arxiv: 2603.28846 · v2 · submitted 2026-03-30 · 🪐 quant-ph · cs.CR

Recognition: 3 theorem links

· Lean Theorem

Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

Ryan Babbush , Adam Zalcman , Craig Gidney , Michael Broughton , Tanuj Khattar , Hartmut Neven , Thiago Bergamaschi , Justin Drake

show 1 more author

Dan Boneh

Authors on Pith no claims yet

Pith reviewed 2026-05-14 21:25 UTC · model grok-4.3

classification 🪐 quant-ph cs.CR

keywords Shor's algorithmelliptic curve discrete logquantum resource estimationblockchain securitypost-quantum cryptographycryptocurrencyquantum vulnerability

0 comments

The pith

Shor's algorithm can break 256-bit elliptic curve cryptography using under 1200 logical qubits.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper calculates the quantum resources needed to solve the elliptic curve discrete logarithm problem that secures many cryptocurrencies. It shows that a quantum computer with a few hundred thousand physical qubits could run Shor's algorithm in minutes on certain architectures, enabling attacks on exposed transactions. This leads to recommendations for migrating to post-quantum cryptography and policy measures for handling vulnerable assets. The estimates are validated via zero-knowledge proofs to avoid revealing attack details.

Core claim

Shor's algorithm for the 256-bit Elliptic Curve Discrete Logarithm Problem can execute with either fewer than 1200 logical qubits and 90 million Toffoli gates or fewer than 1450 logical qubits and 70 million Toffoli gates. On superconducting architectures with physical error rates of 10^{-3} and planar connectivity, these circuits execute in minutes using fewer than half a million physical qubits. The estimates are validated using a zero-knowledge proof to confirm the counts without revealing optimizations.

What carries the argument

Optimized implementation of Shor's algorithm for the elliptic curve discrete log problem, with resource counts verified by zero-knowledge proof.

If this is right

Fast-clock quantum computers would enable on-spend attacks on public mempool transactions in some cryptocurrencies.
Blockchains using smart contracts, Proof-of-Stake, and Data Availability Sampling face heightened systemic risks.
Abandoned or dormant assets remain permanently vulnerable to quantum attacks.
Technical mitigations should be paired with public policy frameworks for digital salvage of vulnerable assets.
The migration to post-quantum cryptography must accelerate across all vulnerable cryptocurrency communities.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Similar quantum vulnerabilities likely extend to other digital assets and tokenized securities beyond cryptocurrencies.
Slow-clock quantum architectures like ion traps may allow more time for mitigation compared to fast-clock ones.
Examples of successful PQC transitions in other systems can guide cryptocurrency implementations.
Future tokenization efforts should incorporate quantum-safe cryptography from the design stage.

Load-bearing premise

The mapping from logical to physical resources assumes a 10^{-3} physical error rate and planar connectivity on superconducting hardware.

What would settle it

Demonstration of a quantum processor executing a comparable circuit size for ECDLP in under an hour with around 400,000 physical qubits would validate the estimates.

Figures

Figures reproduced from arXiv: 2603.28846 by Adam Zalcman, Craig Gidney, Dan Boneh, Hartmut Neven, Justin Drake, Michael Broughton, Ryan Babbush, Tanuj Khattar, Thiago Bergamaschi.

**Figure 1.** Figure 1: Comparison of logical quantum resources (number of logical qubits and Toffoli gates) required to break 256-bit [PITH_FULL_IMAGE:figures/full_fig_p008_1.png] view at source ↗

**Figure 2.** Figure 2: Logical resources required to break n-bit ECDLP for curves with bit lengths of n = 32, 64, 128, 256. one primed machine performing 208, a 6.5x speedup. Executing 70 million Toffolis in 9 minutes would require the generation of half a million T states per second. A T state of sufficiently low error can be produced in 50,000 qubit-rounds [102]. In a fast-clock architecture with 1 microsecond error correction… view at source ↗

**Figure 3.** Figure 3: These figures, which first appeared in [ [PITH_FULL_IMAGE:figures/full_fig_p010_3.png] view at source ↗

**Figure 4.** Figure 4: Evolution of Protocol Usage Over Time: The relative market share of transaction output scripts over time, highlighting [PITH_FULL_IMAGE:figures/full_fig_p013_4.png] view at source ↗

**Figure 5.** Figure 5: Evolution of BTC supply over time by protocol type. Quantum vulnerable balances are shown in shaded regions for [PITH_FULL_IMAGE:figures/full_fig_p014_5.png] view at source ↗

