Key Takeaways
- Google’s research indicates that a quantum computer with fewer than 500,000 physical qubits could break Bitcoin’s elliptic curve cryptography in about nine minutes.
- No such machine currently exists, but projections target 2029 for the implementation of post-quantum cryptography across systems.
- The paper details three attack modes: at-rest, on-spend, and on-setup, highlighting different vulnerabilities.
- 1.7 million Bitcoin in old formats remain exposed to potential quantum attacks, and the community debates how to address this issue.
- Post-quantum cryptography solutions exist but face hurdles like larger signature sizes and consensus among decentralized networks.
Seventy million operations, each one a Toffoli gate, each one a controlled-controlled-NOT flipping qubits through superposition states at temperatures colder than outer space, the whole sequence unspooling across roughly 1,200 logical qubits in nine to twelve minutes. That is what Google Quantum AI’s updated estimate looks like translated from the abstract mathematics of fault-tolerant circuit design into something resembling plain English. What those nine minutes could accomplish, according to a whitepaper released on 30 March, is the derivation of a Bitcoin private key from any exposed public key on the blockchain. Bitcoin’s average block time runs to ten minutes. The margin between safety and theft is thin enough that you might mistake it for none.
The announcement, published jointly by Google Research directors Ryan Babbush and Hartmut Neven, is careful about what it claims and careful about what it withholds. The team has shown that “future quantum computers may break the elliptic curve cryptography” securing cryptocurrency and much else besides. But in a move borrowed from the computer security world’s decades-long argument about vulnerability disclosure, they have not published the actual quantum circuits that would execute the attack. A zero-knowledge proof sits in their place: a cryptographic construction that lets anyone verify the resource estimates are accurate without learning enough to build the weapon.
The underlying mathematical problem is called the elliptic curve discrete logarithm problem, ECDLP. Virtually every major blockchain relies on its presumed hardness: Bitcoin, Ethereum, Solana, most of the rest. The hardness works because recovering a private key from a public one is computationally infeasible on classical machines. On a quantum computer running Shor’s algorithm, it is not. What has changed is the resource estimate: how large does the quantum machine need to be before feasibility flips? Previous best estimates put the physical qubit requirement above nine million for a superconducting architecture. Google’s new figures bring that down to fewer than half a million, roughly a twenty-fold reduction, arrived at through gradual algorithmic optimisation that has been compressing these estimates for years.
Google’s updated estimates suggest a machine with fewer than 500,000 physical qubits running Shor’s algorithm could crack a Bitcoin private key in roughly nine minutes. No such machine exists today, but Google’s own internal migration timeline targets 2029 as the year post-quantum cryptography should be in place. The gap between now and then is where the risk lives.
Quantum computers do not threaten Bitcoin mining, at least not in any timeframe that looks plausible. Grover’s algorithm can provide a modest speedup for mining, but the quantum error correction overhead essentially consumes that advantage, and the algorithm doesn’t parallelise well. Classical ASIC miners remain far more efficient. The threat is to the cryptographic signatures protecting ownership, not to the mining process itself.
When you broadcast a Bitcoin transaction, your public key becomes visible in the public mempool before your transaction is confirmed. An on-spend attack would use a quantum computer to derive your private key during that window, then broadcast a competing transaction redirecting your funds. With a nine-minute key derivation time and Bitcoin’s ten-minute average block time, the paper estimates roughly a 41% chance of success per attack.
About 1.7 million bitcoin sit in old address formats whose public keys are permanently visible on the blockchain. Much of it is believed to be inaccessible, possibly including Satoshi Nakamoto’s coins. These coins cannot be migrated and will eventually be crackable by a sufficiently powerful quantum machine. The Bitcoin community is debating whether to leave them alone, render them unspendable by protocol change, or limit the rate at which they can be spent to prevent market disruption.
Post-quantum cryptography uses mathematical problems that are hard for quantum computers as well as classical ones, typically based on lattices or hash functions rather than elliptic curves. NIST standardised several post-quantum algorithms in 2024. Some blockchains already use them. The main obstacles to wider adoption are larger signature sizes, higher bandwidth requirements, and the political difficulty of getting decentralised networks to agree on protocol changes.
Half a million physical qubits is still, at present, a machine that does not exist. Google’s flagship Willow processor has demonstrated error-corrected logical qubits at the scale needed to validate the approach, but the arithmetic from 72 physical qubits to 500,000 is not a trivial engineering problem. The team’s own migration timeline, released separately in February, puts 2029 as the target for post-quantum cryptography transition across Google’s own systems. That is the implicit threat model: not tomorrow, but perhaps not as far off as the cryptocurrency community has been comfortable assuming.
The paper distinguishes between three attack modes, and the distinction matters. At-rest attacks target long-exposed public keys, the ones sitting permanently visible on the blockchain because of how older Bitcoin address formats work. On-spend attacks are the noisier, more dramatic variant: intercepting a transaction while it sits in the public mempool waiting to be mined, cracking the private key faster than a new block can be added, and broadcasting a forged competing transaction. On-setup attacks are stranger still, requiring the quantum computer only once to extract a secret from fixed protocol parameters, after which a classical computer can exploit the resulting backdoor indefinitely. Ethereum’s data availability sampling mechanism is vulnerable to this third kind. So is the Tornado Cash protocol.
The on-spend threat to Bitcoin is, by the paper’s own analysis, roughly 41% likely to succeed given a nine-minute key derivation time against Bitcoin’s ten-minute average block interval. Litecoin, with its 2.5-minute blocks, brings that success probability down to under 3%. Zcash falls below one in a thousand. These are not comforting numbers for Bitcoin. A sufficiently fast quantum attacker could flood the mempool with high-fee transactions, then win a Replace-By-Fee bidding war using money that is not theirs. The original owner, bidding to defend their funds, faces a scorched earth scenario: victory means paying nearly everything to miners anyway.
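The three success figures above follow from one simple race model, and it is worth seeing the arithmetic. The example below is added here and is not code from the whitepaper or from the article; it assumes that block discovery is memoryless (a Poisson process, so the wait for the next block is exponentially distributed around the chain’s mean interval) and that the attacker wins whenever the key derivation finishes before the next block. The nine-minute derivation time and the Bitcoin and Litecoin intervals come from the text; the 75-second Zcash interval is an assumption not stated on the page. Under those assumptions the model reproduces the page’s 41%, under-3% and under-one-in-a-thousand figures, and the two inverse functions show what a defender would ask next: how short a block interval, or how slow a derivation, would push the risk below a chosen threshold.

```python
import math

# Figures from the text: nine-minute key derivation, Bitcoin ten-minute blocks,
# Litecoin 2.5-minute blocks. The 75-second (1.25-minute) Zcash interval is an
# assumption not given on the page.
KEY_DERIVATION_MIN = 9.0
BLOCK_INTERVALS_MIN = {"Bitcoin": 10.0, "Litecoin": 2.5, "Zcash": 1.25}


def success_probability(derivation_min: float, block_interval_min: float) -> float:
    """Probability that the attacker derives the key before the victim's
    transaction is mined.

    Assumption: blocks arrive as a memoryless (Poisson) process, so the time to
    the next block is exponential with the chain's mean interval and
    P(no block within t) = exp(-t / mean_interval). That is the attacker's
    window, so it is also the on-spend success probability.
    """
    if derivation_min < 0 or block_interval_min <= 0:
        raise ValueError("derivation time must be >= 0 and block interval > 0")
    return math.exp(-derivation_min / block_interval_min)


def block_interval_for_risk(derivation_min: float, max_probability: float) -> float:
    """Longest mean block interval (minutes) that keeps on-spend success at or
    below max_probability for a given key-derivation time. Inverts the formula
    above: interval = -t / ln(p)."""
    if not 0.0 < max_probability < 1.0:
        raise ValueError("max_probability must be strictly between 0 and 1")
    return -derivation_min / math.log(max_probability)


def derivation_time_for_risk(block_interval_min: float, max_probability: float) -> float:
    """Slowest key derivation (minutes) at which on-spend success on a chain with
    the given mean block interval stays at or below max_probability."""
    if not 0.0 < max_probability < 1.0:
        raise ValueError("max_probability must be strictly between 0 and 1")
    return -block_interval_min * math.log(max_probability)


def risk_table(derivation_min: float = KEY_DERIVATION_MIN,
               intervals: dict = BLOCK_INTERVALS_MIN) -> dict:
    """On-spend success probability per chain for one derivation time."""
    return {name: success_probability(derivation_min, iv)
            for name, iv in intervals.items()}


if __name__ == "__main__":
    for name, p in risk_table().items():
        print(f"{name:9s} mean block {BLOCK_INTERVALS_MIN[name]:5.2f} min  "
              f"P(on-spend success) = {p:.4f}")
    # Defender's questions: how fast must blocks be, or how slow the attacker,
    # for the risk to fall below 1% on Bitcoin-like parameters?
    print(f"block interval for <=1% risk at 9-min derivation: "
          f"{block_interval_for_risk(KEY_DERIVATION_MIN, 0.01):.2f} min")
    print(f"derivation time for <=1% risk at 10-min blocks: "
          f"{derivation_time_for_risk(10.0, 0.01):.2f} min")
```

The same formula explains why confirmation depth does not help here: the race is against the first block, not the sixth, so the only levers are the block interval and whether the public key is ever visible before the transaction is mined.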
What makes this disclosure complicated is that cryptocurrency is not just a technical system. It is a social institution, and its value depends partly on confidence in the network. Unsubstantiated quantum threat claims have a history of functioning as market manipulation, a category the paper calls FUD: fear, uncertainty and doubt. The Google team’s response is the zero-knowledge proof, a cryptographic attestation verifiable by anyone, that the resource estimates are real without revealing the circuits that justify them. It adapts responsible disclosure, familiar from conventional cybersecurity, to a domain where patching takes years not weeks.
The dormant asset problem is perhaps the thorniest piece. About 1.7 million bitcoin sits in Pay-to-Public-Key addresses, a format from Bitcoin’s early years in which public keys are on the blockchain rather than hashed and hidden; this includes, probably, a portion of Satoshi Nakamoto’s coins. These cannot be migrated because nobody knows the private keys. When a quantum machine arrives, they become accessible to whoever gets there first. The Bitcoin community is debating: Do Nothing, Burn (render the coins unspendable beforehand), or Hourglass (throttle how fast dormant coins can be spent). An informal poll at last year’s Presidio Bitcoin Quantum Summit found roughly equal support for all three. Consensus, as ever, remains elusive.
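The at-rest exposure the paper describes is visible in the output script itself: a Pay-to-Public-Key output carries the raw key, while a Pay-to-Public-Key-Hash output carries only HASH160 of it. The example below is added here and is not code from the whitepaper or the article; it classifies Bitcoin output scripts by that criterion and totals value per class, which is the inventory a custodian or exchange would run over its own UTXO set before a migration. The opcode values and script layouts are the real Bitcoin Script encodings; the keys, hashes, transaction ids and amounts in the sample data are constructed placeholders, not real chain data.

```python
# Bitcoin Script opcodes (real encodings) used by the two legacy output types.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG, OP_RETURN = 0x76, 0xA9, 0x88, 0xAC, 0x6A


def classify_script_pubkey(script: bytes) -> str:
    """Classify a scriptPubKey by how it exposes the owner's public key.

    'p2pk'  : <push 33|65 bytes> <pubkey> OP_CHECKSIG. The key is on-chain from
              the moment the output is created (the at-rest exposure).
    'p2pkh' : OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG. Only
              HASH160(pubkey) is on-chain until the output is spent.
    'other' : any other script (segwit, multisig, data outputs, ...), not
              analysed here.
    """
    n = len(script)
    # P2PK: a single push of a 33-byte compressed or 65-byte uncompressed key.
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        key = script[1:-1]
        compressed = len(key) == 33 and key[0] in (0x02, 0x03)
        uncompressed = len(key) == 65 and key[0] == 0x04
        if compressed or uncompressed:
            return "p2pk"
    # P2PKH: fixed 25-byte template around a 20-byte hash.
    if (n == 25 and script[0] == OP_DUP and script[1] == OP_HASH160
            and script[2] == 20 and script[23] == OP_EQUALVERIFY
            and script[24] == OP_CHECKSIG):
        return "p2pkh"
    return "other"


def exposed_value(utxos) -> dict:
    """Total output value (satoshis) per script class.

    utxos is an iterable of (txid, vout, value_sats, script_pubkey). The 'p2pk'
    total is the value whose public key is already exposed at rest.
    """
    totals = {"p2pk": 0, "p2pkh": 0, "other": 0}
    for _txid, _vout, value_sats, script in utxos:
        totals[classify_script_pubkey(script)] += value_sats
    return totals


def p2pk_script(pubkey: bytes) -> bytes:
    """Build a P2PK output script: <push len> <pubkey> OP_CHECKSIG."""
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2pkh_script(hash160: bytes) -> bytes:
    """Build a P2PKH output script around a 20-byte HASH160."""
    return bytes([OP_DUP, OP_HASH160, 20]) + hash160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


# Constructed sample data: not real keys, hashes or transactions.
SAMPLE_PUBKEY_COMPRESSED = bytes([0x02]) + bytes(range(1, 33))      # 33 bytes
SAMPLE_PUBKEY_UNCOMPRESSED = bytes([0x04]) + bytes(range(1, 65))    # 65 bytes
SAMPLE_HASH160 = bytes(range(0xA0, 0xB4))                           # 20 bytes

SAMPLE_UTXOS = [
    ("txid-constructed-1", 0, 50_00000000, p2pk_script(SAMPLE_PUBKEY_UNCOMPRESSED)),
    ("txid-constructed-2", 0, 10_00000000, p2pk_script(SAMPLE_PUBKEY_COMPRESSED)),
    ("txid-constructed-3", 1, 2_50000000, p2pkh_script(SAMPLE_HASH160)),
    ("txid-constructed-4", 0, 0, bytes([OP_RETURN, 4]) + b"test"),
]


if __name__ == "__main__":
    for txid, vout, value, script in SAMPLE_UTXOS:
        print(f"{txid}:{vout}  {value:>12d} sat  {classify_script_pubkey(script)}")
    print(exposed_value(SAMPLE_UTXOS))
```

One caveat the script alone cannot capture: a P2PKH output is only hashed until its address is spent from. Spending reveals the public key in the input, so any later output sent to a reused address is just as exposed as a P2PK output. A complete inventory therefore also has to check whether an address has ever been spent from, not only the output template.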
Ethereum’s exposure is different in character if not urgency. Every Ethereum address that has ever sent a transaction has its public key permanently on the blockchain. The thousand highest-value accounts hold about 20.5 million ETH this way. Roughly $200 billion in stablecoins and tokenised real-world assets is governed by admin keys potentially susceptible to quantum compromise, allowing arbitrary minting or contract takeover. Around 37 million staked ETH in the consensus layer depends on a signature scheme the paper expects first-generation quantum machines to break at modest additional cost beyond Bitcoin.
The path forward exists, technically. Post-quantum cryptography has been standardised by NIST, and several blockchains already use it from inception. The barriers are logistical and political: larger signature sizes, bandwidth overhead, and the difficulty of getting decentralised communities to agree on anything substantial. Bitcoin’s 2017 block-size dispute produced a hard fork and a permanent schism. A post-quantum migration would require changes considerably more disruptive.
The paper’s closing argument is not quite a warning, or not only a warning. It is closer to a statement about timelines and probabilities: the amount of time remaining before cryptographically relevant quantum computers exist probably still exceeds the time needed to migrate, but the margin is narrowing, and the threat may announce itself on the blockchain rather than in a press release. “Attacks always get better,” the cryptographers’ saying goes. Resource estimates only move in one direction.
Source: https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf