Executive Summary

On March 31, 2026, a joint research team from Google Quantum AI, UC Berkeley, the Ethereum Foundation, and Stanford released a 57-page white paper. Its conclusion is blunt: breaking the ECDSA secp256k1 cryptography that Bitcoin and Ethereum rely on would take a quantum computer with fewer than 500,000 physical qubits, roughly one-twentieth of earlier estimates. And under those ideal conditions, the runtime would be at least 9 minutes.

The press ran with the headline "Bitcoin hacked in 9 minutes." But that 9 minutes comes with a catch: a cryptographically relevant quantum computer (CRQC) on the order of 500,000 qubits would already have to exist. Today's most advanced quantum computer, Google Willow, has 105 physical qubits, one five-thousandth of what's needed. There is no immediate threat.

The paper does carry two serious warnings, though. First, HNDL (Harvest Now, Decrypt Later) attacks, in which encrypted data is collected today and decrypted by a future quantum computer, can begin right now. Second, roughly 6.9M BTC, about 32% of all Bitcoin, already has its public key exposed and is vulnerable to a quantum attack. A migration that takes 5 to 10 years is not too late to begin now, but it can't wait much longer either.

<500K
Physical qubits
Theoretical minimum needed to break ECDSA (superconducting architecture)
5,000x
Current gap
Google Willow's 105 qubits vs. the 500,000 required
6.9M
Vulnerable BTC
Bitcoin with exposed public keys — about 32% of the total, including address reuse
9 min
Theoretical runtime
Assumes a CRQC exists, optimal conditions, 41% success rate — not an immediate threat

About the paper

Title: "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations"
Published: March 31, 2026
Authors: Ryan Babbush, Craig Gidney, Hartmut Neven (Google Quantum AI), Justin Drake (Ethereum Foundation), Dan Boneh (Stanford), Thiago Bergamaschi (UC Berkeley), and others
Length: 57 pages, including zero-knowledge proof verification

1. What the Paper Says — The Exact Numbers

The heart of the Google Quantum AI paper is an improvement in algorithmic efficiency. The team cut the quantum resources required to break the secp256k1 curve that powers Bitcoin's ECDSA (Elliptic Curve Digital Signature Algorithm) to roughly one-twentieth of the 2023 estimate.

Logical qubit requirements (for ECDLP-256)

The paper offers two circuit options. In both, the algorithmic resource counts are theoretical, and physical implementation would require a separate error-correction scheme.

Option Logical qubits Toffoli gates Characteristic
Circuit 1 ≤1,200 ~90 million Minimizes gate count
Circuit 2 ≤1,450 ~70 million Optimizes the space-time trade-off

Physical qubits and runtime

Converting 1,200 logical qubits into physical qubits yields a much larger number. Applying surface-code error correction and assuming a 10⁻³ error rate, a superconducting architecture, and a planar nearest-neighbor (4-connectivity) layout, the paper estimates that fewer than 500,000 physical qubits would suffice. That, though, is a theoretical minimum.

<500K
Physical qubits
Assumes superconducting architecture, surface code, 10⁻³ error rate
9–23 min
Runtime range
At least 9 minutes when run after precomputation under optimal conditions
41%
Success rate
Under ideal conditions, within Bitcoin's 10-minute block time

The context around "9 minutes" — the crucial preconditions

"9 minutes" is only the second stage of a two-stage attack. The first stage, offline precomputation, must already be complete. And above all, the 9-minute scenario starts from the assumption that a CRQC (a cryptographically relevant quantum computer) already exists. No such machine exists in the world today.

How much this improves on prior work

The real significance of this paper is the pace of improvement. A 2023 estimate based on a photonic architecture put the figure at roughly 9 million qubits. This paper brings it down to 500,000, about an 18-fold reduction. Trace the earlier work and the rate of improvement is itself accelerating.

Date Research Qubits required Improvement factor
2023 Earlier photonic architecture ~9 million Baseline
May 2025 Craig Gidney — RSA-2048 ~1 million ~9x
Feb 2026 Iceberg Quantum — LDPC codes ~100K (RSA) Another 10x
Mar 2026 Google Quantum AI — ECC-specific <500K (ECC) ~20x vs. 2023

Here's a technically interesting twist. ECC (elliptic curve cryptography) has shorter keys than RSA and is generally considered more secure, yet it is actually more vulnerable to quantum attack. Breaking RSA-2048 takes about 4,098 logical qubits, whereas breaking P-256 ECC takes only about 2,330. The paradox is that the shorter key length makes the quantum algorithm more efficient.

