Can quantum computing crack Bitcoin? Google white paper reveals risks to 6.9 million BTC by 2026

On March 31, 2026, Google’s Quantum AI team released a highly anticipated white paper, updating its technical assessment of the threat quantum computers pose to crypto assets. Authored jointly by Hartmut Neven, Vice President of Google Research, and Ryan Babbush, Director of Quantum Algorithms Research, the report disclosed the latest resource estimates for quantum attacks through zero-knowledge proof technology, and clearly pointed the threat timeline to 2029. The white paper states that future quantum computers of cryptographic relevance (CRQC) may need fewer than 500,000 physical qubits to break the elliptic curve cryptography (ECDSA) algorithms that secure Bitcoin and Ethereum within minutes. This conclusion quickly sent shockwaves through the industry, prompting the market to reassess the vulnerability of crypto assets in the face of the quantum era.

9-Minute Threat and 6.9 Million BTC: Core Facts from the White Paper

In the white paper, Google publicly disclosed for the first time its quantum-circuit optimization plan for breaking the 256-bit elliptic curve discrete logarithm problem (ECDLP-256). Research shows that the number of logical qubits required to carry out the attack has been reduced from the thousands previously estimated to 1,200 to 1,450, corresponding to roughly 70 million to 90 million Toffoli gates (basic operation units in quantum computing). Based on the development pace of today’s superconducting quantum processors, Google expects that a CRQC with about 500,000 physical qubits will be able to complete the break of ECDLP-256 within a few minutes.

The white paper particularly emphasizes two core threat vectors for the Bitcoin network: first, directly breaking private keys of unmoved public-key addresses via Shor’s algorithm—this mainly targets “dormant addresses” that have long not been used, including approximately 1.1 million BTC allegedly held by Satoshi Nakamoto; second, “hijacking attacks” targeting transactions in transit—i.e., using the roughly 9-minute window between transaction broadcast and inclusion on-chain, attackers can quickly derive the private key of the transaction originator and tamper with the transaction’s target address. Google estimates that the total amount of BTC exposed to this kind of risk on the Bitcoin network is as high as 6.9 million coins, which—based on current market prices—exceeds $47 billion.

For the Ethereum ecosystem, the white paper notes that the complex transaction-execution logic of smart-contract platforms and the Layer 2 interaction mechanisms may give rise to five quantum attack paths, including but not limited to validator-node private key theft, forged relay signatures in cross-chain bridges, and signature replay attacks in historical states. Google warns that these attack paths could put more than $100 billion in locked assets on the Ethereum chain at risk.

From Shor’s Algorithm to the 2029 Timeline: The Evolution Path of Quantum Threats

The threat quantum computing poses to public-key cryptography is not a new topic. As early as 1994, mathematician Peter Shor proposed Shor’s algorithm, demonstrating that quantum computers can efficiently solve integer factorization and discrete logarithm problems. After the U.S. National Institute of Standards and Technology (NIST) officially initiated post-quantum cryptography (PQC) standardization projects in 2016, Google also began planning the migration to post-quantum encryption in the same year.

In 2024, NIST published the first batch of post-quantum encryption standards, marking the transition of PQC from academic research to engineering and practical applications. During this period, Google continued to participate in the development of industry standards, and in 2025 proposed its internal migration schedule, planning to complete the transition of critical infrastructure to PQC before 2029. This 2026 white paper can be viewed as an extension of that timeline and an upgraded risk warning. The white paper explicitly mentions that Google is collaborating with institutions such as Coinbase, the Stanford Blockchain Research Center, and the Ethereum Foundation to advance a responsible disclosure framework and industry migration plan.

Key timeline is as follows:

The Truth of 1,200 Qubits

The white paper’s core data is based on the optimization of two key variables: the number of logical qubits and the number of Toffoli gates. The research team compiled two sets of different quantum circuits, implementing attack schemes requiring 1,200 logical qubits + 70 million Toffoli gates, and 1,450 logical qubits + 70 million Toffoli gates, respectively. Compared with the 20,000 to 30,000 logical qubits commonly estimated by the industry in 2024, Google’s latest results compress the required resources by nearly 20 times.