**Figure 6.** Figure 6: Risk that an on-spend quantum attack using a superconducting qubit CRQC taking approximately 9 minutes to [PITH_FULL_IMAGE:figures/full_fig_p016_6.png] view at source ↗

**Figure 7.** Figure 7: BTC Balance of Top 100,000 Vulnerable addresses. The graph displays the BTC balance of the top 100,000 Bitcoin [PITH_FULL_IMAGE:figures/full_fig_p019_7.png] view at source ↗

**Figure 8.** Figure 8: Account Vulnerability of Top 1000 accounts by ETH balance. The graph displays the ETH balance of the top 1000 [PITH_FULL_IMAGE:figures/full_fig_p024_8.png] view at source ↗

**Figure 9.** Figure 9: Admin Vulnerability of Top 500 smart contracts by ETH balance. Contracts were classified as “Subject to Admin [PITH_FULL_IMAGE:figures/full_fig_p025_9.png] view at source ↗

**Figure 10.** Figure 10: Admin Vulnerability exposure across distributed Real World Assets (RWAs). The chart details the market capi [PITH_FULL_IMAGE:figures/full_fig_p026_10.png] view at source ↗

**Figure 11.** Figure 11: Breakdown of Total Value Secured (TVS) across major scaling protocols, categorized by their underlying security [PITH_FULL_IMAGE:figures/full_fig_p027_11.png] view at source ↗

**Figure 12.** Figure 12: Historical accumulation of ETH in the Beacon Chain deposit contract (0x0...05fa). The green line represents the [PITH_FULL_IMAGE:figures/full_fig_p029_12.png] view at source ↗

**Figure 13.** Figure 13: Similar to [PITH_FULL_IMAGE:figures/full_fig_p037_13.png] view at source ↗

**Figure 14.** Figure 14: Cumulative amount of money harvested in a quantum salvage operation. We consider a single fast-clock quantum [PITH_FULL_IMAGE:figures/full_fig_p038_14.png] view at source ↗

read the original abstract

This whitepaper seeks to elucidate implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem, the core of modern blockchain cryptography. We demonstrate that Shor's algorithm for this problem can execute with either <1200 logical qubits and <90 million Toffoli gates or <1450 logical qubits and <70 million Toffoli gates. In the interest of responsible disclosure, we use a zero-knowledge proof to validate these results without disclosing attack vectors. On superconducting architectures with 1e-3 physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between fast-clock (such as superconducting and photonic) and slow-clock (such as neutral atom and ion trap) architectures. Our analysis reveals that the first fast-clock CRQCs would enable on-spend attacks on public mempool transactions of some cryptocurrencies. We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling, as well as the enduring concern of abandoned assets. We argue that technical solutions would benefit from accompanying public policy and discuss various frameworks of digital salvage to regulate the recovery or destruction of dormant assets while preventing adversarial seizure. We also discuss implications for other digital assets and tokenization as well as challenges and successful examples of the ongoing transition to Post-Quantum Cryptography (PQC). Finally, we urge all vulnerable cryptocurrency communities to join the ongoing migration to PQC without delay.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper gives tighter logical resource estimates for Shor's on 256-bit ECC plus a fast/slow clock distinction that matters for mempool attacks, but the physical qubit and runtime claims rest on specific 1e-3 error rate and planar connectivity assumptions.

read the letter

The main thing to take away is that the authors report two concrete trade-off points for running Shor's algorithm on 256-bit elliptic curves: under 1200 logical qubits and 90 million Toffolis, or under 1450 logical qubits and 70 million Toffolis, with the counts backed by a zero-knowledge proof. They also separate fast-clock architectures such as superconducting from slow-clock ones such as ion traps, and show that the fast ones could hit unconfirmed mempool transactions first.

Referee Report

2 major / 2 minor

Summary. The manuscript presents new resource estimates for Shor's algorithm applied to the 256-bit Elliptic Curve Discrete Logarithm Problem, offering two configurations: fewer than 1200 logical qubits with under 90 million Toffoli gates, or fewer than 1450 logical qubits with under 70 million Toffoli gates, validated using a zero-knowledge proof. It maps these to physical resources on superconducting quantum architectures with 10^{-3} error rates and planar connectivity, claiming execution times in minutes using fewer than 500,000 physical qubits. The paper distinguishes fast-clock and slow-clock quantum architectures, analyzes vulnerabilities in various cryptocurrencies including smart contracts and Proof-of-Stake, and recommends migration to post-quantum cryptography supported by policy frameworks.

