A whitepaper published on March 30 by Google Quantum AI has dramatically compressed the estimated timeline for quantum computers to break the elliptic-curve cryptography that secures virtually every major blockchain — and the crypto industry is scrambling to assess the fallout.
The paper was co-authored by Google researchers Ryan Babbush and Hartmut Neven alongside Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh. It concludes that breaking the 256-bit elliptic curve discrete logarithm problem underpinning Bitcoin and Ethereum transaction signatures would require fewer than 500,000 physical qubits, roughly a 20-fold reduction from previous estimates that placed the threshold in the millions.
"We want to raise awareness on this issue and are providing the cryptocurrency community with recommendations to improve security and stability before this is possible," the Google researchers wrote in an accompanying blog post.
Three Attack Classes
The whitepaper distinguishes between three classes of quantum attacks on blockchains, each targeting different points of vulnerability in the transaction lifecycle.
First, "on-spend" attacks target transactions in flight. When a user broadcasts a Bitcoin transaction, the public key becomes visible in the mempool. On a fast-clock quantum architecture using superconducting or photonic qubits, the paper estimates that deriving the corresponding private key could take roughly nine minutes. Bitcoin's average block confirmation time is 10 minutes, giving an attacker a narrow but viable window to sign a fraudulent replacement transaction and front-run the original.
Second, "at-rest" attacks target dormant wallets where public keys are already permanently exposed on-chain. Early Bitcoin outputs used Pay-to-Public-Key scripts that embedded public keys directly, and address reuse has compounded the exposure. The paper estimates that approximately 6.9 million BTC are currently vulnerable to this type of attack, including roughly 1.7 million coins from the Satoshi era. Unlike on-spend attacks, there is no time constraint — any quantum machine could work through the cryptography at its own pace.
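The "at-rest" exposure above comes down to a question a wallet operator or exchange can answer for its own holdings: which unspent outputs already have their public key on-chain? The following script is an added example, not code from the paper or from The Defiant, that classifies a constructed set of Bitcoin outputs by script type (the byte layouts are the standard ones for P2PK, P2PKH, P2SH, P2WPKH, P2WSH and Taproot) and flags two exposure routes the article names: a key embedded in the output script itself, and address reuse, where an earlier spend from the same script has already revealed the key. The UTXOs, transaction labels, key bytes and spend history are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Utxo:
    """One unspent output. txid is a constructed label, not a real transaction."""
    txid: str
    vout: int
    value_sat: int
    script_pubkey: bytes


def classify_script(spk: bytes) -> str:
    """Identify a standard scriptPubKey by its byte layout; 'unknown' otherwise."""
    n = len(spk)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG (0xac); the key sits in the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    # P2WSH: OP_0 <32-byte hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    # P2TR: OP_1 <32-byte x-only output key>; key-path spends sign with this key.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"


# Output types whose scriptPubKey already carries a public key.
KEY_IN_SCRIPT = {"p2pk", "p2tr"}
# Output types that commit only to a hash until they are spent.
HASH_ONLY = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def exposure(utxo: Utxo, spent_from: Set[bytes]) -> str:
    """Classify how an output's public key is exposed on-chain.

    spent_from holds every scriptPubKey that has been spent from at least once;
    that spend revealed the key (or redeem script), so any remaining output paying
    to the same script is exposed through address reuse.
    """
    kind = classify_script(utxo.script_pubkey)
    if kind in KEY_IN_SCRIPT:
        return "exposed:key-in-script"
    if kind in HASH_ONLY:
        if utxo.script_pubkey in spent_from:
            return "exposed:address-reuse"
        return "hashed"
    return "unknown"


def summarize(utxos: Iterable[Utxo], spent_from: Set[bytes]) -> Dict[str, int]:
    """Total satoshis per exposure class: a per-wallet version of the at-rest figure."""
    totals: Dict[str, int] = {}
    for u in utxos:
        cls = exposure(u, spent_from)
        totals[cls] = totals.get(cls, 0) + u.value_sat
    return totals


# Constructed sample data: fixed byte fillers stand in for real keys and hashes.
REUSED_P2PKH = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"
SAMPLE_UTXOS = [
    Utxo("tx-a", 0, 5_000_000_000, b"\x41\x04" + b"\x22" * 64 + b"\xac"),   # early-style P2PK
    Utxo("tx-b", 0, 100_000, REUSED_P2PKH),                                  # reused address
    Utxo("tx-c", 1, 200_000, b"\x76\xa9\x14" + b"\x77" * 20 + b"\x88\xac"),  # fresh P2PKH
    Utxo("tx-d", 0, 300_000, b"\x00\x14" + b"\x44" * 20),                    # P2WPKH
    Utxo("tx-e", 0, 400_000, b"\x51\x20" + b"\x55" * 32),                    # Taproot
    Utxo("tx-f", 2, 500_000, b"\xa9\x14" + b"\x66" * 20 + b"\x87"),          # P2SH
]
# Constructed spend history: the reused P2PKH script has been spent from before.
SPENT_FROM = {REUSED_P2PKH}


if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(f"{u.txid}:{u.vout} {classify_script(u.script_pubkey):7} {exposure(u, SPENT_FROM)}")
    print(summarize(SAMPLE_UTXOS, SPENT_FROM))
```

Run against a real UTXO set, `spent_from` would be built from the scriptPubKeys of every spent output in the chain history rather than a hand-written set, and the "hashed" class is the balance that can still be moved to a new address before its key is ever published; the two "exposed" classes are the balance the article's at-rest figure counts.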
"Mining acceleration via quantum is mostly a sideshow. Private-key theft is the real existential vector," Cais Manai, CPO and co-founder of TEN Protocol, told The Defiant in February.
Finally, "on-setup" attacks apply specifically to cryptographic ceremonies underpinning systems like Ethereum's Data Availability Sampling. The KZG polynomial commitment scheme used in Ethereum's blob data verification relies on a one-time trusted setup that generates a secret scalar, which is intended to be destroyed afterward. A quantum computer could recover that secret from publicly available parameters, creating what the paper calls a permanent, reusable exploit that can forge data availability proofs without further quantum computation.
Ethereum's Exposure
The whitepaper identifies at least five distinct attack classes for Ethereum alone.
Beyond wallet-level risk — the paper flags roughly 20.5 million ETH held in accounts with exposed public keys — admin keys governing stablecoin minting authority rely on the same vulnerable signatures. The paper estimates that approximately $200 billion in stablecoins and tokenized assets on Ethereum depend on these admin keys.
Ethereum's proof-of-stake consensus layer faces its own exposure. Roughly 37 million staked ETH is authenticated via digital signatures that the paper considers quantum-vulnerable. The paper warns that if staking concentration in large pools is exploited, the threshold for disrupting consensus narrows significantly.
Layer 2 networks present additional risk. The paper estimates that at least 15 million ETH across major rollups and cross-chain bridges is exposed. The authors note that StarkNet, which uses hash-based rather than elliptic-curve cryptography, stands out as quantum-safe.
"The community will soon face difficult, unprecedented decisions regarding the fate of these assets, forcing tradeoffs between the immutability of cryptographic property rights and the economic stability of the network," the paper warns.
Disclosure via Zero-Knowledge Proof
In what the paper's authors frame as a first for quantum cryptanalysis, Google did not publish the actual quantum circuits used to achieve its optimized resource estimates. Instead, the team ran its circuit simulator through the SP1 Zero-Knowledge Virtual Machine and published a Groth16 zkSNARK proof, allowing third parties to verify the claimed resource reductions without gaining access to the specific techniques required to execute an attack.
"To share this research responsibly, we engaged with the U.S. government and developed a new method to describe these vulnerabilities via a zero-knowledge proof, so they can be verified without providing a roadmap for bad actors," the researchers wrote.
The paper comes a week after the Ethereum Foundation launched a public resource hub consolidating eight years of post-quantum research into a phased migration roadmap. The EF's plan targets core Layer 1 protocol upgrades by 2029 through four sequential hard forks, beginning with equipping validators with quantum-resistant backup keys and progressively replacing the current BLS signature scheme with hash-based alternatives.
Bitcoin's BIP-360, which proposes a quantum-resistant Pay-to-Merkle-Root output type to replace Taproot's vulnerable key-path spending, was merged into the official BIP repository in February. But the proposal does not introduce post-quantum signatures — it only removes one category of public key exposure. A full cryptographic migration would require a much larger protocol change.
Google itself has set a 2029 deadline to migrate its own authentication and digital signature services to post-quantum cryptography.
Dormant Coin Dilemma
Perhaps the most politically charged implication of the paper involves assets that cannot be migrated — coins locked in wallets whose private keys are lost, including Satoshi Nakamoto's estimated 1.1 million BTC in early P2PK outputs. These coins cannot voluntarily move to quantum-safe addresses.
The paper introduces a "digital salvage" framework, drawing an analogy to maritime salvage law, as a potential governance model for addressing quantum recovery of these assets. The policy choices facing the industry are stark: whether to hard fork and burn unmigrated coins, impose migration deadlines with rate-limited withdrawal periods, or allow quantum-equipped actors to claim dormant assets.
What’s Next
The paper does not claim that current quantum hardware can execute these attacks today — Google's most advanced processor, Willow, operates with just 105 physical qubits, as The Defiant noted when the chip was announced in December 2024.
But the trajectory of optimization is the central argument: resource estimates for breaking elliptic curve cryptography have dropped by roughly an order of magnitude through algorithmic improvements alone, independent of hardware scaling.
For Bitcoin and Ethereum — the two networks holding the vast majority of crypto market capitalization — the question is no longer whether to migrate, but whether the governance processes that define these protocols can move fast enough.
"This paper directly refutes every argument the crypto industry has used to dismiss the quantum threat," Alex Pruden, CEO and co-founder of Project Eleven, a post-quantum migration company, told The Defiant via email.
"The solution to protect these networks exists; the question is whether the rest of the industry and core protocol developers start building now or wait and suffer the consequences," he concluded.
This article was written with the assistance of AI workflows. All our stories are curated, edited and fact-checked by a human.