9 Minutes to Crack a Wallet: Google's Quantum Paper Shakes the Crypto World, Has Bitcoin's "Y2K Moment" Arrived?


Author: Kapil Chira, Deep Tide TechFlow

On March 31, the Google Quantum AI team released a white paper with a bland title but explosive content.

The core conclusion of the paper: the quantum computing resources required to crack the elliptic curve cryptography (ECC-256) protecting Bitcoin and Ethereum wallets are approximately 20 times lower than previously estimated. Specifically, the attack would take fewer than 1,200 logical qubits and 90 million Toffoli gates, running on a superconducting quantum computer with fewer than 500,000 physical qubits, and would finish in only a few minutes.

On the same day, Caltech and quantum hardware startup Oratomic published another paper with even more radical conclusions: a quantum computer using a neutral atom architecture could start an attack with as few as about 10,000 physical qubits, and could crack ECC-256 in about 10 days using 26,000 qubits.

The combination of these two papers constitutes the most serious quantum threat warning the cryptocurrency industry has ever faced.

From "theoretically distant threat" to "countdown days"

To understand the impact of these two papers, one needs to look at a timeline: in 2012, academia estimated that cracking ECC-256 would require about 1 billion physical qubits. By 2023, Daniel Litinski's paper reduced this number to about 9 million. Google's new paper lowered it to below 500,000. Oratomic further reduced it to 10,000.

In twenty years, a compression of five orders of magnitude.

This means the discussion framework around quantum threats has changed drastically. The past mainstream narrative was "quantum computers are still decades away from cracking encryption," but now it has shifted to "if hardware progresses non-linearly, the window may only be five to ten years." Justin Drake, a researcher at the Ethereum Foundation (and a co-author of the Google paper), estimates that by 2032, the probability of a quantum computer cracking a secp256k1 ECDSA private key will be at least 10%.

The Google paper describes two types of attack scenarios.

The first type is the "on-spend attack." When a Bitcoin user initiates a transaction, the public key is briefly exposed in the memory pool. A sufficiently fast quantum computer could derive the private key from the public key in about 9 minutes and broadcast a competing transaction to steal the funds before the original transaction is confirmed. Considering that the average block time for Bitcoin is about 10 minutes, the paper estimates the success probability for this type of attack to be about 41%.

In cryptography, a 41% cracking probability is not statistical error but indicates a signature scheme that has already been compromised.
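
One simple model that reproduces the 41% figure (an added note, not taken from the paper): assume block discovery is a Poisson process with mean interval $\bar{T} = 10$ minutes, and that the attack succeeds whenever no block is found during the $t_{\text{crack}} = 9$ minutes of key derivation.

$$P(\text{success}) = P(T > t_{\text{crack}}) = e^{-t_{\text{crack}}/\bar{T}} = e^{-9/10} \approx 0.407$$

Under the same assumption the probability falls off exponentially with derivation time: at $t_{\text{crack}} = 20$ minutes it would be $e^{-2} \approx 0.135$.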

The second type is the "at-rest attack," targeting dormant wallets with public keys already exposed on the chain. This type of attack has no time limit, allowing the quantum computer to calculate at its own pace. The paper estimates that about 6.9 million BTC (one third of the total supply) are in this exposed state, including about 1.7 million from the Satoshi era, as well as a significant amount of funds exposed due to address reuse.

At current prices, these 6.9 million BTC are worth over 45 billion dollars.

Taproot: Intended to upgrade privacy, but expanded the attack surface

An unexpected finding in the paper is that Bitcoin's Taproot upgrade in 2021 created new vulnerabilities in terms of quantum security. Taproot was designed to enhance transaction efficiency and privacy, utilizing the Schnorr signature scheme. However, the characteristic of Schnorr signatures is that the public key is by default exposed on the chain, removing the protection layer of "hash first, then expose" found in the old address format (P2PKH).

In other words, the improvements in traditional security with Taproot opened a door in the quantum security dimension. This expands the pool of quantum-vulnerable Bitcoin from early coins and reused addresses to all wallets using Taproot.
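
The exposure distinction drawn above (public key on-chain versus only its hash), as an added example that is not from the Google paper or the original article: a classifier for the standard Bitcoin output script templates, usable for auditing which outputs are exposed at rest. The sample scripts are constructed, with placeholder key and hash bytes, and the `key_seen_before` flag is a hypothetical way to model address reuse.

```python
# Added example: classify standard Bitcoin scriptPubKey templates by whether
# the public key is visible on-chain before the output is spent.
# All sample scripts are constructed; key and hash bytes are placeholders.

EXPOSED = "public key on-chain (at-rest exposure)"
HASHED = "only a hash on-chain (key revealed at spend)"

def classify(script_hex: str, key_seen_before: bool = False) -> tuple[str, str]:
    """Return (script type, exposure) for one output script.

    key_seen_before models address reuse: an earlier spend from the same
    address has already published the key, so the hash no longer hides it.
    """
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        kind, exposure = "P2PK", EXPOSED      # <pubkey> OP_CHECKSIG
    elif n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        kind, exposure = "P2PKH", HASHED      # DUP HASH160 <20> EQUALVERIFY CHECKSIG
    elif n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        kind, exposure = "P2SH", HASHED       # HASH160 <20> EQUAL
    elif n == 22 and s[:2] == b"\x00\x14":
        kind, exposure = "P2WPKH", HASHED     # witness v0, 20-byte key hash
    elif n == 34 and s[:2] == b"\x00\x20":
        kind, exposure = "P2WSH", HASHED      # witness v0, 32-byte script hash
    elif n == 34 and s[:2] == b"\x51\x20":
        kind, exposure = "P2TR", EXPOSED      # witness v1, 32-byte output key
    else:
        return "nonstandard", "unknown"
    if key_seen_before:
        exposure = EXPOSED
    return kind, exposure

# Constructed sample outputs (placeholder bytes, not real keys or addresses).
SAMPLES = {
    "p2pk": "21" + "02" + "11" * 32 + "ac",
    "p2pkh": "76a914" + "22" * 20 + "88ac",
    "p2wpkh": "0014" + "33" * 20,
    "p2tr": "5120" + "44" * 32,
}

def audit(samples=SAMPLES, reused=("p2wpkh",)):
    """Classify every sample; names listed in `reused` count as key-revealed."""
    return {name: classify(h, name in reused) for name, h in samples.items()}

if __name__ == "__main__":
    for name, (kind, exposure) in audit().items():
        print(f"{name:7} {kind:7} {exposure}")
```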

Ethereum: Bigger issues, but prepared earlier

If Bitcoin faces "wallet-level" risks, Ethereum's problems are "infrastructure-level."

The Google paper points out that Ethereum is exposed to quantum attacks at five levels: personal wallets, smart contract management keys, PoS staking verification, Layer 2 networks, and data availability sampling mechanisms. The paper estimates that the top 1,000 Ethereum wallets hold about 20.5 million ETH, which a quantum computer capable of cracking one key every 9 minutes could empty in less than 9 days. At current ETH prices, these assets are worth about 4.15 billion dollars.

A deeper problem lies in systemic risk. About 200 billion dollars in stablecoins and tokenized assets on Ethereum depend on admin key signatures, while about 37 million staked ETH are authenticated via similarly vulnerable digital signatures. If large staking pools are compromised, attackers could even interfere with the consensus mechanism itself.

However, Ethereum has a structural advantage: the block time is only 12 seconds, most transactions are confirmed within a minute, and a significant amount of private memory pools are used, making the feasibility of "on-spend attacks" on Ethereum far lower than on Bitcoin.

The good news is that the Ethereum community's response is more proactive.

The Ethereum Foundation recently launched pq.ethereum.org, aggregating eight years of post-quantum research findings, with more than ten client teams advancing development testnets weekly. Vitalik Buterin has also published a roadmap for quantum resistance. In contrast, the Bitcoin community's governance culture is more conservative; the BIP-360 proposal (introducing quantum-resistant wallet formats) was merged into the BIP repository in February, but it addresses only one type of public key exposure, while a complete cryptographic migration requires a larger-scale protocol change.

Community Response: Panic, Rationality, and "This is not just our problem"

The response from the cryptocurrency industry was predictably divided into several factions.

The panic faction is represented by Alex Pruden, CEO of Project Eleven: "This paper directly refutes every argument the crypto industry uses to dismiss quantum threats." Haseeb Qureshi, a partner at Dragonfly, was more direct on X: "Post-quantum is no longer a drill."

The rational optimistic faction is represented by CZ. He believes that cryptocurrencies only need to upgrade to quantum-resistant algorithms, stating, "there's no need to panic." While this statement is technically correct, it overlooks a critical issue: decentralized blockchains cannot enforce software updates like banks or military networks. The migration cycle for Bitcoin infrastructure, from user wallets to exchange support to new address formats, could take five to ten years even if consensus is reached today.

The "everything can be cracked" faction points out that quantum computing threatens more than blockchains: the entire global banking system, SWIFT transfers, stock exchanges, military communications, and HTTPS websites all rely on the same cryptographic frameworks. The Google paper directly addresses this: centralized systems can push updates to users, while decentralized blockchains cannot. This is a fundamental difference.

The coldest humor came from Musk: "At least if you forget your wallet password, you'll be able to recover it in the future."

Conflicts of interest and rational discounts

Neither paper is "purely academic."

All nine authors of the Caltech/Oratomic paper are shareholders in Oratomic, six of whom are employees of the company. This paper is both a scientific product and commercial promotion for the company's neutral atom hardware roadmap. Google's paper is also not entirely neutral, as Google has set 2029 as an internal deadline for migrating its system to post-quantum cryptography, and the conclusions of the paper align closely with this business decision. Furthermore, for security reasons, Google has not disclosed the actual quantum circuit designs but has verified the results' validity to the U.S. government through zero-knowledge proofs.

The conflicts of interest in the papers need to be discounted, but the trends themselves do not need to be discounted. Each time someone claims "the quantum threat is exaggerated," the next paper cuts down the required number of qubits by another order of magnitude.

How far are we from "Q-Day"?

The most advanced quantum computers currently have about 6,000 qubits, with a coherence time of only about 13 seconds. There remains a significant engineering gap between 6,000 qubits and the 500,000 required by the Google paper (or the 10,000 claimed by Oratomic).

However, the metaphor from crypto investor McKenna is more memorable: "You can think of Q-Day as Y2K, but this time it's real."

Eli Ben-Sasson, co-founder of StarkWare, has called on the Bitcoin community to expedite BIP-360. Google has stated that it is working with Coinbase, the Stanford Blockchain Research Center, and the Ethereum Foundation to promote responsible migration.

The debate has shifted from "can quantum computing crack encryption" to "can the crypto industry complete migration before hardware catches up?" Google's 2029 timeline, coupled with the drastic compression of qubit demand in the Oratomic paper, leaves the industry with a shorter buffer period than anyone anticipated.

The 1.1 million BTC that Satoshi holds cannot migrate to quantum-safe addresses on their own. If a quantum computer arrives first, this digital legacy worth over 70 billion dollars will become the largest target for "digital salvage" in history. The Google paper even introduced the legal framework analogy of "digital salvage rights," suggesting that governments may need to legislate to address these non-migratable dormant assets.

This is a problem not foreseen in the Bitcoin white paper: If the mathematical barrier protecting private property is itself compromised, can "Code is Law" still hold?
