What Happened
On March 31, 2026, Google's Quantum AI team published a whitepaper titled 'Securing Elliptic Curve Cryptocurrencies against Quantum Attacks.' The paper's central argument is that the computational resources required to break secp256k1 elliptic-curve discrete logarithm cryptography — the signature scheme used by Bitcoin, Ethereum, and most other major blockchains — is materially lower than prior estimates. Previous modeling placed the qubit threshold in the tens of millions. Google now argues it is under 500,000 physical qubits, with two proposed attack circuits requiring approximately 1,200 to 1,450 high-quality logical qubits.
Google did something unusual here: instead of publishing a step-by-step attack recipe, the team used a zero-knowledge proof so independent researchers could verify the resource estimate without getting a working blueprint. That choice is itself a signal. Google took the responsible-disclosure problem seriously enough to engineer around it. That is not what you do for a theoretical threat.
What the '9 Minutes and 41%' Numbers Actually Mean
These numbers are circulating widely in crypto media but require context. They appear in secondary coverage modeling a specific attack scenario: a sufficiently advanced quantum computer, given a public key briefly revealed during a live Bitcoin transaction, might derive the corresponding private key in roughly nine minutes. Bitcoin's average block confirmation time is approximately ten minutes. Under this model, an attacker operating near that speed would successfully intercept a transaction before confirmation about 41% of the time.
That framing is plausible as a scenario estimate, but it is not a finding Google stated directly in the primary whitepaper. It should not be read as evidence that this attack is executable today, or that 41% is a fixed property of Bitcoin's security model. What Google did establish directly is the hardware threshold reduction. The scenario modeling extrapolates from that. The appropriate takeaway is: if the hardware estimate is broadly correct, Bitcoin's 10-minute confirmation window may eventually provide insufficient time separation between broadcast and confirmation to protect against a quantum-equipped adversary who already has a public key.
The Taproot Problem and Which Coins Are Most Exposed
Bitcoin's Taproot upgrade, activated in November 2021, improved transaction efficiency and enabled more sophisticated smart contract functionality. It did so partly by adopting Schnorr signatures that expose public keys directly on-chain by default. Older Pay-to-Public-Key-Hash (P2PKH) address formats hashed the public key first, providing one additional layer between an attacker and the data needed to run a quantum attack. Taproot removed that layer for wallets using the new format.
Google's paper identifies this as a meaningful exposure expansion. Current estimates place approximately 6.9 million BTC in addresses where the public key is already visible on-chain. Roughly 1.7 million of those are in early P2PK format from Bitcoin's first years, many believed inaccessible due to lost keys. The remainder includes Taproot addresses and heavily reused addresses across all formats. For context, earlier estimates from CoinShares placed the quantum-vulnerable supply at around 10,200 BTC. Google's figure is orders of magnitude larger. The difference comes from the broader definition of exposure: not just P2PK legacy coins, but any wallet where a public key has appeared on-chain at any point.
Bitcoin Has No Migration Plan. Ethereum Does.
Google's internal deadline for migrating its own authentication infrastructure to post-quantum cryptography is 2029. That is three years. The Ethereum Foundation has been building toward a post-quantum migration since 2018, with a roadmap spanning four hard forks, weekly devnets under the PQ Interop program, and coordinated teams across cryptography, protocol architecture, and client development. BIP-360 exists as a Bitcoin post-quantum proposal, but it has no agreed activation timeline, no coordinated engineering program, and no multi-team development effort comparable to what Ethereum has built. Nic Carter, a prominent Bitcoin advocate and co-founder of Castle Island Ventures, publicly acknowledged this gap this week.
The asymmetry reflects Bitcoin's governance model. Taproot, the last major cryptographic upgrade, took years of discussion before activation. A post-quantum migration would require changes to Bitcoin's signature scheme at the protocol level, touching every wallet format, every transaction type, and every client implementation. There is no central authority to set a deadline. There is no foundation with a dedicated engineering budget for this work. Whether Bitcoin's decentralized governance can coordinate a migration on a three-year timeline is an open and unresolved question.
What This Means for You
The practical action items available today are not about selling Bitcoin. They are about address hygiene and understanding your exposure. Do not reuse addresses. A fresh address for every receive means your public key is never exposed on-chain until you spend from that address. Once you spend, the public key is briefly visible — that is the window Google's scenario models. After confirmation the exposure closes, but the public key is permanently on-chain. Minimizing reuse minimizes the number of your addresses that could be targeted in a future quantum environment.
Understand your address type. P2PKH addresses (starting with 1) and P2SH addresses (starting with 3) hash the public key by default until you spend. Native SegWit (bc1q) addresses hash the public key as well. Taproot addresses (bc1p) expose it directly. This does not mean Taproot addresses are dangerous today — there is no quantum computer capable of this attack. It means that in a post-quantum environment, coins in Taproot addresses with reused or previously spent keys carry higher structural exposure. The Trezor Safe 7 on the Kit page specifically uses post-quantum cryptography for firmware verification, which is a different layer — it protects the device, not the on-chain address format. On-chain post-quantum protection requires a protocol-level change that has not yet been specified or scheduled for Bitcoin.
What to Watch
Watch for developer response, not price. The real signal is whether BIP-360 or an equivalent post-quantum signature proposal gets serious traction and a development timeline. Google's own 2029 deadline is the clearest external benchmark: the people who built this research are migrating their own infrastructure by then. If you want one number to track, watch quantum hardware error correction rates — that is the technical hurdle separating the theoretical attack from the operational one.