The math on breaking Bitcoin just got worse
I work in the crypto self-custody space, and March 30, 2026 marks a clean before and after. Google Quantum AI published a paper that does something no team had pulled off: it cuts the estimated cost of breaking Bitcoin's cryptography by an order of magnitude, then proves the result through a zero-knowledge verification. Nothing broke. The preparation window shrank.
The previous consensus, anchored by Webber et al. (2022), pegged the qubit requirement for a Bitcoin attack somewhere between 13 and 317 million physical qubits. Google's paper (arXiv:2603.28846, Babbush, Boneh, Drake, Gidney, Zalcman, Broughton, Khattar, Neven, Bergamaschi) pulls the number below 500,000. A 20x compression of the lower bound. The paper also shows Shor's algorithm can solve Bitcoin's 256-bit elliptic curve discrete logarithm problem with roughly 1,200 logical qubits and 90 million Toffoli gates.
The largest quantum computers running today carry around 1,000 noisy qubits. The 500,000-qubit requirement is still a 500x gap, and that gap assumes error rates no system has demonstrated at scale. This is not a crisis. It is a data point that makes the eventual crisis legible.
TL;DR
- Google's March 30, 2026 paper (arXiv:2603.28846) cut the estimated qubit cost of breaking Bitcoin's ECDSA by 20x, from millions of physical qubits down to fewer than 500,000.
- No quantum computer can break Bitcoin today. The largest existing machines sit at roughly 1,000 noisy qubits, a 500x gap.
- About 3.7 million BTC in legacy P2PK and reused-P2PKH addresses carries real at-rest exposure because the public keys sit on-chain forever.
- Modern address types (P2WPKH, P2TR) hide the public key until spend and carry no at-rest risk.
- Bitcoin Core developers are drafting BIP-360 and BIP-361 for a phased post-quantum migration.
- NIST finalized its post-quantum signature standards (FIPS 203/204/205) on August 13, 2024, with a 2030 deprecation deadline for classical signatures and disallowance by 2035.
- SHA-256 and Proof of Work face no meaningful quantum threat.
- Prepare. Do not panic.
What the paper actually says
Read the author list once. Ryan Babbush leads from Google Quantum AI. Dan Boneh (Stanford cryptographer) and Justin Drake (Ethereum Foundation researcher) co-author. These are not journalists speculating about a future threat. They build quantum hardware and they design the cryptographic standards that replace broken ones.
Their core contribution is a set of optimizations to Shor's algorithm that slash the quantum resources needed to solve the elliptic curve discrete logarithm problem (ECDLP) underlying Bitcoin's ECDSA. The alternative configuration in the paper uses 1,450 logical qubits and 70 million Toffoli gates. Translate that to physical hardware on current superconducting architectures with error rates of 10^-3 and you land below 500,000 physical qubits.
One piece of responsible disclosure stands out. The team used a zero-knowledge proof to verify the result. They showed the approach works without publishing the specific optimizations that make it work. The vulnerability proof is public. The attack blueprint stays under wraps. That buys the community time.
A separate paper (Cain et al., arXiv:2603.28627) reached similar conclusions on a different hardware path: neutral-atom qubits rather than superconducting. Their analysis puts Shor's algorithm within reach using as few as 10,000 reconfigurable atomic qubits, though they need error rates below 10^-4 and coherence times measured in seconds that no current system meets. Two independent groups converging on similar feasibility estimates matters more than either paper alone.
Full Google paper: https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf
Why the attack window matters
Bitcoin uses ECDSA to prove ownership. Your private key signs transactions. Your public key verifies them. The security assumption: deriving a private key from its public key is computationally infeasible. Classical computers cannot do it. Quantum computers running Shor's algorithm can. For a deeper look at how keys and seed phrase security relate, the BIP39 guide covers the mechanics.
Your exposure depends on when and whether your public key is visible.
On-spend exposure is the time-sensitive case. When you broadcast a transaction, your public key sits in the mempool before the block gets mined. A quantum attacker watching the mempool would have a window measured in single-digit minutes (the Google paper's abstract describes the attack time as minutes at fast-clock speeds, though the exact figure depends on hardware configuration). Bitcoin's block time is 10 minutes. The authors address that overlap directly.
At-rest exposure affects dormant wallets where the public key is already on-chain. P2PK addresses from 2009 to roughly 2012 store the full public key directly in the transaction output. Roughly 3.7 million BTC sits in these addresses with public keys permanently visible. Satoshi's own coins are P2PK. A quantum attacker can hit these any time, without waiting for a transaction. The Shor factorization record on classical hardware, by comparison, sits at 21 (achieved in 2012). No classical machine has factored anything cryptographically meaningful. The quantum advantage starts where classical computation stops.
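To make the at-rest versus on-spend distinction concrete, here is an added example (not code from the article or from the Google paper): a small classifier that reads a raw scriptPubKey and reports whether the output type publishes the public key itself (P2PK) or only a hash that hides the key until spend, following the article's categorisation of address types. The sample outputs are constructed filler bytes, not real chain data.

```python
"""Classify Bitcoin output scripts by whether the public key is exposed at rest.

Added example, not code from the article. Parses raw scriptPubKey bytes for the
standard output types the article names and reports, using the article's
exposure model, whether the script reveals an EC public key (at-rest exposure)
or only a hash. Sample scripts below are constructed: key and hash bytes are
filler, not real on-chain data.
"""
from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


@dataclass(frozen=True)
class ScriptInfo:
    kind: str
    pubkey_exposed_at_rest: bool
    payload_hex: str  # the key or hash the script carries


def _looks_like_pubkey(pk: bytes) -> bool:
    """Shape check only: 33-byte compressed (02/03) or 65-byte uncompressed (04)."""
    return (len(pk) == 33 and pk[0] in (2, 3)) or (len(pk) == 65 and pk[0] == 4)


def classify_script_pubkey(script: bytes) -> ScriptInfo:
    n = len(script)
    # P2PK: <push pubkey> OP_CHECKSIG -- the key itself sits on-chain forever
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG \
            and _looks_like_pubkey(script[1:-1]):
        return ScriptInfo("P2PK", True, script[1:-1].hex())
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return ScriptInfo("P2PKH", False, script[3:23].hex())
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and script[0] == OP_HASH160 and script[1] == 20 and script[22] == OP_EQUAL:
        return ScriptInfo("P2SH", False, script[2:22].hex())
    # Witness v0: OP_0 <20-byte key hash> (P2WPKH) or <32-byte script hash> (P2WSH)
    if n == 22 and script[0] == OP_0 and script[1] == 20:
        return ScriptInfo("P2WPKH", False, script[2:].hex())
    if n == 34 and script[0] == OP_0 and script[1] == 32:
        return ScriptInfo("P2WSH", False, script[2:].hex())
    # Witness v1: OP_1 <32-byte output key> (P2TR), classified per the article's model
    if n == 34 and script[0] == OP_1 and script[1] == 32:
        return ScriptInfo("P2TR", False, script[2:].hex())
    return ScriptInfo("nonstandard", False, script.hex())


# (satoshis, scriptPubKey) -- constructed filler bytes, not real outputs
SAMPLE_UTXOS = [
    (5_000_000_000, bytes([65, 0x04]) + b"\x11" * 64 + bytes([OP_CHECKSIG])),   # 2009-style P2PK
    (2_500_000_000, bytes([33, 0x02]) + b"\x22" * 32 + bytes([OP_CHECKSIG])),   # P2PK, compressed key
    (150_000_000, bytes([OP_DUP, OP_HASH160, 20]) + b"\x33" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    (30_000_000, bytes([OP_HASH160, 20]) + b"\x66" * 20 + bytes([OP_EQUAL])),
    (25_000_000, bytes([OP_0, 20]) + b"\x44" * 20),
    (10_000_000, bytes([OP_1, 32]) + b"\x55" * 32),
]


def at_rest_exposed_value(utxos) -> int:
    """Sum the satoshis held in unspent outputs whose script reveals the public key."""
    return sum(sats for sats, s in utxos if classify_script_pubkey(s).pubkey_exposed_at_rest)


if __name__ == "__main__":
    for sats, script in SAMPLE_UTXOS:
        info = classify_script_pubkey(script)
        print(f"{info.kind:<7} {sats / 1e8:>8.3f} BTC  exposed_at_rest={info.pubkey_exposed_at_rest}")
    print(f"total at-rest exposed: {at_rest_exposed_value(SAMPLE_UTXOS) / 1e8:.3f} BTC")
```

Run against a real UTXO set, this is the audit a custodian would do to size its own share of the at-rest exposure the article describes; the hash-based types only turn into exposure once a spend reveals the key.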
For how Bitcoin addresses and key formats work, see Sending & Receiving Bitcoin and Technical Deep Dive.
The gap is real and the timeline is not infinite
The 500x qubit gap between current hardware and the attack threshold is no rounding error. Going from 1,000 noisy qubits to 500,000 high-fidelity qubits means solving fabrication, error correction, and coherence problems at once. No research group has publicly claimed to be close.
Google's own internal post-quantum migration target is 2029. They aim to ready their systems by that date, not because they expect a working cryptographically relevant quantum computer by then, but because they believe the risk becomes non-trivial in the years that follow. The company building the hardware is telling you the window matters. That is a specific kind of signal.
The NIST timeline adds concrete structure. FIPS 203, 204, and 205 (the first post-quantum cryptographic standards, covering CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+) were finalized on August 13, 2024. The migration schedule: classical signature algorithms deprecated by 2030, disallowed by 2035. Federal systems answer to that deadline. Bitcoin does not answer to NIST. But the wider cryptographic ecosystem's timeline gives you a useful floor for thinking about urgency.
What should register is velocity. The Webber et al. estimate held as consensus for years. One paper moved the bound by 20x. Research improvements compound. Attacks get better. They do not revert.
The 3.7 million BTC problem
Bitcoin addresses do not carry equal exposure. The risk concentrates in P2PK outputs from Bitcoin's earliest years.
Between 2009 and roughly 2012, Bitcoin transactions stored the full public key directly on-chain in P2PK format. Satoshi's coins sit here. So does a substantial fraction of early mining output. Many of these outputs haven't moved in over a decade. The private keys may be lost. The owners may be unreachable.
That sets up a policy question the Google paper raises explicitly. When a quantum computer can derive those private keys, is that theft, or something else? The paper does not answer. The community has not answered either. BIP-361 proposes an eventual freeze on vulnerable coins as part of the migration path. That debate will be loud.
If you created a wallet after 2012 with any standard wallet software, you are almost certainly using P2PKH, P2SH, P2WPKH, or P2TR. These formats hash the public key before putting it on-chain. Your public key only appears when you spend. Dormant modern wallets carry no at-rest risk.
What Core developers are building
Post-quantum work in Bitcoin development predates this paper. Google's findings have accelerated it.
Two proposals sit in draft with a working testnet. BIP-360 defines quantum-safe address types using post-quantum signature schemes. BIP-361 outlines a phased migration that gives holders time to move coins to new address types before any freeze on legacy outputs. For the full technical analysis, read BIP-360 and BIP-361: Bitcoin's Quantum Upgrade Path.
The engineering constraints are real. Post-quantum signatures are larger. CRYSTALS-Dilithium produces signatures of roughly 2,420 bytes versus ECDSA's 72 bytes. That hits block space, fees, and throughput. Any signature scheme change requires consensus upgrade across every node. Bitcoin's upgrade process is deliberate by design, not slow by accident (SegWit took years from proposal to activation; Taproot followed the same pattern). These are tractable problems. They are not fast ones.
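To see why signature size is a block-space problem rather than a footnote, the following added example (not code from the article, from any BIP, or from Bitcoin Core) applies the SegWit weight rule to a hypothetical single-input, single-output spend. The ECDSA figures reproduce the familiar P2WPKH spend size; the post-quantum case assumes ML-DSA-44 (the NIST level-2 CRYSTALS-Dilithium parameter set: 2,420-byte signature, 1,312-byte public key) and a witness that simply carries [signature, public key]. That witness layout is an assumption for illustration, since no deployed output type carries it.

```python
"""Estimate how signature size hits Bitcoin block space.

Added example, not code from the article or from any BIP. Uses the consensus
weight rule weight = 4 * base_bytes + witness_bytes, vsize = ceil(weight / 4),
and the 4,000,000-weight block limit. The transaction shape (1 input, 1 P2WPKH
output, witness = [signature, public key]) is a modelling assumption.
"""
import math

MAX_BLOCK_WEIGHT = 4_000_000  # consensus limit since SegWit

# Sizes from the article (ECDSA 72-byte signature) and from FIPS 204 (ML-DSA-44).
ECDSA_SIG, ECDSA_PUBKEY = 72, 33
MLDSA44_SIG, MLDSA44_PUBKEY = 2420, 1312


def varint_len(n: int) -> int:
    """Length of Bitcoin's CompactSize encoding of n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def spend_weight(sig_bytes: int, pubkey_bytes: int, n_in: int = 1, n_out: int = 1) -> int:
    """Weight of a spend whose each input's witness is [signature, public key]."""
    # Base serialization: version(4) + in-count + inputs + out-count + outputs + locktime(4)
    # Input = 32 txid + 4 vout + 1 empty scriptSig length + 4 sequence = 41 bytes
    # Output = 8 value + 1 script length + 22-byte P2WPKH script = 31 bytes
    base = 4 + varint_len(n_in) + 41 * n_in + varint_len(n_out) + 31 * n_out + 4
    # Witness serialization: marker + flag (2 bytes) once, then per input a stack-item
    # count followed by two length-prefixed items.
    per_input = 1 + varint_len(sig_bytes) + sig_bytes + varint_len(pubkey_bytes) + pubkey_bytes
    witness = 2 + per_input * n_in
    return 4 * base + witness


def vsize(weight: int) -> int:
    """Virtual size in vbytes, the unit fees are quoted in."""
    return math.ceil(weight / 4)


def txs_per_block(weight: int) -> int:
    """How many such spends fit in one block if nothing else is included."""
    return MAX_BLOCK_WEIGHT // weight


if __name__ == "__main__":
    for name, sig, pk in (("ECDSA / P2WPKH", ECDSA_SIG, ECDSA_PUBKEY),
                          ("ML-DSA-44 (assumed layout)", MLDSA44_SIG, MLDSA44_PUBKEY)):
        w = spend_weight(sig, pk)
        print(f"{name:<28} weight={w:>5}  vsize={vsize(w):>5} vB  spends/block={txs_per_block(w)}")
```

The roughly 9x drop in spends per block is the throughput cost the paragraph refers to; it is also why the draft proposals treat signature size, not just signature security, as a first-order design constraint.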
For how Bitcoin's protocol architecture handles upgrades, see Technical Deep Dive.
What to do right now
Stop reusing addresses. When you receive Bitcoin to an address and spend from it, your public key is exposed on-chain for that address forever. A fresh address per transaction keeps your public key hidden until you choose to spend. Every modern wallet generates new addresses on its own.
Use modern address types. If your wallet still generates legacy addresses starting with "1", move to one that supports SegWit (bc1q) or Taproot (bc1p). These formats hash the public key and keep it off-chain until spend. Most hardware wallets default to them. The Bitcoin self-custody guide covers wallet choice in detail.
Check your old wallets. If you have been in Bitcoin since the early days and still hold coins in P2PK addresses, moving them to a modern address type is the single most concrete protective step available to early adopters.
Follow BIP-360 and BIP-361. When post-quantum signature proposals reach activation maturity, the community will need to coordinate. Understand the timeline now and you are not scrambling when the upgrade ships.
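The first two steps above come down to one question a wallet can answer from its own history: has a spend from this address already published its public key, and are there still coins sitting there? Here is an added example (not code from the article or from any wallet) that audits a constructed, simplified transaction log for exactly that pattern, including the classic case of change returned to an address that was just spent from. Addresses and amounts are placeholders, not real chain data.

```python
"""Audit a wallet's history for address reuse that leaves public keys exposed.

Added example, not code from the article or any wallet. Works over a
constructed, simplified transaction log: each transaction lists the addresses it
spends from (consuming their full balance, for simplicity) and the
(address, satoshis) outputs it creates. Spending from a hash-based address
publishes the key material that address hid, so coins that later land on, or
still sit at, that address are exposed at rest. Addresses are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    spends: list    # addresses whose outputs this tx consumes
    outputs: list   # (address, satoshis) pairs this tx creates


@dataclass
class AddressReport:
    received_count: int = 0
    unspent_sats: int = 0
    key_revealed: bool = False   # a spend from this address has been broadcast

    @property
    def exposed_at_rest(self) -> bool:
        # Key already public and coins still parked there: the article's at-rest case
        return self.key_revealed and self.unspent_sats > 0


def audit(txs):
    """Replay the log in order and return {address: AddressReport}."""
    reports = defaultdict(AddressReport)
    for tx in txs:
        for addr in tx.spends:
            # The spending input carries signature and public key: the key is now
            # public, and in this model the address's balance is fully consumed.
            reports[addr].key_revealed = True
            reports[addr].unspent_sats = 0
        for addr, sats in tx.outputs:
            reports[addr].received_count += 1
            reports[addr].unspent_sats += sats
    return dict(reports)


def exposed_addresses(txs):
    return sorted(a for a, r in audit(txs).items() if r.exposed_at_rest)


def reused_addresses(txs):
    return sorted(a for a, r in audit(txs).items() if r.received_count > 1)


# Constructed placeholder history: one legacy address reused for change.
SAMPLE_HISTORY = [
    Tx("tx1", spends=[], outputs=[("1ReusedLegacyAddrPlaceholder", 100_000_000)]),
    Tx("tx2", spends=["1ReusedLegacyAddrPlaceholder"],
       outputs=[("1ReusedLegacyAddrPlaceholder", 40_000_000),    # change sent back: reuse
                ("bc1qfreshplaceholder1", 59_990_000)]),
    Tx("tx3", spends=["bc1qfreshplaceholder1"], outputs=[("bc1qfreshplaceholder2", 59_980_000)]),
    Tx("tx4", spends=[], outputs=[("bc1pnevertouchedplaceholder", 5_000_000)]),
]


if __name__ == "__main__":
    for addr, rep in audit(SAMPLE_HISTORY).items():
        print(f"{addr:<30} received={rep.received_count} unspent={rep.unspent_sats:>11} "
              f"key_revealed={rep.key_revealed} exposed_at_rest={rep.exposed_at_rest}")
    print("reused:", reused_addresses(SAMPLE_HISTORY))
    print("exposed at rest:", exposed_addresses(SAMPLE_HISTORY))
```

Only the reused legacy address comes out exposed: the fresh SegWit address that was spent from holds nothing, and the ones that were never spent from have never revealed a key. Moving the 0.4 BTC of change to a fresh address is the fix the first two steps describe.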
For wallet security practices, see Wallets: Staying Secure. For privacy practices that also reduce quantum exposure, see Bitcoin Privacy.
References
- Babbush, R., Boneh, D., Drake, J., Gidney, C., Zalcman, A., Broughton, M., Khattar, T., Neven, H., Bergamaschi, T. et al. "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities." arXiv:2603.28846, March 30, 2026. Full PDF: https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf
- Cain, M. et al. "Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits." arXiv:2603.28627, March 2026.
- IACR ePrint 2026/625. Related cryptanalytic analysis.
- NIST. FIPS 203, 204, 205 (post-quantum cryptographic standards). Finalized August 13, 2024. https://csrc.nist.gov/projects/post-quantum-cryptography
What's next
New to Bitcoin? Start with Chapter 1. It covers the foundation you need to understand the rest of this article.
Already holding? Review your wallet setup in Wallets: Staying Secure and confirm you use modern address types without address reuse. That combination is your best protection today.
