Marin IvezicCalled it.
In Nov I wrote that ECC was the easier quantum target: postquantum.com/post-quantum/shor-rsa-ecc-diffie-hellman/
In March I argued Bitcoin's quantum risk was underestimated because everyone used RSA benchmarks: postquantum.com/post-quantum/bitcoin-quantum-risk-closer-ecc/
EUROCRYPT 2026 just confirmed both.
Chevignard, Fouque & Schrottenloher halved ECDLP qubit counts:
P-256: 2,124 → 1,193 (42% less than RSA-3072!)
P-224: 1,098 (21.5% less than RSA-2048)
Full writeup: https://postquantum.com/security-pqc/algorithm-quantum-ecc/
A New Algorithm Shrinks the Quantum Attack Surface for ECC
15 Mar 2026 - When Clémence Chevignard, Pierre-Alain Fouque, and André Schrottenloher submitted their latest paper to EUROCRYPT 2026, they already had a track record that the cryptographic community was watching closely. In 2024, the same team at INRIA Rennes had published a method that slashed the qubit requirements for quantum factoring of RSA integers - work that Craig Gidney at Google Quantum AI subsequently used as a foundation to bring the estimated physical qubit cost of breaking RSA-2048 from 20 million down to under one million. That result sent tremors through every risk committee tracking quantum timelines. Now the