2. Media vs. Reality — The Fact-Check

Within hours of the paper's release, crypto outlets including CCN, TheStreet, and CoinFomania ran headlines declaring that Bitcoin could be "hacked in 9 minutes." Some reported that "1.7M BTC is at risk." Here, claim by claim, is the gap between what the authors meant and what the press conveyed.

Claim Media coverage What the paper actually says Verdict
9-minute hack "Bitcoin can be hacked in 9 minutes today" A theoretical simulation assuming a CRQC exists, ideal conditions, and a 41% success rate Exaggerated
Immediate threat "Bitcoin is at risk right now" A ~5,000x gap between today's best (105 qubits) and the requirement (500,000) False
500,000 qubits "500,000 qubits is enough" A theoretical minimum; the real figure could be far higher once error-correction overhead is included Partly accurate
Vulnerable BTC "1.7M BTC at risk" ~1.72M BTC in the most vulnerable P2PK type; 6.9M BTC once address reuse is included Partly accurate
The paper's message "A quantum time bomb" "Start preparing now — but this is not an immediate threat" Distorted

Why hype coverage is harmful

Overblown coverage does damage in two ways. First, it triggers panic over something that isn't a real threat, adding needless market volatility. After the paper dropped, BTC fell 1.61% and ETH fell 1.19% short-term. Second, and more seriously, it distracts from preparing for HNDL attacks, the threat that is genuinely immediate. Amid the noise of "it's about to be hacked," the quiet, substantive threat of "harvest now, decrypt later" gets buried.

Alex Thorn, head of firmwide research at Galaxy Digital, assessed that "the threat is real but overstated, and it edges into FUD (fear, uncertainty, and doubt)." ARK Invest likewise held that there is no immediate quantum threat. Neither, however, denies the long-term threat itself.

3. The 5,000x Hardware Gap — Why This Isn't an Immediate Threat

To understand the gulf between the paper's 500,000 qubits and reality, you have to look at the current state of quantum hardware. It isn't just a matter of qubit count; it's a matter of error rates and error-correction schemes.

System Physical qubits Announced Notes
Google Willow 105 Dec 2024 Error rate: 0.035% single-qubit, 0.33% two-qubit
IBM Nighthawk 120 2025 218 tunable couplers
IBM Kookaburra (target) ~4,158 2026 target 1,386 × 3 across three linked chips
CRQC requirement <500,000 Theoretical Per this paper

The gap between Google Willow's 105 physical qubits and the 500,000 required is more than a difference in numbers. At today's error rates, implementing a single logical qubit takes hundreds to thousands of physical qubits. Achieving a 10⁻⁶ error rate with a standard surface code requires a distance-27 logical qubit, which works out to 1,457 physical qubits. In other words, there is a double barrier: the number of logical qubits multiplied by the physical-qubit overhead.

Logical vs. physical qubits — the key concept

A physical qubit is the unstable quantum state of actual hardware. A logical qubit is a stable, abstract qubit obtained by combining many physical qubits and applying error correction. The paper's "500,000 physical qubits" assumes ideal conditions in which error correction works flawlessly. Meeting that condition in the real world could take far more physical qubits.

What the pace of algorithmic progress signals

The hardware gap is large, true, but the paper's real warning is in how fast the algorithms are improving. Three papers in three months have kept driving the required resources down. Hardware, too, is advancing well ahead of the traditional Moore's Law curve. That it is getting harder to forecast even 5 to 10 years out is itself a signal.

The Quantum Insider described the release as "three papers in three months rewriting the quantum-threat timeline." Craig Gidney's RSA-2048 paper in May 2025, Iceberg Quantum's LDPC-code paper in February 2026, and now Google's ECC paper have arrived back to back.

4. How Much BTC Is Vulnerable? — What 6.9M Means

Even once a quantum computer can actually break ECDSA, not all Bitcoin is equally at risk. The risk splits sharply on one question: whether a public key has been exposed on the blockchain. Here is a breakdown of vulnerability by Bitcoin address type.

Vulnerability by address type

P2PK (most vulnerable)
1.72M BTC
Public key directly exposed on-chain

An early Bitcoin-era address format, and the one holding Satoshi Nakamoto's early mining coins. The public key is visible as-is, so a CRQC could attack it the moment one appears.

