Google Warns Quantum Computers Could Threaten Bitcoin Encryption Sooner

Google’s quantum warning reshapes the Bitcoin encryption timeline

Google published a whitepaper warning that quantum computers may be able to break the cryptography used by Bitcoin and Ethereum with far fewer resources than earlier estimates suggested. That changes the conversation in a big way. Instead of treating the risk as distant and highly impractical, the paper argues that the path to a real threat may be shorter than many expected.

At the center of the warning is the cryptography securing most blockchains: 256-bit elliptic curve cryptography. Google’s Quantum AI team found that breaking it could require fewer than 500,000 physical qubits. That figure is about 20 times lower than earlier estimates that placed the requirement in the millions.

Fewer qubits and fewer gates than earlier estimates

The researchers described two quantum circuits implementing Shor’s algorithm. One used fewer than 1,200 logical qubits and 90 million Toffoli gates. The other used fewer than 1,450 logical qubits and 70 million gates.

Google’s researchers said future quantum computers may be able to break the elliptic curve cryptography protecting cryptocurrency and other systems with fewer qubits and gates than previously understood. That point matters because it narrows the gap between theory and potential execution.

How a quantum attack on a Bitcoin transaction could work

Google also described a practical “on-spend” attack scenario tied to normal Bitcoin transaction behavior. When someone broadcasts a Bitcoin transaction, the public key is exposed for a short window. According to the paper, a quantum computer could use that moment to derive the private key and redirect the funds.

The attack would need to move quickly. Google’s outline says it could be completed in about nine minutes. That fits within Bitcoin’s roughly 10-minute block confirmation window. In that scenario, the attacker would have about a 41% chance of beating the original transfer.

Why the transaction window matters

This attack model focuses on timing rather than permanent access at the moment of key creation. The risk appears when the public key becomes visible during a transaction broadcast. If a quantum system can act inside that narrow window, the original owner may lose the race to confirm the intended transfer.

That makes the threat feel more immediate. It is not framed only as a long-range concern about old wallets or dormant keys. It is also tied to how transactions can function in real time.

Bitcoin already has exposed addresses that cannot be upgraded

The paper says the issue is not purely theoretical. About 1.7 million Bitcoin are held in early wallet formats known as P2PK. Those wallets have permanently exposed public keys and cannot be upgraded to quantum-resistant standards.

A broader estimate from Project Eleven places the amount of Bitcoin in vulnerable addresses at around 6.8 million. Taken together, those figures suggest that a meaningful amount of Bitcoin is already sitting in structures that may be exposed if quantum capabilities continue to improve.

Why older wallet formats create lasting risk

Early wallet formats matter here because the public key exposure is already baked in. And once that information is permanently exposed, there is no simple path to retroactively make those holdings quantum-safe using the same address structure.

That’s what gives this warning weight. Some of the exposure is already embedded in the network’s history.

Taproot improved functionality but increased quantum exposure

Google’s whitepaper also pointed to Bitcoin’s 2021 Taproot upgrade as an area of concern. Taproot improved transaction privacy and expanded functionality, but Google said it also increased public key exposure.

The paper described this as a tradeoff between functionality and quantum safety. That tension is important. A change that improves how the network works in one direction may also increase long-term cryptographic exposure in another.

The tradeoff between utility and quantum safety

Taproot is presented here as neither purely good nor purely bad. It improved privacy and functionality, but it also widened exposure in a way that matters under a quantum threat model.

That means the conversation is no longer just about whether blockchain systems can evolve. It is also about what those upgrades expose, and whether the design choices made for performance or flexibility create new risk later.

Google urges a post-quantum migration now

Google urged the crypto industry to begin moving toward post-quantum cryptography now. The company recently set a 2029 deadline to migrate its own infrastructure, and it argued that the crypto community should start the same transition without waiting.

Google also said it used a zero-knowledge proof to verify its findings without disclosing the underlying attack circuits. It called on other research teams to follow similar responsible disclosure practices.

Responsible disclosure without revealing attack circuits

That approach tries to strike a balance. Google says the findings can be verified, but the exact attack circuits were not shared. The goal is to raise awareness and support defensive planning without openly handing over a playbook for exploitation.

The researchers said they want to increase awareness and provide recommendations so the cryptocurrency community can improve security and stability before such attacks become possible.

The risk reaches beyond Bitcoin to Ethereum and other blockchain systems

Google said the threat does not stop with Bitcoin. Ethereum also depends on cryptography that would be vulnerable in a quantum scenario. The paper specifically flagged Ethereum smart contracts, proof-of-stake validator signatures, and layer 2 commitments as exposed to this category of risk.

Some blockchain projects have already started testing quantum-safe approaches. The text points to Algorand and the XRP Ledger as examples of projects experimenting with quantum-safe integrations. It also says the Ethereum Foundation has stepped up its own efforts.

Why this is a broader blockchain security issue

This matters because the warning is not limited to one chain, one wallet type, or one corner of crypto. The concern touches transaction signing, validator behavior, and scaling layers. In other words, it reaches into the core systems that blockchains rely on to operate securely.

And that changes the scope of the conversation. This is not only a Bitcoin key-management issue. It is a wider blockchain cryptography issue.

What Google’s warning means for quantum risk in crypto

Google’s paper pushes the industry toward a more urgent view of quantum risk. The key shift is not that quantum computers are already breaking Bitcoin today. It is that the resources required may be far lower than older estimates suggested, and that known exposure already exists across Bitcoin and other blockchain networks.

The warning also highlights three pressure points at once:

• lower estimated resource requirements for attack execution
• already exposed Bitcoin in vulnerable address types
• a need to begin post-quantum migration before the threat becomes practical

That combination makes the issue harder to dismiss as a distant technical curiosity. It now looks more like a security planning problem with real design, migration, and timing consequences.