Authors: Ryan Babbush & Hartmut Neven, Google Quantum AI

Translation: Deep Tide TechFlow

Deep Tide Introduction: This is a primary source of today's quantum threat discussion, not a media relaying, but an official technical blog jointly published by Google's Quantum AI Research Director and VP Engineering.

The core conclusion is simple: The estimated number of physical quantum bits needed to break Bitcoin's elliptic curve encryption has now been reduced by about 20 times. Google simultaneously released verification materials in the form of "zero-knowledge proofs," allowing third parties to verify conclusions without disclosing attack details—this mode of disclosure itself is also worth noting.

The full text is as follows:

March 31, 2026

Ryan Babbush, Director of Quantum Algorithms Research, Google Quantum AI; Hartmut Neven, Vice President of Engineering, Google Quantum AI, Google Research

We are exploring a new paradigm to elucidate the cryptographic breaking capabilities of future quantum computers and outline the steps that should be taken to mitigate their impact.

Quantum Resource Estimation

Quantum computers are expected to solve problems previously deemed unsolvable, including applications in chemistry, drug discovery, and energy. However, large-scale cryptographically relevant quantum computers (CRQC) are also capable of breaking widely used public key cryptography, which protects various systems, including confidential information. Governments and institutions, including Google, have been grappling with this security challenge for years. With continuous advancements in science and technology, CRQC is gradually becoming a reality, necessitating a transition to post-quantum cryptography (PQC)—which is also the reason we recently proposed a 2029 migration timeline.

In our white paper, we shared the latest estimates of the quantum computing "resources" (i.e., quantum bits and quantum gates) required to break the 256-bit elliptic curve discrete logarithm problem (ECDLP-256). We express resource estimates in terms of logical quantum bits (error-corrected quantum bits composed of hundreds of physical quantum bits) and the number of Toffoli gates (a costly basic operation on quantum bits that is a major factor in determining the runtime of many algorithms).

Specifically, we compiled two quantum circuits (a sequence of quantum gates) to implement Shor's algorithm for ECDLP-256: one using fewer than 1,200 logical quantum bits and 90 million Toffoli gates, and another using fewer than 1,450 logical quantum bits and 70 million Toffoli gates. We estimate that under standard hardware capability assumptions consistent with part of Google's flagship quantum processor, these circuits can be executed on superconducting quantum bits CRQC with fewer than 500,000 physical quantum bits within a few minutes.

This is a reduction by about 20 times in the number of physical quantum bits required to break ECDLP-256, continuing a long optimization process of compiling quantum algorithms into fault-tolerant circuits.

Protecting Cryptocurrency with Post-Quantum Cryptography

Most blockchain technologies and cryptocurrencies currently rely on ECDLP-256 to secure critical aspects of their safety. As discussed in our paper, PQC is a mature path to achieving post-quantum blockchain security, capable of ensuring the long-term viability of cryptocurrencies and the digital economy in a world where CRQC exists.

We cited examples of post-quantum blockchains, as well as experimental deployments of PQC on blockchains that originally had quantum vulnerabilities. We pointed out that although viable solutions like PQC exist, implementation still takes time, increasing the urgency to take action.

We also made additional suggestions for the cryptocurrency community to improve security and stability in the short and long term, including: avoiding exposing or reusing vulnerable wallet addresses, and potential policy options addressing the issue of abandoned cryptocurrencies.

Our Approach to Vulnerability Disclosure

The disclosure of security vulnerabilities is a contentious issue. On one hand, the "no disclosure" stance argues that publicizing vulnerabilities serves as an operational manual for attackers. On the other hand, the "full disclosure" movement believes that making the public aware of security vulnerabilities can keep them vigilant and take self-protective measures, and also encourage security repairs. In the field of computer security, this debate has coalesced around a set of compromise solutions known as "responsible disclosure" and "coordinated vulnerability disclosure." Both advocate for disclosing vulnerabilities under a set embargo period, allowing affected systems time to roll out security fixes. Leading security research organizations, such as Carnegie Mellon University's CERT/CC and Google's Project Zero, have adopted variants of responsible disclosure with strict deadlines, which has also been adopted as an international standard ISO/IEC 29147:2018.

The disclosure of security vulnerabilities in blockchain technology is further complicated by a special factor: cryptocurrencies are not just decentralized data processing systems. The value of their digital assets comes not only from the digital security of the network but also from public confidence in the system. As the digital security layer may be vulnerable to CRQC attacks, public confidence can also be eroded by fear, uncertainty, and doubt (FUD) tactics. Thus, non-scientific and unsubstantiated resource estimates concerning quantum algorithms for breaking ECDLP-256 may themselves constitute an attack on the system.

These considerations guide our cautious disclosure approach regarding quantum attack resource estimates on blockchain technology based on elliptic curve cryptography. First, we aim to reduce the FUD risks in our discussion by clarifying areas where blockchains are immune to quantum attacks and highlighting progress made in post-quantum blockchain security. Second, without sharing the underlying quantum circuits, we substantiate our resource estimates through the release of a state-of-the-art cryptographic construct called "zero-knowledge proofs," allowing third parties to verify our claims without disclosing sensitive attack details.

We welcome further discussions with the quantum, security, cryptocurrency, and policy communities to reach a consensus on future responsible disclosure norms.

Through this work, our goal is to support the long-term health of the cryptocurrency ecosystem and blockchain technology, which are becoming increasingly important in the digital economy. Looking ahead, we hope that our responsible disclosure approach can spark an important dialogue between quantum computing researchers and the broader public, and offer a model for the field of quantum cryptanalysis research.