A new paper from Google Quantum AI significantly reduces estimates of the amount of hardware required to break the elliptic curve cryptography used in much of Bitcoin and Ethereum, bringing a long-standing security debate closer to market conditions.
At current market prices, quantum computing risks could impact more than $600 billion in Bitcoin, Ethereum, and stablecoins.
The paper, co-authored by Google researchers, Ethereum Foundation researcher Justin Drake, and Stanford University cryptologist Dan Boneh, says Shor’s algorithm for the 256-bit elliptic curve discrete logarithm problem can be run with fewer than 1,200 logical qubits and 90 million Toffoli gates, or 1,450 logical qubits and 70 million Toffoli gates.
According to Google, these circuits can be run in minutes on a superconducting cryptographically relevant quantum computer with fewer than 500,000 physical qubits, which is about 20 times lower than previous estimates of the number of physical qubits.
Notably, Google does not say that such a machine currently exists. Still, the Ethereum Foundation’s Drake said his confidence is rapidly increasing that so-called Q-day will arrive by 2032, and that he sees at least a 10% chance that a quantum computer will be able to recover a secp256k1 private key from the public key by then.
Meanwhile, Google combined this paper with an unusual disclosure model, revealing that it worked with the US government and used zero-knowledge proofs to allow outsiders to verify resource estimates without receiving the underlying attack vectors.
The paper states that advances in quantum computing have reached a point where it is no longer prudent to fully disclose the details of an improved attack, although publication of reliable resource estimates is still necessary to motivate defenses.
Bitcoin’s problem is partly a race and partly a stockpile
For Bitcoin, the paper says timing is what matters most for now. It models an “on-spend” attack in which a user reveals their public key by broadcasting a transaction, and a quantum machine then derives the private key and attempts to broadcast a competing transaction before the original payment is confirmed.
The paper states that a superconducting machine with a fast clock, starting from a ready state, could cut the time needed for a live attack to about nine minutes, which is close to Bitcoin’s average block time of about 10 minutes.
Under this paper’s assumptions, this means that the probability of a successful theft is just under 41%.
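A simple race model arrives at the same figure. The following is an added example, not code from the paper or from this article: it assumes block arrivals are memoryless with the 10-minute mean cited above, that the theft succeeds only if the key is derived before the next block, and it ignores whether the competing transaction then wins inclusion. All function names are illustrative.

```python
import math
import random

MEAN_BLOCK_MIN = 10.0   # average block interval cited in the article
ATTACK_MIN = 9.0        # live-attack time cited in the article

def race_win_probability(attack_min, mean_block_min=MEAN_BLOCK_MIN):
    """Chance that no block is mined while the key is being derived.

    Assumption (not taken from the paper): block arrivals are memoryless, so
    the wait from broadcast to the next block is exponential with the given
    mean, and the attacker wins only if derivation finishes first.
    """
    return math.exp(-attack_min / mean_block_min)

def simulate_race(attack_min, trials=200_000, seed=1,
                  mean_block_min=MEAN_BLOCK_MIN):
    """Monte Carlo check of the closed form, using a seeded generator."""
    rng = random.Random(seed)
    wins = sum(rng.expovariate(1.0 / mean_block_min) > attack_min
               for _ in range(trials))
    return wins / trials

def sweep(attack_times):
    """Success probability for several attack durations, to 3 decimals."""
    return {t: round(race_win_probability(t), 3) for t in attack_times}

if __name__ == "__main__":
    print(f"closed form, 9 min: {race_win_probability(ATTACK_MIN):.4f}")
    print(f"simulated,   9 min: {simulate_race(ATTACK_MIN):.4f}")
    for minutes, p in sweep([1, 9, 20, 60]).items():
        print(f"{minutes:>3} min attack -> {p:.3f}")
```

Under this model the on-spend risk falls off quickly as the attack takes longer, which is why the article's concern is specific to fast-clock machines.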
This is only part of the story for Bitcoin, as the paper points out that approximately 6.7 million BTC is sitting in vulnerable addresses. This is equivalent to approximately $444 billion, or almost 32% of BTC’s total supply cap of 21 million coins.
Of this, older pay-to-public-key scripts still secure 1.7 million BTC (worth about $112.6 billion at current market prices), and the total amount of dormant quantum-vulnerable Bitcoin could reach 2.3 million BTC (about $152.3 billion) across script types, the paper said.
Many of these coins are believed to be abandoned, lost, or otherwise inactive, so they cannot all be migrated simply by asking current users to move their funds.
Separately, the authors claim that despite Taproot’s privacy and flexibility advantages, Pay-to-Taproot reintroduces quantum weaknesses because it places a tweaked public key directly in the lock script.
They added that Grover-based attacks on Bitcoin mining will remain impractical for decades, so the focus for the time being is on signatures rather than proof-of-work.
That leaves Bitcoin with two different problems. One is the risk to live transactions if future fast-clock machines can reliably break a key within the settlement window. The other is a large inventory of old and exposed coins that could become a fixed target in a post-CRQC world.
The paper explicitly states that while all existing Bitcoin transaction types are vulnerable to on-spend attacks from future fast-clock machines, the old P2PK outputs and the latest P2TR outputs introduce their own at-rest exposures.
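The at-rest distinction for P2PK and Pay-to-Taproot outputs described above can be audited from the locking script alone. The following is an added example, not code from the paper or this article: it matches the standard script templates, the function names are illustrative, and the sample outputs are constructed with filler bytes.

```python
# Added example: classify a Bitcoin locking script (scriptPubKey) by whether
# it shows the public key on-chain before the coin is ever spent.

def classify_script(script_hex):
    """Return (script_type, key_exposed_at_rest); None means undetermined."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG, raw key sits in the script
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK", True
    # P2TR: OP_1 <push 32> <tweaked x-only pubkey>, a key rather than a hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <push 20> <hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", False
    # P2WPKH / P2WSH: OP_0 <push 20|32> <hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False
    return "unknown", None

def exposure_summary(utxos):
    """Sum satoshis per script type and the total behind at-rest-exposed keys."""
    per_type, exposed = {}, 0
    for script_hex, sats in utxos:
        kind, at_rest = classify_script(script_hex)
        per_type[kind] = per_type.get(kind, 0) + sats
        if at_rest:
            exposed += sats
    return per_type, exposed

SAMPLE_UTXOS = [  # constructed (script hex, value in satoshis) pairs
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000),   # P2PK, uncompressed
    ("21" + "02" + "22" * 32 + "ac", 100_000_000),     # P2PK, compressed
    ("5120" + "33" * 32, 50_000_000),                  # P2TR
    ("76a914" + "44" * 20 + "88ac", 200_000_000),      # P2PKH
    ("a914" + "55" * 20 + "87", 300_000_000),          # P2SH
    ("0014" + "66" * 20, 400_000_000),                 # P2WPKH
    ("0020" + "77" * 32, 500_000_000),                 # P2WSH
]

if __name__ == "__main__":
    print(exposure_summary(SAMPLE_UTXOS))
```

A `False` result only means the script itself hides the key behind a hash; the key still becomes public when the output is spent or the address is reused.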
Ethereum’s quantum risk runs through wallets, validators, and tokenized assets
Ethereum’s quantum risks, on the other hand, are presented differently.
The paper notes that early fast-clock quantum computers are unlikely to mount similar on-spend attacks because Ethereum generates blocks in deterministic 12-second slots, processes most transactions in less than a minute, and already relies heavily on private mempools.
Instead, the primary quantum threat lies in at-rest attacks against long-lived accounts and the systems connected to them.
The paper estimates that an attacker with a fast-clock machine could crack the 1,000 highest net worth Ethereum accounts, holding approximately 20.5 million ETH, within nine days. At Tuesday’s ETH price of about $2,023.46, that’s about $41.5 billion.
Of the top 500 contract accounts by ETH balance, at least 70 accounts holding approximately 2.5 million ETH are exposed through managed keys, worth approximately $5.1 billion at current prices, and private key derivation attacks against these accounts would take less than 15 hours on a fast-clock machine.
There is also a larger institutional story behind these balances. The paper links the custodian’s vulnerability to approximately $200 billion of stablecoins and tokenized real-world assets on Ethereum, and says these keys could serve as control points for issuers, bridges, oracle operators, and emergency guardians.
The paper warned that a successful quantum attack on such accounts could allow arbitrary minting, false price feeds, freezing of user funds, or depletion of liquidity pools, depending on the system. This is why standard asset balance models underestimate true value at risk, the paper says.
Next, widen the lens further. The paper reports that in Ethereum’s risk classification, code and data availability vulnerabilities expose layer 2 and protocol values to approximately 15 million ETH (equivalent to approximately $30.4 billion at current prices), and BLS signature-related risks expose approximately 37 million ETH of consensus stake, equivalent to approximately $74.9 billion.
These numbers overlap with other components of Ethereum’s architecture, but together they demonstrate why this paper treats Ethereum as a broader infrastructure issue rather than a wallet security story.
Pressure shifts from theory to transition
Against this backdrop, the industry is left wondering whether blockchains, wallets, exchanges, and issuers of tokenized assets can migrate before the economics of attacks change.
Charles Guillemet, Chief Technology Officer (CTO), Ledger, said:
“The good news is we already have the tools, post-quantum cryptography. Now we need to transition.”
However, Google’s paper says this process will take years, and the industry cannot wait for the exact arrival date of cryptographically relevant quantum computers to become fully clear.
The company says it will require both protocol work and changes to wallet behavior, such as reducing public key exposure and ending key reuse wherever possible.
Fundamentally, the vulnerable cryptocurrency community needs to move to post-quantum cryptography without delay.
For Bitcoin, that means a race against a payment window that no longer looks comfortably wide. For Ethereum, this means protecting not just the coin, but a much larger stack of contracts and tokenized claims that are built on the same vulnerable cryptography.

