Does quantum computing threaten BTC security? Google's latest research analysis: 6.9 million BTC at risk

In March 2026, a Google Quantum AI team, together with Stanford University and the Ethereum Foundation, released a 57-page white paper that systematically analyzes the security threats that quantum computing poses to cryptocurrencies. The core conclusion is: to break the 256-bit elliptic curve cryptography (ECC-256) underpinning Bitcoin and Ethereum, the quantum computing resources required are reduced by about 20 times compared with the best prior estimates. Specifically, under a superconducting quantum computing architecture, fewer than 500k physical qubits are enough to carry out the attack, and the runtime is compressed to roughly 9 minutes.

The significance of this finding is not that quantum computers can already break Bitcoin (current hardware clearly cannot), but that it compresses the timeline of “Q-Day” (the moment when quantum computers can break existing cryptography) from a distant theoretical problem into a computable engineering window. Google itself has set 2029 as its internal deadline for migrating to post-quantum cryptography (PQC). Ethereum Foundation researcher and paper co-author Justin Drake estimates that by 2032, the probability that quantum computers can recover a secp256k1 private key from an already exposed public key will be at least 10%.

How the Shor algorithm derives private keys from public keys

Bitcoin security is based on the Elliptic Curve Digital Signature Algorithm (ECDSA), using the secp256k1 curve. Its core assumption is that under classical computing conditions, given a public key, it is impossible to derive the corresponding private key within a feasible time. This assumption forms the fundamental security premise of the entire blockchain system.

The Shor algorithm shows that, in a quantum computing model, the elliptic curve discrete logarithm problem can be solved efficiently. The core contribution of this Google work is that it directly compiles a Shor algorithm quantum circuit targeting secp256k1 and provides concrete resource estimates. The paper offers two approaches: one keeps logical qubits below 1,200 and Toffoli gates below 90 million; the other increases logical qubits to 1,450 but reduces Toffoli gates to 70 million. On a superconducting quantum computer, this corresponds to fewer than 500k physical qubits.

In a symbolically important choice, Google did not publish a complete attack circuit. Instead, it used a zero-knowledge proof to verify the existence and correctness of the circuit. This approach borrows from the “responsible disclosure” principle in traditional information security, and signals that quantum cryptanalysis has entered a phase in which proactive defenses are needed rather than only after-the-fact remediation.

Two types of attack scenarios: immediate interception and offline harvesting

The white paper describes two quantum attack scenarios, whose risk characteristics are fundamentally different.

The first is the “immediate attack,” targeting transactions being broadcast in the mempool. When a user initiates a Bitcoin transaction, the public key is exposed on the network for about 10 minutes, Bitcoin’s average block time window. A sufficiently fast quantum computer can, within about 9 minutes, recover the private key from that public key and broadcast a competing transaction before the original is confirmed, stealing the funds. The paper estimates that a single quantum machine already in a precomputed state would succeed in intercepting transactions within this window about 41% of the time.

The second is a “static attack,” targeting dormant wallets whose public keys have already been permanently exposed on-chain. This attack has no time limit; a quantum computer can crack it at its own pace. The paper estimates that the public keys of about 6.9 million Bitcoins (about 33% of the total supply) are already exposed, including about 1.7 million early coins from the Satoshi era, as well as a large amount of funds exposed due to address reuse.

A notable finding in the white paper is that although Bitcoin’s 2021 Taproot upgrade improved traditional security and privacy, it also, by default, exposed public keys on-chain, effectively expanding the quantum attack surface. Taproot removed the protective layer of “hash first, expose later” in the old address format (P2PKH).
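The two scenarios above turn on one question: does an output’s script put the public key on-chain, or only a hash of it that is revealed later when the coins are spent? The following added example (not code from the white paper or from Bitcoin Core) classifies constructed scriptPubKeys by output type, flags the quantum-exposed cases described here (P2PK, Taproot, and reused addresses that have already spent), and models the 9-minute race against the 10-minute block interval; the assumption that block arrivals are Poisson, so the next-block interval is exponential, is mine.

```python
import math

# Constructed sample scriptPubKeys (hex), one per output type.
# The key/hash bytes are placeholders, not real on-chain values.
SAMPLES = {
    "p2pk_satoshi_era": "41" + "04" + "11" * 64 + "ac",   # <65-byte pubkey> OP_CHECKSIG
    "p2pkh":            "76a914" + "22" * 20 + "88ac",     # OP_DUP OP_HASH160 <20B> OP_EQUALVERIFY OP_CHECKSIG
    "p2sh":             "a914" + "33" * 20 + "87",         # OP_HASH160 <20B> OP_EQUAL
    "p2wpkh":           "0014" + "44" * 20,                # OP_0 <20-byte key hash>
    "p2wsh":            "0020" + "55" * 32,                # OP_0 <32-byte script hash>
    "p2tr_taproot":     "5120" + "66" * 32,                # OP_1 <32-byte x-only key>
}

def classify(script_hex: str) -> tuple[str, bool]:
    """Return (output type, True if the script itself reveals a public key)."""
    s = bytes.fromhex(script_hex)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "P2PK", True          # raw public key sits in the script
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", False        # only HASH160(pubkey); key appears on spend
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", False         # script hash; contents appear on spend
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False       # key hash; key appears on spend
    if len(s) == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False        # script hash; contents appear on spend
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True          # the tweaked x-only key is the script itself
    return "unknown", False

def quantum_exposed(script_hex: str, address_has_prior_spend: bool) -> bool:
    """Static-attack exposure: the script reveals the key, or the same address
    has spent before, so an earlier spend already put the key on-chain (reuse)."""
    _, exposed = classify(script_hex)
    return exposed or address_has_prior_spend

def interception_probability(attack_minutes: float, mean_block_minutes: float = 10.0) -> float:
    """Immediate-attack model (assumption): the attacker wins when the key is
    recovered before the next block arrives; with exponential block intervals
    that is P(T > t) = exp(-t / mean)."""
    return math.exp(-attack_minutes / mean_block_minutes)

if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(f"{name:18s} {classify(script)[0]:7s} exposed={quantum_exposed(script, False)}")
    print(f"9-minute recovery vs 10-minute blocks: {interception_probability(9):.3f}")
```

Under this model a 9-minute key recovery against a 10-minute mean block interval succeeds with probability exp(-0.9), about 0.41, which is where the 41% figure comes from if the paper uses the same assumption.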

The technical cost of addressing quantum threats and the governance dilemma

The path to addressing quantum threats is clear, but the cost is equally clear. The U.S. National Institute of Standards and Technology (NIST) completed standardization for the first batch of post-quantum cryptography standards in August 2024, including FIPS 203, 204, and 205. At the technical level, feasible replacement options include lattice-based post-quantum signatures (such as ML-DSA, originally CRYSTALS-Dilithium), hash-based signatures (such as SLH-DSA, originally SPHINCS+), and others.

However, Bitcoin’s decentralized governance model makes cryptographic migration exceptionally complex. Introducing a post-quantum signature scheme requires a soft fork or a hard fork, which in turn needs community consensus, developer coordination, and synchronized upgrades by wallet providers and exchanges. The Bitcoin community has proposed BIP-360, which aims to introduce a quantum-resistant signature option, but the proposal is still under discussion. Bitcoin Core developers such as Adam Back argue that the quantum threat is still “decades away,” and that a premature large-scale upgrade may introduce cryptographic schemes that have not been sufficiently validated.

The real issue behind this controversy is that the uncertainty of the quantum threat turns “when to start migration” itself into a game. Upgrading too early may waste development resources, while upgrading too late may face irreversible asset loss.

How quantum threats change the logic behind security valuation for crypto assets

Quantum computing threats redefine the “security margin” of crypto assets. Traditional security assumptions—namely that a public key cannot be reverse-derived into a private key within a feasible time—are being recalibrated. The public keys of 6.9 million Bitcoins (valued at more than $500k at the current market value) are fully exposed, and the security of these assets relies only on the temporary fact that quantum computers have not yet matured.

The market is responding to this risk in multiple ways. The usage rate of Taproot addresses has fallen from 42% in 2024 to about 20%, showing that some users are actively avoiding address formats that expose public keys. CoinShares investment strategist Matthew Kimmell noted that the purpose of this research is “to shorten the window of time needed for the industry to advance research and reach an action plan.”

From a more macro perspective, the crypto industry is more vulnerable to quantum threats than traditional financial systems because blockchain ledgers are public and irreversible. Traditional financial institutions can defend against quantum attacks by bulk updating certificates and keys, but once a public key for an on-chain asset is exposed, it exists permanently and cannot be “recalled.” This structural difference means the crypto industry needs not only the ability to “adopt post-quantum algorithms,” but also an institutional framework for “responding to the continuous evolution of cryptography.”

How far is it from resource estimates to real-world attacks

Although the white paper’s resource estimates have been substantially lowered, that does not mean real-world attack capabilities are right around the corner. The current most advanced quantum systems—including Google’s Willow chip—have only about 100 physical qubits, and they have not yet achieved fault-tolerant operation. From existing hardware to 500k stable, error-corrected physical qubits, there remain many engineering challenges that have not yet been overcome.

Some experts believe the current concerns are premature. Blockstream’s Adam Back pointed out that Bitcoin’s underlying network does not rely on traditional cryptography in the usual sense; the impact of quantum threats is not about intercepting network transactions, but about cracking specific users’ private keys. In addition, the SHA-256 hash function used in proof-of-work is relatively more robust against quantum attacks: Grover’s algorithm only gives a square-root speedup for hash search, far short of the “exponential” threat that Shor’s algorithm poses to public-key cryptography.

But this does not mean the industry can passively wait. In cybersecurity, the “collect now, decrypt later” (also called “harvest now, decrypt later”) strategy suggests attackers may already be collecting blockchain data today, waiting until quantum computers mature before attempting to decrypt and exploit it. This time asymmetry requires the industry to complete its defensive deployments before such quantum computers are built.

From Google’s 2029 timeline to international regulatory roadmaps

Google’s target of completing its internal migration to PQC by 2029 is not an isolated event. The NSA’s CNSA 2.0 framework in the U.S. requires that all newly built national security systems adopt quantum-safe algorithms by January 2027; full migration of applications must be completed before 2030, and full infrastructure migration before 2035. The dual pressure of NIST standards and the NSA regulatory timeline is pushing enterprises and institutions to convert PQC migration from a research topic into a compliance requirement.

Against this backdrop, the crypto industry faces a more direct challenge. Upgrade cycles for decentralized networks such as Bitcoin and Ethereum often take years. The Ethereum Foundation has invested years researching a post-quantum roadmap and has been running post-quantum signature schemes on test networks. By contrast, Bitcoin has not yet formed a clear post-quantum roadmap and a coordinated funding mechanism; while decentralized governance gives it legitimacy, it also makes cryptographic migration at the protocol layer exceptionally slow.

Summary

Google’s Quantum AI team’s white paper did not declare Bitcoin’s end. Instead, it turns the quantum threat from a vague long-term assumption into a set of quantifiable engineering parameters. The fewer than 500k physical qubits required for the break, the roughly 9-minute attack window, and the 6.9 million Bitcoins with already exposed public keys: together these numbers define a security window that is real and narrowing.

The challenges the industry faces are not only technical. NIST has solved the algorithm problem; what is truly difficult is coordination at the governance level. In decentralized networks, reaching consensus takes time, and advances in quantum computing will not wait for consensus to form. Over the next five to seven years, the crypto industry needs to balance between two risks: upgrading too early may introduce cryptographic schemes that have not been sufficiently verified, while upgrading too late may result in irreversible asset loss. No matter what the final path is, quantum computing has moved from a theoretical concept to a practical variable that must be incorporated into crypto asset security frameworks.

FAQ

Q: Can quantum computers break Bitcoin right now?

A: No. The current most advanced quantum systems have only about 100 physical qubits, and breaking Bitcoin’s ECC-256 requires about 500k error-corrected physical qubits—still a gap of several hundred times.

Q: What does a 9-minute break mean?

A: This is the “immediate attack” scenario described in the white paper—when the quantum computer is in a precomputed state, it takes about 9 minutes from the appearance of the public key to completing the break, which is slightly shorter than Bitcoin’s average 10-minute block time, meaning there is theoretically about a 41% interception success rate.

Q: Which Bitcoins are the most dangerous?

A: The highest risk is for addresses whose public keys are permanently exposed on-chain, including early P2PK-format outputs (about 1.7 million coins), addresses exposed through address reuse, and Taproot addresses. The paper estimates that about 6.9 million Bitcoins are in this exposed state.

Q: Can Bitcoin upgrade to defend against quantum attacks?

A: Yes. NIST has completed post-quantum cryptography standards (such as ML-DSA and SLH-DSA). Bitcoin can introduce quantum-resistant signature options through proposals such as BIP-360. The issue is that upgrades require community consensus, and the process may last for years.

Q: What should users do now?

A: Avoid reusing addresses; use a new address for each transaction. Store large assets in cold wallets. Watch community progress on anti-quantum upgrades, and proactively migrate assets to safer address formats.
