Google study suggests quantum computing could threaten Bitcoin security

TechFlow

Bitcoin news broke on March 31, 2026, when Google Quantum AI, in collaboration with Stanford and the Ethereum Foundation, released a 57-page white paper. The study claims that the quantum computing resources required to break Bitcoin’s ECDSA signature scheme are now 20 times lower than previous estimates. A 500,000-qubit quantum computer could crack a Bitcoin private key in 9 minutes, though such hardware does not yet exist. Google has moved its post-quantum transition deadline to 2029. The risk is real but not immediate, and the industry is already developing quantum-resistant solutions.

On March 31, 2026, Google Quantum AI, a subsidiary of Google, released a white paper that garnered widespread attention, stating that the resources required for future quantum computers to break Bitcoin’s cryptography are approximately 20 times lower than previously estimated. This research quickly sparked intense discussion within the industry, and headlines such as “Quantum Computer Breaks Bitcoin in 9 Minutes” began circulating in the market. But honestly, this kind of panic arises once or twice a year; this time, it simply sounds more alarming because it’s backed by Google’s name.

We have systematically analyzed this 57-page paper alongside several key studies released concurrently, breaking down the credibility of the claims, assessing the actual impact of current quantum computing advancements on the cryptocurrency and mining industries, and evaluating the stage and urgency of associated risks.

Reassessed technical risk

Bitcoin’s security rests on a one-way mathematical relationship. When a wallet is created, the system generates a private key, from which the public key is derived. When spending Bitcoin, users prove ownership of the private key not by revealing it, but by producing a digital signature that the network can verify. This mechanism is secure because classical computers would require billions of years to derive the private key from the public key. In other words, breaking the Elliptic Curve Digital Signature Algorithm (ECDSA) would take far longer than is currently feasible, which is why the blockchain is considered cryptographically unbreakable.

However, the emergence of quantum computers has broken this rule. Unlike classical computers, quantum computers do not check keys one by one; instead, they explore all possibilities simultaneously and leverage quantum interference effects to identify the correct key. To use an analogy: a classical computer is like a person in a dark room trying keys one at a time, while a quantum computer is like multiple master keys that can simultaneously test all locks, efficiently narrowing in on the correct solution. Once quantum computers become powerful enough, attackers could rapidly calculate your private key from your exposed public key, then forge a transaction to transfer your bitcoins to their own account. If such an attack occurs, the irreversible nature of blockchain transactions makes it extremely difficult to recover your assets.

On March 31, 2026, Google Quantum AI, in collaboration with Stanford University and the Ethereum Foundation, released a 57-page white paper. The core of this paper assesses the specific threat that quantum computing poses to the Elliptic Curve Digital Signature Algorithm (ECDSA). Most blockchains and cryptocurrencies use 256-bit elliptic curve cryptography based on the elliptic curve discrete logarithm problem (ECDLP-256) to secure wallets and transactions. The research team found that the quantum resources required to break ECDLP-256 have been significantly reduced.

They designed a quantum circuit to run Shor’s algorithm specifically for deriving private keys from public keys. This circuit requires execution on a particular type of quantum computer: a superconducting quantum computing architecture. This is the primary technology pathway currently being developed by companies such as Google and IBM, characterized by high-speed computation but requiring extremely low temperatures to maintain qubit stability. Assuming hardware performance meets the standards of Google’s flagship quantum processor, this attack could be carried out in minutes using fewer than 500,000 physical qubits—a figure approximately 20 times lower than previous estimates.

To more intuitively assess this threat, the research team conducted a cracking simulation. By inputting the aforementioned circuit configuration into a real Bitcoin transaction environment, they found that a theoretical quantum computer could reverse-engineer a private key from a public key in approximately nine minutes, with a success rate of about 41%. Since Bitcoin’s average block time is ten minutes, this means that not only are roughly 32% to 35% of Bitcoin’s supply at risk of being statically compromised due to public keys already being exposed on the blockchain, but attackers could theoretically intercept transactions and steal funds before they are confirmed. Although such a quantum computer does not yet exist, this discovery extends the threat of quantum attacks from “static asset harvesting” to “real-time transaction interception,” triggering significant market concern.

At the same time, Google revealed another critical piece of information: the company has moved its internal deadline for migrating to post-quantum cryptography (PQC) forward to 2029. In simple terms, migrating to PQC means replacing all systems today that rely on RSA and elliptic curve encryption with new cryptographic locks that quantum computers would find extremely difficult to break.

Before Google released this whitepaper, this migration was widely regarded as a long-term project. Previously, the U.S. National Institute of Standards and Technology (NIST) had outlined a timeline calling for discontinuation of legacy algorithms by 2030 and complete phase-out by 2035, leading the industry to believe it had roughly a decade to prepare. However, based on recent advancements in quantum hardware, quantum error correction, and estimates of quantum factoring resources, Google now assesses that the quantum threat is closer than previously thought—and has therefore significantly advanced its internal migration deadline to 2029. This effectively shortens the preparation window for the entire industry and sends a clear signal to the cryptographic community: quantum computing is progressing faster than expected, and security upgrades must be prioritized sooner.

This is undoubtedly a landmark study, but during media dissemination, anxiety has been amplified. How should we rationally interpret this impact?

Do you really need to worry?

1. Could quantum computing render the entire Bitcoin network obsolete?

There is a threat, but it is concentrated at the level of signature security. Quantum computing does not directly affect the underlying structure of blockchain or render the mining mechanism obsolete; it specifically targets the digital signature process. Every Bitcoin transaction requires a signature using a private key to prove ownership of funds, and the network verifies whether the signature is valid. The potential capability of quantum computing lies in deriving the private key from the publicly available public key, thereby enabling forged signatures.

This presents two real-world risks. One occurs during the transaction process: when a transaction is initiated and its information enters the network but has not yet been included in a block, there is a theoretical possibility of being front-run—a type of attack known as an "on-spend attack." The other targets addresses whose public keys have already been exposed historically, such as wallets that have remained inactive for long periods or have reused addresses; these attacks allow more time and are easier to understand.

However, it is important to emphasize that these risks do not apply universally to all Bitcoin or all users. Threats only arise during the brief window when you initiate a transaction, or if your address has previously exposed its public key. This is not an immediate threat to the entire system.

2. Will the threat arrive this soon?

The premise of “cracking in 9 minutes” assumes the existence of a fault-tolerant quantum computer with 500,000 physical qubits. Currently, Google’s most advanced Willow chip has only 105 physical qubits, and IBM’s Condor processor has approximately 1,121—both still hundreds of times away from the 500,000-qubit threshold. According to Ethereum Foundation researcher Justin Drake, the probability of a quantum breaking day (Q-Day) occurring by 2032 is only 10%. Therefore, this is not an imminent threat, but neither is it a tail risk that can be entirely ignored.

3. What is the greatest threat posed by quantum computing?

Bitcoin is not the most affected system; it is simply the one whose value is most tangible and easily perceived by the public. The challenge posed by quantum computing is a broader systemic issue. All internet infrastructure relying on public-key cryptography—including banking systems, government communications, secure email, software signing, and identity authentication systems—faces the same threat. This is precisely why organizations such as Google, the U.S. National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have been actively promoting the transition to post-quantum cryptography over the past decade. Once a quantum computer with practical attack capabilities emerges, it will not only impact cryptocurrencies but the entire trust infrastructure of the digital world. Therefore, this is not a singular risk specific to Bitcoin, but a systemic upgrade required for global information infrastructure.

The Imagination and Feasibility of Quantum Mining

On the same day Google published its paper, BTQ Technologies released a research paper titled “Kardashev Scale Quantum Computing for Bitcoin Mining,” quantifying the feasibility of quantum mining from both physical and economic perspectives. Author Pierre-Luc Dallaire-Demers developed a comprehensive model of all technical aspects involved in quantum mining, from underlying hardware to upper-layer algorithms, enabling an estimation of the actual cost of mining with quantum computers.

The study found that even under the most favorable assumptions, quantum mining would require approximately 10⁸ physical qubits and 10⁴ megawatts of power—roughly equivalent to the total output of a large national power grid. Under Bitcoin’s mainnet difficulty as of January 2025, the required resources surge to about 10²³ physical qubits and 10²⁵ watts, approaching the energy output of a star. In comparison, the entire Bitcoin network currently consumes approximately 13–25 gigawatts, falling far short—by more than an order of magnitude—of the energy scale required for quantum mining.

Further research indicates that the theoretical speedup advantage of Grover's algorithm is offset by various practical overheads in engineering, preventing it from being translated into actual mining profits. Quantum mining is neither physically nor economically feasible.

Google is not the only organization discussing this issue. Institutions such as Coinbase, the Ethereum Foundation, and the Stanford Center for Blockchain Research have already been advancing related research. Ethereum Foundation researcher Justin Drake commented, "By 2032, there is at least a 10% chance that quantum computers will recover secp256k1 ECDSA private keys from exposed public keys. Although the emergence of cryptographically significant quantum computers before 2030 still seems unlikely, there is no better time than now to start preparing."

Therefore, we don’t need to worry about quantum computing causing a catastrophic impact on mining, as the required resources far exceed any rational economic consideration. No one would expend that much energy to claim just 3.125 bitcoins from a single block.

Cryptocurrencies will not disappear, but they need to be upgraded and evolved.

If quantum computing presents a challenge, the industry has long had an answer: post-quantum cryptography (PQC), meaning cryptographic algorithms resistant to quantum computers. Specific technical approaches include introducing quantum-resistant signature algorithms, optimizing address structures to minimize public key exposure, and gradually migrating through protocol upgrades. Currently, NIST has completed standardization of post-quantum cryptography, with ML-DSA (a module-lattice-based digital signature algorithm, FIPS 204) and SLH-DSA (a stateless hash-based signature algorithm, FIPS 205) serving as the two core post-quantum signature schemes.

At the Bitcoin network level, BIP 360 (Pay-to-Merkle-Root, or P2MR) was officially incorporated into the Bitcoin Improvement Proposals repository in early 2026. It addresses a transaction pattern introduced by the Taproot upgrade, activated in 2021. While Taproot was designed to enhance Bitcoin’s privacy and efficiency, its “key path spending” feature exposes public keys during transactions, potentially making them vulnerable to future quantum attacks. The core idea of BIP 360 is to eliminate this public key-exposing path by modifying the transaction structure, so that fund transfers no longer require revealing public keys—thereby reducing exposure to quantum risks at the source.
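
An added example, not code from the white paper, BIP 360 or this article: a short Python audit that sorts a wallet's unspent outputs by when their public key becomes visible, matching the two risk classes described earlier (keys already public at rest versus keys revealed only on spend) and the Taproot exposure described above. The script templates are the standard Bitcoin output types; the sample UTXO list and the `address_spent_before` flag are constructed for illustration.

```python
# Added example: sort unspent outputs by when their public key becomes visible.
# Script templates are the standard Bitcoin output types; sample data is constructed.

def classify(script_hex: str) -> str:
    """Return the output type of a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"    # <pubkey> OP_CHECKSIG: the key sits in the output
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"   # only HASH160(pubkey) is on chain until spent
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"    # script hash; keys appear when the script is revealed
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"  # SegWit v0 key hash
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"   # SegWit v0 script hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"    # OP_1 <32-byte output key>: the key sits in the output
    return "unknown"

def exposure(script_hex: str, address_spent_before: bool) -> str:
    """'at-rest': key already public; 'on-spend': key revealed only when spending."""
    kind = classify(script_hex)
    if kind == "unknown":
        return "review"      # non-standard script: inspect by hand
    if kind in ("p2pk", "p2tr") or address_spent_before:
        return "at-rest"     # key in the output, or revealed by an earlier spend
    return "on-spend"

def summarize(utxos):
    """Sum satoshis per exposure class for (script_hex, sats, address_spent_before)."""
    totals = {}
    for script_hex, sats, reused in utxos:
        label = exposure(script_hex, reused)
        totals[label] = totals.get(label, 0) + sats
    return totals

# Constructed sample wallet (filler bytes, not real keys or hashes).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),   # early-style P2PK
    ("76a914" + "22" * 20 + "88ac", 100_000, False),          # fresh P2PKH
    ("0014" + "33" * 20, 250_000, False),                     # fresh P2WPKH
    ("5120" + "44" * 32, 75_000, False),                      # Taproot output
    ("0014" + "55" * 20, 40_000, True),                       # reused address
]

if __name__ == "__main__":
    for label, sats in sorted(summarize(SAMPLE_UTXOS).items()):
        print(f"{label:9s} {sats / 1e8:.8f} BTC")
```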

For the cryptocurrency industry, upgrading the blockchain involves a range of issues including on-chain compatibility, wallet infrastructure, address systems, user migration costs, and community coordination, requiring participation from the protocol layer, clients, wallets, exchanges, custodians, and even individual users to update the entire ecosystem. However, the industry has at least reached a consensus on this, and future progress is now merely a matter of execution and timeline.

The title is alarming, but reality isn't that urgent.

After carefully analyzing these recent developments, it becomes clear that the situation is not as alarming as it may seem. While human research into quantum computing is indeed accelerating toward reality, we still have ample time to respond. Bitcoin today is not a static system; it has been an evolving network over the past decade. From script upgrades to Taproot, from privacy enhancements to scalability solutions, it has continuously sought a balance between security and efficiency.

The challenges posed by quantum computing may simply be the reason for the next upgrade. The quantum clock is ticking. The good news is that we all hear it—and we still have time to respond. In this era of rapidly advancing computing power, all we need to do is ensure that the trust mechanisms of the crypto world always stay ahead of technological threats.
