By QuantaLabs | April 2026 | quantalabs.cc | quantachain.org
Five days ago, an independent researcher named Giancarlo Lelli broke a 15-bit elliptic curve key on a publicly accessible IBM quantum computer and collected a 1 BTC bounty from Project Eleven. The result was debated — some Bitcoin developers showed the winning result could be replicated with random noise, suggesting limited true quantum advantage at this scale. But the debate misses the point entirely.
The real story is what happened three weeks before that, in the research papers.
The Three Papers That Changed the Timeline
In the last week of March 2026, two papers dropped on the same day that fundamentally rewrote the resource estimates for breaking ECDSA:
Google Quantum AI (March 31, 2026)
Google’s research team published a 57-page whitepaper outlining a significantly more efficient implementation of Shor’s algorithm against secp256k1 — the elliptic curve that secures Bitcoin, Ethereum, and virtually every EVM-compatible blockchain. Their circuits require fewer than 500,000 physical qubits on a superconducting architecture to break ECDSA-P256. Critically, the estimated execution time is under 9 minutes.
Bitcoin’s average block time is 10 minutes. The implication: a sufficiently powerful quantum computer could theoretically crack an exposed public key faster than a transaction confirms on-chain.
The previous estimate from Litinski (2023) required ~9 million qubits. Google’s paper represents an approximately 20-fold reduction in the qubit threshold. The paper closed with a line that should be framed on the wall of every blockchain security team:
“It is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced.”
Oratomic / Caltech / UC Berkeley (March 31, 2026)
On the exact same day, a team spanning Oratomic (a new quantum startup founded by researchers from Harvard’s landmark neutral-atom fault-tolerance experiments), Caltech, and UC Berkeley published a paper showing Shor’s algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable neutral-atom qubits.
That is 50x lower than Google’s already-shocking estimate. The key insight: high-rate quantum Low-Density Parity-Check (qLDPC) codes achieve approximately 30% encoding rate, compared to ~4% for surface codes in Google’s architecture. Their largest code encodes 1,480 logical qubits in just 5,278 physical qubits.
Under plausible assumptions, a 26,000-qubit neutral-atom system could crack P-256 in a matter of a few days.
Chevignard-Fouque-Schrottenloher (EUROCRYPT 2026, March 2026)
French researchers published a new quantum circuit architecture for the 256-bit Elliptic Curve Discrete Logarithm Problem at EUROCRYPT 2026, further optimizing the circuit depth needed to attack full production keys.
Three Papers. Three Weeks. The Timeline Just Moved.
This is not distant future speculation. The shift from “we need 20 million qubits” to “we might need 10,000” happened in three months. The trajectory matters more than today’s hardware state.
Cloudflare, which handles a significant share of global internet traffic, put it bluntly in their post-quantum roadmap published this month:
“Q-Day has been pulled forward significantly from typical 2035+ timelines, with neutral atoms in the lead, and other approaches not far behind.”
Google followed with their own public commitment in March 2026: a formal 2029 deadline to transition their entire infrastructure to post-quantum cryptography. Android 17 is shipping with ML-DSA (post-quantum digital signatures) by default.
As of October 2025, Cloudflare reported that over 50% of human-initiated connections to their network were already protected with hybrid post-quantum key exchange (ML-KEM + X25519). By their latest reporting, 65% of human traffic to Cloudflare is now post-quantum encrypted.
The web is already migrating. Blockchain hasn’t started.
Why Blockchain Is More Exposed Than TLS
There’s a subtle but critical difference between what Cloudflare is protecting and what your blockchain is exposing.
TLS key exchange is ephemeral. The keys are fresh for every session. Even if a quantum adversary harvests ciphertext today, breaking the key later only reveals that session’s traffic — not the ability to forge future transactions.
Blockchain public keys are permanent and on-chain.
When you receive funds to an Ethereum address and spend from it, your public key is visible in the transaction history. Anyone who archives that public key today can attempt to derive the private key later. Every wallet that has ever signed a transaction exposes its public key to “harvest now, decrypt later” attacks.
