Google’s Quantum Paper Cuts Qubit Estimates 20-Fold, Raising Crypto Security Stakes
A new white paper from Google Quantum AI cuts the estimated number of physical qubits needed to break 256-bit elliptic-curve cryptography by a factor of roughly 20, compressing what many treated as a distant theoretical risk into something that demands near-term engineering responses. The paper, co-authored by Google researchers, Ethereum Foundation researcher Justin Drake, and Stanford cryptographer Dan Boneh, gives two circuit designs for Shor’s algorithm against the 256-bit elliptic-curve discrete logarithm problem: one using no more than 1,200 logical qubits and 90 million Toffoli gates, the other 1,450 logical qubits and 70 million Toffoli gates. On a superconducting, cryptographically relevant quantum computer, those circuits would fit in fewer than 500,000 physical qubits, and the authors estimate a run time of a few minutes from a primed state, that is, with the machine already set up and waiting for a target public key.
What the Paper Actually Proves, and What It Does Not
The most important clarification to establish at the outset is that Google does not claim such a machine exists today. Current superconducting quantum processors remain orders of magnitude below the fault-tolerant, error-corrected scale required to run these circuits against a real key. The contribution of the paper is not a demonstration of an attack; it is a resource estimate, and one that is substantially more precise and more alarming than prior estimates. The previous consensus figure ran to roughly 10 million physical qubits; the new figure is under 500,000. One caveat applies to that comparison: the logical-qubit and Toffoli counts are properties of the circuit, but the physical-qubit count also bakes in assumptions about gate error rates and error-correction overhead, so it moves as hardware assumptions change. Even so, a 20-fold compression shifts the plausible arrival window for a cryptographically relevant quantum computer from the late 2030s into the early 2030s under optimistic hardware scaling assumptions.
Google also adopted an unusual disclosure posture. Rather than publishing the underlying attack circuits in full, the team used a zero-knowledge proof to allow external parties to verify the resource estimates without receiving the circuits themselves. The paper states explicitly that progress has reached a point where publishing improved attack details in full has become less prudent, even as publishing trustworthy resource estimates remains necessary to motivate defensive work. That framing is itself a data point: it signals that the researchers regard the estimates as operationally credible rather than purely academic.
On the same day, a separate team from Oratomi, Caltech, and UC Berkeley published independent findings suggesting that Shor’s algorithm could run at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits, with ECC-256 potentially falling in five days on a 22,000-qubit machine. The two papers use different hardware models and assumptions, so the specific figures are not directly comparable, but their simultaneous appearance reinforces the directional conclusion: the engineering gap is closing faster than the cryptographic community’s public consensus had anticipated.
The Bitcoin Exposure Problem Is Structural, Not Marginal
For Bitcoin, the paper draws a precise map of vulnerability. It models what it calls an “on-spend” attack: a user broadcasts a transaction, which reveals the public key behind the address being spent; the quantum machine recovers the private key from that public key; and the attacker broadcasts a competing transaction that must be mined before the original is confirmed. Under the paper’s assumptions, a fast-clock superconducting machine could bring the key-recovery time down to approximately 9 minutes from a primed state. Given Bitcoin’s average block interval of roughly 10 minutes, the paper puts the theft success probability at slightly under 41 percent in that scenario, which matches the probability that no block arrives during a 9-minute window when block arrivals are treated as memoryless with a 10-minute mean (e^(-0.9) ≈ 0.41). That figure deserves careful reading: it is not a certainty of theft, and the attacker still has to win the race for inclusion once both transactions are in the mempool, but it is far removed from the negligible probability that underpins current security assumptions.
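To make the 41 percent figure concrete, the following Python is an added example (not code from the paper or from Google) that computes the on-spend success probability under the simplest model of that race: block arrivals as a Poisson process with a 10-minute mean, so the attacker wins whenever no block is found before key recovery finishes. The `win_race` factor is my own assumption, standing in for whatever chance the attacker’s competing transaction has of being mined ahead of the victim’s once both are pending; the paper’s figure corresponds to `win_race = 1.0`. Function names are mine.

```python
import math

BLOCK_INTERVAL_MIN = 10.0  # Bitcoin's target mean inter-block time


def onspend_success_probability(attack_minutes: float,
                                block_interval_minutes: float = BLOCK_INTERVAL_MIN,
                                win_race: float = 1.0) -> float:
    """Probability that an on-spend attacker gets a competing transaction out
    before the victim's transaction is confirmed.

    Inter-block times are modelled as exponential with the given mean, so the
    chance that no block arrives within the attacker's key-recovery time is
    exp(-t / mean). Memorylessness means the time elapsed since the previous
    block when the victim broadcasts is irrelevant; only recovery time matters.

    win_race (an assumption of this example, not a figure from the paper)
    scales the result by the chance the attacker's transaction is mined ahead
    of the victim's once both are pending; 1.0 reproduces the paper's figure.
    """
    if not 0.0 <= win_race <= 1.0:
        raise ValueError("win_race must be a probability")
    return math.exp(-attack_minutes / block_interval_minutes) * win_race


def max_attack_minutes_for(target_probability: float,
                           block_interval_minutes: float = BLOCK_INTERVAL_MIN) -> float:
    """Key-recovery time the attacker must beat to reach a given success rate.

    Solves exp(-t / mean) = p for t; useful for turning a risk tolerance into
    a hardware speed threshold.
    """
    if not 0.0 < target_probability <= 1.0:
        raise ValueError("target_probability must be in (0, 1]")
    return -block_interval_minutes * math.log(target_probability)


def success_table(times_minutes=(2, 5, 9, 15, 30)) -> dict:
    """Success probability for a range of key-recovery times, rounded to 3 dp."""
    return {t: round(onspend_success_probability(t), 3) for t in times_minutes}


if __name__ == "__main__":
    for t, p in success_table().items():
        print(f"key recovery in {t:2d} min -> theft probability {p:.1%}")
    print(f"50% success needs recovery within {max_attack_minutes_for(0.5):.2f} min")
```

Two things fall out of this that the paragraph alone does not show. The defender cannot shrink this probability by waiting longer, because the race is decided at the first block; and the only parameter on the defender’s side is whether the public key is revealed at all, which is why hash-based output types matter more than any confirmation policy. A 9-minute recovery gives roughly 41 percent; halving it to about 4.5 minutes pushes the figure above 63 percent, and the attacker needs to get under 6.9 minutes for even odds.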
The paper also quantifies the static exposure from dormant addresses, which is a separate and arguably more intractable problem. Approximately 6.7 million BTC sit in addresses where the public key has already been exposed to the chain, requiring no transaction to initiate an attack. Of that total, old Pay-to-Public-Key scripts still secure more than 1.7 million BTC, worth approximately $112.6 billion at current prices, and the total dormant quantum-vulnerable supply across script types may reach 2.3 million BTC, or roughly $152.3 billion. At current market prices, the aggregate vulnerable Bitcoin supply approaches $444 billion. With Bitcoin’s active address count at 459,981 and hash rate at 904.5 EH/s at time of writing, the network is operationally healthy by conventional metrics; the quantum risk does not appear in those figures at all, which is precisely what makes it structurally dangerous.
The paper also raises a more recent complication. Taproot, adopted as a privacy and efficiency improvement, reintroduced the old exposure by placing the tweaked output key directly in the locking script (OP_1 followed by the 32-byte x-only key). Because a key-path spend signed with that output key is always valid, this holds even for outputs whose owners only ever intended to spend through the script path, so Taproot outputs created since activation in November 2021 carry the same class of exposure as the original Pay-to-Public-Key format. The authors note, however, that Grover-based attacks on Bitcoin mining remain impractical for decades, keeping the near-term risk concentrated in signature schemes rather than proof of work.
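The two paragraphs above separate outputs whose public key is already on chain from those that only commit to a hash. The classifier below is an added example (mine, not code from the paper or from Bitcoin Core) that makes that distinction mechanically from raw scriptPubKey bytes, following the standard output templates: P2PK and P2TR carry the key itself, while P2PKH, P2SH, P2WPKH and P2WSH carry a hash until spend. The `SAMPLE_UTXOS` list is constructed with filler bytes rather than real keys, hashes or amounts, and the function names are mine.

```python
from collections import defaultdict

# Script opcodes used below (values from the Bitcoin script spec).
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)

KEY_ON_CHAIN = "key-on-chain"          # Shor target without waiting for a spend
KEY_HIDDEN = "key-hidden-until-spend"  # only a hash commitment is on chain


def classify_spk(spk: bytes) -> tuple:
    """Map a raw scriptPubKey to (script_type, exposure)."""
    n = len(spk)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG; the key itself is the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        prefix = spk[1]
        if (n == 35 and prefix in (0x02, 0x03)) or (n == 67 and prefix == 0x04):
            return "p2pk", KEY_ON_CHAIN
    # P2TR: OP_1 <32-byte x-only output key>. The tweaked key Q = P + t*G is a
    # curve point whose discrete log unlocks the key path, whatever the script tree.
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:
        return "p2tr", KEY_ON_CHAIN
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", KEY_HIDDEN
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[22] == OP_EQUAL:
        return "p2sh", KEY_HIDDEN
    # P2WPKH: OP_0 <20-byte key hash>; P2WSH: OP_0 <32-byte script hash>
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return "p2wpkh", KEY_HIDDEN
    if n == 34 and spk[0] == OP_0 and spk[1] == 0x20:
        return "p2wsh", KEY_HIDDEN
    return "unknown", "unknown"


def exposure_by_bucket(utxos) -> dict:
    """Sum UTXO values (satoshis) per exposure class.

    Lower bound only: a hash-type output whose address was reused and already
    spent from has its key in an earlier scriptSig or witness, which a
    locking-script-only check cannot see.
    """
    totals = defaultdict(int)
    for spk, value_sats in utxos:
        _, exposure = classify_spk(spk)
        totals[exposure] += value_sats
    return dict(totals)


# Constructed sample UTXO set with filler bytes; not real keys, hashes or amounts.
SAMPLE_UTXOS = [
    (bytes([0x41, 0x04]) + b"\x11" * 64 + bytes([OP_CHECKSIG]), 50_00000000),  # early P2PK
    (bytes([OP_1, 0x20]) + b"\x22" * 32, 2_00000000),                          # Taproot
    (bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x33" * 20
     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1_00000000),                      # P2PKH
    (bytes([OP_0, 0x14]) + b"\x44" * 20, 3_00000000),                          # P2WPKH
    (bytes([OP_HASH160, 0x14]) + b"\x55" * 20 + bytes([OP_EQUAL]), 4_00000000),  # P2SH
]

if __name__ == "__main__":
    for spk, sats in SAMPLE_UTXOS:
        print(f"{spk.hex()[:16]}... {classify_spk(spk)} {sats / 1e8:.2f} BTC")
    print(exposure_by_bucket(SAMPLE_UTXOS))
```

Run over a real UTXO dump this gives a lower bound on the at-rest exposure the paragraph above describes. Funds sitting in a P2PKH or P2WPKH address that has already been spent from are also exposed, because that earlier spend published the key in a scriptSig or witness, and a locking-script-only check cannot see it; a full audit has to join against spend history as well.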
Bitcoin currently sits at 106,907 blocks from its next halving, a figure that places the event roughly two years out. Protocol upgrades on the scale required for post-quantum migration typically take longer than that to reach consensus and deploy across the full node network, which means the halving will likely arrive before any post-quantum hardening of the base layer is meaningfully complete.
Ethereum Faces Five Distinct Attack Surfaces
The paper’s treatment of Ethereum is more granular than its Bitcoin analysis, identifying five separate vulnerability categories with quantified exposure at each level. Individual wallets represent the most visible target: the top 1,000 Ethereum addresses alone hold approximately 20.5 million ETH. At time of writing, Ethereum trades at $2,099.14, up 3.19 percent over the prior 24 hours, placing the dollar value of those 1,000 wallets in excess of $43 billion.
Smart contract administrator keys represent the second attack surface. Those keys control approximately $200 billion in stablecoins and other tokenised real-world assets, making them arguably more systemically dangerous than individual wallet theft, since a single recovered key carries contract-level privileges such as minting, freezing or upgrading rather than one balance. Validators constitute a third exposure tier, with 37 million ETH in staked funds dependent on signing keys that, although they use BLS signatures over the BLS12-381 curve rather than secp256k1, rest on the same elliptic-curve discrete-logarithm assumption that Shor’s algorithm breaks. Layer-2 infrastructure adds a fourth category, with each major L2 carrying exposure estimated at around 15 million ETH. A fifth vector involves Ethereum’s data verification layer, where quantum attacks could in principle compromise the integrity of rollup proofs. As CoinDesk reported, the combined exposure across these five vectors exceeds $100 billion by CoinDesk’s conservative accounting, though the stablecoin administrator key risk pushes the total substantially higher under broader assumptions.
The Ethereum Foundation is further along in its post-quantum planning than Bitcoin Core. Vitalik Buterin has published a quantum-resistance roadmap, and the Foundation’s Drake, who co-authored the Google paper, stated that his confidence in a Q-Day by 2032 has increased sharply. Drake now assigns at least a 10 percent probability that a quantum computer could recover a secp256k1 private key from an exposed public key by 2032. That probability sounds modest in isolation; applied to $600 billion or more in combined crypto assets, it represents a risk-adjusted exposure that no institutional risk manager can responsibly ignore. The Google 2029 quantum migration deadline for its own internal systems provides the clearest external reference point for timeline calibration.
The Coordination Problem Is Harder Than the Cryptography
The engineering path to post-quantum cryptography is well-defined. The US National Institute of Standards and Technology finalised its first post-quantum standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures, all with production implementations available. Google itself has committed to migrating its own systems by 2029. The barrier for crypto networks is not algorithmic; it is governance and coordination at a scale that has no corporate equivalent, compounded by a practical cost that corporate migrations do not face: post-quantum signatures run to kilobytes rather than the 64 bytes of a Schnorr signature, so any on-chain migration also has to budget for block space and fees.
Bitcoin’s BIP 360 proposal introduces new transaction formats designed to reduce exposure to quantum-vulnerable cryptographic assumptions. It remains in draft form, with test implementations running in experimental environments, but no timeline exists for mainnet activation. Any upgrade to Bitcoin’s core protocol requires broad agreement across wallet developers, exchanges, mining pools, and full-node operators with differing technical priorities and financial incentives. Binance founder Changpeng Zhao has argued publicly that migration is feasible without destabilising the network, while acknowledging that execution is the binding constraint. He is right on both counts, and the second point is the one that matters.
The governance problem is asymmetric in a specific and important way: the coins most at risk from quantum attack are predominantly held in dormant addresses by wallets that cannot be prompted to migrate. Lost coins, long-abandoned wallets, and addresses whose owners are deceased or unreachable will not update to post-quantum formats regardless of what the protocol allows. Those coins will either remain permanently vulnerable or require the network to take some collective action about their status, a discussion that implicates property rights, protocol conservatism, and miner incentives simultaneously. That is a harder conversation than deploying a new signature scheme.
Who Bears the Asymmetric Risk, and Where Preparation Creates Relative Advantage
The directional assessment here is not ambiguous. Bitcoin faces the larger absolute risk because of the scale of dormant vulnerable supply and the slower governance apparatus, but Ethereum faces the larger systemic risk because its smart contract layer concentrates control over stablecoins and institutional assets in administrator keys that are discrete targets rather than a diffuse population of individual wallets. An attacker with a cryptographically relevant quantum computer would rationally prioritise administrator keys controlling $200 billion in stablecoins over the labour-intensive process of sweeping millions of individual Bitcoin addresses. Ethereum’s post-quantum roadmap is more developed, but the attack surface is more concentrated and more immediately consequential.
Projects that have already begun integrating post-quantum signature schemes, or whose architectures can accommodate algorithm substitution without hard forks, carry a structural advantage over this period. The XRP Ledger’s quantum-resilience testing, reported on 31 March, reflects the broader scramble among Layer-1 networks to demonstrate preparation. Whether those demonstrations translate into genuine hardening before a cryptographically relevant machine exists is the operative question, and the honest answer is that no network can currently guarantee it will.
For institutional holders, the Google paper forces a portfolio-level reassessment. The 10 percent probability Drake assigns to Q-Day by 2032 may seem low, but it is no longer in the range where reasonable risk management permits inaction. Custodians and exchanges that have not mapped their key management infrastructure against post-quantum requirements are now operationally behind the information available to them. The firms that move earliest on key infrastructure upgrades, custodial post-quantum signing, and smart contract administrative key rotation will carry less tail risk than those that treat the 90 percent non-event probability as a basis for deferral. A 10 percent probability of catastrophic loss, assigned by a co-author of the threat model itself, is not a reason for patience. It is a specification for engineering priority.
The paper’s most consequential contribution may be less the specific qubit numbers, which will keep being revised as hardware matures, than the credibility signal embedded in its authorship and disclosure methodology. When a Google Quantum AI team uses a zero-knowledge proof to share estimates rather than circuits, and when a senior Ethereum Foundation researcher assigns a double-digit probability to a private-key break within six years, the institutional posture that treats quantum risk as a future-decade concern is no longer defensible. The arithmetic of preparation time against attack arrival window has tightened considerably, and the burden of proof has shifted from those urging urgency to those counselling delay.