Significance. If the estimates hold, this work supplies concrete, verifiable bounds on the quantum resources needed to threaten elliptic-curve cryptocurrencies and responsibly discloses them via zero-knowledge proof without revealing circuit details. The explicit separation of fast- versus slow-clock architectures and the survey of blockchain-specific attack surfaces (mempool on-spend, abandoned assets, smart-contract exposure) provide actionable guidance for both the quantum-computing and cryptocurrency communities. These elements, together with the call for coordinated PQC migration, give the paper practical significance beyond pure resource counting.

major comments (2)

[§4] §4 (Physical Resource Mapping): The central claim that the circuits run in minutes with <500 000 physical qubits rests on a fixed 10^{-3} physical error rate and planar connectivity. Early fault-tolerant hardware may operate at higher error rates or non-planar graphs, inflating the overhead factor and invalidating both the qubit count and runtime bound. A sensitivity analysis over error-rate and connectivity assumptions is required to support the headline physical-resource numbers.
[§3.2] §3.2 (Logical Resource Derivation): The two trade-off points (<1200 qubits/90 M Toffolis vs. <1450 qubits/70 M Toffolis) are asserted via ZKP, yet the manuscript provides no explicit statement of the underlying circuit-construction assumptions (e.g., window size, modular-multiplication strategy) that generate these particular numbers. Without that information, readers cannot assess whether the quoted counts are near-optimal or merely one possible point in a larger design space.

minor comments (2)

[Abstract] The abstract introduces 'on-spend attacks' without a one-sentence definition; a brief parenthetical gloss would aid readers outside the cryptocurrency literature.
[Table 1] Table 1 (architecture comparison) lists gate times but omits the precise clock-frequency values used to convert logical gate counts into wall-clock minutes; adding those numbers would make the runtime claim reproducible from the table alone.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We are grateful to the referee for their insightful comments, which have helped us identify areas for improvement. We respond to each major comment in turn and indicate the changes we plan to implement in the revised manuscript.

read point-by-point responses

Referee: [§4] §4 (Physical Resource Mapping): The central claim that the circuits run in minutes with <500 000 physical qubits rests on a fixed 10^{-3} physical error rate and planar connectivity. Early fault-tolerant hardware may operate at higher error rates or non-planar graphs, inflating the overhead factor and invalidating both the qubit count and runtime bound. A sensitivity analysis over error-rate and connectivity assumptions is required to support the headline physical-resource numbers.

Authors: We agree that a sensitivity analysis would strengthen the physical-resource claims. In the revised manuscript we will add an appendix with explicit bounds obtained by varying the physical error rate between 10^{-4} and 10^{-3} and by considering both planar and limited non-planar connectivity models. Updated qubit-count and runtime ranges under these assumptions will be reported. revision: yes
Referee: [§3.2] §3.2 (Logical Resource Derivation): The two trade-off points (<1200 qubits/90 M Toffolis vs. <1450 qubits/70 M Toffolis) are asserted via ZKP, yet the manuscript provides no explicit statement of the underlying circuit-construction assumptions (e.g., window size, modular-multiplication strategy) that generate these particular numbers. Without that information, readers cannot assess whether the quoted counts are near-optimal or merely one possible point in a larger design space.

Authors: Because the results are validated only via zero-knowledge proof to enable responsible disclosure, we cannot release the precise circuit parameters (window sizes, multiplication strategies, etc.). In the revision we will add a concise high-level paragraph stating that both configurations derive from standard Shor implementations for ECDLP that employ optimized Toffoli-based modular arithmetic and point-addition circuits, with the two points chosen to illustrate the qubit–gate-count trade-off surface. This statement will not compromise the ZKP. revision: partial

Circularity Check

0 steps flagged

No significant circularity; resource estimates validated externally via ZKP and standard hardware models

full rationale

The paper's derivation chain for Shor's algorithm resource estimates on the 256-bit ECDLP relies on standard quantum circuit constructions for the discrete logarithm problem. Logical qubit and Toffoli counts (<1200 qubits/<90M gates or <1450/<70M) are asserted via zero-knowledge proof, which serves as external validation without revealing circuit details or fitting to the target result. Physical estimates on superconducting architectures use published parameters (1e-3 physical error rates, planar connectivity) to map to <500k physical qubits and minute-scale runtimes; these are not derived from the logical counts by construction but are standard overhead calculations. No self-definitional steps, fitted inputs renamed as predictions, or load-bearing self-citations appear in the provided derivation. The chain remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 2 axioms · 0 invented entities

