Google Quantum AI just published a research paper with the Ethereum Foundation, Stanford, and UC Berkeley.
It’s about what quantum computers will do to cryptocurrency.
And after reading all 57 pages, I can tell you this: the crypto community is not ready for what’s coming.
This paper gives exact numbers. Exact qubit counts. Exact attack times. No vague “sometime in the future” talk. Real math.
If you hold crypto, don’t skip this one.
Why Your Keys Aren’t Safe Forever
Every crypto transaction you make is protected by a math problem called the elliptic curve discrete logarithm problem (ECDLP). You don’t need to remember the name. Just know this: it’s the lock on your wallet.
You have a private key (the secret) and a public key (the address). The whole system works because nobody can figure out your private key from your public key.
Classical computers can’t do it. It would take billions of years.
Quantum computers can.
There’s an algorithm called Shor’s algorithm that can solve this problem fast. The question was always: how big does the quantum computer need to be?
Google just answered that.
And the answer is smaller than most people thought.
The Actual Numbers
The team built two versions of their quantum circuit for breaking the specific elliptic curve Bitcoin uses for its signatures (secp256k1).
Version one: 1200 logical qubits, 90 million Toffoli gates.
Version two: 1450 logical qubits, 70 million Toffoli gates.
A qubit (short for quantum bit) is the basic unit of information in quantum computing, serving as the quantum equivalent of the classical bit.
While a classical bit can only be a 0 or a 1 (like a light switch that is either off or on), a qubit is a two-state quantum-mechanical system that can exist in a superposition of both states at once, which is what lets quantum algorithms process information in ways classical bits cannot.
Now, logical qubits need error correction, so you need more physical qubits to make them work. Even after all that overhead, the researchers estimate this runs on fewer than half a million physical qubits.
Previous best estimate? About 9 million physical qubits. Google just cut that by roughly 20x.
But here’s what really matters.
The quantum computer can precompute the first half of the attack ahead of time. So when your public key shows up in a transaction, the actual key-breaking takes about 9 minutes.
Bitcoin’s average block time? 10 minutes.
That’s insane.
Three Ways They Can Attack You
The paper breaks quantum attacks into three types. This is a really useful way to think about it.
On-spend attacks. You broadcast a transaction. Your public key is now visible in the mempool, waiting to be confirmed. A quantum attacker grabs it, cracks your private key, and sends a competing transaction before yours gets confirmed.
At-rest attacks. Your public key is already sitting on the blockchain from an old transaction. Maybe you haven’t touched your wallet in years. The attacker has unlimited time. No rush.
On-setup attacks. Some crypto protocols have fixed public parameters baked into their design. A quantum attacker cracks those parameters once, and creates a reusable backdoor. No quantum computer needed after that. Anyone with the exploit can keep using it forever.
Fast Computers vs. Slow Computers
Here’s something the paper introduces that I think is underrated.
Not all quantum computers run at the same speed.
Superconducting and photonic quantum computers have really fast operations. The paper calls them “fast-clock” architectures. Google, IBM, and Rigetti are building these.
Neutral atom and ion trap computers are about 100 to 1000 times slower. The paper calls them “slow-clock.” IonQ, Quantinuum, and QuEra are building these.
Why does this matter?
If the first powerful quantum computer is fast-clock, both on-spend and at-rest attacks become possible at the same time. Your live transactions and your dormant wallets are both at risk.
If it’s slow-clock, only at-rest attacks work at first. The attacker can crack old wallets but can’t intercept your live transactions because they’re too slow.
Nobody knows which type gets there first. The paper says: plan for both.
Bitcoin’s Exposure: The Real Numbers
Let’s get specific.
About 1.7 million BTC sits in P2PK addresses. These are the oldest Bitcoin addresses, including Satoshi-era mining rewards. The public keys are right there on the blockchain. Completely exposed.
Any quantum computer, fast or slow, can target them.
When you include addresses with reused keys and other exposed scripts, the total quantum-vulnerable Bitcoin is roughly 6.9 million BTC.
Many modern Bitcoin addresses hide the public key behind a hash. So attackers can’t target them at rest. But the moment you spend from one of these addresses, your public key appears, and an on-spend attack becomes possible.
Another important thing the paper clears up: Bitcoin mining is NOT at risk from quantum computers.
There’s a common belief that quantum computers could mine faster using Grover’s algorithm. The paper says no. The quantum speedup is almost entirely eaten up by error correction overhead. A quantum miner would perform over 100x worse than a standard ASIC miner.
So mining is safe. Your keys are not.
One more thing. Bitcoin’s Taproot upgrade from 2021 actually made things worse. P2TR scripts store the public key directly on-chain, bringing back the same vulnerability as the old P2PK addresses. The paper literally calls it a “security regression.”
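The address-type argument above (P2PK and P2TR put the key itself on-chain, P2PKH and P2WPKH only a hash of it) can be turned into a scanner that sorts outputs into at-rest targets versus on-spend-only targets. This is an added example, not code from the paper or the post; the script templates are the standard Bitcoin output layouts, and the UTXO list at the bottom is constructed sample data with made-up keys and amounts.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_on_chain: Optional[bool]  # True: at-rest target; False: on-spend only; None: not assessed

def classify_script_pubkey(spk_hex: str) -> Exposure:
    """Match the standard Bitcoin output templates and say whether the public key
    (or, for Taproot, the tweaked output key) is already visible on-chain."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG -- raw key on-chain (Satoshi-era coins)
    if n in (35, 67) and s[0] == n - 2 and s[1] in (2, 3, 4) and s[-1] == 0xAC:
        return Exposure("P2PK", True)
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -- only HASH160(key)
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return Exposure("P2PKH", False)
    # P2SH: OP_HASH160 <20> OP_EQUAL -- only a script hash
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return Exposure("P2SH", False)
    # P2WPKH: OP_0 <20> -- only HASH160(key)
    if n == 22 and s[:2] == b"\x00\x14":
        return Exposure("P2WPKH", False)
    # P2WSH: OP_0 <32> -- only SHA256(witness script)
    if n == 34 and s[:2] == b"\x00\x20":
        return Exposure("P2WSH", False)
    # P2TR: OP_1 <32-byte x-only output key> -- the key itself is on-chain again
    if n == 34 and s[:2] == b"\x51\x20":
        return Exposure("P2TR", True)
    return Exposure("nonstandard", None)

def summarize_exposure(utxos):
    """Sum BTC by exposure class for a list of (scriptPubKey hex, amount) pairs."""
    totals = {"at_rest": 0.0, "on_spend_only": 0.0, "unassessed": 0.0}
    for spk_hex, btc in utxos:
        e = classify_script_pubkey(spk_hex)
        bucket = "unassessed" if e.key_on_chain is None else ("at_rest" if e.key_on_chain else "on_spend_only")
        totals[bucket] += btc
    return totals

# Constructed sample UTXO set (made-up keys and amounts, not real chain data)
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 50.0),   # P2PK, compressed key
    ("76a914" + "33" * 20 + "88ac", 1.5),     # P2PKH
    ("5120" + "55" * 32, 0.25),               # P2TR
    ("0014" + "44" * 20, 3.0),                # P2WPKH
]

if __name__ == "__main__":
    print(summarize_exposure(SAMPLE_UTXOS))  # at_rest 50.25, on_spend_only 4.5
```

Run over a real UTXO dump, the "at_rest" bucket is the set a slow-clock attacker can work on at leisure, while "on_spend_only" outputs are exposed only during the confirmation window.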
For Bitcoin with its 10-minute block time, a quantum attacker breaking a key in 9 minutes has roughly a 41% chance of stealing the funds in an on-spend attack.
For Litecoin (2.5-minute blocks), that drops to less than 3%.
For Zcash (75-second blocks), less than one in thirteen hundred.
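The three percentages above follow from one model of the race between the attacker and the next block. As an added example (not the paper's own calculation, whose exact model is not reproduced in this post), the block below assumes block arrivals are memoryless, so the chance that no block has been found after t minutes is exp(-t / block_time); with a 9-minute key break that reproduces 41% for Bitcoin, under 3% for Litecoin and under 1/1300 for Zcash, and it also shows why a 100x slower slow-clock machine gets essentially zero on-spend chance.

```python
import math

# Block times in minutes, as given in the post
CHAINS = {"Bitcoin": 10.0, "Litecoin": 2.5, "Zcash": 75 / 60}

def on_spend_success_probability(attack_minutes: float, block_minutes: float) -> float:
    """Probability the attacker finishes the key break before the victim's
    transaction is mined.

    Assumption of this example: blocks arrive as a Poisson process with mean
    interval block_minutes, so P(no block within t) = exp(-t / block_minutes).
    """
    if attack_minutes < 0 or block_minutes <= 0:
        raise ValueError("attack time must be >= 0 and block time > 0")
    return math.exp(-attack_minutes / block_minutes)

def max_attack_time_for_risk(block_minutes: float, success_probability: float) -> float:
    """Invert the model: the slowest key break that still succeeds with the
    given probability (e.g. how fast a machine must be for a coin-flip chance)."""
    if not 0 < success_probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return -block_minutes * math.log(success_probability)

def exposure_table(attack_minutes: float = 9.0) -> dict:
    """On-spend success probability per chain for a given key-break time."""
    return {name: on_spend_success_probability(attack_minutes, bt)
            for name, bt in CHAINS.items()}

if __name__ == "__main__":
    # Fast-clock machine: the 9-minute figure from the paper
    for name, p in exposure_table(9.0).items():
        print(f"fast-clock  {name:9s} {p:.5f}")
    # Slow-clock machine: 100x slower, so 900 minutes per key
    for name, p in exposure_table(900.0).items():
        print(f"slow-clock  {name:9s} {p:.3e}")
    print("break time for a 50% chance on Bitcoin:",
          round(max_attack_time_for_risk(10.0, 0.5), 2), "minutes")
```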
Ethereum Has It Worse
Ethereum’s attack surface is broader than Bitcoin’s. The paper identifies five distinct vulnerability types.
Account Vulnerability. Ethereum uses accounts, not UTXOs like Bitcoin. Once you send your first transaction, your public key is permanently exposed. The top 1,000 richest Ethereum accounts (about 20.5 million ETH) could be cracked in less than nine days.
Admin Vulnerability. Many smart contracts have admin keys that control upgrades, pausing, and fund extraction. These keys are rarely rotated. At least 70 of the top 500 contract accounts (about 2.5 million ETH) are at risk. This extends to roughly 200 billion USD in stablecoins and tokenized assets.
Code Vulnerability. Ethereum’s Layer 2 ecosystem uses cryptographic primitives that are themselves quantum-vulnerable. At least 15 million ETH in total value across major L2 protocols is at risk. Only protocols using hash-based zkSTARKs are considered safe.
Consensus Vulnerability. Ethereum’s Proof-of-Stake uses BLS signatures for validator attestations. About 37 million ETH is staked. If more than a third of validators are compromised, the chain halts. If more than two-thirds, the attacker owns the chain.
A quantum attacker with 20 machines would need over nine months to get there. But if stake is concentrated in big pools like Lido (about 20% of staked ETH), targeted attacks become much faster.
Data Availability Vulnerability. This is an on-setup attack. Ethereum’s data availability sampling (DAS) mechanism uses KZG commitments. A quantum computer can extract the “toxic waste” from the trusted setup ceremony and create a permanent, tradable backdoor. Anyone can use it. No quantum computer needed after the first crack.
The paper does give Ethereum one advantage: the Ethereum Foundation can push changes faster than Bitcoin’s decentralized consensus process.
2.3 Million BTC That Can Never Be Saved
There are roughly 2.3 million BTC in dormant addresses that haven’t moved in at least five years. Many of these likely have lost private keys. The owners might be dead. They might have thrown away their seed phrases.
These coins can’t be migrated to quantum-safe addresses. Nobody has the keys to move them. They’re just sitting there.
The Bitcoin community is debating three approaches.
“Do Nothing.” Let quantum computers take the coins.
“Burn.” Make the coins permanently unspendable through a protocol change.
“Hourglass.” Limit the rate at which dormant coins can be spent, creating a bottleneck.
The paper also proposes something called “Bad Sidechain,” inspired by the “bad bank” concept from traditional finance: a dedicated sidechain where recovered coins go for ownership resolution using off-chain proofs such as mnemonic phrases.
On the government side, the paper discusses “digital salvage,” treating dormant crypto like sunken treasure under a regulated recovery framework.
The paper is blunt: if protocol changes are not made, these coins will be taken. The only question is by whom.
The Zero-Knowledge Move
The researchers actually have the quantum circuits that could break Bitcoin’s cryptography. But they didn’t publish them.
Instead, they published a zero-knowledge proof. It cryptographically verifies that they have circuits with the claimed qubit and gate counts, without revealing the circuits themselves.
Their argument: publishing detailed attack circuits would be irresponsible. But staying silent about the threat would also be irresponsible. The ZK proof is their middle ground.
And there’s a funny irony they point out. The ZK proof itself uses elliptic curve cryptography. Which means it’s theoretically vulnerable to the same quantum attacks they’re studying. But since no quantum computer can break it today, the proof holds.
Not everyone is sleeping on this.
Quantum Resistant Ledger (QRL) has been post-quantum since 2018. Algorand ran its first post-quantum transaction in 2025 using Falcon signatures. Solana deployed an experimental quantum-resistant vault. The XRP Ledger deployed post-quantum signatures on its test network.
Some are moving. But most of the money is still sitting on quantum-vulnerable chains.
My Take
The authors go out of their way to explain where crypto is safe. Mining isn’t threatened. Certain address types are protected against at-rest attacks. Post-quantum cryptography exists and works.
But the core message is clear. The window is narrowing.
They suggest that the existence of early quantum computers might first be detected on the blockchain, rather than announced publicly.
Think about that.
The first sign might not be a press conference. It might be a million dormant Bitcoin suddenly moving to unknown wallets.
The paper also warns against using gradually harder ECDLP challenges as an early warning system. Once a quantum architecture overcomes its scaling barriers, there might be very little time between breaking 32-bit ECDLP and breaking 256-bit ECDLP.
By the time someone publicly demonstrates Shor’s algorithm on a small curve, it might already be too late.
The technical solutions exist. Post-quantum cryptography is real. It’s deployed in some places. But the migration has to start now. Not when the first attack happens.
What do you think? Should the Bitcoin community burn Satoshi’s coins to protect the network? Or is that crossing a line?