Cracking a wallet in 9 minutes: Google's quantum paper explodes in the crypto world, is Bitcoin's "Y2K moment" here?
TechFlow

Author: TechFlow

Author: Kapiqila, Deep Tide TechFlow

On March 31, the Google Quantum AI team released a white paper with a bland title but explosive content.

The paper's core conclusion is that breaking the elliptic curve cryptography (ECC-256) protecting Bitcoin and Ethereum wallets requires approximately 20 times fewer quantum computing resources than previously estimated. Specifically, it can be broken on a superconducting quantum computer using fewer than 500,000 physical qubits with fewer than 1,200 logical qubits and 90 million Toffoli gates, taking only a few minutes.

On the same day, Caltech and quantum hardware startup Oratomic published another paper with even more radical conclusions: a quantum computer using a neutral atom architecture can launch an attack with as few as about 10,000 physical qubits, and 26,000 qubits can break ECC-256 in about 10 days.

The two papers, taken together, constitute the most serious warning of the quantum threat in the history of the crypto industry.

From a "theoretically distant threat" to a "countdown with an end in sight"

To understand the impact of these two papers, we need to look at a timeline: In 2012, the academic community estimated that cracking ECC-256 would require approximately 1 billion physical qubits. In 2023, Daniel Litinski's paper reduced that number to about 9 million. Google's new paper lowered it to below 500,000. Oratomic went even further, reducing it to 10,000.

Over the past two decades, the estimated requirement has been compressed by five orders of magnitude.

This means the framework for discussing the quantum threat has been completely transformed. The prevailing narrative of the past, "quantum computers are decades away from breaking encryption," has now shifted to "if hardware advancements accelerate non-linearly, the window of opportunity may only be five to ten years." Justin Drake, a researcher at the Ethereum Foundation (and co-author of the Google paper), estimates at least a 10% probability that by 2032 a quantum computer will break a secp256k1 ECDSA private key.

The Google paper describes two types of attack scenarios.

The first type is the "on-spend attack." When a Bitcoin user initiates a transaction, the public key is briefly exposed in the mempool. A sufficiently fast quantum computer can deduce the private key from the public key in about 9 minutes and launch a competing transaction to steal funds before the transaction is confirmed. Considering that the average Bitcoin block time is about 10 minutes, the paper estimates the success probability of this type of attack to be about 41%.

In cryptography, a 41% probability of breaking a signature is not a statistical error; it means the signature scheme has already been compromised.
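One way a figure of about 41% can arise, as an added example that is not taken from the paper or the article: it assumes block arrivals follow a Poisson process with a 10-minute mean (a standard model, not stated on the page) and that the original transaction would confirm in the very next block. Function names are illustrative.

```python
import math
import random

def on_spend_success(derive_min: float, mean_block_min: float = 10.0) -> float:
    """P(next block arrives later than the key-derivation time).

    With exponential inter-block times the wait from broadcast to the
    next block is itself exponential (memorylessness), so the race is
    won with probability exp(-derive / mean).
    """
    return math.exp(-derive_min / mean_block_min)

def simulate(derive_min: float, mean_block_min: float = 10.0,
             trials: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form, with a fixed seed."""
    rng = random.Random(seed)
    wins = sum(rng.expovariate(1.0 / mean_block_min) > derive_min
               for _ in range(trials))
    return wins / trials

def sensitivity(derive_times=(1, 9, 30, 60)) -> dict:
    """Race probability for several assumed derivation times (minutes)."""
    return {t: round(on_spend_success(t), 3) for t in derive_times}

if __name__ == "__main__":
    print("closed form, 9 min:", round(on_spend_success(9), 4))
    print("simulated,   9 min:", round(simulate(9), 4))
    for minutes, p in sensitivity().items():
        print(f"derivation {minutes:>2} min -> race won with p = {p}")
```

The exposure window depends only on the ratio of derivation time to mean confirmation time, which is why shorter confirmation times reduce this class of risk.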

The second type is the "at-rest attack," which targets dormant wallets whose public keys are already exposed on the blockchain. This type of attack has no time limit; quantum computers can calculate at their own pace. The paper estimates that approximately 6.9 million BTC (one-third of the total supply) are in this exposed state, including about 1.7 million early coins from the Satoshi Nakamoto era, and a large amount of funds whose public keys have been exposed due to address reuse.

At current prices, these 6.9 million BTC are worth over $450 billion.

Taproot: Intended to enhance privacy, it has instead expanded the attack surface.

One surprising finding in the paper is that Bitcoin's 2021 Taproot upgrade created new vulnerabilities from a quantum-security standpoint. Taproot aims to improve transaction efficiency and privacy, employing the Schnorr signature scheme. However, a characteristic of Schnorr signatures is that the public key is exposed on-chain by default, removing the "hash first, then expose" protection layer of the old address format (P2PKH).

In other words, Taproot's improvements in traditional security open a door for quantum attacks. This extends the pool of quantum-vulnerable Bitcoin from early coins and reused addresses to all wallets using Taproot.
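The difference between outputs that publish a key and outputs that publish only a hash, together with the address-reuse case from the at-rest attack described earlier, can be checked per output. The following is an added example, not code from the Google paper or the article; the function names and sample scripts are constructed for illustration, and the patterns are the standard Bitcoin output script templates.

```python
from typing import NamedTuple

class Exposure(NamedTuple):
    script_type: str
    key_on_chain: bool  # True if an EC public key can be read from chain data
    reason: str

def classify(script_hex: str, spent_before: bool = False) -> Exposure:
    """Classify a scriptPubKey; spent_before marks a reused address."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return Exposure("P2PK", True, "raw public key in the output script")
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "output key in the output script")
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        kind = "P2PKH"
    elif n == 22 and s[:2] == b"\x00\x14":
        kind = "P2WPKH"
    elif n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        kind = "P2SH"
    elif n == 34 and s[:2] == b"\x00\x20":
        kind = "P2WSH"
    else:
        return Exposure("unknown", False, "non-standard script, inspect manually")
    if spent_before:
        # Conservative: a prior spend published the key (or the full script).
        return Exposure(kind, True, "reuse: an earlier spend revealed the key or script")
    return Exposure(kind, False, "only a hash is on-chain until the first spend")

def audit(outputs):
    """Return the (label, Exposure) pairs whose key is already readable."""
    results = [(label, classify(h, reused)) for label, h, reused in outputs]
    return [(label, e) for label, e in results if e.key_on_chain]

# Constructed sample scripts (filler bytes, not real keys or hashes).
SAMPLES = [
    ("early-coinbase", "21" + "02" + "11" * 32 + "ac", False),
    ("taproot", "5120" + "22" * 32, False),
    ("fresh-p2pkh", "76a914" + "33" * 20 + "88ac", False),
    ("reused-p2wpkh", "0014" + "44" * 20, True),
]

if __name__ == "__main__":
    for label, e in audit(SAMPLES):
        print(f"{label}: {e.script_type} exposed ({e.reason})")
```

Outputs flagged here are the ones a wallet operator would prioritise when planning migration; unflagged hashed outputs stay protected only as long as they are never spent from and then reused.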

Ethereum: Bigger Problems, But Earlier Preparation

If Bitcoin faces "wallet-level" risks, Ethereum's problems are "infrastructure-level."

The Google paper identifies five layers of Ethereum that are vulnerable to quantum attacks: personal wallets, smart contract management keys, PoS staking verification, Layer 2 networks, and data availability sampling mechanisms. The paper estimates that the top 1000 Ethereum wallets hold approximately 20.5 million ETH, which could be wiped out in less than nine days by a quantum computer capable of cracking one key every nine minutes. At current ETH prices, these assets are worth approximately $41.5 billion.

A deeper problem lies in systemic risk. Approximately $200 billion worth of stablecoins and tokenized assets on Ethereum rely on administrator key signatures, and about 37 million staked ETH are authenticated through equally vulnerable digital signatures. If a large staking pool is compromised, attackers could even disrupt the consensus mechanism itself.

However, Ethereum has a structural advantage: block time is only 12 seconds, most transactions are confirmed within one minute, and it makes extensive use of private mempools, which makes "on-spend attacks" far less feasible on Ethereum than on Bitcoin.

The good news is that the Ethereum community has responded more proactively.

The Ethereum Foundation launched pq.ethereum.org last week, bringing together eight years of post-quantum research, with more than 10 client teams advancing testnet development weekly. Vitalik Buterin also previously released a quantum-resistant roadmap. In contrast, the Bitcoin community's governance culture is more conservative. While the BIP-360 proposal (introducing a quantum-resistant wallet format) was merged into the BIP repository in February, it only addresses one type of public key exposure problem; a complete cryptographic migration requires much larger-scale protocol changes.

Community reactions: panic, rationality, and "This isn't just our problem"

The crypto industry's reaction, as expected, split into several factions.

The panic-mongers are represented by Alex Pruden, CEO of Project Eleven: "This paper directly refutes every argument the crypto industry uses to ignore the quantum threat." Haseeb Qureshi, a partner at Dragonfly, put it more bluntly on X: "Post-quantum is no longer a drill."

Rational optimists are represented by CZ. He believes that cryptocurrencies only need to be upgraded to quantum-resistant algorithms, and "there's no need to panic." This statement is technically correct, but it ignores a crucial issue: decentralized blockchains cannot force software updates the way banking or military networks can. The migration cycle of Bitcoin's infrastructure, from user wallets to exchange support to new address formats, could take five to ten years, even if all parties reach a consensus today.

The "this isn't just our problem" camp argues that quantum computing threatens not only blockchain but also the global banking system, SWIFT transfers, stock exchanges, military communications, and HTTPS websites, all of which rely on the same encryption system. The Google paper directly addresses this: centralized systems can push updates to users, while decentralized blockchains cannot. This is the fundamental difference.

The driest joke came from Musk: "At least if you forget your wallet PIN, you can get it back in the future."

Conflict of interest and rational discount

Neither of the two papers is "purely academic".

All nine authors of the Caltech/Oratomic paper are shareholders of Oratomic, with six being company employees. This paper serves both as scientific evidence and as commercial promotion for the company's neutral atom hardware roadmap. Google's paper is not entirely neutral either; Google set 2029 as its internal deadline for migrating its system to post-quantum cryptography, and the paper's conclusions are highly consistent with this business decision. Furthermore, for security reasons, Google did not disclose the actual quantum circuit design but instead verified the validity of its results with the US government using zero-knowledge proofs.

Claims in papers with conflicts of interest need to be discounted, but the trend itself does not. Every time someone claims that "the quantum threat is exaggerated," the next paper cuts the required number of qubits by another order of magnitude.

How far are we from "Q-Day"?

The most advanced quantum computers currently have about 6,000 qubits and a coherence time of only about 13 seconds. There is still a huge engineering gap between 6,000 qubits and the 500,000 qubits required in Google's paper (or the 10,000 qubits claimed by Oratomic).

But crypto investor McKenna's analogy is more memorable: "You can think of Q-Day as Y2K, but this time it's real."

StarkWare co-founder Eli Ben-Sasson called on the Bitcoin community to accelerate the rollout of BIP-360. Google itself stated that it is working with Coinbase, the Stanford Blockchain Institute, and the Ethereum Foundation to advance responsible migration.

The debate is no longer about whether quantum computing can break encryption, but whether the crypto industry can migrate before hardware catches up. Google's 2029 timeline, coupled with the drastic reduction in qubit requirements in the Oratomic paper, leaves the industry with a shorter buffer period than anyone expected.

Satoshi Nakamoto's 1.1 million dormant Bitcoins cannot be automatically migrated to a quantum-secure address. If quantum computers arrive first, this digital legacy, worth over $70 billion, will become the largest "digital shipwreck salvage" target in history. The Google paper even introduces a legal framework analogy of "digital salvage," suggesting that governments may need to legislate to deal with these dormant assets that cannot be migrated.

This is a problem that was not foreseen in the Bitcoin white paper: if the mathematical barriers protecting private property are breached, can "Code is Law" still hold true?