Moreover: Bitcoin and Ethereum addresses that have never been spent from expose only the hash of the public key — which buys some time. But ~6.9 million Bitcoin currently sit in wallets where the public key is already fully exposed on-chain. All of those funds can be targeted the moment a sufficiently powerful quantum computer exists.
The Coinbase advisory board has explicitly flagged this: the transition to post-quantum cryptography in blockchains is not a simple key-swap. It is a complex, breaking migration that requires a hard fork, wallet migration tooling, and a coordinated cutover. The longer you wait to build on quantum-resistant foundations, the more painful the migration becomes.
What a Production Falcon-512 Blockchain Actually Looks Like
We didn’t write this post from theory. QuantaLabs builds Quantachain — the first publicly live Layer 1 blockchain using NIST-standardized Falcon-512 lattice signatures from genesis, with external node operators, a live block explorer, and a published benchmark suite.
Here is what our engineering team measured in the April 2026 benchmark run (Node v0.7.1, Ubuntu 22.04, 4-core environment):
Cryptographic Core — Falcon-512
| Operation | Quantachain | ECDSA-P256 | Overhead |
|---|---|---|---|
| Sign | 0.227 ms | ~0.05 ms | ~4.5× |
| Verify (serial) | 0.006 µs | ~0.12 ms | < 1× (faster) |
| Verify (parallel, 4 cores) | 0.001 µs (batch 100) | — | — |
| Key generation | 6.8 ms | ~0.05 ms | Higher |
| Signature size | 689 bytes avg | 64 bytes | ~10.8× |
| Public key size | 897 bytes | 64 bytes | ~14× |
The signing overhead is real — Falcon-512 costs approximately 4.5× more to sign than ECDSA-P256. This is the honest tradeoff of post-quantum security.
But look at verification: Falcon-512 serial verification in our implementation runs at 168,000+ verifications per second. With Rayon-based parallel batch verification across 4 physical cores, a block of 200 transactions verifies in 0.169 ms total — a 7× speedup over serial, beating the theoretical 4× core maximum due to cache locality effects.
The performance gap between classical and PQC signature verification — the primary throughput bottleneck in a block validator — closes to under 1.3× per-block in parallel batch mode.
Mempool and Throughput
| Metric | Result |
|---|---|
| Mempool insert throughput | 230,041 tx/sec |
| Duplicate rejection latency (Bloom filter) | 3.3 µs (O(1)) |
| Fee-ordered top-1200 selection | 590 µs |
| Eviction under flood | 251,312 ops/sec |
The mempool runs on a priority-fee BTreeMap (O(log n) insert, O(1) remove) with a Bloom filter providing O(1) duplicate detection at 50K capacity and 0.01% false positive rate.
Block Compression
Falcon-512 signatures are ~10× larger than ECDSA. Unmitigated, this would cause severe blockchain state bloat. We integrated zstd Level-3 block compression:
| Block size | Raw | Compressed | Ratio | Compression time |
|---|---|---|---|---|
| 100 txs | 171 KB | 86 KB | 1.97× | 0.37 ms |
| 500 txs | 856 KB | 359 KB | 2.38× | 1.57 ms |
| 1,200 txs (full block) | 2,054 KB | 838 KB | 2.45× | 5.48 ms |
A full 1,200-transaction Falcon-512 block compresses from 2 MB to 838 KB in under 5.5 milliseconds. This cuts annualized ledger growth by over 60% relative to uncompressed Falcon-512, keeping storage costs competitive with classical blockchains.
Live Node — End-to-End HTTP Pipeline
Beyond in-memory benchmarks, we ran a live HTTP stress test against a running testnet node (sequential submissions with Falcon-512 signed transactions via the /api/transactions/submit endpoint):
- Median round-trip latency (p50): 0.70 ms — full pipeline (HTTP + JSON deserialize + Falcon-512 verify + nonce check + balance check + mempool insert)
- Concurrent flood throughput: 792 tx/sec (end-to-end, real network path)
- Sequential acceptance rate: 100% — zero false rejections, zero signature errors
A 0.70 ms median acceptance latency for a fully Falcon-512 signed transaction is competitive with production ECDSA blockchains. We are not trading performance for security. The numbers prove it.
