
Google's Quantum Lab Says Cracking Crypto Wallets Now Needs 20 Times Fewer Qubits

A new whitepaper from Google Quantum AI compresses the timeline for breaking blockchain cryptography, putting $600B+ in assets on the clock.

Oliver Senti, Senior AI Editor
April 2, 2026 (7 min read)

Google Quantum AI published a 57-page whitepaper on March 30 that anyone holding crypto should read. Co-authored with Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, the paper argues that breaking the elliptic curve cryptography protecting Bitcoin, Ethereum and nearly every other blockchain requires roughly 20 times fewer quantum resources than the field previously assumed. The number that matters: fewer than 500,000 physical qubits on a superconducting architecture, down from prior estimates in the millions.

That's still a lot of qubits. Google's most advanced chip, Willow, has 105 physical qubits. But the gap is closing through algorithmic optimization alone, independent of hardware advances, and that trajectory is the paper's central argument.

The nine-minute problem

The whitepaper presents two optimized quantum circuits for solving the 256-bit elliptic curve discrete logarithm problem on secp256k1, the curve behind Bitcoin and Ethereum signatures. They trade qubits against gates: one uses 1,200 or fewer logical qubits with 90 million Toffoli gates, the other 1,450 logical qubits with 70 million Toffoli gates. Each logical qubit is encoded across many physical qubits for error correction, which is how these counts become the sub-500,000 physical-qubit estimate. On a sufficiently powerful superconducting machine, those circuits execute in minutes.

Here's where it gets uncomfortable for Bitcoin specifically. The paper describes an "on-spend" attack. For the common single-key output types, the address commits only to a hash of the public key; the key itself appears on-chain the moment the owner spends, in the transaction's input. A quantum adversary watching the mempool sees an unconfirmed transaction, reads the sender's public key from it, solves the discrete logarithm to recover the private key, and broadcasts a competing transaction that sends the same coins elsewhere, all before the original is mined. With Bitcoin's roughly 10-minute average block interval, the paper puts the usable window at about 9 minutes and estimates a 41% probability that the competing spend wins.

41% is not a certainty. But it is a coin flip you'd rather not take with your savings.

Ethereum's fixed 12-second slots leave no room for a nine-minute race, so this particular attack is far less practical there. The real exposure is different (and, I'd argue, worse in some ways).
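To see where a figure like 41% comes from, here is an added example (mine, not code or analysis from the paper or this article) that models the mempool race. Proof-of-work block discovery is memoryless, so the chance that no block arrives during a t-minute attack on a chain with a T-minute mean interval is exp(-t/T); with t = 9 and T = 10 that is about 0.41, which matches the paper's estimate. Reading the 41% that way is my assumption; the paper may use a more detailed model. The fixed-slot function is a simplified model of a proof-of-stake chain such as Ethereum, where a pending transaction lands at the next slot boundary. The only parameter values taken from the article are the 10-minute interval, the 12-second slot and the 9-minute window.

```python
import math

# Chain parameters quoted in the article; the modelling around them is my own, not the paper's.
BITCOIN_MEAN_BLOCK_MINUTES = 10.0
ETHEREUM_SLOT_SECONDS = 12.0
ON_SPEND_ATTACK_MINUTES = 9.0  # mempool observation + ECDLP solve + broadcast of the competing spend


def poisson_race_success(attack_minutes: float, mean_block_minutes: float) -> float:
    """Probability the victim's transaction is still unconfirmed when the attacker's
    competing spend arrives, on a proof-of-work chain.

    Block discovery is a Poisson process, so the time to the next block is
    exponentially distributed with the given mean regardless of how long the
    current block has already been in progress. The attacker wins the race
    exactly when that waiting time exceeds the attack duration.
    """
    if attack_minutes <= 0:
        return 1.0
    return math.exp(-attack_minutes / mean_block_minutes)


def fixed_slot_race_success(attack_seconds: float, slot_seconds: float) -> float:
    """Same race on a chain with fixed-length slots (simplified: the pending
    transaction is included at the next slot boundary, and it was broadcast at a
    uniformly random point within the current slot). Success requires finishing
    before that boundary; anything slower than one slot never wins."""
    if attack_seconds >= slot_seconds:
        return 0.0
    return 1.0 - attack_seconds / slot_seconds


def required_attack_minutes(target_success: float, mean_block_minutes: float) -> float:
    """Invert the proof-of-work model: how fast must the whole key-recovery pipeline
    run to reach a given success probability? This turns a circuit runtime
    estimate into a risk statement."""
    if not 0.0 < target_success <= 1.0:
        raise ValueError("target_success must be in (0, 1]")
    return -mean_block_minutes * math.log(target_success)


if __name__ == "__main__":
    p_btc = poisson_race_success(ON_SPEND_ATTACK_MINUTES, BITCOIN_MEAN_BLOCK_MINUTES)
    p_eth = fixed_slot_race_success(ON_SPEND_ATTACK_MINUTES * 60, ETHEREUM_SLOT_SECONDS)
    print(f"Bitcoin, 9-minute attack:  {p_btc:.1%} chance the competing spend wins")
    print(f"Ethereum, 9-minute attack: {p_eth:.1%}")
    for target in (0.5, 0.9, 0.99):
        print(f"Bitcoin, {target:.0%} success needs the attack done in "
              f"{required_attack_minutes(target, BITCOIN_MEAN_BLOCK_MINUTES):.2f} min")
```

The model only bounds the time window. In practice the competing transaction also has to be preferred by miners over the original, so the real success rate is at most what the function returns. The inverse function is the useful one for planning: halving the circuit runtime from 9 to 4.5 minutes moves Bitcoin from a 41% race to a 64% one, and nothing about the hardware needs to change for that beyond speed.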

What's actually at risk

The paper estimates around 6.9 million BTC are already vulnerable through exposed or reused public keys. That includes roughly 1.7 million BTC on early-era outputs from the Satoshi period that pay directly to a public key, coins that have never moved and whose keys sit in the output script itself, permanently visible on-chain. And here's an irony the authors flag: the pay-to-public-key-hash and SegWit address formats that followed commit only to a hash of the key, so the key stays hidden until the coins are spent, but Bitcoin's Taproot upgrade, activated in 2021, put a 32-byte public key straight back into every pay-to-taproot output.
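The exposure categories in that paragraph come down to one question per output: is the public key already readable on-chain, or only its hash until the coins move? The classifier below is an added example (mine, not the paper's or the article's) over the standard Bitcoin output script templates, with a constructed UTXO set. The byte patterns are the well-known scriptPubKey layouts; the sample keys, hashes and amounts are made up.

```python
from dataclasses import dataclass

# Script opcodes used by the standard output templates.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


@dataclass(frozen=True)
class OutputClass:
    kind: str
    key_in_output: bool   # a secp256k1 point is readable from the unspent output itself
    key_on_spend: bool    # the key (or the script holding it) is revealed when the output is spent


def classify_script_pubkey(spk: bytes) -> OutputClass:
    """Map a raw scriptPubKey to its template and to when its public key becomes visible."""
    n = len(spk)
    # P2PK (Satoshi-era outputs): <33- or 65-byte pubkey> OP_CHECKSIG. The key is in the output.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return OutputClass("P2PK", True, True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte HASH160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG. Only a hash until spent.
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return OutputClass("P2PKH", False, True)
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL. The redeem script (and its keys) appears on spend.
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return OutputClass("P2SH", False, True)
    # P2WPKH: OP_0 <20-byte HASH160(pubkey)>; P2WSH: OP_0 <32-byte SHA256(script)>.
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return OutputClass("P2WPKH", False, True)
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return OutputClass("P2WSH", False, True)
    # P2TR (Taproot, BIP 341): OP_1 <32-byte x-only output key>. The output key is itself a curve
    # point; its discrete log authorises a key-path spend, so the key is exposed while unspent.
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return OutputClass("P2TR", True, True)
    # Anything else: treat conservatively as revealing its script when spent.
    return OutputClass("nonstandard", False, True)


def summarize_exposure(utxos: list[tuple[bytes, int]], spent_from: set[bytes]) -> dict:
    """Split unspent value (sats) by whether an attacker with unlimited time could already read
    the key: outputs that embed it, plus outputs whose scriptPubKey has been spent from before
    (address reuse revealed the key in an earlier input)."""
    exposed = hashed_only = 0
    by_kind: dict[str, int] = {}
    for spk, sats in utxos:
        cls = classify_script_pubkey(spk)
        if cls.key_in_output or (cls.key_on_spend and spk in spent_from):
            exposed += sats
            by_kind[cls.kind] = by_kind.get(cls.kind, 0) + sats
        else:
            hashed_only += sats
    return {"exposed_sats": exposed, "hashed_only_sats": hashed_only, "exposed_by_kind": by_kind}


def demo_utxo_set() -> tuple[list[tuple[bytes, int]], set[bytes]]:
    """Constructed sample data: dummy keys and hashes, not real chain state."""
    pubkey33 = bytes([0x02]) + bytes(32)                 # placeholder compressed key
    h160_fresh, h160_reused = bytes([0x11]) * 20, bytes([0x22]) * 20
    xonly = bytes([0x33]) * 32
    p2pk = bytes([33]) + pubkey33 + bytes([OP_CHECKSIG])
    p2pkh_fresh = bytes([OP_DUP, OP_HASH160, 20]) + h160_fresh + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2pkh_reused = bytes([OP_DUP, OP_HASH160, 20]) + h160_reused + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2wpkh = bytes([OP_0, 20]) + h160_fresh
    p2tr = bytes([OP_1, 32]) + xonly
    utxos = [(p2pk, 5_000_000_000), (p2pkh_fresh, 100_000), (p2pkh_reused, 200_000),
             (p2wpkh, 300_000), (p2tr, 400_000)]
    return utxos, {p2pkh_reused}   # the reused address has a prior spend on record


if __name__ == "__main__":
    utxos, spent_from = demo_utxo_set()
    for spk, sats in utxos:
        print(classify_script_pubkey(spk), sats)
    print(summarize_exposure(utxos, spent_from))
```

The "hashed only" bucket is not safe, just safer: those outputs become exposed at the moment of spending, which is exactly the window the on-spend race targets. Run against a real UTXO snapshot, the same split is how you would reproduce the paper's "already vulnerable" total versus the value that only becomes vulnerable when it moves.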

For Ethereum, Google maps five distinct attack categories. The top 1,000 wallets hold about 20.5 million ETH with exposed public keys, and a fast quantum machine could churn through all of them in under nine days. But the wallet-level risk isn't even the scariest part. At least 70 admin-controlled smart contracts, holding around 2.5 million ETH plus stablecoin minting authority worth roughly $200 billion, rely on the same vulnerable cryptography. A quantum attacker who cracks one admin key doesn't just steal tokens. They could mint new stablecoins, drain treasury contracts, or brick a bridge.

Then there's the consensus layer, with 37 million staked ETH, and a particularly nasty vector involving the KZG trusted setup behind Ethereum's blob commitments and Data Availability Sampling. The setup publishes powers of a secret scalar, the "toxic waste" that ceremony participants are supposed to destroy; recovering that scalar from the published points is a discrete logarithm problem, and once a quantum computer has solved it, forging commitment openings is ordinary arithmetic. That is what the paper means by a permanent, reusable exploit that works without needing quantum access again. The authors describe this exploit as "potentially tradable." That phrase should keep people up at night.
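Why a recovered setup scalar is a permanent exploit: with the secret s in hand, faking a KZG opening is plain field arithmetic, and no quantum computer is needed for any subsequent forgery. The toy below is an added example I wrote to show that algebra; it is not the paper's or Ethereum's code. It works in BLS12-381's scalar field and represents group elements by their discrete logarithms (G = 1), so the real pairing check e(C - [y]G, H) = e(π, [s - z]H) appears as the field equation c - y = π·(s - z). Because there is no pairing in the model, the verify function has to be handed the scalar that a real verifier only holds as the curve point [s]H; that is an artefact of the simplification, not a property of the scheme. The data polynomial and the value of s are constructed.

```python
# Scalar field order r of BLS12-381, the curve Ethereum's KZG commitments live on.
R = 52435875175126190479447740508185965837690552500527637822603658699938581184513


def poly_eval(coeffs: list[int], x: int) -> int:
    """Evaluate a polynomial given by ascending coefficients at x, mod R."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % R
    return acc


def divide_by_linear(coeffs: list[int], z: int) -> list[int]:
    """Quotient of p(X) by (X - z) for a p with p(z) = 0 (synthetic division), ascending coefficients."""
    q = [0] * (len(coeffs) - 1)
    carry = 0
    for i in range(len(coeffs) - 1, 0, -1):
        carry = (coeffs[i] + carry * z) % R
        q[i - 1] = carry
    assert (coeffs[0] + carry * z) % R == 0, "p(z) != 0, not divisible by (X - z)"
    return q


def commit(coeffs: list[int], s: int) -> int:
    """C = [p(s)]G, written as the scalar p(s). A real committer computes this from the published
    powers [s^i]G without knowing s; evaluating at s directly is the log-form shortcut."""
    return poly_eval(coeffs, s)


def honest_open(coeffs: list[int], z: int, s: int) -> tuple[int, int]:
    """Prover side: y = p(z) and proof pi = [q(s)]G with q(X) = (p(X) - y) / (X - z)."""
    y = poly_eval(coeffs, z)
    shifted = [(coeffs[0] - y) % R] + coeffs[1:]
    q = divide_by_linear(shifted, z)
    return y, poly_eval(q, s)   # same shortcut as commit(): real provers use the SRS, not s


def verify(commitment: int, z: int, y: int, proof: int, s_from_srs: int) -> bool:
    """Verifier side. Real check: e(C - [y]G, H) == e(pi, [s]H - [z]H). In log form that is
    c - y == pi * (s - z). s_from_srs stands in for the point [s]H the verifier actually holds."""
    return (commitment - y) % R == (proof * (s_from_srs - z)) % R


def forge_opening(commitment: int, z: int, fake_y: int, leaked_s: int) -> int:
    """Attacker side, given the recovered scalar: pi = (s - z)^-1 * (C - [fake_y]G).
    Works for ANY commitment, including ones the attacker did not create, and needs no
    knowledge of the committed polynomial. Pure classical arithmetic: this is the
    'permanent, reusable' exploit, and the leaked scalar is all there is to trade."""
    return ((commitment - fake_y) * pow(leaked_s - z, -1, R)) % R


if __name__ == "__main__":
    s = 0x1234_5678_9ABC_DEF0_1357_9BDF_2468_ACE0   # constructed toxic waste, normally destroyed after the ceremony
    blob = [3, 1, 4, 1, 5, 9, 2, 6]                   # constructed data polynomial, ascending coefficients
    C = commit(blob, s)
    z = 7
    y, pi = honest_open(blob, z, s)
    print("honest opening verifies:     ", verify(C, z, y, pi, s))
    print("wrong value, honest proof:   ", verify(C, z, (y + 1) % R, pi, s))
    fake_pi = forge_opening(C, z, (y + 1) % R, s)
    print("wrong value, forged proof:   ", verify(C, z, (y + 1) % R, fake_pi, s))
```

The middle line is the scheme working as designed: without s, a wrong value fails the check. The last line is the attack: the same wrong value passes once s is known, and the forger never needed the blob data behind the commitment. For Data Availability Sampling that means a node can be convinced that arbitrary bytes are the committed blob, which is why the paper treats the setup scalar as a consensus-layer risk rather than a wallet-level one.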

Beyond Bitcoin and Ethereum

Litecoin, Dogecoin, Solana, Cardano, Bitcoin Cash, Zcash, Monero: they all use elliptic curve cryptography. The paper doesn't pretend this is a two-chain problem. Privacy coins face an additional threat: retroactive deanonymization. A future quantum attacker could decrypt historical confidential transactions on chains like Zcash and Monero, unraveling years of supposed privacy after the fact.

One detail that got less coverage: Bitcoin's proof-of-work mining is actually safe. Grover's algorithm, the quantum shortcut for brute-force search, offers only a quadratic speedup, and the paper finds that advantage is completely eaten by the overhead of quantum error correction. Mining remains a classical computation problem. Private key theft is the real threat vector here.

How they disclosed it (and why that matters)

The authors did something unusual. Rather than publishing the optimized attack circuits, they proved their resource counts in zero knowledge, using a Groth16 zkSNARK generated with the SP1 zero-knowledge virtual machine. Third parties can check that circuits with the claimed qubit and gate counts exist and are correct without ever seeing them. Google says it also engaged with the U.S. government before publication.

There's a nice irony here that the paper's authors acknowledge: the Groth16 proof itself relies on BLS12-381, a pairing-friendly elliptic curve that would also be vulnerable to a sufficiently powerful quantum computer. The proof is only sound because the machine that could break it doesn't exist yet. As a blog post from Google Research put it, the team wanted to raise awareness without providing a roadmap for bad actors.

This is a precedent. If other quantum research teams adopt the same zero-knowledge disclosure model, we're looking at a future where attack capabilities are verified but opaque. That feels like the right approach, even if it makes independent scrutiny harder.

So when does this become real?

Not tomorrow. Not next year. The paper is careful about that distinction. Current quantum hardware is orders of magnitude away from the 500,000-qubit threshold, and the error rates on existing machines are nowhere near what fault-tolerant computation requires. Fireblocks, in its analysis, noted that the gap requires sustained engineering breakthroughs "measured in years, not months."

But Justin Drake, who co-authored the paper and sits inside the Ethereum Foundation, now puts at least a 10% chance on a quantum computer recovering a secp256k1 private key by 2032. That's a short window for migrating a decentralized global protocol.

The Ethereum Foundation launched a post-quantum research hub on March 24, consolidating eight years of work into a phased migration roadmap. More than 10 client teams are running weekly post-quantum interoperability devnets. The target for layer 1 upgrades is 2029, but the Foundation admits that full execution-layer migration will take longer. And critically, upgrading Ethereum's base layer doesn't automatically fix the thousands of smart contracts already deployed on it. Each protocol and bridge needs to independently upgrade and rekey.

Binance founder CZ posted on X that "all crypto has to do is upgrade," which is technically true in the same way that "all you have to do is renovate every building in the city" is technically true. He acknowledged the hard part: debates over which algorithms to adopt, potential forks, and the risk of new bugs in rushed code.

Google has set a 2029 target for its own migration to post-quantum cryptography. The paper points to a few early movers: the QRL blockchain, a first post-quantum transaction on Algorand, and experiments on Solana and XRP Ledger. But these are proofs of concept, not production-ready migrations of networks holding hundreds of billions in value.

What I'm watching

The market reaction has been muted so far, which tells you something about how crypto processes long-term structural risk. Some quantum-resistant tokens jumped 50% on the news, according to CoinDesk, but Bitcoin and Ethereum barely flinched. Charles Edwards of Capriole Investments has argued that quantum concerns already contributed to Bitcoin's slide from $126,000 to $80,000 in late 2025. Whether the market has priced this in or is ignoring it, I genuinely can't tell.

The governance question is the one I keep coming back to. Bitcoin doesn't have an Ethereum Foundation. It has BIP-360, a proposal to replace Taproot's key path with Pay-to-Merkle-Root to reduce elliptic curve exposure. Getting consensus on that, in a community that spent years fighting over block sizes, while a quantum clock ticks in the background? Good luck.

Tags: quantum computing, cryptocurrency, bitcoin, ethereum, Google Quantum AI, post-quantum cryptography, blockchain security, elliptic curve cryptography, secp256k1
Former software engineer turned tech writer, Oliver has spent the last five years tracking the AI landscape. He brings a practitioner's eye to the hype cycles and genuine innovations defining the field, helping readers separate signal from noise.
