Shor's Algorithm Explained

Shor's algorithm explained in plain terms: it is a quantum computing procedure, published by mathematician Peter Shor in 1994, that can factor large integers and solve discrete logarithm problems exponentially faster than any known classical algorithm. Both capabilities are lethal to the two cryptographic primitives that secure almost every cryptocurrency wallet in existence today, RSA and elliptic-curve cryptography (ECC). This article walks through the mathematical mechanism, the hardware requirements to run it at scale, credible expert timelines, and the specific implications for Bitcoin, Ethereum, and every other blockchain that inherits these vulnerabilities.

What Shor's Algorithm Actually Does

Peter Shor published his algorithm in 1994, before practical quantum computers existed. The core insight was that a quantum computer could exploit a mathematical relationship between the problem of factoring large integers and the problem of finding the period of a function, a task quantum circuits handle with remarkable efficiency via the Quantum Fourier Transform (QFT).

The Integer Factoring Path

RSA encryption derives its security from the fact that multiplying two large prime numbers together is trivial, while reversing that operation (finding the two primes from their product) is computationally intractable for classical computers. A 2048-bit RSA key, for example, would take a classical computer longer than the age of the universe to factor using the best known algorithms (the General Number Field Sieve).

Shor's algorithm reduces that intractability to a polynomial-time problem on a quantum computer:

  1. Choose a random integer *a* that is coprime to the number *N* you want to factor.
  2. Use a quantum circuit to find the period *r* of the function f(x) = a^x mod N. This step uses quantum superposition and the QFT to evaluate all possible inputs simultaneously and extract the periodicity.
  3. If *r* is even and a^(r/2) ≢ -1 (mod N), compute gcd(a^(r/2) ± 1, N) to obtain the prime factors.
  4. Repeat with different values of *a* if needed. The expected number of repetitions is small.

The quantum speedup comes entirely from step 2. Classical period-finding is exponentially slow; quantum period-finding is polynomial. Everything else in the algorithm is classical bookkeeping.

The Discrete Logarithm Path

ECC, which underlies Bitcoin's secp256k1 curve and Ethereum's key infrastructure, relies on the discrete logarithm problem: given a public key point *Q* on an elliptic curve and the generator point *G*, find the integer *k* such that Q = kG. No efficient classical algorithm exists for this on properly chosen curves.

Shor's algorithm has a direct variant for discrete logarithms over both finite fields and elliptic curves. The structure is analogous: a quantum circuit computes a two-dimensional period of a related function, the QFT extracts it, and the private key *k* falls out. A 256-bit ECC key is generally considered roughly equivalent in classical security to a 3072-bit RSA key, yet both are broken by Shor's algorithm with a comparable number of logical qubits.

---

Why Standard Crypto Wallets Are Vulnerable

Every time you generate a Bitcoin or Ethereum address, the process involves ECC. Your private key is a 256-bit integer. Your public key is derived from it via elliptic-curve point multiplication. Your wallet address is then a hash of that public key.

The vulnerability has two layers:

Addresses that have never sent a transaction expose only the hash of a public key. Breaking a hash requires Grover's algorithm (a different quantum algorithm), which offers only a quadratic speedup rather than an exponential one, and is far less immediately threatening. Nevertheless, best practice is to assume all ECC-derived secrets will eventually be compromised.

---

Qubit Requirements: The Hardware Gap

Knowing that Shor's algorithm *can* break ECC and RSA is different from knowing when a real machine *will*. The gap is primarily one of hardware scale and error correction.

Logical vs. Physical Qubits

Current quantum computers operate with *physical* qubits, which are noisy and prone to decoherence. To run Shor's algorithm reliably, you need *logical* qubits — error-corrected qubits formed by encoding one logical qubit across many physical qubits.

Estimates for breaking a 2048-bit RSA key using leading error-correction codes (such as the surface code):

Target KeyLogical Qubits RequiredPhysical Qubits Required (surface code)Estimated Runtime
RSA-2048~4,000~4 million~hours
ECC-256 (secp256k1)~2,330~2.3 million~hours
RSA-1024~2,000~2 million~hours
ECC-160~1,000~1 million~hours

These figures are drawn from research by Banegas et al. (2021) and Craig Gidney & Martin Ekerå (2021), which revised earlier, more pessimistic estimates downward. The Gidney-Ekerå paper concluded that a 2048-bit RSA key could be broken in approximately eight hours using 20 million physical qubits running at realistic error rates.

Where Quantum Hardware Stands Today

As of 2024, the most advanced publicly announced quantum processors hold on the order of 1,000 to 1,500 physical qubits, with error rates still several orders of magnitude too high for fault-tolerant computation at scale. IBM's roadmap targets utility-scale fault-tolerant systems in the late 2020s. Google's error-correction experiments have demonstrated that below a threshold error rate, additional physical qubits genuinely suppress logical error rates, confirming the theoretical basis for scaling.

