Is Quantum Computing a Threat to BTC Security? Google’s Latest Research Explained: 6.9 Million BTC at Risk

Markets
Updated: 2026-04-07 12:56

In March 2026, Google’s Quantum AI team, in collaboration with Stanford University and the Ethereum Foundation, released a 57-page white paper systematically analyzing the security threats quantum computing poses to cryptocurrencies. The core finding: the quantum computing resources required to break the 256-bit Elliptic Curve Cryptography (ECC-256) underpinning Bitcoin and Ethereum are about 20 times less than previous best estimates. Specifically, under a superconducting quantum computing architecture, fewer than 500,000 physical qubits could execute such an attack, reducing the runtime to about 9 minutes.

The significance of this discovery isn’t that quantum computers can already break Bitcoin—current hardware is nowhere near capable—but that it shifts "Q-Day" (the moment quantum computers can break current cryptography) from a distant theoretical concern to a calculable engineering window. Google has internally set 2029 as its deadline to migrate its systems to post-quantum cryptography (PQC). Justin Drake, Ethereum Foundation researcher and co-author of the paper, estimates that by 2032, the probability of a quantum computer recovering a secp256k1 private key from an exposed public key is at least 10%.

How Shor’s Algorithm Derives Private Keys from Public Keys

Bitcoin’s security relies on the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve. A private key is a 256-bit scalar d, and the matching public key is the curve point Q = d·G, where G is the fixed generator. Recovering d from Q is the elliptic curve discrete logarithm problem (ECDLP); the core assumption is that, with classical computers, this is infeasible within any practical timeframe (the best generic attacks cost on the order of 2^128 curve operations). This assumption is the foundational security premise of the entire blockchain system.

Shor’s algorithm demonstrates that, on a quantum computer, the elliptic curve discrete logarithm problem can be solved efficiently. Google’s key contribution in this work is compiling a quantum circuit for Shor’s algorithm specifically targeting secp256k1, and providing concrete resource estimates. The paper offers two approaches: one keeps logical qubits under 1,200 and Toffoli gates under 90 million; the other increases logical qubits to 1,450 but reduces Toffoli gates to 70 million. On a superconducting quantum computer, this equates to fewer than 500,000 physical qubits.

Notably, Google didn’t release the full attack circuit. Instead, they used zero-knowledge proofs to verify the circuit’s existence and correctness without publishing it. This approach, borrowed from the "responsible disclosure" principle in traditional cybersecurity, signals that quantum cryptanalysis has entered a new stage, one requiring proactive defense rather than reactive fixes.

Two Attack Scenarios: Real-Time Interception and Offline Harvesting

The white paper describes two quantum attack scenarios, each with distinct risk profiles.

The first is the "real-time attack," targeting transactions waiting in the mempool. When a user spends from a hash-based address (P2PKH or P2WPKH), the transaction’s scriptSig or witness carries the full public key, so the key becomes public the moment the transaction is broadcast. Until a block confirms the transaction, about 10 minutes on average, an attacker who can recover the private key in roughly 9 minutes could sign a competing transaction that sends the same coins elsewhere and try to get it mined first. The paper estimates that a single quantum machine held in a pre-computed state would have about a 41% chance of winning that race.
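To see where a figure like 41% can come from, here is a small model of the mempool race, written for this article as an added example (it is not code from the Google paper, and the paper’s own model is not reproduced). The assumption is that blocks arrive as a Poisson process with a 10-minute mean, so the time until the next block is exponentially distributed and independent of when the victim broadcast. The attacker then wins whenever no block lands before key recovery finishes, which for 9 minutes is exp(-9/10) ≈ 0.41, matching the quoted figure; fee competition and propagation delay are ignored.

```python
"""Model of the "real-time" mempool race described in the white paper.

Added example, not from the Google paper. Assumption: inter-block times are
exponential with mean `mean_block_minutes` (Poisson block arrivals), and the
attacker wins if key recovery completes before the next block. Fees and
network propagation are ignored.
"""
import math
import random


def intercept_probability(attack_minutes: float, mean_block_minutes: float = 10.0) -> float:
    """P(no block arrives during the attack) = exp(-t_attack / mean_block)."""
    return math.exp(-attack_minutes / mean_block_minutes)


def simulate_intercepts(attack_minutes: float, trials: int,
                        mean_block_minutes: float = 10.0, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: fraction of races the attacker wins."""
    rng = random.Random(seed)
    wins = sum(rng.expovariate(1.0 / mean_block_minutes) > attack_minutes
               for _ in range(trials))
    return wins / trials


def attack_time_for_success(target_probability: float, mean_block_minutes: float = 10.0) -> float:
    """Invert the model: how fast must key recovery be to reach a given win rate?"""
    return -mean_block_minutes * math.log(target_probability)


if __name__ == "__main__":
    print(f"9-minute attack: {intercept_probability(9):.1%} closed form, "
          f"{simulate_intercepts(9, 200_000):.1%} simulated")
    for p in (0.5, 0.9, 0.99):
        print(f"{p:.0%} success needs key recovery within {attack_time_for_success(p):.2f} min")
```

The inversion is the useful part for planning: under this model a 50% win rate already needs recovery in under 7 minutes, and 90% needs about one minute, so the 9-minute figure sits on a steep part of the curve.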

The second is the "static attack," targeting dormant wallets whose public keys are permanently exposed on-chain. Here, there’s no time constraint; a quantum computer can work at its own pace. The paper estimates that about 6.9 million bitcoins—around 33% of total supply—have exposed public keys, including roughly 1.7 million early coins from the Satoshi era and a large amount of funds exposed due to address reuse.

A notable finding in the white paper is that Bitcoin’s 2021 Taproot upgrade, while improving privacy and script flexibility, enlarged the quantum attack surface. A P2TR scriptPubKey contains the 32-byte x-only output key itself, so the key is on-chain from the moment the output is created, and a key-path spend needs only a Schnorr signature under that key. Legacy P2PKH and SegWit P2WPKH outputs commit only to HASH160 of the public key and reveal the key when the coins are spent; that "hash-then-expose" layer is what Taproot gave up, and coins parked in an unspent P2TR output are exposed even if they never move.
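The exposure rules above (key in the clear for P2PK and P2TR, hashed until spent for P2PKH/P2WPKH/P2SH/P2WSH, plus exposure by address reuse) are mechanical enough to check in code. The following is an added example written for this article, not code from the white paper or from Bitcoin Core: it matches raw scriptPubKeys against the standard templates and then applies the reuse rule that once an address has been spent from, any coins still sitting on that same script are exposed. All keys and scripts are constructed placeholders (the key bytes are not valid curve points and are never validated).

```python
"""Which Bitcoin outputs have their public key exposed on-chain?

Added example; not code from the Google white paper or Bitcoin Core.
Sample keys/scripts below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


@dataclass(frozen=True)
class ScriptInfo:
    script_type: str
    key_in_clear: bool   # public key readable as soon as the output exists


def classify_script_pubkey(spk: bytes) -> ScriptInfo:
    """Match one scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return ScriptInfo("P2PK", True)      # <33|65-byte pubkey> OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return ScriptInfo("P2PKH", False)    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[-1] == OP_EQUAL:
        return ScriptInfo("P2SH", False)     # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return ScriptInfo("P2WPKH", False)   # OP_0 <20-byte HASH160(pubkey)>
    if n == 34 and spk[0] == OP_0 and spk[1] == 0x20:
        return ScriptInfo("P2WSH", False)    # OP_0 <32-byte SHA256(witness script)>
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:
        # Taproot: the tweaked x-only output key is the script; recovering its
        # discrete log is enough for a key-path spend.
        return ScriptInfo("P2TR", True)
    return ScriptInfo("nonstandard", False)


def exposed_utxos(utxos: Iterable[Tuple[bytes, int]],
                  spent_scripts: Iterable[bytes]) -> List[Tuple[str, int, str]]:
    """Return (script_type, value_sat, reason) for each UTXO a static attacker can target.

    A hash-based output counts as exposed once its script has been spent from:
    the scriptSig/witness of that earlier spend revealed the key (or script).
    """
    spent = set(spent_scripts)
    result = []
    for spk, value in utxos:
        info = classify_script_pubkey(spk)
        if info.key_in_clear:
            result.append((info.script_type, value, "key in scriptPubKey"))
        elif spk in spent and info.script_type != "nonstandard":
            result.append((info.script_type, value, "address reused after a spend"))
    return result


def exposed_fraction(utxos: Iterable[Tuple[bytes, int]], spent_scripts: Iterable[bytes]) -> float:
    """Share of value (by satoshi) sitting in exposed outputs."""
    utxos = list(utxos)
    total = sum(v for _, v in utxos)
    exposed = sum(v for _, v, _ in exposed_utxos(utxos, spent_scripts))
    return exposed / total if total else 0.0


# Constructed sample set (values in satoshi); not real chain data.
PUBKEY = bytes.fromhex("02" + "11" * 32)   # 33-byte compressed-key placeholder
XONLY = bytes.fromhex("22" * 32)            # 32-byte x-only placeholder
H160_REUSED = bytes.fromhex("33" * 20)
H160_FRESH = bytes.fromhex("44" * 20)

P2PK_SPK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2TR_SPK = bytes([OP_1, 0x20]) + XONLY
P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 0x14]) + H160_REUSED + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_FRESH = bytes([OP_0, 0x14]) + H160_FRESH

SAMPLE_UTXOS = [
    (P2PK_SPK, 50_00000000),     # Satoshi-era style coinbase output
    (P2TR_SPK, 1_00000000),      # Taproot output: output key in the clear
    (P2PKH_REUSED, 2_00000000),  # legacy address that was already spent from once
    (P2WPKH_FRESH, 7_00000000),  # fresh SegWit address, never spent from
]
SAMPLE_SPENT = [P2PKH_REUSED]    # scripts seen as inputs of earlier transactions

if __name__ == "__main__":
    for kind, value, why in exposed_utxos(SAMPLE_UTXOS, SAMPLE_SPENT):
        print(f"{kind:7s} {value / 1e8:8.2f} BTC  {why}")
    print(f"exposed fraction: {exposed_fraction(SAMPLE_UTXOS, SAMPLE_SPENT):.1%}")
```

Run against a real UTXO snapshot, the same two rules are what produce the "exposed supply" figure; the only extra work is collecting the set of scripts that have ever appeared as inputs. Note that the classifier is a template match only: it does not check that a 33- or 65-byte blob is a valid point, which is exactly how the network treats it.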

The Technical Cost and Governance Dilemma of Countering Quantum Threats

The path to countering quantum threats is clear, but so are the costs. The US National Institute of Standards and Technology (NIST) completed the first batch of post-quantum cryptography standards in August 2024, publishing FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). For signatures, the viable alternatives are the lattice-based ML-DSA (formerly CRYSTALS-Dilithium) and the hash-based SLH-DSA (formerly SPHINCS+). The cost is size: a secp256k1 signature is 64 to 72 bytes, whereas an ML-DSA-44 signature is 2,420 bytes with a 1,312-byte public key, and an SLH-DSA-128s signature is 7,856 bytes, so each quantum-safe input would consume tens of times more block space than today.

However, Bitcoin’s decentralized governance model makes cryptographic migration exceptionally complex. Introducing post-quantum signature schemes would require a soft or hard fork, necessitating community consensus, developer coordination, and synchronized upgrades from wallet providers and exchanges. The Bitcoin community has proposed BIP-360 to add a quantum-resistant output type, but it remains under discussion. Blockstream CEO Adam Back and others argue that the quantum threat is still "decades away," and that premature, large-scale upgrades could introduce unvetted cryptographic vulnerabilities.

The real issue behind this debate is that the uncertainty of the quantum threat turns "when to migrate" into a game-theoretic problem. Upgrading too early could waste development resources, while waiting too long could result in irreversible asset loss.

How Quantum Threats Are Changing Crypto Asset Security Valuation

Quantum computing threats are redefining the "security margin" of crypto assets. The traditional assumption—that public keys cannot be reversed to private keys within a feasible timeframe—is being recalibrated. The 6.9 million bitcoins (worth over $450 billion at current prices) with fully exposed public keys now rely solely on the temporary fact that quantum computers are not yet mature.

Markets are already responding to this risk in various ways. The usage rate of Taproot addresses dropped from 42% in 2024 to about 20%, indicating that some users are deliberately avoiding address formats that expose public keys. CoinShares investment strategist Matthew Kimmell noted that this research "shortens the window for the industry to advance research and develop an action plan."

From a broader perspective, the crypto industry is more vulnerable to quantum threats than traditional finance, mainly because blockchain ledgers are public and irreversible. Traditional financial institutions can bulk-update certificates and keys to defend against quantum attacks, but once a public key is exposed on-chain, it is permanent and cannot be "revoked." The owner’s only remedy is to move the coins to a fresh, unexposed address, which holders of dormant or lost-key wallets cannot do. This structural difference means the crypto industry needs not only the capacity to "adopt post-quantum algorithms," but also an institutional framework for "adapting to continuous cryptographic evolution."

How Close Are We from Resource Estimates to Real-World Attacks?

While the white paper’s resource estimates have dropped significantly, real-world attack capability is still a long way off. Today’s most advanced quantum systems, including Google’s 105-qubit Willow chip, have on the order of 100 physical qubits, and the error-correction demonstrations so far encode a single logical qubit rather than the roughly 1,200 to 1,450 logical qubits the attack circuit needs. Bridging the gap from current hardware to 500,000 stable, error-corrected physical qubits involves overcoming major engineering hurdles.

Some experts believe current concerns are premature. Adam Back of Blockstream points out that Bitcoin’s network layer does not rely on public-key cryptography for its security; the quantum threat isn’t about intercepting network traffic, but about breaking individual users’ private keys. Additionally, the SHA-256 hash function used in proof-of-work (and in address hashing) is comparatively robust: Grover’s algorithm gives only a quadratic speedup, so a preimage search still costs on the order of 2^128 quantum operations, whereas Shor’s algorithm solves the discrete logarithm in polynomial time, an exponential improvement over the best classical attacks on public-key cryptography.

However, this doesn’t mean the industry can afford to wait. In cybersecurity, the "harvest now, decrypt later" strategy means attackers record encrypted data today and wait for quantum computers to mature before breaking it. For Bitcoin the harvesting step is free: every exposed public key already sits in a public ledger that anyone can download, so an attacker needs no foresight to collect targets. This time asymmetry requires the industry to deploy defenses before a cryptographically relevant quantum computer exists.

From Google’s 2029 Roadmap to International Regulatory Timelines

Google’s goal to migrate its internal systems to PQC by 2029 is not an isolated move. The US National Security Agency’s CNSA 2.0 framework requires new national security system acquisitions to use quantum-safe algorithms from January 2027, targets migration of most system categories by 2030, and full infrastructure migration by 2035. The dual pressures of NIST standards and NSA timelines are pushing companies and institutions to treat PQC migration as a compliance mandate, not just a research topic.

This context poses a more direct challenge for the crypto industry. Upgrading decentralized networks like Bitcoin and Ethereum often takes years. The Ethereum Foundation has spent years researching post-quantum roadmaps and is already running post-quantum signature schemes on testnets. In contrast, Bitcoin still lacks a clear post-quantum roadmap and coordinated funding mechanism. While decentralized governance grants legitimacy, it also makes protocol-level cryptographic migration exceptionally slow.

Conclusion

Google’s Quantum AI team’s white paper doesn’t spell the end for Bitcoin. Instead, it transforms the quantum threat from a vague, distant hypothesis into a set of quantifiable engineering parameters. The 500,000 physical qubits required for an attack, the roughly 9-minute key-recovery time, and the 6.9 million bitcoins with exposed public keys together define a real and narrowing security window.

The industry’s challenge isn’t just technical: NIST has already standardized the algorithms, even if fitting multi-kilobyte signatures into a blockchain is still open engineering work. The real difficulty is governance coordination. In decentralized networks, building consensus takes time, but quantum computing’s progress won’t wait. Over the next five to seven years, the crypto industry must balance two risks: upgrading too early and introducing untested cryptography, or upgrading too late and facing irreversible asset losses. Regardless of the path chosen, quantum computing has shifted from a theoretical concept to a practical variable that must be integrated into crypto asset security frameworks.

FAQ

Q: Can quantum computers break Bitcoin right now?

A: No. The most advanced quantum systems today have on the order of 100 physical qubits. Breaking Bitcoin’s ECC-256 requires around 500,000 error-corrected physical qubits, a gap of several thousand times in raw qubit count, before the error-correction overhead is even considered.

Q: What does a 9-minute crack mean?

A: This refers to the "real-time attack" scenario described in the white paper. If a quantum computer is in a pre-computed state, it would take about 9 minutes from public key exposure to successful cracking—slightly less than Bitcoin’s average 10-minute block time. Theoretically, this gives about a 41% chance of intercepting a transaction.

Q: Which bitcoins are most at risk?

A: Outputs with permanently exposed public keys are at highest risk, including early P2PK outputs (about 1.7 million coins), addresses that were reused after being spent from, and Taproot (P2TR) outputs. The paper estimates about 6.9 million bitcoins are in this exposed state.

Q: Can Bitcoin be upgraded to defend against quantum attacks?

A: Yes. NIST has finalized post-quantum cryptography standards (like ML-DSA and SLH-DSA). Bitcoin could introduce quantum-resistant signature options through proposals like BIP-360. The challenge is that upgrades require community consensus, which can take years.

Q: What should users do now?

A: Avoid reusing addresses: use a fresh address for every incoming payment, because spending from an address puts its public key on-chain and anything sent to that address afterwards is exposed. For long-term storage, prefer hash-based output types (P2PKH or P2WPKH) over Taproot (P2TR), since a P2TR output puts the key on-chain immediately. Cold storage only helps if the public key behind the address has never appeared on-chain. Stay informed about community progress on quantum-resistant upgrades so assets can be migrated once a quantum-safe output type ships.

The content herein does not constitute any offer, solicitation, or recommendation. You should always seek independent professional advice before making any investment decisions. Please note that Gate may restrict or prohibit the use of all or a portion of the Services from Restricted Locations. For more information, please read the User Agreement