Three papers in three months just rewrote the quantum threat timeline for cryptocurrency. The last one came from Google, and it is the most consequential.
On March 31, Google Quantum AI published a whitepaper demonstrating that the elliptic curve cryptography protecting Bitcoin and every major blockchain can be broken with approximately 20 times fewer quantum computing resources than anyone previously estimated. Their circuits require fewer than 1,200 logical qubits and under 500,000 physical qubits, executable in minutes. The previous best estimate, from Litinski in 2023, was roughly 9 million physical qubits.
CZ, Binance's former CEO, responded the same day: "It's always easier to encrypt than decrypt. All crypto has to do is upgrade to Quantum-Resistant Algorithms. So, no need to panic."
He is right about the math. He is wrong about the execution.
The Nine-Minute Window
Google's paper models a specific attack scenario. Once a Bitcoin public key is exposed on-chain, a sufficiently powerful quantum computer could derive the corresponding private key in approximately nine minutes. Bitcoin's average block confirmation time is ten minutes. That gives an attacker a 41% probability of stealing funds before the legitimate transaction confirms.
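The arithmetic behind that figure can be reproduced with a simple race model. This is an added example, not code from the article or from Google's paper: it assumes blocks arrive as a Poisson process with the ten-minute mean quoted above, and the function names and the extra attack times are hypothetical. It also generalizes to a transaction that is only included in the k-th next block.

```python
import math
import random

BLOCK_INTERVAL_MIN = 10.0  # average block time stated in the text

def p_attacker_wins(attack_min, blocks_until_inclusion=1):
    """P(the k-th next block arrives after the key is recovered).

    Assumption: blocks arrive as a Poisson process, so the number mined in
    attack_min minutes is Poisson(attack_min / 10) and the attacker wins when
    fewer than k have been mined by then.
    """
    lam = attack_min / BLOCK_INTERVAL_MIN
    return sum(math.exp(-lam) * lam ** i / math.factorial(i)
               for i in range(blocks_until_inclusion))

def simulate(attack_min, blocks_until_inclusion=1, trials=100_000, seed=1):
    """Monte Carlo cross-check: draw exponential block gaps and count wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        t_included = sum(rng.expovariate(1 / BLOCK_INTERVAL_MIN)
                         for _ in range(blocks_until_inclusion))
        wins += t_included > attack_min
    return wins / trials

if __name__ == "__main__":
    for minutes in (1, 9, 30, 60):  # hypothetical key-recovery times
        print(f"{minutes:>3} min: next block {p_attacker_wins(minutes):.3f}, "
              f"second block {p_attacker_wins(minutes, 2):.3f}")
    print("simulated, 9 min:", simulate(9))
```

Under this model a transaction that misses the next block and waits for the second one leaves a noticeably wider window, which is why confirmation latency matters to the exposure.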
This is not a theoretical edge case. Roughly 6.9 million BTC, about one-third of all Bitcoin in circulation, currently sits in wallets where public keys are visible on the blockchain. And here is the irony: Bitcoin's own 2021 Taproot upgrade, designed to improve transaction efficiency using Schnorr signatures, inadvertently widened the attack surface by exposing public keys by default.
A feature intended to make Bitcoin more efficient made it more vulnerable to the exact threat that just got 20 times closer.
Three Papers, Three Months, Orders of Magnitude
Google's paper is alarming on its own. In context, it is part of a pattern that should concern anyone relying on current cryptographic standards.
In May 2025, Google researcher Craig Gidney demonstrated that breaking RSA-2048 encryption was feasible with fewer than 1 million physical qubits, down from 20 million in 2019. In February 2026, Sydney-based startup Iceberg Quantum published a Pinnacle architecture using quantum low-density parity-check codes that pushed that number below 100,000. Then Google's March paper dropped the requirement for Bitcoin's elliptic curve cryptography from 9 million to under 500,000.
The trajectory over the past 14 years tells a clear story:
- 2012: ~1 billion qubits estimated to break RSA-2048
- 2019: ~20 million qubits
- 2025: Fewer than 1 million qubits
- 2026: Fewer than 100,000 qubits
Each step represents a 10 to 20x reduction, driven almost entirely by algorithmic improvements, not hardware advances. Google's current Willow processor has 105 qubits. The gap between 105 and 500,000 is real. But the gap between 500,000 and the next algorithmic breakthrough is unknowable, and the trend line says it is shrinking faster than anyone modeled.
"Just Upgrade" Is Not a Migration Plan
CZ's reassurance that crypto "just needs to upgrade" treats post-quantum migration like a software update. For centralized systems, it roughly is. Google set a 2029 deadline for migrating its own infrastructure. Android 17 already ships with quantum-resistant signatures. NIST finalized its post-quantum cryptographic standards in August 2024. The tools exist. Centralized organizations can deploy them unilaterally.
Decentralized networks cannot.
Bitcoin's upgrade process requires rough consensus across miners, node operators, wallet developers, exchanges, and individual users. This is the same implementation gap that has left DNSSEC at 35% adoption after two decades of finalized standards, except Bitcoin's decentralized governance makes the coordination problem harder, not easier. The network famously took years to implement Taproot, a relatively straightforward improvement. A quantum-resistant migration is categorically harder: it requires changing the fundamental signature scheme that secures every transaction, and it requires every holder to actively move their funds to updated addresses.
BIP-360, Bitcoin's leading post-quantum proposal, went live on testnet in March 2026 with roughly 50 miners participating. Its co-author, Ethan Heilman, estimates seven years for a full migration to quantum resilience, and calls that optimistic. Seven years from today puts Bitcoin's migration completion at 2033, four years after Google's internal migration deadline and right at NIST's deprecation cutoff for quantum-vulnerable algorithms.
CZ acknowledged this tension. He noted that debates over which algorithms to adopt could trigger blockchain forks, that inactive projects may never upgrade, and that self-custody holders face a manual migration burden. But he framed these as manageable challenges. They are structural ones. Bitcoin was designed to resist coordinated change. That is a feature for censorship resistance. It is a liability for cryptographic migration under a deadline.
The Satoshi Problem
There is one problem that no upgrade can solve.
Approximately 1.1 million BTC, worth tens of billions of dollars, sits in wallets attributed to Satoshi Nakamoto. Those wallets have exposed public keys and no known active steward. A quantum computer capable of breaking elliptic curve cryptography could claim them.
There is no mechanism to force-migrate dormant wallets. The community would face an impossible choice: fork the chain to freeze those coins preemptively (violating Bitcoin's property rights ethos) or accept a quantum-enabled theft of the network's most symbolically significant holdings.
CZ mentioned dormant wallets as a concern. He did not mention that the community has no plan for addressing them.
The Governance Gap Is the Vulnerability
Google disclosed this research responsibly. They published a zero-knowledge proof that lets external researchers verify their claims without revealing the actual attack circuits, an unprecedented approach for quantum cryptanalysis. They coordinated with Coinbase, the Ethereum Foundation, and Stanford's blockchain research institute before publication.
The contrast with Bitcoin's response is instructive. Ethereum has spent eight years preparing for this moment: a dedicated hub at pq.ethereum.org, weekly test networks, and a multi-fork roadmap with specific milestones. Ethereum researcher Justin Drake, who co-authored the Google paper, called it "a monumentous day for quantum computing and cryptography." He said it from a position of preparation.
Bitcoin has a testnet with 50 miners and a former exchange CEO saying not to panic.
The FBI, NIST, and CISA declared 2026 the "Year of Quantum Security." NSA's CNSA 2.0 standard requires quantum-safe systems by January 2027. Federal agencies face an April 2026 deadline to submit post-quantum transition plans. Every centralized institution with something to protect is moving. The network that arguably has the most to protect is moving the slowest.
What to Watch
The quantum threat to Bitcoin is not imminent. Google's Willow chip has 105 qubits; the attack requires 500,000. But three things make the current moment different from every previous "quantum is coming" warning:
- The algorithmic improvement curve is steepening, not flattening. Three papers in three months delivered order-of-magnitude reductions. The bottleneck is not hardware; it is mathematics. And mathematics does not follow Moore's Law; it follows breakthroughs.
- The harvest window is already open. Every Bitcoin transaction with an exposed public key is permanently recorded on a public ledger. Nation-states engaged in harvest-now-decrypt-later strategies are not waiting for a quantum computer to exist. They are stockpiling data that becomes retroactively vulnerable the moment one does. Ransomware groups have already pivoted from encryption to pure data exfiltration; harvest-now-decrypt-later is the same playbook with a longer fuse and a bigger prize.
- The governance mismatch is structural, not temporary. Google can set a 2029 deadline and meet it. Ethereum can roadmap four hard forks. Bitcoin's consensus mechanism, by design, makes coordinated urgent action extraordinarily difficult. The network optimized for censorship resistance is the one least equipped for a coordinated cryptographic migration.
CZ is right that stronger computing power ultimately benefits cryptography. The question is whether Bitcoin's governance can deploy that benefit before the threat arrives. Right now, the answer from Bitcoin's own developers is: seven years, if we are lucky.
The math says "just upgrade." The governance says "good luck."