Google Quantum AI Team Reduces Bitcoin-Cracking Qubit Estimate to ~500k, Enabling 9-Minute Key Derivation

Google researchers have compiled Shor's algorithm to solve Bitcoin's 256-bit elliptic curve problem with ~1.2k logical qubits, translating to <500k physical qubits—a 20x reduction from 2023 estimates. This makes 'on-spend' attacks against unconfirmed transactions theoretically plausible with fast-clock quantum hardware.

GAla Smith & AI Research Desk·8h ago·7 min read·6 views·AI-Generated

A new technical paper from Google's Quantum AI team provides precise resource estimates for breaking Bitcoin's Elliptic Curve Digital Signature Algorithm (ECDSA) using a fault-tolerant quantum computer. The findings indicate the mathematical pathway to derive a private key from a public key in roughly 9 minutes is now fully mapped, with the primary remaining barrier being the construction of sufficiently large-scale quantum hardware.

The work, detailed in a whitepaper titled "Cryptographic Vulnerabilities in the Quantum Era," represents a significant reduction in the estimated physical resources required for such an attack. It also introduces a critical architectural distinction that separates threats to active transactions from threats to static, at-rest funds.

What the Researchers Mapped

The core technical achievement is the compilation of Shor's algorithm to solve the specific 256-bit elliptic curve discrete logarithm problem that secures Bitcoin and Ethereum. The team determined this requires approximately:

  • 1,200 logical qubits (error-corrected)
  • 90 million Toffoli gates (a standard quantum logic gate)

Through error-correction overhead calculations for superconducting qubits, this translates to needing fewer than half a million physical qubits. This is a nearly 20-fold reduction compared to the best prior estimates from Daniel Litinski's 2023 work on lattice-surgery surface codes.

Key Implications for Cryptocurrency Security

The 9-minute runtime estimate is particularly significant because Bitcoin's average block time—the interval between transaction confirmations—is 10 minutes. This narrows the window for a potential "on-spend" attack, where a quantum adversary could:

  1. Observe a transaction broadcast to the mempool (the pool of unconfirmed transactions).
  2. Rapidly compute the private key from the exposed public key.
  3. Forge a new transaction moving the funds to their own address before the original transaction is confirmed in a block.

The Hardware Speed Divide

The paper introduces a crucial distinction based on quantum hardware architecture:

  • Superconducting & Photonic: microsecond-scale error-correction cycle; can threaten active transactions (on-spend attacks).
  • Neutral Atom & Ion Trap: millisecond- to second-scale cycle; can only threaten static holdings with long-exposed keys.

This means that not all large-scale quantum computers would be equally dangerous to live transaction flows. Only systems with fast error-correction cycles could execute an attack within Bitcoin's confirmation window.

The Scale of the At-Risk Asset Pool

The research highlights a substantial existing vulnerability: approximately 6.9 million BTC (worth over $600 billion at current prices) sit in addresses where the public key is already exposed on the blockchain. This includes:

  • ~1.7 million BTC locked in early Pay-to-Public-Key (P2PK) scripts from Bitcoin's earliest days (2009-2010). These are almost certainly lost funds (private keys unknown or destroyed), but they represent a permanent, multibillion-dollar target for a future quantum adversary capable of deriving the private keys.
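The at-rest versus on-spend split described in the hardware section and here can be applied to a UTXO inventory by looking at which output script types place a public key on-chain before the coins are ever spent. The following is an added example, not code from the paper or this article; the script templates are the standard Bitcoin output patterns, and the sample outputs, keys and hashes are constructed dummy values.

```python
# Added example: classify Bitcoin outputs by when their public key becomes
# visible on-chain, so "at-rest" exposure (reachable by slow-clock hardware)
# can be separated from keys that appear only at spend time (the on-spend
# window). Inputs below are constructed, not real chain data.

P2PK_LENS = (35, 67)  # push(33- or 65-byte key) OP_CHECKSIG


def classify_output(spk: bytes, reused_hash160: frozenset = frozenset()) -> dict:
    """Return script type and when its public key is exposed on-chain.

    reused_hash160: HASH160 values whose key already signed an earlier spend
    (address reuse); those keys are exposed even for newly received coins.
    """
    n = len(spk)
    if n in P2PK_LENS and spk[0] == n - 2 and spk[-1] == 0xAC:
        return {"type": "P2PK", "exposed": "at_rest"}  # raw key in script
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        reused = spk[3:23] in reused_hash160
        return {"type": "P2PKH", "exposed": "at_rest" if reused else "on_spend"}
    if n == 22 and spk[:2] == b"\x00\x14":
        reused = spk[2:22] in reused_hash160
        return {"type": "P2WPKH", "exposed": "at_rest" if reused else "on_spend"}
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return {"type": "P2SH", "exposed": "on_spend"}  # keys sit in redeem script
    if n == 34 and spk[:2] == b"\x00\x20":
        return {"type": "P2WSH", "exposed": "on_spend"}
    if n == 34 and spk[:2] == b"\x51\x20":
        return {"type": "P2TR", "exposed": "at_rest"}  # x-only output key in script
    return {"type": "unknown", "exposed": "unknown"}


def exposure_totals(utxos, reused_hash160=frozenset()) -> dict:
    """Sum output values (satoshis) by exposure class over an inventory."""
    totals = {"at_rest": 0, "on_spend": 0, "unknown": 0}
    for value, spk in utxos:
        totals[classify_output(spk, reused_hash160)["exposed"]] += value
    return totals


# Constructed sample inventory: (value in sats, scriptPubKey bytes).
SAMPLE_UTXOS = [
    (50_0000_0000, b"\x21\x02" + b"\x11" * 32 + b"\xac"),        # P2PK, 50 BTC
    (10_0000_0000, b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac"),  # P2PKH, fresh
    (5_0000_0000, b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac"),   # P2PKH, reused
    (1_0000_0000, b"\x51\x20" + b"\x22" * 32),                     # P2TR
]
REUSED = frozenset({b"\xbb" * 20})  # constructed: this key signed before

if __name__ == "__main__":
    print(exposure_totals(SAMPLE_UTXOS, REUSED))
```

Only outputs in the at_rest bucket are reachable by the slow-clock systems the paper describes; the on_spend bucket is the population exposed only inside the confirmation window.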

Ethereum's Distinct Risk Profile

The analysis notes that Ethereum faces a different, and potentially more complex, set of quantum threats due to its architectural choices:

  • Account Model: Unlike Bitcoin's UTXO model, Ethereum's account-based system exposes public keys differently.
  • BLS Signatures: Used by Ethereum validators in the proof-of-stake consensus mechanism.
  • KZG Commitment Scheme: Employed in Ethereum's data availability sampling for scaling solutions.

Each of these components presents a separate "at-rest" attack surface for a sufficiently powerful quantum computer.

Verification via Zero-Knowledge Proof

In a novel methodological step, the Google team validated their quantum resource estimates using a zero-knowledge proof system. This allowed them to cryptographically prove the correctness of their compiled attack circuit and resource counts without revealing the circuit details themselves. This is a first in the field of quantum cryptanalysis and sets a new standard for verifiability in resource estimation papers.

What This Means in Practice

The margin between theoretical quantum capability and cryptographic failure is narrowing faster than most blockchain migration timelines assume. While building a fault-tolerant quantum computer with 500,000 physical qubits remains a monumental engineering challenge—current state-of-the-art machines have fewer than 1,000 physical qubits without full error correction—the mathematical pathway is now clearly defined. The primary barrier has shifted from algorithm design to hardware engineering.

gentic.news Analysis

This work from Google Quantum AI represents a concrete escalation in the timeline of the "cryptographic quantum threat." For years, the discussion has been theoretical, with resource estimates often dismissed as requiring millions of qubits decades away. Reducing the physical qubit estimate by a factor of 20, into the mid-hundreds of thousands, brings the problem into a more tangible engineering timeframe. It aligns with the accelerated progress in quantum error correction we've covered, such as our February 2026 report on QuEra's 256-logical-qubit demonstration and the IBM Quantum Heron processor's improved gate fidelities.

The architectural distinction between fast-clock (superconducting/photonic) and slow-clock (neutral atom/ion trap) systems is particularly insightful for risk assessment. It suggests that even if a large-scale quantum computer is built using slower modalities, the immediate threat to live transaction settlement might be mitigated, while the threat to static, exposed keys remains. This creates a potential bifurcation in quantum security strategies: blockchains may need defenses against both fast, transaction-time attacks and slower, archival attacks.

The use of a zero-knowledge proof to verify the quantum circuit is a notable advancement in research methodology. It addresses longstanding skepticism about quantum resource estimates, which are often complex and difficult to independently audit. This verification technique may become standard for future cryptanalysis papers, increasing confidence in threat timelines.

Ultimately, this paper serves as the most precise warning yet to the cryptocurrency ecosystem: the migration to quantum-resistant cryptography cannot be deferred indefinitely. While the exact hardware timeline remains uncertain, the mathematical blueprint for breaking current systems is now complete and verified. Projects that have delayed planning for post-quantum transitions, assuming a multi-decade horizon, may need to reassess their roadmap in light of these refined estimates.

Frequently Asked Questions

How many qubits are needed to break Bitcoin encryption?

According to this Google Quantum AI paper, breaking Bitcoin's ECDSA encryption requires approximately 1,200 logical qubits, which translates to fewer than 500,000 physical superconducting qubits when accounting for error correction overhead. This is a 20-fold reduction from the best prior estimates published in 2023.

How long would it take a quantum computer to crack a Bitcoin private key?

The compiled Shor's algorithm could derive a private key from a public key in roughly 9 minutes on a sufficiently large fault-tolerant quantum computer. This is significant because Bitcoin's average block confirmation time is 10 minutes, making "on-spend" attacks against unconfirmed transactions theoretically plausible.

Is my Bitcoin safe from quantum computers today?

Yes, for now. No existing quantum computer has anywhere near the 500,000 error-corrected physical qubits required for this attack. Current state-of-the-art machines, like IBM's Condor, have around 1,000 physical qubits without full fault tolerance. The threat is forward-looking, but this research clarifies the mathematical pathway and reduces the estimated hardware requirements.

What cryptocurrencies are most at risk from quantum attacks?

All cryptocurrencies using elliptic curve cryptography (like ECDSA or EdDSA) are theoretically vulnerable. Bitcoin has significant risk due to the large amount of BTC in addresses with exposed public keys (~6.9 million BTC). Ethereum has different attack surfaces due to its account model, BLS signatures for validators, and KZG commitments. The risk timeline depends on the development of large-scale, fault-tolerant quantum hardware.

AI Analysis

This paper marks a pivotal moment in quantum cryptanalysis: the transition from vague, long-term warnings to precise, verified resource estimates. The 20-fold reduction in required physical qubits isn't due to a breakthrough in quantum algorithms per se, but rather to optimized compilation of Shor's algorithm for the specific elliptic curve (secp256k1) used by Bitcoin. This optimization work—effectively creating a specialized quantum circuit for this one cryptographic problem—demonstrates how much overhead can be stripped away when targeting a concrete application rather than solving the general discrete logarithm problem.

The hardware architecture distinction is critically important for practitioners. It means that simply tracking "qubit count" milestones is insufficient for risk assessment. The error correction cycle time becomes a key parameter. A 500,000-qubit neutral atom system might be built before a 500,000-qubit superconducting system, but if its cycle time is 1,000 times slower, it cannot execute the 9-minute attack. This should inform which quantum computing approaches the cryptocurrency industry monitors most closely.

The zero-knowledge proof verification method deserves particular attention from the research community. By proving they have a correct circuit without revealing it, the Google team has established a new standard for transparency and verifiability in quantum resource estimation. This approach could prevent over-optimistic or erroneous estimates from gaining undue influence, and it provides a template for how to responsibly disclose cryptographic vulnerabilities without providing a blueprint for attackers.

For blockchain developers, the most urgent implication is the need to accelerate post-quantum migration plans. The 9-minute attack window for fast-clock systems means that even with a 10-minute block time, Bitcoin offers essentially no quantum safety margin for unconfirmed transactions. Layer-2 solutions with faster finality might be even more vulnerable. This research should catalyze concrete testing and deployment of quantum-resistant signature schemes like CRYSTALS-Dilithium or Falcon, rather than continued theoretical discussion.