CLASSIFIED BRIEFING

QUANTUM THREAT
ASSESSMENT

Google Quantum AI — March 30, 2026

How close is a quantum computer to breaking your Bitcoin wallet?

Coin Bureau Podcast x The Better Traders

Click to Advance

The Paper

WHAT GOOGLE JUST PUBLISHED

"Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities"

Ryan Babbush • Craig Gidney • Hartmut Neven + 6 others

Google Quantum AI • UC Berkeley • Ethereum Foundation • Stanford

Published March 30, 2026

Notable: Google used a zero-knowledge proof to verify findings without releasing attack instructions. The math is real. The threat is quantified. The timeline just got shorter.

"The expected emergence of cryptographically relevant quantum computers will represent a singular discontinuity in the history of digital security."

— Babbush et al., Google Quantum AI, 2026

BITCOIN

ETHEREUM

ALL ECDLP BLOCKCHAINS

The Math

THE LOCK ON EVERY CRYPTO WALLET

Private key n: secret

Public key Q=nP: visible

Reverse: ECDLP

Every Bitcoin wallet uses this math. Your private key generates a public key through a one-way operation on this curve.

Reversing this — finding n from Q — would take a classical computer longer than the age of the universe.

It's been unbreakable for 30 years. Until now.

Used by:

BITCOIN ETHEREUM SOLANA CARDANO AVALANCHE

Quantum Advantage

WHY QUANTUM CHANGES EVERYTHING

Shor's Algorithm solves ECDLP exponentially faster

CLASSICAL COMPUTER

age of universe

10³⁰ years to crack secp256k1

Classical computers test one possibility at a time. The keyspace has more combinations than atoms in the observable universe.

VS

QUANTUM (SHOR'S ALGORITHM)

MINUTES

~Minutes to crack secp256k1

How Shor's Algorithm works: 1. Superposition tests all answers simultaneously

2. Quantum Fourier Transform extracts the period

3. Reduces ECDLP to polynomial time

2022 ESTIMATE — Google

~0

Physical Qubits Required

Physical qubits are the raw hardware building blocks. Logical qubits are error-corrected qubits — it takes thousands of physical qubits to make one reliable logical qubit.

This was already an alarming number in 2022

2026 ESTIMATE — Google Willow Architecture

<0

Physical Qubits Required

20x REDUCTION

Based on Google Willow processor architecture. The bar just dropped dramatically — and it's still falling.

The Reduction Visualized

THE QUBIT REQUIREMENT FELL 20x

Execution time: MINUTES on superconducting hardware

Context: No CRQC exists today. This is a resource estimate. The bar is lower than we thought, and it's falling.

Circuit Design

TWO ATTACK CIRCUIT CONFIGURATIONS

Circuit Configuration A

High-Depth / Low-Width

Logical Qubits~1,200

Toffoli Gates90M

StrategyDepth-optimized

Uses fewer qubits but runs a deeper circuit. Trades qubit count for more sequential operations.

Circuit Configuration B

Low-Depth / High-Width

Logical Qubits~1,450

Toffoli Gates70M

StrategyWidth-optimized

Uses more qubits to run a shallower circuit. Faster execution, higher hardware demand.

What this means: Both configurations use dramatically fewer resources than 2022 estimates. Either configuration could theoretically execute a full Bitcoin key attack once a CRQC with sufficient physical qubits exists.

Attack Vectors

GOOGLE IDENTIFIED TWO DISTINCT ATTACKS

ON-SPEND ATTACK

Target transactions while in the mempool. Public key is briefly exposed. CRQC has ~10 minutes to crack and replace.

CRITICAL

AT-REST ATTACK

Target old wallets with permanently exposed public keys. No time pressure — attack can happen anytime.

HIGH

Attack Vector 1

ON-SPEND ATTACK — DEEP DIVE

Hardware

SUPERCONDUCTING
PHOTONIC • SILICON

Attack Window

~10 min

Threat Level

CRITICAL

Mitigation

Private mempools, commit-reveal schemes

Attack Vector 2

AT-REST ATTACK — DEEP DIVE

Hardware

NEUTRAL ATOM
ION TRAP

Time Needed

Hours to days

Threat Level

HIGH

At-Risk Addresses

~4M Bitcoin addresses with permanently exposed public keys

Risk Assessment

WHO IS AT RISK? (1/2)

