This morning, Google’s Quantum AI team published a whitepaper that quietly moved the timeline on one of the most consequential threats in crypto. The findings are technical, the implications are not.
Previous estimates held that breaking the elliptic-curve cryptography that secures Bitcoin would require millions of quantum bits. A figure in the millions put the threat comfortably in the “someone else’s problem” category. Google’s new estimate in today’s blog post puts it below 500,000 physical qubits, with a practical attack requiring as few as 1,200 logical qubits.
That is not a refinement of the timeline. That is a compression by a factor of twenty.
The paper also models a specific attack scenario: a quantum computer hijacking a Bitcoin transaction in approximately nine minutes, with a 41% success rate against Bitcoin’s ten-minute block confirmation window. Not a theoretical future attack. A statistical model with numbers attached to it. A 41% chance of stealing a transaction before it confirms is not a rounding error. In any other security context it would be called a broken system.
Google also pulled its internal deadline for migrating to post-quantum cryptography forward to 2029. The year of the next US presidential election. Three years away.
What Taproot Has to Do With It
This is where it gets uncomfortable for Bitcoin specifically.
Bitcoin’s 2021 Taproot upgrade was widely celebrated. It improved transaction efficiency, enabled more complex smart contracts, and added privacy features. It also, as a design decision, made public keys visible on the blockchain by default.
Under the older Pay-to-Public-Key-Hash format, public keys were hidden behind a cryptographic hash until a transaction was made. An attacker would need to crack the hash first, then the elliptic curve behind it. Two layers. Taproot removed the first layer.
The result: approximately 6.9 million Bitcoin, roughly one-third of the entire circulating supply, now sits in wallets where the public key is exposed on-chain. That number includes about 1.7 million Bitcoin from the network’s early years, including addresses widely believed to belong to Satoshi Nakamoto, and funds in addresses that have been reused. For comparison, CoinShares previously estimated that only 10,200 Bitcoin faced meaningful quantum risk. Google’s figure is 680 times larger.
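The distinction above between hashed and exposed keys can be checked per output. The following is an added example, not code from the article or from Google's paper: it classifies standard output scripts by whether the public key is visible before the coins are spent, and counts reused hashed addresses as exposed. The function names and the sample scripts are hypothetical and constructed for illustration.

```python
# Added example: audit outputs for public keys that are visible on-chain at rest.

def classify_script(spk_hex):
    """Return (script_type, key_exposed_at_rest) for a hex scriptPubKey."""
    s = bytes.fromhex(spk_hex)
    # P2PK (early-years format): <push 33|65> <pubkey> OP_CHECKSIG
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return ("p2pk", True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("p2pkh", False)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return ("p2sh", False)
    # P2WPKH / P2WSH: OP_0 <20- or 32-byte hash>
    if len(s) in (22, 34) and s[0] == 0x00 and s[1] == len(s) - 2:
        return ("p2wpkh" if len(s) == 22 else "p2wsh", False)
    # P2TR (Taproot): OP_1 <32-byte x-only output key>, key is in the output itself
    if len(s) == 34 and s[0] == 0x51 and s[1] == 0x20:
        return ("p2tr", True)
    return ("unknown", None)

def audit(utxos, spent_before):
    """Sum satoshis by exposure. `spent_before` holds scripts already spent
    from once: that spend revealed the key, so reuse leaves it exposed."""
    report = {"exposed": 0, "hashed": 0, "unknown": 0}
    for spk, sats in utxos:
        _, exposed = classify_script(spk)
        if exposed is None:
            report["unknown"] += sats
        elif exposed or spk in spent_before:
            report["exposed"] += sats
        else:
            report["hashed"] += sats
    return report

# Constructed sample data: placeholder bytes, not real keys or addresses.
K = "11" * 32
P2PK = "21" + "02" + K + "ac"
P2PKH = "76a914" + "22" * 20 + "88ac"
P2PKH_REUSED = "76a914" + "44" * 20 + "88ac"
P2WPKH = "0014" + "33" * 20
P2TR = "5120" + K
SAMPLE_UTXOS = [(P2PK, 5000), (P2PKH, 1000), (P2PKH_REUSED, 700),
                (P2WPKH, 2000), (P2TR, 3000)]
SPENT_BEFORE = {P2PKH_REUSED}

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS, SPENT_BEFORE))
```

A wallet operator can run the same classification over their own UTXO set to see how much value sits behind a hash and how much does not.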
The upgrade that was supposed to make Bitcoin better may have widened the attack surface by an order of magnitude. The Bitcoin community built the door. Google just told them the lock is weaker than they thought.
Ethereum’s Answer: Seven Hard Forks and a Dedicated Team
One week ago, the Ethereum Foundation launched pq.ethereum.org — a dedicated hub for post-quantum security research, bringing together years of previously scattered cryptographic work into one public resource.
The Ethereum Foundation’s answer to the quantum threat is the Strawmap: seven hard forks over four years, each one incrementally replacing Ethereum’s cryptographic foundations without pausing the live network. The approach has been called a “Ship of Theseus” strategy — replace every plank in the ship, one at a time, while the ship keeps sailing.
The first two forks are already in progress. Glamsterdam is targeted for the first half of 2026. Hegota follows later this year. The first quantum-resistant upgrades, which replace BLS validator signatures with hash-based leanXMSS signatures, are being considered for inclusion in Hegota. More than ten Ethereum client teams are currently running post-quantum development networks, known as devnets, with weekly interoperability sessions to ensure different software clients remain compatible as the cryptography changes.
The research that underpins this work began in 2018. Justin Drake, one of the co-authors of today’s Google paper, is an Ethereum Foundation researcher. The team that published the threat model is partly the same team building the defense.
Ethereum Foundation researchers put it plainly: “Layer 1 protocol upgrades could be completed by 2029, with full execution-layer migration taking additional years beyond that.”
Seven forks. Weekly devnets. A dedicated team. A public roadmap. A 2029 target that matches Google’s deadline.
Bitcoin’s Answer: A BIP and a Debate
Bitcoin has BIP-360.
BIP-360 proposes a new Pay-to-Merkle-Root script type, designed to retain Taproot’s efficiency benefits while removing the at-rest vulnerability that Taproot introduced. It is a genuine technical solution to a real problem. It was proposed. It sits in the Bitcoin Improvement Proposal process. It has not been merged.
Bitcoin’s upgrade culture is not a bug in the system. It is a feature. The deliberate conservatism, the resistance to change, and the requirement for overwhelming consensus before touching the base layer are what make Bitcoin trustworthy as a store of value. A protocol that changes easily can be changed by the wrong people for the wrong reasons.
But that same conservatism means that when the threat timeline compresses from decades to three years, Bitcoin cannot simply convene a team and publish a roadmap. It has to achieve consensus among a decentralized network of node operators, miners, developers, and holders who have strong and divergent views about what Bitcoin is and what it should do.
The block size wars lasted four years and nearly split the network. The Taproot upgrade itself took years of advocacy before activation. SegWit before that. Every meaningful Bitcoin upgrade requires a social consensus process that operates on a completely different timescale than Google’s engineering deadlines.
The people who are most concerned about quantum will push for urgency. The people who are most concerned about Bitcoin’s conservatism will push back. Both groups are right about something important. That is what makes this a culture war and not just a technical debate.
The Numbers That Put This In Context
6.9 million Bitcoin at risk. At today’s price that is approximately $466 billion sitting in wallets with exposed public keys.
1.7 million of those Bitcoin are in early wallet formats, including Satoshi-era addresses, that cannot be upgraded by their owners because the keys are likely lost. Whoever builds the first quantum computer capable of running Google’s attack scenario would have a theoretical claim on tens of billions of dollars in Bitcoin that has not moved in fifteen years and has no living owner to defend it.
No quantum computer can execute this attack today. The machines currently operating, including Google’s own superconducting processors, are nowhere near the scale required. The 500,000-qubit threshold remains a significant engineering challenge. The timeline is three years, not three months.
But three years is also not decades. It is the same amount of time that every previous major Bitcoin upgrade has taken, start to finish, and those were changes far less contentious than touching the signature scheme that secures every wallet on the network. That is the window Bitcoin now has to coordinate a network-wide upgrade to post-quantum cryptography.
What This Actually Means
The quantum threat to Bitcoin is not imminent. Google said so explicitly, and the researchers who wrote the paper used zero-knowledge proofs to disclose the vulnerability without publishing a blueprint for attackers. Responsible disclosure by the people most capable of executing the attack.
But the threat is no longer theoretical either. It has a qubit count. It has an attack time. It has a success rate. It has a deadline that a company the size of Google has built its own internal security timeline around.
Ethereum has a named team, a named roadmap, a named target date, and weekly working sessions already running. Bitcoin has a BIP and the most consequential governance debate in its history waiting to happen.
The US Strategic Bitcoin Reserve holds Bitcoin because it is the most decentralized, most secure monetary asset ever created. That security rests on cryptographic foundations that Google just told us are more fragile than we thought.
Whether Bitcoin can upgrade those foundations on a three-year timeline, with the consensus process it has, is the question that the culture war will eventually have to answer. The deadline does not care about the debate.