The Nine-Minute Window: How Quantum Computing Reshapes the Future of Cryptocurrency Security
A landmark paper published by Google Quantum AI, the Ethereum Foundation, and Stanford in March 2026 has drastically reduced estimates of the quantum resources needed to crack Bitcoin’s cryptography — and the Bitcoin developer community is now responding with the most consequential upgrade proposals in the network’s history.
A Landmark Paper and a Startling Estimate
On March 30, 2026, Google Quantum AI released a 57-page white paper co-authored with researchers from the Ethereum Foundation and Stanford University. The paper, formally titled Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations, presented significantly revised estimates for breaking the 256-bit elliptic curve discrete logarithm problem — the cryptographic foundation underpinning Bitcoin, Ethereum, and virtually every major blockchain.
The central finding was striking: Shor’s algorithm, which can theoretically derive a private key from a public key, could execute using fewer than 1,200 logical qubits and under 90 million Toffoli gates — or alternatively, fewer than 1,450 logical qubits with under 70 million gates. Mapped to real superconducting hardware at current error rates, that translates to fewer than 500,000 physical qubits. This is nearly a 20-fold reduction from prior estimates, which had placed the requirement at around 9 million physical qubits on a photonic architecture.
The team achieved these reductions through three innovations: a “windowed arithmetic” technique that compresses the computational spacetime volume to roughly one-tenth of previous schemes; a “yoke” technique for denser logical qubit storage in surface code grids; and lower error-correction overhead modeled directly on engineering data from Google’s own 2024 Willow chip.
“Attacks will only ever get better.”
— Google Quantum AI et al., arXiv:2603.28846 (March 2026)
The Nine Minutes That Matter
The most consequential element of the paper is not the qubit count — it is the runtime. On a fast-clock superconducting architecture, the researchers calculated total execution at roughly 18 to 23 minutes. But Shor’s algorithm permits a critical optimization: the first half of the computation depends only on the elliptic curve’s public parameters and can be precomputed independently of any specific target. A quantum computer could sit in a “primed” state, and the moment a target’s public key is broadcast to the network, complete the private key derivation in approximately 9 minutes.
Bitcoin’s average block confirmation time is 10 minutes. The paper’s Figure 6 shows that at a 9-minute attack window, an adversary has approximately a 41% probability of completing the key derivation and broadcasting a fraudulent transaction before the victim’s original transaction is confirmed. The paper also notes that an attacker could flood the mempool with high-fee transactions to extend confirmation times, and that parallelizing multiple quantum systems would raise the success probability further still.
Shorter block times offer better protection. The paper calculates attack success rates of under 3% for Litecoin (2.5-minute blocks), under 0.1% for Zcash (75-second blocks), and below 0.0125% for Dogecoin (1-minute blocks). Bitcoin’s 10-minute block interval — originally calibrated to balance network propagation latency against orphan block rates — inadvertently gives quantum attackers the most comfortable window of any major proof-of-work chain.
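The chain-by-chain figures above are what a memoryless block-arrival model predicts. The following added example (not code from the paper) reproduces them under the assumption that the paper's Figure 6 treats block arrival as a Poisson process, so the chance that no block lands during the derivation window is exp(-t/T).

```python
import math

# Block-time assumptions (minutes) for the chains the article compares.
CHAINS = {"Bitcoin": 10.0, "Litecoin": 2.5, "Zcash": 1.25, "Dogecoin": 1.0}


def attack_success_probability(derivation_minutes: float, block_interval_minutes: float) -> float:
    """Probability that the victim's transaction is still unconfirmed when the
    adversary finishes deriving the key. Assumes exponential (memoryless) block
    arrival, which is the standard proof-of-work model."""
    if derivation_minutes < 0 or block_interval_minutes <= 0:
        raise ValueError("derivation time must be >= 0 and block interval > 0")
    return math.exp(-derivation_minutes / block_interval_minutes)


def safe_block_interval(derivation_minutes: float, max_success: float) -> float:
    """Largest block interval (minutes) that keeps attack success <= max_success.
    Inverts the formula above: T = t / -ln(p)."""
    if not 0 < max_success < 1:
        raise ValueError("max_success must lie strictly between 0 and 1")
    return derivation_minutes / -math.log(max_success)


def success_table(derivation_minutes: float = 9.0) -> dict:
    """Success probability per chain for a given key-derivation window."""
    return {name: attack_success_probability(derivation_minutes, t) for name, t in CHAINS.items()}


if __name__ == "__main__":
    for name, p in success_table().items():
        print(f"{name:10s} {p:9.4%}")   # Bitcoin comes out near 41%, matching the paper
```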
Why Ethereum Faces a Different, Potentially Deeper Risk
Bitcoin’s primary defense against “at-rest” quantum attacks is address hashing: standard Bitcoin addresses encode a hash of the public key, keeping the underlying key hidden until a coin is actually spent. This limits most attacks to a race against the clock during active transactions.
Ethereum’s account model provides no equivalent protection. Once an Ethereum address executes any transaction, the public key is permanently inscribed on-chain. The paper describes this as making systematic “at-rest” attacks structurally easier on Ethereum: an adversary with a sufficiently capable quantum computer does not need to race any clock — it can methodically crack any historically active address at leisure.
The paper also identifies what it terms “Admin Vulnerability.” Major stablecoin contracts — specifically naming USDT and USDC — have administrator keys whose public components are already exposed on-chain through prior governance transactions. Cracking those keys would grant an attacker full control over the contracts, including unlimited minting and the ability to freeze arbitrary accounts.
Ethereum’s proof-of-stake consensus layer faces a third exposure vector. Validators use BLS signatures based on the BLS12-381 elliptic curve, which is similarly vulnerable to quantum discrete logarithm attacks. Cracking a majority of validator signing keys — without needing to own the underlying staked ETH — would give an attacker effective consensus control over the chain.
The Exposed Billions: Satoshi’s Coins and Beyond
The paper’s blockchain data analysis identifies approximately 6.7 million BTC currently sitting in quantum-vulnerable addresses. Of these, roughly 2.3 million BTC have not moved in at least five years. A notable subset — approximately 1.7 million BTC — resides in early Pay-to-Public-Key (P2PK) outputs from Bitcoin’s founding era, where public keys were written directly into locking scripts rather than hidden behind a hash. These coins have been publicly exposed since 2009.
Roughly 1.1 million of these BTC are widely attributed to Satoshi Nakamoto and are currently valued at approximately $74 billion. The paper models what it terms a “quantum salvage operation”: a single fast-clock cryptographically relevant quantum computer could process more than 150 dormant addresses per day, potentially sweeping billions of dollars of long-abandoned holdings over a period of months to years.
Responsible Disclosure and the Zero-Knowledge Proof
The research team took an unusual approach to publication. Rather than releasing the optimized quantum circuits — which would constitute a detailed attack blueprint — they published a zero-knowledge proof: a cryptographic verification built using the SP1 zkVM and Groth16 SNARK system that allows any third party to confirm a valid circuit of the claimed scale exists, without being able to view the circuit itself. The proof can be verified on a consumer computer in under a second.
The paper explicitly addresses what the authors describe as a cultural problem in quantum cryptanalysis research: a tendency to publish efficient attack algorithms as scientific achievements while treating their real-world consequences as off-limits for discussion. The team coordinated with the U.S. government prior to publication and engaged security firm Trail of Bits to audit the ZK proof for soundness vulnerabilities. This responsible disclosure model represents a meaningful departure from prior norms in the field.
Bitcoin’s Developer Response: BIP-360 and BIP-361
The Bitcoin development community has moved quickly. On February 11, 2026, BIP-360 was published and merged into Bitcoin’s official proposal repository, introducing Pay-to-Merkle-Root (P2MR) — a new output type that preserves Taproot-style script trees while eliminating the quantum-vulnerable key-path spend. BIP-360 was authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, and entered testnet implementation via BTQ Technologies earlier in 2026.
BIP-360 addresses newly created coins. It does nothing for the existing 6.5 to 6.9 million BTC already in vulnerable addresses.
BIP-361, formally titled “Post Quantum Migration and Legacy Signature Sunset” and co-authored by Jameson Lopp and others, was published on April 14, 2026. It proposes a phased deadline requiring holders of quantum-vulnerable coins to migrate their holdings to quantum-resistant addresses. After the deadline, the network would stop honoring spends from legacy signature types, effectively rendering unmigrated coins unspendable.
The Unmovable Problem
BIP-361’s mechanism works only for coins whose owners are alive and holding valid keys. An estimated 1.7 million BTC in ancient P2PK addresses cannot migrate — their private keys are believed to be permanently lost. If BIP-361 is adopted, these coins would be frozen: inaccessible to any future owner, including any hypothetical quantum adversary.
The proposal’s authors frame the freeze not as confiscation but as protection: “Coins stolen by a quantum computer would devalue every other bitcoin — think of it as theft from everyone.”
As of April 17, 2026, BIP-361 remains a draft with no activation parameters defined. Reception within the Bitcoin developer community has been contentious. Alternative proposals under discussion include rate-limited spending from vulnerable outputs and voluntary migration schemes without mandatory sunset periods.
The Post-Quantum Migration Landscape Across Chains
Post-quantum cryptography (PQC) migration is the recognized long-term solution, but it carries significant engineering costs. NIST-standardized post-quantum signatures such as Falcon and Dilithium are substantially larger than ECDSA: Falcon signatures run approximately 1,280 bytes versus 64–73 bytes for ECDSA. For Bitcoin, adopting PQC would either reduce transaction throughput within existing block size limits or reignite the historically divisive block size debate.
| Network | Current Status | Quantum Exposure | Active Proposals |
|---|---|---|---|
| Bitcoin | BIP-360 in testnet; BIP-361 draft | HIGH — ~34% of supply exposed | P2MR address type, migration sunset |
| Ethereum | PQ research team formed Jan 2026; $2M research prize active | CRITICAL — account model exposes all active wallets | Signature aggregation research, PQ roadmap at pq.ethereum.org |
| Algorand | First Falcon-signed transaction completed in 2025 | LOWER — PQC integration active | Smart contracts can call Falcon verification natively |
| Solana | Winternitz Vaults deployed experimentally | MODERATE | Partnership with Project Eleven (Dec 2025) |
| XRP Ledger | Testing ML-DSA signatures on AlphaNet | MODERATE | NIST-standard post-quantum scheme in evaluation |
| QRL / Abelian | Post-quantum from genesis | MINIMAL | Built on hash-based and lattice-based signatures |
How Much Time Remains?
No cryptographically relevant quantum computer (CRQC) exists today. Roadmaps cited by BIP-361’s authors, drawing on McKinsey and academic research, place a plausible arrival window between 2027 and 2030. Google has publicly committed to completing its own internal migration to post-quantum cryptography by 2029. NIST’s broader transition horizon for industry extends to 2035.
In April 2026, a researcher broke a 15-bit elliptic-curve key using publicly available quantum hardware, claiming a 1 BTC bounty from Project Eleven’s Q-Day Prize — a practical demonstration at tiny scale of the attack class described in the paper.
The Google paper’s own conclusion is measured but urgent: there is likely still time to migrate public blockchains to PQC before a CRQC arrives, but the margin for error is narrowing. For the Bitcoin community specifically, the combination of BIP-360 and BIP-361 represents the first concrete migration framework in the network’s history. Whether the governance process can move fast enough — and whether the community can reach consensus on the fate of dormant coins — may be the defining question for Bitcoin’s next decade.
For individual holders, the practical steps are straightforward: verify whether your coins reside in modern wallet addresses (P2WPKH or P2TR) or older formats with exposed public keys, and follow the post-quantum migration timelines being published by the projects you hold. The technology to protect new coins already exists. The political challenge of protecting the old ones is just beginning.
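A holder checking "modern address or exposed public key" is really classifying the locking script of each unspent output. As an added example (not code from the paper, any BIP, or any wallet), the classifier below recognises the standard Bitcoin scriptPubKey shapes and flags the ones that carry a public key on-chain before any spend: P2PK, and also P2TR, whose x-only output key is exactly what BIP-360's P2MR removes. All sample scripts are constructed with dummy key and hash bytes, not real keys.

```python
from dataclasses import dataclass


@dataclass
class OutputClass:
    kind: str
    key_exposed_at_rest: bool  # public key readable on-chain before any spend
    note: str


def classify_script_pubkey(script_hex: str) -> OutputClass:
    """Classify a Bitcoin scriptPubKey by its byte pattern.
    Hashed types hide the key only until first spend: reusing such an
    address after spending from it exposes the key just like P2PK."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <33|65-byte pubkey> OP_CHECKSIG (0xac); key sits in the script itself
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return OutputClass("P2PK", True, "public key in scriptPubKey since creation")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return OutputClass("P2PKH", False, "hash160 only; key revealed on spend")
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return OutputClass("P2SH", False, "script hash only; contents revealed on spend")
    # P2WPKH: OP_0 <20-byte hash160>
    if n == 22 and s[:2] == b"\x00\x14":
        return OutputClass("P2WPKH", False, "hash160 only; key revealed on spend")
    # P2WSH: OP_0 <32-byte sha256 of witness script>
    if n == 34 and s[:2] == b"\x00\x20":
        return OutputClass("P2WSH", False, "script hash only; contents revealed on spend")
    # P2TR: OP_1 <32-byte x-only output key>; the key-path spend is ECDLP-based
    if n == 34 and s[:2] == b"\x51\x20":
        return OutputClass("P2TR", True, "x-only output key in scriptPubKey")
    return OutputClass("unknown", True, "unrecognised; treat as exposed until reviewed")


def exposed_outputs(scripts: list) -> list:
    """Return the subset of scripts whose public key is already on-chain."""
    return [h for h in scripts if classify_script_pubkey(h).key_exposed_at_rest]


# Constructed samples: dummy 0x11/0xab/0xcd/0xef filler, not real keys or hashes.
SAMPLE_P2PK = "21" + "02" + "11" * 32 + "ac"
SAMPLE_P2PKH = "76a914" + "ab" * 20 + "88ac"
SAMPLE_P2WPKH = "0014" + "cd" * 20
SAMPLE_P2TR = "5120" + "ef" * 32
SAMPLES = [SAMPLE_P2PK, SAMPLE_P2PKH, SAMPLE_P2WPKH, SAMPLE_P2TR]

if __name__ == "__main__":
    for h in SAMPLES:
        c = classify_script_pubkey(h)
        print(f"{c.kind:7s} exposed={c.key_exposed_at_rest!s:5s} {c.note}")
```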