Chain	Signature Scheme	Quantum Risk	Notes
Bitcoin — exposed P2PK	secp256k1 ECDSA	HIGH	~4M addresses permanently exposed
Bitcoin — new transactions	secp256k1 ECDSA	MEDIUM	Protected behind hash until spend
Ethereum (ETH)	secp256k1 ECDSA	CRITICAL	Account model = permanent public key
Solana (SOL)	Ed25519	HIGH	Different curve, still ECDLP-based
ETH Smart Contracts	Various	CRITICAL	Admin keys reused; quantum enables classical exploits

Risk Assessment

WHO IS AT RISK? (2/2)

Chain	Signature Scheme	Quantum Risk	Notes
ETH Proof-of-Stake	BLS Signatures	HIGH	Consensus layer vulnerable
ETH DAS	KZG Commitments	HIGH	Data availability layer exposed
Zcash (ZEC) — shielded	ECDLP-free	SAFE	Quantum resistant
Bitcoin PoW	SHA-256	SAFE	Grover's offers minimal speedup
Algorand	PQC migration	MEDIUM	Actively migrating to PQC

95%+ of all crypto uses ECDLP-based signatures

The Dormant Asset Problem

~0 BTC

Estimated coins with permanently exposed public keys

Includes Satoshi's ~1.1M coins in early P2PK addresses — fully vulnerable to at-rest quantum attack.

At ~$100K/BTC, that's approximately $110 billion at risk

The Hard Problem

THERE IS NO CLEAN ANSWER

DO NOTHING

A CRQC operator drains all dormant wallets. Billions stolen instantly. Market chaos. The Bitcoin trust model collapses. "Hard money" becomes "stolen money."

FORCE DESTRUCTION

Protocol-level burning of exposed coins. "Your coins are safe forever" becomes a lie. Breaks Bitcoin's trust model from the other direction. Sets precedent for confiscation.

"The challenge posed by dormant assets illustrates why policy engagement must accompany technical solutions."

Policy Options

THE 6 OPTIONS ON THE TABLE

01

Do Nothing

Let quantum attackers take dormant coins. Maximum ideological purity, maximum financial damage.

DANGEROUS

02

Burn

Protocol-level destruction of vulnerable coins after a migration deadline. Irreversible.

COMPLEX

03

Hourglass

Freeze (not burn) vulnerable coins. Owners can reclaim by proving ownership with a quantum-safe signature.

VIABLE

04

Bad Sidechain

Migrate to a quantum-safe sidechain. Paper argues this creates dangerous fragmentation.

DANGEROUS

05

Digital Salvage

Regulated government recovery of exposed coins. Paper explores legal and technical frameworks.

COMPLEX

06

National Security Response

State-level intervention to secure or redistribute vulnerable assets before adversaries exploit them.

COMPLEX

Action Items

WHAT INDIVIDUALS SHOULD DO NOW

Stop reusing wallet addresses — use a fresh address every transaction

Move funds out of old P2PK and reused P2PKH addresses now

Use Taproot (P2TR) addresses — never expose the public key before spending

Watch your blockchain's PQC migration timeline — be ready to move

Protocol Action

WHAT BLOCKCHAINS MUST DO

Deadline: Before 2030

Migrate to CRYSTALS-Dilithium or FALCON

Both are NIST-approved post-quantum cryptography standards

Deploy private mempools

Prevents on-spend attack by hiding transactions until confirmation

Implement commit-reveal transaction schemes

Hides public key until after the transaction is committed

Plan for dormant coin policy — start community discussion now

There is no good option. But "no plan" is the worst option.

The Timeline

THE WINDOW IS CLOSING

The quantum threat is not here yet. The preparation window is now.

Coin Bureau Podcast

x

The Better Traders

Source

Babbush et al. (2026)
"Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities"
Google Quantum AI • UC Berkeley • Ethereum Foundation • Stanford
Published March 30, 2026

For educational purposes only. Not financial advice.

QUANTUM THREATASSESSMENT

WHAT GOOGLE JUST PUBLISHED

THE LOCK ON EVERY CRYPTO WALLET

WHY QUANTUM CHANGES EVERYTHING

THE QUBIT REQUIREMENT FELL 20x

TWO ATTACK CIRCUIT CONFIGURATIONS

GOOGLE IDENTIFIED TWO DISTINCT ATTACKS

ON-SPEND ATTACK — DEEP DIVE

AT-REST ATTACK — DEEP DIVE

WHO IS AT RISK? (1/2)

WHO IS AT RISK? (2/2)

THERE IS NO CLEAN ANSWER

DO NOTHING

FORCE DESTRUCTION

THE 6 OPTIONS ON THE TABLE

WHAT INDIVIDUALS SHOULD DO NOW

WHAT BLOCKCHAINS MUST DO

THE WINDOW IS CLOSING

QUANTUM THREAT
ASSESSMENT