The estimates depend on standard assumptions about quantum error correction overhead and hardware error rates that are taken from the broader literature rather than derived here.

free parameters (1)

physical error rate = 1e-3
Set to 1e-3 for superconducting architectures to convert logical to physical qubit counts

axioms (2)

domain assumption Shor's algorithm for ECDLP can be compiled to the stated logical gate counts under standard quantum circuit optimizations
Invoked when stating the <1200 qubit / <90M Toffoli bound
domain assumption Planar connectivity and surface-code error correction overheads apply to the target hardware
Used to reach the <500k physical qubit figure

pith-pipeline@v0.9.0 · 5634 in / 1536 out tokens · 30025 ms · 2026-05-14T21:25:05.443729+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Shor’s algorithm for this problem can execute with either ≤1200 logical qubits and ≤90 million Toffoli gates or ≤1450 logical qubits and ≤70 million Toffoli gates... On superconducting architectures with 10^{-3} physical error rates and planar connectivity
IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

surface code error correction... yokes... reaction-limited fashion... 10 microseconds reaction time
IndisputableMonolith/Foundation/AlexanderDuality.lean alexander_duality_circle_linking unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

fast-clock (superconducting and photonic) and slow-clock (neutral atom and ion trap) architectures

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Forward citations

Cited by 5 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

The true cost of factoring: Linking magic and number-theoretic complexity in Shor's algorithm
quant-ph 2026-05 unverdicted novelty 6.0

Shor's algorithm generates and consumes magic resources in direct proportion to the difficulty of the underlying factoring problem.
Factoring $2048$ bit RSA integers with a half-million-qubit modular atomic processor
quant-ph 2026-05 unverdicted novelty 6.0

A modular atomic processor with 500,000 qubits factors 2048-bit RSA numbers in roughly the same time as a single large module when inter-module Bell-pair communication runs at 10^5 per second.
Fault-Tolerant Quantum Computing with Trapped Ions: The Walking Cat Architecture
quant-ph 2026-04 unverdicted novelty 6.0

A trapped-ion architecture based on LDPC codes and cat-state factories achieves 110 logical qubits and one million T gates per day using 2514 physical qubits, with estimates for Heisenberg model simulation on 100 site...
GreenPeas: Unlocking Adaptive Quantum Error Correction with Just-in-Time Decoding Hypergraphs
quant-ph 2026-04 unverdicted novelty 6.0

GreenPeas delivers a just-in-time GPU compiler for decoding hypergraphs that achieves >10x speedup on surface and bivariate bicycle codes, unlocking circuit-level decoding for adaptive quantum error correction.
Space-Efficient Quantum Algorithm for Elliptic Curve Discrete Logarithms with Resource Estimation
quant-ph 2026-04 conditional novelty 6.0

A space-efficient quantum ECDLP algorithm uses 5n + 4⌊log₂n⌋ + O(1) logical qubits and O(n³) Toffoli gates, lowering the 256-bit estimate from 2124 to 1333 qubits.

Reference graph

Works this paper leans on

298 extracted references · 298 canonical work pages · cited by 5 Pith papers · 12 internal anchors

[1]

R. P. Feynman, Simulating physics with computers, International Journal of Theoretical Physics21(1982)

work page 1982
[2]

Schleich, L

P. Schleich, L. M. Calder´ on, C. Sun, M. Bagherimehrab, A. Aldossary, J. S. Kottmann, and A. Aspuru-Guzik,Quantum Computing for Quantum Chemistry(American Chemical Society, Washington, DC, USA, 2025)

work page 2025
[4]

Montanaro, Quantum algorithms: an overview, npj Quantum Information2, 15023 (2016)

A. Montanaro, Quantum algorithms: an overview, npj Quantum Information2, 15023 (2016)

work page 2016
[5]

J. Chou, J. Manyika, and H. Neven, The race to lead the quantum future, Foreign Affairs (2025)

work page 2025
[6]

D. J. Bernstein and T. Lange, Post-quantum cryptography, Nature549, 188 (2017)

work page 2017
[7]

Joseph, R

D. Joseph, R. Misoczki, M. Manzano, J. Tricot, F. D. Pinuaga, O. Lacombe, S. Leichenauer, J. Hidary, P. Venables, and R. Hansen, Transitioning organizations to post-quantum cryptography, Nature605, 237 (2022)

work page 2022
[9]

