Google Quantum AI Claims Quantum Computers Could Break Bitcoin Encryption in 9 Minutes

Bitcoin news broke on March 31, 2026, when Google Quantum AI, in collaboration with Stanford and the Ethereum Foundation, released a 57-page white paper. It claims that quantum computers could break Bitcoin’s ECDSA encryption in nine minutes under specific conditions. The study reveals that quantum resource requirements have decreased by a factor of 20 compared to earlier estimates, though a 500,000-qubit machine does not yet exist. Google now plans to transition to post-quantum cryptography by 2029. Bitcoin analysis indicates the threat is real but not imminent, as the industry is already developing quantum-resistant solutions.

On March 31, 2026, Google Quantum AI, a subsidiary of Google, released a white paper that garnered widespread attention, stating that the resources required for future quantum computers to break Bitcoin’s encryption are approximately 20 times lower than previously estimated. The study quickly sparked intense discussion within the industry, and headlines such as “Quantum Computer Breaks Bitcoin in 9 Minutes” began circulating in the market. But in reality, such panic arises once or twice a year—this time, however, it sounds particularly alarming due to Google’s backing.

We have systematically analyzed this 57-page paper alongside several key studies released concurrently, breaking down the credibility of the claims, assessing the current impact of quantum computing on cryptocurrencies and mining, and evaluating the stage and urgency of associated risks.

Reassessed technical risk

Traditionally, Bitcoin’s security is based on a one-way mathematical relationship. When a wallet is created, the system generates a private key, from which the public key is derived. When spending Bitcoin, users must prove ownership of the private key without revealing it directly; instead, they use the private key to generate a digital signature that the network can verify. This mechanism is secure because modern computers would require billions of years to reverse-engineer the private key from the public key. In other words, breaking the Elliptic Curve Digital Signature Algorithm (ECDSA) would take far longer than is currently feasible, which is why the blockchain is considered cryptographically unbreakable.

However, the emergence of quantum computers has broken this rule. Unlike classical computers, quantum computers do not check keys one by one; instead, they simultaneously explore all possibilities and use quantum interference effects to identify the correct key. To illustrate, a classical computer is like a person in a dark room trying keys one at a time, while a quantum computer is like several master keys that can simultaneously match all locks, efficiently converging on the correct answer. Once quantum computers become powerful enough, attackers could rapidly derive your private key from your exposed public key and forge a transaction to transfer your bitcoins to their own account. If such an attack occurs, due to the irreversibility of blockchain transactions, recovering your assets will be extremely difficult.

On March 31, 2026, Google Quantum AI, in collaboration with Stanford University and the Ethereum Foundation, released a 57-page white paper. The core of this paper assesses the specific threat quantum computing poses to the Elliptic Curve Digital Signature Algorithm (ECDSA). Most blockchains and cryptocurrencies use 256-bit elliptic curve cryptography based on the elliptic curve discrete logarithm problem (ECDLP-256) to secure wallets and transactions. The research team found that the quantum resources required to break ECDLP-256 have been significantly reduced.

They designed a quantum circuit to run Shor’s algorithm specifically for deriving private keys from public keys. This circuit requires execution on a particular type of quantum computer: a superconducting quantum computing architecture. This is the primary technology pathway currently being developed by companies such as Google and IBM, characterized by high-speed computation but requiring extremely low temperatures to maintain qubit stability. Assuming hardware performance meets the standard of Google’s flagship quantum processor, this attack could be carried out in minutes using fewer than 500,000 physical qubits—a figure approximately 20 times lower than previous estimates.

To more intuitively assess this threat, the research team conducted a cracking simulation. By inputting the aforementioned circuit configuration into a real Bitcoin transaction environment, they found that a theoretical quantum computer could reverse-engineer a private key from a public key in approximately nine minutes, with a success rate of about 41%. Since Bitcoin’s average block time is ten minutes, this means that not only are roughly 32% to 35% of Bitcoin’s supply at risk of being statically compromised due to public keys already being exposed on the blockchain, but attackers could theoretically intercept transactions and steal funds before they are confirmed. Although such a quantum computer does not yet exist, this discovery extends the threat of quantum attacks from “static asset harvesting” to “real-time transaction interception,” sparking considerable market concern.

Google also revealed another critical piece of information at the same time: the company has moved its internal deadline for migrating to post-quantum cryptography (PQC) forward to 2029. In simple terms, migrating to post-quantum cryptography means replacing all systems today that rely on RSA and elliptic curve encryption with new cryptographic locks that quantum computers would find extremely difficult to break. Before Google released this whitepaper, this migration was widely regarded as a long-term project. Previously, the U.S. National Institute of Standards and Technology (NIST) had outlined a timeline calling for phasing out old algorithms by 2030 and fully disabling them by 2035, leading the industry to believe it had roughly a decade to prepare. However, based on recent advancements in quantum hardware, quantum error correction, and estimates of quantum factoring capabilities, Google has concluded that the quantum threat is closer than previously assumed—and has therefore significantly advanced its internal migration deadline to 2029. This objectively shortens the preparation window for the entire industry and sends a clear signal to the cryptographic community: quantum computing is progressing faster than expected, and security upgrades must be prioritized sooner. This is undoubtedly a landmark study, but during media dissemination, anxiety has been amplified. How should we rationally interpret this impact?

Do you really need to worry?

Could quantum computing render the entire Bitcoin network obsolete?

There is a threat, but it is concentrated at the level of signature security. Quantum computing does not directly affect the underlying structure of blockchain or render the mining mechanism obsolete; it specifically targets the digital signature process. Every Bitcoin transaction requires a signature using a private key to prove ownership of funds, and the network verifies whether the signature is valid. The potential capability of quantum computing is to derive the private key from the publicly available public key, thereby enabling the forgery of signatures.

This presents two real-world risks. One occurs during the transaction process: when a transaction is initiated and its information enters the network but has not yet been bundled into a block, there is a theoretical possibility of being front-run and replaced; such attacks are known as "on-spend attacks." The other targets addresses whose public keys have already been exposed in the past, such as wallets that have remained inactive for long periods or have reused addresses; these attacks allow more time and are easier to understand.

However, it’s important to emphasize that these risks do not apply universally to all Bitcoin or all users. You are only at risk during the brief window when you initiate a transaction, or if your address has previously exposed its public key. This is not an immediate threat to the entire system.

Will the threat arrive this soon?

The “cracked in 9 minutes” claim assumes the existence of a fault-tolerant quantum computer with 500,000 physical qubits. Currently, Google’s most advanced Willow chip has only 105 physical qubits, and IBM’s Condor processor has approximately 1,121, still hundreds of times short of the 500,000 threshold. According to Ethereum Foundation researcher Justin Drake, the probability of a Quantum Day (Q-Day) occurring by 2032 is only 10%. Therefore, this is not an imminent threat, but neither is it a tail risk that can be entirely ignored.

What is the greatest threat posed by quantum computing?

Bitcoin is not the most affected system; it is simply the one whose value is most intuitive and easily perceived by the public. The challenge posed by quantum computing is a broader systemic issue. All internet infrastructure relying on public-key cryptography—including banking systems, government communications, secure email, software signing, and identity authentication systems—faces the same threat. This is precisely why organizations such as Google, the U.S. National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have been actively promoting the transition to post-quantum cryptography over the past decade. Once a quantum computer with practical attack capabilities emerges, it will not only impact cryptocurrencies but the entire trust infrastructure of the digital world. Therefore, this is not a singular risk specific to Bitcoin, but a systemic upgrade required for global information infrastructure.

The Imagination and Feasibility of Quantum Mining

On the same day Google published its paper, BTQ Technologies released a research paper titled “Kardashev Scale Quantum Computing for Bitcoin Mining,” quantifying the feasibility of quantum mining from both physical and economic perspectives. Author Pierre-Luc Dallaire-Demers developed a comprehensive model of all technical aspects involved in quantum mining, from underlying hardware to upper-layer algorithms, to estimate the actual cost of mining with quantum computers.

The findings reveal that even under the most favorable assumptions, quantum mining would require approximately 10⁸ physical qubits and 10⁴ megawatts of power—roughly equivalent to the total output of a large national grid. Under Bitcoin’s mainnet difficulty as of January 2025, the required resources surge to about 10²³ physical qubits and 10²⁵ watts, approaching the energy output of a star. In comparison, the entire Bitcoin network currently consumes approximately 13–25 gigawatts, falling far short—by more than an order of magnitude—of the energy scale required for quantum mining.

Further research indicates that the theoretical speedup advantage of Grover's algorithm is offset by various practical overheads in engineering, preventing it from translating into actual mining profits. Quantum mining is neither physically nor economically feasible.

Google is not the only organization discussing this issue. Institutions such as Coinbase, the Ethereum Foundation, and the Stanford Center for Blockchain Research have already been advancing related research. Ethereum Foundation researcher Justin Drake commented, "By 2032, there is at least a 10% chance that quantum computers will recover secp256k1 ECDSA private keys from exposed public keys. Although it still seems unlikely that a cryptographically significant quantum computer will emerge before 2030, there is no better time than now to start preparing."

Therefore, we currently do not need to worry about quantum computing causing a fatal impact on mining, as the resource requirements far exceed the scope of any rational economic decision. No one would expend that much energy to claim just 3.125 bitcoins from a single block.

Cryptocurrencies will not disappear, but they need to be upgraded and evolved.

If quantum computing presents a challenge, the industry has long had an answer: post-quantum cryptography (PQC)—encryption algorithms resistant to quantum computers. Specific technical approaches include implementing quantum-resistant signature algorithms, optimizing address structures to minimize public key exposure, and gradually transitioning through protocol upgrades. Currently, NIST has completed standardization of post-quantum cryptography, with ML-DSA (a module-lattice-based digital signature algorithm, FIPS 204) and SLH-DSA (a stateless hash-based signature algorithm, FIPS 205) serving as the two core post-quantum signature schemes.

At the Bitcoin network level, BIP 360 (Pay-to-Merkle-Root, or P2MR) was officially adopted into the Bitcoin Improvement Proposals repository in early 2026. It addresses a transaction pattern introduced by the Taproot upgrade, activated in 2021. While Taproot was designed to enhance Bitcoin’s privacy and efficiency, its “key path spending” feature exposes public keys during transactions, potentially making them vulnerable to future quantum attacks. The core idea of BIP 360 is to eliminate this public key-exposing path by modifying the transaction structure, so that fund transfers no longer require revealing public keys—thereby reducing exposure to quantum risks at the source.
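The exposure classes described above (keys already visible on-chain, keys revealed by address reuse, and keys revealed only in the spend window) can be checked for a wallet's own outputs. The following is an added example, not code from the white paper or from this article; it goes beyond the text by matching the standard Bitcoin output script templates, and the `spent_before` flag, the sample outputs and treating P2SH/P2WSH like key hashes are assumptions.

```python
# Added example: classify unspent outputs by public-key exposure.
# A P2PK output stores the public key itself, and a Taproot (P2TR) output
# stores its 32-byte output key, so both are readable before any spend.
AT_REST = "exposed-at-rest"         # key is in the output script itself
ON_REUSE = "exposed-by-reuse"       # key revealed by an earlier spend of this script
ON_SPEND = "exposed-only-on-spend"  # key stays behind a hash until it is spent
UNKNOWN = "unknown"

def script_type(spk: bytes) -> str:
    """Match standard scriptPubKey templates by length and opcodes."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"    # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"  # witness v0, 20-byte key hash
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"   # witness v0, 32-byte script hash
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"    # witness v1, 32-byte x-only output key
    return "nonstandard"

def exposure(spk_hex: str, spent_before: bool) -> str:
    """spent_before (assumed input from wallet history): this exact script
    was already spent from once, so its key or script is already public."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind in ("p2pk", "p2tr"):
        return AT_REST
    if kind in ("p2pkh", "p2wpkh", "p2sh", "p2wsh"):
        return ON_REUSE if spent_before else ON_SPEND
    return UNKNOWN

def audit(utxos):
    """utxos: iterable of (script_hex, spent_before, sats); sums sats per class."""
    totals = {}
    for spk_hex, spent_before, sats in utxos:
        cls = exposure(spk_hex, spent_before)
        totals[cls] = totals.get(cls, 0) + sats
    return totals

# Constructed sample outputs (dummy key and hash bytes, not real coins).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", False, 5_000_000_000),  # early-style P2PK
    ("76a914" + "22" * 20 + "88ac", True, 150_000),          # reused P2PKH
    ("0014" + "33" * 20, False, 200_000),                    # fresh P2WPKH
    ("5120" + "44" * 32, False, 75_000),                     # Taproot
]

if __name__ == "__main__":
    for cls, sats in audit(SAMPLE_UTXOS).items():
        print(f"{cls}: {sats} sats")
```

Outputs in the first two classes are the ones to prioritize when migrating funds to fresh, never-reused addresses or, later, to a quantum-resistant output type.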

For the cryptocurrency industry, upgrading the blockchain involves a range of issues including on-chain compatibility, wallet infrastructure, address systems, user migration costs, and community coordination, requiring collective participation from the protocol layer, clients, wallets, exchanges, custodians, and even individual users to update the entire ecosystem. However, the industry has at least reached a consensus on this, and future progress is now merely a matter of execution and timeline.

The title is alarming, but the reality isn't that urgent.

After carefully analyzing these recent developments, it becomes clear that the situation is not as alarming as it may seem. While quantum computing research is indeed accelerating toward reality, we still have ample time to respond. Bitcoin today is not a static system; it has been an evolving network over the past decade. From script upgrades to Taproot, from privacy enhancements to scalability solutions, it has continuously sought a balance between security and efficiency.

The challenges posed by quantum computing may simply be the reason for the next upgrade. The quantum clock is ticking. The good news is that we all hear it—and we still have time to respond. In this era of rapidly advancing computing power, all we need to do is ensure that the trust mechanisms of the crypto world always stay ahead of technological threats.
