Google just told the crypto industry that the threat is closer than anyone thought. The industry, for once, is listening.
A white paper released Monday evening by Google’s Quantum AI team revealed that breaking the 256-bit elliptic curve cryptography protecting Bitcoin and Ethereum wallets could require fewer than 500,000 physical qubits (a unit of computation in quantum systems), a reduction of about 20 times from previous estimates that put the requirement in the millions.
The paper also describes how a quantum computer could recover a Bitcoin private key in about nine minutes once a transaction exposes a public key, giving an attacker a 41% chance of beating Bitcoin’s 10-minute confirmation window.
The research landed like a bomb in online crypto circles. Not because it says quantum computers can break bitcoin today – they can’t – but because it significantly shortens the timetable for when they could.
“We’re no longer looking at the mid-2030s, we could have quantum computers of this scale by the end of the decade,” Haseeb Qureshi, managing partner at Dragonfly, said on X. “All blockchains need a transition plan as soon as possible. Post-quantum is no longer an exercise.”
Qureshi pointed out an unusual detail in Google’s disclosure. The team has not published the actual quantum circuits. Instead, they published a zero-knowledge proof that verifies that the circuits exist without revealing how they work. “It’s very atypical, it shows that Google thinks it’s serious,” he said.
Justin Drake, an Ethereum Foundation researcher who joined the Google paper as a late co-author, said his “confidence in Q-day by 2032 has increased significantly,” estimating at least a 10% chance that by that date a quantum computer will recover a “secp256k1” private key from an exposed public key.
Drake noted that the optimized quantum circuit has “only 100 million Toffoli gates, which is surprisingly shallow,” and that on a superconducting platform the total runtime would be about 1,000 seconds.
“The low-hanging fruit is still being picked, with at least one of Google’s optimizations resulting from a surprisingly simple observation,” Drake added. “AI was not yet tasked with finding optimizations.”
With human researchers still finding simple improvements, the floor on the number of qubits needed has not been reached. Drake said the number of logical qubits “could likely drop below 1,000 soon.”
Today is a monumental day for quantum computing and cryptography. Two revolutionary articles have just been published (links in the next tweet). Both papers improve on Shor’s algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results combine, optimizing distinct layers of…
– Justin Drake (@drakefjustin) March 31, 2026
Security engineer Conor Deegan, whose published research was cited in the Google paper, offered one of the most technically detailed responses. He pointed to a pattern the paper surfaces across multiple chains: the quantum computation is a one-time cost that produces a classical exploit that can be reused indefinitely.
Ethereum’s “KZG” trusted setup, Zcash’s “Sapling” protocol, and Litecoin’s “MimbleWimble” all embed the hardness of the elliptic curve into fixed public parameters that only need to be broken once.
“Deploying new crypto infrastructure on ECDLP curves is now indefensible given these resource estimates,” Deegan said.
The paper estimates that about 6.9 million bitcoins, or about a third of the total supply, are in wallets where public keys have already been exposed. This includes 1.7 million BTC from the network’s early years, including those of Satoshi Nakamoto (the mysterious creator of the Bitcoin network), as well as additional funds exposed through address reuse.
CoinDesk reported earlier Monday that Bitcoin’s 2021 Taproot upgrade, designed to enable more efficient private transactions, also exposes public keys on the blockchain by default, a technical choice that now carries quantum risk.
The 6.9 million figure dwarfs CoinShares’ February estimate that only about 10,200 BTC are concentrated enough to cause “appreciable market disruption” if stolen. Google’s methodology counts all exposed keys, not just large balances.
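An added example, not from the article or the Google paper: a Python sketch that sorts a wallet's unspent outputs by whether the public key is already visible on-chain (pay-to-public-key and Taproot outputs, or reused hashed addresses) or only appears when the coins are spent. The script templates are Bitcoin's standard output formats; the sample outputs and the `spent_from_before` flag are constructed for illustration.

```python
# Added example: classify Bitcoin output scripts by public-key exposure.
# Sample scripts below are constructed, not real on-chain data.
EXPOSED = "public key visible on-chain while unspent"
HASHED = "key or script hidden behind a hash until first spend"
UNKNOWN = "not a recognised template, review manually"

def classify_script(script_hex: str) -> tuple[str, str]:
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return ("invalid", UNKNOWN)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return ("p2pk", EXPOSED)
    # P2TR: OP_1 <push 32> <x-only output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return ("p2tr", EXPOSED)
    # P2PKH: OP_DUP OP_HASH160 <push 20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return ("p2pkh", HASHED)
    # P2SH: OP_HASH160 <push 20> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return ("p2sh", HASHED)
    # P2WPKH / P2WSH: OP_0 <push 20|32>
    if n == 22 and s[:2] == b"\x00\x14":
        return ("p2wpkh", HASHED)
    if n == 34 and s[:2] == b"\x00\x20":
        return ("p2wsh", HASHED)
    return ("nonstandard", UNKNOWN)

def audit(utxos):
    """utxos: iterable of (script_hex, sats, spent_from_before)."""
    out = {"exposed_at_rest": 0, "exposed_only_when_spending": 0, "unclassified": 0}
    for script_hex, sats, spent_from_before in utxos:
        _, status = classify_script(script_hex)
        if status == EXPOSED or (status == HASHED and spent_from_before):
            out["exposed_at_rest"] += sats        # reuse reveals the key
        elif status == HASHED:
            out["exposed_only_when_spending"] += sats
        else:
            out["unclassified"] += sats
    return out

SAMPLE = [  # constructed outputs: (script, value in sats, address reused?)
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000, False),  # early P2PK
    ("5120" + "22" * 32, 150_000, False),                    # Taproot
    ("76a914" + "33" * 20 + "88ac", 2_000_000, True),        # reused P2PKH
    ("0014" + "44" * 20, 700_000, False),                    # fresh P2WPKH
]
print(audit(SAMPLE))
```

Outputs counted under `exposed_at_rest` are the ones to prioritise for migration, since no spend is needed to reveal their key.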
The Bitcoin vs Ethereum divide
The reaction split along familiar lines. Ethereum’s readiness has drawn praise. Bitcoin’s lack of it has caused concern.
“You can think of Q-Day as the year 2000, but it’s real,” said a well-followed crypto investor known only as “McKenna,” managing partner at Arete. “People should thank the Ethereum Foundation for being early and leading this research. The problem is Bitcoin. The lack of urgency and the question of consensus on what to do with vulnerable coins.”
The Ethereum Foundation launched pq.ethereum.org last week with eight years of post-quantum research, 10+ client teams shipping weekly devnets, and a multi-fork migration roadmap.
Drake, co-author of the Google paper, is part of that same Ethereum team – a direct link between researchers quantifying the threat and developers building the defense.
Eli Ben-Sasson, co-founder of StarkWare, urged the Bitcoin community to “strengthen initiatives like BIP 360,” a proposal that would introduce quantum-resistant wallet formats allowing for voluntary migration.
“Saying quantum computers are coming is not FUD,” Ben-Sasson said. “FUD claims Bitcoin can’t scale. It can scale. Just start working on these solutions today.”
Bitcoin must prepare for the quantum era.
We must strengthen initiatives like BIP 360.
We need to invest more effort in finding creative and intelligent solutions to ensure the post-quantum security of Bitcoin. Saying quantum computers are coming is not FUD. FUD claims… https://t.co/KqQ0RpXKbX
—Eli Ben-Sasson | Starknet.io (@EliBenSasson) March 31, 2026
Bitcoin advocate Bit Paine offered a measured approach. “I still think about 10 years is the most likely time frame, but I consider it uncomfortably high that we’ll see something disruptive within five years. High enough that action within the next two years would be prudent.”
The element that changed his thinking was “the persistent nonlinearities in QC advancements and the veil of secrecy that underlies this research.” When estimates of physical qubits drop by several orders of magnitude, he said, “we may not have much margin between ‘quantum is on a trajectory to disrupt bitcoin’ and ‘secp256k1 is broken.’”
Paine added a national security dimension. “A CRQC can be developed in stealth mode and appear out of nowhere.”
Google’s decision to use a zero-knowledge proof rather than publishing the circuits reinforces this point. If the world’s foremost quantum lab self-censors its own research for security reasons, state actors with equivalent or greater capabilities are unlikely to publish theirs.
Drake echoed this. “From now on, let’s assume that cutting-edge algorithms will be censored. A blackout of academic publications would be a telltale sign.”
Why cryptocurrencies?
Some industry voices have questioned why Google focused its most detailed analysis on cryptocurrency rather than banking or military systems. ETF analyst Eric Balchunas asked why Google would “apply this research time and money to crypto rather than something with far more societal consequences.”
Castle Island Ventures partner Nic Carter offered an answer: blockchains are the most fragile of the systems that rely on cryptography quantum computers can break. “Banks don’t fail because you reverse engineer a single key. Blockchains do that,” Carter said. “They are much more fragile. The banks will be upgraded anyway. There will be no attack surface there.”
Binance co-founder Changpeng Zhao called for calm but acknowledged the practical difficulty.
“All cryptography needs to do is move to quantum-resistant algorithms, so there is no need to panic,” Zhao said. “In practice, there are some execution considerations. It’s difficult to organize upgrades in a decentralized world.”
Zhao also directly raised the issue of Satoshi’s coins. If those coins move during a migration, “that means it’s still there, which is interesting to know.” If they don’t, he said, “it might be better to effectively lock or burn those addresses so they don’t get passed to the first hacker who cracks them.”
I’ve seen some people freaking out or asking questions about the impact of quantum computing on cryptography.
At a high level, all cryptography has to do is move to quantum-resistant (post-quantum) algorithms. So don’t panic. 😂 In practice, there are some execution considerations. It’s difficult to…
– CZ 🔶BNB (@cz_binance) March 31, 2026
The most popular counterargument on crypto X was that quantum computing breaks everything, not just blockchains.
“If quantum kills Bitcoin, it also kills the global banking system, SWIFT transfers, stock exchanges, military communications, nuclear command systems, every HTTPS website on earth,” wrote crypto commentator Quinten François.
Elon Musk struck a lighter note, posting that at least “if you forgot your wallet password, it will be accessible in the future.”
The paper addresses this framing head on. Centralized systems, from banks to military networks, can push software updates to their users. A decentralized blockchain cannot. Migrating Bitcoin infrastructure, including user wallets, exchange support and new address formats, could take five to ten years, even after a solution is agreed upon.
Meanwhile, Google said it was working alongside Coinbase, the Stanford Institute for Blockchain Research and the Ethereum Foundation on responsible approaches to the transition.
The company presented its research not as an attack on cryptocurrency, but as an effort to “support the long-term health of the cryptocurrency ecosystem.”
The message coming from almost every sector of the industry is now the same. The threat is no longer theoretical; it is time to act. The only remaining variable is whether the protocols that need to migrate will do so before the hardware catches up.