Google's new quantum paper has jolted the Bitcoin security debate from long-dated theory into something a lot more immediate. The headline finding is simple and nasty: cracking the elliptic curve cryptography behind Bitcoin wallets may require roughly 20 times fewer quantum resources than many earlier estimates suggested. [1]

That does not mean Bitcoin is getting hacked tomorrow. It does mean the industry's old habit of filing quantum risk under "future problem" looks increasingly dodgy.

What Google actually changed

The paper from Google Quantum AI revises down the cost of attacking the public-key cryptography used by Bitcoin and Ethereum accounts. Earlier assumptions had broadly pointed to the mid-2030s or beyond for a credible threat. Google's updated modelling suggests the hardware and error-correction thresholds needed to run Shor's algorithm against wallet keys may arrive materially sooner if progress in quantum engineering keeps compounding. [2]

The practical scenario matters. A quantum attacker does not need to break Bitcoin's proof-of-work or rewrite the chain from scratch. The more realistic path is to target exposed public keys and derive the corresponding private keys quickly enough to steal funds. Google's paper indicates that, once a public key is visible, a sufficiently capable quantum machine could recover the private key in about nine minutes. [3]

For Bitcoin, that shifts the conversation from abstract cryptography to wallet hygiene, output types and upgrade timelines.

Why Bitcoin is more exposed than many holders realise

Bitcoin addresses are not all equally vulnerable. Funds sitting behind public-key hashes have some protection until the holder spends, because the full public key is not revealed on-chain until that moment. Once revealed, the clock starts. If quantum hardware ever reaches the required scale, those outputs become attackable during the transaction window or any period after exposure if coins remain in a reused address structure.

Older coins are the obvious weak spot. Early pay-to-pubkey outputs, reused addresses, and dormant wallets with exposed keys are the low-hanging fruit. Google's modelling has refocused attention on just how much BTC sits in those categories.

The figure getting passed around today is roughly 6.9 million BTC, or about one-third of total supply, that could sit at heightened quantum risk under the wrong conditions. That is not the same as saying one-third of Bitcoin can be stolen overnight. It is a measure of the blast radius if the network fails to migrate before quantum capability catches up. [4]

Taproot has added another wrinkle. While it improves privacy and scripting flexibility, some researchers have argued that wider use of Schnorr signatures and output structures that expose keys in different ways could expand the eventual attack surface if quantum-safe migration lags. Better functionality now can become a liability later if wallet software and protocol rules are slow to adapt. [3]
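How a custodian or wallet auditor might sort its own unspent outputs by whether a public key is already visible is sketched below. This is an added example, not code from Google's paper or from any wallet project; the status labels and function names are this example's own, and the sample scripts and amounts are constructed filler.

```python
from collections import Counter

def classify_script(spk_hex):
    """Name the standard output type of a scriptPubKey given as hex."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG, raw key sits in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] in (b"\x00\x20", b"\x51\x20"):
        return "p2wsh" if s[0] == 0 else "p2tr"  # p2tr: x-only key on-chain
    return "other"

def exposure(spk_hex, spent_before=frozenset()):
    """Return (type, status); the status labels are this example's own."""
    spk_hex = spk_hex.lower()
    kind = classify_script(spk_hex)
    if kind in ("p2pk", "p2tr"):
        return kind, "key-in-output"
    if kind == "other":
        return kind, "unclassified"
    if spk_hex in spent_before:  # same script already spent from: key revealed
        return kind, "revealed-by-reuse"
    return kind, "hashed-until-spend"

def summarize(utxos, spent_before=frozenset()):
    """Total satoshis per exposure status for (scriptPubKey hex, sats) pairs."""
    totals = Counter()
    for spk_hex, sats in utxos:
        totals[exposure(spk_hex, spent_before)[1]] += sats
    return dict(totals)

# Constructed sample data: filler bytes, not real keys, hashes or balances.
REUSED = "76a914" + "33" * 20 + "88ac"
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000),  # early-style P2PK
    ("76a914" + "22" * 20 + "88ac", 100_000),         # P2PKH, never spent from
    (REUSED, 250_000),                                # P2PKH, address reused
    ("0014" + "44" * 20, 70_000),                     # P2WPKH
    ("5120" + "55" * 32, 30_000),                     # P2TR
]
```

Calling `summarize(SAMPLE_UTXOS, {REUSED})` groups the sample balance by status; `spent_before` is assumed to hold lowercase hex of every script the wallet has already spent from.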

Markets are not pricing this like an immediate crisis

For all the noise, this is not showing up as a full-blown market panic. Bitcoin was trading around $67,074 in the source report, down modestly on the day rather than collapsing. That price action says traders still view quantum risk as a structural issue, not a same-week liquidation event. [3]

That reaction makes sense. Quantum attacks remain constrained by hardware that does not yet exist at the necessary fault-tolerant scale. There is no on-chain evidence of quantum exploitation, no abnormal drain from known vulnerable clusters, and no reason to think someone has silently built a machine capable of cracking Bitcoin keys in production today.

Still, market calm should not be mistaken for safety. Crypto is notorious for pricing tail risk only after it becomes operational. The same crowd that ignores slow-burn technical debt will sprint for the exits once there is a credible exploit path. For now, this looks like a repricing of urgency, not of BTC itself.

Ethereum is moving faster, and Bitcoin notices that

One awkward detail for Bitcoiners is that Ethereum developers have already started a more organised post-quantum migration effort. That does not mean Ethereum is solved, far from it, but it does mean one major ecosystem is treating the threat as an engineering roadmap instead of a forum argument. [5]

Bitcoin's culture makes changes slower by design. That has benefits in normal conditions, but it becomes a bit of a mess when the challenge demands coordination across wallets, miners, exchanges, custodians and conservative core developers. Post-quantum migration is not a one-line patch. It likely means new signature schemes, phased wallet transitions, and ugly policy questions around how to treat coins that never move.

The hardest part may not be cryptography. It may be governance. Any serious Bitcoin upgrade will invite three fights at once: which post-quantum scheme to trust, whether to force migration deadlines, and whether unmoved legacy coins should remain spendable indefinitely if they become a standing attack vector.

The real technical bottleneck is migration, not invention

Quantum-resistant signature schemes already exist in the academic and standards world. The problem is fitting them into Bitcoin's constraints without bloating transaction sizes, harming verification efficiency, or introducing new implementation risks.

Post-quantum cryptography tends to come with trade-offs. Larger signatures mean higher blockspace demand. More complex verification can affect node performance. Multi-year wallet transitions create operational risk and social friction. Exchanges and custodians can migrate with enough incentive. Lost-coin addresses, abandoned UTXOs and inert early wallets cannot.

That leads to an uncomfortable conclusion: even if Bitcoin adopts quantum-safe tools in time, some slice of the supply may remain permanently vulnerable unless consensus rules eventually quarantine or invalidate old spending paths. That is where the debate gets politically toxic. Touching dormant coins, even for network defence, will be painted by some as violating Bitcoin's core property rights.

What builders and investors are likely to do next

Expect the first response to be tactical, not revolutionary. Wallet providers can discourage address reuse more aggressively. Custodians can prioritise moving funds into outputs designed for future migration. Researchers can sharpen estimates of which UTXO sets have exposed public keys and which script types face the highest eventual risk.

Developers will also likely revisit proposals for quantum-safe address formats and staged soft fork paths. The credible route is gradual: enable new secure primitives first, incentivise migration second, and debate punitive treatment for legacy outputs only if the threat becomes near term.

For investors, the main takeaway is not to dump BTC because of a research paper. It is to understand that part of Bitcoin's security budget now sits outside mining and inside cryptographic adaptability. A chain that cannot coordinate a migration fast enough is more fragile than its market cap suggests.

That matters for institutions as well. Treasury buyers and ETF allocators have spent two years focusing on macro flows, halving cycles and sovereign adoption narratives. Quantum risk introduces a different lens: protocol upgrade risk. If this topic keeps advancing, expect due diligence memos to shift from "Can Bitcoin survive regulation?" to "Can Bitcoin upgrade under pressure?"

The timeline is still uncertain, but the comfort zone is gone

No one can honestly pin down the exact year a fault-tolerant quantum computer becomes dangerous to Bitcoin. Google's paper is not a countdown clock. It is a reduction in the estimated distance between here and a credible attack threshold.

That distinction matters. The threat remains conditional on breakthroughs in qubit quality, error correction, hardware scaling and sustained engineering execution. But the margin of safety just narrowed on paper, and that is enough to force action from serious operators.

Crypto has a bad habit of waiting for a proper scare before fixing obvious problems. This one should not need a live exploit to concentrate minds.

Risk box

What supports the current concern: Google's updated estimate cuts the resource requirement for breaking wallet cryptography by about 20 times, and the attack path targets exposed public keys rather than the chain itself.

What limits the immediate danger: No known quantum system today can execute this attack at the required fault-tolerant scale, and price action does not suggest the market sees an imminent event.

What would invalidate the panic: If later peer review shows Google's assumptions are too aggressive, or if quantum hardware progress stalls well below fault-tolerant thresholds, the urgency fades.

What would make it much worse: Faster-than-expected gains in error correction, public evidence that key recovery timelines are compressing further, or continued delay in Bitcoin post-quantum upgrade planning.
