Google’s latest quantum research changes the practical timeline, not just the theory. The key shift is that breaking the elliptic-curve cryptography used by Bitcoin and Ethereum may require fewer than 500,000 physical qubits, about 20 times less than earlier estimates, which turns post-quantum migration from a long-range design question into a nearer-term protocol and wallet problem.
Google cut the resource estimate that underpinned the old comfort zone
The new study optimized quantum circuits for Shor’s algorithm against ECDLP-256, the elliptic curve discrete logarithm problem behind the signature schemes used across major blockchains. Google’s team reported implementations using roughly 1,200 to 1,450 logical qubits and around 70 to 90 million Toffoli gates. Translated into physical hardware assumptions, that pushes the requirement below 500,000 physical qubits, sharply down from prior estimates that had left more room before a cryptographically relevant quantum computer became plausible.
That does not mean such a machine exists today. It does mean the old habit of treating the threat as distant and leisurely is no longer a sound reading of the evidence. The draft timeline now points toward a compressed window, with some expert estimates placing at least a 10% probability of a cryptography-breaking quantum machine by 2032 rather than safely beyond the mid-2030s.
Bitcoin and Ethereum do not face the same attack surface
The most important distinction is not that both chains use elliptic-curve cryptography, but that they expose keys differently. In Bitcoin, the main danger is an “on-spend” attack: once a transaction reveals the public key, a quantum attacker may have about nine minutes to derive the private key and race the network before confirmation. That is uncomfortably close to Bitcoin’s roughly 10-minute block interval, and it puts about 6.9 million BTC at elevated risk, especially coins tied to older wallet formats and coins whose spending behavior exposes public keys.
Ethereum’s account model creates a harsher condition. After an account transacts, its public key is exposed and remains available, which allows an “at-rest” attack with no comparable time limit. An attacker would not need to intercept a pending payment inside a narrow window; they could work against exposed accounts over time. The draft estimate puts more than 37 million ETH in exposed accounts, making Ethereum’s problem less about mempool timing and more about the standing stock of vulnerable addresses.
| Network | Main quantum attack mode | Time constraint | Estimated exposed amount | Main constraint on mitigation |
|---|---|---|---|---|
| Bitcoin | “On-spend” key recovery after public key exposure | About 9 minutes | ~6.9 million BTC | Consensus coordination and wallet adoption, including proposals such as BIP 360 |
| Ethereum | “At-rest” recovery from permanently exposed account public keys | No hard time limit | 37+ million ETH | Protocol and client migration at large account scale |
Why the protocol response is uneven
Ethereum is already working through an active post-quantum roadmap that includes client and protocol changes, which fits the fact that its exposure is structural and persistent. Bitcoin’s path is harder politically even if the code changes are narrower in concept, because any serious migration raises questions about legacy outputs, wallet compatibility, miner and node adoption, and what to do about vulnerable coins that may never move. That is why proposals such as BIP 360 matter as checkpoints rather than as abstract research.
Google also used zero-knowledge proofs to verify its optimized circuits without publishing a complete attack blueprint. That choice matters for market structure and project signaling: it supports the credibility of the claim while limiting immediate copyability, which is different from making a dramatic warning without technical backing. The practical message is not “panic now,” but “the burden of proof has shifted toward implementers who still assume there is ample time.”
The nearer checkpoint is adoption, not headlines about quantum supremacy
For investors, developers, and treasury managers, the signal to watch is not a single dramatic lab announcement. It is the combination of quantum hardware scaling and actual migration progress across live networks, wallets, custodians, and signing infrastructure. A chain with a published post-quantum roadmap but weak wallet uptake is still exposed; a chain with no credible upgrade path is worse. That makes adoption rate a more useful indicator than vague claims that quantum computers are either “already here” or “still decades away.”
In the short term, reducing address reuse, rotating keys faster, and moving away from wallet patterns that expose public keys can lower immediate risk, but those are partial measures. They do not solve Ethereum’s at-rest exposure or Bitcoin’s long-tail stock of vulnerable outputs. A durable fix requires migration to post-quantum cryptography, and Google’s timeline pointing toward a rough 2029 preparation deadline leaves less room for governance delay than the market had assumed.
Immediate reader questions
Is this an attack happening now?
No. The change is that the estimated resource threshold fell sharply, which shortens the expected timeline and makes delay harder to justify.
Which chain looks more exposed right now?
Ethereum has the more permissive attack condition because exposed public keys can be attacked at rest with no strict time window. Bitcoin’s risk is narrower in timing but still material because of the amount of exposed BTC.
What is the clearest next checkpoint?
Watch two things together: quantum hardware progress and whether major networks, wallet providers, and custodians actually adopt post-quantum standards. For Bitcoin, movement on proposals such as BIP 360 is a concrete marker.
Does avoiding address reuse solve the problem?
It helps at the margin, especially for Bitcoin, but it is not a substitute for a network-wide migration to post-quantum cryptography.
About the Author