R. C. Merkle, Secure communications over insecure channels, Commun. ACM21, 294 (1978)

work page 1978
[10]

R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM21, 120 (1978)

work page 1978
[11]

V. S. Miller, Use of elliptic curves in cryptography, inAdvances in Cryptology — CRYPTO ’85 Proceedings, edited by H. C. Williams (Springer Berlin Heidelberg, Berlin, Heidelberg, 1986) pp. 417–426

work page 1986
[12]

Koblitz, Elliptic curve cryptosystems, Mathematics of Computation48, 203 (1987)

N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation48, 203 (1987)

work page 1987
[13]

P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal on Computing26, 1484 (1997). 44

work page 1997
[14]

AMD, Google, Meta, Microsoft, and NVIDIA,OCP GPU FW Update Specification, Tech. Rep. (Open Compute Project, 2023)

work page 2023
[15]

Schneider, L

K. Schneider, L. Auer, and A. Wagner, Fault attacks on ECC signature verification, IACR Transactions on Cryptographic Hardware and Embedded Systems2025, 1010 (2025)

work page 2025
[16]

Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3, RFC 8446 (2018)

E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3, RFC 8446 (2018)

work page 2018
[17]

Marlinspike and T

M. Marlinspike and T. Perrin, The X3DH key agreement protocol (2016)

work page 2016
[18]

J. W. Bos, J. A. Halderman, N. Heninger, J. Moore, M. Naehrig, and E. Wustrow, Elliptic curve cryptography in practice, Cryptology ePrint Archive, Paper 2013/734 (2013). [19]YubiKey Technical Manual, Yubico (2026)

work page 2013
[19]

Stebila and J

D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the Secure Shell (SSH) Transport Layer, RFC 5656 (2009)

work page 2009
[20]

Hoffman and W

P. Hoffman and W. Wijngaards, Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC, RFC 6605 (2012)

work page 2012
[21]

N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, Comparing elliptic curve cryptography and RSA on 8-bit CPUs, inCryptographic Hardware and Embedded Systems - CHES 2004, edited by M. Joye and J.-J. Quisquater (Springer Berlin Heidelberg, Berlin, Heidelberg, 2004) pp. 119–132

work page 2004
[22]

C. A. Lara-Nino, A. Diaz-Perez, and M. Morales-Sandoval, Elliptic curve lightweight cryptography: A survey, IEEE Access6, 72514 (2018)

work page 2018
[23]

Barker,NIST SP 800-57 Part 1 Rev

E. Barker,NIST SP 800-57 Part 1 Rev. 5: Recommendation for Key Management: Part 1 – General, NIST Special Publication 800-57 Part 1 Rev. 5 (National Institute of Standards and Technology, Gaithersburg, MD, USA, 2020)

work page 2020
[24]

Milton and C

A. Milton and C. Shikhelman,Bitcoin and Quantum Computing: Current Status and Future Directions, Research Report (Chaincode Labs, New York, NY, 2025) accessed: 2026-03-22

work page 2025
[25]

Liet al.,The Quantum Threat to Bitcoin, Human Rights Research Report (Human Rights Foundation, 2025) informed by technical insights from the 2025 Presidio Bitcoin Quantum Summit

A. Liet al.,The Quantum Threat to Bitcoin, Human Rights Research Report (Human Rights Foundation, 2025) informed by technical insights from the 2025 Presidio Bitcoin Quantum Summit

work page 2025
[26]

Deegan, Quantum vulnerability of bitcoin addresses, Project Eleven Blog (2025)

C. Deegan, Quantum vulnerability of bitcoin addresses, Project Eleven Blog (2025)

work page 2025
[27]

J. J. Pont, J. J. Kearney, J. Moyler, and C. A. Perez-Delgado, Downtime required for bitcoin quantum-safety, arXiv:2410.16965 (2024)

work page arXiv 2024
[28]

Aggarwal, G

D. Aggarwal, G. Brennen, T. Lee, M. Santha, and M. Tomamichel, Quantum attacks on bitcoin, and how to protect against them, Ledger3, 10.5195/ledger.2018.127 (2018)

work page doi:10.5195/ledger.2018.127 2018
[29]

Ruffing, The post-quantum security of bitcoin’s taproot as a commitment scheme, Cryptology ePrint Archive, Paper 2025/1307 (2025)

