Quantum Computing Just Broke RSA-2048 in a Lab: What This Means for Your Crypto Wallet

By Fatima Al-Hassan · April 28, 2026 · 17 min read

Quick Answer

A research team factored an RSA-2048 modulus on a fault-tolerant quantum prototype using Shor's algorithm — a milestone, but with caveats: the demonstration required hours of calibration, narrow input conditions, and physical-qubit counts that do not yet scale to attacking live keys. Real-world cryptographic risk to your Bitcoin or Ethereum wallet is still 5–15 years out per NIST, IBM, and Google's published roadmaps. The actionable response in 2026 is not to panic-sell. It is to understand which signature schemes your wallets use (ECDSA for Bitcoin and Ethereum, post-quantum-ready on Algorand and a few newer L1s), watch the migration plans (Bitcoin BIP-360, Ethereum's account abstraction crypto agility, Cosmos's signature flexibility), and use fresh receiving addresses for every transaction so your public keys are not exposed until spend time.

What Actually Happened

The headlines arrived in waves. "Quantum computer cracks RSA-2048." "The end of crypto." "Move your Bitcoin now." Most of them were wrong about the implications, and a few were actively harmful: they drove panic-selling and sent less technical holders straight into phishing lures dressed up as "migration instructions."

Here is what genuinely happened: a research team running a fault-tolerant quantum prototype executed Shor's factoring algorithm on a 2048-bit RSA modulus and recovered the prime factors. That is the first end-to-end demonstration at the parameter size used in real-world TLS, code signing, and corporate VPN authentication. It is a scientific milestone of the first order.

It is also not yet a deployable attack on your wallet. The demonstration required hours of error correction calibration, ran against a specific pre-selected modulus rather than an arbitrary key, and consumed physical-qubit resources that do not yet scale to attacking the millions of live RSA and ECDSA keys protecting financial infrastructure. The gap between "we can do this in a lab on one chosen input" and "we can do this against any production key in minutes" is approximately the gap between the Wright brothers' 1903 flight and a transatlantic airliner.

That said, the gap is closing faster than most cryptographers predicted in 2020. The right response is not panic. It is informed preparation.

Shor's Algorithm in Plain English

Most public-key cryptography relies on math problems that are easy in one direction and hard in reverse. RSA relies on the fact that multiplying two large primes is easy but factoring their product is hard for classical computers. Elliptic curve cryptography (ECC), used by Bitcoin and Ethereum, relies on the elliptic curve discrete logarithm problem (ECDLP): given a base point G and a public key Q = kG, recover the scalar k. That is not factoring, but it is the same kind of problem (finding a hidden period in a finite abelian group), which is why one quantum algorithm breaks both.

Peter Shor's 1994 algorithm uses quantum superposition and the quantum Fourier transform to find the period of a modular exponentiation function; period finding, plus some elementary classical number theory, solves both factoring and discrete logarithms in polynomial time on a sufficiently large quantum computer. "Sufficiently large" has historically meant millions of noisy physical qubits: the widely cited Gidney and Ekerå estimate from 2019 put RSA-2048 at roughly 20 million physical qubits running for about eight hours, and Gidney's 2025 revision brought that below one million qubits running for under a week. Both were far beyond what existed in 2020.

What changed in the lab demo: better error-correction codes (surface codes with lower physical-qubit overhead), faster calibration, and modest improvements in coherence time. Those improvements do not make Shor's algorithm instant; they shrink the required hardware to a level that is genuinely on the horizon rather than purely theoretical.
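Shor's division of labour is easiest to see in code. The following is an added example, not from the original article: Python that runs the classical side of Shor's pipeline (random base, parity check on the order, gcd extraction, and the RSA private-key recovery that follows from the factors) with the quantum order-finding step replaced by a brute-force oracle. The toy modulus 3233 = 61 × 53 and public exponent 17 are constructed for the demo.

```python
import math
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n).

    This is the only step Shor's algorithm hands to the quantum computer
    (a quantum Fourier transform over the superposition of a**x mod n).
    Brute force, as here, takes about r steps, and r is itself a number of
    roughly the size of n, which is exactly why RSA survives classically.
    Assumes gcd(a, n) == 1, which the caller guarantees.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng=None, order_oracle=find_order) -> tuple:
    """Classical post-processing of Shor's algorithm: split odd composite n.

    Pick a random base a and ask the oracle for its order r. If r is even and
    a**(r/2) is a non-trivial square root of 1 mod n, then gcd(a**(r/2) - 1, n)
    is a proper factor. For n with two distinct odd prime factors each round
    succeeds with probability at least 1/2, so a handful of oracle calls do.
    """
    rng = rng or random.Random()
    if n % 2 == 0:
        return 2, n // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:
            return g, n // g                 # lucky guess already shares a factor
        r = order_oracle(a, n)
        if r % 2:
            continue                         # odd order: pick another base
        y = pow(a, r // 2, n)
        if y in (1, n - 1):
            continue                         # trivial square root of 1: retry
        p = math.gcd(y - 1, n)               # y**2 == 1 and y != +-1 => proper factor
        return p, n // p


def recover_private_exponent(n: int, e: int, p: int, q: int) -> int:
    """With p and q known, the RSA private exponent is d = e^-1 mod phi(n)."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy key: n = 61 * 53, e = 17, so d comes out as 2753.
    n, e = 3233, 17
    p, q = shor_factor(n, random.Random(2026))
    print(f"{n} = {p} * {q}; d = {recover_private_exponent(n, e, p, q)}")
```

The point to take from it: a quantum computer replaces only `find_order`; everything else is arithmetic a laptop does instantly. For a 2048-bit modulus the brute-force oracle would need a number of steps comparable to the order of `a`, itself a roughly 2048-bit number, while Shor's circuit finds the same period in a polynomial number of quantum gates. That single substitution is the entire threat.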

RSA-2048 vs. ECDSA: The Wallet Cryptography Question

Bitcoin and Ethereum do not use RSA. They use ECDSA, the elliptic curve digital signature algorithm, on the secp256k1 curve. The relevant question for crypto holders is whether breaking RSA-2048 implies breaking ECDSA, and the answer is broadly yes: Shor's algorithm extends naturally from factoring to discrete logarithms. The resource estimates for a 256-bit curve are in the same ballpark as for RSA-2048 and, in the published logical-qubit estimates, somewhat lower, because the curve group is far smaller than a 2048-bit modulus. A machine that factors RSA-2048 should be assumed able to recover a secp256k1 private key from its public key.

The practical exposure differs by chain:

Bitcoin's UTXO model. When you receive Bitcoin to a P2PKH or P2WPKH address, only the HASH160 of your public key is visible on chain. The public key itself appears only in the scriptSig or witness of the transaction that spends the UTXO. An attacker with a sufficiently powerful quantum computer would therefore have a window, measured in transaction propagation and confirmation time, to run Shor's algorithm on the revealed public key, derive the private key, and front-run the spend with a conflicting transaction paying a higher fee. Two output types do not get this protection: legacy P2PK outputs (most early mined coins) put the raw public key in the scriptPubKey, and Taproot (P2TR, addresses starting with bc1p) outputs put the 32-byte tweaked output key there, which is all a key-path spend needs once its discrete log is known.

Ethereum's account model. An Ethereum address is the last 20 bytes of the Keccak-256 hash of the public key, so a freshly funded address also reveals only a hash. But every outgoing transaction carries a signature from which the public key is recovered (that is how the network identifies the sender), so once an address has signed any transaction, its full public key is on chain for good. The window for quantum attack is therefore "from your first outgoing tx onward" rather than "during a single spend."

This asymmetry has a practical implication. A Bitcoin user who keeps funds in P2PKH or P2WPKH outputs they have never spent from is broadly safe from a quantum attack until spend time. An Ethereum user with an active address is exposed continuously after their first tx.

Real Timeline: 5 to 15 Years

The most credible public estimates for "practical attacks on production ECDSA keys" come from a few sources:

  • NIST has been running the Post-Quantum Cryptography Standardization Process since 2016 and recommends agencies migrate by 2030–2035.
  • IBM publishes a quantum roadmap targeting "millions of qubits in connected systems by the early 2030s," with cryptographic relevance somewhere between 2030 and 2035.
  • Google Quantum AI has demonstrated incremental error correction milestones (their Willow chip in 2024) but estimates broad cryptographic impact in the 2030s.
  • The Global Risk Institute's annual Quantum Threat Timeline Report (Mosca and Piani) aggregates expert opinion on when a cryptographically relevant quantum computer arrives; the median 2024 estimate for breaking RSA-2048 within a day was 2031–2034.

The consensus, after the lab demo, is that the front edge of those estimates may shift earlier by a couple of years. The middle of the window — say 2032 to 2035 — is still where most credible forecasters place the practical threat. That is enough time to migrate, but not so much time that the work can be deferred indefinitely.

NIST Post-Quantum Standards

NIST finalized three post-quantum cryptography standards in August 2024:

  • FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber). For key encapsulation, the building block of TLS-style key exchange.
  • FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium). For digital signatures. Likely the primary "drop-in replacement for ECDSA" in most general-purpose deployments.
  • FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, derived from SPHINCS+). A conservative hash-based scheme producing large signatures but resistant to a wider class of cryptanalytic surprise.

FALCON, another lattice-based signature scheme with smaller signatures than ML-DSA, is expected to be standardized as FN-DSA in FIPS 206. The three finalized algorithms already ship in mainstream libraries: OpenSSL 3.5 added ML-KEM, ML-DSA, and SLH-DSA, BoringSSL carries ML-KEM and ML-DSA, and hybrid X25519 plus ML-KEM-768 key exchange is on by default in the major browsers and CDNs. FALCON support outside research libraries is still thin.
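What "hash-based" buys you is easiest to see on the family's simplest ancestor. The block below is an added example, not from the article and not SLH-DSA itself: a Lamport one-time signature in Python, plus a function demonstrating the failure mode that SLH-DSA's stateless hypertree construction exists to remove. SLH-DSA replaces Lamport with WOTS+ chains and FORS trees so one key can sign many messages, but the security argument (only the hash function's one-wayness and second-preimage resistance, with no number-theoretic structure for Shor to exploit) and the cost (signatures measured in kilobytes) are the same. The messages in the demo are constructed.

```python
import hashlib
import secrets

BITS = 256            # we sign SHA-256 digests: one secret pair per digest bit
CHUNK = 32            # bytes per secret


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(msg: bytes) -> list:
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(rng(CHUNK), rng(CHUNK)) for _ in range(BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal, for every digest bit i, the secret sk[i][bit_i]."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig: list) -> bool:
    """Hash each revealed secret and compare with the published pk entry."""
    if len(sig) != BITS:
        return False
    bits = _digest_bits(msg)
    return all(_h(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def signature_size_bytes() -> int:
    return BITS * CHUNK          # 8192 bytes, against 64 for raw ECDSA on secp256k1


def forge_after_reuse(pk, signed, target_prefix: bytes, tries: int = 10_000):
    """Attack a key that signed several messages.

    `signed` holds (message, signature) pairs under ONE key. Every revealed
    secret is a (position, bit) the attacker now owns. The attacker grinds a
    nonce onto `target_prefix` until the digest needs only secrets already
    revealed. With ~20 reused signatures nearly every candidate works; with a
    single honest signature none will. No hash-function break is involved.
    """
    known = {}
    for msg, sig in signed:
        for i, (s, b) in enumerate(zip(sig, _digest_bits(msg))):
            known[(i, b)] = s
    for nonce in range(tries):
        candidate = target_prefix + b"#" + str(nonce).encode()
        bits = _digest_bits(candidate)
        if all((i, b) in known for i, b in enumerate(bits)):
            return candidate, [known[(i, b)] for i, b in enumerate(bits)]
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"transfer 1 BTC to the cold wallet"          # constructed sample message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig), "signature bytes:", signature_size_bytes())
    reused = [(m, sign(sk, m)) for m in (b"msg %d" % i for i in range(20))]
    forged = forge_after_reuse(pk, reused, b"pay attacker")
    print("forgery after 20 reuses verifies:", forged is not None and verify(pk, *forged))
```

For scale: this toy produces 8192-byte signatures; SLH-DSA-SHA2-128s signatures are 7856 bytes, ML-DSA-44 signatures are 2420 bytes, and a raw secp256k1 ECDSA signature is 64 bytes. Those sizes, not the algorithms' maturity, are the main reason blockchains with per-byte fees are cautious about which PQ scheme to adopt.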

These are the algorithms that will, over the next decade, replace RSA and ECDSA in TLS, code signing, SSH, VPNs, and — critically for crypto holders — blockchain signatures.

How the Major Chains Are Responding

Bitcoin. BIP-360 is the leading proposal for quantum-safe output types. It defines a new output type supporting SLH-DSA and ML-DSA signatures alongside (and eventually instead of) the current ECDSA- and Schnorr-based outputs. BIP-360 is in active discussion as of early 2026; activation would be a soft fork, and the hard part is not the fork but the multi-year migration afterward: wallet support, exchange support, and every holder moving coins into the new output type. The conservative Bitcoin culture is a feature here; premature migration to a less-tested PQ scheme would be its own risk.

Ethereum. Account abstraction (ERC-4337 plus EIP-7702) gives Ethereum an unusual advantage: a smart-contract wallet's signature check is ordinary contract code, so it can be swapped without a protocol-level fork. A user with an ERC-4337 wallet can, in principle, upgrade their signing module to ML-DSA the day a vetted implementation is available, with no hard fork or core-dev coordination. Two caveats matter in practice. First, an EIP-7702 account is still controlled by its EOA's secp256k1 key: that key signs the delegation and can re-delegate or revoke it, so 7702 on its own does not remove ECDSA exposure. Second, verifying a lattice signature in EVM bytecode without a dedicated precompile is expensive, and adding a precompile does need a protocol upgrade. Even so, this is the real long-game payoff of crypto agility, and it makes Ethereum's quantum migration plausibly less disruptive than Bitcoin's. Our ERC-4337 developer guide covers the architecture in depth.

Algorand. Already uses Falcon for state-proof signatures and is rolling out PQ transaction signing. Among major L1s, Algorand has the most concrete production PQ implementation in 2026.

Cosmos. The Cosmos SDK's signature flexibility makes Dilithium integration straightforward at the chain level. Several Cosmos zones are in active testing.

QANplatform and a handful of newer L1s were designed PQ-resistant from launch using NIST-finalist algorithms. They are smaller-cap but architecturally interesting as references for how a from-scratch PQ chain looks.

What Users Should Actually Do Today

The list is short and unglamorous:

1. Use fresh receiving addresses for every transaction. This is best practice on Bitcoin regardless of quantum considerations and becomes more important now. A never-spent P2PKH or P2WPKH output has only a hashed public key on chain, quantum-resistant in practice; Taproot (bc1p) outputs do not get this benefit, because the output key itself sits in the script. Reusing addresses concentrates exposure.

2. Don't keep large balances at addresses you have spent from. On Bitcoin, the public key is visible from the moment of first spend. On Ethereum, the same applies from the first outgoing transaction.

3. Spread funds across wallets. Single-point-of-failure concentration is bad for many reasons; quantum is one more.

4. Use hardware wallets. Hardware wallets do not protect against quantum attacks on the public key, but they protect against the much-larger universe of classical compromises that are causing actual losses today. The 2026 advice on hardware wallet selection in our crypto security best practices guide covers the current generation.

5. Watch your chain's PQ migration plan. Subscribe to the bitcoin-dev mailing list if you hold Bitcoin. Track Ethereum core dev discussions if you hold ETH. When migration paths land, plan a structured move within the official guidance.

6. Avoid quantum-FUD scams. Phishing emails impersonating exchanges with urgent "quantum migration" instructions, fake "quantum-safe" tokens with no real PQ cryptography, "migration services" that ask for seed phrases — all are scams. Verify any urgent instruction directly with your exchange or wallet provider through official channels. The general principles in our explainers — What is Bitcoin? and What is Ethereum? — still apply: never share seed phrases, verify URLs, treat urgency as a red flag.

7. Don't panic-sell. Markets price in known threats over time. Selling during a quantum-news spike usually means selling near a local low and buying back higher after the cycle of fear and rebound.
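Putting the UTXO-versus-account discussion above and checklist items 1 and 2 into something you can run against a wallet export: an added example, not from the article, that classifies Bitcoin scriptPubKeys by whether the public key or only its hash is on chain, sums a wallet's exposed balance, and applies the account-model rule to an Ethereum nonce. The UTXO snapshot, hashes, and key below are constructed sample data; the `key_revealed` flag stands in for the address-reuse check a real tool would do by scanning spending transactions for that key.

```python
OP_0, OP_1, OP_PUSHDATA1 = 0x00, 0x51, 0x4C
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def tokenize(script: bytes) -> list:
    """Split a scriptPubKey into opcodes (int) and pushed data (bytes).

    Direct pushes (1..75 bytes) and OP_PUSHDATA1 cover every standard output
    type; a push that runs past the end of the script is malformed.
    """
    toks, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            n = op
        elif op == OP_PUSHDATA1 and i < len(script):
            n = script[i]
            i += 1
        else:
            toks.append(op)
            continue
        if i + n > len(script):
            raise ValueError("push runs past end of script")
        toks.append(script[i:i + n])
        i += n
    return toks


def classify(script_hex: str) -> tuple:
    """Return (output type, True if the public key itself is on chain at receive).

    P2PKH/P2SH/P2WPKH/P2WSH commit only to a hash. P2PK carries the raw key and
    Taproot (P2TR) carries the tweaked 32-byte output key, which is exactly the
    value Shor's algorithm would attack. Unknown scripts are treated as exposed.
    """
    t = tokenize(bytes.fromhex(script_hex))

    def push(x, n):
        return isinstance(x, bytes) and len(x) == n

    if (len(t) == 5 and t[0] == OP_DUP and t[1] == OP_HASH160 and push(t[2], 20)
            and t[3] == OP_EQUALVERIFY and t[4] == OP_CHECKSIG):
        return "P2PKH", False
    if len(t) == 3 and t[0] == OP_HASH160 and push(t[1], 20) and t[2] == OP_EQUAL:
        return "P2SH", False
    if len(t) == 2 and t[0] == OP_0 and push(t[1], 20):
        return "P2WPKH", False
    if len(t) == 2 and t[0] == OP_0 and push(t[1], 32):
        return "P2WSH", False
    if len(t) == 2 and t[0] == OP_1 and push(t[1], 32):
        return "P2TR", True
    if len(t) == 2 and isinstance(t[0], bytes) and len(t[0]) in (33, 65) and t[1] == OP_CHECKSIG:
        return "P2PK", True
    return "unknown", True


def audit_utxos(utxos: list) -> dict:
    """Split a wallet's balance into 'key already on chain' and 'hash only'.

    Each UTXO is {"script": hex, "value": sats, "key_revealed": bool}; the flag
    means this key already signed an earlier spend (address reuse), which
    exposes it regardless of output type.
    """
    report = {"exposed_sats": 0, "hash_only_sats": 0, "findings": []}
    for u in utxos:
        kind, in_script = classify(u["script"])
        exposed = in_script or u.get("key_revealed", False)
        reason = ("key in scriptPubKey" if in_script
                  else "key revealed by earlier spend" if exposed else "hash only")
        report["exposed_sats" if exposed else "hash_only_sats"] += u["value"]
        report["findings"].append((kind, u["value"], reason))
    return report


def eth_key_exposed(nonce: int) -> bool:
    """Account model: an EOA's nonce counts transactions it has sent, and every
    one of them carried a signature from which the public key is recoverable."""
    return nonce > 0


# Constructed sample data, not real chain state: two 20-byte hashes and one
# 32-byte x-only key, reused across script types for brevity.
H20 = "751e76e8199196d454941c45d1b3a323f1433bd6"
H20_REUSED = "89abcdefabbaabbaabbaabbaabbaabbaabbaabba"
X32 = "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
SAMPLE_UTXOS = [
    {"script": "0014" + H20,             "value": 100_000, "key_revealed": False},  # fresh P2WPKH
    {"script": "0014" + H20_REUSED,      "value": 50_000,  "key_revealed": True},   # reused P2WPKH
    {"script": "5120" + X32,             "value": 70_000,  "key_revealed": False},  # Taproot
    {"script": "76a914" + H20 + "88ac",  "value": 25_000,  "key_revealed": False},  # fresh P2PKH
    {"script": "21" + "02" + X32 + "ac", "value": 10_000,  "key_revealed": False},  # P2PK
]

if __name__ == "__main__":
    r = audit_utxos(SAMPLE_UTXOS)
    for kind, value, reason in r["findings"]:
        print(f"{kind:7} {value:>8} sat  {reason}")
    print("exposed:", r["exposed_sats"], "hash-only:", r["hash_only_sats"])
    print("eth account with nonce 3 exposed:", eth_key_exposed(3))
```

On the sample snapshot 130,000 sat is already attackable the day a capable machine exists (the reused address, the Taproot output, and the P2PK output) and 125,000 sat is hash-only until spent. A wallet that exports `listunspent` output can be fed straight into `audit_utxos` once the `key_revealed` flag is derived from the address's spend history.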

The Cryptographer's View

Talk to working cryptographers and the sentiment is closer to "this is the next big migration" than "the apocalypse is here." Past major migrations — DES to AES, MD5 and SHA-1 to SHA-2, RSA-1024 to RSA-2048 — happened across multi-year timelines with clear standards processes and orderly transitions. The PQ migration will be larger than any of those because it touches every layer of public-key infrastructure, but the playbook is the same: standards finalize, implementations stabilize, deployments migrate, legacy systems sunset.

The crypto industry has an unusual advantage: a mature standards body (NIST) finished the heavy cryptographic lifting, and several chains have built-in upgrade paths. The challenges are coordination and user-side hygiene, not algorithmic discovery.

A Note on Disclaimers

Nothing in this article is investment advice. Cryptographic threat models are technical and evolving; the specific recommendations under "What Users Should Actually Do Today" reflect current best practice but should be verified against your own threat model and chain-specific guidance. If you hold large balances, consult a security professional and your chain's official migration documentation rather than relying on a general post.

Final Thoughts

The headline "RSA-2048 broken in lab" is technically correct and historically significant. The headline "your Bitcoin is in immediate danger" is misleading. The reasonable middle ground — preparation, hygiene, and watching the migration path — is where holders, developers, and chain governance should sit through 2026 and beyond.

We will revisit this as the standards finalize, as BIP-360 evolves, and as the first major chains ship production PQ wallet support. The story is moving, but it is not moving as fast as the headlines suggest.


For the broader context of how to keep crypto holdings safe across the full threat landscape, see our pillar guide: [Crypto Security Best Practices 2026](/blog/crypto-security-best-practices-2026).

Key Takeaways

  • The lab demonstration is real but not yet a deployable attack — it factored one specific modulus under controlled conditions, not arbitrary keys at scale
  • Bitcoin and Ethereum use ECDSA, which is theoretically broken by Shor's algorithm in the same way RSA is — but only when public keys are exposed on chain
  • A P2PKH or P2WPKH UTXO that has never been spent from has only the hashed public key visible, quantum-resistant in practice until you spend it; Taproot (P2TR) and legacy P2PK outputs expose the key at receive time
  • NIST finalized FIPS 203 (ML-KEM, formerly Kyber), FIPS 204 (ML-DSA, formerly Dilithium), and FIPS 205 (SLH-DSA, formerly SPHINCS+) in 2024, with FALCON expected to follow as FIPS 206
  • Bitcoin's BIP-360 proposes quantum-safe address types using SLH-DSA and ML-DSA — implementation will be a multi-year community process
  • Ethereum's account-abstraction roadmap (ERC-4337 + EIP-7702) gives it crypto agility — wallets can switch signature schemes without protocol forks
  • The user-level action today is operational: use fresh addresses each transaction, spread funds across wallets, and follow your chain's quantum-migration announcements

Frequently Asked Questions

Did quantum computers actually break RSA-2048?

A lab successfully factored a 2048-bit RSA modulus using a fault-tolerant quantum computer running Shor's algorithm. That is a major scientific milestone — the first end-to-end demonstration at the parameter size used in real-world TLS and code signing. It is not a deployable attack: the demonstration required specific input conditions, hours of calibration, and physical qubit counts that scale poorly to attacking arbitrary live keys.

Should I move my Bitcoin to a different wallet right now?

No emergency action is needed. Public NIST, IBM, and Google estimates put practical attacks on real-world ECDSA keys 5 to 15 years out depending on which roadmap and which qubit-count assumption you trust. The reasonable 2026 move is hygiene: use a fresh receiving address every time you receive Bitcoin so your public key is never exposed until spend time, watch for chain-level quantum-safe address proposals, and avoid keeping large balances at addresses with reused public keys.

Is Ethereum more or less vulnerable than Bitcoin to quantum attacks?

Both use ECDSA on the secp256k1 curve, so the cryptographic vulnerability is the same. Operationally Ethereum exposes the public key on every transaction (it is recovered from the signature for verification), so an active address has its public key visible from its first outgoing tx. Bitcoin's UTXO model means addresses receiving via P2PKH or P2WPKH only show a hash until spend time. Ethereum's account-abstraction roadmap may offset that by enabling wallet-level signature scheme upgrades without a hard fork.

What are the NIST post-quantum cryptography standards?

NIST finalized three post-quantum standards in 2024: FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber, for key encapsulation), FIPS 204 (ML-DSA, from CRYSTALS-Dilithium, for digital signatures), and FIPS 205 (SLH-DSA, from SPHINCS+, a hash-based signature scheme). FALCON is expected to follow as FIPS 206. ML-DSA is a lattice-based scheme well-suited to general use; SLH-DSA is conservatively secure but produces large signatures.

Are any blockchains already quantum-resistant?

Algorand uses Falcon-based signatures for state-proof messages and is rolling out quantum-resistant transaction signing. The QANplatform L1 was designed quantum-resistant from launch. Cosmos chains have signature scheme flexibility and several teams are working on Dilithium integration. Bitcoin BIP-360 and Ethereum's account abstraction give those ecosystems migration paths but neither is yet defaulting to PQ signatures for user wallets.

What is harvest-now-decrypt-later and is my data already lost?

Harvest-now-decrypt-later is a real adversary model where attackers record encrypted traffic today and decrypt it years from now once quantum computers are powerful enough. For confidentiality (TLS-encrypted traffic, encrypted email) that risk is real for any secret that must stay secret into the 2030s. For blockchain signatures the situation differs: a signature does not protect a long-term secret, it authorizes one transaction at the time it is verified, and a confirmed transaction cannot be undone later. There is no harvesting step to worry about because the chain is already a permanent public archive: any public key ever revealed on chain (a spent-from Bitcoin address, any Ethereum account with an outgoing transaction, any Taproot output) can be attacked whenever the hardware arrives. Balances still sitting behind such a key are the on-chain equivalent of harvested ciphertext; that, not past signatures, is what the hygiene advice above is about.

Are quantum-FUD scams a real problem in 2026?

Yes. Several scam categories exploit quantum panic: fake "quantum-safe" tokens that have no actual PQ cryptography, "migration assistance" services that ask for your seed phrase, phishing emails impersonating exchanges with urgent quantum-migration notices, and YouTube ads selling courses on "the coming quantum apocalypse." The countermeasure is the usual: never share seeds, verify exchange announcements directly on the exchange's official channels, and treat any urgent crypto-migration message as a phishing attempt until proven otherwise.

What should developers building on Bitcoin or Ethereum do today?

Start tracking your project's quantum-migration plan: which signature schemes are supported, what the upgrade path looks like, and whether your smart contracts hard-code curve assumptions (for example, accepting only ecrecover-based authentication). For Ethereum builders, account-abstraction wallets (ERC-4337) inherit crypto agility: your users can switch to a PQ-signing module with no protocol fork required. For Bitcoin builders, watch BIP-360 progress and be precise about Taproot: its script tree could host future PQ spending conditions once suitable opcodes exist, but every P2TR output exposes its key-path output key on chain, so it is not a quantum hedge today. Avoid hard-coding ECDSA assumptions wherever possible.

About the Author

Fatima Al-Hassan

Cybersecurity Expert & Privacy Researcher

MS Cybersecurity, Georgia Tech | CISSP, CEH | Former Head of Security at Chainguard Labs

Fatima Al-Hassan is a cybersecurity expert and privacy researcher with nine years of experience in information security, blockchain security, and zero-knowledge cryptography. She holds an MS in Cybersecurity from Georgia Tech and is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Before joining Web3AIBlog, Fatima was the Head of Security at a leading blockchain infrastructure company, where she led red team exercises and designed security architectures for Layer-1 protocols handling billions in transaction volume. She has responsibly disclosed vulnerabilities in multiple DeFi protocols and contributed to security standards published by the Blockchain Security Alliance. Fatima writes about smart contract vulnerabilities, privacy-preserving technologies, zero-knowledge proofs, and best practices for securing digital assets.