From the perspective of physical implementation, Google performs projections based on the performance parameters of its current flagship quantum processor. Assuming each logical qubit consists of about 400 physical qubits (accounting for quantum error-correction overhead), then 1,200 logical qubits correspond to a total of roughly 480,000 physical qubits. Given that quantum hardware expands in scale by about 1.5x to 2x per year, Google believes it is highly feasible to reach that physical scale around 2029.

Based on Gate market data, as of April 1, 2026, the price of Bitcoin (BTC) is $68,201.5, with a 24h trading volume of $821.63M, a market cap of $1.41T, and a market share of 55.68%. Ethereum (ETH) is priced at $2,103.61, with a 24h trading volume of $407.98M, a market cap of $249.77B, and a market share of 10.08%. If the risks described in the white paper become reality, based on current prices, the market value of the 6.9 million BTC exposed to the risk would exceed $47 billion, while the $10 billion worth of Ethereum assets exposed to risk would be more than 40% of its current total market cap.

Split Market Voices: From Panic to Rationality

After the white paper was released, a clearly divided set of mainstream views and controversies emerged inside and outside the industry.

Supporters (represented by Google, some academic institutions, and parts of the security research community) believe that the precise resource requirements for responsibly disclosing quantum threats are a necessary step to drive industry upgrades. Google verifies the feasibility of the attack via zero-knowledge proof technology without leaking the specific circuit designs, and is viewed as a new disclosure model that balances transparency and security. The white paper explicitly mentions partners including Coinbase, the Stanford Blockchain Research Center, and the Ethereum Foundation, indicating that some industry leaders recognize and participate in this risk-warning mechanism.

Opponents and skeptics focus on three dimensions: the accuracy of how urgent the timeline is, potential market disruptions caused by the disclosure method, and the ability of existing blockchain architectures to resist attacks. Some members of the crypto community point out that although the white paper claims to be “responsible disclosure,” its release approach inevitably triggers panic-driven discussions in the market, which could constitute a non-technical attack on confidence in crypto assets. In addition, Bitcoin core developers emphasize that even if quantum attacks become technically possible, the Bitcoin network is not defenseless—for example, while the Taproot upgrade may increase the attack surface in some scenarios, it also provides the foundation for introducing more flexible script and signature schemes.

Three Facets of a White Paper

When analyzing Google’s white paper, it is necessary to clearly distinguish among three layers: facts, viewpoints, and speculation.

Google did release the white paper, which includes specific data on quantum-circuit compilation (such as 1,200 logical qubits, 70 million Toffoli gates, etc.). These data have been verified via zero-knowledge proofs and are therefore verifiable. Google proposed a migration timeline for 2029 and, in terms of collaboration, it has worked with institutions including the Ethereum Foundation. The white paper also explicitly mentions a technical judgment that the Bitcoin Taproot upgrade could increase the attack surface.

The white paper’s statements about “quantum computing potentially ending Bitcoin earlier than expected” fall under the research team’s concluding judgment. Its estimate of the risk exposed to 6.9 million BTC is based on the assumption that “all long-term unmoved addresses have taken no protective measures,” which does not hold absolutely in real-world networks. Similarly, the warning about five attack paths for Ethereum is based on an assumption that the attacker already has CRQC capabilities.

The feasibility of quantum computers reaching the scale described in the white paper by 2029 is a projection extrapolated based on the current pace of hardware development. Whether the number of physical qubits can grow from the current few hundred to 500,000 within three years depends on multiple technical breakthroughs in quantum error correction and hardware manufacturing, and there is a high degree of uncertainty.

In addition, a comparable narrative comes from Satoshi Nakamoto’s 2010 forum remarks. At the time, when facing discussions about similar technological evolution, Nakamoto said: “If SHA-256 is thoroughly broken, I think we can achieve consensus to roll the blockchain back to some known good state, and continue from there.” This view echoes the current industry consensus of “encryption is always easier than cracking,” where the evolution capability of encrypted assets itself is also part of its security model.

