Cracking a wallet in 9 minutes: Google's quantum paper shocks the encryption community. Is the Bitcoin "Y2K moment" approaching?
By: Kapiq Qilâra, Deep Tide TechFlow
On March 31, the Google Quantum AI team released a white paper. The title is plain, but the content is explosive.
The paper’s core conclusion: breaking the elliptic-curve cryptography (ECC-256) that protects Bitcoin and Ethereum wallets requires about 20 times fewer quantum computing resources than previously estimated. Specifically, it would take fewer than 1,200 logical qubits and 90 million Toffoli gates to complete the break on a superconducting quantum computer using fewer than 500,000 physical qubits, and it would take only a few minutes.
On the same day, Caltech and the quantum hardware startup Oratomic published another paper with even more aggressive findings: a quantum computer based on a neutral-atom architecture would require as few as about 10,000 physical qubits to launch an attack, and 26,000 qubits could break ECC-256 within about 10 days.
Together, the two papers form the most serious quantum-threat warning the encryption industry has ever faced.
From “a distant theoretical threat” to “a countdown that can actually be counted”
To understand the impact of these two papers, you need to look at a timeline: in 2012, academics estimated that breaking ECC-256 would require about 1 billion physical qubits. In 2023, Daniel Litinski’s paper reduced that figure to about 9 million. Google’s new paper reduced it to below 500,000. Oratomic went even further, pushing it down to 10,000.
In two decades, a five-order-of-magnitude reduction.
This means the framework for discussing quantum threats has been completely changed. In the past, the mainstream narrative was “quantum computers are still decades away from breaking encryption.” Now it has shifted to “if hardware progress accelerates nonlinearly, the window may be only five to ten years.” Ethereum Foundation researcher Justin Drake (who is also a co-author of the Google paper) estimates that by 2032, the probability that quantum computers break secp256k1 ECDSA private keys will be at least 10%.
The Google paper describes two attack scenarios.
The first is “on-spend attack.” When a Bitcoin user initiates a transaction, the public key is briefly exposed in the mempool. A sufficiently fast quantum computer could derive the private key from the public key in about 9 minutes, launching a competing transaction to steal funds before the transaction is confirmed. Given Bitcoin’s average block time of about 10 minutes, the paper estimates the success probability of this kind of attack at about 41%.
In cryptography, a 41% break probability is not a statistical fluke; it means the signature scheme is already compromised.
The second is an “at-rest attack,” targeting dormant wallets whose public keys are already exposed on-chain. This kind of attack has no time limit; the quantum computer can slowly compute at its own pace. The paper estimates that about 6.9 million BTC (one-third of the total supply) are in this exposed state, including about 1.7 million coins from the early days of Bitcoin’s creator era, as well as a large amount of funds whose public keys were exposed due to address reuse.
At current prices, those 6.9 million BTC are worth more than $450 billion.
Taproot: meant to upgrade privacy, but ends up expanding the attack surface
One unexpected finding in the paper is that Bitcoin’s 2021 Taproot upgrade introduced a new vulnerability from the perspective of quantum security. Taproot is intended to improve transaction efficiency and privacy and adopts the Schnorr signature scheme. But a key characteristic of Schnorr signatures is that public keys are exposed on-chain by default, removing the “hash first, then expose” protection layer in the old address format (P2PKH).
In other words, Taproot’s improvement in traditional security ironically opens a door in quantum security. This expands the pool of Bitcoin that is vulnerable to quantum attack—from early coins and reused addresses to all wallets using Taproot.
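To make the exposure classes described above concrete (hash-protected P2PKH, keys revealed by address reuse, and Taproot outputs that carry a key by default), here is an added classifier that is not part of the article or of either paper. It reads standard Bitcoin scriptPubKey templates and sums the balance whose key material is already visible on-chain; the UTXO list is constructed sample data, and the `address_reused` flag is a simplification standing in for a real check of the address's spend history.

```python
"""Classify Bitcoin outputs by whether a public key is recoverable from chain data.

Added illustration; output-type byte patterns follow the standard script
templates. For hash-based types (P2PKH, P2WPKH) the key stays hidden only
until the first spend from that address publishes it in a transaction input,
which the caller signals with address_reused.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_on_chain: bool  # True if a quantum attacker has the needed public key already
    note: str


def classify_spk(spk: bytes, address_reused: bool = False) -> Exposure:
    n = len(spk)
    # P2PK: <33|65-byte pubkey> OP_CHECKSIG -> key sits in the output itself
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "raw public key in scriptPubKey")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -> HASH160(key) only
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", address_reused, "hash only; reuse reveals the key")
    # P2WPKH: OP_0 <20> -> HASH160(key) only, same reuse caveat
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", address_reused, "hash only; reuse reveals the key")
    # P2TR: OP_1 <32-byte x-only output key> -> (tweaked) key published by default
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "Taproot output key is on-chain by default")
    # P2SH / P2WSH: only a script hash; exposure depends on the hidden script
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Exposure("P2SH", False, "script hash; depends on redeem script")
    if n == 34 and spk[:2] == b"\x00\x20":
        return Exposure("P2WSH", False, "script hash; depends on witness script")
    return Exposure("unknown", False, "non-standard script")


def exposed_balance(utxos):
    """Sum sats whose key is already exposed; utxos are (spk, sats, address_reused)."""
    exposed = total = 0
    for spk, sats, reused in utxos:
        total += sats
        if classify_spk(spk, reused).key_on_chain:
            exposed += sats
    return exposed, total


# Constructed sample UTXOs (placeholder key/hash bytes, not real chain data).
SAMPLE_UTXOS = [
    (b"\x21\x02" + b"\x11" * 32 + b"\xac", 50 * 10**8, False),          # early P2PK coin
    (b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 1 * 10**8, False),   # fresh P2PKH
    (b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", 2 * 10**8, True),    # reused P2PKH
    (b"\x51\x20" + b"\x44" * 32, 5 * 10**7, False),                     # Taproot output
    (b"\x00\x14" + b"\x55" * 20, 3 * 10**8, False),                     # fresh P2WPKH
]
```

Running `exposed_balance(SAMPLE_UTXOS)` on the sample reports 52.5 of 56.5 BTC as exposed: the P2PK, reused-P2PKH and Taproot outputs, with the two fresh hash-based outputs still protected.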
Ethereum: the problem is bigger, but preparations arrive earlier
If Bitcoin faces “wallet-level” risk, Ethereum’s issues are “infrastructure-level.”
The Google paper points out that Ethereum is exposed to quantum attacks at five levels: personal wallets, smart contract management keys, PoS staking verification, Layer 2 networks, and data availability sampling mechanisms. The paper estimates that the top 1,000 Ethereum wallets hold about 20.5 million ETH. A quantum computer that breaks a key every 9 minutes could wipe them all out in less than 9 days. At current ETH prices, those assets are worth about $41.5 billion.
A deeper problem is systemic risk. On Ethereum, about $200 billion worth of stablecoins and tokenized assets rely on administrator key signatures, and about 37 million staked ETH is authenticated through the same kind of digital signatures that are vulnerable to attack. If a large staking pool is compromised, attackers might even interfere with the consensus mechanism itself.
However, Ethereum has a structural advantage: the block time is only 12 seconds; most transactions are confirmed within a minute; and many use private mempools, which makes the feasibility of “on-spend attacks” on Ethereum far lower than on Bitcoin.
The good news is that the Ethereum community’s response is more proactive.
The Ethereum Foundation just launched pq.ethereum.org last week, bringing together eight years of post-quantum research results, with more than 10 client teams advancing development and testing of testnets on a weekly basis. Vitalik Buterin has also previously published a quantum-resistance roadmap. By contrast, the Bitcoin community’s governance culture is more conservative. The BIP-360 proposal (introducing a quantum-resistant wallet format) was merged into the BIP repository in February, but it only addresses one type of public key exposure issue; a complete cryptography migration requires much larger-scale protocol changes.
Community reaction: panic, rationality, and “this isn’t just our problem”
The encryption industry’s reaction, as expected, split into several camps.
The panic camp is represented by Project Eleven’s CEO Alex Pruden: “This paper directly refutes every argument the encryption industry uses to ignore quantum threats.” Haseeb Qureshi, a partner at Dragonfly, was even more direct in a post on X: “Post-quantum is no longer a drill.”
The rationally optimistic camp is represented by CZ. He argues that cryptocurrencies only need to upgrade to quantum-resistant algorithms—“there’s no need to panic.” This is technically correct, but it overlooks a key issue: decentralized blockchains can’t forcibly push software updates the way banks or military networks can. The migration cycle of Bitcoin infrastructure—from user wallets to exchange support to new address formats—may take five to ten years, even if all parties reach consensus today.
The “everything can be broken” camp points out that quantum computing threatens not only blockchains. Global banking systems, SWIFT transfers, stock exchanges, military communications, and HTTPS websites all rely on the same cryptographic system. The Google paper addresses this head-on: centralized systems can push updates to users, decentralized blockchains cannot. That is the fundamental difference.
The coldest humor comes from Musk: “At least in the future, if you forget your wallet password, you’ll be able to get it back.”
Conflicts of interest and rational discounts
Neither of the two papers is “purely academic.”
All nine authors of the Caltech/Oratomic paper are shareholders of Oratomic, and six of them are company employees. The paper is both a scientific achievement and commercial promotion of the company’s neutral-atom hardware roadmap. Google’s paper is not entirely neutral either. Google set 2029 as its internal deadline for migrating its own systems to post-quantum cryptography, and the paper’s conclusions closely align with this business decision. Additionally, for security reasons, Google did not publish the actual quantum circuit designs, but instead validated the results to the U.S. government via zero-knowledge proofs.
The conflict of interest in the papers needs to be discounted, but the trend itself does not. Every time someone claims “the quantum threat is exaggerated,” the next paper will cut the number of required qubits by another order of magnitude.
How far is it from “Q-Day” right now?
Currently, the most advanced quantum computers have about 6,000 qubits, and their coherence time is only about 13 seconds. From 6,000 qubits to the 500,000 qubits required by the Google paper (or the 10,000 qubits claimed by Oratomic), there is still a huge engineering gap in between.
But the analogy from crypto investor McKenna is worth remembering: “You can think of Q-Day as Y2K, but this time it’s real.”
StarkWare co-founder Eli Ben-Sasson called on the Bitcoin community to accelerate the advancement of BIP-360. Google itself said it is working with Coinbase, the Stanford Blockchain Research Institute, and the Ethereum Foundation to pursue a responsible migration.
The debate is no longer “can quantum computing break encryption,” but “can the encryption industry complete the migration before hardware catches up.” Google’s 2029 timeline, together with the sharp qubit-demand compression described in the Oratomic paper, leaves the industry a buffer period shorter than anyone expected.
The 1.1 million BTC that Satoshi has left dormant cannot migrate themselves to quantum-safe addresses. If the quantum computer arrives first, this digital inheritance worth more than $70 billion will become the largest “digital shipwreck salvage” target in history. Even the Google paper introduces a legal framework analogy for “digital salvage,” suggesting that governments may need to pass laws to handle dormant assets that can’t be migrated.
This is a problem that Bitcoin’s white paper never foresaw: if the mathematical barrier that protects private property is itself broken, can “Code is Law” still hold?