T. Ruffing, The post-quantum security of bitcoin’s taproot as a commitment scheme, Cryptology ePrint Archive, Paper 2025/1307 (2025)

work page 2025
[30]

Holmes and L

S. Holmes and L. Chen, Assessment of quantum threat to bitcoin and derived cryptocurrencies, Cryptology ePrint Archive, Paper 2021/967 (2021)

work page 2021
[31]

Fukuda, S

K. Fukuda, S. Matsuo, Y. Suga, and T. Ito, The grand challenge of PQC migration: Analysis of modern blockchain and intertwined human egoisms, Cryptology ePrint Archive, Paper 2025/1626 (2025)

work page 2025
[32]

D. B. C. Costa,Post-Quantum Financial Infrastructure Framework (PQFIF): A Roadmap for the Quantum-Safe Transi- tion of Global Financial Infrastructure, Regulatory Submission (U.S. Securities and Exchange Commission (SEC), 2025) prepared for the U.S. Crypto Assets Task Force – SEC

work page 2025
[33]

Maurushat,Disclosure of Security Vulnerabilities: Legal and Ethical Issues(Springer London, 2013)

A. Maurushat,Disclosure of Security Vulnerabilities: Legal and Ethical Issues(Springer London, 2013)

work page 2013
[34]

ISO/IEC,ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure, Standard (In- ternational Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, 2018)

work page 2018
[35]

D. C. North, Institutions, Journal of Economic Perspectives5, 97–112 (1991)

work page 1991
[36]

D. C. North,Institutions, Institutional Change and Economic Performance, Political Economy of Institutions and Deci- sions (Cambridge University Press, 1990)

work page 1990
[37]

CoinMarketCap, FUD, CoinMarketCap Glossary (2021), accessed 2026-03-28

work page 2021
[38]

BTSE,Crypto Trading Psychology: Dealing with FUD and FOMO in the Cryptocurrency Market, Special Report (BTSE,

work page
[39]

Accessed March 28, 2026

BTSE Trading Psychology Series. Accessed March 28, 2026

work page 2026
[40]

Harris and A

R. Harris and A. McIntyre,The Complete Sales Letter Book: Model Letters for Every Selling Situation, Sharpe Professional (Sharpe Professional, 1998)

work page 1998
[41]

Goldwasser, S

S. Goldwasser, S. Micali, and C. Rackoff, The knowledge complexity of interactive proof-systems, inProceedings of the Seventeenth Annual ACM Symposium on Theory of Computing, STOC ’85 (Association for Computing Machinery, New York, NY, USA, 1985) pp. 291–304

work page 1985
[42]

Quisquater, M

J.-J. Quisquater, M. Quisquater, M. Quisquater, M. Quisquater, L. C. Guillou, M. A. Guillou, G. Guillou, A.-C. Guil- lou, G. Guillou, S. Guillou, and T. A. Berson, How to explain zero-knowledge protocols to your children, inAnnual International Cryptology Conference(1989)

work page 1989
[43]

Cu’ellar Gempeler, B

S. Cu’ellar Gempeler, B. Harris, J. Parker, S. Pernsteiner, I. Sweet, and E. Tromer, Cheesecloth: Zero-knowledge proofs of real-world vulnerabilities, ACM Trans. Priv. Secur.28, 10.1145/3747589 (2025)

work page doi:10.1145/3747589 2025
[44]

Litinski, How to compute a 256-bit elliptic curve private key with only 50 million toffoli gates, arXiv:2306.08585 (2023)

D. Litinski, How to compute a 256-bit elliptic curve private key with only 50 million toffoli gates, arXiv:2306.08585 (2023)

work page arXiv 2023
[45]

Gidney and M

C. Gidney and M. Eker˚ a, How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits, Quantum5, 433 (2021)

work page 2048
[46]

How to factor 2048 bit RSA integers with less than a million noisy qubits

C. Gidney, How to factor 2048 bit RSA integers with less than a million noisy qubits, arXiv:2505.15917 (2025)

work page internal anchor Pith review Pith/arXiv arXiv 2048
[47]

M. Habov stiak, Hashed keys are actually fully quantum secure, Bitcoin Development Mailing List (Google Groups) (2025), mailing list thread featuring contributions from Lloyd Fournier, Agustin Cruz, Antoine Poinsot, and others. Proposes a commit-reveal scheme to protect hashed pubkeys from mempool-snatching by quantum adversaries. 45

work page 2025
[48]