The Practical Comparison: Falcon-512 vs. Every Alternative
A common question: why not Dilithium (now ML-DSA), which NIST standardized first?
| Scheme | Quantum-Safe | Sig Size | PK Size | Verify speed |
|---|---|---|---|---|
| Falcon-512 | Yes | ~689 B | 897 B | ~168K ops/s |
| CRYSTALS-Dilithium3 | Yes | 3,309 B | 1,952 B | High |
| ECDSA-P256 | No | 64 B | 64 B | ~8K ops/s (classical) |
| Ed25519 | No | 64 B | 32 B | Very high (classical) |
Falcon-512 produces the smallest signature of any NIST-standardized PQC scheme. At ~689 bytes average (with compression), it is 4.8× smaller than Dilithium3. For a blockchain where every transaction signature is stored permanently on-chain and propagated across every node, signature size is not a footnote — it determines long-term sustainability.
What “Harvest Now, Decrypt Later” Means for Your Infrastructure Today
This is not a future threat. Nation-state-level adversaries have been operating HNDL (Harvest Now, Decrypt Later) campaigns since at least the Snowden-era disclosures. Every encrypted packet sent over a classical TLS or ECDSA-signed connection is a candidate for archival and future decryption.
The NSA’s CNSA 2.0 framework mandates that all new national security systems must be quantum-safe by January 2027. The White House Executive Order 14144 (January 2025) requires federal agencies to prioritize PQC in procurement. NIST’s deprecation timeline calls for RSA and ECDSA to be disallowed after 2035.
For blockchain specifically: every ECDSA-signed transaction in your history is already being harvested. You cannot retroactively re-sign historical transactions. You can only control what you build from now forward.
What We Built, and Why It’s Different
Quantachain is not a proof of concept. It is a live mainnet-adjacent network with:
- Falcon-512 signatures from genesis — every transaction on every block, since block #1
- A Chrome extension wallet with Falcon-512 key generation, mnemonic recovery, and AES-256-GCM encrypted local storage
- External node operators running independent validating nodes
- A live block explorer at scan.quantachain.org
- A Zenodo-published research paper documenting the architecture with peer-reviewed methodology
This benchmark suite runs against the same node binary. These numbers are not simulations.
What You Should Do If You’re Building on ECC Today
Immediate:
- Audit your signing scheme. Know every place ECDSA or Ed25519 is used in your infrastructure — transaction signing, TLS certificates, internal service auth, HSM configuration.
- Migrate TLS key exchange to ML-KEM (this is already handled by Cloudflare for your edge, but your origin servers and internal microservices need manual configuration).
Medium term (before 2027):
- If you are building a new chain or significant protocol upgrade, do not build on ECDSA. The engineering cost of migrating later — coordinating a hard fork, building parallel signing schemes, migrating wallet key material — will be an order of magnitude larger than building on Falcon-512 from genesis.
- Implement crypto agility in your signing layer. Even if you stay on ECDSA today, your codebase should be structured so the signing scheme is swappable without a full protocol rewrite.
If you want help: QuantaLabs offers cryptographic readiness audits and Falcon-512 / Kyber-1024 migration engineering. We have done this on a production network. Reach us at enterprise@quantalabs.cc.
The Line That Should Stay With You
Google’s paper on breaking secp256k1 closed with a sentence that no blockchain developer should dismiss:
“It is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced.”
Meaning: the first sign that Q-Day has arrived might not be a press release. It might be $2.5 trillion in ECC-secured digital assets draining to an unknown address.
The migration window is open. Build accordingly.
QuantaLabs is the engineering lab behind Quantachain — the first live post-quantum blockchain running Falcon-512 signatures in production. We publish our benchmarks, architecture, and research openly.