P2PKH (conditionally vulnerable)
+~5M BTC
Estimate including address reuse

Unused addresses store only a hash of the public key, so they are relatively safe. But any address that has transacted even once has its public key exposed on-chain. The more an address is reused, the greater the risk.

New addresses (safe)
~68%
Addresses that have never transacted

Addresses whose public key is not exposed on-chain. They stay protected from quantum attack until they transact. The brief window during a transaction, when the public key is exposed, is the weak point.

What makes up the 6.9M BTC

Add the ~1.72M BTC in P2PK addresses to the P2PKH addresses whose public keys are exposed through reuse, and you get roughly 6.9M BTC, about 32% of all Bitcoin. Of that 6.9M, an estimated 1.1M BTC is believed to be Satoshi Nakamoto's early mining coins: P2PK-format coins that haven't moved in more than eight years.

The Taproot paradox

Bitcoin's 2021 Taproot upgrade was introduced to improve privacy and efficiency. Paradoxically, though, Taproot tends to expose more public keys on-chain. The paper notes that wider Taproot adoption could, over time, raise the share of BTC vulnerable to quantum attack.

Ethereum's additional weak points

Ethereum carries extra vulnerabilities that Bitcoin doesn't. The paper analyzes five weak points specific to Ethereum.

  • KZG polynomial commitment scheme: Ethereum's data-availability scheme. If a quantum computer could recover the "toxic waste" generated during the trusted setup, the entire proof system could be neutralized.
  • Exposed validator keys: The validator keys used in Ethereum 2.0's BLS signatures are exposed on-chain.
  • Rollup cross-chain bridge keys: The keys used in bridges between L2 rollups and L1 Ethereum.
  • ECDSA-signing smart contracts: DeFi protocol smart contracts that use ECDSA signature verification internally.
  • Historical on-chain keys: Public keys already recorded on the blockchain. These become targets that a future CRQC could attack retroactively.

5. HNDL: The Real Immediate Threat

If quantum computers don't exist yet, what is actually at risk right now? The answer is HNDL, Harvest Now, Decrypt Later. Many institutions, including in a 2025 paper from the U.S. Federal Reserve, flag this as the most immediate threat.

What an HNDL attack is

The attacker collects and stores encrypted data being transmitted today, then decrypts it in the future once a CRQC is built. Where confidentiality has to hold into the future, for medical records, financial transaction histories, or classified government communications, this threat is real rather than theoretical.

By the nature of a blockchain, every Ethereum and Bitcoin transaction is permanently public. A public key written to the chain remains accessible forever. Even if a CRQC arrives a decade from now, it can attack the keys in transactions recorded ten years earlier.

Why it's a threat right now

  • Every public key on the blockchain is permanently accessible
  • A long-term confidentiality risk for data with decades-long retention mandates (HIPAA, GDPR, SOX)
  • Encrypted communications from government, military, and financial institutions may already be harvesting targets

Responding to HNDL — what you can do now

  • Move to hybrid encryption based on NIST PQC standards (ML-KEM, ML-DSA)
  • Build a plan to update the encryption algorithms protecting long-retention data
  • Blockchain wallets: stop reusing addresses and migrate gradually to new ones

NIST finalized its post-quantum cryptography (PQC) standards in August 2024: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, based on SPHINCS+). Under NSM-10, the U.S. federal government aims to migrate all systems to PQC by 2035.

On March 17, 2026, the SEC and CFTC issued a joint interpretation on the quantum threat, urging financial institutions to prepare for a PQC transition. It's a sign that regulators, too, now treat HNDL as a real threat.

6. Where Bitcoin and Ethereum Stand on Response

The two major blockchain ecosystems are responding to the quantum threat in ways that suit their own characters. Bitcoin, wrestling with the difficulty of community consensus, is debating a new address format; Ethereum, with a more flexible upgrade path, has laid out a concrete roadmap.

Bitcoin: BIP360 and Hourglass

The most closely watched proposal in the Bitcoin ecosystem is BIP360 (Pay-to-Merkle-Root). Merged into the official BIP repository on February 11, 2026, it was authored by developers Hunter Beast (MARA), Ethan Hellman, and Foxen Duke together with members of the StarkWare team. It introduces a new address format that supports quantum-resistant signature schemes.

