A Google Quantum AI whitepaper published on Mar. 30, 2026, identifies roughly 6.9 million Bitcoin (BTC) — about one-third of the total supply — sitting in addresses vulnerable to quantum "at-rest" attacks, including an estimated 1.1 million coins linked to the network's pseudonymous creator, Satoshi Nakamoto.
TL;DR
- Google Quantum AI found that breaking Bitcoin's 256-bit elliptic curve cryptography may require fewer than 500,000 physical qubits — a 20-fold reduction from prior estimates.
- Roughly 6.9 million BTC sit in address types where public keys are permanently exposed, making them targets for future quantum at-rest attacks.
- Satoshi-era P2PK addresses cannot be upgraded by anyone, raising thorny governance questions about whether to freeze dormant coins or let them remain vulnerable.
What Google's Whitepaper Actually Says
The paper carries a long title: "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations." It runs 57 pages and represents the most detailed quantum-cryptographic threat assessment ever produced by a major technology company.
Six Google Quantum AI researchers — Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar and Hartmut Neven — co-authored the paper. External collaborators included Thiago Bergamaschi of UC Berkeley, Justin Drake of the Ethereum Foundation and Dan Boneh of Stanford.
The central technical contribution is a pair of optimized quantum circuits that implement Shor's algorithm for the Elliptic Curve Discrete Logarithm Problem (ECDLP) on 256-bit curves.
That covers secp256k1, the exact curve whose ECDLP secures Bitcoin's ECDSA and Schnorr signatures.
One circuit uses fewer than 1,200 logical qubits and 90 million Toffoli gates. The other uses fewer than 1,450 logical qubits and 70 million Toffoli gates.
Google estimates these circuits could run on a superconducting quantum computer with fewer than 500,000 physical qubits in a matter of minutes. Previous estimates required drastically more hardware: a widely cited 2022 paper from the University of Sussex projected 317 million physical qubits for a one-hour attack and 1.9 billion for a ten-minute window. Google's figure is roughly 20 times lower than the previous best estimates.
In an unusual step for a resource estimation paper, Google withheld the actual circuit implementations. Instead it published a zero-knowledge proof, generated with the SP1 zkVM and wrapped in a Groth16 SNARK, backing the stated resource counts. Independent researchers can verify the claims without gaining access to the attack details themselves.
This builds on earlier quantum milestones at Google.
The Willow chip, announced in Dec. 2024 and published in Nature, demonstrated 105 superconducting qubits with the first "below-threshold" quantum error correction on a superconducting processor. Error rates halved with each step from 3x3 to 5x5 to 7x7 qubit grids. Willow completed a benchmark in under five minutes that would take the Frontier supercomputer an estimated 10 septillion years.
Still, Google was explicit that Willow poses no cryptographic threat today.
Charina Chou, Google Quantum AI's director and COO, told The Verge in Dec. 2024 that the chip cannot break modern cryptography and that roughly 4 million physical qubits would be needed to crack RSA.
Why Satoshi's Coins Are the Most Exposed
The vulnerability at the center of Google's analysis traces back to a design choice made in Bitcoin's first days. When Satoshi Nakamoto launched the network on Jan. 3, 2009, the mining software sent block rewards to P2PK (Pay-to-Public-Key) outputs. In this format, the full public key sits permanently visible on the blockchain from the moment coins arrive.
The locking script is simply the public key followed by the OP_CHECKSIG opcode. That means the 65-byte uncompressed or 33-byte compressed public key is exposed to anyone reading the chain.
There is no hash layer protecting it.
Satoshi also implemented P2PKH (Pay-to-Public-Key-Hash), which puts only the 20-byte RIPEMD-160(SHA-256) hash of the public key in the locking script; the key itself appears on chain only when the coins are spent. P2PKH addresses, the familiar ones starting with "1", appeared on the blockchain within two weeks of the genesis block.
The hash layer was deliberate. Satoshi recognized that elliptic curve cryptography could fall to a modified version of Shor's algorithm run on a future quantum computer, and hashing the key keeps it off the chain until the coins move.
Despite that awareness, the mining software continued defaulting to P2PK for coinbase rewards throughout 2009 and 2010. Sergio Demian Lerner's landmark Patoshi pattern research, first presented in 2013, identified that a single entity mined approximately 22,000 blocks between Jan. 2009 and mid-2010. That entity accumulated roughly 1.0 to 1.1 million BTC.
The mining behavior was distinct from the publicly released client. It used multi-threaded nonce scanning and appeared to intentionally throttle its hash rate to protect network stability.
Only about 907 BTC from that stash were ever spent. The most famous transaction sent 10 BTC to Hal Finney in the first person-to-person Bitcoin transfer on Jan. 12, 2009.
Because these coins have never moved, their public keys remain permanently exposed. A quantum computer running Shor's algorithm could derive the corresponding private keys without any time pressure. That is the core "at-rest" attack vector.
Three Attack Vectors and the 6.9 Million BTC Exposure
Google's whitepaper formalizes a taxonomy of quantum attacks on cryptocurrencies that clarifies the scale of different threat vectors.
At-rest attacks target public keys that sit permanently exposed on the blockchain. The attacker has unlimited time — days, months or years — to derive the private key. This category covers three main address types:
- P2PK addresses, where the public key is visible in the locking script from the moment coins arrive
- Reused hash-based addresses (P2PKH and similar), where the first outgoing transaction already revealed the public key
- P2TR/Taproot addresses, which store a tweaked public key directly on-chain by design
Google identifies Taproot as a security regression from a quantum perspective. Even slower quantum architectures like neutral-atom or ion-trap systems could execute at-rest attacks since there is no time constraint. The on-chain analysis finds roughly 1.7 million BTC in P2PK scripts and approximately 6.9 million BTC total across all vulnerable address types when reuse and Taproot exposure are factored in.
On-spend attacks, formerly called "in-transit" attacks, target transactions in the mempool.
When a user broadcasts a transaction, the public key appears in the input's scriptSig or witness. An attacker must derive the private key before the transaction confirms, a window of roughly 10 minutes on average for Bitcoin.
Google's paper indicates a fast-clock superconducting quantum computer could solve ECDLP in approximately nine minutes, yielding about a 41% success probability of beating confirmation.
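The 41% figure can be checked with a simple model, shown here as an added example rather than anything taken from the whitepaper: if blocks arrive as a Poisson process with a 10-minute mean, the wait for the next block is exponentially distributed, so the chance that no block has been found after 9 minutes of solving is e^(-9/10), about 0.41. The second function generalizes to the case where the attacker only needs to finish before the k-th block (for instance when a low-fee victim transaction is unlikely to make it into the very next block); k=1 reproduces the headline number. The 10-minute mean and the sample solve times are assumptions for illustration.

```python
import math

BLOCK_INTERVAL_MIN = 10.0  # assumed mean block interval (Bitcoin's target)


def p_no_block_before(solve_minutes, mean_interval=BLOCK_INTERVAL_MIN):
    """Probability that no block is found before the attacker finishes.

    With Poisson block arrivals the time to the next block is exponential
    with the given mean, so P(no block within t) = exp(-t / mean).  This is
    the attacker's success probability when the victim's transaction would
    be confirmed by the very next block.
    """
    return math.exp(-solve_minutes / mean_interval)


def p_fewer_than_k_blocks(solve_minutes, k, mean_interval=BLOCK_INTERVAL_MIN):
    """Probability that fewer than k blocks arrive while the attacker solves.

    Poisson CDF with rate lam = t / mean.  k=1 is p_no_block_before(); larger
    k models a victim transaction that will not be mined until the k-th block.
    """
    lam = solve_minutes / mean_interval
    return sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))


def attacker_win_table(solve_times=(1, 5, 9, 10, 30, 60)):
    """Success probability for a range of ECDLP solve times (minutes)."""
    return {t: round(p_no_block_before(t), 3) for t in solve_times}


if __name__ == "__main__":
    for t, p in attacker_win_table().items():
        print(f"solve time {t:>3} min -> attacker beats confirmation {p:.1%} of the time")
```

A 1-minute solver would win about 90% of on-spend races, a 30-minute solver about 5%; the whitepaper's 9-minute superconducting estimate lands at the 41% it reports.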
On-setup attacks target fixed protocol parameters such as the outputs of trusted setup ceremonies. Bitcoin has no such parameters and is immune to this vector. But Ethereum's (ETH) KZG-based Data Availability Sampling and zero-knowledge protocols like Tornado Cash could be vulnerable.
The critical point is that proof-of-work mining is not threatened. Grover's algorithm provides only a quadratic speedup for SHA-256 preimage search, cutting effective security from 256 bits to 128 bits, which is still far beyond feasibility. A Mar. 2026 paper by Dallaire-Demers et al. demonstrated that quantum mining would require roughly 10²³ qubits and 10²⁵ watts of power, approaching civilization-scale energy requirements.
How Far Away Is Q-Day for Bitcoin?
The gap between current quantum hardware and cryptographic relevance remains large but is narrowing faster than expected.
Today's leading processors include Google's Willow at 105 superconducting qubits, IBM's Nighthawk at 120 qubits with improved fidelity, Quantinuum's Helios at 98 trapped-ion qubits and Caltech's record-setting 6,100 neutral-atom qubit array.
The largest general-purpose system remains IBM's Condor at 1,121 qubits. Against Google's revised target of fewer than 500,000 physical qubits, the gap ranges from roughly 80 to 5,000 times depending on architecture.
Several developments in 2025 and 2026 have accelerated timelines:
- Microsoft unveiled Majorana 1 in Feb. 2025 — the first processor using topological qubits, designed to scale to 1 million qubits on a palm-sized chip, though independent replication studies have questioned whether the topological effects are conclusively demonstrated
- Amazon's Ocelot chip, also from Feb. 2025, uses "cat qubits" that reduce error-correction overhead by up to 90%
- A companion paper released alongside Google's whitepaper claimed neutral-atom architectures could break ECC-256 with as few as 10,000 physical qubits under optimistic assumptions
Expert timeline estimates span a wide range. Google has set an internal 2029 deadline for migrating its own systems to post-quantum cryptography.
Ethereum researcher Justin Drake estimates at least a 10% chance that by 2032 a quantum computer could recover a secp256k1 ECDSA private key. IonQ's roadmap targets 80,000 logical qubits by 2030.
On the skeptical end, Blockstream CEO Adam Back dismisses 2028 timelines as not credible. NVIDIA CEO Jensen Huang places useful quantum computers at 15 to 30 years out. NIST recommends completing migration to post-quantum cryptography by 2035.
The algorithmic improvement trend adds urgency. Physical qubit requirements for breaking elliptic curve cryptography have dropped by four to five orders of magnitude between 2010 and 2026. Google's latest circuits represent a further 20-fold reduction from previous best estimates.
The Race to Quantum-Proof Bitcoin's Protocol
The Bitcoin developer community has mobilized around several proposals, though fundamental governance challenges remain.
BIP-360 (Pay-to-Merkle-Root), authored by Hunter Beast of MARA/Anduro, Ethan Heilman and Isabel Foxen Duke, was merged into the official BIP repository in Feb. 2025. It introduces a new SegWit version 2 output type with a bc1z prefix that commits only to a Merkle root of the script tree. That removes the quantum-vulnerable key-path spend from Taproot. BIP-360 does not itself introduce post-quantum signatures but creates the framework for them.
BTQ Technologies has deployed a working BIP-360 implementation on its Bitcoin Quantum testnet. More than 50 miners and 100,000 blocks have been produced as of Mar. 2026.
The Lopp/Papathanasiou proposal, unveiled at the Quantum Bitcoin Summit in July 2025, outlines a three-phase soft fork.
Phase A bans sending to legacy ECDSA addresses three years after BIP-360 activation. Phase B makes all legacy signatures invalid, permanently freezing quantum-vulnerable coins two years after that. Phase C offers an optional recovery path through zero-knowledge proof of BIP-39 seed possession.
The QRAMP proposal by Agustin Cruz takes a harder line. It proposes a mandatory migration deadline via hard fork, after which unmigrated coins become unspendable. The Hourglass proposal from Hunter Beast and Michael Casey at Marathon Digital offers a middle path — rate-limiting movement of quantum-exposed coins to one UTXO per block, stretching a potential attack from hours to roughly eight months.
On the standards front, NIST finalized its first three post-quantum cryptography standards in Aug. 2024: ML-KEM (based on CRYSTALS-Kyber) for key encapsulation, ML-DSA (based on CRYSTALS-Dilithium) for digital signatures and SLH-DSA (based on SPHINCS+) as a backup signature standard.
A fifth algorithm, HQC, was selected in Mar. 2025 as a backup key encapsulation mechanism.
The main challenge for Bitcoin integration is signature size. ML-DSA-44 (Dilithium2) signatures are about 2,420 bytes versus roughly 72 bytes for a DER-encoded ECDSA signature (64 bytes for Schnorr), a 33-fold increase that would strain block space and raise transaction costs significantly.
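To see what that size difference means in block space, here is an added worked calculation (not from the whitepaper or any BIP) of the virtual size of a minimal one-input, one-output SegWit spend under BIP 141's weight rule, where witness bytes count one weight unit and everything else counts four. It assumes, for illustration only, that a post-quantum signature and public key would be carried in the witness with that same discount; BIP-360 does not settle that detail. Because the public key also grows (ML-DSA-44 keys are 1,312 bytes) but the witness discount applies, the fee-relevant increase comes out near 9x rather than the raw 33x signature ratio.

```python
import math


def compact_size_len(n):
    """Byte length of Bitcoin's CompactSize varint used as a push-length prefix."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFFFFFF:
        return 5
    return 9


# Non-witness serialisation of a minimal 1-input, 1-output SegWit spend:
# version(4) + input count(1) + outpoint(36) + empty scriptSig length(1)
# + sequence(4) + output count(1) + value(8) + P2WPKH scriptPubKey(1+22)
# + locktime(4) = 82 bytes
NON_WITNESS_BYTES = 4 + 1 + 36 + 1 + 4 + 1 + 8 + 1 + 22 + 4


def witness_bytes(sig_len, pubkey_len):
    """Marker + flag + stack-item count + two length-prefixed stack items."""
    return (2 + 1
            + compact_size_len(sig_len) + sig_len
            + compact_size_len(pubkey_len) + pubkey_len)


def vbytes(non_witness, witness):
    """BIP 141: weight = 4 * non-witness + 1 * witness; vsize = ceil(weight / 4)."""
    return math.ceil((4 * non_witness + witness) / 4)


def spend_vbytes(sig_len, pubkey_len):
    """Virtual size of the template spend for a given signature/key size."""
    return vbytes(NON_WITNESS_BYTES, witness_bytes(sig_len, pubkey_len))


def fee_sats(vb, sat_per_vb):
    """Fee in satoshis at a given fee rate (assumed rate, illustration only)."""
    return vb * sat_per_vb


# DER ECDSA signature + compressed secp256k1 key, the familiar ~110 vB spend
ECDSA_SPEND = spend_vbytes(72, 33)
# FIPS 204 ML-DSA-44 signature (2,420 B) + public key (1,312 B), assumed in witness
MLDSA44_SPEND = spend_vbytes(2420, 1312)

if __name__ == "__main__":
    print(f"ECDSA spend:    {ECDSA_SPEND} vB")
    print(f"ML-DSA-44 spend: {MLDSA44_SPEND} vB ({MLDSA44_SPEND / ECDSA_SPEND:.1f}x)")
    print(f"fee at 10 sat/vB: {fee_sats(ECDSA_SPEND, 10)} vs {fee_sats(MLDSA44_SPEND, 10)} sats")
```

The ECDSA case reproduces the standard 110 vB figure for a P2WPKH spend, which is a useful sanity check before trusting the post-quantum number; at the same fee rate the fee scales with vbytes, so the 9x multiplier carries straight through to cost.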
Beyond Bitcoin, the broader ecosystem is moving quickly.
The Ethereum Foundation designated post-quantum security as a core priority in Jan. 2026, launching a four-phase hard-fork roadmap with a medium-term target of quantum resistance by 2029. Coinbase formed an Independent Advisory Board on Quantum Computing featuring Scott Aaronson, Dan Boneh and Justin Drake.
What Bitcoin Holders Should Do Now
For individual Bitcoin holders, the practical guidance is straightforward even as the protocol-level debate continues. Coins stored in P2WSH (SegWit witness script hash, bc1q with 62 characters) or P2WPKH (SegWit, bc1q with 42 characters) addresses that have never been used for outgoing transactions offer the strongest currently available protection.
Only a hash is visible on-chain: of the public key for P2WPKH, and of the witness script for P2WSH.
P2TR/Taproot (bc1p) addresses should be avoided for large or long-term holdings. They place the (tweaked) public key directly in the output script by design.
The most critical practice is never reusing addresses. Once Bitcoin is spent from any address, the public key is revealed and remaining or future funds at that address become quantum-vulnerable. Users can check their exposure using Project Eleven's open-source Bitcoin Risq List, which tracks every quantum-vulnerable Bitcoin address on the network.
Moving funds from an exposed address to a fresh, never-used hash-based address eliminates the at-rest vulnerability.
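As an added example (not code from the whitepaper, Project Eleven or any wallet), the following Python classifies a scriptPubKey by standard output type and then applies the at-rest rule from the taxonomy above and from this guidance: the key is exposed if it sits in the locking script (P2PK, P2TR) or if the output belongs to an address that has already been spent from. Parsing is pattern matching on the standard script templates; whether an address has been spent from cannot be read off the script and has to come from chain history, so here it is a constructed boolean. The keys and hashes are constructed placeholders of the right length, not real values.

```python
# Standard-script opcodes (Bitcoin Script byte values)
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_script(spk: bytes):
    """Match a scriptPubKey against the standard templates.

    Returns (script_type, key_in_script, payload): key_in_script is True when
    the public key itself is in the locking script; payload is the key or hash.
    """
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True, spk[1:-1]
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", False, spk[3:23]
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "P2SH", False, spk[2:22]
    # P2WPKH / P2WSH: OP_0 <20-byte key hash> / OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False, spk[2:]
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", False, spk[2:]
    # P2TR: OP_1 <32-byte x-only tweaked pubkey>; the key is on chain by design
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", True, spk[2:]
    return "UNKNOWN", False, b""


def at_rest_exposure(spk: bytes, spent_from: bool):
    """At-rest rule: exposed if the key is in the script, or was revealed by an
    earlier spend from the same address (address reuse)."""
    kind, key_in_script, _ = classify_script(spk)
    if key_in_script:
        return "EXPOSED", f"{kind}: public key is in the locking script"
    if kind == "UNKNOWN":
        return "UNKNOWN", "non-standard script; inspect manually"
    if spent_from:
        return "EXPOSED", f"{kind}: an earlier spend revealed the key (address reuse)"
    return "HASH_PROTECTED", f"{kind}: only a hash is on chain"


# Script builders used for the sample set
def p2pk(pubkey):  return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])
def p2pkh(h20):    return bytes([OP_DUP, OP_HASH160, 20]) + h20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(h20):   return bytes([OP_0, 20]) + h20
def p2wsh(h32):    return bytes([OP_0, 32]) + h32
def p2tr(xonly):   return bytes([OP_1, 32]) + xonly


# Constructed placeholders: not real keys or hashes, just correctly sized bytes
SAMPLE_PUBKEY = b"\x02" + b"\x11" * 32        # 33-byte compressed-format key
SAMPLE_UNCOMPRESSED = b"\x04" + b"\x22" * 64  # 65-byte uncompressed-format key
SAMPLE_HASH20 = bytes(range(20))
SAMPLE_HASH32 = bytes(range(32))

# "spent_from" is constructed here; in practice it comes from chain history
SAMPLE_UTXOS = [
    {"label": "2009-style coinbase", "spk": p2pk(SAMPLE_UNCOMPRESSED), "spent_from": False, "btc": 50.0},
    {"label": "fresh P2PKH",         "spk": p2pkh(SAMPLE_HASH20),       "spent_from": False, "btc": 1.0},
    {"label": "reused P2PKH",        "spk": p2pkh(SAMPLE_HASH20),       "spent_from": True,  "btc": 1.0},
    {"label": "fresh P2WPKH",        "spk": p2wpkh(SAMPLE_HASH20),      "spent_from": False, "btc": 1.0},
    {"label": "fresh P2WSH",         "spk": p2wsh(SAMPLE_HASH32),       "spent_from": False, "btc": 1.0},
    {"label": "Taproot",             "spk": p2tr(SAMPLE_HASH32),        "spent_from": False, "btc": 1.0},
]


def triage(utxos):
    """Tally BTC by exposure status, the bucketing an on-chain analysis performs."""
    totals = {}
    for u in utxos:
        status, _ = at_rest_exposure(u["spk"], u["spent_from"])
        totals[status] = totals.get(status, 0.0) + u["btc"]
    return totals


if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        status, why = at_rest_exposure(u["spk"], u["spent_from"])
        print(f"{u['label']:<20} {status:<15} {why}")
    print(triage(SAMPLE_UTXOS))
```

Note what the classifier cannot tell you: a P2SH or P2WSH output hides a script that may itself contain keys, which become visible once that script is spent, and a fresh-looking hashed output is only safe until the first outgoing transaction, which is why the reuse flag has to be fed from chain history rather than inferred from the script.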
As Unchained, a Bitcoin custody firm, cautions: beware of scammers who may use quantum fear to pressure hasty transfers. No immediate emergency action is needed.
The deeper problem remains the approximately 1.7 million BTC in P2PK addresses — including Satoshi's estimated 1.1 million — whose keys are irreversibly exposed and whose owners are almost certainly unable to migrate them. Whether to freeze, rate-limit or leave these coins exposed to eventual quantum theft is shaping up as one of the most consequential governance debates in Bitcoin's history.
As Jameson Lopp frames it, allowing quantum recovery of Bitcoin amounts to wealth redistribution toward those who win the technological race to acquire quantum computers.
Conclusion
Google's Mar. 2026 whitepaper did not reveal an imminent threat. No quantum computer today can break Bitcoin's cryptography. What it did was dramatically compress the estimated resource requirements and formalize a timeline that makes preparation urgent rather than theoretical.
The reduction to fewer than 500,000 physical qubits, combined with the four-to-five order-of-magnitude drop in estimates over the past 15 years, means the margin between current capability and cryptographic relevance is narrowing on a trajectory that intersects with industry roadmaps for the late 2020s to early 2030s. The at-rest vulnerability of 6.9 million BTC is a known, quantified risk with no retrospective fix for lost-key P2PK addresses.
The quantum threat to Bitcoin is not primarily a hardware problem. It is a governance and migration problem. The protocol upgrades and social consensus processes required have historically taken five to 10 years in Bitcoin's ecosystem. The clock started ticking the moment Google published those numbers.