1. The Headline That Rattled the Crypto World
On March 31, 2026, Google's Quantum AI team published a whitepaper with a finding that rippled immediately through the cryptocurrency industry: a future quantum computer could, in theory, derive a bitcoin private key from its corresponding public key in approximately nine minutes. Bitcoin's average block confirmation time is around ten minutes. That one-minute margin — separating a completed attack from a confirmed transaction — was enough to send researchers, developers, and investors scrambling to understand what the paper actually said, and what it meant for the security of the world's largest cryptocurrency.
The nine-minute figure dominated social media and financial news coverage, frequently stripped of its technical context in ways that amplified alarm beyond what the underlying research supports. The reality, as with most quantum computing research, is considerably more layered. The threat is real, meaningful, and closer than it appeared even a year ago — but the conditions under which a nine-minute key-cracking attack could actually occur are far from being met, and the paper's authors explicitly state that quantum attacks are not yet imminent.
2. The Cryptographic Foundation Being Challenged
To understand what Google's research actually threatens, it is necessary to understand what it targets. Bitcoin and Ethereum both rely on 256-bit elliptic curve digital signatures — specifically the secp256k1 curve for Bitcoin — to prove wallet ownership and authorize transactions. When a user wants to send bitcoin, they produce a digital signature using their private key. The network can verify that signature using the corresponding public key without ever needing to know the private key. The mathematical relationship between the two is asymmetric: generating a public key from a private key is trivially fast, while deriving a private key from a public key is, for classical computers, computationally infeasible.
The underlying hardness assumption is known as the elliptic curve discrete logarithm problem, or ECDLP. Classical computers cannot solve it efficiently because the best known algorithms require exponential time as the key length increases. Quantum computers running an algorithm called Shor's algorithm can, in principle, solve the problem in polynomial time — meaning the computational cost grows far more slowly with key length, eventually making the problem tractable given sufficient quantum hardware. Google's paper addresses how much quantum hardware would actually be required.
3. The Qubit Reduction That Changes the Calculus
Previous estimates of the quantum resources required to break bitcoin's cryptography had placed the threshold in the range of millions of physical qubits — a scale that felt distant given that today's most advanced quantum computers operate in the range of hundreds to a few thousand qubits. Google's paper reduces that estimate by approximately twentyfold, to fewer than 500,000 physical qubits, for a system capable of running the relevant computation.
Separately, researchers from Caltech and quantum hardware startup Oratomic published a closely related paper suggesting that with a neutral-atom quantum architecture — where laser-controlled atoms serve as the qubit medium — the threshold could fall as low as 10,000 physical qubits for a ten-day attack on the same 256-bit elliptic curve system, or around 26,000 qubits in a more conservative model. The Oratomic authors have commercial interests in the neutral-atom approach, which requires those findings to be weighed with appropriate skepticism. The directional message from both papers, however, is consistent: the resource requirements for a cryptographically relevant quantum attack are declining faster than the field had generally anticipated, and the timeline to a genuinely capable machine may be closer to the early 2030s than the mid-2030s or beyond.
4. Two Distinct Types of Attack Risk
Google's paper identifies two separate categories of quantum threat to bitcoin, and conflating them produces significant misunderstanding of the actual risk profile.
The first is the real-time transaction attack, which is the basis for the nine-minute headline figure. When a bitcoin user broadcasts a transaction to the network, they expose their public key for a brief window before the transaction is confirmed and included in a block. During that window — typically around ten minutes under normal network conditions — a sufficiently fast quantum computer could, in theory, derive the private key from the exposed public key, construct a competing transaction with a higher fee, broadcast it to the network, and have it confirmed ahead of the original. Under Google's model, the preparation phase of the computation can be performed in advance, with only the final approximately nine-minute segment needed once the target transaction appears in the mempool. That gives the attacker roughly a 41% chance of beating confirmation on any given transaction, based on the statistical distribution of block confirmation times.
The second and arguably more significant threat is the at-rest attack against wallets where the public key has already been permanently exposed. Unlike the real-time attack — which requires the quantum computer to race against a confirmation clock — the at-rest attack has no time pressure. A quantum computer that becomes available at any point in the future can target these wallets at leisure, with no race against the blockchain.
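The 41% figure is consistent with modeling block discovery as a memoryless (Poisson) process with a ten-minute mean, under which the chance that no block arrives during a nine-minute computation is e^(-9/10). The following is an added example, not code from Google's paper; the model, the function names and the simulated timeline are assumptions made here.

```python
import bisect
import math
import random

MEAN_BLOCK_MIN = 10.0  # average block interval quoted in the article
ONLINE_PHASE_MIN = 9.0  # final segment of the key derivation, per the article


def p_still_unconfirmed(attack_min, mean_block_min=MEAN_BLOCK_MIN):
    """Closed form: probability that no block is found within attack_min."""
    return math.exp(-attack_min / mean_block_min)


def simulate(attack_min, blocks=200_000, trials=200_000, seed=1):
    """Monte Carlo check on a constructed block timeline.

    Transactions are broadcast at uniformly random moments, not right after
    a block, to show that the result does not depend on how long ago the
    previous block was found (the memoryless property).
    """
    rng = random.Random(seed)
    now, arrivals = 0.0, []
    for _ in range(blocks):
        now += rng.expovariate(1.0 / MEAN_BLOCK_MIN)
        arrivals.append(now)
    still_open = 0
    for _ in range(trials):
        sent = rng.random() * arrivals[-1]  # a moment before the last block
        next_block = arrivals[bisect.bisect_right(arrivals, sent)]
        if next_block - sent > attack_min:
            still_open += 1
    return still_open / trials


if __name__ == "__main__":
    for minutes in (1, 3, ONLINE_PHASE_MIN, 20):
        print(f"{minutes:>4} min: closed form {p_still_unconfirmed(minutes):.3f}, "
              f"simulated {simulate(minutes):.3f}")
```

Shortening the online phase raises the probability toward 1, which is why the at-rest case, with no clock at all, is treated separately.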
5. The 6.9 Million Bitcoin Already Exposed
The at-rest attack vector applies to any wallet where the public key has been revealed on-chain and the funds have not since been moved to a fresh address. Google's paper estimates that approximately 6.9 million bitcoin — roughly one-third of the total circulating supply — currently sit in wallets meeting this criterion. The exposed category includes approximately 1.7 million bitcoin from the network's earliest years, when the original pay-to-public-key transaction format was used and public keys were embedded directly in transaction outputs rather than being derivable only at the moment of spending. It also includes funds in addresses whose public keys were revealed through normal transaction activity and were subsequently reused rather than rotated to new addresses.
This figure is notably higher than recent estimates from other analysts, who had placed the concentration of easily actionable vulnerable bitcoin at around 10,200 coins. The discrepancy reflects differing assumptions about what constitutes meaningful exposure, but the order-of-magnitude difference underscores how much uncertainty remains in these assessments. If the higher figure is closer to correct, the potential market impact of a quantum attack on at-rest wallets would be substantial — a sudden influx of roughly $460 billion in bitcoin at current prices onto the market would be deeply destabilizing.
6. How Bitcoin's Taproot Upgrade Complicated the Picture
One of the more counterintuitive findings in Google's paper involves Bitcoin's Taproot upgrade, which was activated in November 2021 and introduced several improvements to transaction efficiency, script flexibility, and privacy. Taproot's technical design makes public keys visible by default for a common transaction type, in contrast to older address formats that keep the underlying public key hidden until the spending transaction is broadcast.
The intended design trade-off was reasonable: Taproot's efficiency and privacy benefits were considered to outweigh the marginal additional exposure during the transaction window, given the prevailing assumption that practical quantum computers capable of exploiting that window were decades away. Google's revised qubit estimates and shorter attack timeline change that calculation. By making public keys more visible as a standard part of Taproot's operation, the upgrade inadvertently expanded the pool of wallets vulnerable to the real-time attack vector. The paper explicitly flags this as a reason to accelerate post-quantum migration efforts, even as it acknowledges that the immediate threat remains theoretical.
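A wallet-side audit of the exposure classes described in sections 5 and 6, as an added example that is not from Google's paper: it matches an output's locking script against the standard Bitcoin script templates and reports whether the public key is already on-chain. The function names, the `address_spent_before` flag and the placeholder byte strings are constructed for illustration.

```python
AT_REST = "public key already on-chain (at-rest exposure)"
ON_SPEND = "public key hidden until a spend is broadcast"


def script_type(spk: bytes) -> str:
    """Match a locking script against the standard Bitcoin output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"      # <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"     # hash of the key only
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh"      # hash of a script
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # SegWit v0 key hash
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"     # SegWit v0 script hash
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # SegWit v1: 32-byte output key in the clear
    return "unknown"


def exposure(spk_hex, address_spent_before=False):
    """Return (script type, exposure class) for one unspent output."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind in ("p2pk", "p2tr"):
        return kind, AT_REST
    if kind == "unknown":
        return kind, "non-standard script, review manually"
    # Hashed templates reveal the key (or script) in the first spend, so a
    # reused address is exposed for every coin it still holds.
    return kind, AT_REST if address_spent_before else ON_SPEND


# Constructed placeholder scripts: correct lengths and opcodes, dummy key bytes.
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", False),   # early pay-to-public-key
    ("76a914" + "33" * 20 + "88ac", False),    # P2PKH, never spent from
    ("76a914" + "33" * 20 + "88ac", True),     # same address, reused
    ("0014" + "44" * 20, False),               # P2WPKH, never spent from
    ("5120" + "22" * 32, False),               # Taproot
]

if __name__ == "__main__":
    for spk_hex, reused in SAMPLE_UTXOS:
        print(exposure(spk_hex, reused))
```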
7. What Google's Paper Deliberately Withheld
One detail of the publication stands out as unusual in the context of academic cryptographic research: Google's team chose not to publish the actual quantum circuits underlying their key-derivation computation. This is the first quantum resource estimation paper of this kind to withhold that level of implementation detail explicitly for security reasons. Instead, the team published a zero-knowledge proof — a cryptographic construction that allows independent parties to verify the correctness of the claim without being given the working implementation that would allow a bad actor to reproduce or immediately deploy it.
The decision to withhold the circuits suggests that Google's team views the research as having crossed a threshold of specificity and reproducibility that warrants precautionary handling. It also reflects an acknowledgment that nation-state actors — rather than criminal hackers — represent the most plausible near-term threat vector for this type of capability. A state with access to classified quantum hardware and the motivation to attack cryptocurrency holdings, financial messaging infrastructure, or military communications would not need to wait for public publication of an open-source implementation.
8. Ethereum's Post-Quantum Head Start
One asymmetry that Google's paper highlights is the difference in preparedness between Bitcoin and Ethereum. The Ethereum Foundation published a targeted roadmap for post-quantum migration in late March 2026, with a completion target of 2029. Ethereum's account-based architecture and its history of coordinated protocol upgrades — including the Merge — give it a structural advantage in executing the kind of network-wide cryptographic transition that post-quantum migration requires. The development team has also been actively working on the technical foundations of quantum-resistant signature schemes for Ethereum's specific use case.
Bitcoin, by contrast, has not yet begun a comparable migration. The network's design philosophy emphasizes stability and backward compatibility, which creates higher barriers to the kind of fundamental cryptographic changes that post-quantum security would require. Proposals such as BIP 360, which would introduce quantum-resistant wallet formats and allow voluntary migration of funds to safer address types, are under active development. StarkWare co-founder Eli Ben-Sasson publicly urged the Bitcoin developer community to accelerate work on this and similar proposals, framing it explicitly as a forward-looking security imperative rather than an immediate crisis response.
9. The "Everything Gets Broken" Counterargument
The most widely circulated counterargument to the quantum alarm framing holds that if quantum computers capable of breaking elliptic curve cryptography are eventually built, they would threaten not only cryptocurrency but the entire global digital infrastructure — banking systems, military communications, internet encryption, stock exchanges, and government networks. Under this reading, a world where bitcoin's cryptography is breakable is a world where civilization's digital backbone has already collapsed, making the specific risk to cryptocurrency somewhat beside the point.
This argument has genuine force as a reminder of the breadth of quantum's implications, but it understates a critical asymmetry: centralized systems can coordinate updates. A government, a bank, or a technology company can push cryptographic upgrades to their systems, communicate with their users, and migrate to post-quantum standards through normal administrative and operational processes. Bitcoin and Ethereum cannot do this unilaterally — migration requires broad consensus across a decentralized network of users, developers, and validators, and it requires individual users to actively move funds from vulnerable addresses to new ones. That coordination problem is structurally harder than the equivalent upgrade for a centralized institution, and it is the reason why Google's paper urges earlier, rather than later, action for blockchain networks specifically.
10. What the Timeline Actually Looks Like
The practical takeaway from Google's paper is not that bitcoin is in danger today or next year. Current quantum computers do not approach the scale or quality required for the attacks described in the research. Building a machine with hundreds of thousands of high-quality, error-corrected logical qubits remains a formidable engineering challenge, and estimates for when such a machine might exist range from the early 2030s under optimistic assumptions to the mid-2040s under more conservative ones.
What the paper does establish is that the credible threat horizon has moved closer than the field previously estimated, and that the window for proactive cryptographic migration — while still open — is narrowing faster than many in the crypto industry had planned around. For holders of bitcoin in older address formats or addresses where public keys have been exposed, the at-rest attack risk is the more pressing near-term concern, because it does not depend on a nine-minute race against the blockchain — it simply requires that a capable quantum computer eventually exist. Migrating funds to quantum-resistant address formats, once those are available, is the appropriate response. For the broader industry, the paper serves as a calibration of urgency: not an emergency, but no longer a theoretical horizon that can be safely deferred indefinitely.

