Is it really too optimistic? Two papers published on the same day show that quantum computing has lowered the barrier to cracking Bitcoin by two orders of magnitude.

On March 31 afternoon, Bitcoin reversed the morning’s rally and accelerated its drop, breaking below the $67,000 mark; the Crypto Fear and Greed Index slipped to 28. On social media, a repeatedly shared image claims that a quantum computer can crack the physical quanta required to break Bitcoin private keys, dropping from the million-level to the ten-thousand-level. A researcher at Google Quantum AI warned that a quantum attack could hijack a Bitcoin transaction currently being broadcast within 9 minutes, with about a 41% probability of finishing before confirmation. About 6.9 million Bitcoin with exposed public keys are currently lying quietly on-chain, waiting for computing power to catch up with theory.

What triggered this wave of panic were two papers published almost simultaneously the day before. One came from the Google Quantum AI team, and the other from Oratomic, a neutral-atom quantum computing company. Viewed individually, each paper is a major advancement in its respective field. Taken together, they target different layers of the quantum computing stack, and the effect multiplies directly.

Ethereum core researcher Justin Drake said in a tweet that this is “a milestone day for quantum computing and cryptography.” He participated in the Google team’s paper, which improves Shor’s algorithm—the most famous quantum attack algorithm in the cryptography community—specifically used to break RSA and elliptic-curve encryption. The secp256k1 signature scheme used by Bitcoin and Ethereum falls squarely within the category of elliptic-curve cryptography.

Why are the two papers placed together truly frightening? Because the total physical qubits required to break an elliptic-curve signature = the number of logical qubits (how many “clean” computation units the algorithm needs) × the number of physical qubits required per logical qubit (how many “redundant” hardware components are needed at the error-correction layer to maintain a clean unit). The Google paper compresses the former, while Oratomic’s paper compresses the latter. When both numerator and denominator shrink at the same time, the product drops sharply.

According to a paper included in EUROCRYPT 2026, the number of logical qubits needed to break a 256-bit elliptic curve fell from 2,330 in 2017 (according to the benchmark paper by Roetteler et al.) to 2,124 in 2020 (according to Haner’s improvements), and then to 1,098 in March 2026. Over nine years, the algorithm-layer requirement was cut by more than half. The Google team’s paper goes further: it performs dedicated optimization for the secp256k1 curve used by Bitcoin and Ethereum, pushing the required logical qubits down to about 1,000. The circuit depth is only about 100 million Toffoli gates (as described by Justin Drake, cited by CryptoBriefing), which on a superconducting platform corresponds to roughly 1,000 seconds of Shor’s algorithm runtime.

Meanwhile, according to data from the Oratomic paper cited in the tweet, the neutral-atom approach compresses the number of physical qubits required per logical qubit from about 400 in traditional surface codes to about 10. The principle behind this breakthrough is completely different from Google’s. Google improves the efficiency of the algorithm itself, while Oratomic improves the error-correction overhead of the underlying hardware. Both improvements can stack.

Multiply the two numbers: the 2017 estimate is about 7 million physical qubits, while the March 2026 estimate for the neutral-atom route is about 10,000. Total demand drops from the million level to the ten-thousand level—a decline of more than two orders of magnitude.

This multiplicative effect gives rise to two entirely different attack approaches.

Based on paper calculations organized in the tweets, the superconducting route (Google’s research direction) needs about 500,000 physical qubits and can run for about 9 minutes to crack a private key—fast enough to hijack real-time transactions. The neutral-atom route (Oratomic’s research direction) needs only about 10,000 physical qubits, but its runtime stretches to about 10 days. This is not a problem because its attack targets are dormant wallets whose public keys have already been exposed; it is not time-sensitive.

How should we interpret the gap? Google’s strongest Willow processor today has 105 superconducting qubits (according to Google Quantum AI specifications), which is still about 4,762 times away from the 500,000 threshold. But the neutral-atom field’s fault-tolerant computing system has already reached about 500 qubits, leaving only about a 20x gap to the 10,000 threshold. If you look at physical array size instead of fault tolerance capability, laboratories have already captured more than 6,100 atoms, narrowing the gap further to less than 2x.

