A new paper from Google Quantum AI has compressed the estimated hardware requirements for breaking elliptic-curve cryptography – the signature scheme underpinning Bitcoin and crypto transactions – by roughly 20-fold, moving a long-running theoretical threat measurably closer to an engineering problem.
The research, co-authored by Google researchers, Ethereum Foundation researcher Justin Drake, and Stanford cryptographer Dan Boneh, revises the physical qubit threshold downward from prior estimates exceeding 10 million to fewer than 500,000, a compression that forces institutional risk models to treat Q-Day as a medium-term rather than generational concern. At current market prices, the assets directly exposed to the cryptographic assumption at issue exceed $600 billion across Bitcoin, Ethereum, and stablecoins.
EXPLORE: Google Warns of Coruna iPhone Exploit Targeting Crypto
Shor’s Algorithm Efficiency: What the 20x Qubit Compression Actually Represents
The operative mechanism here is Shor’s algorithm applied to the 256-bit elliptic curve discrete logarithm problem – the mathematical foundation of ECDSA (Elliptic Curve Digital Signature Algorithm), which Bitcoin and Ethereum use to authorize transactions by proving private key ownership without revealing the key itself.
A sufficiently capable quantum computer running Shor’s algorithm could, in principle, derive a private key from an exposed public key, allowing an attacker to sign transactions and drain funds without authorization.
Prior estimates, drawn from analyses between 2017 and 2023, projected that executing this attack would require machines on the order of millions of physical qubits – hardware so distant from current capability that the threat horizon sat comfortably in the 2040s under most institutional models.
The Google Quantum AI whitepaper, published March 30, 2026, revises that threshold sharply: Shor’s algorithm for the same problem can now be executed with no more than 1,200 logical qubits and 90 million Toffoli gates – or alternatively 1,450 logical qubits and 70 million Toffoli gates – on a superconducting, cryptographically relevant quantum computer (CRQC) with fewer than 500,000 physical qubits, completing the attack in minutes from a primed state.
The distinction between logical and physical qubits matters: physical qubits are noisy and require error-correction overhead, meaning many physical qubits are needed to sustain one reliable logical qubit. The 20x compression reflects advances in error-correction efficiency and gate optimization – not a new algorithmic breakthrough, but a tighter engineering implementation of a known approach. Google does not claim such a machine exists today. The paper’s significance is in recalibrating what the hardware target looks like, not in announcing it has been reached.
DISCOVER: Meme coin supercycle: Top performers this week
Bitcoin Crypto Address Exposure: Which Outputs Are Vulnerable to Quantum and How Much BTC Is at Risk
Bitcoin’s cryptographic exposure is not uniform across all address types. The highest-risk category is pay-to-public-key (P2PK) outputs – legacy address formats, prevalent in early Bitcoin blocks, including Satoshi-era coinbase outputs, where the full public key is written directly into the blockchain and permanently visible.
A quantum attacker with a functional CRQC could target these addresses without needing to observe a live transaction, since the public key is already on-chain.
A secondary category involves address reuse in pay-to-public-key-hash (P2PKH) outputs: once a user spends from a P2PKH address, the public key is revealed in the transaction, creating a window – however narrow – during which a CRQC could theoretically derive the private key before the transaction confirms.
Approximately 6.7 million Bitcoin addresses currently carry exposed public keys through one of these two mechanisms, representing a material share of the circulating supply. Whether any of those addresses belong to sophisticated institutional holders is unknown publicly, but the concentration of early-mined Bitcoin in P2PK outputs means the aggregate BTC-at-risk figure is not trivial.
The Bitcoin protocol has no active post-quantum upgrade path at the consensus level. Discussions around quantum-resistant signature schemes – including lattice-based alternatives being standardized by NIST – exist in developer forums, but no Bitcoin Improvement Proposal has reached consensus-stage consideration for a post-quantum migration.
The compressed timeline Google has published changes the urgency calculus for that discussion, even if the engineering problem of migrating a UTXO set of this scale remains formidable.
EXPLORE: Crypto breakout alerts this week
next
Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.
Daniel Frances is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. A crypto native since 2017, Daniel leverages his background in on-chain analytics to author evidence-based reports and deep-dive guides. He holds certifications from The Blockchain Council, and is dedicated to providing “information gain” that cuts through market hype to find real-world blockchain utility.
Source: https://www.coinspeaker.com/google-quantum-timeline-bitcoin-ethereum-security/
