BTC bulls scramble for post-quantum protection as Google drops bombshell paper

Google just told the crypto industry that the threat is closer than anyone priced in. For once, the industry is listening.

A whitepaper published late Monday by Google’s Quantum AI team found that breaking the 256-bit elliptic curve cryptography that protects bitcoin and Ethereum wallets could require fewer than 500,000 physical qubits (a unit of computation in quantum systems), about a 20-fold reduction from previous estimates, which ran into the millions.

The paper also described how a quantum computer could crack private bitcoin keys in about nine minutes when a transaction reveals a public key, giving an attacker a 41% chance of beating bitcoin’s 10-minute confirmation window.
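
The 41% figure is consistent with modelling block arrivals as a Poisson process (an assumption added here, not a derivation quoted from the paper): the wait until the next block is then exponentially distributed with mean $\tau = 10$ minutes, so an attack that takes $t = 9$ minutes finishes before the next block with probability

$$P(T > t) = e^{-t/\tau} = e^{-9/10} \approx 0.407 \approx 41\%.$$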

The research landed like a bombshell across online crypto circles. Not because it says quantum computers can break bitcoin today — they can’t — but because it dramatically compresses the timeline for when they can.

“We’re no longer looking at the mid-2030s, we could have quantum computers of this scale by the end of the decade,” Haseeb Qureshi, managing partner at Dragonfly, said on X. “All blockchains need a transition plan ASAP. Post-quantum is no longer an exercise.”

Qureshi pointed to an unusual detail in Google’s disclosure. The team did not publish the actual quantum circuits. Instead, they published a zero-knowledge proof that confirms the circuits exist without revealing how they work. “This is very atypical, which shows that Google thinks this is serious,” he said.

Justin Drake, an Ethereum Foundation researcher who joined the Google paper as a late co-author, said his “confidence in q-day in 2032 has increased significantly,” estimating at least a 10% chance of a quantum computer recreating a ‘secp256k1’ private key from an exposed public key before that date.

Drake noted that the optimized quantum circuit is “only 100 million Toffoli gates, which is surprisingly shallow,” and that on a superconducting platform the total runtime would be about 1,000 seconds.

“Low-hanging fruit is still being picked, with at least one of the Google optimizations resulting from a surprisingly simple observation,” added Drake. “AI was not yet tasked with finding optimizations.”

With human researchers still finding straightforward improvements, the floor for the number of qubits needed has not been reached. Drake said that logical qubit numbers “could soon go below 1,000.”

Security engineer Conor Deegan, whose published research was cited in the Google paper, offered one of the most technically detailed responses. He flagged a pattern that the paper surfaces across multiple chains: the quantum computation is a one-time cost that produces an infinitely reusable classical capability.

Ethereum’s ‘KZG’ trusted setup, Zcash’s ‘Sapling’ protocol and Litecoin’s ‘MimbleWimble’ all embed elliptic curve hardness in fixed public parameters that need to be broken only once.

“Deployment of new cryptographic infrastructure on ECDLP curves is now untenable given these resource estimates,” Deegan said.

The paper estimates that about 6.9 million bitcoins, about a third of the total supply, are sitting in wallets where public keys have already been exposed. That includes 1.7 million BTC from the early years of the network, including those of Satoshi Nakamoto (the mysterious creator of the Bitcoin network), as well as additional funds affected by address reuse.

CoinDesk reported earlier Monday that bitcoin’s 2021 Taproot upgrade, which was designed to enable more efficient, private transactions, also exposes public keys on the blockchain by default, a design choice that now carries quantum risk.

That figure dwarfs CoinShares’ February estimate that only about 10,200 BTC are concentrated enough to cause “noticeable market disruption” if stolen. Google’s method counts all exposed keys, not just large balances.
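
To make "exposed public key" concrete, here is an added example (not code from the Google paper or from CoinDesk) that classifies standard Bitcoin output scripts by whether the public key itself sits on-chain while the coins are unspent. The `address_spent_before` flag, the helper names and the zero-filled sample outputs are assumptions constructed for illustration.

```python
# Added example: audit outputs for public-key exposure at rest.
EXPOSED = "exposed"   # the public key itself is on-chain while coins are unspent
HASHED = "hashed"     # only a hash of the key or script is on-chain until spent

def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"      # <33- or 65-byte pubkey> OP_CHECKSIG (early coins)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"     # pay to a 20-byte hash of the public key
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # OP_1 <32-byte output key>: Taproot commits to a key
    return "nonstandard"

def exposure(spk: bytes, address_spent_before: bool = False) -> str:
    kind = script_type(spk)
    if kind in ("p2pk", "p2tr"):
        return EXPOSED
    if kind == "nonstandard":
        return "unknown"
    # Hash-based outputs reveal the key or script only when spent, so they
    # count as exposed once the same address has been spent from (reuse).
    return EXPOSED if address_spent_before else HASHED

def audit(utxos):
    """Sum satoshis per exposure class for (script, sats, reused) tuples."""
    totals = {}
    for spk, sats, reused in utxos:
        label = exposure(spk, reused)
        totals[label] = totals.get(label, 0) + sats
    return totals

SAMPLE_UTXOS = [  # constructed: zero-filled placeholders, not real keys
    (b"\x21\x02" + bytes(32) + b"\xac", 5_000_000_000, False),    # p2pk
    (b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", 100_000, False),  # fresh p2pkh
    (b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", 250_000, True),   # reused p2pkh
    (b"\x00\x14" + bytes(20), 40_000, False),                     # p2wpkh
    (b"\x51\x20" + bytes(32), 70_000, False),                     # p2tr
]

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS))
```

Counting every output in the exposed class, regardless of balance, mirrors the difference the article draws between Google's total and CoinShares' narrower estimate.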

The divide between Bitcoin and Ethereum

The reaction split along familiar lines. Ethereum’s preparation drew praise. Bitcoin’s lack of it raised alarm.

“You can think of q-day as Y2K, but real,” said a widely followed crypto investor known only as ‘McKenna’, managing partner at Arete. “People should thank the Ethereum Foundation for being early on and leading this research. The messy part of this is Bitcoin. The lack of urgency and the consensus issue of what to do with vulnerable coins.”

The Ethereum Foundation launched pq.ethereum.org last week with eight years of post-quantum research, more than 10 client teams posting weekly devnets, and a multi-fork migration roadmap.

Drake, who co-authored the Google paper, is part of the same Ethereum team — a direct link between the researchers quantifying the threat and the developers building the defenses.

Eli Ben-Sasson, co-founder of StarkWare, called on the Bitcoin community to “strengthen initiatives like BIP 360,” a proposal that would introduce quantum-resistant wallet formats that allow voluntary migration.

“To say that quantum computers are coming is not FUD,” Ben-Sasson said. “FUD claims that Bitcoin cannot adapt. It can adapt. Just need to start working on these solutions today.”

Bitcoin advocate Bit Paine offered a measured take. “I still think about 10 years is the more likely time frame, but I assign an uncomfortably high probability that we’ll see something disruptive within five years. High enough that action in the next one to two years is prudent.”

The element that changed his thinking was the “persistent non-linearities in QC progress and the shroud of secrecy that underlies this research.” When estimates of physical qubits fall by orders of magnitude, he said, “we may not have much of a window between ‘quantum is about to disrupt bitcoin’ and ‘secp256k1 is broken’.”

Paine added a national security dimension. “A CRQC can be developed in stealth mode and drop out of seemingly nowhere.”

Google’s decision to use a zero-knowledge proof instead of publishing the circuits reinforces this point. If the world’s leading quantum laboratory self-censors its own research for security reasons, state actors with equivalent or superior capabilities are unlikely to publish at all.

Drake echoed this. “From now on, assume state-of-the-art algorithms will be censored. A blackout in academic publications would be a telltale sign.”

Why crypto?

Some industry voices questioned why Google aimed its most detailed analysis at crypto instead of banking or military systems. ETF analyst Eric Balchunas asked why Google would “apply this research time/money to crypto versus something of far more societal consequence.”

Nic Carter, a partner at Castle Island Ventures, had the answer: blockchains are the most fragile systems that rely on the cryptography that quantum computers can break. “Banks don’t fail because you reverse engineer a single key. Blockchains do,” Carter said. “They’re much more fragile. Banks will upgrade anyway. There won’t be an attack surface there.”

Binance co-founder Changpeng Zhao called for calm but acknowledged the practical difficulty.

“All crypto needs to do is upgrade to quantum-resistant algorithms. So no need to panic,” Zhao said. “In practice, there are some implementation considerations. It’s hard to organize upgrades in a decentralized world.”

Zhao also raised the Satoshi issue directly. If these coins move during a migration, “it means he’s still around, which is interesting to know.” If they don’t, he said, “it might be better to lock or effectively burn those addresses so they don’t go to the first hacker who cracks them.”

The most popular counterargument on crypto X was that quantum computers break everything, not just blockchains.

“If quantum kills Bitcoin, it also kills the global banking system, SWIFT transfers, exchanges, military communications, nuclear command systems, every HTTPS website on earth,” crypto commentator Quinten Francois wrote.

Elon Musk struck a lighter note, writing that at least “if you’ve forgotten your wallet password, it will be available in the future.”

The paper addresses this framing directly. Centralized systems, from banks to military networks, can push software updates to their users. A decentralized blockchain cannot do that. Migrating bitcoin’s infrastructure, including user wallets, exchange support and new address formats, could take five to 10 years, even after a solution is agreed upon.

Meanwhile, Google said it is working with Coinbase, the Stanford Institute for Blockchain Research and the Ethereum Foundation on responsible approaches to the transition.

The company framed its research not as an attack on crypto, but as an effort to “support the long-term health of the cryptocurrency ecosystem.”

The message from almost every corner of the industry is now the same. The threat is no longer theoretical; it’s time to act. The only variable left is whether the protocols that need to migrate will do so before the hardware catches up.