A 20x gap and a 4,762x gap are distances on completely different orders of magnitude. The neutral-atom route is closer than most people think.

As for Bitcoin’s situation, it is far from being ready to face this change.

According to a joint report by Ark Invest and Unchained, about 7 million Bitcoin (about 33% of total supply) are exposed to quantum risk, with a value of roughly $440 billion to $480 billion. These vulnerable addresses fall into three categories. About 1.7 million are in early P2PK addresses, with the public keys directly exposed on-chain, and most of them have already been lost—no one can operate to migrate. About 1.1 million belong to Satoshi Nakamoto, distributed across roughly 22,000 addresses, with the holders’ identities unknown. The remaining about 4.2 million are in address re-use or P2TR addresses; their public keys are also exposed, but in theory their holders can proactively migrate to safe addresses.

In other words, about 2.8 million Bitcoin (40% of the vulnerable total) can’t be saved no matter what. Their private keys are either lost or the holders will never show up. This is not a problem a technical solution can fix—it is a governance issue: whether the community should freeze these addresses that are destined to be exposed. According to a CoinDesk report from February, the Bitcoin community has already generated intense debate over whether to freeze Satoshi’s 1.1 million holdings, and no consensus has been reached yet.

Even for the 4.2 million that are theoretically migratable, migration is not automatic. Holders must actively transfer assets from old addresses to addresses using new signature schemes, and historical experience shows that many holders will not take action before the deadline.

Faced with the same threat, the response strategies of the three major public chains diverge sharply.

According to pq.ethereum.org, which went live on March 25, 2026 by the Ethereum Foundation, Ethereum has been preparing for eight years and has a complete multi-stage roadmap: replace the current BLS signature scheme with leanXMSS hash signatures, aiming to complete the L1 protocol upgrade in 2029. After more than 10 client teams run weekly post-quantum devnet interoperability tests, users can migrate progressively via account abstraction, without needing a hard fork. Google has also set an internal post-quantum migration deadline to complete by 2029 (according to the Google Security Blog), and Ethereum’s timeline aligns with it.

Solana has an experimental option. The Winternitz Vault proposed on GitHub in December 2025 by Dean Little, Chief Scientist at Zeus Network—using a one-time vault mechanism based on hash signatures. But this is an optional approach: users need to actively opt in, and there is no official timeline.

Bitcoin’s situation is the most severe. There is no coordinated plan, no foundation-level dedicated funding, and no timeline. Bitcoin’s governance model requires a decentralized community to reach broad consensus in order to drive protocol changes, and this community has historically been known for moving slowly. According to the 2026 Quantum Threat Timeline report by the Global Risk Institute, cryptography-related quantum computers are “quite likely” to appear within 10 years and “very likely” within 15 years. If Ethereum’s 2029 target proceeds as planned, the migration will be completed before the window closes. Bitcoin is still in an early stage even in terms of discussion.

With two papers published on the same day, a problem long viewed as a “distant threat” suddenly gained concrete numbers: 10,000 physical qubits, 10 days, and a private key for a dormant wallet.

But it needs to be emphasized that this is still a major lowering of a theoretical threshold, not a truly imminent attack. Today’s most advanced neutral-atom systems are still about 20x away from 10,000 fault-tolerant qubits, and the superconducting route’s gap is even on the scale of thousands of times. A 10-to-15-year time window still exists, and the Bitcoin community is not without opportunities. Bitcoin has faced highly divisive governance tests in the past—such as the block size debate and SegWit activation—and ultimately, under pressure, it converged on consensus. The nature of the quantum threat is different from routing debates: it does not involve vested-interest disagreements; it is a shared risk facing the entire network. Paradoxically, it may become an external force that accelerates action by the Bitcoin community.

The real issue is not whether quantum computing can crack Bitcoin, but whether the Bitcoin community can complete preparations before the window closes.

Click to learn more about Law’s recruitment by BlockBeats

Welcome to join the official Law’s BlockBeats community:

Telegram subscription group: https://t.me/theblockbeats

Telegram discussion group: https://t.me/BlockBeats_App

Twitter official account: https://twitter.com/BlockBeatsAsia