Google published a 57-page technical paper today that cuts the estimated computing resources needed to break the elliptic-curve cryptography behind Bitcoin’s transaction signatures by roughly a factor of ten. Headlines immediately declared Bitcoin could be cracked in nine minutes.
Neither claim is wrong exactly. Both are missing the context that determines whether this is an emergency or a well-documented long-term engineering problem.
- Authors: Google Quantum AI, UC Berkeley, Ethereum Foundation, Stanford
- Prior best estimate (2022): 317 million physical qubits for 1-hour attack
- Google's new estimate: under 500,000 physical qubits, a 10x improvement in efficiency
- Attack window: ~9 minutes, ~41% chance of beating original transaction to confirmation
- Google's largest quantum processor (Willow): 105 physical qubits
- BTC with exposed public keys: ~6.9 million coins (~$600B+ at current prices)
- Ethereum's post-quantum plan: active roadmap, 10+ client teams, targeting 2029
- Bitcoin's post-quantum plan: none coordinated
What the paper actually found
The Google paper — authored by researchers at Google Quantum AI, UC Berkeley, the Ethereum Foundation, and Stanford — calculated two circuits for breaking the 256-bit elliptic curve discrete logarithm problem underlying Bitcoin and Ethereum’s transaction signing (ECDSA over secp256k1). The more efficient circuit requires 1,200 logical qubits and 90 million Toffoli gate operations, executable on a machine with under 500,000 physical qubits.
The prior best estimate, from a 2022 paper, required 317 million physical qubits for a one-hour attack, or 1.9 billion for a ten-minute attack. Google’s algorithmic improvements represent a genuine advance — roughly a 10x reduction in the spacetime volume of the attack.
The nine-minute figure comes from modeling an attack against a live Bitcoin transaction. When a wallet spends funds, the public key becomes visible in the transaction broadcast. Bitcoin’s confirmation window is approximately ten minutes. Google’s model estimates the attack could be prepared partially in advance and completed in roughly nine minutes once the public key is visible — giving a 41% probability of forging a competing transaction before the original confirms.
The gap between the math and a working machine
Here is where the headlines diverge from the engineering reality.
The paper’s 500,000-qubit estimate assumes a fully fault-tolerant superconducting quantum computer with physical-to-logical qubit ratios of approximately 345-417 to 1 — the kind of error correction Google has demonstrated in small-scale systems. Google’s Willow chip, their current most advanced processor, has 105 physical qubits. The machine required for this attack is approximately 5,000 times larger.
That gap is not primarily a qubit-count problem. It is a fabrication, connectivity, thermal management, and sustained error-correction problem. Producing 500,000 superconducting qubits that maintain consistent error rates across millions of gate operations simultaneously requires solving engineering challenges that have not been demonstrated at any scale. IBM’s most aggressive roadmap projects 500-1,000 logical qubits by 2029 — well short of the 1,200 needed for Google’s attack circuit, and logical qubits still require hundreds of physical qubits each.
The Taproot complication
Bitcoin’s 2021 Taproot upgrade introduced a complexity the paper specifically flags. In older Bitcoin address formats, public keys are only revealed when funds are spent. Taproot makes public keys visible in transaction outputs by default — meaning an attacker with a sufficiently capable quantum computer could target wallets before they initiate a transaction, rather than only during the narrow spend window.
Approximately 6.9 million BTC — roughly one-third of the total supply — sits in wallets where public keys have already been exposed through prior transactions or Taproot outputs. At current prices that represents several hundred billion dollars in potentially vulnerable holdings. The most concentrated risk: roughly 1.6 million BTC in legacy Pay-to-Public-Key addresses, the oldest format, where public keys have been visible since the transactions were made.
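To make the exposure distinction concrete, here is an added example (not taken from the paper or from this article's sources) that classifies standard Bitcoin output scripts by whether the public key is visible on-chain before any spend, then totals the value of a wallet's outputs by exposure. The sample UTXOs and the `key_revealed` flag (the key was already published by an earlier spend from the same script) are constructed for illustration.

```python
from typing import Optional, Tuple

def classify_script_pubkey(script_hex: str) -> Tuple[str, Optional[bool]]:
    """Return (output_type, key_exposed_at_rest); None means undetermined."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <raw pubkey> OP_CHECKSIG -- the key itself is in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return ("p2pk", True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("p2pkh", False)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return ("p2sh", False)
    # Witness v0: 20-byte key hash (P2WPKH) or 32-byte script hash (P2WSH)
    if n == 22 and s[:2] == b"\x00\x14":
        return ("p2wpkh", False)
    if n == 34 and s[:2] == b"\x00\x20":
        return ("p2wsh", False)
    # P2TR: OP_1 <32-byte x-only output key> -- a public key, not a hash
    if n == 34 and s[:2] == b"\x51\x20":
        return ("p2tr", True)
    # Anything else (bare multisig, OP_RETURN, ...) needs manual review
    return ("unknown", None)

# Constructed sample: (scriptPubKey hex, value in satoshis, key_revealed)
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),  # legacy P2PK
    ("76a914" + "22" * 20 + "88ac", 150_000_000, False),     # P2PKH, never spent from
    ("76a914" + "23" * 20 + "88ac", 40_000_000, True),       # P2PKH, address reused
    ("0014" + "33" * 20, 75_000_000, False),                 # P2WPKH
    ("5120" + "44" * 32, 20_000_000, False),                 # Taproot
]

def audit(utxos):
    """Total satoshis by exposure: key public now, still hashed, or unknown."""
    totals = {"exposed": 0, "hashed": 0, "unknown": 0}
    for script_hex, sats, key_revealed in utxos:
        _, at_rest = classify_script_pubkey(script_hex)
        if at_rest or key_revealed:
            totals["exposed"] += sats
        elif at_rest is None:
            totals["unknown"] += sats
        else:
            totals["hashed"] += sats
    return totals

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS))
```

Outputs in the "hashed" bucket stay there only until they are spent; moving funds from reused addresses to fresh ones is what keeps them out of the exposed total.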
One blockchain has a plan. The other doesn’t.
This is the genuinely newsworthy finding in the paper, and it received less coverage than the nine-minute figure.
The Ethereum Foundation has been building a post-quantum migration roadmap for eight years. More than ten client teams are running weekly post-quantum interoperability devnets. The roadmap integrates post-quantum signature schemes incrementally, targeting completion by 2029. Justin Drake of the Ethereum Foundation co-authored the Google paper — a signal of how seriously the Ethereum ecosystem is treating the timeline.
Bitcoin has no coordinated post-quantum migration plan. Bitcoin’s decentralized governance structure — no foundation, no roadmap authority, consensus required among independent developers who move deliberately — is a structural disadvantage for organizing a multi-year cryptographic transition. The necessary changes would require a hard fork: a coordinated upgrade that every node operator must adopt. Bitcoin has executed hard forks before, but never for a change of this scope, and never under a defined time pressure.
What the realistic risk looks like
The threat has two timescales. The near-term risk — over the next five years — is primarily to wallets with already-exposed public keys if quantum hardware advances faster than expected. The longer-term risk — ten to twenty years out, which is where most expert consensus sits — is a systematic attack capability that could undermine transaction security broadly.
The asymmetry that makes this worth taking seriously even with a distant timeline: migrating cryptographic infrastructure at scale takes years. If the threat is real in 2035, the migration needs to begin by 2030 at the latest to avoid a window of vulnerability. Ethereum is already running that timeline. Bitcoin is not.
Google's paper is a legitimate algorithmic advance — a 10x reduction in the estimated resources needed to break elliptic curve cryptography is not trivial. The nine-minute attack framing is accurate under the paper's assumptions. The machine that would run it doesn't exist, won't exist by 2029, and requires engineering advances that are not incremental from current hardware.
The real story is governance, not physics. Ethereum has been preparing for this for years and has a functioning roadmap. Bitcoin, which holds more value and has more exposed public keys, has no coordinated plan and a governance structure that makes coordinating one slow. That gap is the actual risk — not whether a quantum computer exists today.