It's not your fault, but the New Scientist's (are they that bad?): they confused SHA-256 with ECDSA in their article. In the original paper's abstract we can see the following:
Finally, we calculate the number of physical qubits required to break the 256-bit elliptic curve encryption of keys in the Bitcoin network within the small available time frame in which it would actually pose a threat to do so.
Source: https://avs.scitation.org/doi/10.1116/5.0073075

So what they're talking about is already known: quantum computers with millions of qubits could break ECDSA-256.
I don't know if everybody in this thread knows the difference:

- ECDSA is used for the public key cryptography. A quantum computer that "cracks ECDSA-256" with Shor's algorithm could calculate the private key once it knows the public key. So what Webber says actually makes total sense: normally, if you use Bitcoin as you should and don't reuse addresses, you only publish the public key when you spend coins, so the attacker has only 10 minutes on average to break the key. His numbers are confirmed approximately in this other document.*

- SHA-256 is the algorithm which is used to create the address, hashing the public key. It seems to be difficult to find SHA-256 collisions with quantum computers, so the danger here is actually much lower than the risk that ECDSA could be broken.
*However, there is a scenario which could become reality much earlier: a hacker cracking Satoshi's coins or other "lost" coins which were mined and then forgotten. The reason is that many of them used P2PK coinbase transactions, meaning that the public key is stored on the blockchain. So an attacker can use a quantum computer of 2619+ logical qubits**, let it work for several years, and eventually might find a billion-dollar treasure.

**2619 is the absolute minimum of "logical" qubits to break ECDSA-256 according to this source. However, for each "logical" qubit you need several physical qubits due to the need for error correction (see also: this short explanation). "Bigger" circuits with millions of qubits are faster, but you might build a "slow" QC with "only" tens of thousands of qubits, try to crack lost coins in P2PK UTXOs, and succeed.
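To make the P2PK-versus-P2PKH distinction above concrete, here is an added example (not code from the post or from any paper it cites) that parses Bitcoin output scripts and reports whether the public key is already visible on-chain while the coins are unspent (P2PK) or only becomes visible in the spending input (P2PKH). It assumes only the standard script templates; the sample scripts are constructed here (the P2PK output uses the genesis coinbase public key, and the P2PKH spend uses the secp256k1 generator point as a stand-in public key, both labelled in the code).

```python
"""Which Bitcoin outputs expose the public key a quantum attacker would need?

Added example. Standard script templates only:
  P2PK   : <pubkey> OP_CHECKSIG                      -> pubkey on-chain while unspent
  P2PKH  : OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
           -> only the hash is on-chain; the spend's scriptSig <sig> <pubkey> reveals the key
"""
from typing import List, Optional, Tuple

OP_0 = 0x00
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x88, 0xA9, 0xAC


def push(data: bytes) -> bytes:
    """Encode a data push with the minimal push opcode (used to build samples)."""
    n = len(data)
    if n <= 0x4B:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data


def parse_script(script: bytes) -> List[object]:
    """Split a script into opcodes (int) and pushed data (bytes)."""
    ops: List[object] = []
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:                      # direct push of 1..75 bytes
            n = op
        elif op == OP_PUSHDATA1:
            n = script[i]
            i += 1
        elif op == OP_PUSHDATA2:
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        elif op == OP_PUSHDATA4:
            n = int.from_bytes(script[i:i + 4], "little")
            i += 4
        else:                                    # any other byte is an opcode
            ops.append(op)
            continue
        if i + n > len(script):
            raise ValueError("push runs past end of script")
        ops.append(script[i:i + n])
        i += n
    return ops


def looks_like_pubkey(item: object) -> bool:
    """33-byte compressed (02/03 prefix) or 65-byte uncompressed (04 prefix) key."""
    if not isinstance(item, bytes):
        return False
    if len(item) == 33 and item[0] in (2, 3):
        return True
    return len(item) == 65 and item[0] == 4


def classify_output(script_pubkey: bytes) -> Tuple[str, Optional[bytes]]:
    """Return (template, exposed_pubkey). P2PK exposes the key; P2PKH does not."""
    ops = parse_script(script_pubkey)
    if len(ops) == 2 and looks_like_pubkey(ops[0]) and ops[1] == OP_CHECKSIG:
        return "p2pk", ops[0]
    if (len(ops) == 5 and ops[0] == OP_DUP and ops[1] == OP_HASH160
            and isinstance(ops[2], bytes) and len(ops[2]) == 20
            and ops[3] == OP_EQUALVERIFY and ops[4] == OP_CHECKSIG):
        return "p2pkh", None
    return "other", None


def pubkey_from_p2pkh_spend(script_sig: bytes) -> Optional[bytes]:
    """A P2PKH input pushes <sig> <pubkey>; the key is public from this point on."""
    ops = parse_script(script_sig)
    if len(ops) == 2 and isinstance(ops[0], bytes) and looks_like_pubkey(ops[1]):
        return ops[1]
    return None


def exposed_pubkey(script_pubkey: bytes, script_sig: Optional[bytes] = None) -> Optional[bytes]:
    """The key an attacker can read on-chain, given the output and (if spent) its input."""
    kind, key = classify_output(script_pubkey)
    if kind == "p2pk":
        return key                               # exposed for as long as the UTXO exists
    if kind == "p2pkh" and script_sig is not None:
        return pubkey_from_p2pkh_spend(script_sig)   # exposed only once spent
    return None


# --- constructed samples -------------------------------------------------------
# Genesis coinbase output: 65-byte uncompressed key followed by OP_CHECKSIG.
GENESIS_PUBKEY = bytes.fromhex(
    "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
    "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")
GENESIS_P2PK_OUTPUT = push(GENESIS_PUBKEY) + bytes([OP_CHECKSIG])

# Stand-in compressed key (secp256k1 generator point) and a constructed P2PKH pair.
G_COMPRESSED = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
FAKE_HASH160 = bytes(range(20))                  # placeholder, not HASH160(G_COMPRESSED)
P2PKH_OUTPUT = bytes([OP_DUP, OP_HASH160]) + push(FAKE_HASH160) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
FAKE_SIG = bytes([0x30]) + bytes(70)             # 71-byte placeholder DER signature
P2PKH_SPEND = push(FAKE_SIG) + push(G_COMPRESSED)

if __name__ == "__main__":
    print("genesis output :", classify_output(GENESIS_P2PK_OUTPUT)[0], "-> key exposed while unspent")
    print("p2pkh unspent  :", exposed_pubkey(P2PKH_OUTPUT))
    print("p2pkh spent    :", exposed_pubkey(P2PKH_OUTPUT, P2PKH_SPEND).hex())
```

Run over a real UTXO set the same `classify_output` call is what lets you count how many coins sit in P2PK outputs with the key already exposed, versus P2PKH outputs where an attacker only gets the key once the owner broadcasts a spend.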