Google’s Quantum AI team has published new research estimating that a cryptographically relevant quantum computer could break the elliptic-curve cryptography securing Bitcoin and Ethereum with far fewer resources than previously thought, compressing perceived timelines for “Q‑day” and renewing debate over Bitcoin’s Taproot-era exposure.
Google Research Lowers Qubit Threshold for Breaking ECC
In a whitepaper and accompanying blog post released Tuesday, Google researchers report that optimized quantum circuits for the elliptic-curve discrete logarithm problem over 256-bit keys (ECDLP‑256) could be executed with fewer than 500,000 physical qubits and roughly 1,200 logical qubits. That figure is well below earlier projections that envisioned the need for millions of physical qubits.
“We estimate that these circuits can be executed on a superconducting qubit [cryptographically relevant quantum computer] with fewer than 500,000 physical qubits in a few minutes, given standard assumptions about hardware capabilities that are consistent with some of Google’s flagship quantum processors,” the team wrote, calling the result “an approximately 20‑fold reduction in the number of physical qubits required to solve ECDLP‑256.” The whitepaper warns that cryptographically relevant quantum computers pose a threat to widely deployed public‑key cryptography.
Most major blockchains, including Bitcoin and Ethereum, rely on 256‑bit elliptic‑curve cryptography to secure wallets and authorize transactions. While no such quantum hardware exists today, the new estimates narrow the gap between theory and practice and could accelerate planning for post‑quantum migration.
Live Attack Model: Stealing Coins During Confirmation
Beyond static key recovery, the research models a live, in‑flight attack in which a quantum adversary derives a private key from a freshly revealed public key and attempts to spend the coins before the original transaction confirms. The authors estimate an attack could succeed in roughly nine minutes, implying about a 41% chance of beating Bitcoin’s average 10‑minute block time under their assumptions. Ethereum’s faster confirmation times could reduce that window, though its externally owned accounts also rely on elliptic‑curve signatures.
Taproot Widens On‑Chain Exposure
The findings put Bitcoin’s 2021 Taproot upgrade in a new light. While Taproot improved privacy and scripting efficiency with Schnorr signatures and aggregated spending conditions, it also began revealing public keys on‑chain by default, removing the prior “hash‑first” layer that older address formats (such as P2PKH) provided. Researchers estimate that approximately 6.9 million BTC are now potentially quantum‑exposed over a long enough horizon, including coins in Taproot outputs, heavily reused addresses, and Satoshi‑era outputs that reveal public keys.
Industry Timeline and Market Impact
Although the necessary quantum machines do not yet exist, Google has reportedly set 2029 as an internal deadline for post‑quantum migration across its systems, underscoring the long lead times required to update cryptographic infrastructure. On social platform X, industry figures highlighted additional papers published the same day, including work from Oratomic, Caltech, and UC Berkeley that explores attacks using reconfigurable atomic qubits, reflecting growing academic focus on real‑world feasibility.
For crypto markets and infrastructure teams, the research may reshape how “old coins,” address‑reuse, and Taproot usage are valued and managed. Key signals to watch include:
- Taproot adoption trends and address‑reuse hygiene across major networks.
- Progress on post‑quantum cryptography standards and wallet/protocol migration plans.
- Developer discussions around quantum‑resilient upgrade paths and timelines.
At the time of writing, Bitcoin trades around $66,000, according to TradingView data.