D. J. Bernstein, Introduction to post-quantum cryptography, inPost-Quantum Cryptography, edited by D. J. Bernstein, J. Buchmann, and E. Dahmen (Springer Berlin Heidelberg, Berlin, Heidelberg, 2009) pp. 1–14

work page 2009
[49]

Bernstein and T

D. Bernstein and T. Lange,Post-quantum cryptography: dealing with the fallout of physics success, Cryptology ePrint Archive (International Association for Cryptologic Research, 2017)

work page 2017
[50]

National Institute of Standards and Technology, Glossary: Defense-in-depth,https://csrc.nist.gov/glossary/term/ defense_in_depth(2026), CSRC Computer Security Resource Center

work page 2026
[51]

Gretz, D

P. Gretz, D. Gross, E. M. Haynes, Y. Tarek, A. Toma, A. Chitgupi, and T. Kurowski,Tokenization Standards: Taming the Regulatory Menagerie, Industry Research Report (Nethermind and PwC Germany, 2025) distributed in collaboration with Global Finance & Technology Network (GFTN)

work page 2025
[52]

Yakovenko,Solana: A New Architecture for a High Performance Blockchain, Protocol White Paper v0.8.13 (Solana Labs, 2017)

A. Yakovenko,Solana: A New Architecture for a High Performance Blockchain, Protocol White Paper v0.8.13 (Solana Labs, 2017)

work page 2017
[53]

Algorand

J. Chen and S. Micali, Algorand, arXiv:1607.01341 (2016)

work page internal anchor Pith review Pith/arXiv arXiv 2016
[54]

Lokhava, G

M. Lokhava, G. Losa, D. Mazi` eres, G. Hoare, N. Barry, E. Gafni, J. Jove, R. Malinowsky, and J. McCaleb, Fast and secure global payments with stellar, inProceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP ’19 (Association for Computing Machinery, New York, NY, USA, 2019) p. 80–96

work page 2019
[55]

Mazi` eres,The Stellar Consensus Protocol: A Federated Model for Internet-level Consensus, Tech

D. Mazi` eres,The Stellar Consensus Protocol: A Federated Model for Internet-level Consensus, Tech. Rep. (Stellar Devel- opment Foundation, 2015)

work page 2015
[56]

Analysis of the XRP Ledger Consensus Protocol

B. Chase and E. MacBrough, Analysis of the XRP Ledger Consensus Protocol, arXiv:1802.07242 (2018)

work page internal anchor Pith review Pith/arXiv arXiv 2018
[57]

Ripple Developers, rippled: XRP ledger network server, GitHub Repository (2026)

work page 2026
[58]

Algorand Foundation, Asset tokenization on Algorand: Powering a more open financial system, Official Ecosystem Portal (2026)

work page 2026
[59]

Stellar Development Foundation, RWA tokenization, Official Ecosystem Portal (2026)

work page 2026
[60]

Team RippleX,The Future of Asset Tokenization: A New Token Standard for Institutional-Grade Finance on XRP Ledger, Industry Research Report (Ripple Labs, Inc., 2025)

work page 2025
[61]

O’Brien, Protecting Chrome traffic with Hybrid Kyber KEM, Chromium Blog (2023), accessed March 26, 2026

D. O’Brien, Protecting Chrome traffic with Hybrid Kyber KEM, Chromium Blog (2023), accessed March 26, 2026

work page 2023
[62]

L. Young, Technical brief: Quantum-resistant transactions on Algorand with Falcon signatures, Algorand Developer Blog (2025), technical contributions by Giulio Pizzini, Cosimo Bassi, and Steve Ferrigno

work page 2025
[63]

The QRL Foundation, Quantum Resistant Ledger: A visionary, future-proof blockchain with unparalleled security (2026)

work page 2026
[64]

Waterland,Quantum Resistant Ledger (QRL), Technical White Paper (The QRL Foundation, 2016)

P. Waterland,Quantum Resistant Ledger (QRL), Technical White Paper (The QRL Foundation, 2016)

work page 2016
[65]

Zweil,Mochimo: Post-Quantum Currency, Protocol White Paper (Adequate Systems, LLC, 2018)

M. Zweil,Mochimo: Post-Quantum Currency, Protocol White Paper (Adequate Systems, LLC, 2018)

work page 2018
[66]

Alice, Bob, Eve, and Lambda,Abelian (ABEL) – A Quantum-Resistant Cryptocurrency Balancing Privacy and Account- ability, Cryptographic White Paper (The Abelian Foundation, 2022)

work page 2022
[67]

