Your Bitcoin and Ethereum Might Not Be Safe: Google's Latest Quantum Warning Changes Everything

Google Quantum AI's 2026 paper shows a quantum computer could crack Bitcoin and Ethereum encryption in under 9 minutes using fewer than 500,000 physical qubits.
Soumen Datta
March 31, 2026
Bitcoin and Ethereum are more vulnerable to quantum computer attacks than most in crypto realize, according to a March 2026 whitepaper from researchers at Google Quantum AI, the Ethereum Foundation, and Stanford University. The paper shows a working quantum computer could break the elliptic curve cryptography protecting most crypto wallets in roughly 9 minutes, using fewer than 500,000 physical qubits.
What Makes Bitcoin and Ethereum Vulnerable to Quantum Attacks?
Both blockchains rely on Elliptic Curve Cryptography (ECC), specifically a curve called secp256k1, to secure wallet signatures. The security of that system depends on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). Shor's algorithm, a known quantum computing method, can solve ECDLP efficiently. The critical question has always been: how large does the quantum computer actually need to be?
The research team provides a precise answer. They built two quantum circuit variants to break 256-bit ECDLP:
- 1,200 logical qubits and 90 million Toffoli gates
- 1,450 logical qubits and 70 million Toffoli gates
On a superconducting quantum architecture with physical error rates of 10⁻³, both variants run on fewer than 500,000 physical qubits. That is nearly 20 times fewer than previous published estimates. To prove these figures without exposing the actual attack circuits, the team published a zero-knowledge (ZK) proof, a cryptographic method that lets you verify a claim without revealing the underlying data. That same technique is already used in blockchain privacy protocols like Zcash.
How Fast Could a Quantum Attack Actually Happen?
With the machine pre-loaded in what the researchers call a "primed" state, cracking a single private key takes roughly 9 to 12 minutes. That timing matters directly for Bitcoin.
When a user broadcasts a Bitcoin transaction, their public key becomes visible in the public mempool, the queue of unconfirmed transactions. The average Bitcoin block takes about 10 minutes to confirm. A quantum attacker could pull the public key from the mempool, derive the private key in approximately 9 minutes, and broadcast a fraudulent competing transaction before the original gets confirmed. The researchers calculate slightly less than 41% probability of success under idealized conditions.
This is called an on-spend attack. A separate type, the at-rest attack, targets wallets whose public keys are already permanently visible on-chain. Pay-to-Public-Key (P2PK) scripts, used heavily in Bitcoin's early years, fall into this category. They still hold approximately 1.7 million BTC, including Satoshi-era mining rewards. Across all vulnerable script types, roughly 6.9 million BTC is currently at risk.
Bitcoin's Proof-of-Work Is Not at Risk
Bitcoin mining uses SHA-256 hashing. Grover's algorithm, the quantum method sometimes cited as a mining threat, provides only a quadratic speedup. Quantum error correction overhead absorbs that speedup almost entirely. Under realistic assumptions, a quantum miner would still be far slower than today's ASIC hardware, such as the Antminer S19 Pro, which runs at over 110 TH/s. Bitcoin's Proof-of-Work consensus is not a credible quantum target.
Does Ethereum Have a Bigger Quantum Problem Than Bitcoin?
Yes. Ethereum's account model, smart contracts, and Proof-of-Stake consensus create more attack surfaces. The researchers identify five distinct vulnerability types.
Once an Ethereum account sends a transaction, its public key is permanently exposed on-chain. The top 1,000 Ethereum accounts by balance hold approximately 20.5 million ETH, most of which are vulnerable. Smart contracts controlled by admin keys, which have also been exposed through past transactions, add more risk. At least 70 of the top 500 contracts by ETH balance, holding around 2.5 million ETH, have exposed admin keys. These keys control stablecoins, bridges, and price oracles.
Layer 2 networks such as Arbitrum and Base are Optimistic Rollups that rely on digital signatures vulnerable to quantum attacks, while zkSNARK-based protocols such as zkSync Era also use quantum-vulnerable elliptic curve pairings. The researchers estimate at least 15 million ETH in total value is at risk across major L2 protocols. The staking layer holds approximately 37 million ETH secured by BLS signatures on the BLS12-381 curve, which is breakable by a somewhat larger, but still first-generation, quantum computer.
Ethereum's Data Availability Sampling (DAS) mechanism, introduced in the Dencun upgrade in March 2024, uses KZG polynomial commitments. A single quantum computation could extract a permanent secret from those public parameters and generate a reusable exploit, requiring no further quantum access to attack the system afterward. Ethereum's total value secured, including stablecoins and tokenized real-world assets (RWAs), exceeds $600 billion. RWA tokenization is projected to reach $16.1 trillion by 2030, expanding that attack surface further.
Which Blockchains Are Already Post-Quantum?
A handful of projects built with this threat in mind. The Quantum Resistant Ledger (QRL) has used post-quantum signatures since its 2018 launch. Algorand completed its first post-quantum transaction in 2025 using Falcon signatures, a scheme standardized by the U.S. National Institute of Standards and Technology (NIST). Solana deployed an experimental Winternitz Vault for post-quantum asset storage. The XRP Ledger tested ML-DSA signatures on its AlphaNet test instance. For Bitcoin, BIP-360 proposes a new Pay-to-Merkle-Root (P2MR) script type that removes the at-rest vulnerability reintroduced by Taproot's P2TR addresses.
What Is the Ethereum Foundation Doing About the Quantum Threat?
The Ethereum Foundation has already begun taking concrete steps toward post-quantum readiness. Justin Drake, one of the co-authors of this research paper, is himself a researcher at the Ethereum Foundation.
The Foundation has supported research into hash-based replacements for the BLS12-381 signature scheme currently used by Ethereum validators. A draft proposal called EIP-7932 has also been put forward to introduce precompiled smart contracts that support post-quantum signature schemes directly at the protocol level, something that does not currently exist on Ethereum.
In a post on X, Drake described the publication of this paper as marking an inflection point in the Ethereum Foundation's long-term quantum strategy. The paper itself notes that Ethereum's stronger organizational leadership, compared to Bitcoin's fully decentralized governance model, gives it a meaningful advantage in executing a faster and more coordinated migration to post-quantum cryptography.
What Should Crypto Users Do Right Now?
The most exposed assets today are Bitcoin wallets using P2PK or P2TR (Taproot, bc1p prefix) scripts, Ethereum accounts that have ever sent a transaction, and any address with reused public keys across transactions or chains.
Switching to fresh SegWit (bc1q) addresses on Bitcoin reduces at-rest risk. The only complete long-term fix is a protocol-wide migration to post-quantum cryptography, and the researchers say that process needs to start immediately.
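The script types named above can be told apart from the output script itself. The following is an added example, not code from the paper or this article: it classifies a wallet's outputs by whether the public key is already on-chain. The `spent_before` field (assumed to come from the wallet's own history) and the sample scripts are constructed for illustration.

```python
# Added example. Sample scripts are constructed placeholders, not real outputs.
EXPOSED, HASHED = "exposed", "hashed"

def classify_script(script_hex):
    """Return (script_type, at-rest status) for a scriptPubKey given as hex."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return ("invalid", None)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac); the key sits in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        prefix_ok = s[1] in (2, 3) if n == 35 else s[1] == 4
        if prefix_ok:
            return ("P2PK", EXPOSED)
    # P2TR (bc1p): OP_1 <push 32> <x-only output key>; the key sits in the output
    if n == 34 and s[:2] == b"\x51\x20":
        return ("P2TR", EXPOSED)
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("P2PKH", HASHED)
    # P2SH: OP_HASH160 <push 20> <hash160> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return ("P2SH", HASHED)
    # Native SegWit v0 (bc1q): OP_0 <push 20|32> <hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return ("P2WPKH", HASHED)
    if n == 34 and s[:2] == b"\x00\x20":
        return ("P2WSH", HASHED)
    return ("unknown", None)

def audit(utxos):
    """List (label, type, reason) for outputs whose public key is already public."""
    findings = []
    for u in utxos:
        kind, status = classify_script(u["script"])
        if status == EXPOSED:
            findings.append((u["label"], kind, "key in output script"))
        elif status == HASHED and u.get("spent_before"):  # hypothetical field
            findings.append((u["label"], kind, "key revealed by earlier spend"))
        elif status is None:
            findings.append((u["label"], kind, "manual review"))
    return findings

SAMPLE = [  # constructed data
    {"label": "old-coinbase", "script": "41" + "04" + "11" * 64 + "ac"},
    {"label": "taproot", "script": "5120" + "22" * 32},
    {"label": "fresh-bc1q", "script": "0014" + "33" * 20},
    {"label": "reused-legacy", "script": "76a914" + "44" * 20 + "88ac", "spent_before": True},
]
```

Calling `audit(SAMPLE)` flags the P2PK, P2TR and reused P2PKH outputs and leaves the fresh bc1q output unflagged.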
The Bottom Line
Quantum computers powerful enough to break Bitcoin or Ethereum encryption do not exist today. The machines currently operating, including Google's own superconducting processors, are nowhere near the scale needed to run the attacks described in this paper. Building a fault-tolerant quantum computer with 500,000 physical qubits at the error rates required remains a significant engineering challenge that could still take years, possibly over a decade, to achieve.
But that gap is closing faster than most people in crypto expected.
The significance of this research is not that your Bitcoin wallet is at risk today. It is that the resource requirements for breaking secp256k1 cryptography just dropped by a factor of nearly 20 compared to previous estimates. That kind of reduction, driven purely by algorithmic improvements before the hardware even catches up, is exactly the trend the crypto community needs to take seriously now.
Migrating a blockchain like Bitcoin or Ethereum to post-quantum cryptography is not a quick software patch. It requires broad community consensus, protocol changes, and enough time for millions of wallet holders to move their funds. The researchers estimate the migration process for Bitcoin alone could take several months of network capacity even under ideal conditions, and that assumes the process starts well before any quantum threat is live.
The post-quantum era is not here yet. But the window to prepare is open now, and based on this research, it may not stay open as long as the industry once assumed.
Resources
Research report by Google, Ethereum Foundation, and Stanford University: Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations
Project Eleven on X: Post on March 31
Justin Drake on X: Post on January 24
Frequently Asked Questions
How many qubits does it take to break Bitcoin's encryption?
According to the March 2026 Google Quantum AI paper, fewer than 500,000 physical qubits on a standard superconducting architecture, using circuits with either 1,200 or 1,450 logical qubits, are sufficient to break Bitcoin's 256-bit elliptic curve cryptography.
Can quantum computers threaten Bitcoin mining?
No. Bitcoin mining uses SHA-256, and quantum speedups from Grover's algorithm are almost entirely cancelled by quantum error correction overhead, making quantum mining far slower than current ASIC hardware.
Is Ethereum more at risk from quantum computers than Bitcoin?
Yes. Ethereum has more exposed public keys due to its account model, more vulnerable smart contract admin keys, a consensus layer securing 37 million staked ETH, and a Data Availability mechanism that can be permanently compromised by a single quantum computation.
Author
Soumen Datta has been a crypto researcher since 2020 and holds a master's in Physics. His writing and research have been published by publications such as CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.