Quantum threat to Bitcoin

Google researchers say recent quantum advances could let attackers break the elliptic‑curve cryptography behind Bitcoin sooner than previously thought, possibly before 2029, after estimating a roughly 20‑fold reduction in the quantum resources needed. They warn that as many as 6.9 million BTC could be vulnerable if the crypto industry does not adopt quantum‑resistant protocols, and argue that the upgrade timeline has become urgent. (forbes.com) (coinpedia.org)

The whitepaper "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities" is dated April 1, 2026 and is co‑authored by Google Quantum AI researchers including Ryan Babbush, Craig Gidney and Hartmut Neven, with collaborators Justin Drake and Dan Boneh. (arxiv.org) It presents two Shor‑algorithm circuit designs: one requiring at most 1,200 logical qubits and 90 million Toffoli gates, the other at most 1,450 logical qubits and 70 million Toffoli gates. The authors state that either circuit could run in minutes on superconducting hardware with 10^-3 physical error rates using fewer than 500,000 physical qubits. (arxiv.org)

The paper distinguishes "fast‑clock" architectures (superconducting, photonic) from "slow‑clock" ones (ion‑trap, neutral‑atom) and warns that a fast‑clock cryptographically relevant quantum computer (CRQC) could enable "on‑spend" attacks against transactions still in the mempool, i.e. against a public key that is revealed only when its owner spends. (arxiv.org) Several news analyses use the whitepaper's timing estimates to model an attack that recovers a private key in roughly nine minutes, inside Bitcoin's roughly 10‑minute average block interval, which would let the attacker broadcast a replacement transaction before the victim's transaction is confirmed. (forbes.com)

Google's team flags about 6.9 million BTC as exposed under an "at‑rest" threat model, meaning outputs whose public key is already visible on chain through address reuse or legacy script types, and identifies roughly 1.7 million BTC of that total as locked in Pay‑to‑Public‑Key (P2PK) outputs from Bitcoin's early years. (coindesk.com)

Google's Research blog says the company engaged the U.S. government and partners including Coinbase and the Ethereum Foundation, and that it has introduced a 2029 migration timeline for transitioning to post‑quantum cryptography (PQC). (research.google) To avoid releasing an exploit blueprint, the authors used a zero‑knowledge proof that lets others verify the resource estimates while the circuit details stay withheld. The paper urges the community to begin migrating to PQC immediately and to explore policy options such as regulated "digital salvage" for dormant vulnerable assets. (arxiv.org)
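Quantifying both threat models described above, as an added example that is not part of the brief or of the Google paper: the at‑rest model (which UTXO script templates put the public key itself on chain, and how address reuse exposes hash‑locked outputs) and the on‑spend race (how often a nine‑minute key recovery finishes before the next block, modelling block arrival as a Poisson process with a 10‑minute mean). The sample UTXO set, its values and all function names are constructed for illustration; the Taproot (P2TR) row goes beyond the P2PK case the brief names, since Taproot outputs also carry a curve point directly in the scriptPubKey.

```python
"""Added example (not from the brief or the paper): two small models of the
'at-rest' and 'on-spend' quantum threat to Bitcoin outputs."""
import math

# Script opcodes needed to recognise the common output templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_script_pubkey(spk: bytes) -> tuple[str, bool]:
    """Return (template, key_on_chain) for a scriptPubKey.

    key_on_chain is True when the EC public key itself sits in the UTXO set,
    so a CRQC can attack it at rest without waiting for a spend.
    """
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG  (key is in the output)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "P2SH", False
    # P2WPKH: OP_0 <20-byte hash>; P2WSH: OP_0 <32-byte hash>
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "P2WPKH", False
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key>  (a curve point, so on chain)
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "P2TR", True
    return "nonstandard", False


def exposed_at_rest(spk: bytes, address_reused: bool) -> bool:
    """At-rest exposure: key visible in the output, or revealed by an earlier
    spend from the same address (hash-locked outputs reveal the pubkey in the
    scriptSig/witness when spent, so a reused address is exposed too)."""
    template, key_on_chain = classify_script_pubkey(spk)
    if key_on_chain:
        return True
    return template in ("P2PKH", "P2WPKH") and address_reused


def exposed_balance(utxos) -> float:
    """Sum the value of UTXOs an at-rest attacker could already target."""
    return sum(value for _, spk, value, reused in utxos
               if exposed_at_rest(spk, reused))


def on_spend_success_probability(attack_minutes: float,
                                 mean_block_minutes: float = 10.0) -> float:
    """Probability that a key-recovery attack of the given duration completes
    before the victim's transaction is mined. Block arrival is modelled as a
    memoryless Poisson process (assumption), and the attacker is assumed to
    lose once the first block confirms the victim's transaction."""
    return math.exp(-attack_minutes / mean_block_minutes)


# Constructed sample UTXO set: (label, scriptPubKey, value in BTC, reused).
P2PK_SPK = bytes([65, 0x04]) + b"\x11" * 64 + bytes([OP_CHECKSIG])
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SPK = bytes([OP_0, 20]) + b"\x33" * 20
P2WSH_SPK = bytes([OP_0, 32]) + b"\x55" * 32
P2TR_SPK = bytes([OP_1, 32]) + b"\x44" * 32
SAMPLE_UTXOS = [
    ("early P2PK coinbase", P2PK_SPK, 50.0, False),
    ("P2PKH, address reused", P2PKH_SPK, 1.5, True),
    ("P2PKH, fresh address", P2PKH_SPK, 2.0, False),
    ("P2WPKH, fresh address", P2WPKH_SPK, 0.75, False),
    ("P2WSH, unspent", P2WSH_SPK, 4.0, False),
    ("P2TR", P2TR_SPK, 3.0, False),
]

if __name__ == "__main__":
    for label, spk, value, reused in SAMPLE_UTXOS:
        print(f"{label:24s} {classify_script_pubkey(spk)[0]:7s} "
              f"exposed_at_rest={exposed_at_rest(spk, reused)}")
    print(f"at-rest exposed balance: {exposed_balance(SAMPLE_UTXOS)} BTC")
    print(f"P(9-minute attack beats next block) = "
          f"{on_spend_success_probability(9.0):.3f}")
```

The on‑spend figure is the point practitioners tend to miss: the "10‑minute window" is an average of a memoryless process, so a nine‑minute attack beats the next block only about 41% of the time, and that ignores the attacker's own propagation and fee competition, which lower it further. The at‑rest functions are the ones to run over a real UTXO dump, where the reuse flag comes from whether the address has a prior spend.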


Shared from Scout.