ForkLog, XRP Ledger implements quantum threat protection, ForkLog Magazine (2025)

work page 2025
[68]

Deegan, A look at post quantum proposals for bitcoin, Project Eleven Blog (2025)

C. Deegan, A look at post quantum proposals for bitcoin, Project Eleven Blog (2025)

work page 2025
[69]

F. Wang, S. Cohney, and J. Bonneau, SoK: Trusted setups for powers-of-tau strings, Cryptology ePrint Archive, Paper 2025/064 (2025)

work page 2025
[70]

Pertsev, R

A. Pertsev, R. Semenov, and R. Storm,Tornado Cash Privacy Solution, Technical Whitepaper Version 1.4 (Tornado Cash, 2019) accessed via Berkeley DeFi educational resources

work page 2019
[71]

Acharya, D

R. Acharya, D. A. Abanin, L. Aghababaie-Beni, I. Aleiner, T. I. Andersen, M. Ansmann, F. Arute, K. Arya, A. Asfaw, N. Astrakhantsev, J. Atalaya, R. Babbush, D. Bacon, B. Ballard, J. C. Bardin, J. Bausch, A. Bengtsson, A. Bilmes, S. Blackwell, S. Boixo, G. Bortoli, A. Bourassa, J. Bovaird, L. Brill, M. Broughton, D. A. Browne, B. Buchea, B. B. Buckley, D. ...

work page 2024
[72]

M. L. Chan, A. A. Capatos, P. Lodahl, A. S. Sørensen, and S. Paesani, Practical blueprint for low-depth photonic quantum computing with quantum dots, arXiv:2507.16152 (2025)

work page arXiv 2025
[73]

J. R. Scott and K. C. Balram, Timing constraints due to real-time graph-traversal algorithms on incomplete cluster states in photonic measurement-based quantum computing, Physical Review Applied20, 10.1103/physrevapplied.20.024019 (2023)

work page doi:10.1103/physrevapplied.20.024019 2023
[74]

Stano and D

P. Stano and D. Loss, Review of performance metrics of spin qubits in gated semiconducting nanostructures, Nature Reviews Physics4, 672 (2022)

work page 2022
[75]

Bluvstein, A

D. Bluvstein, A. A. Geim, S. H. Li, S. J. Evered, J. P. Bonilla Ataides, G. Baranes, A. Gu, T. Manovitz, M. Xu, M. Kalinowski, S. Majidy, C. Kokail, N. Maskara, E. C. Trapp, L. M. Stewart, S. Hollerith, H. Zhou, M. J. Gullans, S. F. Yelin, M. Greiner, V. Vuleti´ c, M. Cain, and M. D. Lukin, A fault-tolerant neutral-atom architecture for universal quantum ...

work page 2025
[76]

V. M. Sch¨ afer, C. J. Ballance, K. Thirumalai, L. J. Stephenson, T. G. Ballance, A. M. Steane, and D. M. Lucas, Fast quantum logic gates with trapped-ion qubits, Nature555, 75 (2018)

work page 2018
[77]

imminent

S. Aaronson, More on whether useful quantum computing is “imminent” — Shtetl-Optimized,https://scottaaronson. blog/?p=9425(2025), accessed: 2026-03-22

work page 2025
[78]

Aaronson, On reducing the cost of breaking RSA-2048 to 100,000 physical qubits — Shtetl-Optimized,https:// scottaaronson.blog/?p=9564(2026), accessed: 2026-03-22

S. Aaronson, On reducing the cost of breaking RSA-2048 to 100,000 physical qubits — Shtetl-Optimized,https:// scottaaronson.blog/?p=9564(2026), accessed: 2026-03-22

work page 2048
[79]

Kerckhoffs, La Cryptographie Militaire, Journal des Sciences MilitairesIX, 5 (1883)

A. Kerckhoffs, La Cryptographie Militaire, Journal des Sciences MilitairesIX, 5 (1883)

work page
[80]

CERT Coordination Center, CERT/CC vulnerability disclosure policy, Official Policy Document (2026)

work page 2026
[81]

Google Project Zero, Vulnerability disclosure policy, Official Policy Document (2026)

work page 2026
[82]

N. Carter, Bitcoin developers are mostly not concerned about quantum risk – Murmurations II,https:// murmurationstwo.substack.com/p/bitcoin-developers-are-mostly-not(2026), accessed: 2026-03-22

work page 2026

Showing first 80 references.