Google’s quantum team brings the scenario of quantum computing and Bitcoin closer to reality: new estimates suggest attacks may require far less computational power than previously assumed. What was once a theoretical risk is moving into the realm of practical concern for Bitcoin’s security.
At the same time, a second paper by Oratomic, Caltech and UC Berkeley lowers the threshold to around 10,000 reconfigurable atomic qubits. Together, the two publications mark the sharpest compression yet of the estimated quantum threat to crypto networks. Google also names Coinbase, the Stanford Institute for Blockchain Research and the Ethereum Foundation as partners for a responsible transition.
Subscribe to our newsletter
The best articles of the week, directly delivered into your mailbox.
20-fold reduction in required resources
Google researchers Ryan Babbush and Hartmut Neven present two quantum circuits applying Shor’s algorithm to ECDLP-256. The more efficient design requires fewer than 1,200 logical qubits and around 70 million Toffoli gates. On a superconducting quantum computer with under 500,000 physical qubits, the computation could be completed within minutes, implying roughly a 20x reduction versus prior estimates.
Notably, Google chose an unusual disclosure approach. The circuits themselves are not published; instead, the results are validated via a zero-knowledge proof. This allows independent verification without providing a blueprint for potential attackers. In an accompanying blog post, the authors state they coordinated with the US government prior to release and encourage other research teams to follow a similarly responsible approach.
The paper also models a live attack on Bitcoin transactions. A quantum adversary could intercept a public key during a transaction and derive the private key in roughly nine minutes. Given Bitcoin’s 10-minute block time, this implies a success probability of about 41%. Ethereum, with shorter confirmation times, would be less exposed under this model.
Such a quantum computer does not exist today. However, the estimated requirements have been steadily declining for two decades. In 2012, estimates for running Shor’s algorithm were around one billion physical qubits. Google now puts that figure below 500,000, with Oratomic suggesting even lower thresholds.
Oratomic lowers the threshold to 10,000 qubits
The parallel paper by Oratomic builds on Google’s circuits and adapts them to a different hardware architecture: neutral-atom quantum computers. In this approach, individual atoms are trapped using laser tweezers and used as qubits. These atoms can be dynamically rearranged during computation, enabling more flexible error correction.
If today’s Google announcement wasn’t enough...
Oratomic, Caltech, and UC Berkeley show quantum computers can break crypto with just 10,000 reconfigurable atomic qubits.
It's clearer than ever that blockchains need post-quantum cryptography. pic.twitter.com/hBtEFz7p1s
— Project Eleven (@projecteleven) March 31, 2026
The authors show that a system with around 26,000 qubits could break ECC-256 in roughly 10 days, while a minimal setup of 10,000 physical qubits may suffice. For RSA-2048, widely used across financial institutions, the requirement rises to about 102,000 qubits and three months.
Oratomic co-founder Manuel Endres had already demonstrated a 6,100 neutral-atom qubit array at Caltech in 2025, published in Nature. These magnitudes are therefore moving closer to what is technically feasible. One caveat remains: all nine authors of the Oratomic paper are shareholders in the company, six of them employees, positioning the results also as a roadmap for their own hardware approach.
Taproot expands Bitcoin’s quantum attack surface
These findings cast Taproot, Bitcoin’s 2021 upgrade, in a new light. While improving privacy and efficiency, Taproot exposes public keys on-chain by default, whereas older address formats kept them hashed. This increases the pool of quantum-vulnerable coins to an estimated 6.9 million BTC, including Satoshi-era holdings and frequently reused addresses.
As a result, roughly one-third of Bitcoin’s supply could be considered structurally exposed over the long term. This may affect the valuation of older coins, Taproot adoption, and address reuse practices. Coin Metrics co-founder Nic Carter noted on X that the Oratomic paper may be even more concerning than Google’s release. Taproot usage has already declined since 2024, from 42% to 20% of transactions, according to analyst Willy Woo.
Not just Bitcoin: quantum computing threatens half the internet
Google’s research targets ECDLP-256, the mathematical foundation of elliptic curve cryptography. This extends far beyond blockchains. ECC-256 secures TLS/HTTPS connections, SSH keys, digital signatures for software and documents, authentication protocols such as OAuth and FIDO2, as well as encrypted messaging and VPNs. In practice, almost every secure internet connection relies on some form of this cryptography.
The Oratomic paper also estimates the resources needed to break RSA-2048, widely used by banks: around 102,000 qubits and three months. ECC is likely to fall first due to shorter key lengths, as Shor’s algorithm scales primarily with key size.
Accordingly, Google’s 2029 timeline is not aimed at crypto alone, but at its entire infrastructure. NIST plans to phase out ECC in US federal systems starting in 2030, with a full ban by 2035. Banks, cloud providers and governments can update centrally. Bitcoin, by contrast, requires network-wide consensus.
Bitcoin’s migration path: at least seven years
BIP-360, the leading proposal for quantum resistance, was added to the official BIP repository in February. It removes Taproot’s quantum-vulnerable key path by introducing a new output type, Pay-to-Merkle-Root (P2MR). BTQ Technologies has already implemented BIP-360 on a testnet with over 50 miners and more than 100,000 mined blocks.
However, BIP-360 co-author Ethan Heilman estimates a full migration would take at least seven years, even if started immediately. Roughly three years to activation, followed by a phase where all holders would need to move funds to new addresses. According to a survey by the Trusted Computing Group, 91% of companies still lack a formal roadmap for quantum-safe cryptography.
Crucially, BIP-360 is only a first step. It does not replace ECDSA or Schnorr signatures with quantum-resistant schemes. For context, SegWit took 8.5 years to reach broad adoption, Taproot 7.5 years. Google’s 2029 timeline is moving faster than Bitcoin’s governance has historically allowed.
