Abstract
On March 30, 2026, two landmark papers — one from Google Quantum AI and one from Oratomic/Caltech — dramatically lowered the estimated resources needed to break Bitcoin’s 256-bit elliptic curve cryptography. Google showed that a fast superconducting machine with fewer than 500,000 physical qubits could crack a key in roughly nine minutes, enabling real-time “on-spend” attacks. Oratomic demonstrated that a much smaller neutral-atom system (~26,000 qubits) could achieve the same break in about ten days, making “at-rest” attacks on already-exposed keys far more feasible.
These breakthroughs have moved the quantum threat from a distant theoretical concern to a near-term engineering challenge. Bitcoin’s design leaves it uniquely exposed: a large pool of dormant coins (roughly 1.7–2.3 million BTC) has public keys permanently visible on-chain, and there is no built-in recourse once funds are stolen.
This article provides a clear, balanced examination of the new science, the specific attack vectors (at-rest, on-spend, and on-setup), Bitcoin’s current mitigations (BIP-360 and SHRINCS), Ethereum’s broader risk profile and faster roadmap, and the realistic timelines and policy challenges ahead. It also explores skeptical perspectives, such as Tim Palmer’s Rational Quantum Mechanics hypothesis, and practical recommendations for users, developers, and policymakers.
The central message is optimistic yet urgent: the technical tools to protect Bitcoin already exist or are well under development. With timely, prudent action, the network can successfully migrate to post-quantum cryptography before any cryptographically relevant quantum computer appears. The window of opportunity is open — but it might not stay open forever.
Table of Contents
I. Introduction
1.1 The Wake-Up Calls of March 30, 2026: Simultaneous Release of Google and Oratomic Papers
1.2 Why Bitcoin Is Uniquely Exposed Compared to Traditional Finance
1.3 Purpose, Scope, and Structure of This Article
II. Quantum Computing Fundamentals and the Cryptographic Threat
2.1 Shor’s Algorithm and the Elliptic Curve Discrete Logarithm Problem (ECDLP)
2.2 Logical Qubits vs. Physical Qubits: The Critical Role of Error-Correction Overhead
2.3 Fast-Clock (Superconducting) vs. Slow-Clock (Neutral-Atom) Quantum Architectures
III. Evolution of Resource Estimates for Breaking ECC-256
3.1 The 2022 Baseline: Webber et al. and the 13 Million Physical Qubit Estimate
3.2 Earlier Benchmarks (Gidney & Ekerå 2021 and Other Pre-2026 Estimates)
3.3 Why Resource Requirements Have Fallen Dramatically in Just Four Years
IV. The March 2026 Breakthrough Papers
4.1 Google Quantum AI Whitepaper: <500,000 Physical Qubits on Fast-Clock Superconducting Hardware
4.1.1 Key Claims and Attack Timelines (9 Minutes per Key)
4.1.2 Implications for On-Spend and At-Rest Attacks
4.2 Oratomic/Caltech Paper: ~26,000 Physical Qubits on Slow-Clock Neutral-Atom Hardware
4.2.1 Key Claims and Attack Timelines (10 Days per Key)
4.2.2 Current Hardware Milestone: 6,100-Atom Trapping Array (September 2025)
4.3 Direct Comparison: Google (Fast-Clock, 500k Qubits) vs. Oratomic (Slow-Clock, 26k Qubits)
V. Current State of Quantum Hardware Development
5.1 Superconducting Fast-Clock Platforms (Google, IBM, Fujitsu/RIKEN)
5.1.1 Demonstrated Qubit Counts (~105–256 Physical Qubits as of March 2026)
5.2 Neutral-Atom Slow-Clock Platforms (Oratomic/Caltech)
5.2.1 The Gap Between Trapping Arrays and a Full Quantum Processor
5.3 No Firm Timelines Yet: What Both Teams Have (and Have Not) Stated Publicly
VI. Skeptical Perspectives and Alternative Theories
VII. Quantum Attack Types on Bitcoin
7.1 At-Rest Attacks: Targeting Exposed or Reused Public Keys
7.2 On-Spend Attacks: Real-Time Theft from the Public Mempool
7.3 On-Setup Attacks: Why Bitcoin Is Immune
VIII. Specific Impacts on Bitcoin and the Broader Crypto Ecosystem
8.1 Vulnerable Bitcoin Script Types and Dormant Assets (~2.3 Million BTC at Risk)
8.2 Address Reuse vs. Fresh Addresses: Current Real-World Protections
8.3 On-Spend Risks to Active Transactions
8.4 Second-Order Effects on Mining, Consensus, and Ecosystem Confidence
IX. Bitcoin’s Current and Proposed Mitigations
9.1 Intermediate Fixes: BIP-360 (Pay-to-Merkle-Root / P2MR)
9.1.1 What It Solves (At-Rest Protection for New Addresses)
9.1.2 What It Does Not Solve (On-Spend and Legacy Coins)
9.2 Full Post-Quantum Solution: Blockstream Research’s December 2025 Paper and SHRINCS Hash-Based Signatures
9.2.1 Progress on Liquid Sidechain (March 2026 Live Testing)
9.2.2 Why This Would Eliminate Both At-Rest and On-Spend Attacks
9.2.3 Limitations for Legacy and Dormant Coins
9.2.4 Possible Solutions for Old Dormant Coins
9.3 Alternative Short-Term Solutions Without Soft Forks
9.4 Limitations and Next Steps for Bitcoin Core Mainnet Adoption
X. Ethereum’s Quantum Risk Profile and Transition Plans
10.1 Why Ethereum Faces a Broader Quantum Attack Surface Than Bitcoin
10.1.1 Account Model and Persistent Public-Key Exposure
10.1.2 Smart Contracts, Admin Keys, Bridges, Oracles, and Real-World Assets
10.1.3 Proof-of-Stake Validators (BLS Signatures) and Data Availability Sampling (KZG)
10.1.4 Layer-2s, Stablecoins, and Tokenization — Expanded Systemic Risk
10.2 Ethereum’s Post-Quantum Transition Roadmap
10.2.1 Formation of the Post-Quantum Security Team and pq.ethereum.org Hub
10.2.2 Key Technical Upgrades
10.2.3 Target Timeline
XI. Timeline, Outlook, and Broader Implications
11.1 Realistic Near-Term Scenarios for Reaching Cryptographically Relevant Qubit Counts
11.2 Policy, Community, and Technical Challenges Ahead
11.3 Recommendations for Bitcoin Users, Developers, and Policymakers
XII. Conclusion
12.1 The Shift from “Distant Theoretical Threat” to “Near-Term Engineering Challenge”
12.2 The Urgency of Migration to Post-Quantum Cryptography for Bitcoin and Ethereum
I. Introduction
1.1 The Wake-Up Calls of March 30, 2026: Simultaneous Release of Google and Oratomic Papers
On March 30, 2026, two major scientific papers were published on the same day, each delivering a significant and complementary message to the cryptocurrency community. Together, they represent some of the most important updates in quantum computing resource estimates in recent years and have been widely described as a “wake-up call” for Bitcoin and the broader crypto ecosystem.
The first paper, from Google Quantum AI, is titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations” [1]. It shows that an optimized version of Shor’s algorithm for breaking 256-bit elliptic curve cryptography (ECC-256) — the exact standard used by Bitcoin and Ethereum — can now be executed on a superconducting quantum computer with fewer than 500,000 physical qubits. Under realistic assumptions, the attack could complete in roughly nine minutes per key. Because Bitcoin’s average block time is about ten minutes, this speed is fast enough to enable real-time “on-spend” attacks, where an attacker steals coins while a transaction is still sitting in the public mempool.
The second paper, from the newly launched startup Oratomic and researchers at Caltech, is titled “Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits” [2]. It demonstrates that the same ECC-256 break could be achieved with a much smaller machine — around 26,000 physical qubits — using neutral-atom hardware. However, because neutral-atom systems operate on a slower “clock,” the attack would take approximately ten days. This makes the machine highly effective for “at-rest” attacks on already-exposed public keys, but too slow for on-spend attacks.
What makes these two papers especially notable is that they were released on the exact same day, and both represent dramatic reductions compared to earlier estimates. Just four years earlier, in 2022, Webber et al. had calculated that breaking ECC-256 in one day would require roughly 13 million physical qubits using conventional surface-code error correction [4]. The new estimates therefore mark a roughly 26-fold improvement in the case of Google’s fast-clock approach and an even larger leap in compactness for Oratomic’s slow-clock design.
These simultaneous publications have prompted renewed scrutiny of Bitcoin’s quantum vulnerability. Unlike traditional financial systems, which have multiple layers of safeguards, recourse, and insurance, Bitcoin offers no built-in recovery mechanism once a private key is compromised. The Google paper highlights the risk of fast, real-time theft from active transactions, while the Oratomic paper shows that even smaller, slower machines could eventually target the large pool of dormant and long-exposed coins (including over 1.7 million BTC locked in old P2PK scripts).
March 30, 2026, marked a turning point. The hardware requirements for breaking Bitcoin’s cryptography have fallen sharply, and two different technological paths — one fast but larger, one slower but far more compact — now appear feasible within the coming decade. This article examines these breakthroughs in detail, their specific implications for Bitcoin, the current mitigation efforts underway, and the broader outlook for the cryptocurrency ecosystem.
1.2 Why Bitcoin Is Uniquely Exposed Compared to Traditional Finance
Bitcoin’s design makes it particularly vulnerable to quantum attacks in ways that traditional financial systems are not. At its core, Bitcoin relies almost entirely on 256-bit elliptic curve cryptography (ECC-256) to secure ownership of funds. This cryptography is efficient and has worked well for over a decade, but in principle it can be broken by a sufficiently powerful quantum computer running Shor’s algorithm [1].
In traditional finance, even if an attacker somehow obtained the equivalent of a private key (for example, through a data breach or forgery), the victim usually has multiple layers of protection. Banks can reverse fraudulent transactions, credit card companies offer chargebacks, insurance policies cover losses, and legal systems provide recourse. Centralized institutions can freeze accounts, investigate theft, and often recover at least some of the stolen funds. Bitcoin offers none of these safeguards. Once a valid digital signature is broadcast and confirmed on the blockchain, the transaction is irreversible. There is no central authority to step in, no insurance fund, and no practical way to claw back stolen coins.
The public and immutable nature of the Bitcoin blockchain adds another layer of exposure. Every transaction is permanently recorded and visible to anyone. Many early Bitcoin outputs, including a large portion of the roughly 1.7 million BTC locked in old Pay-to-Public-Key (P2PK) scripts from the Satoshi era, have had their public keys fully exposed on-chain since the moment they were mined. Even modern addresses become vulnerable the moment they are spent from or reused, because spending reveals the public key. In a world with cryptographically relevant quantum computers, these exposed keys become easy targets for at-rest attacks [1].
Furthermore, Bitcoin contains a significant amount of “dormant” or effectively lost coins — estimates suggest up to 2.3 million BTC may be vulnerable due to old scripts or long-unused addresses whose owners may no longer control the keys [1]. These coins cannot be automatically upgraded or protected through software updates. Traditional financial assets, by contrast, are usually held in custodial accounts or managed by institutions that can update security protocols centrally. Bitcoin’s decentralized and immutable design, while one of its greatest strengths, also means that legacy vulnerabilities are extremely difficult to fix without broad community consensus — and in some cases, potentially controversial hard forks.
In short, Bitcoin combines three dangerous characteristics: (1) heavy reliance on quantum-vulnerable cryptography, (2) complete irreversibility of transactions, and (3) a large volume of permanently exposed or dormant funds. This combination makes it uniquely exposed compared to traditional finance, where centralized control and institutional safeguards provide multiple lines of defense. The Google Quantum AI paper explicitly highlights this difference, noting that “blockchains tend to offer no recourse against fraudulent transactions enabling unrecoverable theft with a forgery of a single digital signature” [1].
This unique exposure is why the recent reductions in required quantum resources have generated such urgent discussion in the Bitcoin community.
1.3 Purpose, Scope, and Structure of This Article
The purpose of this article is to provide a clear, balanced, and comprehensive examination of the latest advances in quantum computing and their potential impact on Bitcoin. On March 30, 2026, two major papers were released on the same day — one from Google Quantum AI and one from Oratomic and Caltech researchers. These developments have moved the quantum threat from a distant theoretical possibility to a near-term engineering challenge that the Bitcoin community must take seriously.
This article aims to translate these highly technical papers into plain, understandable language. It explains exactly what the new resource estimates mean, how quantum computers could attack Bitcoin (both at-rest and on-spend), why Bitcoin is uniquely exposed compared to traditional finance, and what practical steps are already being taken to protect the network. It also addresses skeptical viewpoints — such as Tim Palmer’s recent Rational Quantum Mechanics theory — so readers get a fair picture of both the risks and the uncertainties. The goal is not to create panic, but to give Bitcoin users, developers, and policymakers the facts they need to make informed decisions.
The scope of this article is focused primarily on Bitcoin, while also including a dedicated comparison with Ethereum to highlight important differences in quantum risk profiles. It covers the fundamental principles of quantum threats, the historical evolution of resource estimates (including the 2022 Webber et al. paper that estimated 13 million physical qubits), the two breakthrough papers of March 30, 2026, current hardware status, different types of quantum attacks, Bitcoin’s specific vulnerabilities (including dormant assets and Satoshi-era coins), ongoing mitigation efforts such as BIP-360 and Blockstream’s SHRINCS signatures, and broader timelines and policy implications. It does not go deeply into other cryptocurrencies or non-crypto applications of quantum computing, and it avoids making firm predictions about exact arrival dates of cryptographically relevant quantum computers, since those remain uncertain and depend on future engineering progress.
The article is structured as follows. Sections II and III provide essential background on quantum computing fundamentals and the historical evolution of resource estimates. Section IV analyzes the two landmark March 2026 papers in detail. Section V reviews the current state of quantum hardware. Section VI explores skeptical perspectives, including Tim Palmer’s Rational Quantum Mechanics framework. Sections VII through IX examine quantum attack types, Bitcoin’s specific vulnerabilities, and its mitigation strategies. Section X compares Ethereum’s broader risk profile and its post-quantum transition plans. The final sections discuss realistic timelines, broader implications, and conclusions.
By the end, readers should have a solid, up-to-date understanding of where quantum computing stands today, how it could realistically affect Bitcoin, and what the Bitcoin community is already doing — and still needs to do — to prepare.
II. Quantum Computing Fundamentals and the Cryptographic Threat
2.1 Shor’s Algorithm and the Elliptic Curve Discrete Logarithm Problem (ECDLP)
At the heart of the quantum threat to Bitcoin lies a powerful mathematical algorithm discovered in 1994 by Peter Shor, then at Bell Laboratories. Shor’s algorithm is designed to solve two classically hard problems very efficiently on a quantum computer: integer factorization (the basis of RSA encryption) and the discrete logarithm problem. In the context of Bitcoin and Ethereum, the relevant version is the elliptic curve discrete logarithm problem, commonly abbreviated as ECDLP [3].
To understand the Elliptic Curve Discrete Logarithm Problem, imagine a mathematical game. You are given two points on an elliptic curve: a starting point G (a fixed public parameter) and another point Q. The challenge is to find the secret number k such that Q=kG, where kG denotes scalar multiplication (repeated elliptic curve addition). On a classical computer, this problem is computationally infeasible when k is large. This hardness underpins the security of 256-bit elliptic curve cryptography, including the secp256k1 curve used by Bitcoin for digital signatures and ownership of coins.
In Bitcoin, when you create a wallet, you generate a private key (a secret random number) and a corresponding public key. The public key is what appears in addresses or is revealed when you spend coins. The entire security model rests on the assumption that no one can efficiently calculate your private key from your public key. This assumption is what ECDLP protects.
Shor’s algorithm changes everything. It can solve the ECDLP in polynomial time — meaning the time required grows relatively slowly as the key size increases — whereas the best known classical algorithms require exponential time. In practical terms, a sufficiently powerful quantum computer running Shor’s algorithm could take a publicly visible Bitcoin public key and compute the corresponding private key in a matter of minutes or days, depending on the hardware [1].
This is not a theoretical curiosity. Bitcoin’s most common cryptographic operations (ECDSA and Schnorr signatures) are built directly on the secp256k1 elliptic curve. If Shor’s algorithm can be run at scale, any public key that has ever been revealed on the blockchain becomes vulnerable. This includes coins locked in old Pay-to-Public-Key (P2PK) scripts (where the public key is visible from the moment the coins were mined) and any address that has been spent from or reused [1].
The implications are profound. In traditional public-key cryptography, the security of billions of dollars in assets rests on the ECDLP being hard. Shor’s algorithm shows that quantum computers can, in principle, break this hardness assumption. The only question is when — or whether — hardware will become powerful enough to run the algorithm at the scale required for real-world attacks on Bitcoin.
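The relationship Q = kG described above, as an added worked example that is not part of the original article or of the cited papers. The code implements the elliptic-curve group law and double-and-add scalar multiplication for the standard secp256k1 parameters (p, G, n) used by Bitcoin, derives a compressed public key from a private key the way a wallet does, and then solves the ECDLP by exhaustive search on a constructed toy curve over GF(17) that uses the same equation y² = x³ + 7. The toy curve, its base point (1, 5) and the search limit are assumptions chosen for illustration; the same brute force on secp256k1 would face a search space of about 2²⁵⁶, which is exactly the hardness that Shor’s algorithm removes.

```python
# Added example (not from the article or the cited papers): the elliptic-curve
# scalar multiplication Q = k*G behind Bitcoin keys, plus a brute-force ECDLP
# search on a toy curve small enough to enumerate by hand.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over the prime field GF(p)."""
    p: int
    a: int
    b: int

    def is_on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Group law: addition of two points (covers doubling and inverses)."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) is the point at infinity
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)               # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication: returns k*P in O(log k) group ops."""
        R: Point = None
        addend = P
        while k > 0:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R


# secp256k1 domain parameters as used by Bitcoin (standard public constants).
SECP256K1 = Curve(
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
    a=0,
    b=7,
)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G


def public_key(private_key: int) -> bytes:
    """Derive the 33-byte compressed public key Q = k*G, as a Bitcoin wallet does."""
    if not 1 <= private_key < N:
        raise ValueError("private key out of range")
    x, y = SECP256K1.mul(private_key, G)
    return bytes([0x02 + (y & 1)]) + x.to_bytes(32, "big")


# Constructed toy curve with the same equation over GF(17): 18 points in total, and the
# base point (1, 5) generates a subgroup of order 9 (assumption for illustration only).
TOY = Curve(p=17, a=0, b=7)
TOY_G = (1, 5)


def ecdlp_bruteforce(curve: Curve, base: Point, target: Point, limit: int = 1_000_000) -> int:
    """Classical exhaustive search for the smallest k >= 1 with k*base == target.

    Cost is linear in the subgroup order; feasible only because the toy group is tiny.
    """
    R: Point = base
    for k in range(1, limit + 1):
        if R == target:
            return k
        R = curve.add(R, base)
    raise ValueError("not found within limit")


if __name__ == "__main__":
    print("compressed pubkey for k=1:", public_key(1).hex())
    q = TOY.mul(7, TOY_G)
    print("toy Q =", q, "-> recovered k =", ecdlp_bruteforce(TOY, TOY_G, q))
```

The same `mul` routine serves both curves, which is the point: deriving a public key from a private key is cheap on any field size, while going the other way is cheap only when the group is small enough to enumerate. Note that the code uses Python’s modular inverse (`pow(x, -1, p)`, Python 3.8+) and is written for clarity rather than constant-time safety.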
This subsection has explained the core mathematical threat. The next sections will explore how many qubits are actually needed to make Shor’s algorithm practical, how different quantum hardware architectures affect attack feasibility, and what this means specifically for Bitcoin’s design.
2.2 Logical Qubits vs. Physical Qubits: The Critical Role of Error-Correction Overhead
One of the most important — and often misunderstood — concepts in quantum computing is the difference between logical qubits and physical qubits.
A logical qubit is the ideal, error-free unit that algorithms like Shor’s actually need to run reliably. It behaves exactly as quantum mechanics textbooks describe: it can exist in a superposition of states, maintain coherence for long periods, and perform precise operations without mistakes.
A physical qubit is the real hardware device we can build today — such as a superconducting circuit or a trapped neutral atom. These qubits are extremely fragile and lose their quantum state (a process known as quantum decoherence) due to tiny disturbances like heat, electromagnetic noise, and material imperfections. Even rare high-energy particles from background radiation — including cosmic rays or radioactive decay — can disrupt qubits by depositing energy in the device.
To turn thousands of noisy physical qubits into a smaller number of reliable logical qubits, quantum computers must use quantum error correction. The most widely studied method today is the surface code. In simple terms, the surface code works by spreading the information of one logical qubit across many physical qubits and continuously performing “syndrome measurements” to detect errors. Corrections are often tracked in software rather than applied physically immediately, allowing the system to compensate for errors during computation.
This error-correction process creates enormous overhead. For every single logical qubit, hundreds or even thousands of physical qubits may be required, depending on the hardware error rate, connectivity, and type of error-correcting code. In older estimates that relied on standard surface codes with relatively high error rates, this overhead was so large that breaking ECC-256 was projected to require millions of physical qubits.
The Google Quantum AI whitepaper of March 30, 2026 explicitly accounts for this overhead in its calculations. Their optimized Shor’s algorithm requires roughly 1,200–1,450 logical qubits. When they apply realistic superconducting hardware assumptions (10⁻³ physical error rates and planar connectivity) and layer on full surface-code error correction, the total machine size comes out to fewer than 500,000 physical qubits under those assumptions [1].
The Oratomic/Caltech paper takes a different route to reduce overhead. By using newer high-rate quantum LDPC codes (which can achieve encoding rates around 30%, compared with the surface code’s typical ~4%), they are able to protect many more logical qubits with fewer physical qubits. This is why their analysis reaches cryptographically relevant scales with only ~26,000 physical qubits — even though their system would run more slowly [2].
In essence, error-correction overhead is the single biggest reason why quantum computers have historically seemed far from breaking Bitcoin. Every time researchers improve algorithms, circuits, or error-correcting codes, they reduce the number of logical qubits needed — and that, in turn, dramatically lowers the total number of physical qubits required. The two March 2026 papers illustrate how such improvements can change resource estimates.
This distinction between logical and physical qubits also explains why the two papers reach very different numbers: Google optimizes for fast superconducting hardware (which currently has higher overhead per logical qubit), while Oratomic optimizes for neutral-atom hardware that can take better advantage of high-rate codes. Both approaches still require full error correction to run Shor’s algorithm reliably; without it, even millions of physical qubits would likely be too noisy to complete the computation.
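To make the overhead discussed in this subsection concrete, here is an added back-of-the-envelope model; it is not the calculation from either paper. It uses the textbook surface-code scaling in which the logical error rate per cycle is roughly 0.1·(p/p_th)^((d+1)/2) for code distance d, and about 2d² physical qubits per logical qubit; the threshold p_th = 10⁻², the run-failure budget of 50%, the 1,300-logical-qubit midpoint, and the 1 µs cycle time are assumptions. It then contrasts that with the encoding rates quoted above (about 4% for the surface code, about 30% for high-rate qLDPC codes), treated as a simple logical/physical ratio.

```python
# Added example (not from the article or the cited papers): a coarse model of how
# error-correction overhead turns logical qubits into physical qubits.
# Assumptions: surface-code heuristic p_L ~ 0.1 * (p / p_th)^((d+1)/2), threshold
# p_th = 1e-2, 2*d^2 physical qubits per logical qubit, 50% run-failure budget.
import math


def surface_code_distance(p_phys: float, p_logical_target: float, p_th: float = 1e-2) -> int:
    """Smallest odd code distance d whose per-cycle logical error rate meets the target."""
    if p_phys >= p_th:
        raise ValueError("physical error rate must be below threshold")
    log_ratio = math.log10(p_phys / p_th)  # negative when below threshold
    d = 3
    # compare in log space to avoid underflow for very small targets
    while -1.0 + (d + 1) / 2 * log_ratio > math.log10(p_logical_target) + 1e-9:
        d += 2
    return d


def per_cycle_target(n_logical: int, n_cycles: int, budget: float = 0.5) -> float:
    """Logical error rate per qubit per cycle so the whole run fails with prob <= budget."""
    return budget / (n_logical * n_cycles)


def physical_qubits_surface(n_logical: int, d: int) -> int:
    """Surface code: roughly 2*d^2 physical qubits (data + measure) per logical qubit."""
    return n_logical * 2 * d * d


def physical_qubits_at_rate(n_logical: int, rate_percent: int) -> int:
    """Physical qubits implied by an encoding rate expressed in percent (rounded up)."""
    return -(-n_logical * 100 // rate_percent)


def overhead(n_logical: int = 1300, p_phys: float = 1e-3,
             cycle_us: float = 1.0, runtime_s: float = 9 * 60) -> dict:
    """Overhead for running n_logical logical qubits for runtime_s at a given cycle time."""
    n_cycles = round(runtime_s / (cycle_us * 1e-6))
    target = per_cycle_target(n_logical, n_cycles)
    d = surface_code_distance(p_phys, target)
    return {
        "cycles": n_cycles,
        "distance": d,
        "per_logical": 2 * d * d,
        "surface_total": physical_qubits_surface(n_logical, d),
        "rate_4pct": physical_qubits_at_rate(n_logical, 4),
        "rate_30pct": physical_qubits_at_rate(n_logical, 30),
    }


if __name__ == "__main__":
    # Same logical budget and runtime, two physical error rates: the distance and
    # hence the per-logical overhead drop sharply as hardware improves.
    for p in (1e-3, 1e-4):
        print(p, overhead(p_phys=p))
```

With the assumed inputs the model lands at distance 23 for a 10⁻³ error rate (about a thousand physical qubits per logical qubit) but distance 11 for 10⁻⁴ (a few hundred), which is the sensitivity to hardware error rates that the text describes. Its totals are higher than the papers’ figures because it ignores the algorithmic and code-level optimizations they rely on, and the simple rate-based numbers ignore the extra qubits real machines spend on routing and magic-state factories; the model is for intuition about what drives the overhead, not for reproducing any published count.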
The next section explores how the speed of these different hardware platforms (fast-clock versus slow-clock) further shapes which types of attacks on Bitcoin become practical.
2.3 Fast-Clock (Superconducting) vs. Slow-Clock (Neutral-Atom) Quantum Architectures
Not all quantum computers behave the same way. One of the most important practical differences between current quantum hardware platforms is their operating speed — often referred to informally as “clock speed.” This is not about how fast the computer’s processor runs in the traditional sense, but rather how quickly it can perform quantum gates (the basic operations) and complete error-correction cycles.
Fast-clock architectures include superconducting qubits (the main focus of Google Quantum AI and IBM). These platforms have very short gate times (typically tens of nanoseconds) and error-correction cycles in the range of 1 to 10 microseconds. Because operations happen so quickly, a fast-clock machine can execute millions of gates per second in principle. This speed is a major advantage when the goal is to solve a problem before a time limit expires — for example, breaking a Bitcoin transaction key while it is still sitting in the public mempool.
Slow-clock architectures, such as neutral-atom systems (the focus of Oratomic and Caltech) and ion-trap devices, operate much more slowly. Their gate and measurement times are usually in the range of hundreds of microseconds to several milliseconds per cycle. While slower, these platforms offer other strengths: individual qubits tend to remain coherent (stable) for longer periods, and the neutral atoms can be rearranged to optimize qubit connectivity during computation. This reconfigurability allows them to use more advanced, high-rate error-correcting codes that pack more logical qubits into fewer physical qubits.
The March 30, 2026 papers illustrate this difference perfectly. Google’s whitepaper focuses on fast-clock superconducting hardware and concludes that fewer than 500,000 physical qubits would be enough to break an ECC-256 key in roughly nine minutes [1]. This speed is fast enough to enable real-time “on-spend” attacks on Bitcoin, where an attacker derives the private key from a public key revealed in the mempool and broadcasts a competing transaction before the original one is confirmed.
In contrast, the Oratomic/Caltech paper uses a slow-clock neutral-atom architecture. It shows that the same ECC-256 break could be achieved with only about 26,000 physical qubits, but the attack would take approximately ten days [2]. This makes the machine highly effective for “at-rest” attacks on already-exposed public keys (such as reused addresses or old P2PK coins), but far too slow to steal coins while they are still in transit in the mempool.
This architectural split has direct consequences for Bitcoin’s security timeline. Fast-clock machines (superconducting) lower the bar for immediate, real-time theft once they reach the required scale. Slow-clock machines (neutral-atom) could reach cryptographically relevant capability with far fewer qubits, but their slower speed limits them to stealing coins that have been sitting exposed for a long time. Both paths are now considered realistic by leading research teams, which is why the simultaneous publication of these two papers on March 30, 2026, has been viewed as a significant milestone.
The choice of hardware platform is not just a technical detail — it determines both how small a quantum computer needs to be and how quickly it can attack Bitcoin. Fast-clock systems make on-spend attacks possible; slow-clock systems make smaller, more compact at-rest attacks possible. Understanding this distinction is essential for evaluating the true urgency of quantum threats to the Bitcoin network.
III. Evolution of Resource Estimates for Breaking ECC-256
3.1 The 2022 Baseline: Webber et al. and the 13 Million Physical Qubit Estimate
For several years, the most widely cited benchmark for the quantum threat to Bitcoin came from a 2022 paper by Michael Webber and colleagues, titled “The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime” [4]. This study focused specifically on breaking 256-bit elliptic curve cryptography (ECC-256) — the exact system used by Bitcoin and Ethereum — rather than the larger RSA-2048 problem that had dominated earlier discussions.
Using realistic assumptions about superconducting hardware and the standard surface-code error correction, Webber et al. calculated that a quantum computer would need approximately 13 million physical qubits to solve an ECC-256 discrete logarithm (i.e., derive a private key from a public key) in about one day. If the machine were made faster or the attack time relaxed, the number changed, but the one-day figure became the headline number quoted across the crypto and quantum communities. For context, their model assumed a physical gate error rate of 10⁻³ (0.1%), a 1 microsecond error-correction cycle time, and 10 microsecond reaction times — all considered plausible but optimistic targets for near-future superconducting systems at the time.
This 13-million-qubit estimate had a major psychological impact. It reinforced the widespread view that quantum computers capable of breaking Bitcoin were still many decades away. Most Bitcoin developers and users interpreted the number as evidence that there was no urgent need to rush post-quantum upgrades. After all, building and maintaining a stable machine with 13 million physical qubits — while keeping error rates low enough for the surface code to work — seemed like an enormous engineering challenge that would take far longer than the lifespan of current cryptographic standards.
The Webber paper also highlighted the critical role of hardware specifications. Small improvements in error rates or cycle times could dramatically change the qubit count required. However, even under the most optimistic assumptions they considered, the resource requirements remained in the millions of physical qubits. This became the de facto baseline against which later progress would be measured. When people discussed “quantum threats to Bitcoin” between 2022 and early 2026, the 13-million-qubit figure was almost always the reference point.
It’s important to note that this estimate was not for a hypothetical future technology; it was based on scaling the surface code — the best-understood and most practical error-correcting code available at the time. The paper did not claim that 13 million qubits would be easy to build, only that this was the approximate scale required if one wanted to run Shor’s algorithm on ECC-256 within a reasonable timeframe.
In hindsight, the 2022 Webber estimate served as an important reality check. It showed that even with significant algorithmic optimizations already applied, the combination of Shor’s algorithm and surface-code overhead still demanded an extraordinarily large machine. This is why the March 30, 2026 papers from Google Quantum AI and Oratomic/Caltech were received with such surprise: both teams reported reductions that brought the required physical qubit count down by more than an order of magnitude — from 13 million to under 500,000 (Google) and around 26,000 (Oratomic).
The dramatic drop between the 2022 baseline and the 2026 results is the direct result of advances in quantum algorithms, circuit optimization, and more efficient error-correcting codes. These improvements form the core of the next section.
3.2 Earlier Benchmarks (Gidney & Ekerå 2021 and Other Pre-2026 Estimates)
Before 2022, the most influential and widely discussed quantum resource estimate came from a 2021 paper by Craig Gidney and Martin Ekerå, titled “How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits” [5]. This work quickly became the benchmark that many people — including Bitcoin developers, analysts, and journalists — referred to when discussing quantum threats to cryptography.
Gidney and Ekerå focused on RSA-2048, the larger and more computationally intensive public-key system used in many internet protocols at the time. Using realistic assumptions about superconducting hardware and surface-code error correction, they calculated that a quantum computer would need approximately 20 million physical qubits to factor a 2048-bit RSA key in about eight hours. The paper was groundbreaking because it showed, for the first time, that the resource requirements were not in the billions of qubits (as some earlier pessimistic estimates had suggested), but “only” in the tens of millions. This made large-scale quantum cryptanalysis feel somewhat more plausible within the lifetime of current cryptographic standards.
Although the Gidney & Ekerå paper was about RSA rather than Bitcoin’s elliptic curve cryptography, it was frequently cited in Bitcoin discussions. Many people assumed that if 20 million qubits were needed for RSA-2048, then breaking ECC-256 (which offers similar classical security but with smaller keys) would require a comparable or only slightly smaller machine. This created a general impression in the crypto community that quantum computers capable of threatening Bitcoin were still decades away — perhaps not arriving until 2040 or later.
Other pre-2026 estimates followed a similar pattern. Various research groups between 2017 and 2025 produced resource estimates for Shor’s algorithm on both RSA and ECC that typically ranged from several million to tens of millions of physical qubits when using the standard surface code. These numbers were driven by the high overhead of error correction: to create enough reliable logical qubits and run the millions of Toffoli gates required by Shor’s algorithm, researchers had to assume very large numbers of noisy physical qubits.
The consistent message from these earlier benchmarks was clear: quantum computers powerful enough to break ECC-256 would be extraordinarily large and complex machines. Building and operating a stable system with millions of physical qubits while maintaining the extremely low logical error rates needed for deep circuits seemed like a distant engineering goal. As a result, most Bitcoin developers treated quantum risk as a long-term theoretical issue rather than an immediate priority.
These pre-2026 figures — especially the 20-million-qubit RSA estimate from Gidney & Ekerå and the 13-million-qubit ECC-256 estimate from Webber et al. in 2022 — set the baseline against which the March 2026 papers would later be judged. The dramatic reductions reported by Google Quantum AI (<500,000 qubits) and Oratomic/Caltech (~26,000 qubits) represented a major leap forward in algorithmic efficiency and error-correction techniques.
The next section examines exactly how these two 2026 papers achieved such significant improvements over the earlier benchmarks.
3.3 Why Resource Requirements Have Fallen Dramatically in Just Four Years
Between the 2022 Webber et al. estimate of roughly 13 million physical qubits and the two March 30, 2026 papers, the projected resources needed to break ECC-256 dropped by more than an order of magnitude in a remarkably short period.
Google Quantum AI’s paper showed that fewer than 500,000 physical qubits on superconducting hardware would now suffice for a nine-minute attack, while the Oratomic/Caltech team demonstrated that only around 26,000 physical qubits on a neutral-atom system could achieve the same result in about ten days. This represents a reduction of roughly 26× compared to the 2022 baseline for fast-clock systems, and an even more dramatic leap in compactness for slow-clock designs.
What drove such rapid progress in such a short time? The biggest gains came from advances in quantum algorithms and circuit optimization. Earlier estimates relied on relatively straightforward implementations of Shor’s algorithm. The 2026 papers introduced significant refinements: more efficient ways to perform elliptic curve point addition (the main bottleneck in Shor’s algorithm for ECC), windowed arithmetic techniques, state reuse, and better compilation strategies that dramatically reduced the number of Toffoli gates required. Google’s team, for example, optimized their circuits down to 70–90 million Toffoli gates — a substantial improvement over prior work [1].
A second major driver was progress in quantum error correction. The 2022 Webber estimate assumed the standard surface code, which has a relatively low encoding rate (roughly 4%). This meant that many physical qubits were needed to protect each logical qubit. The Oratomic/Caltech paper made heavy use of newer high-rate quantum low-density parity-check (qLDPC) codes, which achieve encoding rates of around 30%. These codes pack far more logical qubits into fewer physical qubits by taking advantage of long-range connectivity that is naturally available in neutral-atom systems. Google’s paper, while still relying primarily on the surface code for its fast-clock estimate, also incorporated recent improvements in logical instruction sets and magic-state distillation that further reduced overhead [1, 2].
Third, architectural innovations played a key role. The Oratomic paper leverages the reconfigurability of neutral-atom arrays — the ability to physically move qubits around during computation — to enable more efficient code surgery and parallel operations. This approach allows them to achieve cryptographically relevant performance with far fewer total physical qubits than a rigid superconducting layout would require. Google’s work, by contrast, focuses on scaling well-understood superconducting hardware with planar connectivity, showing that even without exotic new codes, algorithmic gains alone can bring the qubit count down dramatically.
Finally, there has been a broader cultural and methodological shift in the quantum computing field. Researchers have become much more systematic about optimizing every layer of the stack — from the high-level algorithm down to the lowest-level circuit compilation and error-correction decoding. The use of zero-knowledge proofs in the Google paper to validate their resource estimates without revealing exploitable details is itself an example of this increased sophistication and responsibility [1].
Taken together, these improvements — better algorithms, more efficient error-correcting codes, smarter compilation, and hardware-specific architectural tricks — explain why the resource requirements fell so sharply between 2022 and 2026. What once looked like a distant, almost insurmountable engineering challenge (13 million qubits) now appears within reach of continued scaling on existing technological roadmaps.
The next section examines the two March 2026 papers in detail and shows exactly how these advances translate into concrete new estimates for breaking Bitcoin’s cryptography.
IV. The March 2026 Breakthrough Papers
4.1 Google Quantum AI Whitepaper: <500,000 Physical Qubits on Fast-Clock Superconducting Hardware
On March 30, 2026, Google Quantum AI released one of the most significant papers in recent quantum cryptanalysis history. Titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations”, the whitepaper was authored by a team including Ryan Babbush, Craig Gidney, and collaborators from Ethereum Foundation and Stanford University [1].
The paper’s central finding is striking: an optimized version of Shor’s algorithm can break 256-bit elliptic curve cryptography (ECC-256) — the exact system used by Bitcoin and Ethereum — using fewer than 500,000 physical qubits on a superconducting (fast-clock) quantum computer. This represents a roughly 26-fold reduction compared to the widely cited 2022 Webber et al. estimate of 13 million physical qubits for a one-day attack [4].
The authors deliberately used conservative, realistic hardware assumptions: a physical gate error rate of 10⁻³ (0.1%), planar (nearest-neighbor) connectivity, and the well-understood surface code for error correction. They did not rely on speculative future technologies or exotic new error-correcting codes. Instead, they achieved the dramatic reduction through careful algorithmic and circuit-level optimizations.
To address concerns about responsible disclosure, the team published a cryptographic zero-knowledge proof validating their resource claims without revealing the actual quantum circuits that could be used for an attack. This approach allows the community to trust the numbers while preventing immediate misuse by bad actors [1].
4.1.1 Key Claims and Attack Timelines (~9 Minutes per Key)
The paper presents two optimized circuit variants for solving the ECDLP on the secp256k1 curve (Bitcoin’s curve):
- One variant optimized for fewer qubits: 1,200 logical qubits and 90 million Toffoli gates.
- Another variant optimized for fewer gates: 1,450 logical qubits and 70 million Toffoli gates.
When these circuits are compiled onto realistic superconducting hardware with full surface-code error correction, the total physical qubit requirement is under 500,000. The estimated runtime for a single key derivation is approximately 9 minutes (after a pre-computation “priming” step that can be done in advance). This 9-minute figure is critical because it fits comfortably inside Bitcoin’s average 10-minute block interval.
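The “fits comfortably inside the 10-minute block interval” observation is worth quantifying from the defender’s side. Block discovery on a proof-of-work chain is well approximated by a Poisson process, so the time until the next block is exponentially distributed with a 600-second mean and, crucially, memoryless: the odds that a victim’s transaction is still unconfirmed after a nine-minute key extraction do not depend on when the previous block was found. The following is an added example (not code from the Google paper or this article) that works the arithmetic out; the model and the hypothetical extraction times in the table are assumptions of the example, and it ignores fee competition and propagation delay, so it bounds only the timing part of the race.

```python
import math

# Bitcoin's difficulty adjustment targets a mean block interval of 600 seconds.
MEAN_BLOCK_INTERVAL_S = 600.0


def prob_no_block_within(attack_seconds: float,
                         mean_interval_s: float = MEAN_BLOCK_INTERVAL_S) -> float:
    """Probability that no block is found during a key extraction of the given length.

    Modelling assumption (this example's, not the paper's): block arrivals form a
    Poisson process, so the waiting time to the next block is exponential with the
    given mean. The exponential distribution is memoryless, so the result is the
    same whether the last block was found one second or nine minutes ago.
    """
    if attack_seconds < 0 or mean_interval_s <= 0:
        raise ValueError("attack time must be non-negative and the mean interval positive")
    return math.exp(-attack_seconds / mean_interval_s)


def extraction_time_for_window(p: float,
                               mean_interval_s: float = MEAN_BLOCK_INTERVAL_S) -> float:
    """Inverse question: how short must key extraction be for the victim's
    transaction to remain unconfirmed with probability p? Returns seconds."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    return -mean_interval_s * math.log(p)


def window_table(attack_minutes=(9.0, 5.0, 1.0, 0.1)) -> dict:
    """Summarise the race for several hypothetical extraction times (in minutes)."""
    return {m: round(prob_no_block_within(m * 60.0), 3) for m in attack_minutes}


if __name__ == "__main__":
    for minutes, p in window_table().items():
        print(f"{minutes:5.1f} min extraction -> victim tx still unconfirmed with p = {p:.3f}")
    needed = extraction_time_for_window(0.9)
    print(f"for a 90% chance the window stays open, extraction must finish in {needed:.0f} s")
```

With a nine-minute extraction the window stays open in roughly 41% of cases, and reaching a 90% window would require finishing in about a minute; for a defender this is the same fact seen from the other side: every reduction in the time a transaction spends unconfirmed removes exposure, while nothing about the timing of a broadcast can be tuned to avoid it.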
The authors emphasize that this speed is achievable on the same class of hardware Google has already demonstrated experimentally (scaled-up versions of their current superconducting processors). They note that further modest improvements — either in algorithm design or in hardware reaction times — could reduce the time even further.
4.1.2 Implications for On-Spend and At-Rest Attacks
Because the attack can complete in roughly nine minutes, the Google paper explicitly warns that the first generation of cryptographically relevant fast-clock quantum computers would be capable of on-spend attacks. An attacker could monitor the public mempool, extract a revealed public key from an unconfirmed transaction, derive the private key in minutes, and broadcast a competing transaction that steals the funds before the original transaction is mined into a block.
At the same time, the same machine would also be highly effective at at-rest attacks on any public key that has already been exposed on the blockchain. This includes:
- Old P2PK outputs (over 1.7 million BTC, including many Satoshi-era coins)
- Reused addresses (where spending has already revealed the public key)
- Taproot key-path spends
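The three categories above come down to one question a wallet or exchange can ask of every unspent output: is the public key already on-chain, or only a hash of it? Below is an added example (not code from the paper or this article) that classifies a scriptPubKey by its standard template, flags P2PK and Taproot outputs as exposed outright because the key material sits in the output itself, treats hash-locked templates (P2PKH, P2SH, P2WPKH, P2WSH) as exposed only when the same address or redeem script has already been spent from, and totals the balance in each bucket. The sample UTXO set and its scripts are constructed placeholders, not real chain data.

```python
from enum import Enum
from typing import List, Tuple


class Exposure(Enum):
    EXPOSED_IN_OUTPUT = "public key (or tweaked output key) is in the unspent output itself"
    EXPOSED_BY_REUSE = "hash-locked, but an earlier spend from this address revealed the key"
    HASHED = "only a hash is on-chain; the key is revealed at spend time"
    UNKNOWN_SCRIPT = "script template not recognised; inspect manually"


def classify_script(spk: bytes) -> Tuple[str, bool]:
    """Return (template name, key_visible_in_output) for a scriptPubKey."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG (0xac). The push opcode equals
    # the pubkey length, and the pubkey starts with 0x02/0x03 (compressed) or 0x04.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        if (n == 35 and spk[1] in (0x02, 0x03)) or (n == 67 and spk[1] == 0x04):
            return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key>. The tweaked key is itself on-chain,
    # so solving its discrete logarithm yields a key-path spending key.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True
    return "unknown", False


def quantum_exposure(spk: bytes, address_reused: bool) -> Exposure:
    """Map a UTXO to the exposure bucket relevant to a discrete-log attacker."""
    kind, key_visible = classify_script(spk)
    if kind == "unknown":
        return Exposure.UNKNOWN_SCRIPT
    if key_visible:
        return Exposure.EXPOSED_IN_OUTPUT
    # Hash-locked templates hide the key until a spend; a previous spend from the
    # same address (or the same redeem/witness script) has already revealed it.
    return Exposure.EXPOSED_BY_REUSE if address_reused else Exposure.HASHED


def audit_exposure(utxos: List[dict]) -> dict:
    """Total the BTC value held in each exposure bucket."""
    totals = {e: 0.0 for e in Exposure}
    for u in utxos:
        bucket = quantum_exposure(bytes.fromhex(u["script"]), u["reused"])
        totals[bucket] = round(totals[bucket] + u["value_btc"], 8)
    return totals


# Constructed sample UTXO set: scripts use filler bytes, values are illustrative.
SAMPLE_UTXOS = [
    {"script": "21" + "02" + "11" * 32 + "ac", "value_btc": 50.0, "reused": False},  # P2PK
    {"script": "76a914" + "22" * 20 + "88ac", "value_btc": 1.5, "reused": True},     # P2PKH, reused
    {"script": "76a914" + "33" * 20 + "88ac", "value_btc": 0.25, "reused": False},   # P2PKH, fresh
    {"script": "0014" + "44" * 20, "value_btc": 2.0, "reused": False},               # P2WPKH
    {"script": "5120" + "55" * 32, "value_btc": 0.75, "reused": False},              # P2TR
    {"script": "a914" + "66" * 20 + "87", "value_btc": 3.0, "reused": False},        # P2SH
]

if __name__ == "__main__":
    for bucket, btc in audit_exposure(SAMPLE_UTXOS).items():
        print(f"{btc:8.2f} BTC  {bucket.name}: {bucket.value}")
```

The “reused” flag is the only input the script itself cannot supply; in practice it comes from an index of prior spends for the address, which is exactly the data a key-exposure audit has to join against.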
The paper stresses that once a fast-clock machine of this scale exists, both types of attacks become realistic threats. The authors therefore urge the cryptocurrency community to begin migrating to post-quantum cryptography without delay, and they highlight intermediate mitigations (such as private mempools and commit-reveal schemes) that could buy time against on-spend attacks.
Google’s whitepaper does not merely lower the qubit count — it shows that the first machines powerful enough to perform at-rest attacks on exposed keys would likely also be fast enough to enable real-time theft from the mempool. This combination of reduced size and practical speed is what makes the March 30, 2026 paper such a significant wake-up call for Bitcoin.
4.2 Oratomic/Caltech Paper: ~26,000 Physical Qubits on Slow-Clock Neutral-Atom Hardware
Also published on March 30, 2026, the second major paper came from a collaboration between the newly launched startup Oratomic and researchers at Caltech (including Madelyn Cain, Qian Xu, Dolev Bluvstein, and John Preskill). Titled “Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits”, this work takes a completely different technological path from Google’s superconducting approach [2].
Instead of fast-clock superconducting qubits, the Oratomic/Caltech team focuses on neutral-atom quantum computers — a slow-clock architecture that uses individual atoms trapped in laser beams (optical tweezers) as qubits. Neutral-atom systems are slower in gate speed and error-correction cycles, but they offer natural long-range connectivity and the ability to physically move qubits during computation. This reconfigurability allows them to use more advanced, high-rate error-correcting codes that dramatically reduce the total number of physical qubits needed.
4.2.1 Key Claims and Attack Timelines (~10 Days per Key)
The paper’s headline result is that Shor’s algorithm for breaking ECC-256 can be executed with as few as 10,000–13,000 physical qubits in a compact “space-efficient” design, or around 26,000 physical qubits in a faster, time-optimized configuration. These numbers are achieved by using high-rate quantum low-density parity-check (qLDPC) codes with encoding rates of approximately 30% — far more efficient than the standard surface code’s ~4% rate used in most superconducting estimates.
The authors project that, with a 1 ms stabilizer measurement cycle time (realistic for current neutral-atom hardware), the time-optimized architecture could solve an ECC-256 discrete logarithm in approximately 10 days. This is dramatically slower than Google’s nine-minute estimate, but still well within a practical window for at-rest attacks on exposed or dormant coins.
The paper also includes estimates for the larger RSA-2048 problem, requiring 11,000–14,000 qubits for slower runs or about 102,000 qubits for a faster parallelized version taking roughly 97 days. However, the authors emphasize that ECC-256 is the more relevant and immediate cryptographic target for blockchains like Bitcoin and Ethereum.
Importantly, the Oratomic/Caltech team used conservative assumptions and focused on architectures that could be built by scaling existing neutral-atom technology. Their work demonstrates that a much smaller quantum machine — one potentially reachable earlier than a 500,000-qubit superconducting system — could still pose a serious threat to cryptocurrencies, albeit only for at-rest attacks due to the slower clock speed.
4.2.2 Current Hardware Milestone: 6,100-Atom Trapping Array (September 2025)
The Oratomic/Caltech paper is grounded in real experimental progress. In September 2025, the same Caltech team (led by researchers who later founded Oratomic) achieved a major milestone: they successfully trapped and controlled more than 6,100 individual neutral atoms in a large optical tweezer array. This experiment, published in Nature [6], demonstrated the largest coherent neutral-atom array ever built at the time. The atoms remained stable for extended periods and could be moved around dynamically — key capabilities needed for the reconfigurable architectures described in the March 2026 paper [2].
This 6,100-atom array is not yet a full universal quantum processor capable of running Shor’s algorithm. It represents an early-stage hardware demonstration focused on trapping, coherence, and qubit transport. Turning this array into a fault-tolerant quantum computer with full error correction, universal gates, and the ability to run deep circuits is still a significant engineering challenge. Nevertheless, it shows that neutral-atom platforms are rapidly scaling and are no longer limited to small numbers of qubits.
In summary, the Oratomic/Caltech paper complements Google’s work by showing an alternative path: a much smaller, slower machine that could still break ECC-256, but only for at-rest attacks. Together, the two papers illustrate that quantum cryptanalysis is advancing along multiple technological fronts — one emphasizing speed, the other emphasizing compactness — making the overall threat to Bitcoin more credible and closer than previously thought.
4.3 Direct Comparison: Google (Fast-Clock, 500k Qubits) vs. Oratomic (Slow-Clock, 26k Qubits)
The two papers offer two very different but equally important visions of how quantum computers might eventually break ECC-256, the cryptography that secures Bitcoin and Ethereum. Rather than contradicting each other, they complement one another by exploring separate technological paths with different strengths and limitations.
Google Quantum AI’s approach focuses on fast-clock superconducting hardware. Their estimate is that a machine with fewer than 500,000 physical qubits would be sufficient to run an optimized Shor’s algorithm and solve an ECC-256 key in roughly nine minutes. This speed is possible because superconducting qubits have very fast gate times and error-correction cycles (typically 1–10 microseconds). The paper uses conservative assumptions based on hardware Google has already demonstrated experimentally (such as their Willow chip) and relies primarily on the well-understood surface code for error correction [1].
Because the attack can finish in under ten minutes, Google’s machine would be capable of both:
- At-rest attacks (stealing coins with already-exposed public keys, such as old P2PK outputs or reused addresses), and
- On-spend attacks (stealing coins in real time from the public mempool before the transaction is confirmed in a block).
As such, Google’s result shows a relatively large but very fast quantum computer that could threaten active Bitcoin transactions the moment it becomes available.
Oratomic and Caltech’s approach, by contrast, focuses on slow-clock neutral-atom hardware. Their most time-optimized design requires only about 26,000 physical qubits — roughly 20 times fewer than Google’s estimate — but the attack would take approximately ten days assuming a 1 ms stabilizer cycle time. This dramatic reduction in qubit count is achieved by using newer high-rate quantum LDPC codes (with ~30% encoding efficiency) and taking advantage of the natural reconfigurability of neutral-atom arrays, in which the atoms can be rearranged during computation to optimize qubit connectivity [2].
The Oratomic machine would therefore be excellent for at-rest attacks on any public key that has already been revealed on the blockchain. However, ten days is far too slow to perform on-spend attacks inside Bitcoin’s 10-minute block window. This makes Oratomic’s path a smaller, more compact route to quantum cryptanalysis, but one that is limited to stealing long-exposed or dormant coins.
The two papers therefore paint a more complete picture of the quantum threat. Google’s result raises the alarm about real-time theft once fast superconducting machines reach ~500k qubits. Oratomic’s result shows that much smaller machines could still break ECC-256, even if they take longer — meaning the total number of qubits required may be lower than previously thought if slower architectures scale successfully.
Importantly, both papers assume full quantum error correction is in place. Without it, even millions of physical qubits would be too noisy to run Shor’s algorithm reliably. The dramatic reductions achieved in both cases come from a combination of better algorithms, smarter circuit designs, and more efficient error-correcting codes rather than from any single “magic” breakthrough.
Together, these two complementary papers make the quantum threat to Bitcoin feel considerably more immediate and realistic than it did just a few years ago.
V. Current State of Quantum Hardware Development
5.1 Superconducting Fast-Clock Platforms (Google, IBM, Fujitsu/RIKEN)
Superconducting qubits are currently the most advanced and widely pursued fast-clock quantum computing technology. These systems use tiny superconducting circuits cooled to near absolute zero to create and control qubits. Their main advantage is speed: gate operations and error-correction cycles can be performed in microseconds, making them the leading candidates for the fast on-spend attacks described in the Google paper. As of March 2026, three major players dominate this space: Google Quantum AI, IBM Quantum, and the Japanese collaboration between Fujitsu and RIKEN.
Google has long been at the forefront of superconducting quantum hardware. Its most advanced publicly demonstrated processor is the Willow chip, which contains 105 physical qubits. This chip, first unveiled in late 2024, has been used to demonstrate below-threshold error correction and small-scale quantum algorithms. Google continues to focus on scaling this technology while improving coherence times and gate fidelities. Their March 2026 whitepaper explicitly bases its <500,000-qubit estimate on a scaled-up version of this same superconducting platform with realistic error rates and planar connectivity [1].
IBM Quantum has taken a modular approach. Its latest flagship systems include the Heron r2/r3 processors, which have reached 156 physical qubits in a single chip [7], and the Nighthawk processor with 120 qubits [8]. IBM has also demonstrated multi-chip modular systems that link several processors together, effectively creating systems with several hundred to low thousands of physical qubits in total [9]. IBM’s roadmap emphasizes improving error rates and building larger modular arrays, positioning superconducting technology as a practical path toward utility-scale machines [9].
In Japan, the Fujitsu/RIKEN collaboration has made rapid progress. As of early 2026, they have demonstrated a superconducting processor with 256 physical qubits — the largest single-chip count among the major players at the time of the March 2026 papers. Their publicly stated goal is to reach 1,000 qubits by the end of 2026, showing aggressive scaling ambitions in the fast-clock domain [10].
5.1.1 Demonstrated Qubit Counts (~105–256 Physical Qubits as of March 2026)
As of March 31, 2026, the current state of superconducting hardware can be summarized as follows:
- Google Quantum AI: 105 physical qubits (Willow chip, demonstrated 2024 and still the reference platform in their 2026 paper).
- IBM Quantum: 156 physical qubits on the latest Heron r2/r3 processors, with the Nighthawk processor at 120 qubits. IBM has also demonstrated modular multi-chip systems that link several processors together, effectively creating systems with several hundred to low thousands of physical qubits in research configurations.
- Fujitsu/RIKEN: 256 physical qubits on their most recent demonstrated chip, with plans to scale to 1,000 qubits by the end of 2026.
These numbers represent working quantum processors — not just arrays of trapped qubits. They can already run small quantum circuits, perform basic error-corrected operations, and execute simple algorithms. However, they remain orders of magnitude smaller than the ~500,000 physical qubits Google estimates would be needed for a cryptographically relevant fast-clock machine capable of breaking ECC-256 in minutes [1].
The gap is still large — roughly 2,000× to 5,000× smaller than the target — but the superconducting platforms have a clear, incremental scaling path based on decades of engineering experience in cryogenics, microwave control, and fabrication. This is why Google’s paper treats the 500,000-qubit threshold as a realistic engineering goal rather than a distant theoretical one.
In the next subsection, we turn to the leading slow-clock alternative: neutral-atom systems being developed by Oratomic and Caltech.
5.2 Neutral-Atom Slow-Clock Platforms (Oratomic/Caltech)
While superconducting qubits represent the leading fast-clock approach, neutral-atom systems offer a very different path to large-scale quantum computing. These platforms use individual neutral atoms (typically cesium or rubidium) trapped in arrays of laser beams known as optical tweezers. The atoms serve as qubits, and their quantum states are manipulated using carefully controlled laser pulses. Neutral-atom systems are classified as slow-clock architectures because their gate operations and error-correction cycles are significantly slower than those of superconducting qubits — typically in the range of hundreds of microseconds to several milliseconds per cycle.
The main advantages of neutral-atom technology are long coherence times (atoms can remain in quantum states for relatively long periods) and natural reconfigurability. Because the atoms are not fixed in place like superconducting circuits, they can be physically moved around during computation using the same laser tweezers that trap them. This mobility enables long-range connectivity and makes it easier to implement advanced, high-rate error-correcting codes that require non-local interactions. These features are exactly what the Oratomic/Caltech team exploited to achieve much lower physical qubit counts in their March 30, 2026 paper [2].
Oratomic is a brand-new startup that officially launched in March 2026, built directly on research from the Caltech group led by Manuel Endres and Dolev Bluvstein. The company’s goal is to turn the theoretical architectures described in their paper into practical, large-scale quantum computers.
5.2.1 The Gap Between Trapping Arrays and a Full Quantum Processor
The most advanced experimental result associated with the Oratomic team is the September 2025 demonstration by Caltech researchers of a 6,100-atom trapping array. In this experiment, more than 6,100 individual neutral atoms were successfully trapped in a large grid of optical tweezers, maintained high coherence for extended periods, and could be dynamically moved around. This was a genuine hardware milestone — the largest coherent neutral-atom array ever built at the time — and was published in the journal Nature [6].
However, there is still a significant gap between this trapping array and a full, cryptographically relevant quantum processor. A working quantum processor must be able to do much more than simply hold and move atoms. It requires:
- Reliable universal quantum gates (the ability to perform any quantum operation on the qubits).
- High-fidelity measurements and real-time feedback.
- Full quantum error correction running continuously across the entire system.
- The capacity to execute very deep circuits (millions of gates) without errors accumulating and destroying the computation.
The 6,100-atom array demonstrates excellent trapping, coherence, and transport capabilities, but it has not yet been turned into a universal, error-corrected quantum computer capable of running algorithms as complex as Shor’s. In other words, the team has built a very large and stable “parking lot” for qubits, but they still need to add the engines, steering, traffic control, and error-correction systems before the system can drive complex computations.
The Oratomic/Caltech paper bridges this gap theoretically. It shows how a scaled and enhanced version of this neutral-atom technology — using high-rate qLDPC codes and reconfigurable architectures — could reach cryptographically relevant performance with only ~26,000 physical qubits. The paper’s estimates assume further engineering advances in gate fidelity, stabilizer measurement speed (targeting 1 ms cycles), and integration of full fault-tolerant operations. While substantial work remains, the September 2025 6,100-atom result provides a credible experimental foundation for the paper’s claims.
In summary, neutral-atom platforms like those being developed by Oratomic offer the potential for much smaller machines than superconducting systems, but they are currently further away from being full, universal quantum processors. The gap between today’s large trapping arrays and tomorrow’s cryptographically relevant computers is significant, yet the rapid progress in atom trapping and control suggests this path is advancing quickly alongside the superconducting route.
5.3 No Firm Timelines Yet: What Both Teams Have (and Have Not) Stated Publicly
Despite the dramatic reductions in required qubit counts reported in the two March 30, 2026 papers, neither Google Quantum AI nor Oratomic has provided a specific, firm public timeline for when their respective target machines — roughly 500,000 physical qubits for Google’s fast-clock superconducting system or ~26,000 physical qubits for Oratomic’s slow-clock neutral-atom system — will actually be built and operational.
This lack of concrete dates is typical in quantum computing. While researchers can calculate the theoretical resources needed, turning those calculations into working hardware at scale involves enormous engineering challenges: improving fabrication yields, maintaining coherence across larger systems, integrating control electronics, and achieving the extremely low logical error rates required for deep algorithms like Shor’s. Both teams emphasize that their estimates are based on scaling known technology rather than requiring new scientific breakthroughs, but scaling still takes time.
Google Quantum AI has the most publicly articulated long-term vision. In recent roadmap updates (including statements accompanying the March 2026 whitepaper), Google continues to target “commercially relevant quantum computers” by the end of the decade — meaning roughly 2029–2030. They have not committed to a specific year for reaching the 500,000-physical-qubit threshold described in their ECC-256 paper. Instead, Google’s public statements focus on near-term milestones such as scaling to tens of thousands of physical qubits while simultaneously improving error rates and error-correction performance. The company has also announced that it is beginning work on neutral-atom systems as a parallel research track, but its primary superconducting roadmap remains the foundation for the fast-clock estimates in the paper [1].
Oratomic, being a brand-new startup that officially launched on the same day the paper was published (March 30, 2026), has not yet released any detailed roadmap or timeline. The company’s public statements so far have been limited to the claims in the scientific paper itself. Their current experimental foundation is the 6,100-atom trapping array demonstrated by the Caltech team in September 2025. Turning that milestone into a full fault-tolerant processor capable of running Shor’s algorithm at the ~26,000-qubit scale will require significant additional engineering. Oratomic has not indicated when they expect to reach this level, only that their architecture is designed to be scalable from existing neutral-atom technology [2].
Both teams are optimistic that their respective qubit targets are achievable with continued engineering progress on platforms that have already shown promising results in the laboratory. However, neither has translated those optimistic assessments into firm calendar dates. This cautious approach is common in the field: quantum hardware timelines have historically slipped, and companies prefer to under-promise and over-deliver rather than risk setting unrealistic expectations.
The absence of firm timelines does not mean the threat is distant. It simply reflects the reality that moving from today’s demonstrated systems (105–256 qubits for superconducting, 6,100-atom arrays for neutral atoms) to the much larger scales needed for cryptographically relevant attacks still requires years of focused engineering effort. Sections 5.1 and 5.2 above described the current state of these hardware platforms and the gap between today’s devices and tomorrow’s cryptographically relevant machines; the next section turns to the physicists who question whether that gap can be closed at all.
VI. Skeptical Perspectives and Alternative Theories
While the two March 30 papers represent the latest and most optimistic estimates for breaking ECC-256, not all physicists agree that quantum computers will continue to scale indefinitely with exponential power. There is a strong mainstream consensus that dominates the quantum computing industry, alongside a small but serious group of minority voices who argue that fundamental physical limits may cap quantum advantage much earlier than expected.
The mainstream consensus — held by the vast majority of quantum researchers, including the teams at Google Quantum AI, IBM, and most academic groups — is based on standard quantum mechanics as it has been understood and tested for over 100 years. In this view, the mathematical space in which quantum states live (called Hilbert space) is continuous and infinite. This means that every additional qubit doubles the number of possible states the system can represent (2^N states for N qubits). As long as error rates can be kept low enough through better hardware and error correction, there is no hard physical ceiling to scaling. The only limits are engineering ones: noise, decoherence, fabrication challenges, and cost. This is why companies like Google continue to publish aggressive roadmaps aiming for hundreds of thousands or even millions of physical qubits in the coming decade [1].
A prominent minority view was published on March 16, 2026, by Oxford physicist Tim Palmer, a Royal Society Fellow. In a peer-reviewed paper in Proceedings of the National Academy of Sciences (PNAS) titled “Rational Quantum Mechanics: Testing quantum theory with quantum computers,” Palmer proposes a new framework called Rational Quantum Mechanics (RaQM) [11].
At its heart, RaQM asks a simple but profound question: “What if gravity makes nature hate true continuity?” Palmer argues that gravity — which is not yet fully incorporated into standard quantum mechanics — forces the mathematical space in which quantum states live (Hilbert space) to be fundamentally discrete rather than continuous. In other words, nature may not allow infinitely smooth mathematical descriptions; there could be a built-in “graininess” at the smallest scales.
To understand this, recall that gravity (according to Einstein’s general relativity) places fundamental constraints on energy and information density. If too much quantum information (too many entangled qubits) is encoded in a finite physical region, gravitational considerations suggest there is a natural limit to how much can be stored or processed. Palmer’s idea is that nature enforces a cutoff on the granularity of quantum state space — a kind of smallest possible “pixel size” in Hilbert space. This makes the space effectively discrete (like a grid with tiny but finite steps) rather than perfectly continuous.
This discreteness would impose a hard physical limit on how much quantum information can actually be entangled and processed. According to Palmer’s calculations, meaningful exponential quantum advantage is limited to roughly 200–400 qubits with current technology, and an absolute maximum of around 1,000 qubits even in ideal future hardware. Beyond this point, algorithms like Shor’s would lose their exponential advantage because the quantum state simply cannot hold enough information.
Palmer’s paper is notable because it’s formally peer-reviewed, published in one of the world’s top journals, and includes specific, testable predictions. He even suggests concrete experiments that could be run on near-term quantum computers within the next five years to distinguish between standard quantum mechanics and RaQM. However, as of today, no such experiments have yet been performed. The idea remains a provocative but untested hypothesis.
The quantum computing industry (Google, IBM, and others) has not publicly altered its development plans in response to the paper. Their roadmaps continue to assume standard quantum mechanics, where the only limits are engineering ones. Most experts view Palmer’s idea as a valuable contribution worthy of careful testing, but still a minority perspective. The mainstream consensus remains that the physics that has worked perfectly for a century will continue to hold at larger scales.
This debate matters greatly for Bitcoin. If the mainstream view is correct, the hardware targets described in the March 2026 papers (500k or 26k qubits) are realistic engineering goals that could be reached within the next decade. If Palmer’s view ultimately proves correct, the quantum threat to ECC-256 might never fully materialize at the scales needed for practical attacks. Until experiments decide the issue, the Bitcoin community is wisely preparing for the more conservative (mainstream) scenario.
VII. Quantum Attack Types on Bitcoin
7.1 At-Rest Attacks: Targeting Exposed or Reused Public Keys
An at-rest attack is the simplest and most straightforward type of quantum attack on Bitcoin. It occurs when a quantum computer targets a public key that is already visible somewhere on the blockchain and has plenty of time (hours, days, or even years) to solve for the corresponding private key using Shor’s algorithm.
In Bitcoin, ownership of coins is proven by digital signatures created with a private key. The public key is what the network uses to verify those signatures. The security of the entire system rests on the assumption that it is computationally infeasible for anyone to derive the private key from the public key. Shor’s algorithm breaks this assumption on a sufficiently powerful quantum computer.
For an at-rest attack to succeed, the attacker only needs one thing: access to the public key. Once the public key is known, the quantum computer can quietly compute the private key offline. The attacker then uses that private key to forge a transaction and steal any coins still controlled by that key.
Bitcoin has several script types that expose public keys in different ways, making them vulnerable to at-rest attacks:
P2PK (Pay-to-Public-Key) scripts, used heavily in Bitcoin’s early days (2009–2010), record the full public key directly on the blockchain the moment the coins are received. Over 1.7 million BTC — including a large portion of Satoshi-era mining rewards — are still locked in these old P2PK scripts. Their public keys have been fully visible for 16+ years, even though the coins have never been spent [1].
Reused addresses (P2PKH, P2WPKH, P2WSH, etc.) become vulnerable the moment they are spent from. When a user spends coins from an address, the unlocking script reveals the public key. Any remaining coins at that address are then exposed to at-rest attacks forever.
P2TR (Pay-to-Taproot) addresses also expose a public key in the key-path spend, creating a similar vulnerability for any coins using the default key path.
In contrast, a truly fresh, never-used address (for example, a standard P2WPKH address that has only received funds and never spent any) keeps the public key hidden behind a cryptographic hash. In this case, there is no public key available for a quantum computer to attack — so at-rest attacks are currently impossible on those coins [1].
The Google Quantum AI paper explicitly highlights that roughly 6.9 million BTC are currently vulnerable to at-rest attacks due to exposed or reused public keys, with up to 2.3 million BTC considered “dormant” or long-unused and therefore especially attractive targets [1]. Satoshi’s coins fall squarely into this category: because they were created using P2PK scripts, their public keys have been exposed on-chain since the moment they were mined, even though they have never been moved.
At-rest attacks can be carried out by either fast-clock or slow-clock quantum computers. They do not require real-time speed — only that the public key is already known. This makes them the most immediate and realistic threat once cryptographically relevant quantum hardware becomes available, regardless of whether it is a fast superconducting machine or a slower neutral-atom system.
7.2 On-Spend Attacks: Real-Time Theft from the Public Mempool
While at-rest attacks target coins whose public keys have already been exposed on the blockchain for a long time, on-spend attacks represent a more immediate and aggressive threat. An on-spend attack occurs when a quantum computer steals coins in real time while a legitimate transaction is still sitting in Bitcoin’s public mempool — the temporary holding area where unconfirmed transactions wait to be included in a block.
Here is how the attack would work in practice. When a user broadcasts a normal Bitcoin transaction to send coins, the transaction enters the public mempool. For nearly all standard Bitcoin address types (P2PKH, P2WPKH, P2WSH, and P2TR), the public key must be revealed at this moment so that network nodes can verify the digital signature. Once the public key is visible in the mempool, a quantum attacker with a fast-clock machine can extract it, run Shor’s algorithm to derive the corresponding private key, and then quickly create and broadcast a competing “forged” transaction that sends the same coins to the attacker’s own wallet. If the attacker’s transaction is confirmed first — typically by offering a higher transaction fee to miners — the original user’s transaction is rejected, and the coins are stolen.
The Google Quantum AI whitepaper makes this scenario particularly realistic. Their optimized circuits show that a superconducting quantum computer with fewer than 500,000 physical qubits could solve an ECC-256 key in approximately nine minutes (after an optional pre-computation “priming” step). Because Bitcoin’s average block time is about ten minutes, this speed is fast enough for the attack to succeed before the original transaction is mined into a block [1]. The paper notes that the attacker could pre-compute part of the algorithm in advance and wait for a public key to appear in the mempool, further shortening the effective time required.
On-spend attacks are only possible with fast-clock quantum architectures (superconducting, photonic, or silicon spin qubits). These platforms have the rapid gate times and short error-correction cycles needed to complete the computation inside Bitcoin’s narrow confirmation window. Slow-clock systems, such as neutral-atom machines (like the one proposed in the Oratomic paper), are far too slow. Even if they could break the key with only 26,000 physical qubits, the ten-day timeframe would make on-spend attacks impossible — they would only be useful for at-rest theft of already-exposed coins [2].
The public mempool is the critical vulnerability here. Bitcoin transactions are broadcast openly to the entire network so that anyone can verify and include them. This transparency, which is essential for Bitcoin’s decentralized security, also creates a brief but exploitable window. High-value transactions or those sent during periods of low network congestion would be especially attractive targets. An attacker could even artificially congest the mempool with their own high-fee transactions to buy extra time for the quantum computer to finish deriving the private key.
In summary, on-spend attacks represent the most time-sensitive quantum threat to Bitcoin. They do not require the public key to have been exposed for a long time — only long enough for a fast-clock quantum computer to solve for the private key while the transaction is still unconfirmed. The Google paper’s nine-minute estimate shows that once a cryptographically relevant fast-clock machine exists, active Bitcoin transactions will no longer be safe. This is why the combination of reduced qubit requirements and fast attack timelines has become such a pressing concern for the Bitcoin community.
7.3 On-Setup Attacks: Why Bitcoin Is Immune
The third category of quantum attack discussed in the Google Quantum AI whitepaper is the on-setup attack. Unlike at-rest or on-spend attacks, which directly target individual public keys, an on-setup attack is a one-time quantum computation that creates a permanent, reusable classical backdoor into a cryptographic protocol. After the initial quantum step, the attacker no longer needs a quantum computer — the backdoor can be exploited repeatedly using ordinary classical computers [1].
Here is how an on-setup attack works in principle. Some advanced blockchain features rely on fixed public parameters that were generated during a “trusted setup ceremony.” These parameters often contain hidden secrets (sometimes called “toxic waste”) that were supposed to be destroyed after the setup. If an attacker with a quantum computer can recover those secrets by solving the discrete logarithm problem on the fixed public parameters, they gain a universal backdoor. This backdoor can then be used to forge proofs, create counterfeit coins, break privacy, or undermine critical protocol mechanisms — all without further quantum computation.
Examples of protocols vulnerable to on-setup attacks include:
Ethereum’s Data Availability Sampling (DAS), which uses KZG polynomial commitments generated during a trusted setup ceremony.
Certain privacy protocols such as Zcash’s older Sapling shielded pool (which had a trusted setup) and some implementations of Mimblewimble, which rely on fixed public parameters generated during a setup, could in principle be vulnerable to a one-time quantum computation [1].
In these cases, a single successful quantum computation on the fixed setup parameters would give the attacker a lasting classical exploit that could be traded or used indefinitely.
Bitcoin, however, is not vulnerable to on-setup attacks under its current design, because it does not rely on any trusted setup or fixed public parameters.
Bitcoin’s design is deliberately simple and does not rely on any trusted setup ceremonies, fixed public protocol parameters, or complex zero-knowledge proof systems that contain hidden secrets. There are no “toxic waste” parameters generated during a setup phase, no KZG commitments, and no fixed public values that could serve as a backdoor. Bitcoin’s core transaction validation uses straightforward ECDSA or Schnorr signatures based on the secp256k1 elliptic curve, with no additional cryptographic primitives that would enable this type of attack.
The Google paper explicitly states this immunity:
“While the Bitcoin blockchain is immune to on-setup attacks…” [1]
This is a deliberate architectural choice. Bitcoin prioritizes simplicity and minimalism, avoiding the more advanced cryptographic features found in Ethereum, Zcash, or Mimblewimble-based chains that introduce new quantum vulnerabilities. As a result, the only quantum threats Bitcoin faces are the direct at-rest and on-spend attacks that target individual public keys — not universal backdoors that could compromise the entire protocol.
This immunity is one of Bitcoin’s structural advantages in a post-quantum world. While other blockchains must worry about both key-breaking attacks and potential protocol-level backdoors created by on-setup attacks, Bitcoin’s attack surface is limited to the exposure of individual public keys. This makes the problem more contained and easier to reason about, even though it remains a serious challenge that requires urgent attention.
VIII. Specific Impacts on Bitcoin and the Broader Crypto Ecosystem
8.1 Vulnerable Bitcoin Script Types and Dormant Assets (~2.3 Million BTC at Risk)
Bitcoin’s security ultimately rests on the assumption that private keys cannot be derived from public keys. Quantum computers running Shor’s algorithm break this assumption, but not every Bitcoin output is equally vulnerable. The degree of risk depends entirely on the script type used to lock the coins and whether the public key has ever been revealed on the blockchain.
Bitcoin supports several standard script types, each with different quantum exposure characteristics. The Google Quantum AI whitepaper provides a detailed analysis of these types and quantifies the total value currently at risk [1].
P2PK (Pay-to-Public-Key): These are the oldest and most vulnerable scripts. In a P2PK output, the full public key is written directly on the blockchain the moment the coins are received (usually as a coinbase mining reward). No spending is required for the public key to be visible. Over 1.7 million BTC — nearly 9% of all Bitcoin — remain locked in these legacy P2PK scripts, including a large portion of early Satoshi-era mining rewards. Because the public keys have been exposed since 2009–2010, these coins are fully vulnerable to at-rest attacks by any cryptographically relevant quantum computer, fast-clock or slow-clock [1].
P2PKH, P2WPKH, P2WSH (Pay-to-Public-Key-Hash and SegWit variants): These scripts hide the public key behind a cryptographic hash when the coins are received. They are therefore safe from at-rest attacks as long as the address has never been spent from. However, the moment a user spends coins from such an address, the public key is revealed in the unlocking script. Any remaining coins at that address then become vulnerable to at-rest attacks. This is the classic address reuse vulnerability. The Google paper estimates that address reuse currently exposes roughly 5 million additional BTC to quantum risk [1].
P2TR (Pay-to-Taproot): Introduced in 2021, Taproot was intended to improve privacy and efficiency. However, in its default “key-path” spending mechanism, it records a tweaked public key directly on-chain. This created a quantum security regression compared to older SegWit addresses. P2TR outputs are therefore vulnerable to at-rest attacks as soon as the coins are received [1].
P2MS (Pay-to-Multisig) and other legacy scripts: These expose multiple public keys directly and are similarly vulnerable from the moment of receipt.
The Google paper estimates that, as of early 2026, approximately 6.9 million BTC in total are currently vulnerable to at-rest quantum attacks due to exposed or reused public keys. Of this amount, roughly 2.3 million BTC are considered “dormant” — coins that have not moved in many years and are locked in old scripts or long-unused addresses. These dormant assets represent a fixed, high-value target that cannot be easily protected through normal wallet upgrades. Many of them are believed to have lost keys, making them effectively abandoned but still attractive to quantum attackers [1].
Satoshi’s coins are a prominent example. A significant portion of the early mining rewards attributed to Satoshi Nakamoto (roughly 1 million BTC) were created using P2PK scripts. Their public keys have been fully visible on the blockchain since they were mined, even though the coins have never been spent. This makes them permanently exposed to at-rest attacks, regardless of any future signature upgrades that might be implemented on Bitcoin [1].
The existence of such a large pool of vulnerable and dormant coins creates unique challenges for Bitcoin. Unlike traditional financial systems, where lost or abandoned assets can often be reclaimed or managed through legal processes, Bitcoin’s immutable design means these coins remain on the ledger indefinitely. If a quantum computer capable of at-rest attacks becomes available, these assets could be stolen without any technical recourse for the original owners.
This situation underscores why the Google paper describes Bitcoin as “uniquely exposed” compared to traditional finance: there is no central authority to freeze accounts, reverse transactions, or update security centrally. The only defenses are technical upgrades (such as BIP-360 and post-quantum signatures) and user behavior (avoiding address reuse and migrating legacy coins). The scale of dormant assets — especially the early P2PK coins — makes the quantum risk not just theoretical, but a concrete economic and security concern for the entire Bitcoin network.
The next subsection examines how address reuse and fresh-address practices affect real-world protection levels today.
8.2 Address Reuse vs. Fresh Addresses: Current Real-World Protections
One of the most practical and immediately actionable defenses against quantum at-rest attacks is also one of Bitcoin’s oldest and simplest rules: never reuse addresses. This guideline, originally recommended by Satoshi Nakamoto in the 2009 whitepaper for privacy reasons, has taken on new importance in the quantum era.
How Fresh Addresses Provide Protection
Modern Bitcoin address types — particularly Pay-to-Witness-Public-Key-Hash (P2WPKH) and Pay-to-Witness-Script-Hash (P2WSH), which begin with “bc1q” — are designed to keep the public key hidden. When coins are sent to a fresh address, only a cryptographic hash of the public key is recorded on the blockchain. Without the actual public key, a quantum computer has nothing to attack using Shor’s algorithm. As long as the address has never been spent from, it remains protected from at-rest attacks, even if a powerful quantum computer exists [1].
This protection is automatic and built into the protocol. A user who always generates a new receive address for every incoming payment (the default behavior in most modern wallets) is, in effect, using Bitcoin’s strongest available defense against quantum at-rest theft today.
The Danger of Address Reuse
The moment a user spends from an address, the full public key is revealed in the unlocking script. From that point onward, any remaining coins still sitting at that address are vulnerable to at-rest attacks, and they stay at risk permanently even if the user never reuses the address again: the quantum computer can simply read the now-exposed public key from the blockchain and compute the private key at its leisure. To stay quantum-safe, users should immediately move leftover coins to a fresh, never-before-used address.
Address reuse is unfortunately very common in practice. Merchants, exchanges, and many users often publish a single static address for convenience, donations, or payment processing. The Google Quantum AI whitepaper estimates that address reuse currently exposes roughly 5 million BTC to quantum risk [1]. This figure includes not only ordinary user wallets but also large holdings on centralized exchanges and services that rely on address reuse for operational efficiency.
Once reuse occurs, the protection of the hash is permanently lost. Even if the user stops reusing the address afterward, any coins that remain at that address are now permanently exposed to future quantum computers.
Real-World Impact and Best Practices
For ordinary Bitcoin users, the rule is straightforward:
Always use a fresh, never-before-used address when receiving funds.
Avoid publishing static addresses for donations or recurring payments when possible.
Hierarchical Deterministic (HD) wallets make this easy by automatically generating new addresses.
For businesses and exchanges, the trade-off is more difficult. Static addresses simplify accounting, customer experience, and proof-of-reserves procedures. However, in a post-quantum world, this convenience comes with significant risk. The Google paper notes that many of the largest Bitcoin holders on the network are linked to major exchanges that have historically reused addresses [1].
BIP-360 (Pay-to-Merkle-Root), once activated, will improve the situation for new addresses by removing the key-path exposure present in Taproot, making fresh P2MR addresses even more quantum-resistant. However, it does not retroactively protect already-reused or legacy addresses.
Using fresh addresses currently provides meaningful real-world protection against at-rest quantum attacks. Address reuse is the single largest avoidable vulnerability in the Bitcoin ecosystem today. While not a complete solution (on-spend attacks would still be possible with fast-clock machines), consistently using fresh addresses is one of the simplest and most effective defenses users can adopt right now while the network works toward full post-quantum upgrades.
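The exposure rules described in 7.1, 8.1 and this subsection can be turned into a simple UTXO audit. The following is an added illustration, not code from Google Quantum AI or any wallet: it classifies a scriptPubKey by type, decides whether the public key is already visible (at receipt for P2PK, P2MS and P2TR key-path outputs; at first spend for hash-guarded P2PKH, P2WPKH and P2WSH), and totals the value an owner should migrate. All key and hash bytes are constructed placeholders.

```python
"""Audit a set of Bitcoin UTXOs for at-rest quantum exposure (added illustration).

Rule encoded: a key is attackable with Shor's algorithm once it is on-chain,
which happens at receipt for P2PK/P2MS/P2TR and at first spend for hash-guarded
scripts. Sample UTXOs and key bytes are constructed, not real.
"""
from dataclasses import dataclass

SAT_PER_BTC = 100_000_000
OP_DUP, OP_HASH160, OP_EQUALVERIFY = 0x76, 0xA9, 0x88
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE
OP_1, OP_16 = 0x51, 0x60


def _is_pubkey_push(push: bytes) -> bool:
    """A direct push of a 33-byte compressed or 65-byte uncompressed key."""
    return len(push) > 1 and push[0] in (33, 65) and len(push) == push[0] + 1


def classify_script(spk: bytes) -> str:
    """Return the standard output-script type of a scriptPubKey, or 'nonstandard'."""
    n = len(spk)
    if n in (35, 67) and spk[-1] == OP_CHECKSIG and _is_pubkey_push(spk[:-1]):
        return "P2PK"
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and spk[:2] == b"\x51\x20":   # OP_1 <32-byte tweaked key>
        return "P2TR"
    if (n > 3 and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16
            and spk[-1] == OP_CHECKMULTISIG):
        # Bare multisig: OP_m <key>... OP_n OP_CHECKMULTISIG; count the key pushes.
        i, keys = 1, 0
        while i < n - 2:
            length = spk[i]
            if length not in (33, 65) or i + 1 + length > n - 2:
                return "nonstandard"
            keys += 1
            i += 1 + length
        if keys == spk[-2] - 0x50:   # OP_n encodes n as 0x50 + n
            return "P2MS"
    return "nonstandard"


# Key is on-chain from the moment coins are received.
EXPOSED_ON_RECEIPT = {"P2PK", "P2MS", "P2TR"}
# Key stays behind a hash until the address is first spent from.
HASH_GUARDED = {"P2PKH", "P2WPKH", "P2WSH"}


@dataclass
class Utxo:
    script_pubkey: bytes
    value_sat: int
    address_spent_from: bool  # True if any earlier spend revealed this address's key


def at_rest_exposure(u: Utxo) -> str:
    kind = classify_script(u.script_pubkey)
    if kind in EXPOSED_ON_RECEIPT:
        return "exposed"
    if kind in HASH_GUARDED:
        return "exposed" if u.address_spent_from else "hidden"
    return "unknown"


def audit(utxos: list[Utxo]) -> dict[str, int]:
    """Total value (sats) per exposure class; 'exposed' is what should be migrated."""
    totals = {"exposed": 0, "hidden": 0, "unknown": 0}
    for u in utxos:
        totals[at_rest_exposure(u)] += u.value_sat
    return totals


# Constructed placeholders, not real keys or hashes.
FAKE_KEY = b"\x02" + b"\x11" * 32
FAKE_H160 = b"\x22" * 20
FAKE_H256 = b"\x33" * 32

SAMPLE_UTXOS = [
    Utxo(b"\x21" + FAKE_KEY + b"\xac", 50 * SAT_PER_BTC, False),            # 2009-style P2PK coinbase
    Utxo(b"\x76\xa9\x14" + FAKE_H160 + b"\x88\xac", 3 * SAT_PER_BTC, True),  # reused legacy P2PKH
    Utxo(b"\x00\x14" + FAKE_H160, 1 * SAT_PER_BTC, False),                   # fresh bc1q P2WPKH
    Utxo(b"\x51\x20" + FAKE_H256, 2 * SAT_PER_BTC, False),                   # Taproot key-path output
    Utxo(b"\x51\x21" + FAKE_KEY + b"\x21" + FAKE_KEY + b"\x52\xae",
         1 * SAT_PER_BTC, False),                                           # bare 1-of-2 multisig
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(classify_script(u.script_pubkey), at_rest_exposure(u), u.value_sat / SAT_PER_BTC)
    print(audit(SAMPLE_UTXOS))   # exposed: 56 BTC, hidden: 1 BTC
```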
The next subsection examines the more urgent, real-time threat: on-spend attacks on active transactions.
8.3 On-Spend Risks to Active Transactions
While at-rest attacks target coins that have already had their public keys exposed for a long time, on-spend attacks represent the most immediate and operationally disruptive quantum threat to Bitcoin. These attacks aim to steal funds in real time while a legitimate transaction is still sitting in the public mempool — the temporary, publicly visible queue where unconfirmed transactions wait to be included in a block.
The attack proceeds as follows. When a user broadcasts a standard Bitcoin transaction, it enters the public mempool so that miners and nodes across the network can verify and eventually include it in a block. For nearly all common address types (P2PKH, P2WPKH, P2WSH, and P2TR), the public key must be revealed in the unlocking script at this stage so the network can check the digital signature. As soon as the public key appears in the mempool, a quantum attacker with a fast-clock machine can extract it, run Shor’s algorithm to derive the private key, and then rapidly create and broadcast a competing “forged” transaction that sends the same coins to the attacker’s own wallet. By offering a significantly higher transaction fee, the attacker can incentivize miners to include their forged transaction first. If successful, the original user’s transaction is rejected, and the funds are stolen before they are ever confirmed on the blockchain [1].
The Google Quantum AI whitepaper makes this scenario alarmingly realistic. Their optimized circuits show that a superconducting (fast-clock) quantum computer with fewer than 500,000 physical qubits could solve an ECC-256 key in approximately nine minutes. Because Bitcoin’s average block time is about ten minutes, this speed is fast enough for the attacker to potentially front-run many ordinary transactions. The paper notes that the attacker can pre-compute part of the algorithm in advance and simply wait for a public key to appear in the mempool, reducing the effective time needed even further [1].
Several factors make on-spend attacks particularly dangerous in practice:
The attacker can engage the victim in a “Replace-By-Fee” (RBF) bidding war, rationally offering extremely high fees because they are stealing funds they do not own.
An attacker could artificially congest the mempool with their own high-fee transactions to buy extra time for the quantum computation to finish.
The attack works against virtually all standard transaction types once the public key is revealed in the mempool.
The Google paper estimates that, under realistic conditions, a nine-minute quantum attack would have a meaningful probability of success against typical Bitcoin transactions, especially during periods of normal or low network congestion [1].
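A back-of-the-envelope risk model, added here and not taken from the Google paper, shows why the nine-minute figure is the critical number. Assume block arrivals form a Poisson process with mean interval $\bar{T} = 10$ minutes, so the waiting time $T$ until the next block is exponentially distributed and memoryless, and assume the key derivation takes a fixed $t_a$ minutes once the public key appears in the mempool (fee competition, congestion and later confirmations are ignored). The derivation then finishes before the next block with probability

$$P(T > t_a) = e^{-t_a/\bar{T}}, \qquad e^{-9/10} \approx 0.41 \text{ for } t_a = 9 \text{ min},$$

and because the exponential distribution is memoryless, this does not depend on how long the current block interval has already been running when the transaction is broadcast. The same formula explains why slow-clock hardware cannot mount on-spend attacks: for the Oratomic-style ten-day derivation, $t_a = 14{,}400$ minutes gives $e^{-1440}$, which is zero for all practical purposes.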
Importantly, on-spend attacks are only possible with fast-clock quantum architectures. Slow-clock systems, such as the neutral-atom machines described in the Oratomic paper, are far too slow — taking roughly ten days per key — to execute this type of real-time theft. This means the on-spend threat is specifically tied to the scaling of fast-clock superconducting hardware [2].
Currently, there is no built-in default protection against on-spend attacks on Bitcoin mainnet. Some advanced users can reduce risk by using private mempool services (sending transactions directly to miners or builders instead of the public mempool) or commit-reveal schemes, but these are only partial and temporary measures. They add complexity and do not eliminate the underlying vulnerability.
In summary, on-spend attacks turn Bitcoin’s greatest strength — its open, decentralized, and transparent transaction broadcast mechanism — into a critical vulnerability. The Google paper’s nine-minute estimate shows that once fast-clock cryptographically relevant quantum computers exist, active Bitcoin transactions will no longer be safe. This real-time theft risk, combined with the large volume of at-rest vulnerable coins, is why the March 2026 papers have been viewed as such an urgent wake-up call for the Bitcoin ecosystem.
8.4 Second-Order Effects on Mining, Consensus, and Ecosystem Confidence
Beyond the direct risk of stolen coins, quantum attacks would create significant second-order effects that could destabilize Bitcoin’s mining economy, consensus mechanism, and overall ecosystem confidence. These indirect consequences may ultimately prove as damaging as the thefts themselves.
Impact on Mining Economics and Difficulty Adjustment
If quantum computers begin successfully executing at-rest or on-spend attacks, the market would likely react with panic selling and a sharp drop in Bitcoin’s price. Mining profitability is directly tied to the fiat value of block rewards and transaction fees. A sudden and sustained price collapse would make many mining operations unprofitable almost overnight.
Bitcoin’s difficulty adjustment algorithm recalibrates every 2,016 blocks (roughly every two weeks). This slow response creates a dangerous lag: mining revenue could fall dramatically while the network’s total hashrate remains high for days or weeks. During this period, many miners would operate at a loss, potentially leading to widespread shutdowns. Reduced hashrate would slow block production, lengthen confirmation times, and make on-spend attacks even easier to execute.
Chain Reorganizations and Miner Extractable Value (speculative, but logically plausible)
Quantum attackers could also exploit their ability to derive private keys quickly to create new forms of Miner Extractable Value (MEV). For example, an attacker might offer miners substantial bribes (in the form of high-fee transactions) to deliberately orphan blocks that contain high-value legitimate transactions. By causing a chain reorganization, the attacker could cancel the original transaction and insert their own forged one. This would introduce a new and dangerous form of MEV that incentivizes miners to collude with quantum thieves.
Such reorganizations would undermine one of Bitcoin’s core security assumptions: that transactions become increasingly final as they are buried under more blocks. In a quantum-active world, even deeply confirmed transactions could suddenly become reversible if a sufficiently powerful attacker and cooperative miners decide to rewrite history.
Erosion of Ecosystem Confidence
Perhaps the most serious second-order effect is the potential loss of public and institutional confidence. Bitcoin’s value and adoption rest heavily on the perception that it’s a secure, immutable store of value. Widespread quantum theft — even if limited to reused addresses or dormant coins — would shatter that perception. News of large-scale thefts would likely trigger panic selling, reduced merchant acceptance, and a flight of capital to perceived safer assets.
This loss of confidence could also fracture the Bitcoin community. Debates over how to handle vulnerable dormant assets (burn, hourglass rate-limiting, or a “bad sidechain” solution) could lead to contentious hard forks, further damaging trust and splitting liquidity. Exchanges and custodians might face massive withdrawals or even solvency issues if they hold significant exposed funds.
Proof-of-Work Consensus Remains Indirectly Vulnerable
It is worth noting that Bitcoin’s Proof-of-Work consensus mechanism itself is not directly threatened by quantum computers. Grover’s algorithm offers only a quadratic speedup for mining, which is almost entirely erased by the overhead of quantum error correction. The Google paper explicitly states that quantum mining remains “science fiction” in any realistic timeframe [1]. However, the economic effects of quantum theft could indirectly weaken the consensus layer by making mining unprofitable and reducing hashrate, thereby making the network more susceptible to other attacks during periods of low security.
In summary, quantum attacks would not only steal coins directly but would also create cascading economic, technical, and social effects. These second-order consequences — slowed block production, increased reorganizations, eroded confidence, and potential community fractures — could threaten Bitcoin’s long-term viability even more than the thefts themselves. This is why the Google paper urges immediate action on both technical mitigations and broader policy considerations. The following section examines the specific upgrades and proposals Bitcoin is already developing to address these risks.
IX. Bitcoin’s Current and Proposed Mitigations
9.1 Intermediate Fixes: BIP-360 (Pay-to-Merkle-Root / P2MR)
One of the most practical and near-term improvements currently under discussion in the Bitcoin community is BIP-360, which introduces a new output script type called Pay-to-Merkle-Root (P2MR). Proposed in early 2026 and now in Draft status, BIP-360 is designed as a simple, low-disruption soft fork that directly addresses one of Bitcoin’s most glaring quantum vulnerabilities: the exposure of public keys in Taproot addresses.
BIP-360 is essentially a “quantum-hardened” version of Taproot (P2TR). It keeps most of Taproot’s privacy and efficiency benefits but removes the vulnerable “key path spend” that directly records a public key on-chain when the address is created. Instead, P2MR commits only to the Merkle root of the script tree. When the coins are eventually spent, the spender must reveal a specific script leaf along with a Merkle proof — the actual public key or script is never exposed until the moment of spending [12].
9.1.1 What It Solves (At-Rest Protection for New Addresses)
The primary benefit of BIP-360 is strong protection against at-rest attacks for all newly created addresses.
When coins are sent to a fresh P2MR address, only a Merkle root is recorded on the blockchain. The public key itself remains hidden. A quantum computer therefore has no public key to attack with Shor’s algorithm. This protection holds even if the address is reused multiple times for receiving funds.
Importantly, when you spend from a P2MR address, the change/output coins are sent to a new fresh P2MR address in the same transaction. This design avoids the Taproot-style regression, where spending once permanently exposed a public key for any remaining coins at that address. As a result, leftover coins stay protected from at-rest attacks as long as they are sent to new P2MR outputs [12].
Once activated, any Bitcoin sent to new P2MR addresses (bc1z… format) would be significantly safer from at-rest quantum theft. This is a meaningful improvement over today’s Taproot addresses, which the Google paper explicitly called a “security regression” from a quantum perspective because they expose a public key by default [1].
BIP-360 is intentionally designed to be an intermediate fix — something that can be deployed relatively quickly through a soft fork without requiring a full post-quantum signature scheme. It improves quantum resistance for new coins while the more complex work on hash-based signatures (such as SHRINCS) continues.
9.1.2 What It Does Not Solve (On-Spend and Legacy Coins)
Despite its benefits, BIP-360 is only a partial solution.
On-spend attacks remain possible. When a user eventually spends from a P2MR address, the public key or script is still revealed in the mempool. A fast-clock quantum computer could still derive the private key in time to steal the funds before confirmation.
Legacy and dormant coins are unaffected. BIP-360 only creates a new address type. All existing UTXOs — including the ~1.7 million BTC in old P2PK scripts, reused addresses, and early P2TR outputs — remain exactly as vulnerable as they are today. The only way to protect those coins is for their owners to manually spend them to new P2MR (or future post-quantum) addresses.
BIP-360 significantly reduces at-rest risk for future coins and new users, but it does not retroactively fix the large pool of already-exposed legacy coins, nor does it eliminate the real-time on-spend threat. It’s widely viewed as a valuable “quick win” and a stepping stone toward fuller post-quantum security.
The next subsection examines the more comprehensive, long-term solution being developed by Blockstream Research.
9.2 Full Post-Quantum Solution: Blockstream Research’s December 2025 Paper and SHRINCS Hash-Based Signatures
While intermediate measures like BIP-360 can provide meaningful near-term protection for new addresses, the only complete, long-term solution to Bitcoin’s quantum vulnerability is to replace the current elliptic curve signatures (ECDSA and Schnorr) with quantum-resistant alternatives. The most advanced and Bitcoin-specific proposal currently under active development is SHRINCS, introduced in a December 5, 2025 paper by Mikhail Kudinov and Jonas Nick of Blockstream Research [13].
SHRINCS is an optimized, hash-based post-quantum signature scheme derived from the NIST-standardized SPHINCS+ algorithm. Unlike elliptic curve cryptography, which relies on the hardness of the discrete logarithm problem, hash-based signatures rely only on the security of cryptographic hash functions (the same primitives already used extensively in Bitcoin for Proof-of-Work and address hashing). Because no efficient quantum algorithm is known to break hash functions beyond a quadratic speedup from Grover’s algorithm (which is largely negated by error correction), hash-based signatures are considered fully quantum-resistant.
The Blockstream team specifically tuned SHRINCS for Bitcoin’s constraints:
Signature sizes are reduced to approximately 3–4 KB (significantly smaller than the standard SPHINCS+ implementation).
It supports hierarchical deterministic (HD) wallets, multi-signature schemes, and threshold signatures.
It’s designed to work cleanly within Taproot’s script tree structure, allowing it to be introduced via a soft fork with minimal disruption.
Once implemented on Bitcoin mainnet, SHRINCS would eliminate the ECDLP vulnerability entirely. Any coins moved to addresses using SHRINCS signatures would be protected from both at-rest and on-spend quantum attacks, regardless of how powerful future quantum computers become.
9.2.1 Progress on Liquid Sidechain (March 2026 Live Testing)
Blockstream has not waited for mainnet activation to begin real-world testing. In March 2026 — only three months after the original paper — the team successfully deployed and broadcast the first live post-quantum signed transactions on the Liquid Network, Bitcoin’s production sidechain. These transactions used SHRINCS signatures combined with Simplicity (Blockstream’s new smart contract language) and are protecting real assets on a live, functioning blockchain.
This test is highly significant for several reasons:
It demonstrates that SHRINCS is not just theoretical — it works in a production environment with real economic value.
Liquid serves as a realistic testing ground that closely mirrors Bitcoin’s consensus rules and transaction format.
The successful deployment provides practical data on performance, signature sizes, and wallet integration that will inform the eventual mainnet proposal.
A newer, more compact variant called SHRIMPS (with signatures around 2.5 KB and improved support for multiple devices sharing the same seed) was proposed shortly afterward [14]. The rapid appearance of SHRIMPS, along with the live SHRINCS deployment on Liquid, shows strong momentum and active development within the Bitcoin community toward practical post-quantum signatures.
The Liquid implementation has already shown that SHRINCS can be integrated without breaking existing functionality and that the larger signature sizes are manageable within Liquid’s higher block limits. This progress has given the Bitcoin developer community confidence that a full post-quantum signature upgrade is technically feasible.
Blockstream’s SHRINCS proposal, combined with its rapid move from paper to live testing on Liquid, represents the most mature and Bitcoin-native path to full quantum resistance. Once activated on mainnet via a soft fork, it would provide comprehensive protection against both at-rest and on-spend attacks for any coins that migrate to the new signature scheme. However, as discussed in the next subsection, even this powerful solution has important limitations when it comes to legacy and dormant coins.
9.2.2 Why This Would Eliminate Both At-Rest and On-Spend Attacks
The reason Blockstream’s SHRINCS proposal would provide complete, long-term protection against quantum attacks is both simple and powerful: it removes the exact mathematical problem that Shor’s algorithm exploits.
Current Bitcoin signatures (ECDSA and Schnorr) are built on the secp256k1 elliptic curve. Their security depends entirely on the hardness of the elliptic curve discrete logarithm problem (ECDLP). Shor’s algorithm is specifically designed to solve the ECDLP efficiently on a quantum computer, allowing an attacker to derive the private key from any public key. This is the root cause of both at-rest attacks (on already-exposed keys) and on-spend attacks (on keys revealed in the mempool).
SHRINCS is a hash-based post-quantum signature scheme. It does not use elliptic curves or any discrete logarithm problem at all. Its security rests solely on the collision resistance and pre-image resistance of cryptographic hash functions — the same kind of hashes Bitcoin already uses extensively for Proof-of-Work and address generation. No known quantum algorithm, including Shor’s algorithm, can break a well-designed hash-based signature scheme in any practical way. The only relevant quantum algorithm is Grover’s, which offers only a quadratic (square-root) speedup for searching hash pre-images. When combined with the massive overhead of quantum error correction, this speedup becomes negligible and does not allow realistic key recovery or forgery [13].
Because the underlying hard problem (ECDLP) is completely eliminated, both major quantum attack vectors on Bitcoin are neutralized for any coins that use SHRINCS signatures:
At-rest attacks become impossible. There is no public key that a quantum computer can feed into Shor’s algorithm. The public key in a hash-based scheme does not reveal information that allows private key recovery via discrete logarithms. Even if the public key is fully visible on the blockchain for years, a quantum computer still cannot derive the private key.
On-spend attacks are also eliminated for the same reason. Even if a transaction is broadcast and the signature is visible in the public mempool, a quantum attacker cannot derive the private key quickly enough (or at all) to forge a competing transaction before confirmation. The nine-minute attack window that makes on-spend attacks feasible under Google’s fast-clock estimates simply disappears.
Once a soft fork activates support for SHRINCS and users migrate their coins to new quantum-safe addresses, those funds would be protected against both at-rest and on-spend quantum attacks, no matter how powerful future quantum computers become. The protection is permanent and does not rely on keeping public keys hidden — the cryptography itself is quantum-resistant by design.
This is why SHRINCS is considered the full, long-term solution for Bitcoin. It does not merely reduce risk; it removes the root cryptographic vulnerability that makes quantum attacks possible in the first place. The successful live testing of SHRINCS on the Liquid sidechain in March 2026 has already shown that the scheme works in a real production-like environment, giving the community confidence that a mainnet rollout is technically achievable.
However, as the next subsection explains, even this powerful upgrade has important limitations when it comes to legacy and dormant coins.
9.2.3 Limitations for Legacy and Dormant Coins
Although BIP-360 and SHRINCS represent major steps forward in quantum resistance, both solutions share a critical limitation: they cannot automatically protect legacy and dormant coins that already exist on the blockchain today. This is one of the most challenging aspects of Bitcoin’s quantum transition and one that has no simple technical fix.
The core issue is that both upgrades are forward-looking. BIP-360 creates a new, quantum-safer address type (P2MR), and SHRINCS introduces a new quantum-resistant signature scheme. These protections only apply to coins that are deliberately moved into the new scripts or signatures. Any UTXOs that remain in their original vulnerable scripts — especially the old P2PK outputs from 2009–2010 — stay exactly as exposed as they are today. Neither upgrade can retroactively rewrite or secure coins that have already been locked using quantum-vulnerable cryptography.
Satoshi’s coins and other early P2PK outputs illustrate this problem most clearly. These coins, which total over 1.7 million BTC (and up to 2.3 million BTC when including all vulnerable dormant scripts), were created using Pay-to-Public-Key (P2PK) scripts. In P2PK, the full public key is recorded directly on the blockchain the moment the coins are mined. Because these coins have never been spent, their public keys have been openly visible for 16+ years. Even after SHRINCS is activated on mainnet, these coins will remain fully vulnerable to at-rest quantum attacks. A quantum computer can simply read the exposed public key from any old block and derive the private key at any time [1].
For coins that are still spendable (i.e., the owner still controls the private key), the only way to gain protection is through manual migration. The owner must actively create a transaction that spends the legacy coins and sends them to a new quantum-safe address (either a P2MR address or, once available, a SHRINCS-based address). This process is straightforward for active users but becomes impossible for truly lost or abandoned coins whose private keys no longer exist.
This creates a difficult situation for the roughly 2.3 million BTC estimated to be dormant and quantum-vulnerable. Many of these coins — including a significant portion of the early Satoshi-era rewards — are believed to have lost keys. No signature upgrade, soft fork, or technical improvement can protect them because there is no living owner who can move them. If a cryptographically relevant quantum computer becomes available, these assets will eventually be stolen by whoever can derive the private keys first. The Google paper notes that this pool of permanently exposed, un-migratable coins represents a fixed, high-value target that cannot be fixed through normal protocol upgrades [1].
Because of this, dealing with truly abandoned legacy coins may ultimately require hard-fork-level changes or policy-level solutions. Possible approaches discussed across Bitcoin research, crypto-economic theory, and adjacent policy discussions include:
A “burn” mechanism that renders these coins permanently unspendable after a certain date.
A hypothetical rate-limiting or time-based restriction system that would allow these coins to be spent only very slowly over time.
A sidechain-based migration or recovery mechanism where coins could be moved under alternative validation rules using off-chain proofs (such as cryptographic proofs of ownership, seed recovery evidence, or other verifiable attestations).
Policy responses from governments, such as treating the assets as abandoned property subject to regulated digital salvage.
None of these options are simple or uncontroversial. They would likely require broad community consensus and could lead to contentious debates or even chain splits. Until such decisions are made, the large pool of legacy and dormant coins remains one of Bitcoin’s most intractable quantum vulnerabilities.
While BIP-360 and SHRINCS can fully protect new coins and actively managed funds, they offer no automatic protection for the millions of BTC locked in old, exposed scripts — particularly the early P2PK coins that have never been spent. This limitation highlights why the quantum transition for Bitcoin is not just a technical challenge but also a social, economic, and potentially policy-level one. The next subsection looks at emergency rescue mechanisms for old dormant coins; Section 9.4 then discusses the practical next steps for bringing these upgrades to Bitcoin mainnet.
9.2.4 Possible Solutions for Old Dormant Coins
Bitcoin developers have begun exploring emergency “rescue” mechanisms that could be activated only in a genuine quantum crisis. The most advanced proposal so far comes from Lightning Labs CTO Olaoluwa Osuntokun. On April 8, 2026, he released a working zk-STARK escape hatch for BIP-32 wallets [15].
In an emergency soft fork that disables the vulnerable “keyspend” path, Osuntokun’s zero-knowledge proof lets the rightful owner prove (without revealing their seed or private keys) that a particular on-chain public key was derived from their BIP-32 seed using the standard rules. The owner can then safely move the coins via the remaining script-path. The proof is post-quantum secure, can be generated in roughly 50 seconds on a modern laptop, and fits inside a normal Bitcoin transaction.
This mechanism works well for modern BIP-32/BIP-86 wallets created from 2012 onward. However, it does not work for the very oldest raw P2PK coins from 2009–early 2011, because those outputs were created before BIP-32 existed and have no derivation path to prove.
Osuntokun himself described the political dimension of any such emergency soft fork as “the giant political elephant in the room.” Any proposal that would effectively freeze unrescuable pre-2012 coins would likely face a steep uphill battle, as it could be seen by many in the community as violating Bitcoin’s core ethos of unfreezable money. For this reason, it might only be regarded as a true last-resort safety net rather than a likely path forward.
Nevertheless, Osuntokun’s proposal has already begun an important conversation about practical rescue mechanisms for old dormant coins. It demonstrates that zero-knowledge or proof-based solutions are technically feasible today, and it opens the door for other, potentially less controversial approaches that could one day cover even the earliest 2009-era outputs. In the meantime, the clear priority among developers remains proactive upgrades (BIP-360 and SHRINCS) so that the number of exposed legacy coins keeps shrinking over time and the need for any emergency intervention never arises.
9.3 Alternative Short-Term Solutions Without Soft Forks
While BIP-360 and SHRINCS represent the primary paths being pursued by the Bitcoin developer community, other researchers are exploring creative ways to achieve quantum safety without any protocol change at all.
One notable recent proposal is QSB (“Quantum-Safe Bitcoin”), introduced on April 9, 2026 by Avihu Mordechai Levy of StarkWare [16]. QSB builds on the earlier Binohash work and replaces its quantum-vulnerable signature-size puzzle with a hash-to-sig puzzle based purely on RIPEMD-160 pre-image resistance. The scheme uses Lamport/HORS signatures inside legacy Bitcoin Script to create cryptographically strong transaction identifiers that remain secure even against Shor’s algorithm.
Because QSB operates entirely within existing consensus rules (legacy pre-SegWit scripts, 201-opcode limit, 10,000-byte script size), it requires no soft fork. Transactions using QSB are valid today, though they are non-standard and must typically be submitted directly to miners.
QSB demonstrates that quantum-safe spending of legacy UTXOs is technically possible right now. However, the author himself describes it as a “last-resort measure.” Practical drawbacks include:
High off-chain GPU cost (roughly $75–$200 per transaction in the recommended configuration).
Significantly more complex transaction generation and user experience.
Limited applicability (bare scripts only; does not support SegWit, Taproot, or Lightning channels).
Larger transaction sizes and non-standard relay behavior.
QSB therefore serves as a useful emergency tool or proof-of-concept, but it is not a scalable, user-friendly replacement for the more comprehensive upgrades offered by BIP-360 and SHRINCS. Its existence nevertheless highlights the ingenuity of the Bitcoin technical community and the variety of approaches being explored in parallel.
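Both the argument in 9.2.2 (a hash-based signature gives Shor’s algorithm no discrete-logarithm problem to solve) and the Lamport/HORS primitive that QSB builds on can be seen in the simplest hash-based scheme, a Lamport one-time signature. The code below is an added illustration for this article, not code from Blockstream, SHRINCS or QSB: it uses SHA-256 (QSB relies on RIPEMD-160 inside Bitcoin Script; SPHINCS+ and SHRINCS use more elaborate many-time constructions), with 256 pairs of random preimages as the secret key and their hashes as the public key. The public key is pure hash output, so recovering the secret key means inverting a hash, which is exactly the Grover-only regime the text describes. The example also measures the two costs that motivate SHRINCS’s optimisation: the raw signature size, and how much of a one-time key leaks when it is reused.

```python
import hashlib
import secrets
from typing import Callable, List, Tuple

N = 256  # one preimage pair per bit of the SHA-256 message digest

SecretKey = List[Tuple[bytes, bytes]]
PublicKey = List[Tuple[bytes, bytes]]


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng: Callable[[int], bytes] = secrets.token_bytes) -> Tuple[SecretKey, PublicKey]:
    """Secret key: 2*N random 32-byte preimages. Public key: their hashes (no curve points anywhere)."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes) -> List[int]:
    """Sign the digest, not the raw message, so every message maps to exactly N bits."""
    d = int.from_bytes(h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk: SecretKey, msg: bytes) -> List[bytes]:
    """For each digest bit, reveal the preimage for that bit's position; the other stays secret."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk: PublicKey, msg: bytes, sig: List[bytes]) -> bool:
    """A verifier only needs to hash each revealed preimage and compare with the published hash."""
    if len(sig) != N:
        return False
    return all(h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, message_bits(msg))))


def signature_size_bytes(sig: List[bytes]) -> int:
    return sum(len(s) for s in sig)


def preimages_exposed_after_reuse(sk: SecretKey, m1: bytes, m2: bytes) -> int:
    """Why 'one-time' matters: count the distinct secret preimages revealed by signing two messages.

    Signing once reveals exactly N of the 2N preimages. Signing a second, different message
    reveals N + (number of digest bits that differ), so an observer of both signatures can
    forge any message whose digest bits all fall in the exposed set. Many-time schemes such
    as SPHINCS+ exist precisely to prevent this kind of reuse.
    """
    exposed = set()
    for m in (m1, m2):
        for i, s in enumerate(sign(sk, m)):
            exposed.add((i, s))
    return len(exposed)


if __name__ == "__main__":
    sk, pk = keygen()
    tx = b"constructed sample transaction bytes"  # stands in for a sighash
    sig = sign(sk, tx)
    print("valid:", verify(pk, tx, sig))
    print("signature bytes:", signature_size_bytes(sig))
    print("preimages exposed after signing two messages:",
          preimages_exposed_after_reuse(sk, tx, b"another message"), "of", 2 * N)
```

A plain Lamport signature is 8 KB and its public key 16 KB, which is why practical schemes shrink it (Winternitz chains, hash-tree public keys, few-time HORS-style leaves) before anything like the 3–4 KB SHRINCS figure is reachable; the reuse counter shows the hazard that the tree structure of SPHINCS+-style schemes is built to manage.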
9.4 Limitations and Next Steps for Bitcoin Core Mainnet Adoption
While BIP-360 and SHRINCS represent promising technical paths toward quantum resistance, both upgrades still face significant practical, social, and consensus-related hurdles before they can be activated on Bitcoin’s mainnet. These limitations reflect Bitcoin’s conservative and decentralized governance model, which prioritizes stability and broad agreement over rapid change.
Both proposals are designed as soft forks, meaning they can be activated without splitting the chain or forcing all users to upgrade immediately. Old nodes would simply treat the new script types and signatures as non-standard but still valid. This is a major advantage compared to hard forks. However, soft-fork activation still requires substantial community consensus, extensive review, and careful testing. Bitcoin’s history shows that even relatively straightforward upgrades (such as SegWit in 2017) can take years of discussion and face opposition from those concerned about increased resource usage or changes to the protocol’s minimalist ethos.
Key limitations include:
Signature size and bandwidth concerns: SHRINCS signatures are larger (approximately 3–4 KB) than current ECDSA or Schnorr signatures. This increases block space usage and could reduce the overall transaction throughput of the network if widely adopted. Some Bitcoin developers worry that larger signatures could make running full nodes more expensive, potentially leading to greater centralization over time.
Adoption inertia: Even after activation, users and businesses must actively migrate their coins to the new quantum-safe addresses and signatures. Many users and services may delay this migration due to cost, complexity, or simple inertia.
Legacy coin problem: As discussed earlier, neither BIP-360 nor SHRINCS can automatically protect the large pool of dormant and exposed legacy coins (especially the ~1.7–2.3 million BTC in old P2PK and long-reused addresses). These coins can only be protected if their owners manually move them — something that is impossible for truly lost keys.
Next steps for mainnet adoption are already underway but will require patience:
Continued testing and refinement: SHRINCS has already been successfully tested with live transactions on the Liquid sidechain in March 2026. Further testing on Bitcoin testnet and signet will be needed to evaluate performance, wallet integration, and edge cases.
Formal BIP progression: Both BIP-360 and the SHRINCS-related BIPs must go through the standard Bitcoin Improvement Proposal review process. This includes public discussion on the Bitcoin developer mailing list, peer review of the code, and consensus-building among developers, miners, and node operators.
Community education and wallet support: Major wallet developers will need to add support for the new address types and signatures. Exchanges and services will also need time to update their infrastructure.
Activation mechanism: Once ready, activation would likely use a miner-activated soft-fork mechanism (similar to Taproot) or a more modern “speedy trial” approach. This requires a clear supermajority of miner signaling and broad node adoption.
The Bitcoin community is generally moving cautiously but constructively. There is growing recognition that quantum resistance is no longer a distant theoretical issue, especially after the March 2026 papers. However, Bitcoin’s culture of conservatism means that any change — even a security improvement — must be thoroughly vetted to avoid unintended consequences.
While the technical solutions exist and are already being tested on sidechains, bringing them to Bitcoin Core mainnet will require time, consensus, and careful coordination. The process is expected to take several years rather than months. In the meantime, users can protect themselves by avoiding address reuse, moving legacy coins when possible, and supporting the ongoing development of these upgrades.
X. Ethereum’s Quantum Risk Profile and Transition Plans
10.1 Why Ethereum Faces a Broader Quantum Attack Surface Than Bitcoin
While Bitcoin faces serious quantum risks, Ethereum has a significantly broader quantum attack surface. The Google Quantum AI whitepaper explicitly notes that Ethereum’s design and ecosystem create a larger and more complex attack surface than Bitcoin’s simpler UTXO model [1]. This broader vulnerability stems from fundamental architectural differences and the sheer scale of economic activity built on top of Ethereum.
Ethereum is not just a digital currency like Bitcoin; it’s a general-purpose programmable blockchain that supports smart contracts, decentralized applications, stablecoins, tokenized real-world assets, and complex financial primitives. These features, while powerful, introduce multiple new ways for quantum computers to cause damage.
10.1.1 Account Model and Persistent Public-Key Exposure
Unlike Bitcoin’s UTXO model, where coins exist as discrete, one-time-use outputs, Ethereum uses an account-based model. Every user has a persistent account identified by an address derived from its public key. The moment an account sends its first transaction, the full public key is revealed on-chain and remains exposed indefinitely. There is no easy way to rotate keys without abandoning the account and losing its history, reputation, and DeFi positions.
This persistent exposure means that once an Ethereum account has been used, its public key is permanently available for quantum at-rest attacks. The Google paper estimates that the top 1,000 Ethereum accounts alone hold approximately 20.5 million ETH that are already vulnerable in this way [1]. In contrast, Bitcoin users can (and are encouraged to) generate fresh addresses for every incoming payment, keeping public keys hidden until spent.
10.1.2 Smart Contracts, Admin Keys, Bridges, Oracles, and Real-World Assets
Ethereum’s smart contract functionality adds another massive layer of risk. Many high-value contracts have administrative or upgrade keys that control critical functions such as minting tokens, pausing protocols, or managing liquidity. These admin keys are rarely rotated and are often quantum-vulnerable.
The paper highlights that smart contracts currently secure roughly 2.5 million ETH plus over $200 billion in stablecoins and tokenized real-world assets (RWAs). Compromising an admin key could allow an attacker to mint fraudulent tokens, drain bridges, manipulate oracles, or seize control of entire protocols [1]. Bridges, oracles, and custodians of tokenized assets represent particularly high-leverage targets — low ETH balance but enormous systemic impact if compromised.
10.1.3 Proof-of-Stake Validators (BLS Signatures) and Data Availability Sampling (KZG)
Ethereum’s Proof-of-Stake consensus relies on BLS signatures for validator attestations and aggregation. These signatures are based on the BLS12-381 elliptic curve, which is also vulnerable to Shor’s algorithm. With approximately 37 million ETH currently staked, a quantum attacker who compromises enough validators could halt finality, reorganize the chain, or even finalize conflicting blocks [1].
Additionally, Ethereum’s Data Availability Sampling (DAS) mechanism uses KZG polynomial commitments. These commitments contain fixed public parameters that are vulnerable to a one-time on-setup attack. A single successful quantum computation could create a permanent classical backdoor, allowing an attacker to forge data availability proofs and stall or manipulate Layer-2 rollups without needing a quantum computer again [1].
10.1.4 Layer-2s, Stablecoins, and Tokenization — Expanded Systemic Risk
The rapid growth of Layer-2 scaling solutions, stablecoins, and real-world asset tokenization has dramatically increased Ethereum’s quantum attack surface. These systems inherit the vulnerabilities of the base layer while adding their own smart-contract and bridge risks. The total value secured (TVS) on Ethereum, including stablecoins and RWAs, is estimated at well over $600 billion, far exceeding Bitcoin’s primarily native-asset ecosystem [1].
A successful quantum attack on Ethereum could therefore trigger cascading failures: stablecoin depegs, bridge drains, oracle manipulation, and widespread loss of confidence in the entire DeFi and tokenization ecosystem. This systemic risk is much broader than Bitcoin’s more contained, native-currency focus.
Ethereum’s account model, smart contract complexity, Proof-of-Stake design, and expanding tokenization economy create a significantly wider and more interconnected set of quantum vulnerabilities than Bitcoin faces. This is why the Google paper describes Ethereum as having a “broader overall quantum attack surface” [1]. The next subsection outlines Ethereum’s proactive response and transition plans.
10.2 Ethereum’s Post-Quantum Transition Roadmap
Unlike Bitcoin’s more decentralized governance model, Ethereum has taken a more coordinated approach to post-quantum security. The Ethereum Foundation has made quantum resistance an active area of research and coordination, establishing a dedicated team and public resources to guide the ecosystem.
Ethereum’s strategy focuses on gradual, backward-compatible upgrades that allow users, wallets, Layer-2s, and applications to adopt quantum-safe mechanisms over time.
10.2.1 Formation of the Post-Quantum Security Team and pq.ethereum.org Hub
In January 2026, the Ethereum Foundation formally established a dedicated Post-Quantum Security Team led by cryptography engineer Thomas Coratger. The team’s mandate is to coordinate research, develop technical proposals, and guide the broader ecosystem through the post-quantum transition [17].
In March 2026, the Foundation launched the official pq.ethereum.org hub. This site serves as the central public resource for the post-quantum roadmap, technical specifications, implementation guides, and progress updates [18]. Its launch coincided with the release of the Google and Oratomic quantum papers, signalling that the Foundation was treating the updated resource estimates with urgency.
10.2.2 Key Technical Upgrades
The current work includes several major workstreams:
EIP-7932 (Secondary Signature Algorithms): This proposal introduces a registry and precompiles that would allow the Ethereum Virtual Machine (EVM) to natively verify post-quantum signature schemes alongside existing ECDSA and BLS signatures.
Account Abstraction (ERC-4337 + EIP-7702): Ethereum’s account model exposes public keys on the first transaction, making key rotation non-trivial in standard externally owned accounts. Enhanced account abstraction aims to enable smart-contract wallets that support seamless migration from vulnerable ECDSA keys to quantum-safe keys without losing account history or DeFi positions.
BLS Replacement on the Consensus Layer: Ethereum’s Proof-of-Stake validators currently rely on BLS signatures. Research is ongoing into quantum-resistant alternatives for these signatures.
Quantum-Safe Data Availability Sampling (DAS): Research is also underway into quantum-resistant commitment schemes to replace the current KZG polynomial commitments used in DAS.
These workstreams are being developed in parallel, allowing different parts of the ecosystem to migrate at their own pace.
10.2.3 Target Timeline
The Ethereum Foundation has indicated a working target of completing major Layer-1 post-quantum upgrades by 2029. The indicative timeline includes:
2026–2027: Research, specification, and testnet deployment of core primitives.
2028: Integration into execution and consensus layers with full testnet validation.
2029: Activation on mainnet through coordinated upgrades.
Ethereum’s more coordinated development process (led by the Foundation and core developers) may provide advantages in planning and executing complex, multi-year upgrades compared with Bitcoin’s more decentralized model. However, success will ultimately depend on widespread adoption by wallets, exchanges, Layer-2 teams, and users.
Ethereum is moving in a coordinated and systematic direction on post-quantum readiness. Its evolving roadmap addresses the broader attack surface created by its account model, smart contracts, and tokenization ecosystem, with a working target of around 2029 for major Layer-1 upgrades and a strong emphasis on user-friendly, low-risk migration.
The next section discusses realistic timelines for reaching cryptographically relevant quantum computers and the broader implications for both Bitcoin and Ethereum.
XI. Timeline, Outlook, and Broader Implications
11.1 Realistic Near-Term Scenarios for Reaching Cryptographically Relevant Qubit Counts
Neither the Google Quantum AI whitepaper nor the Oratomic/Caltech paper provides firm calendar dates for when the qubit counts they describe might be reached. Both papers focus on resource estimates and architectural feasibility rather than specific timelines, noting only that the required scales appear achievable through continued engineering progress on existing platforms.
Public roadmaps from leading labs (Google, IBM, Fujitsu/RIKEN) currently target scaling to thousands of physical qubits and achieving commercially relevant, error-corrected quantum computers by the end of the decade, roughly 2029–2030 [1][9][10]. Most expert assessments place the arrival of the first cryptographically relevant quantum computers (CRQCs) capable of breaking ECC-256 in the late 2020s to mid 2030s [19], though significant uncertainty remains. Continued rapid progress in error correction and modular scaling could bring this timeline forward, while challenges in coherence, fabrication yields, or control electronics could push it later.
It’s important to note that these are not firm predictions. Quantum hardware timelines have historically slipped, sometimes by several years. However, the dramatic algorithmic improvements documented in the 2026 papers have moved the goalposts significantly closer than the 13-million-qubit estimates of 2022. What once looked like a distant theoretical challenge now appears to many experts as a difficult but achievable engineering project within the next decade.
11.2 Policy, Community, and Technical Challenges Ahead
Even with promising technical solutions such as BIP-360 and SHRINCS, Bitcoin’s quantum transition faces significant hurdles across technical, community, and policy domains. These challenges reflect the network’s conservative and decentralized nature, which prioritizes stability and broad consensus over rapid change.
Technically, the larger size of post-quantum signatures (3–4 KB for SHRINCS, versus 64 bytes for a Schnorr signature today and up to about 73 bytes for a DER-encoded ECDSA signature) raises concerns about block space usage, node bandwidth, and full-node operating costs: a transaction whose witness carries a multi-kilobyte signature consumes many times the block weight of a Taproot spend, so fewer such transactions fit in each block. Community consensus is another major obstacle: any meaningful soft fork requires extensive review, testing, and broad agreement among developers, miners, node operators, and users. Bitcoin’s history shows that even relatively straightforward upgrades, such as SegWit in 2017, can take years of discussion.
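To put the block-space concern in numbers, the following is an added example (not code from any Bitcoin project or from the papers discussed) that computes the weight, virtual size and maximum transactions per block for a 1-input, 2-output SegWit transaction under today’s 64-byte Schnorr signature and under a 3,500-byte hash-based signature, chosen as a representative point in the 3–4 KB range quoted above. It assumes one signature per input, carried in the witness so that it receives the 4:1 witness discount, 34-byte Taproot-style output scripts, and the 4,000,000 weight-unit block limit; whether a future P2MR or SHRINCS encoding is laid out exactly this way is an assumption.

```python
"""Added example: weight-unit accounting for a SegWit transaction whose
inputs each carry one signature in the witness.  Assumptions: 34-byte
output scripts, an empty scriptSig per input, the 4,000,000 WU block limit."""
import math

BLOCK_WEIGHT_LIMIT = 4_000_000


def compact_size(n: int) -> int:
    """Serialized length in bytes of Bitcoin's CompactSize varint."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFFFFFF:
        return 5
    return 9


def tx_weight(n_in: int, n_out: int, sig_bytes: int, out_spk_bytes: int = 34) -> int:
    """Weight units: every non-witness byte counts 4, every witness byte counts 1."""
    base = (4                                                       # version
            + compact_size(n_in)
            + n_in * (36 + 1 + 4)                                   # outpoint, empty scriptSig, sequence
            + compact_size(n_out)
            + n_out * (8 + compact_size(out_spk_bytes) + out_spk_bytes)
            + 4)                                                    # locktime
    # marker+flag, then per input: stack item count, item length, signature
    witness = 2 + n_in * (1 + compact_size(sig_bytes) + sig_bytes)
    return 4 * base + witness


def vbytes(weight: int) -> int:
    return math.ceil(weight / 4)


def txs_per_block(weight: int) -> int:
    return BLOCK_WEIGHT_LIMIT // weight


def compare(sig_sizes: dict, n_in: int = 1, n_out: int = 2) -> dict:
    """For each signature scheme: weight, virtual size and max transactions per block."""
    result = {}
    for name, sig in sig_sizes.items():
        w = tx_weight(n_in, n_out, sig)
        result[name] = {"weight": w, "vbytes": vbytes(w), "txs_per_block": txs_per_block(w)}
    return result


# Signature sizes to compare: today's Schnorr vs. a representative 3.5 KB hash-based
# signature (an assumed point in the 3-4 KB range, not a figure from the papers).
SCHEMES = {"schnorr_64": 64, "hash_based_3500": 3500}

if __name__ == "__main__":
    for name, row in compare(SCHEMES).items():
        print(f"{name:18s} {row['weight']:6d} WU  {row['vbytes']:5d} vB  "
              f"{row['txs_per_block']:5d} txs/block")
```

The Schnorr case reproduces the familiar 154 vB figure for a single-input Taproot spend; the 3.5 KB signature pushes the same transaction to just over 1,000 vB and cuts the number of such transactions that fit in a block by a factor of roughly 6.5. Without the witness discount the gap would be four times larger again, which is why where the signature is placed in the serialization matters as much as its raw size.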
The most difficult issue remains the large pool of legacy and dormant coins (roughly 1.7–2.3 million BTC in old P2PK outputs and long-reused addresses [1]). A new signature scheme cannot retroactively protect an output whose public key is already on-chain, so any comprehensive solution eventually confronts options such as burn mechanisms for unmigrated coins, rate-limiting of spends from exposed outputs, sidechain-based recovery, or regulated digital salvage. Each of these collides with Bitcoin’s core ethos of immutability and unfreezable money and would spark intense debate.
While the technical tools exist and are already being tested, successfully bringing them to Bitcoin mainnet will demand patience, coordination, and careful navigation of both technical and social realities. The coming years will test whether the Bitcoin community can balance its commitment to minimalism and decentralization with the urgent need to protect the network from a rapidly advancing quantum threat.
11.3 Recommendations for Bitcoin Users, Developers, and Policymakers
The March 2026 papers have made one thing clear: quantum computing is a security risk that may materialize sooner than previously assumed, and the Bitcoin ecosystem must prepare for it proactively. While full post-quantum upgrades will take time, concrete actions can be taken today by users, developers, and the broader community to reduce risk and strengthen the network’s resilience.
For Bitcoin Users
The single most effective step an individual can take right now is to stop reusing addresses. Always generate a fresh receive address for every incoming payment, which is the default behavior in modern wallets. For hash-based output types (P2PKH, P2SH, P2WPKH, P2WSH) the public key appears on-chain only when the output is spent, so an unspent, never-reused address exposes nothing but a hash and is not a target for an at-rest attack. Note that this does not help for P2TR (Taproot) outputs: the tweaked public key is the output script itself, so it is exposed from the moment funds arrive, which is exactly why BIP-360 removes the key-path spend.
Users who hold coins in old or reused addresses (P2PK outputs, any P2TR output, or any address that has already been spent from) should plan to move those funds to P2MR addresses once BIP-360 is activated, and later to SHRINCS-based addresses when those become available. In the meantime, sweeping exposed coins to a fresh, never-reused hashed address such as P2WPKH removes their at-rest exposure; the sweep itself publishes the old key, so the old address must never receive funds again. Hardware wallets remain the safest way to hold keys, since they keep private keys offline, but they offer no defense against a quantum attacker who derives the private key from an exposed public key; the address hygiene above is what limits that exposure.
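The advice above reduces to a question a wallet can answer mechanically: for each unspent output, is the public key already on-chain? The following is an added example (not code from the papers or from any wallet project) that walks a transaction history, recognizes the standard output script templates, and classifies every unspent output as exposed at rest (P2PK, bare multisig, P2TR, where the key is in the script), exposed by reuse (a hashed type whose address has already been spent from), or hidden. The history, txids and key bytes are constructed for the example; it assumes the history is in topological order and does not recognize a P2MR script, which it reports as unknown.

```python
"""Added example: flag quantum-exposed unspent outputs in a wallet history.
The sample history below is constructed (short fake txids, dummy key bytes)
and is assumed to be topologically ordered: each input refers to an output
that appeared earlier in the list."""
from typing import Dict, List, Set, Tuple

# Script types whose scriptPubKey contains the public key itself, versus types
# that commit only to a hash that is revealed in the scriptSig/witness on spend.
EXPOSED_AT_REST = {"p2pk", "p2ms", "p2tr"}
HASHED_UNTIL_SPENT = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def classify_script(spk: bytes) -> str:
    """Recognise standard scriptPubKey templates by their byte pattern."""
    if len(spk) in (35, 67) and spk[0] in (33, 65) and spk[-1] == 0xAC:
        return "p2pk"      # <pubkey> OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"      # OP_HASH160 <20> OP_EQUAL
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # OP_0 <20-byte key hash>
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"     # OP_0 <32-byte script hash>
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # OP_1 <32-byte x-only output key>: key is the script
    if spk and spk[-1] == 0xAE:
        return "p2ms"      # bare multisig: keys listed in the script
    return "unknown"       # includes any future P2MR encoding (assumption)


def exposure(script_type: str, ever_spent_from: bool) -> str:
    if script_type in EXPOSED_AT_REST:
        return "exposed_at_rest"
    if script_type in HASHED_UNTIL_SPENT:
        return "exposed_by_reuse" if ever_spent_from else "hidden"
    return "unknown"


def audit(history: List[dict]) -> List[Tuple[str, str, int, str]]:
    """Return (outpoint, script_type, sats, exposure) for every unspent output."""
    outputs: Dict[str, Tuple[str, int]] = {}   # outpoint -> (spk_hex, sats)
    spent: Set[str] = set()
    spent_from: Set[str] = set()               # scripts whose key was revealed by a spend
    for tx in history:
        for prev_txid, vout in tx["vin"]:
            outpoint = f"{prev_txid}:{vout}"
            spent.add(outpoint)
            spent_from.add(outputs[outpoint][0])
        for i, (spk_hex, sats) in enumerate(tx["vout"]):
            outputs[f"{tx['txid']}:{i}"] = (spk_hex, sats)
    report = []
    for outpoint, (spk_hex, sats) in outputs.items():
        if outpoint not in spent:
            kind = classify_script(bytes.fromhex(spk_hex))
            report.append((outpoint, kind, sats, exposure(kind, spk_hex in spent_from)))
    return report


def sats_by_exposure(report: List[Tuple[str, str, int, str]]) -> Dict[str, int]:
    totals: Dict[str, int] = {}
    for _, _, sats, status in report:
        totals[status] = totals.get(status, 0) + sats
    return totals


# Constructed sample scripts; the key material is filler bytes, not real keys.
P2PK_D = "21" + "02" + "44" * 32 + "ac"
P2PKH_A = "76a914" + "11" * 20 + "88ac"
P2WPKH_B = "0014" + "22" * 20
P2TR_C = "5120" + "33" * 32

SAMPLE_HISTORY = [
    {"txid": "t1", "vin": [], "vout": [(P2PK_D, 50_000_000), (P2PKH_A, 100_000),
                                       (P2WPKH_B, 200_000), (P2TR_C, 300_000)]},
    # Address A is spent from and then receives again: its key is now public.
    # Address B receives twice but has never been spent from: still hidden.
    {"txid": "t2", "vin": [("t1", 1)], "vout": [(P2PKH_A, 40_000), (P2WPKH_B, 50_000)]},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_HISTORY):
        print("%-5s %-7s %12d sats  %s" % row)
    print(sats_by_exposure(audit(SAMPLE_HISTORY)))
```

The report shows why the two pieces of advice differ in strength: receiving twice at a hashed address (B) is a privacy problem but not a quantum one until the first spend, whereas spending from A and then reusing it, or receiving on any P2TR output, puts the key on-chain permanently. A wallet could run the same check before displaying a receive address or when choosing which coins to sweep first.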
For Bitcoin Developers and Core Contributors
Developers should accelerate the review, testing, and activation process for BIP-360 (P2MR) as a near-term soft fork. At the same time, work on SHRINCS and related hash-based signature BIPs should continue, with a focus on efficient integration and broad wallet support. Clear documentation, user-friendly migration tools, and open-source reference implementations will be essential to drive adoption.
For Policymakers and Regulators
Governments and regulators should recognize that quantum computing introduces unique challenges for decentralized digital assets. Future policy discussions may draw analogies to abandoned-property frameworks for truly lost cryptographic assets (such as many early P2PK coins). At the same time, policymakers must respect Bitcoin’s decentralized nature and avoid heavy-handed interventions that could undermine the network’s censorship resistance. International cooperation will be important, as quantum threats do not respect national borders.
Collective Responsibility
The quantum threat to Bitcoin cannot be solved by any single group alone. Users must adopt better hygiene today, developers must deliver robust technical upgrades, and the broader community must engage thoughtfully with the difficult trade-offs that may arise. The March 2026 papers have created a potential window for proactive migration. Acting prudently now, while the required hardware is still years away, is the best way to ensure Bitcoin remains secure in a post-quantum world.
XII. Conclusion
12.1 The Shift from “Distant Theoretical Threat” to “Near-Term Engineering Challenge”
The two papers published on March 30, 2026, mark a genuine turning point. For years, breaking Bitcoin’s 256-bit elliptic curve cryptography was thought to require an almost impossibly large quantum computer — on the order of 13 million physical qubits. The new estimates from Google Quantum AI (<500,000 physical qubits) and Oratomic/Caltech (~26,000 physical qubits) represent a dramatic reduction, showing that the hardware needed for cryptographically relevant attacks is now within reach of continued engineering progress on existing platforms.
What was once viewed as a distant theoretical risk has become a near-term engineering challenge. Fast-clock superconducting systems could enable real-time on-spend attacks, while slower neutral-atom machines could target the large pool of already-exposed legacy coins. Although significant engineering work remains and timelines are still uncertain, the algorithmic and architectural advances documented in the 2026 papers have moved the goalposts substantially closer.
12.2 The Urgency of Migration to Post-Quantum Cryptography for Bitcoin and Ethereum
Both Bitcoin and Ethereum now face a clear window for proactive migration. For Bitcoin, the priority is to accelerate BIP-360 and SHRINCS so that new coins and actively managed funds can be protected before any cryptographically relevant quantum computer appears. For Ethereum, the more coordinated development process has already produced a dedicated Post-Quantum Security Team and a public roadmap targeting major Layer-1 upgrades by 2029.
The quantum threat does not have to become a quantum crisis. With timely action from users, developers, and the broader community, both networks can successfully transition to post-quantum cryptography and maintain their role as secure, decentralized financial infrastructure. The technical tools exist. The remaining question is whether the communities will move quickly enough to implement them.
Acting prudently now — while the required hardware is still years away — is the best way to ensure Bitcoin and Ethereum remain trustworthy in a post-quantum world.
References
[1] Babbush, R., Zalcman, A., Gidney, C., Broughton, M., Khattar, T., Neven, H., Bergamaschi, T., Drake, J., & Boneh, D. (2026). Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations. Google Quantum AI Whitepaper, March 30, 2026. https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf
[2] Cain, M., Xu, Q., King, R., Picard, L. R. B., Levine, H., Endres, M., Preskill, J., Huang, H.-Y., & Bluvstein, D. (2026). Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits. Oratomic & California Institute of Technology, arXiv:2603.28627, March 30, 2026.
[3] Shor, P. W. (1994). Algorithms for quantum computation: Discrete logarithms and factoring. Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 124–134.
[4] Webber, M., et al. (2022). The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime. AVS Quantum Science, 4(1), 013501. https://doi.org/10.1116/5.0073075
[5] Gidney, C., & Ekerå, M. (2021). How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits. Quantum, 5, 433. https://doi.org/10.22331/q-2021-04-15-433
[6] Manetsch, H. J., Nomura, G., Bataille, E., Leung, K. H., Lv, X., & Endres, M. (2025). A tweezer array with 6100 highly coherent atomic qubits. Nature, 647, 60–67. https://doi.org/10.1038/s41586-025-09641-4
[7] IBM Quantum. (2026). IBM Quantum Heron Processor Family. Official IBM Quantum Hardware Documentation. https://www.ibm.com/quantum/hardware
[8] IBM. (2026). IBM Announces Nighthawk and the Latest Heron Processors Now Available. IBM Quantum Cloud Announcement, January 13, 2026. https://quantum.cloud.ibm.com/announcements/product-updates/2026-01-05-nighthawk
[9] IBM Quantum. (2026). IBM Quantum Development Roadmap 2026. Official IBM Quantum Roadmap. https://www.ibm.com/roadmaps/quantum/
[10] Fujitsu & RIKEN. (2025). Fujitsu and RIKEN Develop 256-Qubit Superconducting Quantum Processor Toward 1,000-Qubit Goal by End of 2026. Official Joint Announcement, December 2025. https://info.archives.global.fujitsu/global/about/resources/news/press-releases/2025/0422-01.html
[11] Palmer, T. (2026). Rational quantum mechanics: Testing quantum theory with quantum computers. Proceedings of the National Academy of Sciences, 123(12). https://www.pnas.org/doi/10.1073/pnas.2523350123 (March 16, 2026).
[12] BIP-360: Pay-to-Merkle-Root (P2MR). Bitcoin Improvement Proposal, Draft status, February 2026. https://bips.dev/360/
[13] Kudinov, M., & Nick, J. (2025). Hash-based Signature Schemes for Bitcoin. Blockstream Research Technical Report, December 5, 2025. https://eprint.iacr.org/2025/2203.pdf?ref=blog.blockstream.com
[14] Blockstream Research. (2026). SHRIMPS: 2.5 KB post-quantum signatures across multiple stateful devices. Delving Bitcoin Forum, March 27, 2026. https://delvingbitcoin.org/t/shrimps-2-5-kb-post-quantum-signatures-across-multiple-stateful-devices/2355
[15] Osuntokun, O. (2026). Post Quantum Bitcoin: Concepts of a Plan — A zk-STARK Escape Hatch for BIP-32 Wallets. Bitcoin Development Mailing List, April 8, 2026. https://groups.google.com/g/bitcoindev/c/Q06piCEJhkI. Proof-of-concept repository: https://github.com/Roasbeef/bip32-pq-zkp/tree/main
[16] Levy, A. M. (2026). Quantum-Safe Bitcoin Transactions Without Softforks. StarkWare, April 9, 2026. https://github.com/avihu28/Quantum-Safe-Bitcoin-Transactions/blob/main/paper/QSB.pdf
[17] Drake, J. (2026). Post-Quantum (PQ) Team Announcement. Ethereum Foundation, January 23–26, 2026. https://x.com/drakefjustin/status/2014791629408784816
[18] Ethereum Foundation Post-Quantum Security Team. (2026). Ethereum Post-Quantum Roadmap. pq.ethereum.org, launched March 2026. Official documentation and technical specifications.
[19] Global Risk Institute (2026). Quantum Threat Timeline Report 2025. https://globalriskinstitute.org/publication/quantum-threat-timeline-report-2025b/
Quantum Breakthroughs in 2026: Implications for Bitcoin Security and the Ethereum Ecosystem was originally published in Coinmonks on Medium.
