Google’s Quantum AI team published research on March 30, 2026 indicating that breaking Bitcoin and Ethereum’s elliptic curve cryptography may require fewer than 500,000 physical qubits and approximately 1,200 to 1,450 high-quality logical qubits, significantly lower than previous estimates in the millions.
The paper warns that real-time quantum attacks could hijack Bitcoin transactions in approximately nine minutes, potentially beating confirmation about 41% of the time, and notes that Bitcoin’s Taproot upgrade, which makes public keys visible by default, has widened the pool of vulnerable wallets to an estimated 6.9 million bitcoin.
Quantum Resource Estimates Show 20-Fold Reduction in Required Qubits
Google researchers compiled two quantum circuits implementing Shor’s algorithm for the 256-bit elliptic curve discrete logarithm problem (ECDLP-256), which forms the cryptographic foundation for Bitcoin, Ethereum, and many other blockchain networks. One circuit uses fewer than 1,200 logical qubits and 90 million Toffoli gates, while a second uses fewer than 1,450 logical qubits and 70 million Toffoli gates.
The researchers estimate these circuits could be executed on a superconducting qubit cryptographically relevant quantum computer (CRQC) with fewer than 500,000 physical qubits within a few minutes, assuming hardware capabilities consistent with some of Google’s flagship quantum processors. The finding represents an approximately 20-fold reduction in the number of physical qubits required to solve ECDLP-256 compared to earlier estimates, continuing a trend of gradual optimization in compiling quantum algorithms to fault-tolerant circuits.
Google has previously pointed to 2029 as a potential milestone for useful quantum systems, and the updated resource estimates suggest the gap between current technology and a viable attack may be smaller than previously assumed. The company has been leading efforts toward post-quantum cryptography migration since 2016.
Real-Time Transaction Attacks Could Beat Confirmation 41% of the Time
The research outlines two potential attack methods targeting in-flight Bitcoin transactions. When a Bitcoin transaction is broadcast, the sender’s public key is briefly revealed before the transaction is confirmed. A sufficiently fast quantum computer could calculate the corresponding private key from that public key and redirect the funds before the original transaction settles.
Under Google’s model, a quantum system could prepare part of the calculation in advance, then complete the attack in approximately nine minutes once a transaction appears on the network. Bitcoin transactions typically take around 10 minutes to confirm, giving an attacker roughly a 41% probability of successfully redirecting funds before the original transfer is finalized.
Ethereum may be less exposed to this specific risk because its faster block times leave less time for an attack. However, both networks rely on the same elliptic curve cryptography foundation and would require post-quantum migration to remain secure against future quantum threats.
Taproot Upgrade Exposes More Wallets to Potential Quantum Attack
The paper estimates that approximately 6.9 million bitcoin, roughly one-third of the total supply, already sit in wallets where the public key has been exposed in some way. This includes approximately 1.7 million bitcoin from the network’s early years, funds affected by address reuse, and bitcoin held in wallets using the Taproot address format introduced in 2021.
Taproot, Bitcoin’s 2021 upgrade designed to improve privacy and efficiency, made public keys visible on the blockchain by default, removing a layer of protection used in older address formats. Google’s researchers state that this design choice could expand the number of wallets vulnerable to future quantum attacks, as exposed public keys eliminate the need for attackers to break the hash function protecting legacy addresses.
The findings contrast with recent estimates from CoinShares, which argued that only about 10,200 bitcoin are concentrated enough to significantly move markets if stolen. Google’s analysis suggests the pool of at-risk bitcoin is substantially larger.
Google Discloses Vulnerabilities Using Zero-Knowledge Proof to Avoid Attack Roadmaps
Google developed a new method to disclose quantum vulnerability research without providing a roadmap for bad actors. Rather than releasing step-by-step details of how to break cryptographic systems, the team used a zero-knowledge proof to demonstrate that their findings are accurate without exposing the underlying method. This allows third parties to verify the results while limiting the risk the research could be misused.
The company engaged with the US government in developing this disclosure approach and urged other research teams to adopt similar practices. Google noted that the disclosure of security vulnerabilities in blockchain technologies is complicated by the fact that cryptocurrencies derive value both from digital security and public confidence, and unscientific resource estimates can themselves represent an attack through fear, uncertainty, and doubt.
The research was conducted in collaboration with the Stanford Institute for Blockchain Research, the Ethereum Foundation, and Coinbase, as part of broader industry efforts to transition to post-quantum cryptography.
Recommendations for Post-Quantum Cryptography Migration
Google’s paper provides recommendations for the cryptocurrency community to improve security and stability before quantum attacks become viable. The primary recommendation is transitioning blockchains to post-quantum cryptography, which is resistant to quantum attacks and represents a well-understood path to post-quantum blockchain security.
Additional recommendations include refraining from exposing or reusing vulnerable wallet addresses, accelerating the adoption of address formats that do not reveal public keys until funds are spent, and considering policy options to address abandoned cryptocurrency that may become vulnerable.
The researchers noted that while viable post-quantum solutions exist, they will take time to implement across decentralized networks, bringing increasing urgency to act. Google’s 2029 timeline for useful quantum systems represents a target for migration rather than an imminent threat, but the updated resource estimates suggest the planning horizon may be shorter than previously understood.
FAQ
How many qubits would be needed to break Bitcoin’s cryptography?
Google researchers estimate that breaking the elliptic curve cryptography used by Bitcoin and Ethereum would require fewer than 500,000 physical qubits and approximately 1,200 to 1,450 high-quality logical qubits. This represents a 20-fold reduction from previous estimates that ranged into the millions.
How does Bitcoin’s Taproot upgrade affect quantum vulnerability?
Taproot, Bitcoin’s 2021 upgrade, makes public keys visible on the blockchain by default, removing a layer of protection used in older address formats. Google estimates this has widened the pool of vulnerable wallets to approximately 6.9 million bitcoin, including about 1.7 million bitcoin from the network’s early years.
How would a real-time quantum attack on Bitcoin work?
An attacker could target transactions in flight, using the public key revealed during broadcast to calculate the corresponding private key with a sufficiently fast quantum computer. Under Google’s model, an attack could be completed in about nine minutes, potentially beating the 10-minute confirmation window approximately 41% of the time.
