Google Cuts Quantum-Cracking Estimates 20× — $600B Countdown for Bitcoin & Ethereum

The headline findings (and the nerdy bits)

Google’s quantum team dropped a paper that seriously shrinks previous estimates for the hardware needed to crack the elliptic-curve math that underpins Bitcoin and Ethereum wallets. In plain English: the quantum threat just got a lot more realistic — still hypothetical, but less sci-fi and more “uh-oh.”

The researchers show that Shor’s algorithm for the common 256-bit curve could run with roughly 1,200–1,450 logical qubits and on the order of 70–90 million Toffoli gates. Once error-correction overhead is included, that maps to an estimated superconducting machine with fewer than about 500,000 physical qubits that could break keys in minutes. That’s roughly a 20-fold reduction from older physical-qubit estimates.

Google is careful to note: no such cryptographically capable quantum computer is known to exist today. Still, some experts now put a non-trivial chance on a so-called “Q-day” within the next decade — one researcher raised his personal probability for a breakthrough by 2032 to around 10%.

Rather than publishing full attack circuits, the authors used a disclosure model that lets outsiders verify the resource math without revealing detailed attack code. The takeaway: the community needs reliable resource estimates to motivate defenses, but publishing every attack detail could be irresponsible right now.

Why you should care — Bitcoin, Ethereum, and the scramble to migrate

There are two distinct worries. First: live “on-spend” attacks. For Bitcoin, the paper models an attacker who waits until you broadcast a transaction (which exposes a public key), then uses a fast quantum machine to recover the private key and race to broadcast a competing spend. If a future machine can go from ready-to-attack to key-cracking in about nine minutes, that dangerously overlaps with Bitcoin’s usual ~10-minute block interval. Under the paper’s assumptions, the success chance for such a race is on the order of 40% — not trivial.

Second: at-rest exposure. Lots of funds sit in addresses that are inherently vulnerable if keys are ever recovered. The study estimates roughly 6.7 million BTC live in susceptible outputs — a big chunk of the supply. Older pay-to-public-key formats alone account for over 1.7 million BTC, and total dormant vulnerable coins could be around 2.3 million BTC across output types. Many of these coins are probably lost or abandoned, so you can’t just ask everyone to move their funds.

Even recent upgrades introduce subtleties. One example is Taproot’s design, which improves privacy and flexibility but also places tweaked public keys directly in locking scripts, a different way to create “at-rest” exposure. Grover-style attacks on proof-of-work remain a non-urgent concern for decades; the nearer-term pain point is signatures (i.e., private keys), not mining algorithms.
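To make the at-rest versus on-spend distinction concrete, here is an added example (not from the paper or the original article) that sorts Bitcoin locking scripts by whether the public key is already visible on chain. It goes slightly beyond the text by also covering bare multisig and hash-locked outputs whose key was revealed by an earlier spend; the `key_already_revealed` flag, the function names and the sample outputs are assumptions made for illustration.

```python
AT_REST = "exposed at rest"
ON_SPEND = "exposed only on spend"
UNKNOWN = "unknown"

# Hash-locked templates: (name, script length, prefix, suffix).
HASHED = [
    ("p2pkh", 25, b"\x76\xa9\x14", b"\x88\xac"),
    ("p2sh", 23, b"\xa9\x14", b"\x87"),
    ("p2wpkh", 22, b"\x00\x14", b""),
    ("p2wsh", 34, b"\x00\x20", b""),
]

def classify(script_hex, key_already_revealed=False):
    """Return (output_type, exposure) for a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte public key> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", AT_REST
    # P2TR: OP_1 <32-byte tweaked x-only public key>
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", AT_REST
    # Bare multisig: OP_m <keys...> OP_n OP_CHECKMULTISIG
    if n >= 37 and 0x51 <= s[0] <= 0x60 and 0x51 <= s[-2] <= 0x60 and s[-1] == 0xAE:
        return "multisig", AT_REST
    # Hash-locked outputs hide the key until a spend from that address reveals it.
    for name, size, head, tail in HASHED:
        if n == size and s.startswith(head) and s.endswith(tail):
            return name, (AT_REST if key_already_revealed else ON_SPEND)
    return "nonstandard", UNKNOWN

def audit(utxos):
    """Sum satoshis per exposure class for (script_hex, sats, revealed) tuples."""
    totals = {}
    for script_hex, sats, revealed in utxos:
        _, exposure = classify(script_hex, revealed)
        totals[exposure] = totals.get(exposure, 0) + sats
    return totals

# Constructed sample outputs (placeholder key and hash bytes, not real chain data).
SAMPLE = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),  # P2PK
    ("5120" + "22" * 32, 150_000, False),                     # P2TR
    ("76a914" + "33" * 20 + "88ac", 2_000_000, False),        # P2PKH, never spent from
    ("0014" + "44" * 20, 700_000, True),                      # P2WPKH, address reused
    ("0020" + "55" * 32, 900_000, False),                     # P2WSH
]

if __name__ == "__main__":
    for exposure, sats in audit(SAMPLE).items():
        print(f"{exposure}: {sats / 1e8:.8f} BTC")
```

A custodian could feed its own UTXO set through `audit` to see how much value already sits behind a visible public key and should be prioritised for migration.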

Ethereum’s story is framed a little differently. Fast quantum machines are less suited to typical short-lived transaction races on Ethereum because of its smaller block slots and faster transaction processing. The primary danger there is long-lived accounts, admin keys, and smart-contract control keys — the things that act as gatekeepers for tokens, bridges, oracles, and minting functions.

The paper estimates a fast attacker could target the top thousand wealthiest accounts in under two weeks, and that a subset of contract-admin keys across the largest contracts could be broken in hours. Those admin keys can be control points for stablecoins, bridges, and oracles, and can therefore effectively unlock far more than the ETH balance directly associated with the account. In short: attacking one key can cascade into hundreds of billions of dollars in risk across tokens and tokenized assets.

On the big-picture balance sheet, the paper flags additional exposures: tens of millions of ETH tied up in Layer 2 protocols and data-availability systems, and very large amounts of staked consensus value that rely on different signature schemes. When you add up all these slices, the risk looks less like “wallet safety” and more like “infrastructure-wide headache.”

So what do we do? The obvious answer is migration to post-quantum cryptography and better key hygiene — stop reusing keys, minimize public-key exposure, and plan large-scale, coordinated upgrades. The paper’s authors and other experts say migration will take years and require protocol-level work plus changes in how wallets and custodians behave. This is not something you can fix overnight, and it’s not a problem to punt on until we have perfect certainty about quantum arrival times.

Bottom line: this research doesn’t say the apocalypse is tomorrow, but it does pull the quantum threat into clearer focus and speeds up the countdown clock. If you hold keys, build wallets, run a service, or manage treasury assets, this is the moment to start taking post-quantum planning seriously — with urgency and a little bit of caffeinated panic.