The gap between ~1,000 noisy physical qubits today and ~4 million high-fidelity physical qubits needed to break RSA-2048 is enormous. But hardware scaling in the field has been non-linear and difficult to predict.

---

Realistic Timelines: What Experts Say

There is no consensus, and any specific date carries wide uncertainty. The honest framing is a distribution of scenarios, not a single prediction.

The prudent framing is: the threat is not immediate, but the migration lead time is long, and the cost of being wrong is total loss of funds.

---

NIST's Post-Quantum Response

The U.S. National Institute of Standards and Technology (NIST) ran a multi-year standardisation process for post-quantum cryptographic algorithms and published its first finalised standards in August 2024:

These algorithms are designed to resist both classical and quantum attacks, including Shor's algorithm. Lattice-based schemes in particular have no known quantum polynomial-time attacks; the hardness problems they rely on (Learning With Errors, Short Integer Solution) are not amenable to period-finding in the way RSA and ECC are.

Migrating a blockchain protocol to any of these standards requires consensus at the protocol layer, wallet software updates, and user action to move funds to new address formats. That is a multi-year undertaking even under optimal conditions.

---

What This Means for Crypto Wallet Users

For individual holders, the practical implications are:

The migration problem is analogous to the Y2K remediation effort: the underlying vulnerability is well-understood, the fix exists, but coordinating adoption across a fragmented ecosystem is the hard part.

---

Shor's Algorithm vs. Grover's Algorithm: A Quick Distinction

These two quantum algorithms are often conflated in media coverage, but they address different problems and pose different levels of threat to crypto.

AlgorithmTargetQuantum SpeedupPractical Threat Level
Shor'sRSA, ECC (asymmetric crypto)ExponentialHigh — completely breaks ECC/RSA at scale
Grover'sSymmetric keys, hash functionsQuadraticModerate — effectively halves key strength (e.g., AES-128 → AES-64 equivalent)

Grover's algorithm against SHA-256 (used in Bitcoin's proof-of-work and address derivation) requires roughly 2^128 operations even with quantum acceleration, which remains computationally infeasible. SHA-256 address hashing is not the acute vulnerability. ECC key derivation is.

---

Summary: The Core Takeaways

Frequently Asked Questions

What exactly does Shor's algorithm do?

Shor's algorithm is a quantum procedure that solves two related mathematical problems — integer factorisation and the discrete logarithm — exponentially faster than any known classical algorithm. This breaks RSA encryption (which relies on hard factorisation) and elliptic-curve cryptography (which relies on the discrete logarithm problem), both of which underpin cryptocurrency wallet security.

How many qubits does it take to break Bitcoin's elliptic-curve cryptography?

Research by Gidney and Ekerå estimates that breaking a 256-bit elliptic-curve key (as used in Bitcoin and Ethereum) would require approximately 2.3 million physical qubits operating with low error rates under surface-code error correction. Today's most advanced quantum processors hold around 1,000 to 1,500 noisy physical qubits, so the gap remains very large.

When could a quantum computer realistically break crypto wallets?

There is no single consensus date. The Global Risk Institute's expert surveys place the 50% probability of a cryptographically relevant quantum computer in the 2035–2045 window, with a smaller but non-negligible tail risk in the late 2020s. U.S. and German government agencies recommend completing post-quantum migration by 2030–2035 to be safe.

Does Shor's algorithm also threaten Bitcoin's SHA-256 hashing?

No. SHA-256 is a symmetric/hash function and is not vulnerable to Shor's algorithm. Grover's algorithm (a different quantum procedure) offers only a quadratic speedup against hash functions, effectively halving the security level. Against SHA-256 this still leaves roughly 2^128 operations required, which remains computationally infeasible even with quantum hardware.

What post-quantum alternatives exist for cryptocurrency wallets?

NIST finalised four post-quantum cryptographic standards in 2024: ML-KEM (key encapsulation), ML-DSA and FN-DSA (lattice-based digital signatures), and SLH-DSA (hash-based signatures). These are resistant to both Shor's and Grover's algorithms. Implementing them in a blockchain context requires protocol-level changes and wallet software updates, which is an active area of research for both Bitcoin (BIP-360 / QuBit) and Ethereum.

What is a 'harvest now, decrypt later' attack, and is it already happening?

A harvest now, decrypt later (HNDL) attack involves an adversary recording encrypted data or blockchain transactions today, storing them, and decrypting them once sufficiently powerful quantum hardware becomes available. For blockchain transactions this is relevant where the public key is already exposed on-chain. Security agencies consider HNDL a current, active threat for long-lived secrets, which is why migration timelines start now rather than when a CRQC is confirmed.