A new paper from Google Quantum AI has sharply reduced the estimated hardware required to crack elliptic-curve cryptography used by Bitcoin and much of Ethereum, moving a long-running security debate closer to market terms.
At current market prices, the quantum computing risks could affect more than $600 billion in Bitcoin, Ethereum, and stablecoins.
The paper, co-authored by Google researchers, Ethereum Foundation researcher Justin Drake, and Stanford cryptographer Dan Boneh, says Shor’s algorithm for the 256-bit elliptic curve discrete logarithm problem can run with either no more than 1,200 logical qubits and 90 million Toffoli gates or no more than 1,450 logical qubits and 70 million Toffoli gates.
Google says those circuits could be executed on a superconducting, cryptographically relevant quantum computer with fewer than 500,000 physical qubits in a few minutes, roughly a 20-fold reduction from prior estimates of the number of physical qubits.
Notably, Google does not say such a machine exists today. Still, Ethereum Foundation’s Drake said his confidence in a so-called Q-day by 2032 had risen sharply and that he now sees at least a 10% chance that a quantum computer could recover a secp256k1 private key from an exposed public key by then.
Meanwhile, Google paired the paper with an unusual disclosure model, revealing that it engaged with the US government and used a zero-knowledge proof so outsiders could verify the resource estimates without receiving the underlying attack circuits.
The paper says progress in quantum computing has reached the point where publishing improved attack details in full has become less prudent, even as publishing trustworthy resource estimates remains necessary to motivate defenses.
Bitcoin’s problem is partly a race and partly a stockpile
For Bitcoin, the paper’s immediate market hook is timing. It models an “on-spend” attack in which a quantum machine derives a private key after a user reveals a public key by broadcasting a transaction, then tries to syndicate a competing transaction before the original payment is confirmed.
The paper says a fast-clock superconducting machine could reduce the live attack window to about 9 minutes from a primed state, close to Bitcoin’s roughly 10-minute average block time.
Under the paper’s assumptions, that implies a theft success probability of slightly less than 41%.
Meanwhile, that is only one part of the Bitcoin story, as the paper pointed out that about 6.7 million BTC are sitting in vulnerable addresses. This is equivalent to roughly $444 billion, or nearly 32% of BTC’s total cap of 21 million coins.
Of this, the paper says old Pay-to-Public-Key scripts still secure more than 1.7 million BTC, worth about $112.6 billion at current market price, and that the total amount of dormant quantum-vulnerable Bitcoin may reach 2.3 million BTC across script types, or about $152.3 billion.
Those coins cannot all be migrated simply by asking current users to move funds, because many are thought to be abandoned, lost, or otherwise inactive.
Apart from that, the authors also argue that Taproot, despite its benefits for privacy and flexibility, reintroduced a quantum weakness because Pay-to-Taproot places the tweaked public key directly in the locking script.
They added that Grover-based attacks on Bitcoin mining remain impractical for decades, keeping the near-term focus on signatures rather than proof of work.
That leaves Bitcoin with two distinct problems. One is the risk of live transactions if a future fast-clock machine can reliably break keys within the settlement window. The other is a large stock of older or exposed coins that could become fixed targets in a post-CRQC world.
The paper explicitly states that every existing Bitcoin transaction type is vulnerable to on-spend attacks from a future fast-clock machine, while older P2PK outputs and modern P2TR outputs introduce at-rest exposure of their own.
Ethereum’s quantum risk runs through wallets, validators, and tokenized assets
Meanwhile, the quantum risks for Ethereum are presented differently.
The paper says early fast-clock quantum computers are unlikely to launch the same kind of on-spend attack there because Ethereum produces blocks in deterministic 12-second slots, processes most transactions in less than a minute, and already relies heavily on private mempools.
Instead, the main quantum threat lies in at-rest attacks against long-lived accounts and the systems attached to them.
The paper estimates that a fast-clock attacker could crack the 1,000 highest-net-worth Ethereum accounts, holding about 20.5 million ETH, in less than nine days. At Tuesday’s ETH price of about $2,023.46, that comes to roughly $41.5 billion.
Among the top 500 contract accounts by ETH balance, it says at least 70 accounts holding about 2.5 million ETH are exposed through administrative keys, a bucket worth about $5.1 billion at current prices, with a private-key derivation attack on those accounts taking less than 15 hours on a fast-clock machine.
Meanwhile, the larger institutional story sits behind those balances. The paper links that admin vulnerability to about $200 billion in stablecoins and tokenized real-world assets on Ethereum and says those keys can function as control points for issuers, bridges, oracle operators, and emergency guardians.
The paper warned that a successful quantum attack on such accounts could allow arbitrary minting, false price feeds, frozen user funds, or drained liquidity pools, depending on the system. The paper says this is why standard asset-balance models understate the true value-at-risk.
It then widens the lens further. In its Ethereum risk taxonomy, the paper flags about 15 million ETH in Layer 2 and protocol value exposed through code and data-availability vulnerabilities, equal to roughly $30.4 billion at current prices, and about 37 million ETH in consensus stake exposed through BLS-signature-related risk, or about $74.9 billion.
Those figures overlap with other components of Ethereum’s architecture, but together they show why the paper treats Ethereum as a broader infrastructure problem rather than a wallet-security story.
The pressure shifts from theory to migration
Against this backdrop, the industry is left to ask whether blockchains, wallets, exchanges, and tokenized-asset issuers can migrate before the economics of attack shift.
Charles Guillemet, the Chief Technology Officer (CTO) at Ledger, said:
“The good news is that we already have the tools: Post Quantum Cryptography, now we need to migrate.”
However, the Google paper says the process will take years, and the industry cannot wait for perfect clarity on the exact arrival date of cryptographically relevant quantum computers.
According to the firm, it will require both protocol work and changes in wallet behavior, including reducing public-key exposure and ending key reuse wherever possible.
Essentially, vulnerable cryptocurrency communities should move to post-quantum cryptography without delay.
For Bitcoin, that means a race against a settlement window that no longer looks comfortably wide. For Ethereum, it means protecting not just coins but the much larger stack of contracts and tokenized claims now resting on the same vulnerable math.
