Google’s Quantum AI team with co-authors from Stanford and the Ethereum Foundation published a Quantum Security Report. It analyzes the resources needed for a cryptographically relevant quantum computer (CRQC) to break elliptic curve cryptography specifically ECDSA and Schnorr signatures used in Bitcoin and Ethereum.
Breaking the 256-bit elliptic curve discrete logarithm problem (the core of Bitcoin’s signatures) could require fewer than 500,000 physical qubits on a superconducting quantum computer — roughly 20 times fewer than many prior estimates which often cited millions of qubits.
For a real-time on-spend or mempool attack: Once a transaction broadcasts and exposes the public key which happens during spending, a pre-primed quantum computer could derive the private key in about 9 minutes or 12 minutes in some scenarios. Bitcoin’s average block time is ~10 minutes, so this creates a narrow window where an attacker might steal funds before confirmation estimated ~41% success rate in their model with one machine; higher with parallelism.
This is not about cracking the blockchain’s hash functions (SHA-256 is more resistant via Grover’s algorithm) or stealing coins from dormant, unspent addresses without an exposed public key. The main vulnerability is when public keys are revealed — e.g., in legacy Pay-to-PubKey addresses, reused addresses, or certain Taproot spends.
Register for Tekedia Mini-MBA edition 20 (June 8 – Sept 5, 2026).
Register for Tekedia AI in Business Masterclass.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register for Tekedia AI Lab.
Google also recently accelerated its own internal deadline for migrating systems to post-quantum cryptography (PQC) to 2029, citing faster progress in quantum hardware, error correction, and resource estimates. This is a theoretical analysis based on improved modeling of Shor’s algorithm implementations, error rates, and hardware assumptions.
No such quantum computer exists today: Current quantum machines are in the low thousands of noisy qubits. Fault-tolerant, large-scale systems with hundreds of thousands of high-quality qubits are still years away — estimates for Q-Day vary widely, but Google’s paper and timeline suggest the 2030s as a plausible risk horizon, not tomorrow.
The 9-minute figure assumes a machine already primed with partial pre-computation and ideal conditions. Real-world error correction, decoherence, and overhead would likely make it slower and more resource-intensive. Not all Bitcoin is equally at risk. Coins in addresses that have never spent are safer until spent.
Roughly 1/3 of BTC supply ~6.9 million coins may have exposed public keys or use vulnerable patterns, per various analyses. Taproot (Schnorr) can sometimes expose keys more readily in certain cases. Bitcoin’s core hash-based security holds up better against quantum than many other systems. The bigger near-term quantum risk to the world is harvest now, decrypt later attacks on stored encrypted data.
What This Means for Bitcoin and Crypto
The community has discussed quantum threats for years — this paper lowers the estimated difficulty and tightens the timeline, serving as a strong reminder for proactive upgrades rather than panic. Bitcoin is designed to evolve via soft forks; solutions include: Migrating to post-quantum signature schemes (NIST has standardized several PQC algorithms).
Best practices today: Avoid address reuse, move funds from legacy exposed addresses to new quantum-resistant ones when feasible. Ethereum has been planning PQC transitions for longer; Bitcoin developers and researchers are now getting louder calls to prioritize it.
Experts emphasize this is a long-term engineering challenge, not an imminent collapse. Similar warnings have circulated before without breaking crypto. That said, ignoring it would be reckless — the paper explicitly urges responsible disclosure and migration to safeguard cryptocurrency.
It’s a serious wake-up call that accelerates planning, but Bitcoin isn’t cracked yet. The protocol has survived many predicted deaths through upgrades. If you’re holding BTC, the practical advice remains timeless: Use fresh addresses, secure your keys, and watch for network proposals on quantum readiness.