#GoogleQuantumAICryptoRisk



Google Quantum AI just dropped a white paper that quietly compressed one of the most consequential timelines in crypto history, and most people have not fully processed what it means.

The core finding is this: breaking the elliptic curve cryptography that Bitcoin and Ethereum both rely on may require roughly 500,000 physical qubits on a fast superconducting system — not the millions that prior models assumed. That is a 20-fold improvement in efficiency for executing an optimized version of Shor's algorithm, the quantum method designed precisely to shatter the math underneath ECDSA signatures. A companion paper from Oratomic suggests neutral-atom quantum computers could do it with as few as 26,000 physical qubits, trading speed for scale, taking roughly 10 days per key. Both numbers are still out of reach today. The important word is "today."

The attack surface is not uniformly distributed. It is concentrated in a specific class of addresses: legacy P2PKH wallets where the public key has already been exposed on-chain through a prior spend. Approximately 30 to 35 percent of Bitcoin's entire circulating supply sits in addresses of this type. This includes Satoshi-era coins, long-dormant wallets, and addresses belonging to early miners who never rotated their keys. Google estimates roughly 1.7 million dormant BTC and 6.9 million BTC total are in potentially exposed positions. On the Ethereum side the numbers are even more striking — over $100 billion worth of ETH is flagged as at risk, with the top 1,000 wallets and at least 70 major smart contracts identified as vulnerable, including contracts that back key stablecoins.

This is the asymmetry that most discussions gloss over. A quantum-capable attacker does not need to break every wallet. They need to break the right wallets. They can front-run a transaction the moment a public key is broadcast to the mempool and derive the private key before the block confirms. Google's paper suggests this "on-spend" attack could be executed in under 10 minutes under advanced quantum scenarios. That window is shorter than the average Bitcoin block time.

Bitcoin's exposure here is structural and governance-complicated. The protocol uses ECDSA with the secp256k1 curve — exactly the category of cryptography Google flagged as requiring urgent migration. Yet Bitcoin has no coordinated post-quantum roadmap, no dedicated funding structure for this transition, and no agreed timeline. The decentralized governance model that gives Bitcoin its legitimacy also makes protocol-wide cryptographic migrations extraordinarily slow. A soft fork introducing post-quantum signatures like FALCON or SPHINCS+ would require years of developer consensus, testing, and activation. Meanwhile, dormant addresses cannot self-migrate. Forcing key rotation would require either on-chain governance mechanisms that do not exist, or effectively making old address formats unspendable — which touches questions of confiscation and governance that the community has historically been unable to resolve.

Ethereum is in a structurally better position, though not immune. The Ethereum Foundation has spent eight years building a post-quantum roadmap that touches every layer of the protocol. The team is already running weekly test networks for post-quantum signature schemes. Ethereum's ability to coordinate upgrades through hard forks gives it a concrete path forward that Bitcoin currently lacks. This governance asymmetry is real, and it will matter as the timeline shortens.

The honest probability framing: Justin Drake, an Ethereum researcher and co-author of the paper, puts the odds of a cryptographically relevant quantum computer at 10 percent by 2032. Charles Edwards of Capriole Investments puts Q-Day odds at 85 percent by 2032. The spread between those estimates tells you something important — nobody actually knows, and the uncertainty is not narrowing as fast as the qubit counts are improving. Google itself has set an internal deadline of 2029 for migrating its own authentication infrastructure to post-quantum cryptography. That is a signal worth taking seriously. When the organization building the most capable quantum computer in the world decides it needs to finish its own migration within three years, the rest of the industry should treat that as a forward-looking data point, not a distant theoretical concern.

What this is not: an imminent threat, a reason to panic-sell, or evidence that crypto is broken. Today's best quantum systems — including Google's own Willow chip — operate at somewhere between 100 and 1,000 noisy, error-prone physical qubits. The gap between current hardware and the 500,000 stable, error-corrected qubits needed remains enormous. Bitcoin's proof-of-work mechanism and SHA-256 hashing are considered quantum-resistant in the near term; Grover's algorithm could theoretically cut mining difficulty in half, but that is manageable with a doubling of key length and far less urgent than the signature problem.

What this is: a compression event for the urgency of the migration conversation. The window was never infinite. Now the models say it is meaningfully shorter than the previous generation of estimates suggested. The practical steps available to anyone holding crypto today are straightforward — rotate to Taproot or Bech32 addresses, stop reusing addresses, and avoid leaving exposed public keys sitting dormant in legacy formats. These are low-friction actions that buy time regardless of how the governance debates resolve.
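
As an added illustration of the address-reuse point above (not code from this post or from Google's paper), the sketch below replays a wallet's transaction history and reports which addresses have already revealed their public key through a spend yet still hold funds. The transaction records and `addr_*` names are constructed placeholders, and it assumes hashed-key address types where the key first appears on-chain when an output is spent.

```python
from collections import defaultdict

# Constructed sample history for one wallet, oldest first. "inputs" lists the
# wallet outputs a transaction spends as (txid, index); "outputs" lists the
# wallet outputs it creates as (address, satoshis). All values are placeholders.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [], "outputs": [("addr_A", 50_000), ("addr_B", 20_000)]},
    # Spends from addr_A and sends the change back to addr_A (address reuse).
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("addr_C", 30_000), ("addr_A", 19_000)]},
    # A later deposit to the already-used addr_A.
    {"txid": "t3", "inputs": [], "outputs": [("addr_A", 5_000)]},
    # Spends addr_B completely and moves the funds to a fresh address.
    {"txid": "t4", "inputs": [("t1", 1)], "outputs": [("addr_D", 19_500)]},
]


def audit_exposure(txs):
    """Return (at_risk, unexposed): balances per address, split by whether
    the address has ever been spent from (public key revealed on-chain)."""
    utxos = {}       # (txid, index) -> (address, amount), unspent outputs only
    exposed = set()  # addresses that appeared as the source of a spend
    for tx in txs:
        for outpoint in tx["inputs"]:
            spent = utxos.pop(outpoint, None)
            if spent is None:
                continue  # input not tracked in this wallet's history
            exposed.add(spent[0])
        for index, (address, amount) in enumerate(tx["outputs"]):
            utxos[(tx["txid"], index)] = (address, amount)

    at_risk, unexposed = defaultdict(int), defaultdict(int)
    for address, amount in utxos.values():
        bucket = at_risk if address in exposed else unexposed
        bucket[address] += amount
    return dict(at_risk), dict(unexposed)


if __name__ == "__main__":
    at_risk, unexposed = audit_exposure(SAMPLE_TXS)
    for address, sats in sorted(at_risk.items()):
        print(f"move funds: {address} holds {sats} sat behind an exposed key")
    for address, sats in sorted(unexposed.items()):
        print(f"ok: {address} holds {sats} sat, key not yet revealed")
```

Addresses that were spent from and then emptied, like `addr_B` here, drop out of both lists because nothing remains there to protect.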

The deeper question is whether Bitcoin's community can achieve the kind of coordinated cryptographic migration that its threat model now demands, within the timeframe that Google's own behavior implies. The technical solution exists. The governance solution does not yet.