BIP360 — Pay-to-Merkle-Root
  • Proposes a quantum-resistant address format
  • Bitcoin Quantum Testnet v0.3.0 (BTQ Technologies, Mar 2026)
  • Currently in development and community discussion
The Hourglass proposal
  • Gradually restricts the use of vulnerable classical-cryptography addresses
  • Gives users time to move to quantum-resistant addresses first
  • Contested against Bitcoin's immutability principle

Bitcoin's core dilemma

One of Bitcoin's greatest strengths, immutability, is also the biggest obstacle to its quantum response. Satoshi's early coins are locked in P2PK addresses with no clear owner, legally or technically. Force-locking or force-moving them runs against Bitcoin's philosophical principles. No protocol change is possible without community consensus, and reaching that consensus can take years.

Ethereum: Vitalik's four-stage roadmap

On February 26, 2026, Vitalik Buterin used a public blog post to lay out a four-stage roadmap for Ethereum's quantum-resistant transition, targeting completion in 2029.

Area Current Quantum-resistant transition plan
Validator signatures BLS signatures Move to hash-based signatures
Data storage KZG commitments Move to STARK-based (quantum-resistant)
Account signatures ECDSA Multi-scheme support via EIP-8141
Migration approach Gradual, account-abstraction-based (no flag day)

Ethereum's advantage is account abstraction. Rather than naming a single flag day, the design lets users migrate their own accounts to new signature schemes gradually. The jump in gas cost, from roughly 3,000 today to about 200,000, is to be mitigated with aggregation techniques.

It's worth noting that one of the paper's authors, Justin Drake, is an Ethereum Foundation researcher. The paper's release can itself be read as internal pressure to push the Ethereum ecosystem toward a PQC transition.

7. Expert Timeline Consensus — When Is Q-Day?

"Q-Day" is the day a CRQC becomes real. Line up the experts' estimates and, even between optimists and pessimists, a rough consensus emerges: what's called for is medium-term preparation, not short-term panic.

Expert / institution Q-Day estimate Probability / basis
Craig Gidney (Google) Before 2030 10% probability
Justin Drake (Ethereum Foundation) Before 2032 10%+ probability
Median expert consensus 2031–2035 Most realistic scenario
Google (internal transition deadline) 2029 Target for completing its own certificate-service migration
U.S. federal government (NSM-10) 2035 Target for completing full PQC migration
Galaxy Digital's Alex Thorn "Decades" Threat is real; short-term panic is unwarranted

Migration lead time: why start now

Even in the optimistic scenario, having 5 to 10 years until Q-Day sounds like good news. Given the complexity of blockchain protocol upgrades, it isn't. Bitcoin's Taproot upgrade took more than four years from first discussion to activation, and a PQC transition is a far more fundamental change.

Aug 2024 — NIST PQC standards finalized
FIPS 203/204/205 formalized, giving global system migration a legal foundation.
Feb 2026 — BIP360 merged into the repository
Bitcoin's quantum-resistant address proposal formalized; testnet under way.
Feb 2026 — Vitalik unveils Ethereum's four-stage roadmap
Targets 2029 completion via a gradual, account-abstraction-based transition.
Mar 2026 — Google's quantum paper + SEC-CFTC joint interpretation
The 500,000-qubit estimate goes public; financial regulators urge preparation.
2029 (target) — Ethereum PQC roadmap completion target
Synced with Google's own system-migration deadline.
2031–2035 (estimated) — Q-Day probability window
Median expert consensus. Migration must be complete before this window.
2035 — U.S. federal government transition-completion target
Per the NSM-10 directive; financial institutions are expected to follow a comparable schedule.

The bottom line: Q-Day is not tomorrow's threat. But migration takes 5 to 10 years, HNDL attacks can begin right now, and the algorithms are improving faster than expected. There is more than enough reason to start preparing today. Not panic, but systematic preparation.

Data integrity, another layer

Moving to quantum-resistant cryptography is not just swapping out an algorithm. It brings its own question of how to verify and preserve data integrity along the way. When the encryption scheme changes, how do you verify the authenticity of previously signed data? During the transition, when two cryptographic schemes coexist, how should data pipelines be designed?

Pebblous's DataClinic and DataGreenhouse focus on a point that matters in exactly this kind of transition: keeping data quality consistent is what decides the reliability of the entire AI pipeline. Even with quantum-resistant infrastructure in place, it means nothing if the data flowing over it is contaminated or tampered with. Cryptographic transition and data-quality management aren't separate problems; they're one journey toward building trustworthy digital infrastructure.

FAQ

The questions we've heard most often since Google's quantum paper came out.