Quantum Threat to Bitcoin Just Got More Urgent

Google's Quantum AI team published a whitepaper on Tuesday sharply revising downward the computational resources needed to break Bitcoin's cryptography. The paper, "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations," estimates that a quantum computer with fewer than 500,000 physical qubits could break Bitcoin's 256-bit elliptic curve cryptography, a roughly 20-fold reduction from prior estimates that hovered in the millions.

More precisely, Google's researchers compiled two optimized quantum circuits implementing Shor's algorithm for the elliptic curve discrete logarithm problem (ECDLP-256): one using fewer than 1,200 logical qubits with 90 million Toffoli gates, and another using fewer than 1,450 logical qubits with 70 million Toffoli gates. Both are executable on a superconducting qubit system with standard assumptions about near-future hardware capabilities.

The threat window is real. Google's analysis suggests that once a Bitcoin transaction is broadcast and a private key exposed on-chain, a quantum attacker could derive the private key and hijack the transaction in approximately nine minutes – just shy of Bitcoin's typical 10-minute block confirmation window, giving an attacker roughly a 41% chance of success.

Google released its research using a novel disclosure method: a zero-knowledge proof verifying the quantum circuits exist without revealing implementation details – an unusual approach signaling the firm's assessment of the threat's seriousness.

The Taproot vulnerability

Bitcoin's 2021 Taproot upgrade unwittingly widened the attack surface. Unlike earlier transaction types that concealed public keys, Taproot exposes them by default on the blockchain – a design choice intended to improve privacy and efficiency but which quantum algorithms could exploit. Google's research identified roughly 6.9 million BTC already sitting in addresses where public keys have been exposed, including approximately 1.7 million from Bitcoin's early years.

A simultaneous paper from Caltech and quantum startup Oratomic offers a complementary threat model. Published to the arXiv preprint server, it demonstrates that neutral-atom quantum computers could execute similar attacks with as few as 10,000 physical qubits, or roughly 50 times more efficient than Google's superconducting-qubit estimate. Under the Caltech/Oratomic assumptions, a 26,000-qubit system could break ECC-256 in about ten days, allowing an attacker to systematically derive private keys and drain funds.

No imminent danger, but urgency rising

Google emphasized attacks remain theoretical. Current quantum computers are nowhere near these thresholds. IBM's latest processor contains 1,121 qubits; Google's Willow chip operates at a different scale. The gap between today's hardware and attack-capable systems likely spans years or decades.

Yet the trajectory is unmistakable. Estimated qubit requirements for breaking ECDLP-256 via Shor's algorithm have fallen five orders of magnitude in two decades, from roughly 1 billion qubits in 2012 to 10,000 today. Each optimization compounds the risk horizon.

Unlike traditional cryptosystems that can be patched remotely, Bitcoin's immutability means any migration to post-quantum cryptography requires consensus-driven hard forks and network-wide coordination. Post-quantum schemes already exist – NIST has standardized lattice-based alternatives – but deploying them demands protocol-level changes that take years to implement and test.

Ethereum has moved faster. The Ethereum Foundation published a quantum-resilience roadmap last week with eight years of research, ten client teams running weekly devnets, and a multi-fork migration plan. Bitcoin, by contrast, lacks comparable preparation infrastructure.