- quantalabs.cc
- quantachain.org
- scan.quantachain.org
- Research: Zenodo 10.5281/zenodo.18753528
- contact@quantalabs.cc
References and Further Reading
Google Quantum AI
- Google Quantum AI — Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly (March 2026): https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/
- Google Security Blog — Cryptography migration timeline (2029 commitment): https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
Oratomic / Caltech / UC Berkeley
- Cain et al., “Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits” (March 31, 2026): https://arxiv.org/pdf/2603.28627
Project Eleven
- Project Eleven — Q-Day Prize awarded for largest public quantum attack on ECC (April 24, 2026): https://blog.projecteleven.com/posts/project-eleven-awards-1-btc-q-day-prize-for-largest-quantum-attack-on-elliptic-curve-cryptography-to-date
- PR Newswire announcement: https://www.prnewswire.com/news-releases/project-eleven-awards-1-btc-q-day-prize-for-largest-quantum-attack-on-elliptic-curve-cryptography-to-date-302752439.html
Cloudflare
- Cloudflare — Post-Quantum Roadmap (2026, includes Q-Day timeline update): https://blog.cloudflare.com/post-quantum-roadmap/
- Cloudflare — State of the Post-Quantum Internet in 2025 (October 2025): https://blog.cloudflare.com/pq-2025/
- Cloudflare — Automatically Secure: 6,000,000 domains upgraded for the quantum future (September 2025): https://blog.cloudflare.com/automatically-secure/
- Cloudflare — Post-Quantum Zero Trust (March 2025): https://blog.cloudflare.com/post-quantum-zero-trust/
- Cloudflare PQC documentation: https://developers.cloudflare.com/ssl/post-quantum-cryptography/
Industry Coverage
- The Block — “No longer a drill”: Google’s quantum breakthrough and Bitcoin security: https://www.theblock.co/post/395944/no-longer-drill-googles-latest-quantum-breakthrough-debate-bitcoins-security
- Fireblocks — What Google’s new quantum research means for institutional crypto security: https://www.fireblocks.com/blog/google-quantum-research-institutional-crypto-security
- The Quantum Insider — Q-Day just got closer: three papers in three months rewriting the timeline: https://thequantuminsider.com/2026/03/31/q-day-just-got-closer-three-papers-in-three-months-are-rewriting-the-quantum-threat-timeline/
- TIME — AI helped spark a quantum breakthrough. The world is not prepared: https://time.com/article/2026/04/07/ai-quantum-computing-advance/
- CoinDesk — Researcher wins 1 BTC bounty for largest quantum attack on ECC (April 24, 2026): https://www.coindesk.com/tech/2026/04/24/researcher-wins-1-bitcoin-bounty-for-largest-quantum-attack-on-underlying-tech
- postquantum.com — Google Quantum AI achieves 10x reduction in resources to break Bitcoin’s cryptography: https://postquantum.com/security-pqc/google-quantum-bitcoin-ecdlp/
- postquantum.com — 10,000 qubits to run Shor’s algorithm: https://postquantum.com/security-pqc/10000-qubits-shors/
Standards and Policy
- NIST IR 8547 — PQC deprecation timeline (RSA/ECDSA deprecated after 2030, disallowed after 2035): https://csrc.nist.gov/pubs/ir/8547/ipd
- NSA CNSA 2.0 — All new national security systems quantum-safe by January 2027: https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/
- White House Executive Order 14144 — Strengthening and Promoting Innovation in the Nation’s Cybersecurity (January 2025): https://www.whitehouse.gov/presidential-actions/2025/01/strengthening-and-promoting-innovation-in-the-nations-cybersecurity/
Quantachain and QuantaLabs
- Quantachain live network: https://quantachain.org
- Quantachain block explorer: https://scan.quantachain.org
- QuantaLabs website: https://quantalabs.cc
- Quanta Wallet (Chrome): https://chromewebstore.google.com/detail/quanta-wallet/glofbcgdmodmaohealombcgoapdbdaff
- Research paper — “QUANTA: Engineering a Production-Ready Post-Quantum Blockchain with Falcon-512 Lattice Signatures” (Zenodo, February 2026): https://doi.org/10.5281/zenodo.18753528
- Research paper — “Learning with Correlated Errors: A New Lattice Hard Problem with Worst-Case Reductions” (Zenodo, March 2026): https://doi.org/10.5281/zenodo.18753529
Top comments (0)