OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Intel· Quantum series· Mar 31, 2026· 5 min read

Google Cut the Estimated Qubit Threshold for Breaking Bitcoin by 20x

On March 31, Google's Quantum AI team published a whitepaper arguing that breaking elliptic-curve cryptography — the signature scheme securing Bitcoin — may require far fewer quantum resources than prior estimates. The headline number of fewer than 500,000 physical qubits is a 20x reduction from what was previously modeled. The '9-minute attack with 41% success rate' framing circulating in crypto media is a scenario estimate from secondary coverage, not Google's primary claim. What Google actually established is more significant and more durable: the hardware bar is materially lower than the industry assumed, and the case for post-quantum migration planning is now more urgent.

Key takeaways

  1. Google's March 31 whitepaper 'Securing Elliptic Curve Cryptocurrencies against Quantum Attacks' argues the qubit requirement for attacking secp256k1-based elliptic-curve cryptography (the signature scheme Bitcoin uses) is under 500,000 physical qubits, versus prior estimates in the tens of millions. That is roughly a 20x reduction in the estimated hardware threshold
  2. The paper models two attack circuits requiring approximately 1,200-1,450 logical qubits. Google used a zero-knowledge proof to let others verify the resource estimate without publishing a full attack methodology, specifically to avoid handing a blueprint to adversaries
  3. The '9-minute attack with 41% success rate' framing is a secondary-source scenario estimate, not a direct quote from Google's whitepaper. It models what a sufficiently advanced quantum system could theoretically accomplish within Bitcoin's 10-minute confirmation window given a briefly exposed public key. It is a calibrated warning, not evidence of an operational capability that exists today
  4. Bitcoin's 2021 Taproot upgrade is identified as a compounding factor. Taproot exposes public keys on-chain by default, removing the hash-first protection that older P2PKH address formats provide. Roughly 6.9 million BTC now has exposed public keys, including approximately 1.7 million in early P2PK addresses, many believed inaccessible due to lost keys
  5. Bitcoin has no coordinated post-quantum migration plan. Ethereum has had one in development for eight years with weekly devnets, four mapped fork milestones, and a dedicated engineering coalition. Google has set a 2029 internal deadline for migrating its own authentication to post-quantum cryptography. BIP-360 exists as a Bitcoin post-quantum proposal but has no agreed timeline or coordinated development effort

What Happened

On March 31, 2026, Google's Quantum AI team published a whitepaper titled 'Securing Elliptic Curve Cryptocurrencies against Quantum Attacks.' The paper's central argument is that the computational resources required to break secp256k1 elliptic-curve discrete logarithm cryptography — the signature scheme used by Bitcoin, Ethereum, and most other major blockchains — is materially lower than prior estimates. Previous modeling placed the qubit threshold in the tens of millions. Google now argues it is under 500,000 physical qubits, with two proposed attack circuits requiring approximately 1,200 to 1,450 high-quality logical qubits.

Google did something unusual here: instead of publishing a step-by-step attack recipe, the team used a zero-knowledge proof so independent researchers could verify the resource estimate without getting a working blueprint. That choice is itself a signal. Google took the responsible-disclosure problem seriously enough to engineer around it. That is not what you do for a theoretical threat.

What the '9 Minutes and 41%' Numbers Actually Mean

These numbers are circulating widely in crypto media but require context. They appear in secondary coverage modeling a specific attack scenario: a sufficiently advanced quantum computer, given a public key briefly revealed during a live Bitcoin transaction, might derive the corresponding private key in roughly nine minutes. Bitcoin's average block confirmation time is approximately ten minutes. Under this model, an attacker operating near that speed would successfully intercept a transaction before confirmation about 41% of the time.

That framing is plausible as a scenario estimate, but it is not a finding Google stated directly in the primary whitepaper. It should not be read as evidence that this attack is executable today, or that 41% is a fixed property of Bitcoin's security model. What Google did establish directly is the hardware threshold reduction. The scenario modeling extrapolates from that. The appropriate takeaway is: if the hardware estimate is broadly correct, Bitcoin's 10-minute confirmation window may eventually provide insufficient time separation between broadcast and confirmation to protect against a quantum-equipped adversary who already has a public key.

The Taproot Problem and Which Coins Are Most Exposed

Bitcoin's Taproot upgrade, activated in November 2021, improved transaction efficiency and enabled more sophisticated smart contract functionality. It did so partly by adopting Schnorr signatures that expose public keys directly on-chain by default. Older Pay-to-Public-Key-Hash (P2PKH) address formats hashed the public key first, providing one additional layer between an attacker and the data needed to run a quantum attack. Taproot removed that layer for wallets using the new format.