From Exchanges to Self-Custody: Industry Restructuring in the Post-Quantum Era

The release of Google’s white paper has had substantive impacts on the crypto industry along three dimensions.

First, it accelerates the transition of post-quantum encryption from theory to engineering deployment. Since NIST published PQC standards in 2024, some emerging public-chain and Layer 2 projects have begun testing PQC signature schemes, such as Falcon, Dilithium, and others. After the white paper’s release, discussions about “PQC migration timelines” spread from academia to exchanges, wallet service providers, and mining-pool operators. For large exchanges, designing deposit/withdrawal address systems compatible with PQC while safeguarding existing assets’ security has become a technical challenge that must be solved in the next two years.

Second, it imposes clear upgrade requirements on self-custody users and older projects. The 6.9 million BTC risk exposed in the white paper mainly points to two categories of addresses: long-term unmoved “dormant addresses” and UTXOs that use public-key address formats that have been used (such as Legacy P2PK). This means that any self-custody user who still uses an un-upgraded address format, or who holds assets that have not been moved for a long time, will have a risk exposure that expands over time. For smart-contract projects deployed before 2017, if their signature-verification logic did not leave room for upgrades, they may face permanent security lock-in.

Third, it triggers a rethinking of on-chain asset governance mechanisms. If quantum attacks become real, how to quickly freeze stolen assets, how to coordinate the whole network’s nodes to complete a PQC soft fork, and how to handle non-movable assets in early addresses such as those associated with Satoshi Nakamoto—beyond these technical issues, social coordination problems will become a new challenge for the industry.

Three Possible Futures: Scenario-Based Quantum-Era Simulations

Based on the current pace of technological development and the industry’s response capacity, three possible scenario evolution paths can be simulated.

Scenario One: Optimistic scenario (PQC migration stays ahead of quantum attacks). In this scenario, major public chains, exchanges, and wallet service providers complete PQC upgrades before 2028, and mainstream asset addresses fully migrate to post-quantum signature schemes. Although quantum computers reach breaking capability around 2029, by then the network would no longer have usable attack surfaces. Realizing this scenario depends on rapid convergence of industry consensus and sufficient investment in engineering development resources.

Scenario Two: Pessimistic scenario (quantum attacks arrive before industry upgrades). Quantum hardware develops faster than expected; while the industry has not yet completed PQC migration, attackers already have the capability to carry out breaking attacks. At that point, the Bitcoin and Ethereum networks will face large-scale private-key leakage risk, market confidence will collapse, and asset values will drop sharply. In this scenario, the industry may be forced to take extreme measures, such as forcibly freezing exposed addresses via social consensus, rolling back transactions, or even launching a new chain.

Scenario Three: Most likely scenario (staged upgrades with localized risks coexisting). The industry will complete PQC migration of major address formats between 2028 and 2030, but a large number of long-tail assets, outdated projects, and self-custody addresses that have not been proactively upgraded will still remain exposed to risk. The practical application of quantum computing would begin with localized attacks; attackers may prioritize pilot attacks on addresses with concentrated value and weaker defenses. In this scenario, the focus of risk management shifts from “a uniform upgrade across the entire industry” to “protecting key-asset priorities.”

Conclusion

Google’s 2026 Quantum AI white paper is not an end-of-crypto-world prophecy; it is a technical risk warning whose precision is increasing. It moves quantum attacks from “distant theoretical threats” to “quantifiable engineering challenges,” giving the industry a valuable upgrade time window. Whether it is the potential of Bitcoin’s Taproot upgrade or Ethereum smart contracts’ flexible architecture, both provide the technical foundation for adopting post-quantum cryptography. For every participant in the crypto ecosystem, understanding the essence of quantum threats, assessing the risk exposure of their own assets, and actively tracking the PQC migration process will be the central question for protecting digital-asset security over the coming years. The history of crypto technology evolution has repeatedly proven this: real security does not come from ignoring threats, but from anticipating challenges and responding systemically.