Quantum Supremacy vs Quantum Advantage: What the Distinction Means for Crypto Security

Google claimed quantum supremacy in 2019. IBM disputed it. Neither claim tells you anything about the threat to ECDSA-256. Here is why the terms are often misunderstood and what would actually constitute a cryptographic threat.

Dr. Sarah Chen
June 26, 2026

Defining the Terms: Supremacy vs Advantage

Quantum supremacy and quantum advantage are often used interchangeably in media coverage. They mean different things, and the distinction matters for assessing the quantum threat to cryptography.

Quantum supremacy (now often called "quantum computational advantage" to avoid the loaded connotations of "supremacy") refers to a quantum computer performing a specific task faster than the best available classical computer, regardless of whether the task is useful. The task can be artificial or contrived. The requirement is only that classical computers cannot match the performance.

Quantum advantage on a useful problem means a quantum computer outperforming classical computers on a problem that has practical applications, such as drug discovery, materials simulation, logistics optimization, or, critically, cryptographic attacks. This has not been demonstrated as of mid-2026. It is a significantly higher bar than quantum supremacy.

Google's 2019 Sycamore Claim

In October 2019, Google published a paper in Nature claiming that its 53-qubit Sycamore processor completed a random circuit sampling task in 200 seconds, a task Google estimated would take the world's best classical supercomputer (Summit at Oak Ridge National Laboratory) approximately 10,000 years.

The task was specifically designed to be hard for classical computers and easy for quantum computers. Random circuit sampling applies a series of random quantum gates to qubits and measures the output distribution. Verifying that a quantum computer is doing this correctly is computationally expensive classically. But the task has no practical application. No one needs random circuit samples for anything other than benchmarking quantum hardware.

IBM responded within days of the publication. IBM researchers argued that the 10,000-year classical estimate was too pessimistic, and that an optimized classical simulation using Summit could complete the same task in approximately 2.5 days by using disk storage more cleverly. In 2022, a team including researchers from IBM published an algorithm that reduced the classical simulation time further. The computational task Google used to claim supremacy was not as hard classically as Google's initial paper suggested.

Why Supremacy on Artificial Benchmarks Does Not Threaten Cryptography

The Sycamore experiment used a 53-qubit noisy intermediate-scale quantum device. It ran a shallow circuit (the circuit depth was limited to keep errors manageable) on a problem with no cryptographic relevance. Even if we accept Google's claim at face value, it has no direct bearing on the ability to run Shor's algorithm against ECDSA-256.

Running Shor's algorithm against secp256k1, the elliptic curve used in Bitcoin and Ethereum, requires an estimated 2,330 fault-tolerant logical qubits according to a 2022 analysis by Webber et al. in AVS Quantum Science. Translating logical qubits to physical qubits at current surface code overhead ratios of 1,000:1 requires millions of physical qubits. The Sycamore chip had 53 qubits with no error correction. The gap between 53 noisy physical qubits and millions of fault-tolerant qubits is not measured in incremental steps. It is a qualitative transition to an entirely different class of machine.

Quantum error correction overhead is the key concept here. Quantum supremacy demonstrations use shallow, noisy circuits. Cryptographic attacks require deep, fault-tolerant circuits. These are not the same thing, and progress on the former does not directly imply progress on the latter.

What Quantum Advantage on a Useful Problem Would Actually Mean

Quantum advantage on a useful problem would mean a quantum computer solving a practically relevant problem faster than any classical computer can, in a way that provides real-world value. Examples that researchers actively pursue include: simulating molecular dynamics for drug discovery, optimizing supply chain problems at scale, solving linear systems of equations relevant to machine learning, and eventually, running Shor's algorithm against deployed public key cryptography.

None of these have been demonstrated as of mid-2026. The closest candidates are quantum chemistry simulations on small molecules, where quantum computers have shown error-free results on problems of modest size. But classical simulation methods have also improved rapidly, and the crossover point where quantum clearly outperforms classical on practically useful problems remains in the future.

For cryptography specifically, quantum advantage would mean running a complete factoring or discrete logarithm computation on a cryptographic-scale input (2048-bit RSA or 256-bit elliptic curve). This requires not just the qubit count but the fault tolerance and circuit depth that current machines cannot achieve. The quantum computing timeline for reaching this bar is measured in years to decades, not months.

The Specific Thresholds Needed for a Cryptographic Attack on ECDSA-256

Breaking ECDSA-256 with Shor's algorithm requires solving the elliptic curve discrete logarithm problem on secp256k1. The specific hardware requirements, based on published analyses, are: approximately 2,330 fault-tolerant logical qubits (Webber et al., 2022), physical qubit count in the range of 4 million to 20 million depending on physical error rates, and a total computation time of hours to days depending on clock speed and circuit parallelism.

The best classical algorithm for the elliptic curve discrete logarithm (Pollard's rho) requires approximately 2^128 operations for a 256-bit curve. This is computationally infeasible for classical hardware. Shor's algorithm reduces this to polynomial time, which is why Bitcoin's ECDSA keys are vulnerable to Shor's algorithm in a way that is qualitatively different from the vulnerability to Grover's algorithm.

The 2,330 logical qubit estimate assumes highly optimized circuit compilation. Less optimized implementations require more qubits. The estimate also assumes that all logical qubits are available simultaneously with fault-tolerant quality, which requires millions of physical qubits at current error correction overhead ratios. IBM's current Heron r2 chip has 133 physical qubits. The gap is a factor of roughly 30,000 to 150,000 in physical qubit count alone, without accounting for the fault tolerance requirements.

Why Media Coverage Systematically Overstates Quantum Progress

Media coverage of quantum computing consistently overstates progress for several reasons. First, qubit count announcements are easy to report and headline-friendly. "IBM releases 1,000-qubit chip" is a clear, simple claim. "IBM releases a chip with approximately one fault-tolerant logical qubit for the deepest circuits" is accurate but less compelling. Second, companies have financial incentives to generate attention. Press releases emphasize milestones and omit context. Third, quantum computing is a technically complex field, and few journalists have the background to distinguish physical qubits from logical qubits or to ask about two-qubit gate error rates.

The result is a systematic pattern: each major quantum computing announcement generates headlines suggesting an imminent threat to cryptography, followed by expert clarifications that the headline significantly overstates the practical significance, followed by the cycle repeating with the next announcement.

The correct framework for evaluating quantum computing announcements is to ask three questions: What is the two-qubit gate fidelity? How many fault-tolerant logical qubits does this enable? And how does that compare to the millions needed for cryptographic attacks? If the announcement does not answer these questions, the headline is not reliable as an indicator of cryptographic threat progress. The quantum threat to blockchain is real, but it is measured in years, not in qubit count announcements.
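
The three questions above can be worked through numerically. The following Python is an added example, not code from the article or from any vendor. It assumes the textbook surface-code heuristic (threshold 1%, prefactor 0.1, about 2d^2 physical qubits per logical qubit), a 1e-12 logical error budget, and that the two-qubit gate error is the dominant physical error rate. The device figures in the sample run are constructed.

```python
import math

# Assumptions, not from the article: the textbook surface-code heuristic
# p_L ~ A * (p / p_th)^((d+1)/2) with A = 0.1 and threshold p_th = 1%,
# about 2*d^2 physical qubits per logical qubit, and a 1e-12 error budget
# per logical operation. Routing and magic-state factories are ignored.
P_TH = 1e-2
PREFACTOR = 0.1
TARGET_LOGICAL_ERROR = 1e-12
ECDSA_LOGICAL_QUBITS = 2330  # logical-qubit figure quoted in the article


def logical_error_rate(p_phys, d):
    """Heuristic logical error rate at code distance d."""
    return PREFACTOR * (p_phys / P_TH) ** ((d + 1) / 2)


def min_code_distance(p_phys, target=TARGET_LOGICAL_ERROR):
    """Smallest odd distance that meets the target; None above threshold."""
    if p_phys >= P_TH:
        return None  # above threshold, larger codes only add more errors
    d = 3
    while logical_error_rate(p_phys, d) > target:
        d += 2
    return d


def assess(n_physical, two_qubit_fidelity):
    """Answer the three questions for one announced device."""
    d = min_code_distance(1.0 - two_qubit_fidelity)
    if d is None:
        return {"distance": None, "logical_qubits": 0,
                "physical_needed": None, "shortfall": None}
    per_logical = 2 * d * d
    needed = ECDSA_LOGICAL_QUBITS * per_logical
    return {"distance": d,
            "logical_qubits": n_physical // per_logical,
            "physical_needed": needed,
            "shortfall": math.ceil(needed / n_physical)}


if __name__ == "__main__":
    # Constructed sample announcements: (qubit count, two-qubit gate fidelity).
    for n, f in [(53, 0.98), (133, 0.998), (1000, 0.9995)]:
        print(n, f, assess(n, f))
```

Under these assumptions a device below the fidelity threshold yields zero logical qubits at any size, and the constructed 1,000-qubit device at 99.95% fidelity yields one.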

Frequently Asked Questions

What is the difference between quantum supremacy and quantum advantage?

Quantum supremacy means a quantum computer outperforms classical computers on a specific task, regardless of whether the task is useful. Quantum advantage on a useful problem means a quantum computer outperforms classical computers on a task with practical applications. Google's 2019 Sycamore claim was quantum supremacy on an artificial benchmark. Quantum advantage on a useful problem, including cryptographic attacks, has not been demonstrated.

Did Google's 2019 quantum supremacy claim mean Bitcoin was at risk?

No. Google's Sycamore chip ran a shallow circuit on 53 noisy qubits with no error correction. Breaking Bitcoin's ECDSA keys requires approximately 2,330 fault-tolerant logical qubits, which translates to millions of physical qubits at current error correction overhead ratios. Sycamore had 53 physical qubits and zero logical qubits. The claim has no direct bearing on cryptographic security.

How many qubits are needed to break ECDSA-256?

Running Shor's algorithm against ECDSA-256 requires approximately 2,330 fault-tolerant logical qubits according to a 2022 analysis by Webber et al. At current surface code overhead of roughly 1,000:1, this translates to approximately 2 to 20 million physical qubits depending on error rates. No announced quantum system comes close to this.

Why does IBM dispute Google's quantum supremacy claims?

IBM disputed Google's 2019 claim by arguing that classical simulation of the random circuit sampling task was more tractable than Google's estimate suggested. IBM researchers showed that using disk storage cleverly could reduce the classical simulation time from 10,000 years to approximately 2.5 days. Later work reduced this further. The dispute was about the specific classical-versus-quantum comparison, not about whether Sycamore performed the quantum computation correctly.

When will quantum computers actually threaten ECDSA?

Most credible expert estimates place cryptographically relevant quantum computers in the 2030s, with wide uncertainty. The timeline requires achieving physical error rates below 0.1%, scaling to millions of physical qubits, and solving classical control challenges for real-time error decoding at scale. The harvest-now-decrypt-later threat means preparation should begin before the threat materializes, which is why post-quantum migration is relevant now despite the threat being years away.

Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