Google's paper identifies this as a meaningful exposure expansion. Current estimates place approximately 6.9 million BTC in addresses where the public key is already visible on-chain. Roughly 1.7 million of those are in early P2PK format from Bitcoin's first years, many believed inaccessible due to lost keys. The remainder includes Taproot addresses and heavily reused addresses across all formats. For context, earlier estimates from CoinShares placed the quantum-vulnerable supply at around 10,200 BTC. Google's figure is orders of magnitude larger. The difference comes from the broader definition of exposure: not just P2PK legacy coins, but any wallet where a public key has appeared on-chain at any point.

Bitcoin Has No Migration Plan. Ethereum Does.

Google's internal deadline for migrating its own authentication infrastructure to post-quantum cryptography is 2029. That is three years. The Ethereum Foundation has been building toward a post-quantum migration since 2018, with a roadmap spanning four hard forks, weekly devnets under the PQ Interop program, and coordinated teams across cryptography, protocol architecture, and client development. BIP-360 exists as a Bitcoin post-quantum proposal, but it has no agreed activation timeline, no coordinated engineering program, and no multi-team development effort comparable to what Ethereum has built. Nic Carter, a prominent Bitcoin advocate and co-founder of Castle Island Ventures, publicly acknowledged this gap this week.

The asymmetry reflects Bitcoin's governance model. Taproot, the last major cryptographic upgrade, took years of discussion before activation. A post-quantum migration would require changes to Bitcoin's signature scheme at the protocol level, touching every wallet format, every transaction type, and every client implementation. There is no central authority to set a deadline. There is no foundation with a dedicated engineering budget for this work. Whether Bitcoin's decentralized governance can coordinate a migration on a three-year timeline is an open and unresolved question.

What This Means for You

The practical action items available today are not about selling Bitcoin. They are about address hygiene and understanding your exposure. Do not reuse addresses. A fresh address for every receive means your public key is never exposed on-chain until you spend from that address. Once you spend, the public key is briefly visible — that is the window Google's scenario models. After confirmation the exposure closes, but the public key is permanently on-chain. Minimizing reuse minimizes the number of your addresses that could be targeted in a future quantum environment.

Understand your address type. P2PKH addresses (starting with 1) and P2SH addresses (starting with 3) hash the public key by default until you spend. Native SegWit (bc1q) addresses hash the public key as well. Taproot addresses (bc1p) expose it directly. This does not mean Taproot addresses are dangerous today — there is no quantum computer capable of this attack. It means that in a post-quantum environment, coins in Taproot addresses with reused or previously spent keys carry higher structural exposure. The Trezor Safe 7 on the Kit page specifically uses post-quantum cryptography for firmware verification, which is a different layer — it protects the device, not the on-chain address format. On-chain post-quantum protection requires a protocol-level change that has not yet been specified or scheduled for Bitcoin.

What to Watch

Watch for developer response, not price. The real signal is whether BIP-360 or an equivalent post-quantum signature proposal gets serious traction and a development timeline. Google's own 2029 deadline is the clearest external benchmark: the people who built this research are migrating their own infrastructure by then. If you want one number to track, watch quantum hardware error correction rates — that is the technical hurdle separating the theoretical attack from the operational one.

The hardware bar just dropped by 20x. Bitcoin has no migration plan. You have three years to care about your address hygiene.

Sources

  1. [1]Google Quantum AI — 'Securing Elliptic Curve Cryptocurrencies against Quantum Attacks', whitepaper, March 31, 2026
  2. [2]CoinDesk — 'Bitcoin's Taproot Could Make Quantum Attacks Easier Than Expected, New Google Research Says', March 31, 2026
  3. [3]CoinDesk — 'Watch Out Bitcoin Devs. Google Says Post-Quantum Migration Needs to Happen by 2029', March 28, 2026
  4. [4]Spendnode — 'Google Says Quantum Could Break Bitcoin With Fewer Qubits Than Expected, and Taproot Is Part of the Problem', March 31, 2026
  5. [5]CryptoNews.net — 'Google Warns Bitcoin Encryption Could Break with Fewer Quantum Resources than Expected', March 31, 2026
  6. [6]CoinShares — prior estimate of 10,200 BTC in quantum-vulnerable legacy address types, referenced for comparison
  7. [7]Ethereum Foundation — pq.ethereum.org, PQ Interop devnet documentation and post-quantum roadmap
  8. [8]BIP-360 — Bitcoin post-quantum signature proposal, status: draft, no activation timeline
Quantum series · Part 1 of 9
Next part →
Four Bitcoin Proposals for Surviving a Quantum Attack

More in Quantum

Trump Executive Order Moves Federal PQC Deadline to 2031Project Eleven's 15-Bit Quantum Bounty, Reproduced in 20 Python LinesPostquant Labs Shipped Quantum Protection Without a Bitcoin Soft Fork