PostQuantum.com. Link to the post: https://postquantum.com/security-pqc/algorithm-quantum-ecc/

Summary

A team from INRIA Rennes that helped reset RSA risk calculations in 2024 is back with a shot across the bow for elliptic curve cryptography. Chevignard, Fouque, and Schrottenloher’s EUROCRYPT 2026 paper introduces a quantum algorithm for the elliptic curve discrete log problem that cuts logical qubit needs roughly in half. For a 256-bit prime curve, the requirement drops to 1,098 logical qubits from a prior 2,124 estimate, with similar reductions for P-384 (1,494 vs. 3,151) and P-521 (1,895 vs. 4,258).

There is a real catch: far higher gate counts. Yet qubits remain the scarcest resource on the path to a cryptanalytically relevant quantum computer (CRQC), so this tradeoff still tightens timelines more than it relaxes them. As with their earlier work that helped bring RSA-2048’s estimated physical cost under one million qubits, the headline here is that ECC’s comfort margin is shrinking faster than many roadmaps assumed.

For CISOs and quantum security teams, this is another nudge to accelerate crypto agility. Inventory ECC dependencies across TLS, mobile and IoT authentication, code signing, wallets, and HSM estates. Prioritize PQC migration and hybrid modes, align firmware and certificate lifecycles with deprecation plans, and track logical-to-physical overheads and error correction progress. The risk of harvest-now-decrypt-later against ECC-backed data moves closer, so posture updates and budgeted mitigation should follow.
