Can Quantum Computers Break Bitcoin? | 2026 Google Research
Executive Summary
On March 31, 2026, Google’s Quantum AI team published a whitepaper revealing that breaking the elliptic curve cryptography (ECDSA-256) protecting Bitcoin, Ethereum, and most blockchains could require 20× fewer quantum resources than estimated in 2019 — specifically fewer than 500,000 physical qubits. The research models a real-time transaction hijacking attack with a 41% success rate against Bitcoin’s 10-minute block confirmation, and identifies approximately 6.9 million BTC (~32% of supply) in wallets with exposed public keys. Google has set a 2029 deadline to migrate its own infrastructure to post-quantum cryptography.
- What Google Found: The 20× Factor
- How Much Bitcoin Is Actually at Risk?
- The Real-Time Attack Vector Explained
- The Case for YES — Quantum Is a Real Threat
- The Case for NO — Don’t Panic Yet
- The Qubit Gap: Hardware vs. Threat Threshold
- How the Industry Is Responding
- The Quantum Race Timeline
- What Should Crypto Investors Do Now?
- Frequently Asked Questions
1. What Google Found: The 20× Factor
Google’s Quantum AI team published a whitepaper on March 31, 2026 that fundamentally recalibrates how the security industry assesses quantum threats to cryptocurrency. The headline finding: breaking the 256-bit elliptic curve cryptography (ECDSA-256) that secures Bitcoin, Ethereum, and most other blockchain networks could require fewer than 500,000 physical qubits — roughly 20 times fewer than the team’s own 2019 estimate of 20 million qubits.
Even more striking, the researchers designed two practical attack methods requiring only about 1,200 to 1,450 high-quality logical qubits. That number matters because it represents the “real” computational requirement, stripped of error correction overhead. Previous assumptions placed the logical qubit threshold at 2,330 or higher.
Google also introduced a novel approach to responsible disclosure: instead of publishing step-by-step attack methods, they used zero-knowledge proofs to verify their findings without providing a blueprint for bad actors.
“Planning the transition to quantum-safe cryptosystems requires understanding the cost of quantum attacks on vulnerable cryptosystems.”
— Craig Gidney, Google Quantum AI Researcher
Resource Estimates: Then vs. Now
| Metric | 2019 Estimate | 2026 Estimate | Change |
|---|---|---|---|
| Physical qubits (RSA-2048) | 20 million | <1 million | 20× reduction |
| Physical qubits (ECDSA-256) | ~10 million (est.) | <500,000 | ~20× reduction |
| Logical qubits for attack | 2,330+ | 1,200–1,450 | ~40% reduction |
| Estimated attack time | 8 hours | <1 week (RSA) / ~9 min (live BTC) | Varies by method |
2. How Much Bitcoin Is Actually at Risk?
Google’s research estimates that approximately 6.9 million BTC — roughly one-third of the total supply — sits in wallets where the public key has been exposed. This includes approximately 1.7 million BTC from Bitcoin’s earliest days (Pay-to-Public-Key format), and roughly 5.2 million BTC in reused addresses.
Of particular note: an estimated 1 million BTC attributed to Satoshi Nakamoto sits in early P2PK addresses that are inherently vulnerable.
Bitcoin’s Taproot upgrade (activated November 2021) makes public keys visible by default in its key-path spending mode. Google’s researchers concluded this design choice could increase the number of wallets potentially exposed to quantum-based attacks — creating more vulnerability, not less.
3. The Real-Time Transaction Hijack
The most striking finding isn’t about dormant wallets; it’s about active transactions. When someone sends Bitcoin, their public key is briefly revealed. A quantum computer could derive the private key while the transaction sits in the mempool. Google’s model shows this takes approximately 9 minutes, with pre-computation.
Since Bitcoin blocks take ~10 minutes to confirm, the attacker has a ~41% chance of beating the legitimate transaction.
Chain-by-Chain Vulnerability
| Network | Confirmation | Attack Success | Risk |
|---|---|---|---|
| Bitcoin | ~10 minutes | ~41% | 🔴 High |
| Ethereum | ~12-15 seconds | Near 0% | 🟢 Low |
| Solana | ~0.4 seconds | Near 0% | 🟢 Very Low |
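The ~41% figure and the near-zero values in the table can be reproduced with a simple race model. This is an added example, not code from Google's paper or from this article. It assumes block arrivals are memoryless with the mean intervals from the table (12 s for Ethereum) and a fixed 9-minute derivation; all function names are illustrative.

```python
import math
import random

# Assumption (not from the page): block discovery is memoryless, so the wait
# for the next block is exponential with the chain's mean confirmation time.
ATTACK_S = 9 * 60                      # ~9-minute key derivation from the page
CHAINS = {"Bitcoin": 600.0, "Ethereum": 12.0, "Solana": 0.4}  # mean seconds

def race_success(attack_s: float, mean_block_s: float) -> float:
    """P(no block confirms the victim's transaction before derivation ends)."""
    return math.exp(-attack_s / mean_block_s)

def simulate(attack_s: float, mean_block_s: float,
             trials: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form above."""
    rng = random.Random(seed)
    late = sum(rng.expovariate(1.0 / mean_block_s) > attack_s
               for _ in range(trials))
    return late / trials

def safe_derivation_time(max_risk: float, mean_block_s: float) -> float:
    """Derivation time above which the race succeeds less often than max_risk."""
    return -mean_block_s * math.log(max_risk)

def exposure_table() -> dict:
    """Race-success probability per chain for the page's 9-minute attack."""
    return {name: race_success(ATTACK_S, mean) for name, mean in CHAINS.items()}

if __name__ == "__main__":
    for name, p in exposure_table().items():
        print(f"{name:9s} closed form {p:.4f}  simulated "
              f"{simulate(ATTACK_S, CHAINS[name], trials=50_000):.4f}")
    mins = safe_derivation_time(0.01, CHAINS["Bitcoin"]) / 60
    print(f"Bitcoin race risk falls below 1% once derivation exceeds {mins:.0f} min")
```

Under this model the exposure depends only on the ratio of derivation time to mean confirmation time, which is why chains with short confirmation intervals show near-zero risk for the same attack.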
4. The Case for YES, Quantum Is a Real Threat
From 20 million to under 500K physical qubits. Logical qubit needs dropped to ~1,200–1,450. The gap is shrinking faster than models predicted.
State actors are almost certainly collecting blockchain data today, planning to decrypt it once quantum hardware matures. The 6.9M exposed BTC are fixed targets.
Google modeled a 9-minute attack that beats Bitcoin’s confirmation 41% of the time. This is about live transactions being intercepted.
BIP-360’s co-author estimates a full post-quantum migration could take 7 years. Google’s 2029 deadline means the window is narrowing fast.
Google’s 2029 deadline reflects internal confidence that cryptographically relevant quantum computers (CRQCs) are approaching. IBM projects a fault-tolerant computer (Starling) with 200 logical qubits by 2029. Quantinuum aims for full fault tolerance by 2029. Jefferies advised clients to drop Bitcoin allocations entirely due to quantum risk.
5. The Case for NO, Don’t Panic Yet
IBM’s most advanced processor (Heron) has 156 qubits. Google’s Sycamore has 53. We’re orders of magnitude from 500K physical qubits.
Current machines are “noisy” — ~1,000 physical qubits per logical qubit. Maintaining coherence for days is beyond any existing hardware.
NIST standardized PQC algorithms in 2024. BIP-360 is on testnet. The solutions are built — the challenge is adoption speed, not invention.
A quantum breakthrough would compromise banking and government before Bitcoin — triggering a coordinated global response before crypto is targeted.
Adam Back, CEO of Blockstream, argues the practical quantum threat is 20–40 years away. ARK Invest’s March 2026 report concluded we’re still at Stage 0 — quantum computers exist but lack any commercially relevant capability.
6. The Qubit Gap: Hardware vs. Threat Threshold
Quantum Computing Hardware Milestones
| System | Year | Physical Qubits | Status |
|---|---|---|---|
| Google Sycamore | 2019 | 53 | ✅ Operational |
| Google Willow | 2024 | 105 | ✅ Operational |
| IBM Heron r3 | 2025 | 156 | ✅ Operational |
| IBM Kookaburra | 2026 | 4,158 (3-chip) | 📋 Planned |
| IBM Starling | 2029 | ~10,000 | 🗺️ Roadmap |
| IBM Blue Jay | 2033 | ~100,000 | 🗺️ Roadmap |
| ⚠️ ECDSA-256 Break Threshold | ??? | <500,000 | ⚠️ Danger Zone |
The most optimistic hardware projections don’t place us at 500K qubits before 2033–2035. However, if qubit counts keep doubling every 1–2 years and AI-guided error correction compresses the timeline further, the “comfortable decade” could shrink to a “nervous five years.”
7. How the Industry Is Responding
Bitcoin: Slow but Moving
BIP-360 (Pay-to-Merkle-Root) was merged into Bitcoin’s official BIP repository on February 11, 2026. It introduces a quantum-resistant address type (bc1z) that prevents public key exposure. BTQ Technologies deployed the first testnet implementation with 50+ miners and 100,000+ blocks processed. However, a full migration could take up to 7 years.

Ethereum: Ahead of the Curve
Ethereum has spent eight years preparing a multi-fork roadmap for post-quantum security, running weekly test networks. Its faster confirmation time provides inherent protection against real-time attacks.
Government & Standards Bodies
| Organization | Action | Deadline |
|---|---|---|
| U.S. Federal Agencies | Submit PQC transition plans (NSM-10) | April 2026 |
| | Complete infrastructure PQC migration | 2029 |
| European Union | Critical infrastructure quantum resistance | 2030 |
| NIST | Phase out elliptic curve cryptography | Mid-2030s |
| NSA CNSA 2.0 | Quantum-safe national security systems | 2030 |
8. The Quantum Race Timeline
9. What Should Crypto Investors Do Now?
1. Move to modern addresses. If you hold BTC on legacy P2PK or P2PKH addresses (starting with “1”), migrate to bc1 (Native SegWit) addresses immediately.
2. Stop reusing addresses. Every time you spend from an address, your public key is exposed. Use a new address for every transaction.
3. Monitor BIP-360. Follow the proposal’s progress. When quantum-resistant address types (bc1z) go live on mainnet, be ready to migrate.
4. Assess chain-level preparedness. Evaluate each network’s quantum readiness. Ethereum’s active PQC roadmap and faster confirmations provide inherent advantages.
5. Don’t panic-sell based on FUD. Google explicitly warned that unsubstantiated fear can itself be used as an attack on crypto confidence. Act deliberately, not reactively.
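A holder can apply steps 1 and 2 by auditing which of their outputs already have a public key on-chain. The sketch below is an added example, not code from the article or from any wallet project. It classifies by address prefix only (no checksum validation), runs on constructed placeholder data, and assumes the wallet software can report whether an address has already been spent from. It also separates bc1q (SegWit v0, key hashed) from bc1p (Taproot, key visible in the output), the distinction raised in section 2.

```python
from dataclasses import dataclass

@dataclass
class Utxo:
    address: str      # "" for bare P2PK outputs, which have no address form
    btc: float
    spent_from: bool  # True if this address has already signed a transaction

def script_type(address: str) -> str:
    """Prefix-based classification; does not validate checksums."""
    a = address.lower()
    if a == "":
        return "p2pk"
    for prefix, kind in (("bc1q", "segwit-v0"), ("bc1p", "taproot"),
                         ("bc1z", "p2mr"), ("1", "p2pkh"), ("3", "p2sh")):
        if a.startswith(prefix):
            return kind
    return "unknown"

def exposure(u: Utxo) -> str:
    kind = script_type(u.address)
    if kind in ("p2pk", "taproot"):
        return "exposed-at-rest"      # public key is in the output itself
    if kind == "unknown":
        return "review"
    if u.spent_from:
        return "exposed-by-reuse"     # an earlier spend revealed the key
    # Assumption: bc1z (BIP-360) is treated like the other hashed types.
    return "hashed"                   # key stays hidden until first spend

def audit(utxos) -> dict:
    """Sum BTC per exposure class."""
    totals = {}
    for u in utxos:
        key = exposure(u)
        totals[key] = round(totals.get(key, 0.0) + u.btc, 8)
    return totals

# Constructed sample wallet; the addresses are placeholders, not real ones.
WALLET = [
    Utxo("", 50.0, False),
    Utxo("1ExampleLegacyUnspent", 0.8, False),
    Utxo("1ExampleLegacyReused", 1.25, True),
    Utxo("bc1qexamplefresh", 2.0, False),
    Utxo("bc1pexampletaproot", 0.5, False),
    Utxo("bc1qexamplereused", 0.3, True),
]

if __name__ == "__main__":
    for label, total in sorted(audit(WALLET).items()):
        print(f"{label:17s} {total:.8f} BTC")
```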
The End
Google’s March 2026 research doesn’t mean Bitcoin is broken. It means the timeline for when it could be broken just got significantly shorter. The 20× reduction in required quantum resources compresses years of comfortable preparation into a more urgent window.
The good news: post-quantum cryptography solutions already exist. NIST has standards. BIP-360 is on testnet. Ethereum has a multi-year roadmap.
The challenge isn’t technical — it’s organizational. Bitcoin’s decentralized governance is its greatest philosophical strength but also its biggest vulnerability in a coordinated upgrade. A migration taking 7 years leaves a dangerously narrow margin if CRQCs arrive by the early 2030s.
The danger isn’t quantum computers themselves. It’s complacency. Every year the community delays PQC migration, the window shrinks. The crypto industry has perhaps 5–8 years. That’s enough, but only if the work starts now.
10. Frequently Asked Questions
Last Updated: March 31, 2026 | Reading Time: ~18 minutes
Sources: Google Research, altFINS, CoinDesk, ARK Invest / Unchained, IBM Quantum, BIP-360.org, NIST, Bitcoin Magazine
⚠️ Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always do your own research before making investment decisions.