On March 30, 2026, Google Published a Paper That Changed the Math
A team from Google Quantum AI — alongside Stanford cryptographer Dan Boneh and Ethereum Foundation researcher Justin Drake — released a whitepaper titled "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities." The paper didn't break Bitcoin. It showed, with precise numbers, how much closer that possibility has become.
The previous best estimate for breaking Bitcoin's cryptography required millions of physical qubits. Google's paper brought that number below 500,000. That is a 20x reduction. And they demonstrated, using a zero-knowledge proof, that their approach works — without revealing the attack itself.
If you hold Bitcoin, this matters. Not because you need to act today, but because the timeline for action just got shorter.
Key Takeaways
- Google's paper reduced the estimated cost of breaking Bitcoin's elliptic curve cryptography by 20x — from millions of physical qubits to fewer than 500,000
- No quantum computer can break Bitcoin today. The largest existing machines have roughly 1,000 noisy qubits. The gap is still ~500x
- The attack window is narrow but real. A sufficiently powerful quantum computer could extract a private key in about 9 minutes — close to Bitcoin's 10-minute block time
- Your wallet is likely safe if you use modern address types (P2WPKH, P2TR) and don't reuse addresses. The immediate risk sits with ~3.7 million BTC in dormant wallets with exposed public keys
- Google's own internal deadline for migrating to post-quantum cryptography is 2029 — not because they expect to break anything by then, but because they believe the threat becomes credible in that timeframe
- Bitcoin Core developers are already working on post-quantum proposals. The protocol can be upgraded. The question is when, not whether
- SHA-256 and Proof of Work are not at risk. Quantum attacks on Bitcoin mining remain computationally infeasible
What Google Actually Published
The paper is authored by Ryan Babbush and colleagues at Google Quantum AI, with contributions from Dan Boneh at Stanford and Justin Drake at the Ethereum Foundation in Zug. These aren't outsiders speculating. They build quantum hardware and design cryptographic standards.
Their core finding: Shor's algorithm — the quantum algorithm that breaks elliptic curve cryptography — can solve Bitcoin's 256-bit ECDLP (elliptic curve discrete logarithm problem) with fewer than 1,200 logical qubits and 90 million Toffoli gates. An alternative configuration uses fewer than 1,450 logical qubits with 70 million Toffoli gates.
Translated to physical hardware with current superconducting architectures and error rates of 10^-3: fewer than 500,000 physical qubits. Previous estimates put this number in the millions.
The execution time is equally striking. On a fast-clock CRQC (cryptographically relevant quantum computer), the attack would take approximately 9 minutes. Bitcoin's block time is 10 minutes. The authors address this overlap directly.
One detail worth understanding: the team used a zero-knowledge proof to verify their results. This means they demonstrated that their approach works without disclosing the specific optimizations that make it possible. It's responsible disclosure applied to quantum cryptanalysis — prove the vulnerability exists, give the community time to respond, don't hand out the blueprint.
A separate paper (Cain et al., arXiv:2603.28627) reached similar conclusions using a different architecture — neutral-atom qubits — suggesting the feasibility is not tied to a single hardware path. Their analysis shows Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits, though with requirements for error rates below 10^-4 and coherence times measured in seconds that no current system achieves.
How Bitcoin's Cryptography Gets Exposed
Bitcoin uses ECDSA (Elliptic Curve Digital Signature Algorithm) to prove ownership. Every Bitcoin wallet has a private key and a corresponding public key. The private key signs transactions; the public key verifies them. The security assumption is simple: given a public key, deriving the private key is computationally infeasible. Classical computers cannot do this in any meaningful timeframe. Quantum computers running Shor's algorithm can. For a deeper look at how keys and seed phrase security relate to this, the BIP39 guide covers it in detail.
But here's where the details matter. Your public key is not always visible on the blockchain. When and how it gets exposed determines your risk.
On-spend attacks are the most immediate threat. When you broadcast a Bitcoin transaction, your public key becomes visible in the mempool — the waiting room where unconfirmed transactions sit before being mined into a block. A quantum attacker monitoring the mempool would have roughly 9 to 12 minutes to extract your private key from your public key, craft a competing transaction, and steal your funds. That window aligns uncomfortably with Bitcoin's block time.
At-rest attacks target dormant wallets where the public key is already exposed on-chain. Early Bitcoin addresses (P2PK format, used from 2009 to roughly 2012) store the public key directly. An estimated 3.7 million BTC sits in these addresses. A quantum attacker doesn't need to wait for a transaction — the public key is already there. These coins can be attacked at any time, with no time pressure.
On-setup attacks are the most exotic category. These target fixed protocol parameters — the elliptic curve constants themselves. The Google paper addresses this but considers it a lower-priority vector.
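Added example (not code from the Google paper or from this guide): the Python below encodes the output-script templates this section contrasts, flags P2PK outputs as exposed at rest, extracts the key that a P2PKH or P2WPKH spend must reveal, and totals a constructed UTXO list by exposure class. The key bytes, hashes and amounts are constructed dummies, and only the three standard templates named here are recognised, so this is an exposure audit, not a full script parser.

```python
"""Audit constructed Bitcoin outputs for public-key exposure at rest and on spend."""
OP_0, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x76, 0xA9, 0x88, 0xAC


def classify_script_pubkey(script):
    """Name the output template and say whether the raw key is readable at rest."""
    n = len(script)
    # P2PK (2009-2012 era): <push 33|65> <pubkey> OP_CHECKSIG; key sits on-chain forever
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return {"type": "P2PK", "at_rest": True, "pubkey": script[1:-1].hex()}
    # P2PKH: OP_DUP OP_HASH160 <20> <hash160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return {"type": "P2PKH", "at_rest": False, "pubkey_hash": script[3:23].hex()}
    # P2WPKH (SegWit v0): OP_0 <20> <hash160(pubkey)>
    if n == 22 and script[:2] == bytes([OP_0, 20]):
        return {"type": "P2WPKH", "at_rest": False, "pubkey_hash": script[2:].hex()}
    return {"type": "other", "at_rest": None}


def pubkey_revealed_on_spend(script_type, spend_pushes):
    """Hash-based outputs reveal the key only when spent: P2PKH in the scriptSig,
    P2WPKH in the witness, in both cases as the last of two pushes (<sig> <pubkey>).
    Returns None for P2PK, where spending reveals nothing that was not already public."""
    if script_type in ("P2PKH", "P2WPKH") and len(spend_pushes) == 2:
        return spend_pushes[1]
    return None


def summarize_exposure(utxos):
    """Sum the satoshis held in outputs whose key is already visible at rest."""
    totals = {"at_rest_exposed_sats": 0, "hidden_until_spend_sats": 0, "other_sats": 0}
    for script, sats in utxos:
        at_rest = classify_script_pubkey(script)["at_rest"]
        bucket = ("at_rest_exposed_sats" if at_rest else
                  "hidden_until_spend_sats" if at_rest is False else "other_sats")
        totals[bucket] += sats
    return totals


# Constructed sample data: dummy key bytes and hashes, not real on-chain values.
UNCOMPRESSED_KEY = b"\x04" + bytes(range(64))   # 65-byte dummy, P2PK-era style
COMPRESSED_KEY = b"\x02" + bytes(range(32))     # 33-byte dummy, what a spend pushes
DUMMY_HASH160 = bytes(20)
P2PK_SCRIPT = bytes([65]) + UNCOMPRESSED_KEY + bytes([OP_CHECKSIG])
P2PKH_SCRIPT = (bytes([OP_DUP, OP_HASH160, 20]) + DUMMY_HASH160
                + bytes([OP_EQUALVERIFY, OP_CHECKSIG]))
P2WPKH_SCRIPT = bytes([OP_0, 20]) + DUMMY_HASH160
SAMPLE_UTXOS = [(P2PK_SCRIPT, 50 * 10**8), (P2PKH_SCRIPT, 10**8), (P2WPKH_SCRIPT, 25_000)]
```

Running `summarize_exposure(SAMPLE_UTXOS)` puts only the P2PK output in the at-rest-exposed bucket; the hash-based outputs stay hidden until a spend pushes their key.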
For a deeper understanding of how Bitcoin transactions work and how keys relate to addresses, see Sending & Receiving Bitcoin and Technical Deep Dive.
Why This Isn't an Emergency — Yet
The numbers from Google's paper are real. But so is the gap between what exists today and what the paper describes.
The largest quantum computers in operation have approximately 1,000 noisy qubits. Google's attack requires 500,000 physical qubits with error rates of 10^-3 — meaning only one in every thousand quantum operations can fail. Current systems are nowhere near that reliability at scale.
That is a 500x gap in qubit count alone, before accounting for error correction. Building a machine with 500,000 high-quality qubits is an engineering challenge that no one has solved or publicly claimed to be close to solving.
Google's own internal migration target is 2029. They are preparing their systems for post-quantum cryptography by that date — not because they expect a working cryptographically relevant quantum computer by then, but because they believe the risk becomes non-trivial in the years that follow. This is a company that builds quantum hardware. Their timeline reflects their view of what's achievable.
But here's the part that should keep you alert: the 20x improvement in this paper happened in just a few years. The previous estimates were published, debated, and widely cited as proof that quantum attacks on Bitcoin were decades away. Then a single paper moved the goalpost by an order of magnitude. Attacks get better. They don't get worse.
The honest framing: Bitcoin is not in danger today. It will need to upgrade its cryptography within the next decade. The window is measured in years, not months — but it is not indefinite.
The 3.7 Million Bitcoin Problem
Not all Bitcoin addresses are equally exposed. The risk concentrates on a specific category: P2PK (Pay-to-Public-Key) addresses from Bitcoin's earliest years.
Between 2009 and roughly 2012, Bitcoin transactions used a format that stored the full public key directly on the blockchain. Satoshi Nakamoto's own coins are in P2PK addresses. An estimated 3.7 million BTC — worth hundreds of billions of dollars at current prices — sits in these addresses with their public keys permanently visible.
Many of these coins haven't moved in over a decade. The private keys may be lost. The owners may be unreachable or deceased. These coins cannot be migrated to quantum-safe addresses because no one can sign the transaction to move them.
This creates an uncomfortable policy question that the Google paper explicitly raises: what happens when a quantum computer becomes powerful enough to derive those private keys? Is that theft? Is it "digital salvage" — the quantum equivalent of recovering sunken treasure? The paper doesn't answer the question. It flags it for the community to debate.
This is probably not your situation. If you created your wallet after 2012 using any standard wallet software, your Bitcoin almost certainly uses modern address formats: P2PKH, P2SH, P2WPKH (SegWit), or P2TR (Taproot). These formats hash your public key before putting it on-chain. Your public key is only revealed when you spend — not while your coins sit idle. Dormant modern wallets are not vulnerable to at-rest quantum attacks.
What Core Developers Are Already Building
Bitcoin's developers are not waiting for a quantum emergency. Post-quantum cryptography (PQC) research has been active in the Bitcoin development community for years, and the Google paper has accelerated that work.
NIST (the U.S. National Institute of Standards and Technology) finalized its first set of post-quantum cryptographic standards in 2024. These algorithms — including CRYSTALS-Dilithium for digital signatures and CRYSTALS-Kyber for key encapsulation — are designed to resist both classical and quantum attacks.
For Bitcoin, the migration path involves several Bitcoin Improvement Proposals (BIPs) that would introduce quantum-resistant signature schemes. The technical challenges are real:
Signature size. Post-quantum signatures are significantly larger than ECDSA signatures. A CRYSTALS-Dilithium signature is roughly 2,420 bytes compared to ECDSA's ~72 bytes. This has direct implications for block space, transaction fees, and network throughput.
Consensus changes. Any change to Bitcoin's signature scheme requires a soft fork or hard fork — a protocol upgrade that every node on the network must adopt. Bitcoin's upgrade process is deliberately conservative. The SegWit upgrade took years from proposal to activation.
Backward compatibility. Existing UTXOs (unspent transaction outputs) protected by ECDSA need a migration path. Users must actively move their funds to new quantum-resistant address types. This cannot be done automatically.
The work is underway. Two proposals — BIP-360 (quantum-safe addresses) and BIP-361 (a phased migration plan that would eventually freeze vulnerable coins) — are now in draft with a working testnet. For the full analysis of what these proposals mean for holders, read BIP-360 and BIP-361: Bitcoin's Quantum Upgrade Path.
For more on Bitcoin's protocol architecture and how upgrades work, see Technical Deep Dive.
What Bitcoin Holders Should Do Right Now
Don't panic. No quantum computer can break Bitcoin's cryptography today. The gap between current hardware and what's needed is enormous. You have time.
Don't reuse addresses. Every time you receive Bitcoin to the same address and spend from it, your public key is exposed on-chain for that address. Using a fresh address for every transaction minimizes the window during which your public key is visible. Every modern wallet generates new addresses automatically — make sure yours does.
Use modern address types. If your wallet still generates legacy addresses (starting with "1"), consider migrating to a wallet that supports SegWit (addresses starting with "bc1q") or Taproot (addresses starting with "bc1p"). These formats hash your public key, keeping it hidden until you spend. Most hardware wallets and reputable software wallets support these formats by default. The Bitcoin self-custody guide walks through choosing the right wallet type in detail.
Check your old wallets. If you've been in Bitcoin since the early days and have coins in P2PK addresses, consider moving them to a modern address format. This is the single most concrete step early adopters can take.
Stay informed. Follow the Bitcoin Core development mailing list and BIP discussions. When post-quantum signature proposals reach maturity, the community will need to coordinate an upgrade. Understanding the timeline helps you prepare.
Don't make financial decisions based on quantum fear. The fundamentals of Bitcoin — its monetary policy, its decentralization, its settlement guarantees — are unchanged. The cryptography will need upgrading. That is a known, tractable engineering problem with active work toward solutions.
For more on wallet security practices, see Wallets — Staying Secure. For privacy practices that also reduce quantum exposure, see Bitcoin Privacy.
Frequently Asked Questions
Can quantum computers break Bitcoin?
Not today. Google's March 2026 paper showed that a quantum computer with fewer than 500,000 physical qubits could break Bitcoin's elliptic curve cryptography in about 9 minutes. Current quantum computers have approximately 1,000 noisy qubits. Based on current trajectories, a cryptographically relevant quantum computer is estimated to be 5 to 15 years away. Bitcoin's protocol can and will be upgraded before that threshold is reached.
How many qubits are needed to break Bitcoin?
Google's paper estimates fewer than 500,000 physical qubits with error rates of 10^-3, or fewer than 1,200 logical qubits. The largest existing quantum computers have roughly 1,000 noisy qubits — a 500x gap before accounting for the error correction improvements required.
Is my Bitcoin wallet safe from quantum attacks?
Yes, for now. If you use modern address types (P2WPKH or P2TR) and avoid reusing addresses, your public key is only exposed briefly when you spend. Dormant coins in modern addresses are not vulnerable. The primary at-rest risk is to early-era P2PK addresses with permanently exposed public keys.
Should I sell my Bitcoin because of quantum computing?
This book doesn't offer price advice. What we can say: Bitcoin's cryptographic vulnerability is a known, well-studied problem with active solutions in development. The protocol has been upgraded before and will be upgraded again. Google's paper is a data point that accelerates the timeline — it doesn't change the fundamental value proposition of a decentralized, fixed-supply monetary network.
References
- Babbush, R. et al., "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities," Google Quantum AI Whitepaper, March 30, 2026
- Cain, M. et al., "Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits," arXiv:2603.28627
- Google Research Blog, "Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly," March 2026
What's Next
New to Bitcoin? Start with Chapter 1 — it takes 8 minutes to read, and it gives you the foundation to understand everything in this article.
Already holding? Review your wallet security in Wallets — Staying Secure — make sure you're using modern address types and not reusing addresses. These two habits are the best protection you have today.
