECC/m-p/88908#M5398 <P>Hi All</P><P>&nbsp;</P><P><SPAN class=""><SPAN>A new EUROCRYPT 2026 paper just proved both points.<BR /><BR />Chevignard, Fouque, and Schrottenloher have cut the logical qubit count for breaking elliptic curve crypto nearly in half.<BR /><BR />The numbers:<BR /><BR />- P-256: 1,193 logical qubits. Down from 2,124. That's now 42% fewer qubits than breaking RSA-3072 at equivalent classical security.<BR /><BR />- P-224: just 1,098 qubits - 21.5% less than RSA-2048.<BR /><BR />- Asymptotically: 3.12n + o(n) qubits, down from 5n + o(n).<BR /><BR />This is exactly the trajectory I flagged. When I wrote "How ECC Became the Easiest Quantum Target" (<A class="" href="https://lnkd.in/dK2UhKqA" target="_blank" rel="noopener">https://lnkd.in/dK2UhKqA</A></SPAN></SPAN></P><DIV><DIV class="">&nbsp;</DIV></DIV><P><SPAN class=""><SPAN>), the qubit counts for P-256 and RSA-3072 were roughly comparable. Now ECC is decisively easier - and the gap is widening.<BR /><BR />When I wrote "Bitcoin's Quantum Risk Is Closer Than You Think" (<A class="" href="https://lnkd.in/ea9_gTCT" target="_blank" rel="noopener">https://lnkd.in/ea9_gTCT</A></SPAN></SPAN></P><DIV><DIV class="">&nbsp;</DIV></DIV><P><SPAN class=""><SPAN>), it was argued that using RSA qubit estimates as a proxy for Bitcoin's secp256k1 curve was dangerously misleading. This paper confirms it: the quantum threshold for 256-bit ECC is now well below RSA-2048's.<BR /><BR />The tradeoff is a ~1,000× increase in gate count. But qubit count has consistently been the binding hardware constraint, and if the RSA optimization pipeline repeats - where Gidney compressed the gate count 100× within months - those numbers will shrink fast.<BR /><BR />What security leaders should take from this:<BR /><BR />If your quantum risk model benchmarks against RSA estimates, you're overestimating the time available for ECC-dependent systems. Which is most systems.<BR /><BR />The HNDL calculus for ECDH-protected traffic just shifted - a lower qubit threshold means adversaries' expected quantum payoff arrives sooner.<BR /><BR />ML-KEM is standardized Hybrid deployments work today. The migration window is finite and the target keeps moving.<BR /><BR />Full analysis: <A class="" href="https://lnkd.in/ew-4Dpru" target="_blank" rel="noopener">https://lnkd.in/ew-4Dpru</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN><A href="https://postquantum.com/security-pqc/algorithm-quantum-ecc/" target="_blank" rel="noopener">https://postquantum.com/security-pqc/algorithm-quantum-ecc/</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Thanks to Marin Ivezic</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Regards</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Caute_Cautim</SPAN></SPAN></P><DIV><DIV class="">&nbsp;</DIV></DIV> Tue, 31 Mar 2026 05:19:12 GMT Caute_cautim 2026-03-31T05:19:12Z https://community.isc2.org/t5/Tech-Talk/A-New-Algorithm-Shrinks-the-Quantum-Attack-Surface-for-ECC/m-p/88908#M5398 <P>Hi All</P><P>&nbsp;</P><P><SPAN class=""><SPAN>A new EUROCRYPT 2026 paper just proved both points.<BR /><BR />Chevignard, Fouque, and Schrottenloher have cut the logical qubit count for breaking elliptic curve crypto nearly in half.<BR /><BR />The numbers:<BR /><BR />- P-256: 1,193 logical qubits. Down from 2,124. That's now 42% fewer qubits than breaking RSA-3072 at equivalent classical security.<BR /><BR />- P-224: just 1,098 qubits - 21.5% less than RSA-2048.<BR /><BR />- Asymptotically: 3.12n + o(n) qubits, down from 5n + o(n).<BR /><BR />This is exactly the trajectory I flagged. When I wrote "How ECC Became the Easiest Quantum Target" (<A class="" href="https://lnkd.in/dK2UhKqA" target="_blank" rel="noopener">https://lnkd.in/dK2UhKqA</A></SPAN></SPAN></P><DIV><DIV class="">&nbsp;</DIV></DIV><P><SPAN class=""><SPAN>), the qubit counts for P-256 and RSA-3072 were roughly comparable. Now ECC is decisively easier - and the gap is widening.<BR /><BR />When I wrote "Bitcoin's Quantum Risk Is Closer Than You Think" (<A class="" href="https://lnkd.in/ea9_gTCT" target="_blank" rel="noopener">https://lnkd.in/ea9_gTCT</A></SPAN></SPAN></P><DIV><DIV class="">&nbsp;</DIV></DIV><P><SPAN class=""><SPAN>), it was argued that using RSA qubit estimates as a proxy for Bitcoin's secp256k1 curve was dangerously misleading. This paper confirms it: the quantum threshold for 256-bit ECC is now well below RSA-2048's.<BR /><BR />The tradeoff is a ~1,000× increase in gate count. But qubit count has consistently been the binding hardware constraint, and if the RSA optimization pipeline repeats - where Gidney compressed the gate count 100× within months - those numbers will shrink fast.<BR /><BR />What security leaders should take from this:<BR /><BR />If your quantum risk model benchmarks against RSA estimates, you're overestimating the time available for ECC-dependent systems. Which is most systems.<BR /><BR />The HNDL calculus for ECDH-protected traffic just shifted - a lower qubit threshold means adversaries' expected quantum payoff arrives sooner.<BR /><BR />ML-KEM is standardized Hybrid deployments work today. The migration window is finite and the target keeps moving.<BR /><BR />Full analysis: <A class="" href="https://lnkd.in/ew-4Dpru" target="_blank" rel="noopener">https://lnkd.in/ew-4Dpru</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN><A href="https://postquantum.com/security-pqc/algorithm-quantum-ecc/" target="_blank" rel="noopener">https://postquantum.com/security-pqc/algorithm-quantum-ecc/</A></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Thanks to Marin Ivezic</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Regards</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class=""><SPAN>Caute_Cautim</SPAN></SPAN></P><DIV><DIV class="">&nbsp;</DIV></DIV> Tue, 31 Mar 2026 05:19:12 GMT https://community.isc2.org/t5/Tech-Talk/A-New-Algorithm-Shrinks-the-Quantum-Attack-Surface-for-ECC/m-p/88908#M5398 Caute_cautim 2026-03-31T05:19:12Z