Google Quantum AI official disclosure: The number of quantum bits required to crack Bitcoin encryption has been reduced by 20 times.

Author: Ryan Babbush & Hartmut Neven, Google Quantum AI

Translation: ShenChao TechFlow

ShenChao Quick Take: This is the first-hand source for today’s quantum threat discussion—it’s not a media retelling. It’s an official technical blog jointly published by Google Quantum AI’s Research Director and VP Engineering.

There is only one core takeaway: the estimated number of physical qubits required to break Bitcoin’s elliptic curve cryptography has now been reduced by about 20x. Google also released verification materials in the form of “zero-knowledge proofs,” enabling third parties to verify the conclusion without the attack details being disclosed. This way of disclosing is also worth paying attention to.

The full text is as follows:

March 31, 2026

Ryan Babbush, Director of Quantum Algorithms Research at Google Quantum AI; Hartmut Neven, VP Engineering at Google Quantum AI, Google Research

We are exploring a new model for shedding light on the code-breaking capabilities of future quantum computers, and we outline the steps that should be taken to mitigate their impact.

Quantum resource estimates

Quantum computers are expected to solve previously unsolvable problems, including applications in chemistry, drug discovery, and energy. However, large-scale cryptographically relevant quantum computers (CRQCs) can also break the public-key cryptography that is widely used today to protect confidential information and all kinds of systems. Governments and institutions in various countries, including Google, have been addressing this security challenge for many years. With continued progress in science and technology, CRQCs are gradually becoming a reality, which requires a transition to post-quantum cryptography (PQC). This is also why we recently proposed a 2029 migration timeline.

In our white paper, we share the latest estimates of the quantum “resources” (i.e., qubits and quantum gates) required to solve the 256-bit elliptic curve discrete logarithm problem (ECDLP-256), the problem whose hardness underlies elliptic curve cryptography. We express the resource estimates in terms of logical qubits (error-corrected qubits, each composed of hundreds of physical qubits) and the number of Toffoli gates (an elementary operation on qubits that is costly to perform and a major factor in the execution time of many algorithms).

Specifically, we compiled two quantum circuits (sequences of quantum gates) to implement Shor’s algorithm for ECDLP-256: one using fewer than 1,200 logical qubits and 90 million Toffoli gates, and another using fewer than 1,450 logical qubits and 70 million Toffoli gates. We estimate that, under standard hardware capability assumptions consistent with some of Google’s flagship quantum processors, these circuits can execute on a superconducting-qubit CRQC with fewer than 500,000 physical qubits in a matter of minutes.

This is a reduction of about 20x in the number of physical qubits required to break ECDLP-256, and it continues the long-running effort to optimize the compilation of quantum algorithms into fault-tolerant circuits.

Using post-quantum cryptography to secure cryptocurrencies

Most blockchain technology and cryptocurrencies currently rely on ECDLP-256 for key aspects of their security. As we argue in our paper, PQC is a mature path for achieving post-quantum blockchain security, providing assurance for the long-term viability of cryptocurrencies and digital economies in a world where CRQCs exist.

We list examples of post-quantum blockchains and cases where PQC was experimentally deployed on blockchains that previously had quantum vulnerabilities. We point out that although PQC and other feasible solutions already exist, implementation still takes time, so the urgency to act grows by the day.

We also offer additional recommendations to the cryptocurrency community to improve security and stability in both the short and long term, including avoiding exposing or reusing vulnerable wallet addresses, and potential policy options for the issue of abandoned cryptocurrencies.

Our vulnerability disclosure approach

Vulnerability disclosure is a controversial topic. On the one hand, the “no disclosure” position argues that publicly disclosing vulnerabilities is equivalent to handing attackers an operations manual. On the other hand, the “full disclosure” movement argues that making the public aware of security vulnerabilities not only helps keep people vigilant and take self-protective measures, but also incentivizes security repair work. In the field of computer security, this debate has converged into a set of compromise approaches known as “responsible disclosure” and “coordinated vulnerability disclosure.” Both advocate disclosing vulnerabilities with a set embargo period, giving affected systems time to deploy security fixes. Top security research organizations such as Carnegie Mellon University’s CERT/CC and Google’s Project Zero have adopted variants of responsible disclosure with strict deadlines, a practice that has also been adopted as the international standard ISO/IEC 29147:2018.

Disclosure of security vulnerabilities in blockchain technology is made more complex by one special factor: cryptocurrencies are not just decentralized data-processing systems. The value of their digital assets comes not only from the network’s digital security, but also from the public’s confidence in the system. While the public-facing security layer may be attacked by a CRQC, public confidence may also be eroded by fear, uncertainty, and doubt (FUD). Therefore, unscientific, baseless resource estimates for quantum algorithms that break ECDLP-256 may themselves constitute an attack on the system.

These considerations guide our cautious approach to disclosing quantum attack resource estimates for blockchain technologies based on elliptic curve cryptography. First, we reduce the risk of FUD in what we discuss by clearly identifying the areas in which blockchains are immune to quantum attacks, and by emphasizing the progress that has been achieved in post-quantum blockchain security. Second, without sharing the underlying quantum circuits, we substantiate our resource estimates by releasing what is known as a “zero-knowledge proof,” an advanced cryptographic construction that allows third parties to verify our claims without us disclosing sensitive attack details.

We welcome further discussion with the quantum, security, cryptocurrency, and policy communities, in order to reach consensus on future responsible disclosure practices.

Through this work, our goal is to support the long-term healthy development of the cryptocurrency ecosystem and blockchain technology, which are occupying an increasingly important position in the digital economy. Looking ahead, we hope that our responsible disclosure approach will spark an important dialogue between quantum computing researchers and the broader public, and will provide a transferable model for research in quantum cryptanalysis.
