Google just told the Bitcoin and cryptocurrency industry it has less time than it thought to prepare for quantum computing. In a whitepaper published March 31, Google Quantum AI researchers demonstrated that breaking the elliptic curve cryptography protecting bitcoin, ether and most major cryptocurrencies could require fewer than 500,000 physical qubits on a superconducting quantum computer. That’s roughly a 20-fold reduction from prior estimates, which pegged the figure in the millions.

The paper carries serious institutional weight. Its coauthors include Justin Drake of the Ethereum Foundation, Dan Boneh of Stanford, and six Google Quantum AI researchers led by Ryan Babbush and Hartmut Neven. Google says it engaged with the U.S. government before publishing and names Coinbase, the Stanford Institute for Blockchain Research, and the Ethereum Foundation as collaborators.

It’s important to understand that no quantum computer can execute this attack today. Google’s most advanced chip, Willow, has 105 qubits. But the distance between current hardware and a machine capable of cracking bitcoin’s cryptography is shrinking faster than projected.

“My confidence in q-day by 2032 has shot up significantly,” Drake, who joined the paper as a late coauthor, wrote on X. He estimates at least a 10% chance that a quantum computer recovers a private key from an exposed public key by that year.

Why Quantum Computing Threatens Cryptocurrency

Bitcoin’s security relies on a single mathematical assumption: that deriving a private key from a public key is computationally impossible for any existing machine. The specific math is called the Elliptic Curve Discrete Logarithm Problem. Every time someone sends bitcoin, they reveal their public key. A classical computer would need longer than the age of the universe to reverse-engineer the private key from it.

But quantum computers break that assumption. An algorithm published by mathematician Peter Shor in 1994 solves ECDLP exponentially faster than any classical approach. A quantum computer with enough stable and error-corrected qubits running Shor’s algorithm could derive a private key, forge a digital signature and drain a wallet.

Quantum computing won’t break Bitcoin’s proof-of-work mining, which uses the SHA-256 hash function. Drake put it clearly: “Commercially-viable Bitcoin PoW via Grover’s algorithm is not happening any time soon. We’re talking decades, possibly centuries away.” The vulnerability is in the digital signature schemes: ECDSA and Schnorr, both built on the secp256k1 elliptic curve.

Google’s whitepaper points out that cryptocurrencies are uniquely exposed among systems that rely on this type of cryptography. Blockchains use elliptic curve keys that are almost an order of magnitude smaller than RSA keys at comparable security levels, meaning a smaller quantum computer can crack them. And unlike traditional finance, which layers multiple safeguards, blockchains offer no recourse against fraudulent transactions. One forged signature could mean irreversible theft.

Three Types Of Quantum Attack

The paper classifies quantum attacks on cryptocurrencies into three categories, based on how fast the attacker needs to be: on-spend, at-rest and on-setup attacks.

On-spend attacks target transactions in transit. When someone broadcasts a bitcoin transaction, their public key becomes visible in the mempool. An attacker intercepts it, derives the private key, and broadcasts a fraudulent replacement before the original confirms. Bitcoin’s average block time is 10 minutes. Google’s paper estimates a superconducting quantum computer could complete the cracking in about nine minutes, using a technique where the machine precomputes half the algorithm and waits in a “primed” state until a target appears. With 11 primed machines running in parallel, the speedup reaches 6.5 times, bringing it well under the block time. According to CoinDesk, the single-machine scenario gives an attacker roughly a 41% chance of beating the original transaction to confirmation.

Ethereum’s 12-second block time and Solana’s 400-millisecond window make on-spend attacks harder on those chains, though not impossible with faster hardware.
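Where the 41% figure comes from, as an added worked calculation that is not part of the paper or the CoinDesk report: assume Bitcoin block arrivals follow a Poisson process with mean interval T = 10 minutes (a standard simplification for proof-of-work), and assume the attacker wins whenever no block confirms the victim’s transaction before the key recovery, taking time t, finishes.

$$
P(\text{attacker wins}) = P(\text{no block in } t) = e^{-t/T}
$$

$$
\text{Single machine: } t = 9\ \text{min},\ T = 10\ \text{min} \;\Rightarrow\; e^{-0.9} \approx 0.41
$$

$$
\text{11 primed machines (}6.5\times\text{ speedup): } t \approx \tfrac{9}{6.5} \approx 1.38\ \text{min} \;\Rightarrow\; e^{-0.138} \approx 0.87
$$

$$
\text{Ethereum, same 9-minute recovery: } T = 12\ \text{s},\ t = 540\ \text{s} \;\Rightarrow\; e^{-45} \approx 3 \times 10^{-20}
$$

The last line is only a loose stand-in, since Ethereum uses fixed 12-second slots rather than random block arrivals, but it makes the comparison in the paragraph above concrete: on a 12-second chain the recovery must finish within a single slot to have any chance, which is why faster hardware, not just more parallel machines, is needed there.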

At-rest attacks target public keys already exposed on the blockchain: dormant wallets, reused addresses, coins secured with older script types. The attacker has days, weeks, or longer. Slower quantum architectures are sufficient for this.

On-setup attacks are the most exotic. They target fixed protocol parameters to produce a reusable backdoor that works on an ordinary computer afterward. Bitcoin is immune to this type. But the paper warns that Ethereum’s Data Availability Sampling mechanism and privacy protocols like Tornado Cash are not.

The Numbers And The Secrecy

The team compiled two quantum circuits implementing Shor’s algorithm for the secp256k1 curve. One uses fewer than 1,200 logical qubits and 90 million Toffoli gates. The other uses fewer than 1,450 logical qubits and 70 million Toffoli gates.

On a superconducting architecture with standard assumptions, those circuits translate to fewer than half a million physical qubits. The previous state-of-the-art estimate, from a 2023 paper by Litinski, required roughly 9 million physical qubits in a photonic architecture for a single-instance attack.

The paper notes that more aggressive hardware assumptions could push the number below 100,000. But those designs require connectivity patterns that haven’t been demonstrated in real devices, so the team stuck with conservative estimates consistent with Google’s existing processors.

A telling element of this new announcement is that Google didn’t publish the circuits. Instead, the team used a zero-knowledge proof to verify their claims without revealing the attack details. The proof, generated using the SP1 zero-knowledge virtual machine, lets anyone confirm that the team possesses circuits of the claimed size that correctly compute elliptic curve point addition on 9,000 random test inputs, without seeing the circuits themselves.

It’s the first time a ZK proof has been used to disclose a novel quantum cryptanalysis result, and Google urges other research teams to adopt the same approach.

Ethereum And Bitcoin Approaches

Ethereum has spent eight years building toward this moment. The foundation launched pq.ethereum.org as a dedicated hub for post-quantum security, running weekly test networks and mapping milestones across four upcoming hard forks. Target: full migration by 2029.

Bitcoin’s first step arrived in February, when BIP-360 was merged into the official Bitcoin Improvement Proposal repository. The proposal creates a new output type, Pay-to-Merkle-Root, that hides public keys and supports future post-quantum signatures. But it doesn’t replace ECDSA or Schnorr with quantum-resistant alternatives. That requires more proposals and more consensus.

Google has set 2029 as its internal deadline for migrating authentication services. The National Security Agency’s CNSA 2.0 framework calls for quantum-safe systems by 2030. Bitcoin has no central authority to set deadlines. No coordinated engineering team. A governance culture that treats urgency with suspicion. The last major cryptographic upgrade, Taproot, took years of discussion before activation.

What Bitcoin Users Can Do Now

If bitcoin sits in an address that has previously sent a transaction, the public key is already exposed. Moving funds to a fresh, never-used address removes them from the pool of at-rest targets. It doesn’t make them quantum-proof, but it resets the clock.

Stop reusing addresses. Every time a public key appears on the blockchain, it becomes a potential target.
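The two pieces of advice above, taken together, amount to an audit rule: an address that has ever spent has revealed its public key, and an address that still holds funds after doing so is an at-rest target until the funds move to a fresh address. The following Python script is an added example, not code from the paper or any wallet project, that applies that rule to a small constructed ledger. It assumes every address is a hash-of-key output type (such as P2PKH or P2WPKH) whose key is only revealed on spend, and it simplifies inputs to spending an address’s entire balance; output types that place the key in the output itself are not modelled.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data). Each transaction lists the
# addresses it spends from and the (address, amount) outputs it creates.
# Simplification: an input spends the whole balance of its address.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": [],    "outputs": [("A", 5.0), ("B", 2.0)]},  # funding
    {"txid": "tx2", "inputs": ["A"], "outputs": [("C", 3.0), ("A", 2.0)]},  # A spends, change back to A
    {"txid": "tx3", "inputs": ["B"], "outputs": [("D", 2.0)]},              # B spends everything
    {"txid": "tx4", "inputs": [],    "outputs": [("C", 1.0)]},              # C receives a second time
]


def ledger_state(txs):
    """Replay the ledger: balances, set of addresses that have spent, receive counts."""
    balance = defaultdict(float)
    spent_from = set()
    receive_count = defaultdict(int)
    for tx in txs:
        for addr in tx["inputs"]:
            # Spending from a hash-of-key address reveals its public key.
            spent_from.add(addr)
            balance[addr] = 0.0
        for addr, amount in tx["outputs"]:
            balance[addr] += amount
            receive_count[addr] += 1
    return balance, spent_from, receive_count


def classify(txs):
    """Label each address by whether its key is exposed and whether funds are still at risk."""
    balance, spent_from, receive_count = ledger_state(txs)
    report = {}
    for addr in set(balance) | spent_from:
        exposed = addr in spent_from
        reused = receive_count[addr] > 1
        if exposed and balance[addr] > 0:
            risk = "at-rest target"            # key public, coins still there
        elif exposed:
            risk = "exposed, no funds"         # key public but nothing left to steal
        elif reused:
            risk = "hidden key, reused address"  # safe for now, but reuse narrows the margin
        else:
            risk = "hidden key"
        report[addr] = {
            "balance": balance[addr],
            "key_exposed": exposed,
            "reused": reused,
            "risk": risk,
        }
    return report


def addresses_to_rotate(txs):
    """Addresses whose funds should move to a fresh, never-used address."""
    return sorted(a for a, r in classify(txs).items() if r["risk"] == "at-rest target")


if __name__ == "__main__":
    for addr, info in sorted(classify(SAMPLE_TXS).items()):
        print(f"{addr}: balance={info['balance']:.1f} exposed={info['key_exposed']} "
              f"reused={info['reused']} -> {info['risk']}")
    print("rotate:", addresses_to_rotate(SAMPLE_TXS))
```

On the sample ledger, address A spent in tx2 and then took change back to itself, so its key is public while it still holds 2.0 coins; it is the one address the script tells you to empty into a fresh address. B is exposed but already empty, and C has been reused without ever spending, which is why the reuse warning is separate from the exposure warning.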

Watch for post-quantum compatibility from wallets, exchanges, and custody providers. Early adopters will have an edge.

Don’t fall for alarmism: the timeline isn’t tomorrow, but it’s time to act.
