Hi All
A new EUROCRYPT 2026 paper just proved both points.
Chevignard, Fouque, and Schrottenloher have cut the logical qubit count for breaking elliptic curve crypto nearly in half.
The numbers:
- P-256: 1,193 logical qubits. Down from 2,124. That's now 42% fewer qubits than breaking RSA-3072 at equivalent classical security.
- P-224: just 1,098 qubits - 21.5% less than RSA-2048.
- Asymptotically: 3.12n + o(n) qubits, down from 5n + o(n).
This is exactly the trajectory I flagged. When I wrote "How ECC Became the Easiest Quantum Target" (https://lnkd.in/dK2UhKqA), the qubit counts for P-256 and RSA-3072 were roughly comparable. Now ECC is decisively easier - and the gap is widening.
When I wrote "Bitcoin's Quantum Risk Is Closer Than You Think" (https://lnkd.in/ea9_gTCT), I argued that using RSA qubit estimates as a proxy for Bitcoin's secp256k1 curve was dangerously misleading. This paper confirms it: the quantum threshold for 256-bit ECC is now well below RSA-2048's.
The tradeoff is a ~1,000× increase in gate count. But qubit count has consistently been the binding hardware constraint, and if the RSA optimization pipeline repeats - where Gidney compressed the gate count 100× within months - those numbers will shrink fast.
What security leaders should take from this:
If your quantum risk model benchmarks against RSA estimates, you're overestimating the time available for ECC-dependent systems. Which is most systems.
The HNDL calculus for ECDH-protected traffic just shifted - a lower qubit threshold means adversaries' expected quantum payoff arrives sooner.
ML-KEM is standardized. Hybrid deployments work today. The migration window is finite and the target keeps moving.
Full analysis: https://lnkd.in/ew-4Dpru
https://postquantum.com/security-pqc/algorithm-quantum-ecc/
Thanks to Marin Ivezic
Regards
Caute_Cautim