
{"id":149672,"date":"2026-04-13T07:56:54","date_gmt":"2026-04-13T07:56:54","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=149672"},"modified":"2026-04-13T07:56:54","modified_gmt":"2026-04-13T07:56:54","slug":"quantum-breakthroughs-in-2026-implications-for-bitcoin-security-and-the-ethereum-ecosystem","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=149672","title":{"rendered":"Quantum Breakthroughs in 2026: Implications for Bitcoin Security and the Ethereum Ecosystem"},"content":{"rendered":"<h3>Abstract<\/h3>\n<p>On March 30, 2026, two landmark papers\u200a\u2014\u200aone from Google Quantum AI and one from Oratomic\/Caltech\u200a\u2014\u200adramatically lowered the estimated resources needed to break Bitcoin\u2019s 256-bit elliptic curve cryptography. Google showed that a fast superconducting machine with fewer than 500,000 physical qubits could crack a key in roughly nine minutes, enabling real-time \u201con-spend\u201d attacks. Oratomic demonstrated that a much smaller neutral-atom system (~26,000 qubits) could achieve the same break in about ten days, making \u201cat-rest\u201d attacks on already-exposed keys far more feasible.<\/p>\n<p>These breakthroughs have moved the quantum threat from a distant theoretical concern to a near-term engineering challenge. Bitcoin\u2019s design leaves it uniquely exposed: a large pool of dormant coins (roughly 1.7\u20132.3 million BTC) have public keys permanently visible on-chain, and there is no built-in recourse once funds are\u00a0stolen.<\/p>\n<p>This article provides a clear, balanced examination of the new science, the specific attack vectors (at-rest, on-spend, and on-setup), Bitcoin\u2019s current mitigations (BIP-360 and SHRINCS), Ethereum\u2019s broader risk profile and faster roadmap, and the realistic timelines and policy challenges ahead. 
It also explores skeptical perspectives, such as Tim Palmer\u2019s Rational Quantum Mechanics hypothesis, and practical recommendations for users, developers, and policymakers.<\/p>\n<p>The central message is optimistic yet urgent: the technical tools to protect Bitcoin already exist or are well under development. With timely, prudent action, the network can successfully migrate to post-quantum cryptography before any cryptographically relevant quantum computer appears. The window of opportunity is open\u200a\u2014\u200abut it might not stay open\u00a0forever.<\/p>\n<h4>Table of\u00a0Contents<\/h4>\n<p><strong>I. Introduction<\/strong><br \/>1.1 The Wake-Up Calls of March 30, 2026: Simultaneous Release of Google and Oratomic Papers<br \/>1.2 Why Bitcoin Is Uniquely Exposed Compared to Traditional Finance<br \/>1.3 Purpose, Scope, and Structure of This\u00a0Article<\/p>\n<p><strong>II. Quantum Computing Fundamentals and the Cryptographic Threat<\/strong><br \/>2.1 Shor\u2019s Algorithm and the Elliptic Curve Discrete Logarithm Problem (ECDLP)<br \/>2.2 Logical Qubits vs. Physical Qubits: The Critical Role of Error-Correction Overhead<br \/>2.3 Fast-Clock (Superconducting) vs. Slow-Clock (Neutral-Atom) Quantum Architectures<\/p>\n<p><strong>III. Evolution of Resource Estimates for Breaking ECC-256<br \/><\/strong>3.1 The 2022 Baseline: Webber et al. and the 13 Million Physical Qubit Estimate<br \/>3.2 Earlier Benchmarks (Gidney &amp; Eker\u00e5 2021 and Other Pre-2026 Estimates)<br \/>3.3 Why Resource Requirements Have Fallen Dramatically in Just Four\u00a0Years<\/p>\n<p><strong>IV. 
The March 2026 Breakthrough Papers<br \/><\/strong>4.1 Google Quantum AI Whitepaper: &lt;500,000 Physical Qubits on Fast-Clock Superconducting Hardware<br \/> 4.1.1 Key Claims and Attack Timelines (9 Minutes per Key)<br \/> 4.1.2 Implications for On-Spend and At-Rest Attacks<br \/>4.2 Oratomic\/Caltech Paper: ~26,000 Physical Qubits on Slow-Clock Neutral-Atom Hardware<br \/> 4.2.1 Key Claims and Attack Timelines (10 Days per Key)<br \/> 4.2.2 Current Hardware Milestone: 6,100-Atom Trapping Array (September 2025)<br \/>4.3 Direct Comparison: Google (Fast-Clock, 500k Qubits) vs. Oratomic (Slow-Clock, 26k\u00a0Qubits)<\/p>\n<p><strong>V. Current State of Quantum Hardware Development<br \/><\/strong>5.1 Superconducting Fast-Clock Platforms (Google, IBM, Fujitsu\/RIKEN)<br \/> 5.1.1 Demonstrated Qubit Counts (~105\u2013256 Physical Qubits as of March 2026)<br \/>5.2 Neutral-Atom Slow-Clock Platforms (Oratomic\/Caltech)<br \/> 5.2.1 The Gap Between Trapping Arrays and a Full Quantum Processor<br \/>5.3 No Firm Timelines Yet: What Both Teams Have (and Have Not) Stated\u00a0Publicly<\/p>\n<p><strong>VI. Skeptical Perspectives and Alternative Theories<\/strong><\/p>\n<p><strong>VII. Quantum Attack Types on Bitcoin<br \/><\/strong>7.1 At-Rest Attacks: Targeting Exposed or Reused Public Keys<br \/>7.2 On-Spend Attacks: Real-Time Theft from the Public Mempool<br \/>7.3 On-Setup Attacks: Why Bitcoin Is\u00a0Immune<\/p>\n<p><strong>VIII. Specific Impacts on Bitcoin and the Broader Crypto Ecosystem<br \/><\/strong>8.1 Vulnerable Bitcoin Script Types and Dormant Assets (~2.3 Million BTC at Risk)<br \/>8.2 Address Reuse vs. Fresh Addresses: Current Real-World Protections<br \/>8.3 On-Spend Risks to Active Transactions<br \/>8.4 Second-Order Effects on Mining, Consensus, and Ecosystem Confidence<\/p>\n<p><strong>IX. 
Bitcoin\u2019s Current and Proposed Mitigations<br \/><\/strong>9.1 Intermediate Fixes: BIP-360 (Pay-to-Merkle-Root \/ P2MR)<br \/> 9.1.1 What It Solves (At-Rest Protection for New Addresses)<br \/> 9.1.2 What It Does Not Solve (On-Spend and Legacy Coins)<br \/>9.2 Full Post-Quantum Solution: Blockstream Research\u2019s December 2025 Paper and SHRINCS Hash-Based Signatures<br \/> 9.2.1 Progress on Liquid Sidechain (March 2026 Live Testing)<br \/> 9.2.2 Why This Would Eliminate Both At-Rest and On-Spend Attacks<br \/> 9.2.3 Limitations for Legacy and Dormant Coins<br \/> 9.2.4 Possible Solutions for Old Dormant Coins<br \/>9.3 Alternative Short-Term Solutions Without Soft Forks<br \/>9.4 Limitations and Next Steps for Bitcoin Core Mainnet\u00a0Adoption<\/p>\n<p><strong>X. Ethereum\u2019s Quantum Risk Profile and Transition Plans<br \/><\/strong>10.1 Why Ethereum Faces a Broader Quantum Attack Surface Than Bitcoin<br \/> 10.1.1 Account Model and Persistent Public-Key Exposure<br \/> 10.1.2 Smart Contracts, Admin Keys, Bridges, Oracles, and Real-World Assets<br \/> 10.1.3 Proof-of-Stake Validators (BLS Signatures) and Data Availability Sampling (KZG)<br \/> 10.1.4 Layer-2s, Stablecoins, and Tokenization\u200a\u2014\u200aExpanded Systemic Risk<br \/>10.2 Ethereum\u2019s Post-Quantum Transition Roadmap<br \/> 10.2.1 Formation of the Post-Quantum Security Team and pq.ethereum.org Hub<br \/> 10.2.2 Key Technical Upgrades<br \/> 10.2.3 Target\u00a0Timeline<\/p>\n<p><strong>XI. Timeline, Outlook, and Broader Implications<br \/><\/strong>11.1 Realistic Near-Term Scenarios for Reaching Cryptographically Relevant Qubit Counts<br \/>11.2 Policy, Community, and Technical Challenges Ahead<br \/>11.3 Recommendations for Bitcoin Users, Developers, and Policymakers<\/p>\n<p><strong>XII. 
Conclusion<br \/><\/strong>12.1 The Shift from \u201cDistant Theoretical Threat\u201d to \u201cNear-Term Engineering Challenge\u201d<br \/>12.2 The Urgency of Migration to Post-Quantum Cryptography for Bitcoin and\u00a0Ethereum<\/p>\n<h3>I. Introduction<\/h3>\n<h4>1.1 The Wake-Up Calls of March 30, 2026: Simultaneous Release of Google and Oratomic\u00a0Papers<\/h4>\n<p>On March 30, 2026, two major scientific papers were published on the same day, each delivering a significant and complementary message to the cryptocurrency community. Together, they represent some of the most important updates in quantum computing resource estimates in recent years and have been widely described as a \u201cwake-up call\u201d for Bitcoin and the broader crypto ecosystem.<\/p>\n<p>The first paper, from Google Quantum AI, is titled \u201c<em>Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations\u201d<\/em> [1]. It shows that an optimized version of Shor\u2019s algorithm for breaking 256-bit elliptic curve cryptography (ECC-256)\u200a\u2014\u200athe secp256k1 curve used by both Bitcoin and Ethereum\u200a\u2014\u200acan now be executed on a superconducting quantum computer with fewer than 500,000 physical qubits. Under realistic assumptions, the attack could complete in roughly nine minutes per key. Bitcoin\u2019s average block time is about ten minutes, so this speed is in the range where real-time \u201con-spend\u201d attacks become possible: the attacker derives the private key from a public key revealed by a transaction still sitting in the public mempool and broadcasts a competing spend. Block intervals vary widely around that average, so a nine-minute attack does not always beat the next block; but a transaction that waits in the mempool for several blocks, for example because it pays a low fee, is exposed for far longer than nine\u00a0minutes.<\/p>\n<p>The second paper, from the newly launched startup Oratomic and researchers at Caltech, is titled <em>\u201cShor\u2019s algorithm is possible with as few as 10,000 reconfigurable atomic qubits\u201d<\/em> [2]. It demonstrates that the same ECC-256 break could be achieved with a much smaller machine\u200a\u2014\u200aaround 26,000 physical qubits\u200a\u2014\u200ausing neutral-atom hardware. 
However, because neutral-atom systems operate on a slower \u201cclock,\u201d the attack would take approximately ten days. This makes the machine highly effective for \u201cat-rest\u201d attacks on already-exposed public keys, but too slow for on-spend\u00a0attacks.<\/p>\n<p>Both papers represent dramatic reductions compared to earlier estimates. Just four years earlier, in 2022, Webber et al. had calculated that breaking ECC-256 in one day would require roughly 13 million physical qubits using conventional surface-code error correction [4]. Taken at face value, Google\u2019s fast-clock figure is a roughly 26-fold reduction in qubit count, and the true improvement is larger still, because Webber\u2019s 13 million qubits bought a one-day attack whereas Google\u2019s figure is for a nine-minute one. Oratomic\u2019s slow-clock design is an even larger leap in compactness, at the price of a ten-day runtime.<\/p>\n<p>These simultaneous publications have prompted renewed scrutiny of Bitcoin\u2019s quantum vulnerability. Unlike traditional financial systems, which have multiple layers of safeguards, recourse, and insurance, Bitcoin offers no built-in recovery mechanism once a private key is compromised. The Google paper highlights the risk of fast, real-time theft from active transactions, while the Oratomic paper shows that even smaller, slower machines could eventually target the large pool of dormant and long-exposed coins (including over 1.7 million BTC locked in old P2PK scripts).<\/p>\n<p>March 30, 2026, marked a turning point. The hardware requirements for breaking Bitcoin\u2019s cryptography have fallen sharply, and two different technological paths\u200a\u2014\u200aone fast and larger, one slow but far more compact\u200a\u2014\u200anow appear feasible within the coming decade. 
This article examines these breakthroughs in detail, their specific implications for Bitcoin, the current mitigation efforts underway, and the broader outlook for the cryptocurrency ecosystem.<\/p>\n<h4>1.2 Why Bitcoin Is Uniquely Exposed Compared to Traditional Finance<\/h4>\n<p>Bitcoin\u2019s design makes it particularly vulnerable to quantum attacks in ways that traditional financial systems are not. At its core, Bitcoin relies almost entirely on 256-bit elliptic curve cryptography (ECC-256) to secure ownership of funds. This cryptography is efficient and has worked well for over a decade, but it is breakable in principle by a sufficiently powerful quantum computer running Shor\u2019s algorithm [1].<\/p>\n<p>In traditional finance, even if an attacker somehow obtained the equivalent of a private key (for example, through a data breach or forgery), the victim usually has multiple layers of protection. Banks can reverse fraudulent transactions, credit card companies offer chargebacks, insurance policies cover losses, and legal systems provide recourse. Centralized institutions can freeze accounts, investigate theft, and often recover at least some of the stolen funds. Bitcoin offers none of these safeguards. Once a valid digital signature is broadcast and confirmed on the blockchain, the transaction is irreversible. There is no central authority to step in, no insurance fund, and no practical way to claw back stolen\u00a0coins.<\/p>\n<p>The public and immutable nature of the Bitcoin blockchain adds another layer of exposure. Every transaction is permanently recorded and visible to anyone. Many early Bitcoin outputs, including a large portion of the roughly 1.7 million BTC locked in old Pay-to-Public-Key (P2PK) scripts from the Satoshi era, have had their public keys fully exposed on-chain since the moment they were mined. Modern hash-based address types (P2PKH, P2WPKH) hide the public key until the first spend, but spending reveals it, so any address that is reused after a spend is exposed from then on; Taproot (P2TR) outputs carry the tweaked public key directly in the output, so they are exposed from the moment they are funded. 
In a world with cryptographically relevant quantum computers, these exposed keys become easy targets for at-rest attacks\u00a0[1].<\/p>\n<p>Furthermore, Bitcoin contains a significant amount of \u201cdormant\u201d or effectively lost coins\u200a\u2014\u200aestimates suggest up to 2.3 million BTC may be vulnerable due to old scripts or long-unused addresses whose owners may no longer control the keys [1]. These coins cannot be automatically upgraded or protected through software updates. Traditional financial assets, by contrast, are usually held in custodial accounts or managed by institutions that can update security protocols centrally. Bitcoin\u2019s decentralized and immutable design, while one of its greatest strengths, also means that legacy vulnerabilities are extremely difficult to fix without broad community consensus\u200a\u2014\u200aand in some cases, potentially controversial hard\u00a0forks.<\/p>\n<p>In short, Bitcoin combines three dangerous characteristics: (1) heavy reliance on quantum-vulnerable cryptography, (2) complete irreversibility of transactions, and (3) a large volume of permanently exposed or dormant funds. This combination makes it uniquely exposed compared to traditional finance, where centralized control and institutional safeguards provide multiple lines of defense. The Google Quantum AI paper explicitly highlights this difference, noting that <em>\u201cblockchains tend to offer no recourse against fraudulent transactions enabling unrecoverable theft with a forgery of a single digital signature\u201d <\/em>[1].<\/p>\n<p>This unique exposure is why the recent reductions in required quantum resources have generated such urgent discussion in the Bitcoin community.<\/p>\n<h4>1.3 Purpose, Scope, and Structure of This\u00a0Article<\/h4>\n<p>The purpose of this article is to provide a clear, balanced, and comprehensive examination of the latest advances in quantum computing and their potential impact on Bitcoin. 
On March 30, 2026, two major papers were released on the same day\u200a\u2014\u200aone from Google Quantum AI and one from Oratomic and Caltech researchers. These developments have moved the quantum threat from a distant theoretical possibility to a near-term engineering challenge that the Bitcoin community must take seriously.<\/p>\n<p>This article aims to translate these highly technical papers into plain, understandable language. It explains exactly what the new resource estimates mean, how quantum computers could attack Bitcoin (both at-rest and on-spend), why Bitcoin is uniquely exposed compared to traditional finance, and what practical steps are already being taken to protect the network. It also addresses skeptical viewpoints\u200a\u2014\u200asuch as Tim Palmer\u2019s recent Rational Quantum Mechanics theory\u200a\u2014\u200aso readers get a fair picture of both the risks and the uncertainties. The goal is not to create panic, but to give Bitcoin users, developers, and policymakers the facts they need to make informed decisions.<\/p>\n<p>The scope of this article is focused primarily on Bitcoin, while also including a dedicated comparison with Ethereum to highlight important differences in quantum risk profiles. It covers the fundamental principles of quantum threats, the historical evolution of resource estimates (including the 2022 Webber et al. paper that estimated 13 million physical qubits), the two breakthrough papers of March 30, 2026, current hardware status, different types of quantum attacks, Bitcoin\u2019s specific vulnerabilities (including dormant assets and Satoshi-era coins), ongoing mitigation efforts such as BIP-360 and Blockstream\u2019s SHRINCS signatures, and broader timelines and policy implications. 
It does not go deeply into other cryptocurrencies or non-crypto applications of quantum computing, and it avoids making firm predictions about exact arrival dates of cryptographically relevant quantum computers, since those remain uncertain and depend on future engineering progress.<\/p>\n<p>The article is structured as follows. Sections II and III provide essential background on quantum computing fundamentals and the historical evolution of resource estimates. Section IV analyzes the two landmark March 2026 papers in detail. Section V reviews the current state of quantum hardware. Section VI explores skeptical perspectives, including Tim Palmer\u2019s Rational Quantum Mechanics framework. Sections VII and VIII examine quantum attack types and Bitcoin\u2019s specific vulnerabilities, and Section IX covers Bitcoin\u2019s current and proposed mitigations. Section X compares Ethereum\u2019s broader risk profile and its post-quantum transition plans. Sections XI and XII discuss realistic timelines, broader implications, and conclusions.<\/p>\n<p>By the end, readers should have a solid, up-to-date understanding of where quantum computing stands today, how it could realistically affect Bitcoin, and what the Bitcoin community is already doing\u200a\u2014\u200aand still needs to do\u200a\u2014\u200ato\u00a0prepare.<\/p>\n<h3>II. Quantum Computing Fundamentals and the Cryptographic Threat<\/h3>\n<h4>2.1 Shor\u2019s Algorithm and the Elliptic Curve Discrete Logarithm Problem\u00a0(ECDLP)<\/h4>\n<p>At the heart of the quantum threat to Bitcoin lies a powerful mathematical algorithm discovered in 1994 by Peter Shor, then at Bell Laboratories. Shor\u2019s algorithm is designed to solve two classically hard problems very efficiently on a quantum computer: integer factorization (the basis of RSA encryption) and the discrete logarithm problem. 
In the context of Bitcoin and Ethereum, the relevant version is the elliptic curve discrete logarithm problem, commonly abbreviated as ECDLP\u00a0[3].<\/p>\n<p>To understand the Elliptic Curve Discrete Logarithm Problem, imagine a mathematical game. You are given two points on an elliptic curve: a starting point <strong><em>G <\/em><\/strong>(a fixed public parameter) and another point<strong><em> Q<\/em><\/strong>. The challenge is to find the secret number <strong><em>k <\/em><\/strong>such that <strong><em>Q=kG<\/em><\/strong>, where <strong><em>kG<\/em><\/strong> denotes scalar multiplication (repeated elliptic curve addition). Computing <strong><em>kG<\/em><\/strong> from <strong><em>k<\/em><\/strong> is cheap (double-and-add takes a few hundred curve operations for a 256-bit scalar), but going the other way is infeasible on a classical computer when the order <strong><em>n<\/em><\/strong> of <strong><em>G<\/em><\/strong> is large: the best generic classical attacks (Pollard\u2019s rho, baby-step giant-step) need on the order of \u221an curve operations, which for secp256k1, whose order is close to 2\u00b2\u2075\u2076, means roughly 2\u00b9\u00b2\u2078 operations. This hardness underpins the security of 256-bit elliptic curve cryptography, including the secp256k1 curve used by Bitcoin for digital signatures and ownership of\u00a0coins.<\/p>\n<p>In Bitcoin, when you create a wallet, you generate a private key (a secret random number) and a corresponding public key. The public key (or, for most address types, a hash of it) is what the address encodes, and the key itself is revealed when you spend coins. The entire security model rests on the assumption that no one can efficiently calculate your private key from your public key. This assumption is what ECDLP protects.<\/p>\n<p>Shor\u2019s algorithm changes everything. It can solve the ECDLP in polynomial time\u200a\u2014\u200ameaning the time required grows relatively slowly as the key size increases\u200a\u2014\u200awhereas the best known classical algorithms require exponential time. In practical terms, a sufficiently powerful quantum computer running Shor\u2019s algorithm could take a publicly visible Bitcoin public key and compute the corresponding private key in a matter of minutes or days, depending on the hardware\u00a0[1].<\/p>\n<p>This is not a theoretical curiosity. 
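<\/p>
<p>The scalar multiplication and the classical square-root attack described above, as an added worked example (not code from the original article or from either paper): the same affine group law as secp256k1 on a toy curve y^2 = x^3 + 7 over F_10007 chosen here for illustration, a wallet-style key pair Q = kG, and baby-step giant-step recovering k from Q alone while counting curve operations. The curve, the prime, the generator search and the toy order are this example's own assumptions; on secp256k1 the order is about 2^256 and the same attack costs about 2^128 operations.<\/p>

```python
# Toy ECDLP (added example): same group law as secp256k1, tiny prime so the
# classical square-root attack can actually be run and its cost counted.
import math
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    p: int  # field prime
    a: int  # coefficient of x in y^2 = x^3 + a*x + b
    b: int  # constant term

    def add(self, P: Point, Q: Point) -> Point:
        # Chord-and-tangent group law in affine coordinates.
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = O; also covers doubling a 2-torsion point
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        # Scalar multiplication k*P by double-and-add: the easy direction.
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self, G: Point) -> int:
        # Smallest n > 0 with n*G = O, by brute force (fine for a toy curve).
        n, R = 1, G
        while R is not None:
            R = self.add(R, G)
            n += 1
        return n

    def find_generator(self, min_order: int) -> Tuple[Point, int]:
        # Lift x to a point via y = rhs^((p+1)/4), valid because p = 3 mod 4,
        # and return the first point whose order is at least min_order.
        assert self.p % 4 == 3
        for x in range(1, self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            y = pow(rhs, (self.p + 1) // 4, self.p)
            if (y * y) % self.p == rhs:
                n = self.order((x, y))
                if n >= min_order:
                    return (x, y), n
        raise ValueError('no suitable generator found')


def bsgs_ecdlp(curve: Curve, G: Point, Q: Point, n: int) -> Tuple[int, int]:
    # Solve Q = k*G for k in [0, n) by baby-step giant-step; returns (k, ops).
    # Cost is about 2*sqrt(n) curve additions: the square-root barrier that
    # makes a 2^256-order group cost about 2^128 operations classically.
    m = math.isqrt(n) + 1
    baby: Dict[Point, int] = {}
    ops = 0
    R: Point = None
    for j in range(m):  # baby steps: remember j*G for j = 0 .. m-1
        baby.setdefault(R, j)
        R = curve.add(R, G)
        ops += 1
    mG = curve.mul(m, G)
    neg_mG = None if mG is None else (mG[0], (-mG[1]) % curve.p)
    R = Q
    for i in range(m):  # giant steps: Q - i*m*G until it hits a baby step
        if R in baby:
            return (i * m + baby[R]) % n, ops
        R = curve.add(R, neg_mG)
        ops += 1
    raise ValueError('Q is not a multiple of G')


def demo(k: Optional[int] = None) -> Dict[str, object]:
    # Make a wallet-style key pair on the toy curve, then recover the private
    # key from the public key alone, which is all an at-rest attacker sees.
    curve = Curve(p=10007, a=0, b=7)  # constructed toy curve, not a real one
    G, n = curve.find_generator(min_order=curve.p // 4)
    if k is None:
        k = secrets.randbelow(n - 1) + 1  # private key
    Q = curve.mul(k, G)  # public key
    recovered, ops = bsgs_ecdlp(curve, G, Q, n)
    return {'order': n, 'private': k, 'public': Q, 'recovered': recovered,
            'ops': ops, 'ops_bound': 2 * math.isqrt(n) + 2}


if __name__ == '__main__':
    print(demo())
```

<p>On the toy group the attack finishes in at most 2\u221an+2 curve additions, which is the point: the cost grows with the square root of the group order, so a group of order 2^256 costs about 2^128 additions and the classical threat model ends there. Shor's algorithm replaces that square-root search with a polynomial-size quantum circuit, which is why the hardness assumption this code relies on does not survive a fault-tolerant quantum computer.<\/p>
<p>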
Bitcoin\u2019s most common cryptographic operations (ECDSA and Schnorr signatures) are built directly on the secp256k1 elliptic curve. If Shor\u2019s algorithm can be run at scale, any public key that has ever been revealed on the blockchain becomes vulnerable. This includes coins locked in old Pay-to-Public-Key (P2PK) scripts (where the public key is visible from the moment the coins were mined) and any address that has been spent from or reused\u00a0[1].<\/p>\n<p>The implications are profound. In traditional public-key cryptography, the security of billions of dollars in assets rests on the ECDLP being hard. Shor\u2019s algorithm shows that quantum computers can, in principle, break this hardness assumption. The only question is when\u200a\u2014\u200aor whether\u200a\u2014\u200ahardware will become powerful enough to run the algorithm at the scale required for real-world attacks on\u00a0Bitcoin.<\/p>\n<p>This subsection has explained the core mathematical threat. The next sections will explore how many qubits are actually needed to make Shor\u2019s algorithm practical, how different quantum hardware architectures affect attack feasibility, and what this means specifically for Bitcoin\u2019s design.<\/p>\n<h4>2.2 Logical Qubits vs. Physical Qubits: The Critical Role of Error-Correction Overhead<\/h4>\n<p>One of the most important\u200a\u2014\u200aand often misunderstood\u200a\u2014\u200aconcepts in quantum computing is the difference between logical qubits and physical\u00a0qubits.<\/p>\n<p><strong><em>A logical qubit<\/em><\/strong> is the ideal, error-free unit that algorithms like Shor\u2019s actually need to run reliably. 
It behaves exactly as quantum mechanics textbooks describe: it can exist in a superposition of states, maintain coherence for long periods, and perform precise operations without mistakes.<\/p>\n<p>A <strong><em>physical qubit<\/em><\/strong> is the real hardware device we can build today\u200a\u2014\u200asuch as a superconducting circuit or a trapped neutral atom. These qubits are extremely fragile and lose their quantum state (a process known as <strong><em>quantum decoherence<\/em><\/strong>) due to tiny disturbances like heat, electromagnetic noise, and material imperfections. Even rare high-energy particles from background radiation\u200a\u2014\u200aincluding cosmic rays or radioactive decay\u200a\u2014\u200acan disrupt qubits by depositing energy in the\u00a0device.<\/p>\n<p>To turn thousands of noisy physical qubits into a smaller number of reliable logical qubits, quantum computers must use <strong><em>quantum error correction. <\/em><\/strong>The most widely studied method today is the surface code. In simple terms, the surface code works by spreading the information of one logical qubit across many physical qubits and continuously performing \u201csyndrome measurements\u201d to detect errors. Corrections are often tracked in software rather than applied physically immediately, allowing the system to compensate for errors during computation.<\/p>\n<p>This error-correction process creates enormous overhead. For every single logical qubit, hundreds or even thousands of physical qubits may be required, depending on the hardware error rate, connectivity, and type of error-correcting code. Concretely, a distance-<em>d<\/em> surface-code patch needs about 2<em>d<\/em>\u00b2 physical qubits (<em>d<\/em>\u00b2 data qubits plus roughly as many measurement qubits), and raising <em>d<\/em> by two suppresses the logical error rate by a constant factor only while the physical error rate sits below the code\u2019s threshold of around 1%; the distance, and hence the qubit count, is therefore set by how many error-correction cycles the whole computation must survive without a single logical failure. In older estimates that relied on standard surface codes with relatively high error rates, this overhead was so large that breaking ECC-256 was projected to require millions of physical\u00a0qubits.<\/p>\n<p>The Google Quantum AI whitepaper of March 30, 2026 explicitly accounts for this overhead in its calculations. 
Their optimized Shor\u2019s algorithm requires roughly 1,200\u20131,450 logical qubits. When they apply realistic superconducting hardware assumptions (10\u207b\u00b3 physical error rates and planar connectivity) and layer on full surface-code error correction, the total machine size comes out to <strong><em>fewer than 500,000 physical qubits<\/em><\/strong> under those assumptions [1].<\/p>\n<p>The Oratomic\/Caltech paper takes a different route to reduce overhead. By using newer high-rate quantum LDPC codes (which can achieve encoding rates around 30%, compared with the surface code\u2019s typical ~4%), they are able to protect many more logical qubits with fewer physical qubits. This is why their analysis reaches cryptographically relevant scales with only ~26,000 physical qubits\u200a\u2014\u200aeven though their system would run more slowly\u00a0[2].<\/p>\n<p>In essence, error-correction overhead is the single biggest reason why quantum computers have historically seemed far from breaking Bitcoin. Every time researchers improve algorithms, circuits, or error-correcting codes, they reduce the number of logical qubits needed\u200a\u2014\u200aand that, in turn, dramatically lowers the total number of physical qubits required. The two March 2026 papers illustrate how such improvements can change resource estimates.<\/p>\n<p>This distinction between logical and physical qubits also explains why the two papers reach very different numbers: Google optimizes for fast superconducting hardware (which currently has higher overhead per logical qubit), while Oratomic optimizes for neutral-atom hardware that can take better advantage of high-rate codes. 
Both approaches still require full error correction to run Shor\u2019s algorithm reliably; without it, even millions of physical qubits would likely be too noisy to complete the computation.<\/p>\n<p>The next section explores how the speed of these different hardware platforms (fast-clock versus slow-clock) further shapes which types of attacks on Bitcoin become practical.<\/p>\n<h4>2.3 Fast-Clock (Superconducting) vs. Slow-Clock (Neutral-Atom) Quantum Architectures<\/h4>\n<p>Not all quantum computers behave the same way. One of the most important practical differences between current quantum hardware platforms is their operating speed\u200a\u2014\u200aoften referred to informally as \u201cclock speed.\u201d This is not about how fast the computer\u2019s processor runs in the traditional sense, but rather how quickly it can perform quantum gates (the basic operations) and complete error-correction cycles.<\/p>\n<p><strong><em>Fast-clock architectures<\/em><\/strong> include superconducting qubits (the main focus of Google Quantum AI and IBM). These platforms have very short gate times (typically tens of nanoseconds) and error-correction cycles in the range of 1 to 10 microseconds. Because operations happen so quickly, a fast-clock machine can execute millions of gates per second in principle. This speed is a major advantage when the goal is to solve a problem before a time limit expires\u200a\u2014\u200afor example, breaking a Bitcoin transaction key while it is still sitting in the public\u00a0mempool.<\/p>\n<p><strong><em>Slow-clock architectures<\/em><\/strong>, such as neutral-atom systems (the focus of Oratomic and Caltech) and ion-trap devices, operate much more slowly. Their gate and measurement times are usually in the range of hundreds of microseconds to several milliseconds per cycle. 
While slower, these platforms offer other strengths: individual qubits tend to remain coherent (stable) for longer periods, and the neutral atoms can be rearranged to optimize qubit connectivity during computation. This reconfigurability allows them to use more advanced, high-rate error-correcting codes that pack more logical qubits into fewer physical\u00a0qubits.<\/p>\n<p>The March 30, 2026 papers illustrate this difference perfectly. Google\u2019s whitepaper focuses on fast-clock superconducting hardware and concludes that fewer than 500,000 physical qubits would be enough <strong><em>to break an ECC-256 key in roughly nine minutes <\/em><\/strong>[1]. This speed is fast enough to enable real-time \u201con-spend\u201d attacks on Bitcoin, where an attacker derives the private key from a public key revealed in the mempool and broadcasts a competing transaction before the original one is confirmed.<\/p>\n<p>In contrast, the Oratomic\/Caltech paper uses a slow-clock neutral-atom architecture. It shows that the same ECC-256 break could be achieved with only about 26,000 physical qubits, but the<strong><em> attack would take approximately ten days<\/em><\/strong> [2]. This makes the machine highly effective for \u201cat-rest\u201d attacks on already-exposed public keys (such as reused addresses or old P2PK coins), but far too slow to steal coins while they are still in transit in the\u00a0mempool.<\/p>\n<p>This architectural split has direct consequences for Bitcoin\u2019s security timeline. Fast-clock machines (superconducting) lower the bar for immediate, real-time theft once they reach the required scale. Slow-clock machines (neutral-atom) could reach cryptographically relevant capability with far fewer qubits, but their slower speed limits them to stealing coins that have been sitting exposed for a long time. 
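<\/p>
<p>A back-of-the-envelope version of the overhead and clock-speed arithmetic from sections 2.2 and 2.3, added here as a worked example (not from the article or from either March 2026 paper): it picks the smallest surface-code distance at which a computation of a given size completes without a logical failure, converts that to a physical-qubit count, turns the same cycle count into wall-clock time for a fast-clock (1 microsecond) and a slow-clock (1 millisecond) machine, and checks how often an attack of that length beats the next block. The logical-error heuristic p_L ~ 0.1 (p/p_th)^((d+1)/2) with a 1% threshold and the 2d^2 qubits-per-logical-qubit rule are textbook surface-code approximations; the workload (1,300 logical qubits and 5x10^8 code cycles) is a placeholder inside the range the page quotes, not a figure from either paper; block arrivals are modelled as Poisson with a 600-second mean.<\/p>

```python
# Surface-code resource arithmetic (added example; workload figures are
# placeholders, not numbers from the Google or Oratomic papers).
import math
from typing import Dict

P_TH = 1e-2  # assumed surface-code threshold: about 1% physical error rate


def logical_error_per_cycle(p_phys: float, d: int, p_th: float = P_TH) -> float:
    # Textbook heuristic: every +2 in distance buys one more factor of p/p_th.
    return 0.1 * (p_phys / p_th) ** ((d + 1) / 2)


def run_failure_probability(p_phys: float, d: int, n_logical: int,
                            n_cycles: int, p_th: float = P_TH) -> float:
    # Probability that at least one logical qubit fails somewhere in the run;
    # expm1/log1p keep tiny per-cycle rates from underflowing to zero.
    per_cycle = logical_error_per_cycle(p_phys, d, p_th)
    trials = n_logical * n_cycles
    return -math.expm1(trials * math.log1p(-per_cycle))


def min_distance(p_phys: float, n_logical: int, n_cycles: int,
                 target_fail: float = 0.01, p_th: float = P_TH) -> int:
    # Smallest odd distance whose whole-run failure probability is under target.
    for d in range(3, 401, 2):
        if run_failure_probability(p_phys, d, n_logical, n_cycles, p_th) < target_fail:
            return d
    raise ValueError('physical error rate too close to threshold')


def physical_qubits(n_logical: int, d: int) -> int:
    # One distance-d surface-code patch: d*d data qubits + about d*d ancillas.
    # Magic-state factories and routing space come on top and are not modelled.
    return n_logical * 2 * d * d


def p_next_block_before(seconds: float, mean_block_s: float = 600.0) -> float:
    # Poisson block arrivals: chance that a block lands before the attack ends.
    return -math.expm1(-seconds / mean_block_s)


def estimate(platform: str, p_phys: float, cycle_time_s: float,
             n_logical: int, n_cycles: int) -> Dict[str, object]:
    d = min_distance(p_phys, n_logical, n_cycles)
    runtime = n_cycles * cycle_time_s
    return {
        'platform': platform,
        'distance': d,
        'physical_qubits': physical_qubits(n_logical, d),
        'runtime_s': runtime,
        'p_block_first': p_next_block_before(runtime),
    }


def compare(n_logical: int = 1300,
            n_cycles: int = 500_000_000) -> Dict[str, Dict[str, object]]:
    # Same algorithm, same error rate, same code; only the clock differs.
    return {
        'fast': estimate('superconducting', 1e-3, 1e-6, n_logical, n_cycles),
        'slow': estimate('neutral-atom', 1e-3, 1e-3, n_logical, n_cycles),
    }


if __name__ == '__main__':
    for name, result in compare().items():
        print(name, result)
```

<p>Under these placeholder numbers the crude model lands at distance 25 and about 1.6 million physical qubits for both machines, above the headline figures on this page; the difference is the algorithmic, circuit-level and code-level optimisation the two papers report, which this model deliberately leaves out. The clock alone turns the same 5x10^8 cycles into a little over eight minutes on the fast machine and nearly six days on the slow one, and even the fast run finishes before the next block only a bit under half the time, which is why an on-spend attacker would go after transactions that linger in the mempool rather than ones confirmed in the very next block.<\/p>
<p>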
Both paths are now considered realistic by leading research teams, which is why the simultaneous publication of these two papers on March 30, 2026, has been viewed as a significant milestone.<\/p>\n<p>The choice of hardware platform is not just a technical detail\u200a\u2014\u200ait determines both how small a quantum computer needs to be and how quickly it can attack Bitcoin. Fast-clock systems make on-spend attacks possible; slow-clock systems make smaller, more compact at-rest attacks possible. Understanding this distinction is essential for evaluating the true urgency of quantum threats to the Bitcoin\u00a0network.<\/p>\n<h3>III. Evolution of Resource Estimates for Breaking\u00a0ECC-256<\/h3>\n<h4>3.1 The 2022 Baseline: Webber et al. and the 13 Million Physical Qubit\u00a0Estimate<\/h4>\n<p>For several years, the most widely cited benchmark for the quantum threat to Bitcoin came from a 2022 paper by Michael Webber and colleagues, titled <em>\u201cThe impact of hardware specifications on reaching quantum advantage in the fault tolerant regime\u201d<\/em> [4]. This study focused specifically on breaking 256-bit elliptic curve cryptography (ECC-256)\u200a\u2014\u200athe exact system used by Bitcoin and Ethereum\u200a\u2014\u200arather than the larger RSA-2048 problem that had dominated earlier discussions.<\/p>\n<p>Using realistic assumptions about superconducting hardware and the standard surface-code error correction, Webber et al. calculated that a quantum computer would need approximately 13 million physical qubits to solve an ECC-256 discrete logarithm (i.e., derive a private key from a public key) in about one day. If the machine were made faster or the attack time relaxed, the number changed, but the one-day figure became the headline number quoted across the crypto and quantum communities. 
For context, their model assumed a physical gate error rate of 10\u207b\u00b3 (0.1%), a 1 microsecond error-correction cycle time, and 10 microsecond reaction times\u200a\u2014\u200aall considered plausible but optimistic targets for near-future superconducting systems at the time. The same paper put the cost of compressing the attack into one hour at roughly 317 million physical qubits, since a shorter deadline has to be bought with more parallel computation and therefore more qubits; that one-hour figure, rather than the one-day one, is the like-for-like comparison for a nine-minute\u00a0attack.<\/p>\n<p>This 13-million-qubit estimate had a major psychological impact. It reinforced the widespread view that quantum computers capable of breaking Bitcoin were still many decades away. Most Bitcoin developers and users interpreted the number as evidence that there was no urgent need to rush post-quantum upgrades. After all, building and maintaining a stable machine with 13 million physical qubits\u200a\u2014\u200awhile keeping error rates low enough for the surface code to work\u200a\u2014\u200aseemed like an enormous engineering challenge that would take far longer than the lifespan of current cryptographic standards.<\/p>\n<p>The Webber paper also highlighted the critical role of hardware specifications. Small improvements in error rates or cycle times could dramatically change the qubit count required. However, even under the most optimistic assumptions they considered, the resource requirements remained in the millions of physical qubits. This became the de facto baseline against which later progress would be measured. When people discussed \u201cquantum threats to Bitcoin\u201d between 2022 and early 2026, the 13-million-qubit figure was almost always the reference point.<\/p>\n<p>It\u2019s important to note that this estimate was not for a hypothetical future technology; it was based on scaling the surface code\u200a\u2014\u200athe best-understood and most practical error-correcting code available at the time. 
The paper did not claim that 13 million qubits would be easy to build, only that this was the approximate scale required if one wanted to run Shor\u2019s algorithm on ECC-256 within a reasonable timeframe.<\/p>\n<p>In hindsight, the 2022 Webber estimate served as an important reality check. It showed that even with significant algorithmic optimizations already applied, the combination of Shor\u2019s algorithm and surface-code overhead still demanded an extraordinarily large machine. This is why the March 30, 2026 papers from Google Quantum AI and Oratomic\/Caltech were received with such surprise: both teams reported reductions that brought the required physical qubit count down by more than an order of magnitude\u200a\u2014\u200afrom 13 million to under 500,000 (Google) and around 26,000 (Oratomic).<\/p>\n<p>The dramatic drop between the 2022 baseline and the 2026 results is the direct result of advances in quantum algorithms, circuit optimization, and more efficient error-correcting codes. These improvements form the core of the next\u00a0section.<\/p>\n<h4>3.2 Earlier Benchmarks (Gidney &amp; Eker\u00e5 2021 and Other Pre-2026 Estimates)<\/h4>\n<p>Before 2022, the most influential and widely discussed quantum resource estimate came from a 2021 paper by Craig Gidney and Martin Eker\u00e5, titled <em>\u201cHow to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits\u201d <\/em>[5]. This work quickly became the benchmark that many people\u200a\u2014\u200aincluding Bitcoin developers, analysts, and journalists\u200a\u2014\u200areferred to when discussing quantum threats to cryptography.<\/p>\n<p>Gidney and Eker\u00e5 focused on RSA-2048, the larger and more computationally intensive public-key system used in many internet protocols at the time. 
Using realistic assumptions about superconducting hardware and surface-code error correction, they calculated that a quantum computer would need approximately 20 million physical qubits to factor a 2048-bit RSA key in about eight hours. The paper was groundbreaking because it showed, for the first time, that the resource requirements were not in the billions of qubits (as some earlier pessimistic estimates had suggested), but \u201conly\u201d in the tens of millions. This made large-scale quantum cryptanalysis feel somewhat more plausible within the lifetime of current cryptographic standards.<\/p>\n<p>Although the Gidney &amp; Eker\u00e5 paper was about RSA rather than Bitcoin\u2019s elliptic curve cryptography, it was frequently cited in Bitcoin discussions. Many people assumed that if 20 million qubits were needed for RSA-2048, then breaking ECC-256 (which offers similar classical security but with smaller keys) would require a comparable or only slightly smaller machine. This created a general impression in the crypto community that quantum computers capable of threatening Bitcoin were still decades away\u200a\u2014\u200aperhaps not arriving until 2040 or\u00a0later.<\/p>\n<p>Other pre-2026 estimates followed a similar pattern. Various research groups between 2017 and 2025 produced resource estimates for Shor\u2019s algorithm on both RSA and ECC that typically ranged from several million to tens of millions of physical qubits when using the standard surface code. These numbers were driven by the high overhead of error correction: to create enough reliable logical qubits and run the millions of Toffoli gates required by Shor\u2019s algorithm, researchers had to assume very large numbers of noisy physical\u00a0qubits.<\/p>\n<p>The consistent message from these earlier benchmarks was clear: quantum computers powerful enough to break ECC-256 would be extraordinarily large and complex machines. 
Building and operating a stable system with millions of physical qubits while maintaining the extremely low logical error rates needed for deep circuits seemed like a distant engineering goal. As a result, most Bitcoin developers treated quantum risk as a long-term theoretical issue rather than an immediate priority.<\/p>\n<p>These pre-2026 figures\u200a\u2014\u200aespecially the 20-million-qubit RSA estimate from Gidney &amp; Eker\u00e5 and the 13-million-qubit ECC-256 estimate from Webber et al. in 2022\u200a\u2014\u200aset the baseline against which the March 2026 papers would later be judged. The dramatic reductions reported by Google Quantum AI (&lt;500,000 qubits) and Oratomic\/Caltech (~26,000 qubits) represented a major leap forward in algorithmic efficiency and error-correction techniques.<\/p>\n<p>The next section examines exactly how these two 2026 papers achieved such significant improvements over the earlier benchmarks.<\/p>\n<h4>3.3 Why Resource Requirements Have Fallen Dramatically in Just Four\u00a0Years<\/h4>\n<p>Between the 2022 Webber et al. estimate of roughly 13 million physical qubits and the two March 30, 2026 papers, the projected resources needed to break ECC-256 dropped by more than an order of magnitude in a remarkably short\u00a0period.<\/p>\n<p>Google Quantum AI\u2019s paper showed that fewer than 500,000 physical qubits on superconducting hardware would now suffice for a nine-minute attack, while the Oratomic\/Caltech team demonstrated that only around 26,000 physical qubits on a neutral-atom system could achieve the same result in about ten days. This represents a reduction of roughly 26\u00d7 compared to the 2022 baseline for fast-clock systems, and an even more dramatic leap in compactness for slow-clock designs.<\/p>\n<p>What drove such rapid progress in such a short time? The biggest gains came from <strong><em>advances in quantum algorithms and circuit optimization<\/em><\/strong>. 
Earlier estimates relied on relatively straightforward implementations of Shor\u2019s algorithm. The 2026 papers introduced significant refinements: more efficient ways to perform elliptic curve point addition (the main bottleneck in Shor\u2019s algorithm for ECC), windowed arithmetic techniques, state reuse, and better compilation strategies that dramatically reduced the number of Toffoli gates required. Google\u2019s team, for example, optimized their circuits down to 70\u201390 million Toffoli gates\u200a\u2014\u200aa substantial improvement over prior work\u00a0[1].<\/p>\n<p>A second major driver was <strong><em>progress in quantum error correction.<\/em><\/strong> The 2022 Webber estimate assumed the standard surface code, which has a relatively low encoding rate (roughly 4%). This meant that many physical qubits were needed to protect each logical qubit. The Oratomic\/Caltech paper made heavy use of newer high-rate quantum low-density parity-check (qLDPC) codes, which achieve encoding rates of around 30%. These codes pack far more logical qubits into fewer physical qubits by taking advantage of long-range connectivity that is naturally available in neutral-atom systems. Google\u2019s paper, while still relying primarily on the surface code for its fast-clock estimate, also incorporated recent improvements in logical instruction sets and magic-state distillation that further reduced overhead [1,\u00a02].<\/p>\n<p>Third, <strong><em>architectural innovations<\/em><\/strong> played a key role. The Oratomic paper leverages the reconfigurability of neutral-atom arrays\u200a\u2014\u200athe ability to physically move qubits around during computation\u200a\u2014\u200ato enable more efficient code surgery and parallel operations. This approach allows them to achieve cryptographically relevant performance with far fewer total physical qubits than a rigid superconducting layout would require. 
Google\u2019s work, by contrast, focuses on scaling well-understood superconducting hardware with planar connectivity, showing that even without exotic new codes, algorithmic gains alone can bring the qubit count down dramatically.<\/p>\n<p>Finally, there has been a broader cultural and methodological shift in the quantum computing field. Researchers have become much more systematic about optimizing every layer of the stack\u200a\u2014\u200afrom the high-level algorithm down to the lowest-level circuit compilation and error-correction decoding. The use of zero-knowledge proofs in the Google paper to validate their resource estimates without revealing exploitable details is itself an example of this increased sophistication and responsibility [1].<\/p>\n<p>Taken together, these improvements\u200a\u2014\u200abetter algorithms, more efficient error-correcting codes, smarter compilation, and hardware-specific architectural tricks\u200a\u2014\u200aexplain why the resource requirements fell so sharply between 2022 and 2026. What once looked like a distant, almost insurmountable engineering challenge (13 million qubits) now appears within reach of continued scaling on existing technological roadmaps.<\/p>\n<p>The next section examines the two March 2026 papers in detail and shows exactly how these advances translate into concrete new estimates for breaking Bitcoin\u2019s cryptography.<\/p>\n<h3>IV. The March 2026 Breakthrough Papers<\/h3>\n<h4>4.1 Google Quantum AI Whitepaper: &lt;500,000 Physical Qubits on Fast-Clock Superconducting Hardware<\/h4>\n<p>On March 30, 2026, Google Quantum AI released one of the most significant papers in recent quantum cryptanalysis history. 
Titled <em>Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations<\/em>, the whitepaper was authored by a team including Ryan Babbush, Craig Gidney, and collaborators from Ethereum Foundation and Stanford University [1].<\/p>\n<p>The paper\u2019s central finding is striking: an optimized version of Shor\u2019s algorithm can break 256-bit elliptic curve cryptography (ECC-256)\u200a\u2014\u200athe exact system used by Bitcoin and Ethereum\u200a\u2014\u200ausing <strong><em>fewer than 500,000 physical qubits <\/em><\/strong>on a superconducting (fast-clock) quantum computer. This represents a roughly 26-fold reduction compared to the widely cited 2022 Webber et al. estimate of 13 million physical qubits for a one-day attack\u00a0[4].<\/p>\n<p>The authors deliberately used conservative, realistic hardware assumptions: a physical gate error rate of 10\u207b\u00b3 (0.1%), planar (nearest-neighbor) connectivity, and the well-understood surface code for error correction. They did not rely on speculative future technologies or exotic new error-correcting codes. Instead, they achieved the dramatic reduction through careful algorithmic and circuit-level optimizations.<\/p>\n<p>To address concerns about responsible disclosure, the team published a cryptographic zero-knowledge proof validating their resource claims without revealing the actual quantum circuits that could be used for an attack. 
This approach allows the community to trust the numbers while preventing immediate misuse by bad actors\u00a0[1].<\/p>\n<h4>4.1.1 Key Claims and Attack Timelines (~9 Minutes per\u00a0Key)<\/h4>\n<p>The paper presents two optimized circuit variants for solving the ECDLP on the secp256k1 curve (Bitcoin\u2019s curve):<\/p>\n<ul>\n<li>One variant optimized for fewer qubits: 1,200 logical qubits and 90 million Toffoli\u00a0gates.<\/li>\n<li>Another variant optimized for fewer gates: 1,450 logical qubits and 70 million Toffoli\u00a0gates.<\/li>\n<\/ul>\n<p>When these circuits are compiled onto realistic superconducting hardware with full surface-code error correction, the total physical qubit requirement is <strong><em>under 500,000<\/em><\/strong>. The estimated runtime for a single key derivation is approximately <strong><em>9 minutes<\/em><\/strong> (after a pre-computation \u201cpriming\u201d step that can be done in advance). This 9-minute figure is critical because it fits comfortably inside Bitcoin\u2019s average 10-minute block interval.<\/p>\n<p>The authors emphasize that this speed is achievable on the same class of hardware Google has already demonstrated experimentally (scaled-up versions of their current superconducting processors). They note that further modest improvements\u200a\u2014\u200aeither in algorithm design or in hardware reaction times\u200a\u2014\u200acould reduce the time even\u00a0further.<\/p>\n<h4>4.1.2 Implications for On-Spend and At-Rest\u00a0Attacks<\/h4>\n<p>Because the attack can complete in roughly nine minutes, the Google paper explicitly warns that the first generation of cryptographically relevant fast-clock quantum computers would be capable of on-spend attacks. 
An attacker could monitor the public mempool, extract a revealed public key from an unconfirmed transaction, derive the private key in minutes, and broadcast a competing transaction that steals the funds before the original transaction is mined into a\u00a0block.<\/p>\n<p>At the same time, the same machine would also be highly effective at at-rest attacks on any public key that has already been exposed on the blockchain. This includes:<\/p>\n<ul>\n<li>Old P2PK outputs (over 1.7 million BTC, including many Satoshi-era coins)<\/li>\n<li>Reused addresses (where spending has already revealed the public\u00a0key)<\/li>\n<li>Taproot key-path\u00a0spends<\/li>\n<\/ul>\n<p>The paper stresses that once a fast-clock machine of this scale exists, both types of attacks become realistic threats. The authors therefore urge the cryptocurrency community to begin migrating to post-quantum cryptography without delay, and they highlight intermediate mitigations (such as private mempools and commit-reveal schemes) that could buy time against on-spend\u00a0attacks.<\/p>\n<p>Google\u2019s whitepaper does not merely lower the qubit count\u200a\u2014\u200ait shows that the first machines powerful enough to perform at-rest attacks on exposed keys would likely also be fast enough to enable real-time theft from the mempool. This combination of reduced size and practical speed is what makes the March 30, 2026 paper such a significant wake-up call for\u00a0Bitcoin.<\/p>\n<h4>4.2 Oratomic\/Caltech Paper: ~26,000 Physical Qubits on Slow-Clock Neutral-Atom Hardware<\/h4>\n<p>Also published on March 30, 2026, the second major paper came from a collaboration between the newly launched startup Oratomic and researchers at Caltech (including Madelyn Cain, Qian Xu, Dolev Bluvstein, and John Preskill). 
Titled <em>\u201cShor\u2019s algorithm is possible with as few as 10,000 reconfigurable atomic qubits\u201d<\/em>, this work takes a completely different technological path from Google\u2019s superconducting approach\u00a0[2].<\/p>\n<p>Instead of fast-clock superconducting qubits, the Oratomic\/Caltech team focuses on <strong><em>neutral-atom quantum computers<\/em><\/strong>\u200a\u2014\u200aa slow-clock architecture that uses individual atoms trapped in laser beams (optical tweezers) as qubits. Neutral-atom systems are slower in gate speed and error-correction cycles, but they offer natural long-range connectivity and the ability to physically move qubits during computation. This reconfigurability allows them to use more advanced, high-rate error-correcting codes that dramatically reduce the total number of physical qubits\u00a0needed.<\/p>\n<h4>4.2.1 Key Claims and Attack Timelines (~10 Days per\u00a0Key)<\/h4>\n<p>The paper\u2019s headline result is that Shor\u2019s algorithm for breaking ECC-256 can be executed with as few as 10,000\u201313,000 physical qubits in a compact \u201cspace-efficient\u201d design, or around <strong><em>26,000 physical qubits <\/em><\/strong>in a faster, time-optimized configuration. 
These numbers are achieved by using high-rate quantum low-density parity-check (qLDPC) codes with encoding rates of approximately 30%\u200a\u2014\u200afar more efficient than the standard surface code\u2019s ~4% rate used in most superconducting estimates.<\/p>\n<p>The authors project that, with a 1 ms stabilizer measurement cycle time (realistic for current neutral-atom hardware), the time-optimized architecture could solve an ECC-256 discrete logarithm in approximately <strong><em>10 days.<\/em><\/strong> This is dramatically slower than Google\u2019s nine-minute estimate, but still well within a practical window for at-rest attacks on exposed or dormant\u00a0coins.<\/p>\n<p>The paper also includes estimates for the larger RSA-2048 problem, requiring 11,000\u201314,000 qubits for slower runs or about 102,000 qubits for a faster parallelized version taking roughly 97 days. However, the authors emphasize that ECC-256 is the more relevant and immediate cryptographic target for blockchains like Bitcoin and Ethereum.<\/p>\n<p>Importantly, the Oratomic\/Caltech team used conservative assumptions and focused on architectures that could be built by scaling existing neutral-atom technology. Their work demonstrates that a much smaller quantum machine\u200a\u2014\u200aone potentially reachable earlier than a 500,000-qubit superconducting system\u200a\u2014\u200acould still pose a serious threat to cryptocurrencies, albeit only for at-rest attacks due to the slower clock\u00a0speed.<\/p>\n<h4>4.2.2 Current Hardware Milestone: 6,100-Atom Trapping Array (September 2025)<\/h4>\n<p>The Oratomic\/Caltech paper is grounded in real experimental progress. In September 2025, the same Caltech team (led by researchers who later founded Oratomic) achieved a major milestone: they successfully trapped and controlled <strong><em>more than 6,100 individual neutral atoms<\/em><\/strong> in a large optical tweezer array. 
This experiment, published in Nature [6], demonstrated the largest coherent neutral-atom array ever built at the time. The atoms remained stable for extended periods and could be moved around dynamically\u200a\u2014\u200akey capabilities needed for the reconfigurable architectures described in the March 2026 paper\u00a0[2].<\/p>\n<p>This 6,100-atom array is not yet a full universal quantum processor capable of running Shor\u2019s algorithm. It represents an early-stage hardware demonstration focused on trapping, coherence, and qubit transport. Turning this array into a fault-tolerant quantum computer with full error correction, universal gates, and the ability to run deep circuits is still a significant engineering challenge. Nevertheless, it shows that neutral-atom platforms are rapidly scaling and are no longer limited to small numbers of\u00a0qubits.<\/p>\n<p>In summary, the Oratomic\/Caltech paper complements Google\u2019s work by showing an alternative path: a much smaller, slower machine that could still break ECC-256, but only for at-rest attacks. Together, the two papers illustrate that quantum cryptanalysis is advancing along multiple technological fronts\u200a\u2014\u200aone emphasizing speed, the other emphasizing compactness\u200a\u2014\u200amaking the overall threat to Bitcoin more credible and closer than previously thought.<\/p>\n<h4>4.3 Direct Comparison: Google (Fast-Clock, 500k Qubits) vs. Oratomic (Slow-Clock, 26k\u00a0Qubits)<\/h4>\n<p>The two papers offer two very different but equally important visions of how quantum computers might eventually break ECC-256, the cryptography that secures Bitcoin and Ethereum. Rather than contradicting each other, they complement one another by exploring separate technological paths with different strengths and limitations.<\/p>\n<p>Google Quantum AI\u2019s approach focuses on fast-clock superconducting hardware. 
Their estimate is that a machine with fewer than 500,000 physical qubits would be sufficient to run an optimized Shor\u2019s algorithm and solve an ECC-256 key in roughly nine minutes. This speed is possible because superconducting qubits have very fast gate times and error-correction cycles (typically 1\u201310 microseconds). The paper uses conservative assumptions based on hardware Google has already demonstrated experimentally (such as their Willow chip) and relies primarily on the well-understood surface code for error correction [1].<\/p>\n<p>Because the attack can finish in under ten minutes, Google\u2019s machine would be capable of\u00a0both:<\/p>\n<ul>\n<li><strong><em>At-rest attacks<\/em><\/strong> (stealing coins with already-exposed public keys, such as old P2PK outputs or reused addresses), and<\/li>\n<li><strong><em>On-spend attacks<\/em><\/strong> (stealing coins in real time from the public mempool before the transaction is confirmed in a\u00a0block).<\/li>\n<\/ul>\n<p>As such, Google\u2019s result shows a relatively large but very fast quantum computer that could threaten active Bitcoin transactions the moment it becomes available.<\/p>\n<p>Oratomic and Caltech\u2019s approach, by contrast, focuses on slow-clock neutral-atom hardware. Their most time-optimized design requires only about 26,000 physical qubits\u200a\u2014\u200aroughly 20 times fewer than Google\u2019s estimate\u200a\u2014\u200abut the attack would take approximately ten days assuming a 1 ms stabilizer cycle time. This dramatic reduction in qubit count is achieved by using newer high-rate quantum LDPC codes (with ~30% encoding efficiency) and taking advantage of the natural reconfigurability of neutral-atom arrays, where neutral atoms can be rearranged to optimize qubit connectivity during computation [2].<\/p>\n<p>The Oratomic machine would therefore be excellent for at-rest attacks on any public key that has already been revealed on the blockchain. 
However, ten days is far too slow to perform on-spend attacks inside Bitcoin\u2019s 10-minute block window. This makes Oratomic\u2019s path a smaller, more compact route to quantum cryptanalysis, but one that is limited to stealing long-exposed or dormant\u00a0coins.<\/p>\n<p>The two papers therefore paint a more complete picture of the quantum threat. Google\u2019s result raises the alarm about real-time theft once fast superconducting machines reach ~500k qubits. Oratomic\u2019s result shows that much smaller machines could still break ECC-256, even if they take longer\u200a\u2014\u200ameaning the total number of qubits required may be lower than previously thought if slower architectures scale successfully.<\/p>\n<p>Importantly, both papers assume full quantum error correction is in place. Without it, even millions of physical qubits would be too noisy to run Shor\u2019s algorithm reliably. The dramatic reductions achieved in both cases come from a combination of better algorithms, smarter circuit designs, and more efficient error-correcting codes rather than from any single \u201cmagic\u201d breakthrough.<\/p>\n<p>Together, these two complementary papers make the quantum threat to Bitcoin feel considerably more immediate and realistic than it did just a few years\u00a0ago.<\/p>\n<h3>V. Current State of Quantum Hardware Development<\/h3>\n<h4>5.1 Superconducting Fast-Clock Platforms (Google, IBM, Fujitsu\/RIKEN)<\/h4>\n<p>Superconducting qubits are currently the most advanced and widely pursued fast-clock quantum computing technology. These systems use tiny superconducting circuits cooled to near absolute zero to create and control qubits. Their main advantage is speed: gate operations and error-correction cycles can be performed in microseconds, making them the leading candidates for the fast on-spend attacks described in the Google paper. 
As of March 2026, three major players dominate this space: Google Quantum AI, IBM Quantum, and the Japanese collaboration between Fujitsu and\u00a0RIKEN.<\/p>\n<p>Google has long been at the forefront of superconducting quantum hardware. Its most advanced publicly demonstrated processor is the Willow chip, which contains 105 physical qubits. This chip, first unveiled in late 2024, has been used to demonstrate below-threshold error correction and small-scale quantum algorithms. Google continues to focus on scaling this technology while improving coherence times and gate fidelities. Their March 2026 whitepaper explicitly bases its &lt;500,000-qubit estimate on a scaled-up version of this same superconducting platform with realistic error rates and planar connectivity [1].<\/p>\n<p>IBM Quantum has taken a modular approach. Its latest flagship systems include the Heron r2\/r3 processors, which have reached 156 physical qubits in a single chip [7], and the Nighthawk processor with 120 qubits [8]. IBM has also demonstrated multi-chip modular systems that link several processors together, effectively creating systems with several hundred to low thousands of physical qubits in total [9]. IBM\u2019s roadmap emphasizes improving error rates and building larger modular arrays, positioning superconducting technology as a practical path toward utility-scale machines\u00a0[9].<\/p>\n<p>In Japan, the Fujitsu\/RIKEN collaboration has made rapid progress. As of early 2026, they have demonstrated a superconducting processor with 256 physical qubits\u200a\u2014\u200athe largest single-chip count among the major players at the time of the March 2026 papers. 
Their publicly stated goal is to reach 1,000 qubits by the end of 2026, showing aggressive scaling ambitions in the fast-clock domain\u00a0[10].<\/p>\n<h4>5.1.1 Demonstrated Qubit Counts (~105\u2013256 Physical Qubits as of March\u00a02026)<\/h4>\n<p>As of March 31, 2026, the current state of superconducting hardware can be summarized as\u00a0follows:<\/p>\n<ul>\n<li><strong><em>Google Quantum AI:<\/em><\/strong> 105 physical qubits (Willow chip, demonstrated 2024 and still the reference platform in their 2026\u00a0paper).<\/li>\n<li><strong><em>IBM Quantum:<\/em><\/strong> 156 physical qubits on the latest Heron r2\/r3 processors, with the Nighthawk processor at 120 qubits. IBM has also demonstrated modular multi-chip systems that link several processors together, effectively creating systems with several hundred to low thousands of physical qubits in research configurations.<\/li>\n<li><strong><em>Fujitsu\/RIKEN:<\/em><\/strong> 256 physical qubits on their most recent demonstrated chip, with plans to scale to 1,000 qubits by the end of\u00a02026.<\/li>\n<\/ul>\n<p>These numbers represent working quantum processors\u200a\u2014\u200anot just arrays of trapped qubits. They can already run small quantum circuits, perform basic error-corrected operations, and execute simple algorithms. However, they remain orders of magnitude smaller than the ~500,000 physical qubits Google estimates would be needed for a cryptographically relevant fast-clock machine capable of breaking ECC-256 in minutes\u00a0[1].<\/p>\n<p>The gap is still large\u200a\u2014\u200aroughly 2,000\u00d7 to 5,000\u00d7 smaller than the target\u200a\u2014\u200abut the superconducting platforms have a clear, incremental scaling path based on decades of engineering experience in cryogenics, microwave control, and fabrication. 
This is why Google\u2019s paper treats the 500,000-qubit threshold as a realistic engineering goal rather than a distant theoretical one.<\/p>\n<p>In the next subsection, we turn to the leading slow-clock alternative: neutral-atom systems being developed by Oratomic and\u00a0Caltech.<\/p>\n<h4>5.2 Neutral-Atom Slow-Clock Platforms (Oratomic\/Caltech)<\/h4>\n<p>While superconducting qubits represent the leading fast-clock approach, neutral-atom systems offer a very different path to large-scale quantum computing. These platforms use individual neutral atoms (typically cesium or rubidium) trapped in arrays of laser beams known as optical tweezers. The atoms serve as qubits, and their quantum states are manipulated using carefully controlled laser pulses. Neutral-atom systems are classified as slow-clock architectures because their gate operations and error-correction cycles are significantly slower than those of superconducting qubits\u200a\u2014\u200atypically in the range of hundreds of microseconds to several milliseconds per\u00a0cycle.<\/p>\n<p>The main advantages of neutral-atom technology are long coherence times (atoms can remain in quantum states for relatively long periods) and natural reconfigurability. Because the atoms are not fixed in place like superconducting circuits, they can be physically moved around during computation using the same laser tweezers that trap them. This mobility enables long-range connectivity and makes it easier to implement advanced, high-rate error-correcting codes that require non-local interactions. These features are exactly what the Oratomic\/Caltech team exploited to achieve much lower physical qubit counts in their March 30, 2026 paper\u00a0[2].<\/p>\n<p>Oratomic is a brand-new startup that officially launched in March 2026, built directly on research from the Caltech group led by Manuel Endres and Dolev Bluvstein. 
The company\u2019s goal is to turn the theoretical architectures described in their paper into practical, large-scale quantum computers.<\/p>\n<h4>5.2.1 The Gap Between Trapping Arrays and a Full Quantum Processor<\/h4>\n<p>The most advanced experimental result associated with the Oratomic team is the September 2025 demonstration by Caltech researchers of a 6,100-atom trapping array. In this experiment, more than 6,100 individual neutral atoms were successfully trapped in a large grid of optical tweezers, maintained high coherence for extended periods, and could be dynamically moved around. This was a genuine hardware milestone\u200a\u2014\u200athe largest coherent neutral-atom array ever built at the time\u200a\u2014\u200aand was published in the journal Nature\u00a0[6].<\/p>\n<p>However, there is still a significant gap between this trapping array and a full, cryptographically relevant quantum processor. A working quantum processor must be able to do much more than simply hold and move atoms. It requires:<\/p>\n<ul>\n<li>Reliable <strong><em>universal quantum gates<\/em><\/strong> (the ability to perform any quantum operation on the\u00a0qubits).<\/li>\n<li>High-fidelity <strong><em>measurements<\/em><\/strong> and real-time feedback.<\/li>\n<li>Full <strong><em>quantum error correction<\/em><\/strong> running continuously across the entire\u00a0system.<\/li>\n<li>The capacity to execute very deep circuits (millions of gates) without errors accumulating and destroying the computation.<\/li>\n<\/ul>\n<p>The 6,100-atom array demonstrates excellent trapping, coherence, and transport capabilities, but it has not yet been turned into a universal, error-corrected quantum computer capable of running algorithms as complex as Shor\u2019s. 
In other words, the team has built a very large and stable \u201cparking lot\u201d for qubits, but they still need to add the engines, steering, traffic control, and error-correction systems before the system can drive complex computations.<\/p>\n<p>The Oratomic\/Caltech paper bridges this gap theoretically. It shows how a scaled and enhanced version of this neutral-atom technology\u200a\u2014\u200ausing high-rate qLDPC codes and reconfigurable architectures\u200a\u2014\u200acould reach cryptographically relevant performance with only ~26,000 physical qubits. The paper\u2019s estimates assume further engineering advances in gate fidelity, stabilizer measurement speed (targeting 1 ms cycles), and integration of full fault-tolerant operations. While substantial work remains, the September 2025 6,100-atom result provides a credible experimental foundation for the paper\u2019s\u00a0claims.<\/p>\n<p>In summary, neutral-atom platforms like those being developed by Oratomic offer the potential for much smaller machines than superconducting systems, but they are currently further away from being full, universal quantum processors. 
The gap between today\u2019s large trapping arrays and tomorrow\u2019s cryptographically relevant computers is significant, yet the rapid progress in atom trapping and control suggests this path is advancing quickly alongside the superconducting route.<\/p>\n<h4>5.3 No Firm Timelines Yet: What Both Teams Have (and Have Not) Stated\u00a0Publicly<\/h4>\n<p>Despite the dramatic reductions in required qubit counts reported in the two March 30, 2026 papers, neither Google Quantum AI nor Oratomic has provided a specific, firm public timeline for when their respective target machines\u200a\u2014\u200aroughly 500,000 physical qubits for Google\u2019s fast-clock superconducting system or ~26,000 physical qubits for Oratomic\u2019s slow-clock neutral-atom system\u200a\u2014\u200awill actually be built and operational.<\/p>\n<p>This lack of concrete dates is typical in quantum computing. While researchers can calculate the theoretical resources needed, turning those calculations into working hardware at scale involves enormous engineering challenges: improving fabrication yields, maintaining coherence across larger systems, integrating control electronics, and achieving the extremely low logical error rates required for deep algorithms like Shor\u2019s. Both teams emphasize that their estimates are based on scaling known technology rather than requiring new scientific breakthroughs, but scaling still takes\u00a0time.<\/p>\n<p>Google Quantum AI has the most publicly articulated long-term vision. In recent roadmap updates (including statements accompanying the March 2026 whitepaper), Google continues to target \u201ccommercially relevant quantum computers\u201d by the end of the decade\u200a\u2014\u200ameaning roughly 2029\u20132030. They have not committed to a specific year for reaching the 500,000-physical-qubit threshold described in their ECC-256 paper. 
Instead, Google\u2019s public statements focus on near-term milestones such as scaling to tens of thousands of physical qubits while simultaneously improving error rates and error-correction performance. The company has also announced it\u2019s beginning work on neutral-atom systems as a parallel research track, but its primary superconducting roadmap remains the foundation for the fast-clock estimates in the paper\u00a0[1].<\/p>\n<p>Oratomic, being a brand-new startup that officially launched on the same day the paper was published (March 30, 2026), has not yet released any detailed roadmap or timeline. The company\u2019s public statements so far have been limited to the claims in the scientific paper itself. Their current experimental foundation is the 6,100-atom trapping array demonstrated by the Caltech team in September 2025. Turning that milestone into a full fault-tolerant processor capable of running Shor\u2019s algorithm at the ~26,000-qubit scale will require significant additional engineering. Oratomic has not indicated when they expect to reach this level, only that their architecture is designed to be scalable from existing neutral-atom technology [2].<\/p>\n<p>Both teams are optimistic that their respective qubit targets are achievable with continued engineering progress on platforms that have already shown promising results in the laboratory. However, neither has translated those optimistic assessments into firm calendar dates. This cautious approach is common in the field: quantum hardware timelines have historically slipped, and companies prefer to under-promise and over-deliver rather than risk setting unrealistic expectations.<\/p>\n<p>The absence of firm timelines does not mean the threat is distant. 
It simply reflects the reality that moving from today\u2019s demonstrated systems (105\u2013256 qubits for superconducting, 6,100-atom arrays for neutral atoms) to the much larger scales needed for cryptographically relevant attacks still requires years of focused engineering effort. The next section explores the current state of these hardware platforms in more detail and what the gap between today\u2019s devices and tomorrow\u2019s cryptographically relevant machines looks\u00a0like.<\/p>\n<h3>VI. Skeptical Perspectives and Alternative Theories<\/h3>\n<p>While the two March 30 papers represent the latest and most optimistic estimates for breaking ECC-256, not all physicists agree that quantum computers will continue to scale indefinitely with exponential power. There is a strong mainstream consensus that dominates the quantum computing industry, alongside a small but serious group of minority voices who argue that fundamental physical limits may cap quantum advantage much earlier than expected.<\/p>\n<p>The mainstream consensus\u200a\u2014\u200aheld by the vast majority of quantum researchers, including the teams at Google Quantum AI, IBM, and most academic groups\u200a\u2014\u200ais based on standard quantum mechanics as it has been understood and tested for over 100 years. In this view, the mathematical space in which quantum states live (called Hilbert space) is continuous and infinite. This means that every additional qubit doubles the number of possible states the system can represent (2^N states for N qubits). As long as error rates can be kept low enough through better hardware and error correction, there is no hard physical ceiling to scaling. The only limits are engineering ones: noise, decoherence, fabrication challenges, and cost. 
This is why companies like Google continue to publish aggressive roadmaps aiming for hundreds of thousands or even millions of physical qubits in the coming decade\u00a0[1].<\/p>\n<p>A prominent minority view was published on March 16, 2026, by Oxford physicist Tim Palmer, a Royal Society Fellow. In a peer-reviewed paper in Proceedings of the National Academy of Sciences (PNAS) titled <em>\u201cRational Quantum Mechanics: Testing quantum theory with quantum computers,\u201d<\/em> Palmer proposes a new framework called <strong><em>Rational Quantum Mechanics (RaQM)<\/em><\/strong>\u00a0[11].<\/p>\n<p>At its heart, RaQM asks a simple but profound question: <strong><em>\u201cWhat if gravity makes nature hate true continuity?\u201d<\/em><\/strong> Palmer argues that gravity\u200a\u2014\u200awhich is not yet fully incorporated into standard quantum mechanics\u200a\u2014\u200aforces the mathematical space in which quantum states live (Hilbert space) to be fundamentally <strong><em>discrete<\/em><\/strong> rather than continuous. In other words, nature may not allow infinitely smooth mathematical descriptions; there could be a built-in \u201cgraininess\u201d at the smallest\u00a0scales.<\/p>\n<p>To understand this, recall that gravity (according to Einstein\u2019s general relativity) places fundamental constraints on energy and information density. If too much quantum information (too many entangled qubits) is encoded in a finite physical region, gravitational considerations suggest there is a natural limit to how much can be stored or processed. Palmer\u2019s idea is that nature enforces a cutoff on the granularity of quantum state space\u200a\u2014\u200aa kind of smallest possible \u201cpixel size\u201d in Hilbert space. This makes the space effectively discrete (like a grid with tiny but finite steps) rather than perfectly continuous. 
In other words, there is an inherent \u201cgraininess\u201d at the smallest\u00a0scales.<\/p>\n<p>This discreteness would impose a hard physical limit on how much quantum information can actually be entangled and processed. According to Palmer\u2019s calculations, meaningful exponential quantum advantage is limited to roughly <strong><em>200\u2013400 qubits<\/em><\/strong> with current technology, and an absolute maximum of around <strong><em>1,000 qubits<\/em><\/strong> even in ideal future hardware. Beyond this point, algorithms like Shor\u2019s would lose their exponential advantage because the quantum state simply cannot hold enough information.<\/p>\n<p>Palmer\u2019s paper is notable because it\u2019s formally peer-reviewed, published in one of the world\u2019s top journals, and includes specific, testable predictions. He even suggests concrete experiments that could be run on near-term quantum computers within the next five years to distinguish between standard quantum mechanics and RaQM. However, as of today, no such experiments have yet been performed. The idea remains a provocative but untested hypothesis.<\/p>\n<p>The quantum computing industry (Google, IBM, and others) has not publicly altered its development plans in response to the paper. Their roadmaps continue to assume standard quantum mechanics, where the only limits are engineering ones. Most experts view Palmer\u2019s idea as a valuable contribution worthy of careful testing, but still a minority perspective. The mainstream consensus remains that the physics that has worked perfectly for a century will continue to hold at larger\u00a0scales.<\/p>\n<p>This debate matters greatly for Bitcoin. If the mainstream view is correct, the hardware targets described in the March 2026 papers (500k or 26k qubits) are realistic engineering goals that could be reached within the next decade. 
If Palmer\u2019s view ultimately proves correct, the quantum threat to ECC-256 might never fully materialize at the scales needed for practical attacks. Until experiments decide the issue, the Bitcoin community is wisely preparing for the more conservative (mainstream) scenario.<\/p>\n<h3>VII. Quantum Attack Types on\u00a0Bitcoin<\/h3>\n<h4>7.1 At-Rest Attacks: Targeting Exposed or Reused Public\u00a0Keys<\/h4>\n<p>An at-rest attack is the simplest and most straightforward type of quantum attack on Bitcoin. It occurs when a quantum computer targets a public key that is already visible somewhere on the blockchain and has plenty of time (hours, days, or even years) to solve for the corresponding private key using Shor\u2019s algorithm.<\/p>\n<p>In Bitcoin, ownership of coins is proven by digital signatures created with a private key. The public key is what the network uses to verify those signatures. The security of the entire system rests on the assumption that it is computationally infeasible for anyone to derive the private key from the public key. Shor\u2019s algorithm breaks this assumption on a sufficiently powerful quantum computer.<\/p>\n<p>For an at-rest attack to succeed, the attacker only needs one thing: access to the public key. Once the public key is known, the quantum computer can quietly compute the private key offline. The attacker then uses that private key to forge a transaction and steal any coins still controlled by that\u00a0key.<\/p>\n<p>Bitcoin has several script types that expose public keys in different ways, making them vulnerable to at-rest\u00a0attacks:<\/p>\n<p><strong><em>P2PK (Pay-to-Public-Key)<\/em><\/strong> scripts, used heavily in Bitcoin\u2019s early days (2009\u20132010), record the full public key directly on the blockchain the moment the coins are received. Over 1.7 million BTC\u200a\u2014\u200aincluding a large portion of Satoshi-era mining rewards\u200a\u2014\u200aare still locked in these old P2PK scripts. 
Their public keys have been fully visible for 16+ years, even though the coins have never been spent\u00a0[1].<\/p>\n<p><strong><em>Reused addresses<\/em><\/strong> (P2PKH, P2WPKH, P2WSH, etc.) become vulnerable the moment they are spent from. When a user spends coins from an address, the unlocking script reveals the public key. Any remaining coins at that address are then exposed to at-rest attacks\u00a0forever.<\/p>\n<p><strong><em>P2TR (Pay-to-Taproot)<\/em><\/strong> addresses also expose a public key in the key-path spend, creating a similar vulnerability for any coins using the default key\u00a0path.<\/p>\n<p>In contrast, a truly fresh, never-used address (for example, a standard P2WPKH address that has only received funds and never spent any) keeps the public key hidden behind a cryptographic hash. In this case, there is no public key available for a quantum computer to attack\u200a\u2014\u200aso at-rest attacks are currently impossible on those coins\u00a0[1].<\/p>\n<p>The Google Quantum AI paper explicitly highlights that roughly 6.9 million BTC are currently vulnerable to at-rest attacks due to exposed or reused public keys, with up to 2.3 million BTC considered \u201cdormant\u201d or long-unused and therefore especially attractive targets [1]. Satoshi\u2019s coins fall squarely into this category: because they were created using P2PK scripts, their public keys have been exposed on-chain since the moment they were mined, even though they have never been\u00a0moved.<\/p>\n<p>At-rest attacks can be carried out by either fast-clock or slow-clock quantum computers. They do not require real-time speed\u200a\u2014\u200aonly that the public key is already known. 
This makes them the most immediate and realistic threat once cryptographically relevant quantum hardware becomes available, regardless of whether it is a fast superconducting machine or a slower neutral-atom system.<\/p>\n<h4>7.2 On-Spend Attacks: Real-Time Theft from the Public\u00a0Mempool<\/h4>\n<p>While at-rest attacks target coins whose public keys have already been exposed on the blockchain for a long time, on-spend attacks represent a more immediate and aggressive threat. An on-spend attack occurs when a quantum computer steals coins in real time while a legitimate transaction is still sitting in Bitcoin\u2019s public mempool\u200a\u2014\u200athe temporary holding area where unconfirmed transactions wait to be included in a\u00a0block.<\/p>\n<p>Here is how the attack would work in practice. When a user broadcasts a normal Bitcoin transaction to send coins, the transaction enters the public mempool. For nearly all standard Bitcoin address types (P2PKH, P2WPKH, P2WSH, and P2TR), the public key must be revealed at this moment so that network nodes can verify the digital signature. Once the public key is visible in the mempool, a quantum attacker with a fast-clock machine can extract it, run Shor\u2019s algorithm to derive the corresponding private key, and then quickly create and broadcast a competing \u201cforged\u201d transaction that sends the same coins to the attacker\u2019s own wallet. If the attacker\u2019s transaction is confirmed first\u200a\u2014\u200atypically by offering a higher transaction fee to miners\u200a\u2014\u200athe original user\u2019s transaction is rejected, and the coins are\u00a0stolen.<\/p>\n<p>The Google Quantum AI whitepaper makes this scenario particularly realistic. Their optimized circuits show that a superconducting quantum computer with fewer than 500,000 physical qubits could solve an ECC-256 key in approximately nine minutes (after an optional pre-computation \u201cpriming\u201d step). 
Because Bitcoin\u2019s average block time is about ten minutes, this speed is fast enough for the attack to succeed before the original transaction is mined into a block [1]. The paper notes that the attacker could pre-compute part of the algorithm in advance and wait for a public key to appear in the mempool, further shortening the effective time required.<\/p>\n<p>On-spend attacks are only possible with fast-clock quantum architectures (superconducting, photonic, or silicon spin qubits). These platforms have the rapid gate times and short error-correction cycles needed to complete the computation inside Bitcoin\u2019s narrow confirmation window. Slow-clock systems, such as neutral-atom machines (like the one proposed in the Oratomic paper), are far too slow. Even if they could break the key with only 26,000 physical qubits, the ten-day timeframe would make on-spend attacks impossible\u200a\u2014\u200athey would only be useful for at-rest theft of already-exposed coins\u00a0[2].<\/p>\n<p>The public mempool is the critical vulnerability here. Bitcoin transactions are broadcast openly to the entire network so that anyone can verify and include them. This transparency, which is essential for Bitcoin\u2019s decentralized security, also creates a brief but exploitable window. High-value transactions or those sent during periods of low network congestion would be especially attractive targets. An attacker could even artificially congest the mempool with their own high-fee transactions to buy extra time for the quantum computer to finish deriving the private\u00a0key.<\/p>\n<p>In summary, on-spend attacks represent the most time-sensitive quantum threat to Bitcoin. They do not require the public key to have been exposed for a long time\u200a\u2014\u200aonly long enough for a fast-clock quantum computer to solve for the private key while the transaction is still unconfirmed. 
The Google paper\u2019s nine-minute estimate shows that once a cryptographically relevant fast-clock machine exists, active Bitcoin transactions will no longer be safe. This is why the combination of reduced qubit requirements and fast attack timelines has become such a pressing concern for the Bitcoin community.<\/p>\n<h4>7.3 On-Setup Attacks: Why Bitcoin Is\u00a0Immune<\/h4>\n<p>The third category of quantum attack discussed in the Google Quantum AI whitepaper is the on-setup attack. Unlike at-rest or on-spend attacks, which directly target individual public keys, an on-setup attack is a one-time quantum computation that creates a permanent, reusable classical backdoor into a cryptographic protocol. After the initial quantum step, the attacker no longer needs a quantum computer\u200a\u2014\u200athe backdoor can be exploited repeatedly using ordinary classical computers [1].<\/p>\n<p>Here is how an on-setup attack works in principle. Some advanced blockchain features rely on fixed public parameters that were generated during a \u201ctrusted setup ceremony.\u201d These parameters often contain hidden secrets (sometimes called \u201ctoxic waste\u201d) that were supposed to be destroyed after the setup. If an attacker with a quantum computer can recover those secrets by solving the discrete logarithm problem on the fixed public parameters, they gain a universal backdoor. 
This backdoor can then be used to forge proofs, create counterfeit coins, break privacy, or undermine critical protocol mechanisms\u200a\u2014\u200aall without further quantum computation.<\/p>\n<p>Examples of protocols vulnerable to on-setup attacks\u00a0include:<\/p>\n<p>Ethereum\u2019s Data Availability Sampling (DAS), which uses KZG polynomial commitments generated during a trusted setup ceremony.<\/p>\n<p>Certain privacy protocols such as Zcash\u2019s older Sapling shielded pool (which had a trusted setup) and some implementations of Mimblewimble, which rely on fixed public parameters generated during a setup, could in principle be vulnerable to a one-time quantum computation [1].<\/p>\n<p>In these cases, a single successful quantum computation on the fixed setup parameters would give the attacker a lasting classical exploit that could be traded or used indefinitely.<\/p>\n<p>Bitcoin, however, is not vulnerable to on-setup attacks under its current design. Bitcoin\u2019s design is deliberately simple and does not rely on any trusted setup ceremonies, fixed public protocol parameters, or complex zero-knowledge proof systems that contain hidden secrets. There are no \u201ctoxic waste\u201d parameters generated during a setup phase, no KZG commitments, and no fixed public values that could serve as a backdoor. Bitcoin\u2019s core transaction validation uses straightforward ECDSA or Schnorr signatures based on the secp256k1 elliptic curve, with no additional cryptographic primitives that would enable this type of\u00a0attack.<\/p>\n<p>The Google paper explicitly states this immunity:<\/p>\n<p>\u201cWhile the Bitcoin blockchain is immune to on-setup attacks\u2026\u201d [1]<\/p>\n<p>This is a deliberate architectural choice. 
Bitcoin prioritizes simplicity and minimalism, avoiding the more advanced cryptographic features found in Ethereum, Zcash, or Mimblewimble-based chains that introduce new quantum vulnerabilities. As a result, the only quantum threats Bitcoin faces are the direct at-rest and on-spend attacks that target individual public keys\u200a\u2014\u200anot universal backdoors that could compromise the entire protocol.<\/p>\n<p>This immunity is one of Bitcoin\u2019s structural advantages in a post-quantum world. While other blockchains must worry about both key-breaking attacks and potential protocol-level backdoors created by on-setup attacks, Bitcoin\u2019s attack surface is limited to the exposure of individual public keys. This makes the problem more contained and easier to reason about, even though it remains a serious challenge that requires urgent attention.<\/p>\n<h3>VIII. Specific Impacts on Bitcoin and the Broader Crypto Ecosystem<\/h3>\n<h4>8.1 Vulnerable Bitcoin Script Types and Dormant Assets (~2.3 Million BTC at\u00a0Risk)<\/h4>\n<p>Bitcoin\u2019s security ultimately rests on the assumption that private keys cannot be derived from public keys. Quantum computers running Shor\u2019s algorithm break this assumption, but not every Bitcoin output is equally vulnerable. The degree of risk depends entirely on the script type used to lock the coins and whether the public key has ever been revealed on the blockchain.<\/p>\n<p>Bitcoin supports several standard script types, each with different quantum exposure characteristics. The Google Quantum AI whitepaper provides a detailed analysis of these types and quantifies the total value currently at risk\u00a0[1].<\/p>\n<p><strong><em>P2PK (Pay-to-Public-Key):<\/em><\/strong><em> <\/em>These are the oldest and most vulnerable scripts. In a P2PK output, the full public key is written directly on the blockchain the moment the coins are received (usually as a coinbase mining reward). 
No spending is required for the public key to be visible. Over 1.7 million BTC\u200a\u2014\u200anearly 9% of all Bitcoin\u200a\u2014\u200aremain locked in these legacy P2PK scripts, including a large portion of early Satoshi-era mining rewards. Because the public keys have been exposed since 2009\u20132010, these coins are fully vulnerable to at-rest attacks by any cryptographically relevant quantum computer, fast-clock or slow-clock [1].<\/p>\n<p><strong><em>P2PKH, P2WPKH, P2WSH (Pay-to-Public-Key-Hash and SegWit variants):<\/em><\/strong> These scripts hide the public key behind a cryptographic hash when the coins are received. They are therefore safe from at-rest attacks as long as the address has never been spent from. However, the moment a user spends coins from such an address, the public key is revealed in the unlocking script. Any remaining coins at that address then become vulnerable to at-rest attacks. This is the classic address reuse vulnerability. The Google paper estimates that address reuse currently exposes roughly 5 million additional BTC to quantum risk\u00a0[1].<\/p>\n<p><strong><em>P2TR (Pay-to-Taproot):<\/em><\/strong> Introduced in 2021, Taproot was intended to improve privacy and efficiency. However, in its default \u201ckey-path\u201d spending mechanism, it records a tweaked public key directly on-chain. This created a quantum security regression compared to older SegWit addresses. P2TR outputs are therefore vulnerable to at-rest attacks as soon as the coins are received\u00a0[1].<\/p>\n<p><strong><em>P2MS (Pay-to-Multisig) and other legacy scripts:<\/em><\/strong> These expose multiple public keys directly and are similarly vulnerable from the moment of\u00a0receipt.<\/p>\n<p>The Google paper estimates that, as of early 2026, approximately 6.9 million BTC in total are currently vulnerable to at-rest quantum attacks due to exposed or reused public keys. 
Of this amount, roughly 2.3 million BTC are considered \u201cdormant\u201d\u200a\u2014\u200acoins that have not moved in many years and are locked in old scripts or long-unused addresses. These dormant assets represent a fixed, high-value target that cannot be easily protected through normal wallet upgrades. Many of them are believed to have lost keys, making them effectively abandoned but still attractive to quantum attackers [1].<\/p>\n<p>Satoshi\u2019s coins are a prominent example. A significant portion of the early mining rewards attributed to Satoshi Nakamoto (roughly 1 million BTC) were created using P2PK scripts. Their public keys have been fully visible on the blockchain since they were mined, even though the coins have never been spent. This makes them permanently exposed to at-rest attacks, regardless of any future signature upgrades that might be implemented on Bitcoin\u00a0[1].<\/p>\n<p>The existence of such a large pool of vulnerable and dormant coins creates unique challenges for Bitcoin. Unlike traditional financial systems, where lost or abandoned assets can often be reclaimed or managed through legal processes, Bitcoin\u2019s immutable design means these coins remain on the ledger indefinitely. If a quantum computer capable of at-rest attacks becomes available, these assets could be stolen without any technical recourse for the original\u00a0owners.<\/p>\n<p>This situation underscores why the Google paper describes Bitcoin as \u201cuniquely exposed\u201d compared to traditional finance: there is no central authority to freeze accounts, reverse transactions, or update security centrally. The only defenses are technical upgrades (such as BIP-360 and post-quantum signatures) and user behavior (avoiding address reuse and migrating legacy coins). 
The scale of dormant assets\u200a\u2014\u200aespecially the early P2PK coins\u200a\u2014\u200amakes the quantum risk not just theoretical, but a concrete economic and security concern for the entire Bitcoin\u00a0network.<\/p>\n<p>The next subsection examines how address reuse and fresh-address practices affect real-world protection levels\u00a0today.<\/p>\n<h4>8.2 Address Reuse vs. Fresh Addresses: Current Real-World Protections<\/h4>\n<p>One of the most practical and immediately actionable defenses against quantum at-rest attacks is also one of Bitcoin\u2019s oldest and simplest rules: never reuse addresses. This guideline, originally recommended by Satoshi Nakamoto in the 2009 whitepaper for privacy reasons, has taken on new importance in the quantum\u00a0era.<\/p>\n<p><strong>How Fresh Addresses Provide Protection<\/strong><\/p>\n<p>Modern Bitcoin address types\u200a\u2014\u200aparticularly Pay-to-Witness-Public-Key-Hash (P2WPKH) and Pay-to-Witness-Script-Hash (P2WSH), which begin with \u201cbc1q\u201d\u200a\u2014\u200aare designed to keep the public key hidden. When coins are sent to a fresh address, only a cryptographic hash of the public key is recorded on the blockchain. Without the actual public key, a quantum computer has nothing to attack using Shor\u2019s algorithm. As long as the address has never been spent from, it remains protected from at-rest attacks, even if a powerful quantum computer exists\u00a0[1].<\/p>\n<p>This protection is automatic and built into the protocol. A user who always generates a new receive address for every incoming payment (the default behavior in most modern wallets) is, in effect, using Bitcoin\u2019s strongest available defense against quantum at-rest theft\u00a0today.<\/p>\n<p><strong>The Danger of Address\u00a0Reuse<\/strong><\/p>\n<p>The moment a user spends from an address, the full public key is revealed in the unlocking script. 
From that point onward, any remaining coins still sitting at that address are vulnerable to at-rest attacks. To stay quantum-safe, users should immediately move leftover coins to a fresh, never-before-used address. The quantum computer can simply read the now-exposed public key from the blockchain and compute the private key at its\u00a0leisure.<\/p>\n<p>Address reuse is unfortunately very common in practice. Merchants, exchanges, and many users often publish a single static address for convenience, donations, or payment processing. The Google Quantum AI whitepaper estimates that address reuse currently exposes roughly 5 million BTC to quantum risk [1]. This figure includes not only ordinary user wallets but also large holdings on centralized exchanges and services that rely on address reuse for operational efficiency.<\/p>\n<p>Once reuse occurs, the protection of the hash is permanently lost. Even if the user stops reusing the address afterward, any coins that remain at that address are now permanently exposed to future quantum computers.<\/p>\n<p><strong>Real-World Impact and Best Practices<\/strong><\/p>\n<p>For ordinary Bitcoin users, the rule is straightforward:<\/p>\n<p>Always use a fresh, never-before-used address when receiving funds.<\/p>\n<p>Avoid publishing static addresses for donations or recurring payments when possible.<\/p>\n<p>Hierarchical Deterministic (HD) wallets make this easy by automatically generating new addresses.<\/p>\n<p>For businesses and exchanges, the trade-off is more difficult. Static addresses simplify accounting, customer experience, and proof-of-reserves procedures. However, in a post-quantum world, this convenience comes with significant risk. 
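<\/p>\n<p>As an added example (not code from the Google or Oratomic papers, nor from any wallet project), the following Python audit applies the exposure rules from 7.1, 8.1 and this subsection to a list of outputs: it recognises the standard scriptPubKey templates, treats P2PK, bare P2MS and P2TR as exposed on receipt, treats hash-based outputs as exposed only once spent from, and totals how much of a constructed UTXO set already has a public key readable on-chain. P2SH is included in the hash-until-spent class although the text does not list it; every key, hash and amount below is a constructed placeholder.<\/p>

```python
"""Quantum at-rest exposure audit for Bitcoin outputs (added example, constructed data).
Two classes follow from the script-type discussion in the text: exposed on receipt
(a secp256k1 public key sits in the output script: P2PK, bare P2MS, the tweaked key in
P2TR) and exposed if spent (only a hash is on-chain until the first spend: P2PKH, P2SH,
P2WPKH, P2WSH)."""
from dataclasses import dataclass

OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUAL = 0x76, 0xA9, 0x87
OP_EQUALVERIFY, OP_CHECKSIG, OP_CHECKMULTISIG = 0x88, 0xAC, 0xAE

TEMPLATES = {  # fixed-shape templates as opcode sequences (a push opcode equals its data length)
    (OP_DUP, OP_HASH160, 20, OP_EQUALVERIFY, OP_CHECKSIG): "P2PKH",  # hash160 of the key
    (OP_HASH160, 20, OP_EQUAL): "P2SH",                              # hash160 of a redeem script
    (OP_0, 20): "P2WPKH",                                            # segwit v0, 20-byte program
    (OP_0, 32): "P2WSH",                                             # segwit v0, 32-byte program
    (OP_1, 32): "P2TR",                                              # segwit v1: tweaked key itself
}
EXPOSED_ON_RECEIPT = {"P2PK", "P2MS", "P2TR"}
EXPOSED_IF_SPENT = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}

def _is_pubkey(data: bytes) -> bool:  # SEC key: 33 bytes (02/03 prefix) or 65 bytes (04 prefix)
    return (len(data) == 33 and data[0] in (2, 3)) or (len(data) == 65 and data[0] == 4)

def _tokenize(script: bytes) -> list:
    """Split a script into (opcode, pushed_data) pairs; only direct pushes (1..75) are decoded."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            data = script[i:i + op]
            if len(data) != op:
                raise ValueError("truncated push in script")
            items.append((op, data))
            i += op
        else:
            items.append((op, b""))
    return items

def script_type(script_hex: str) -> str:
    """Return the standard template name for a scriptPubKey, or NONSTANDARD."""
    items = _tokenize(bytes.fromhex(script_hex))
    ops = tuple(op for op, _ in items)
    if len(items) == 2 and _is_pubkey(items[0][1]) and ops[1] == OP_CHECKSIG:
        return "P2PK"  # <pubkey> OP_CHECKSIG: the key is the output script
    if ops in TEMPLATES:
        return TEMPLATES[ops]
    if (len(items) >= 4 and OP_1 <= ops[0] <= OP_16 and OP_1 <= ops[-2] <= OP_16
            and ops[-1] == OP_CHECKMULTISIG):  # OP_m <pk>... OP_n OP_CHECKMULTISIG
        keys = items[1:-2]
        if len(keys) == ops[-2] - OP_1 + 1 and all(_is_pubkey(d) for _, d in keys):
            return "P2MS"
    return "NONSTANDARD"

@dataclass
class Exposure:
    script_type: str
    key_visible: bool  # can a public key already be read from chain data?
    reason: str

def at_rest_exposure(script_hex: str, spent_from: bool) -> Exposure:
    """Apply the two-class rule; spent_from records whether the address was ever spent from."""
    kind = script_type(script_hex)
    if kind in EXPOSED_ON_RECEIPT:
        return Exposure(kind, True, "public key is in the output script itself")
    if kind in EXPOSED_IF_SPENT:
        if spent_from:
            return Exposure(kind, True, "address was spent from; key revealed in the unlocking script")
        return Exposure(kind, False, "only a hash is on-chain; stays unexposed while never spent from")
    return Exposure(kind, True, "non-standard script; treat as exposed until reviewed by hand")

def audit_utxos(utxos) -> tuple:
    """utxos: iterable of (script_hex, amount_sat, spent_from) -> (exposed_sat, hidden_sat, rows)."""
    exposed = hidden = 0
    rows = []
    for script_hex, amount_sat, spent_from in utxos:
        e = at_rest_exposure(script_hex, spent_from)
        rows.append((e.script_type, amount_sat, e.key_visible, e.reason))
        if e.key_visible:
            exposed += amount_sat
        else:
            hidden += amount_sat
    return exposed, hidden, rows

PK_C = "02" + "11" * 32  # constructed placeholder keys and hashes, not real chain data
PK_U = "04" + "22" * 64  # uncompressed key, as in early P2PK coinbase outputs
H160 = "33" * 20
H256 = "44" * 32
SAMPLE_UTXOS = [
    ("41" + PK_U + "ac", 5_000_000_000, False),  # P2PK: never spent, key exposed anyway
    ("0014" + H160, 100_000, False),             # fresh P2WPKH: hash only
    ("0014" + H160, 250_000, True),              # reused P2WPKH: key revealed by an earlier spend
    ("5120" + H256, 80_000, False),              # P2TR: tweaked key on-chain on receipt
    ("76a914" + H160 + "88ac", 40_000, False),   # P2PKH, never spent from
    ("51" + "21" + PK_C + "21" + "03" + "55" * 32 + "52ae", 10_000, False),  # 1-of-2 bare P2MS
]

if __name__ == "__main__":
    for kind, sats, visible, why in audit_utxos(SAMPLE_UTXOS)[2]:
        print(f"{kind:<7} {sats:>13,} sat  {'EXPOSED' if visible else 'hidden '}  {why}")
```

<p>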
The Google paper notes that many of the largest Bitcoin holders on the network are linked to major exchanges that have historically reused addresses [1].<\/p>\n<p>BIP-360 (Pay-to-Merkle-Root), once activated, will improve the situation for new addresses by removing the key-path exposure present in Taproot, making fresh P2MR addresses even more quantum-resistant. However, it does not retroactively protect already-reused or legacy addresses.<\/p>\n<p>Using fresh addresses currently provides meaningful real-world protection against at-rest quantum attacks. Address reuse is the single largest avoidable vulnerability in the Bitcoin ecosystem today. While not a complete solution (on-spend attacks would still be possible with fast-clock machines), consistently using fresh addresses is one of the simplest and most effective defenses users can adopt right now while the network works toward full post-quantum upgrades.<\/p>\n<p>The next subsection examines the more urgent, real-time threat: on-spend attacks on active transactions.<\/p>\n<h4>8.3 On-Spend Risks to Active Transactions<\/h4>\n<p>While at-rest attacks target coins that have already had their public keys exposed for a long time, on-spend attacks represent the most immediate and operationally disruptive quantum threat to Bitcoin. These attacks aim to steal funds in real time while a legitimate transaction is still sitting in the public mempool\u200a\u2014\u200athe temporary, publicly visible queue where unconfirmed transactions wait to be included in a\u00a0block.<\/p>\n<p>The attack proceeds as follows. When a user broadcasts a standard Bitcoin transaction, it enters the public mempool so that miners and nodes across the network can verify and eventually include it in a block. For nearly all common address types (P2PKH, P2WPKH, P2WSH, and P2TR), the public key must be revealed in the unlocking script at this stage so the network can check the digital signature. 
As soon as the public key appears in the mempool, a quantum attacker with a fast-clock machine can extract it, run Shor\u2019s algorithm to derive the private key, and then rapidly create and broadcast a competing \u201cforged\u201d transaction that sends the same coins to the attacker\u2019s own wallet. By offering a significantly higher transaction fee, the attacker can incentivize miners to include their forged transaction first. If successful, the original user\u2019s transaction is rejected, and the funds are stolen before they are ever confirmed on the blockchain [1].<\/p>\n<p>The Google Quantum AI whitepaper makes this scenario alarmingly realistic. Their optimized circuits show that a superconducting (fast-clock) quantum computer with fewer than 500,000 physical qubits could solve an ECC-256 key in approximately nine minutes. Because Bitcoin\u2019s average block time is about ten minutes, this speed is fast enough for the attacker to potentially front-run many ordinary transactions. 
The paper notes that the attacker can pre-compute part of the algorithm in advance and simply wait for a public key to appear in the mempool, reducing the effective time needed even further\u00a0[1].<\/p>\n<p>Several factors make on-spend attacks particularly dangerous in practice:<\/p>\n<p>The attacker can engage the victim in a \u201cReplace-By-Fee\u201d (RBF) bidding war, rationally offering extremely high fees because they are stealing funds they do not\u00a0own.<\/p>\n<p>An attacker could artificially congest the mempool with their own high-fee transactions to buy extra time for the quantum computation to\u00a0finish.<\/p>\n<p>The attack works against virtually all standard transaction types once the public key is revealed in the\u00a0mempool.<\/p>\n<p>The Google paper estimates that, under realistic conditions, a nine-minute quantum attack would have a meaningful probability of success against typical Bitcoin transactions, especially during periods of normal or low network congestion [1].<\/p>\n<p>Importantly, on-spend attacks are only possible with fast-clock quantum architectures. Slow-clock systems, such as the neutral-atom machines described in the Oratomic paper, are far too slow\u200a\u2014\u200ataking roughly ten days per key\u200a\u2014\u200ato execute this type of real-time theft. This means the on-spend threat is specifically tied to the scaling of fast-clock superconducting hardware\u00a0[2].<\/p>\n<p>Currently, there is no built-in default protection against on-spend attacks on Bitcoin mainnet. Some advanced users can reduce risk by using private mempool services (sending transactions directly to miners or builders instead of the public mempool) or commit-reveal schemes, but these are only partial and temporary measures. 
They add complexity and do not eliminate the underlying vulnerability.<\/p>\n<p>In summary, on-spend attacks turn Bitcoin\u2019s greatest strength\u200a\u2014\u200aits open, decentralized, and transparent transaction broadcast mechanism\u200a\u2014\u200ainto a critical vulnerability. The Google paper\u2019s nine-minute estimate shows that once fast-clock cryptographically relevant quantum computers exist, active Bitcoin transactions will no longer be safe. This real-time theft risk, combined with the large volume of at-rest vulnerable coins, is why the March 2026 papers have been viewed as such an urgent wake-up call for the Bitcoin ecosystem.<\/p>\n<h4>8.4 Second-Order Effects on Mining, Consensus, and Ecosystem Confidence<\/h4>\n<p>Beyond the direct risk of stolen coins, quantum attacks would create significant second-order effects that could destabilize Bitcoin\u2019s mining economy, consensus mechanism, and overall ecosystem confidence. These indirect consequences may ultimately prove as damaging as the thefts themselves.<\/p>\n<p><strong>Impact on Mining Economics and Difficulty Adjustment<\/strong><\/p>\n<p>If quantum computers begin successfully executing at-rest or on-spend attacks, the market would likely react with panic selling and a sharp drop in Bitcoin\u2019s price. Mining profitability is directly tied to the fiat value of block rewards and transaction fees. A sudden and sustained price collapse would make many mining operations unprofitable almost overnight.<\/p>\n<p>Bitcoin\u2019s difficulty adjustment algorithm recalibrates every 2,016 blocks (roughly every two weeks), and a single adjustment can lower difficulty by at most a factor of four. This slow response creates a dangerous lag: mining revenue in fiat terms could collapse within hours, but difficulty would remain at its pre-crisis level until the next retarget. Miners operating at a loss would switch off, and because difficulty still assumes the departed hashrate, blocks would arrive more slowly and the retarget itself would be delayed (if half the hashrate leaves, blocks average about twenty minutes and the rest of the epoch takes roughly twice as long). 
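<\/p>\n<p>The race described in 8.3 is a nine-minute computation against a ten-minute average block interval, and the paragraph above adds that a falling hashrate stretches that interval until the next retarget. The following Python model, added here as an illustration and not taken from the Google or Oratomic papers, puts numbers on both points. It assumes Poisson block arrivals (memoryless exponential inter-block times, the standard model for proof-of-work) and that the victim\u2019s transaction would otherwise confirm in the k-th block; the function names, the 540-second attack time and the hashrate fractions are this example\u2019s own choices.<\/p>
```python
"""Model of the on-spend race between quantum key recovery and block confirmation.

Assumption (stated in the text above): blocks arrive as a Poisson process, so the
time until the k-th block is Erlang(k, 1/mean_block_seconds). Added illustration
with constructed parameters, not code from any cited paper.
"""
import math
import random

TARGET_BLOCK_SECONDS = 600.0  # Bitcoin's difficulty target: one block per ten minutes


def p_attacker_first(attack_seconds: float, blocks_to_confirm: int = 1,
                     mean_block_seconds: float = TARGET_BLOCK_SECONDS) -> float:
    """Probability that the victim's transaction is still unconfirmed when the
    attacker's forged transaction is ready, i.e. P(T_k > attack_seconds), where
    T_k is the arrival time of the k-th block.

    For Poisson arrivals, P(T_k > t) = P(fewer than k blocks in time t)
                                     = sum_{i<k} e^{-x} x^i / i!,   x = t / mean.
    """
    if blocks_to_confirm < 1:
        raise ValueError("the victim's transaction must be waiting for at least one block")
    x = attack_seconds / mean_block_seconds
    return math.exp(-x) * sum(x ** i / math.factorial(i) for i in range(blocks_to_confirm))


def block_seconds_after_hashrate_drop(fraction_remaining: float,
                                      target: float = TARGET_BLOCK_SECONDS) -> float:
    """Expected block interval until the next 2016-block retarget: difficulty is
    fixed within the epoch, so the interval scales inversely with hashrate."""
    if not 0.0 < fraction_remaining <= 1.0:
        raise ValueError("fraction_remaining must be in (0, 1]")
    return target / fraction_remaining


def simulate_attacker_first(attack_seconds: float, blocks_to_confirm: int = 1,
                            mean_block_seconds: float = TARGET_BLOCK_SECONDS,
                            trials: int = 50_000, seed: int = 1) -> float:
    """Monte Carlo cross-check of p_attacker_first with a fixed seed."""
    rng = random.Random(seed)
    rate = 1.0 / mean_block_seconds
    wins = 0
    for _ in range(trials):
        t_k = sum(rng.expovariate(rate) for _ in range(blocks_to_confirm))
        if t_k > attack_seconds:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    google_fast_clock = 9 * 60          # ~9 minutes per key (Google estimate)
    oratomic_slow_clock = 10 * 86400    # ~10 days per key (Oratomic estimate)
    for label, secs in (("fast-clock 9 min", google_fast_clock),
                        ("slow-clock 10 days", oratomic_slow_clock)):
        for frac in (1.0, 0.5, 0.25):
            interval = block_seconds_after_hashrate_drop(frac)
            p = p_attacker_first(secs, 1, interval)
            print(f"{label:>18}  hashrate x{frac:<4}  block interval {interval:6.0f}s  "
                  f"P(attacker first) = {p:.3f}")
```
<p>With the default 600-second interval, a 540-second key recovery finishes before the next block about 41% of the time; if half the hashrate has switched off and difficulty has not yet retargeted, the same attack succeeds about 64% of the time. A ten-day neutral-atom computation wins with probability indistinguishable from zero, which is the quantitative form of the claim that slow-clock machines matter only for at-rest attacks.<\/p>\n<p>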
Reduced hashrate would slow block production, lengthen confirmation times, and make on-spend attacks even easier to\u00a0execute: every extra minute a victim\u2019s transaction waits in the mempool is another minute for the key-recovery computation to finish.<\/p>\n<p><strong>Chain Reorganizations and Miner Extractable Value (speculative, but logically plausible)<\/strong><\/p>\n<p>Quantum attackers could also exploit their ability to derive private keys quickly to create new forms of Miner Extractable Value (MEV). For example, an attacker might offer miners substantial bribes (in the form of high-fee transactions) to deliberately orphan blocks that contain high-value legitimate transactions. By causing a chain reorganization, the attacker could cancel the original transaction and insert their own forged one. This would introduce a new and dangerous form of MEV that incentivizes miners to collude with quantum\u00a0thieves.<\/p>\n<p>Such reorganizations would undermine one of Bitcoin\u2019s core security assumptions: that transactions become increasingly final as they are buried under more blocks. One caveat keeps this in proportion: a quantum computer does not help with the reorganization itself. Rewriting buried blocks still requires a majority of the hashrate to build a longer competing chain, so the attacker\u2019s lever is bribery funded by stolen coins, which a shrunken and unprofitable hashrate makes cheaper to buy. In a quantum-active world, even deeply confirmed transactions could therefore become reversible if a well-funded attacker and cooperative miners decide to rewrite\u00a0history.<\/p>\n<p><strong>Erosion of Ecosystem Confidence<\/strong><\/p>\n<p>Perhaps the most serious second-order effect is the potential loss of public and institutional confidence. Bitcoin\u2019s value and adoption rest heavily on the perception that it\u2019s a secure, immutable store of value. Widespread quantum theft\u200a\u2014\u200aeven if limited to reused addresses or dormant coins\u200a\u2014\u200awould shatter that perception. News of large-scale thefts would likely trigger panic selling, reduced merchant acceptance, and a flight of capital to perceived safer\u00a0assets.<\/p>\n<p>This loss of confidence could also fracture the Bitcoin community. 
Debates over how to handle vulnerable dormant assets (burn, hourglass rate-limiting, or a \u201cbad sidechain\u201d solution) could lead to contentious hard forks, further damaging trust and splitting liquidity. Exchanges and custodians might face massive withdrawals or even solvency issues if they hold significant exposed\u00a0funds.<\/p>\n<p><strong>Proof-of-Work Consensus Remains Indirectly Vulnerable<\/strong><\/p>\n<p>It is worth noting that Bitcoin\u2019s Proof-of-Work consensus mechanism itself is not directly threatened by quantum computers. Grover\u2019s algorithm offers only a quadratic speedup for mining, which is almost entirely erased by the overhead of quantum error correction. The Google paper explicitly states that quantum mining remains \u201cscience fiction\u201d in any realistic timeframe [1]. However, the economic effects of quantum theft could indirectly weaken the consensus layer by making mining unprofitable and reducing hashrate, thereby making the network more susceptible to other attacks during periods of low security.<\/p>\n<p>In summary, quantum attacks would not only steal coins directly but would also create cascading economic, technical, and social effects. These second-order consequences\u200a\u2014\u200aslowed block production, increased reorganizations, eroded confidence, and potential community fractures\u200a\u2014\u200acould threaten Bitcoin\u2019s long-term viability even more than the thefts themselves. This is why the Google paper urges immediate action on both technical mitigations and broader policy considerations. The following section examines the specific upgrades and proposals Bitcoin is already developing to address these\u00a0risks.<\/p>\n<h3>IX. 
Bitcoin\u2019s Current and Proposed Mitigations<\/h3>\n<h4>9.1 Intermediate Fixes: BIP-360 (Pay-to-Merkle-Root \/\u00a0P2MR)<\/h4>\n<p>One of the most practical and near-term improvements currently under discussion in the Bitcoin community is BIP-360, which introduces a new output script type called Pay-to-Merkle-Root (P2MR). Currently in Draft status, BIP-360 is designed as a simple, low-disruption soft fork that directly addresses one of Bitcoin\u2019s most glaring quantum vulnerabilities: the exposure of a public key in every Taproot output.<\/p>\n<p>BIP-360 is essentially a \u201cquantum-hardened\u201d version of Taproot (P2TR). It keeps most of Taproot\u2019s privacy and efficiency benefits but removes the vulnerable \u201ckey path spend\u201d. In P2TR the 32-byte output program is itself a (tweaked) public key, so a key is on-chain from the moment the output is created. P2MR instead commits only to the Merkle root of the script tree. When the coins are eventually spent, the spender reveals one script leaf together with its Merkle proof; the public key inside that leaf becomes visible only at the moment of spending, and the other leaves remain hidden behind their hashes\u00a0[12].<\/p>\n<h4>9.1.1 What It Solves (At-Rest Protection for New Addresses)<\/h4>\n<p>The primary benefit of BIP-360 is strong protection against <strong><em>at-rest attacks<\/em><\/strong> for all newly created addresses.<\/p>\n<p>When coins are sent to a fresh P2MR address, only a Merkle root is recorded on the blockchain. The public key itself remains hidden. A quantum computer therefore has no public key to attack with Shor\u2019s algorithm. This protection holds even if the address is reused multiple times for receiving funds, because receiving reveals nothing about the leaves.<\/p>\n<p>Spending is where care is needed. Revealing a leaf exposes the key inside it, and that exposure applies to <strong><em>every unspent output locked to the same Merkle root<\/em><\/strong>, so a P2MR address that has been spent from once is no safer than a reused legacy address. Wallets should therefore send change and any remaining funds to a <strong><em>fresh P2MR output in the same transaction<\/em><\/strong> rather than back to the address being spent from. That practice, combined with P2MR\u2019s key-less output, avoids the Taproot-style regression in which a public key is exposed before any spend takes place. 
As a result, leftover coins stay protected from at-rest attacks as long as they are sent to new P2MR outputs\u00a0[12].<\/p>\n<p>Once activated, any Bitcoin sent to new P2MR addresses (bc1z\u2026 format) would be significantly safer from at-rest quantum theft. This is a meaningful improvement over today\u2019s Taproot addresses, which the Google paper explicitly called a \u201csecurity regression\u201d from a quantum perspective because they expose a public key by default\u00a0[1].<\/p>\n<p>BIP-360 is intentionally designed to be an intermediate fix\u200a\u2014\u200asomething that can be deployed relatively quickly through a soft fork without requiring a full post-quantum signature scheme. It improves quantum resistance for new coins while the more complex work on hash-based signatures (such as SHRINCS) continues.<\/p>\n<h4>9.1.2 What It Does Not Solve (On-Spend and Legacy\u00a0Coins)<\/h4>\n<p>Despite its benefits, BIP-360 is only a partial solution.<\/p>\n<ul>\n<li><strong><em>On-spend attacks remain possible.<\/em><\/strong> When a user eventually spends from a P2MR address, the revealed script leaf and its signature appear in the mempool, and that leaf still authorizes the spend with a secp256k1 signature. A fast-clock quantum computer could therefore still derive the private key in time to steal the funds before confirmation.<\/li>\n<li><strong><em>Legacy and dormant coins are unaffected.<\/em><\/strong> BIP-360 only creates a new output type. All existing UTXOs\u200a\u2014\u200aincluding the ~1.7 million BTC in old P2PK scripts, reused addresses, and existing P2TR outputs\u200a\u2014\u200aremain exactly as vulnerable as they are today. The only way to protect those coins is for their owners to spend them to new P2MR (or future post-quantum) outputs.<\/li>\n<\/ul>\n<p>BIP-360 significantly reduces at-rest risk for future coins and new users, but it does not retroactively fix the large pool of already-exposed legacy coins, nor does it eliminate the real-time on-spend threat. 
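<\/p>\n<p>To make the at-rest and on-spend distinction in 9.1.1 and 9.1.2 concrete, the following Python illustration (added here; it is not code from BIP-360 or from any wallet) builds a script-tree commitment, verifies a script-path reveal, and reports which public keys an observer can see before and after a spend. It borrows the TapLeaf and TapBranch tagged-hash construction from BIP 341 for the tree, which is an assumption about how a P2MR tree is hashed; BIP-360 itself is normative for the encoding. The 32-byte keys are constructed placeholders rather than real secp256k1 points, and names such as build_tree and keys_exposed are this example\u2019s own.<\/p>
```python
"""Script-tree commitment: what an output reveals before and after a spend.

Added illustration. Tree hashing follows BIP 341's TapLeaf/TapBranch tagged hashes
(an assumption about P2MR; BIP-360 is normative). Keys below are constructed
32-byte placeholders, not real secp256k1 points.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

TAPSCRIPT_LEAF_VERSION = 0xC0
OP_CHECKSIG = 0xAC


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin's variable-length integer, used here to prefix the script length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def tapleaf_hash(script: bytes) -> bytes:
    return tagged_hash("TapLeaf", bytes([TAPSCRIPT_LEAF_VERSION]) + compact_size(len(script)) + script)


def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))  # BIP 341 sorts children, so proofs carry no left/right flag
    return tagged_hash("TapBranch", lo + hi)


def checksig_leaf(xonly_key: bytes) -> bytes:
    """Leaf script `<32-byte key> OP_CHECKSIG`: push opcode 0x20, key, OP_CHECKSIG."""
    assert len(xonly_key) == 32
    return bytes([0x20]) + xonly_key + bytes([OP_CHECKSIG])


def key_in_leaf(script: bytes) -> bytes:
    """The key an observer learns when a checksig leaf is revealed."""
    return script[1:33]


def build_tree(scripts: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Return (merkle_root, proofs); proofs[i] is the sibling path for scripts[i].
    An odd node is carried up unchanged, as in BIP 341."""
    level = [tapleaf_hash(s) for s in scripts]
    owners = [[i] for i in range(len(scripts))]      # leaves beneath each node
    proofs: List[List[bytes]] = [[] for _ in scripts]
    while len(level) > 1:
        nxt, nxt_owners = [], []
        for j in range(0, len(level) - 1, 2):
            a, b = level[j], level[j + 1]
            for leaf in owners[j]:
                proofs[leaf].append(b)
            for leaf in owners[j + 1]:
                proofs[leaf].append(a)
            nxt.append(tapbranch_hash(a, b))
            nxt_owners.append(owners[j] + owners[j + 1])
        if len(level) % 2 == 1:
            nxt.append(level[-1])
            nxt_owners.append(owners[-1])
        level, owners = nxt, nxt_owners
    return level[0], proofs


def verify_script_path(root: bytes, script: bytes, proof: List[bytes]) -> bool:
    """What a node checks at spend time: leaf plus proof must recompute the root."""
    node = tapleaf_hash(script)
    for sibling in proof:
        node = tapbranch_hash(node, sibling)
    return node == root


def keys_exposed(output_commitment: bytes, revealed: Optional[Dict[str, object]]) -> List[bytes]:
    """Public keys an observer could feed to Shor's algorithm.
    At rest only the 32-byte root is on-chain (no key). After a spend, exactly the
    revealed leaf's key is public; sibling leaves remain hashes."""
    if revealed is None:
        return []
    assert verify_script_path(output_commitment, revealed["script"], revealed["proof"])
    return [key_in_leaf(revealed["script"])]


# Constructed placeholder keys (NOT real curve points) for a four-leaf tree.
KEYS = [hashlib.sha256(f"constructed key {i}".encode()).digest() for i in range(4)]
SCRIPTS = [checksig_leaf(k) for k in KEYS]
ROOT, PROOFS = build_tree(SCRIPTS)

if __name__ == "__main__":
    print("on-chain commitment (at rest):", ROOT.hex())
    print("keys exposed at rest:", keys_exposed(ROOT, None))
    spend = {"script": SCRIPTS[2], "proof": PROOFS[2]}
    print("keys exposed by spending leaf 2:", [k.hex() for k in keys_exposed(ROOT, spend)])
```
<p>Before any spend, the chain holds only the 32-byte root and keys_exposed returns nothing for Shor\u2019s algorithm to work on. Spending leaf 2 reveals exactly one key; leaves 0, 1 and 3 remain hashes. The same reveal is valid against every output committed to this root, which is the address-reuse point made above: once one output has been spent from, any other UTXO sharing the root is exposed through that leaf.<\/p>\n<p>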
BIP-360 is widely viewed as a valuable \u201cquick win\u201d and a stepping stone toward fuller post-quantum security.<\/p>\n<p>The next subsection examines the more comprehensive, long-term solution being developed by Blockstream Research.<\/p>\n<h4>9.2 Full Post-Quantum Solution: Blockstream Research\u2019s December 2025 Paper and SHRINCS Hash-Based Signatures<\/h4>\n<p>While intermediate measures like BIP-360 can provide meaningful near-term protection for new addresses, the only complete, long-term solution to Bitcoin\u2019s quantum vulnerability is to replace the current elliptic curve signatures (ECDSA and Schnorr) with quantum-resistant alternatives. The most advanced and Bitcoin-specific proposal currently under active development is SHRINCS, introduced in a December 5, 2025 paper by Mikhail Kudinov and Jonas Nick of Blockstream Research\u00a0[13].<\/p>\n<p>SHRINCS is an optimized, hash-based post-quantum signature scheme derived from SPHINCS+, the algorithm NIST standardized as SLH-DSA in FIPS 205 (2024). Unlike elliptic curve cryptography, which relies on the hardness of the discrete logarithm problem, hash-based signatures rely only on the security of cryptographic hash functions (the same primitives already used extensively in Bitcoin for Proof-of-Work and address hashing). 
Because no quantum algorithm is known to break a well-designed hash function beyond the quadratic speedup of Grover\u2019s algorithm (which turns a 2^256 pre-image search into roughly 2^128 quantum operations, still far out of reach, and is eroded further by error-correction overhead), hash-based signatures are considered quantum-resistant under current knowledge.<\/p>\n<p>The Blockstream team specifically tuned SHRINCS for Bitcoin\u2019s constraints:<\/p>\n<ul>\n<li>Signature sizes are reduced to approximately 3\u20134 KB (significantly smaller than the standard SPHINCS+ parameter sets).<\/li>\n<li>It supports hierarchical deterministic (HD) wallets, multi-signature schemes, and threshold signatures.<\/li>\n<li>It is designed to work cleanly within Taproot\u2019s script tree structure, allowing it to be introduced via a soft fork with minimal disruption.<\/li>\n<\/ul>\n<p>Once implemented on Bitcoin mainnet, SHRINCS would remove the ECDLP dependency entirely for coins that use it. Any coins moved to addresses using SHRINCS signatures would be protected from both at-rest and on-spend quantum attacks for as long as the underlying hash function remains secure, however powerful future quantum computers become.<\/p>\n<h4>9.2.1 Progress on Liquid Sidechain (March 2026 Live\u00a0Testing)<\/h4>\n<p>Blockstream has not waited for mainnet activation to begin real-world testing. In March 2026\u200a\u2014\u200aonly three months after the original paper\u200a\u2014\u200athe team successfully deployed and broadcast the <strong><em>first live post-quantum signed transactions <\/em><\/strong>on the Liquid Network, Bitcoin\u2019s production sidechain. 
These transactions used SHRINCS signatures combined with Simplicity (Blockstream\u2019s new smart contract language) and are protecting real assets on a live, functioning blockchain.<\/p>\n<p>This test is highly significant for several\u00a0reasons:<\/p>\n<ul>\n<li>It demonstrates that SHRINCS is not just theoretical\u200a\u2014\u200ait works in a production environment with real economic\u00a0value.<\/li>\n<li>Liquid serves as a realistic testing ground that closely mirrors Bitcoin\u2019s consensus rules and transaction format.<\/li>\n<li>The successful deployment provides practical data on performance, signature sizes, and wallet integration that will inform the eventual mainnet proposal.<\/li>\n<\/ul>\n<p>A newer, more compact variant called <strong><em>SHRIMPS<\/em><\/strong> (with signatures around 2.5 KB and improved support for multiple devices sharing the same seed) was proposed shortly afterward [14]. The rapid appearance of SHRIMPS, along with the live SHRINCS deployment on Liquid, shows strong momentum and active development within the Bitcoin community toward practical post-quantum signatures.<\/p>\n<p>The Liquid implementation has already shown that SHRINCS can be integrated without breaking existing functionality and that the larger signature sizes are manageable within Liquid\u2019s higher block limits. This progress has given the Bitcoin developer community confidence that a full post-quantum signature upgrade is technically feasible.<\/p>\n<p>Blockstream\u2019s SHRINCS proposal, combined with its rapid move from paper to live testing on Liquid, represents the most mature and Bitcoin-native path to full quantum resistance. Once activated on mainnet via a soft fork, it would provide<strong><em> comprehensive protection against both at-rest and on-spend attacks for any coins<\/em><\/strong> that migrate to the new signature scheme. 
However, as discussed in subsection 9.2.3, even this powerful solution has important limitations when it comes to legacy and dormant\u00a0coins.<\/p>\n<h4>9.2.2 Why This Would Eliminate Both At-Rest and On-Spend\u00a0Attacks<\/h4>\n<p>The reason Blockstream\u2019s SHRINCS pro posal would provide complete, long-term protection against quantum attacks is both simple and powerful: it removes the exact mathematical problem that Shor\u2019s algorithm exploits.<\/p>\n<p>Current Bitcoin signatures (ECDSA and Schnorr) are built on the secp256k1 elliptic curve. Their security depends entirely on the hardness of the elliptic curve discrete logarithm problem (ECDLP). Shor\u2019s algorithm is specifically designed to solve the ECDLP efficiently on a quantum computer, allowing an attacker to derive the private key from any public key. This is the root cause of both at-rest attacks (on already-exposed keys) and on-spend attacks (on keys revealed in the mempool).<\/p>\n<p>SHRINCS is a hash-based post-quantum signature scheme. It does not use elliptic curves or any discrete logarithm problem at all. Its security rests on the pre-image and second-pre-image resistance of cryptographic hash functions (the SPHINCS+ family is deliberately designed not to depend on collision resistance)\u200a\u2014\u200athe same kind of hashes Bitcoin already uses extensively for Proof-of-Work and address generation. No known quantum algorithm, including Shor\u2019s algorithm, can break a well-designed hash-based signature scheme in any practical way. The only relevant quantum algorithm is Grover\u2019s, which offers only a quadratic (square-root) speedup for searching hash pre-images. 
When combined with the massive overhead of quantum error correction, this speedup becomes negligible and does not allow realistic key recovery or forgery\u00a0[13].<\/p>\n<p>Because the underlying hard problem (ECDLP) is completely eliminated, both major quantum attack vectors on Bitcoin are neutralized for any coins that use SHRINCS signatures:<\/p>\n<ul>\n<li><strong><em>At-rest attacks become infeasible.<\/em><\/strong> There is no elliptic-curve public key that a quantum computer can feed into Shor\u2019s algorithm. A hash-based public key is itself a hash commitment (the root of a tree of hashed one-time keys), so recovering a signing key from it would mean inverting the hash function. Even if the public key is fully visible on the blockchain for years, a quantum computer still cannot derive the private\u00a0key.<\/li>\n<li><strong><em>On-spend attacks are eliminated for the same reason.<\/em><\/strong> Even if a transaction is broadcast and the signature is visible in the public mempool, a quantum attacker cannot derive the private key quickly enough (or at all) to forge a competing transaction before confirmation. The nine-minute attack window that makes on-spend attacks feasible under Google\u2019s fast-clock estimates simply disappears.<\/li>\n<\/ul>\n<p>Once a soft fork activates support for SHRINCS and users migrate their coins to new quantum-safe addresses, those funds would be protected against both at-rest and on-spend quantum attacks for as long as the hash function holds, which no known quantum algorithm threatens. The protection does not rely on keeping public keys hidden\u200a\u2014\u200athe cryptography itself is quantum-resistant by\u00a0design.<\/p>\n<p>This is why SHRINCS is considered the full, long-term solution for Bitcoin. It does not merely reduce risk; it removes the root cryptographic vulnerability that makes quantum attacks possible in the first place. 
The successful live testing of SHRINCS on the Liquid sidechain in March 2026 has already shown that the scheme works in a real production-like environment, giving the community confidence that a mainnet rollout is technically achievable.<\/p>\n<p>However, as the next subsection explains, even this powerful upgrade has important limitations when it comes to legacy and dormant\u00a0coins.<\/p>\n<h4>9.2.3 Limitations for Legacy and Dormant\u00a0Coins<\/h4>\n<p>Although BIP-360 and SHRINCS represent major steps forward in quantum resistance, both solutions share a critical limitation: they cannot automatically protect <strong><em>legacy and dormant coins<\/em><\/strong> that already exist on the blockchain today. This is one of the most challenging aspects of Bitcoin\u2019s quantum transition and one that has no simple technical fix.<\/p>\n<p>The core issue is that both upgrades are forward-looking. BIP-360 creates a new, quantum-safer address type (P2MR), and SHRINCS introduces a new quantum-resistant signature scheme. These protections only apply to coins that are deliberately moved into the new scripts or signatures. Any UTXOs that remain in their original vulnerable scripts\u200a\u2014\u200aespecially the old P2PK outputs from 2009\u20132010\u200a\u2014\u200astay exactly as exposed as they are today. Neither upgrade can retroactively rewrite or secure coins that have already been locked using quantum-vulnerable cryptography.<\/p>\n<p><strong><em>Satoshi\u2019s coins and other early P2PK outputs<\/em><\/strong> illustrate this problem most clearly. These coins, which total over 1.7 million BTC (and up to 2.3 million BTC when including all vulnerable dormant scripts), were created using Pay-to-Public-Key (P2PK) scripts. In P2PK, the full public key is recorded directly on the blockchain the moment the coins are mined. Because these coins have never been spent, their public keys have been openly visible for 16+ years. 
Even after SHRINCS is activated on mainnet, these coins will remain fully vulnerable to at-rest quantum attacks. A quantum computer can simply read the exposed public key from any old block and derive the private key at any time\u00a0[1].<\/p>\n<p>For coins that are still spendable (i.e., the owner still controls the private key), the only way to gain protection is through manual migration. The owner must actively create a transaction that spends the legacy coins and sends them to a new quantum-safe address (either a P2MR address or, once available, a SHRINCS-based address). This process is straightforward for active users but becomes impossible for truly lost or abandoned coins whose private keys no longer\u00a0exist.<\/p>\n<p>This creates a difficult situation for the roughly 2.3 million BTC estimated to be dormant and quantum-vulnerable. Many of these coins\u200a\u2014\u200aincluding a significant portion of the early Satoshi-era rewards\u200a\u2014\u200aare believed to have lost keys. No signature upgrade, soft fork, or technical improvement can protect them because there is no living owner who can move them. If a cryptographically relevant quantum computer becomes available, these assets will eventually be stolen by whoever can derive the private keys first. The Google paper notes that this pool of permanently exposed, un-migratable coins represents a fixed, high-value target that cannot be fixed through normal protocol upgrades\u00a0[1].<\/p>\n<p>Because of this, dealing with truly abandoned legacy coins may ultimately require <strong><em>hard-fork-level changes or policy-level solutions<\/em><\/strong>. 
Possible approaches discussed across Bitcoin research, crypto-economic theory, and adjacent policy discussions include:<\/p>\n<ul>\n<li>A \u201cburn\u201d mechanism that renders these coins permanently unspendable after a certain\u00a0date.<\/li>\n<li>A hypothetical rate-limiting or time-based restriction system that would allow these coins to be spent only very slowly over\u00a0time.<\/li>\n<li>A sidechain-based migration or recovery mechanism where coins could be moved under alternative validation rules using off-chain proofs (such as cryptographic proofs of ownership, seed recovery evidence, or other verifiable attestations).<\/li>\n<li>Policy responses from governments, such as treating the assets as abandoned property subject to regulated digital\u00a0salvage.<\/li>\n<\/ul>\n<p>None of these options are simple or uncontroversial. They would likely require broad community consensus and could lead to contentious debates or even chain splits. Until such decisions are made, the large pool of legacy and dormant coins remains one of Bitcoin\u2019s most intractable quantum vulnerabilities.<\/p>\n<p>While BIP-360 and SHRINCS can fully protect new coins and actively managed funds, they offer no automatic protection for the millions of BTC locked in old, exposed scripts\u200a\u2014\u200aparticularly the early P2PK coins that have never been spent. This limitation highlights why the quantum transition for Bitcoin is not just a technical challenge but also a social, economic, and potentially policy-level one. The next subsection looks at emergency rescue mechanisms proposed for old dormant coins, and subsection 9.4 discusses the practical next steps for bringing these upgrades to Bitcoin\u00a0mainnet.<\/p>\n<h4>9.2.4 Possible Solutions for Old Dormant\u00a0Coins<\/h4>\n<p>Bitcoin developers have begun exploring emergency \u201crescue\u201d mechanisms that could be activated only in a genuine quantum crisis. The most advanced proposal so far comes from Lightning Labs CTO Olaoluwa Osuntokun. 
On April 8, 2026, he released a working zk-STARK escape hatch for BIP-32 wallets\u00a0[15].<\/p>\n<p>In an emergency soft fork that disables the vulnerable \u201ckeyspend\u201d path, Osuntokun\u2019s zero-knowledge proof lets the rightful owner prove (without revealing their seed or private keys) that a particular on-chain public key was derived from their BIP-32 seed using the standard rules. The owner can then safely move the coins via the remaining script-path. The proof is post-quantum secure, can be generated in roughly 50 seconds on a modern laptop, and fits inside a normal Bitcoin transaction.<\/p>\n<p>This mechanism works well for modern BIP-32\/BIP-86 wallets created from 2012 onward. However, it does not work for the very oldest raw P2PK coins from 2009\u2013early 2011, because those outputs were created before BIP-32 existed and have no derivation path to\u00a0prove.<\/p>\n<p>Osuntokun himself described the political dimension of any such emergency soft fork as \u201cthe giant political elephant in the room.\u201d Any proposal that would effectively freeze unrescuable pre-2012 coins would likely face a steep uphill battle, as it could be seen by many in the community as violating Bitcoin\u2019s core ethos of unfreezable money. For this reason, it might only be regarded as a true last-resort safety net rather than a likely path\u00a0forward.<\/p>\n<p>Nevertheless, Osuntokun\u2019s proposal has already begun an important conversation about practical rescue mechanisms for old dormant coins. It demonstrates that zero-knowledge or proof-based solutions are technically feasible today, and it opens the door for other, potentially less controversial approaches that could one day cover even the earliest 2009-era outputs. 
In the meantime, the clear priority among developers remains proactive upgrades (BIP-360 and SHRINCS) so that the number of exposed legacy coins keeps shrinking over time and the need for any emergency intervention never\u00a0arises.<\/p>\n<h4><strong>9.3 Alternative Short-Term Solutions Without Soft\u00a0Forks<\/strong><\/h4>\n<p>While BIP-360 and SHRINCS represent the primary paths being pursued by the Bitcoin developer community, other researchers are exploring creative ways to achieve quantum safety <strong><em>without any protocol change at\u00a0all<\/em><\/strong>.<\/p>\n<p>One notable recent proposal is <strong><em>QSB (\u201cQuantum-Safe Bitcoin\u201d)<\/em><\/strong>, introduced on April 9, 2026 by Avihu Mordechai Levy of StarkWare [16]. QSB builds on the earlier Binohash work and replaces its quantum-vulnerable signature-size puzzle with a hash-to-sig puzzle based purely on RIPEMD-160 pre-image resistance. The scheme uses Lamport\/HORS signatures inside legacy Bitcoin Script to create cryptographically strong transaction identifiers that remain secure even against Shor\u2019s algorithm.<\/p>\n<p>Because QSB operates entirely within existing consensus rules (legacy pre-SegWit scripts, 201-opcode limit, 10,000-byte script size), it requires no soft fork. Transactions using QSB are valid today, though they are non-standard and must typically be submitted directly to\u00a0miners.<\/p>\n<p>QSB demonstrates that quantum-safe spending of legacy UTXOs is technically possible right now. 
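<\/p>\n<p>Both SHRINCS (Section 9.2) and QSB rest on hash-based signatures, and QSB names the Lamport scheme explicitly. The following Python implementation is an added illustration of Lamport one-time signatures over SHA-256, not code from SHRINCS, QSB or Binohash; the HMAC-based seed derivation, the sample messages and the forge_digest helper are this example\u2019s own constructions. It shows why a verifier needs only hash preimages, which is what lets a scheme of this kind fit inside Bitcoin Script with hash-and-compare opcodes, and why the key is strictly one-time: two signatures under one key let an attacker sign any digest whose bits are all covered by the two revealed preimage sets.<\/p>
```python
"""Lamport one-time signatures over SHA-256 (added illustration).

Verification needs nothing but hashing and comparison, which is why hash-based
schemes can be expressed with Bitcoin Script's hash opcodes. The key is one-time:
reuse leaks preimages, and forge_digest() below shows the consequence.
Seeds, messages and the HMAC-based key derivation are constructed for this example.
"""
import hashlib
import hmac
from typing import List, Optional, Sequence, Tuple

N_BITS = 256                            # SHA-256 digest length: one key pair per bit
SecretKey = List[Tuple[bytes, bytes]]   # per bit: (preimage for 0, preimage for 1)
PublicKey = List[Tuple[bytes, bytes]]   # per bit: (H(preimage0), H(preimage1))


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(d: bytes) -> List[int]:
    """The 256 bits of a digest, most significant bit of each byte first."""
    return [(byte >> shift) & 1 for byte in d for shift in range(7, -1, -1)]


def keygen(seed: bytes) -> Tuple[SecretKey, PublicKey]:
    """Derive 2*256 secret preimages from a seed (HMAC-SHA256 as a PRF, a constructed
    choice); the public key is their hashes.
    Sizes: sk and pk are 512 * 32 = 16 KiB each, a signature is 256 * 32 = 8 KiB."""
    sk: SecretKey = []
    for i in range(N_BITS):
        s0 = hmac.new(seed, i.to_bytes(2, "big") + b"\x00", hashlib.sha256).digest()
        s1 = hmac.new(seed, i.to_bytes(2, "big") + b"\x01", hashlib.sha256).digest()
        sk.append((s0, s1))
    pk: PublicKey = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def sign_digest(sk: SecretKey, d: bytes) -> List[bytes]:
    """Reveal, for each digest bit, the preimage matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(d))]


def verify_digest(pk: PublicKey, d: bytes, sig: Sequence[bytes]) -> bool:
    """Hash each revealed preimage and compare with the committed hash for that bit."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(d)))


def sign(sk: SecretKey, message: bytes) -> List[bytes]:
    return sign_digest(sk, H(message))


def verify(pk: PublicKey, message: bytes, sig: Sequence[bytes]) -> bool:
    return verify_digest(pk, H(message), sig)


def forge_digest(pk: PublicKey, seen: Sequence[Tuple[bytes, Sequence[bytes]]],
                 target: bytes) -> Optional[List[bytes]]:
    """Attacker's view after key reuse: given (digest, signature) pairs made with one
    key, assemble a signature for `target` if every target bit was revealed by some
    signature; return None if any bit is uncovered. With two signatures the forgeable
    set has 2**(number of differing bits) digests. The attacker still needs a useful
    message hashing into that set, which is why Lamport is one-time (and HORS
    few-time) rather than instantly broken on reuse."""
    seen_bits = [(digest_bits(d), list(sig)) for d, sig in seen]
    forged: List[bytes] = []
    for i, want in enumerate(digest_bits(target)):
        for bits_d, sig in seen_bits:
            if bits_d[i] == want:
                forged.append(sig[i])
                break
        else:
            return None
    assert verify_digest(pk, target, forged)
    return forged


def mix_digests(d1: bytes, d2: bytes) -> bytes:
    """A digest inside the forgeable set: even bit positions from d1, odd from d2."""
    b1, b2 = digest_bits(d1), digest_bits(d2)
    out = bytearray(32)
    for i in range(N_BITS):
        bit = b1[i] if i % 2 == 0 else b2[i]
        out[i // 8] |= bit << (7 - i % 8)
    return bytes(out)


if __name__ == "__main__":
    sk, pk = keygen(b"constructed example seed")
    m1 = b"spend utxo#1 (constructed message)"
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), " tampered:", verify(pk, m1 + b"!", s1))
    m2 = b"spend utxo#2 (constructed message)"   # key REUSE: second signature
    s2 = sign(sk, m2)
    target = mix_digests(H(m1), H(m2))
    forged = forge_digest(pk, [(H(m1), s1), (H(m2), s2)], target)
    print("forgery after reuse succeeds:", forged is not None)
```
<p>verify() hashes 256 revealed preimages and compares them with the committed hashes, the hash-and-compare pattern that legacy Script can express with OP_SHA256 or OP_HASH160 followed by OP_EQUALVERIFY, and the reason a scheme like QSB can run under today\u2019s consensus rules. forge_digest() shows the cost of reuse: after two signatures from one key, every digest that mixes bits of the two signed digests is forgeable, which is why Lamport keys must never sign twice and why SPHINCS+-style schemes such as SHRINCS build many-time keys from trees of one-time keys instead of reusing any of them.<\/p>\n<p>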
However, the author himself describes it as a \u201clast-resort measure.\u201d Practical drawbacks include:<\/p>\n<ul>\n<li>High off-chain GPU cost (roughly $75\u2013$200 per transaction in the recommended configuration).<\/li>\n<li>Significantly more complex transaction generation and user experience.<\/li>\n<li>Limited applicability (bare scripts only; does not support SegWit, Taproot, or Lightning channels).<\/li>\n<li>Larger transaction sizes and non-standard relay behavior.<\/li>\n<\/ul>\n<p>QSB therefore serves as a useful emergency tool or proof-of-concept, but it is not a scalable, user-friendly replacement for the more comprehensive upgrades offered by BIP-360 and SHRINCS. Its existence nevertheless highlights the ingenuity of the Bitcoin technical community and the variety of approaches being explored in parallel.<\/p>\n<h4>9.4 Limitations and Next Steps for Bitcoin Core Mainnet\u00a0Adoption<\/h4>\n<p>While BIP-360 and SHRINCS represent promising technical paths toward quantum resistance, both upgrades still face significant practical, social, and consensus-related hurdles before they can be activated on Bitcoin\u2019s mainnet. These limitations reflect Bitcoin\u2019s conservative and decentralized governance model, which prioritizes stability and broad agreement over rapid\u00a0change.<\/p>\n<p>Both proposals are designed as<strong><em> soft forks<\/em><\/strong>, meaning they can be activated without splitting the chain or forcing all users to upgrade immediately. Non-upgraded nodes would see the new output type as an unknown witness version that they accept without validating, exactly as pre-SegWit and pre-Taproot nodes did for those upgrades, so they stay in consensus as long as a majority of hashrate enforces the new rules. This is a major advantage compared to hard forks. However, soft-fork activation still requires substantial community consensus, extensive review, and careful testing. 
Bitcoin\u2019s history shows that even relatively straightforward upgrades (such as SegWit in 2017) can take years of discussion and face opposition from those concerned about increased resource usage or changes to the protocol\u2019s minimalist ethos.<\/p>\n<p><strong>Key limitations include:<\/strong><\/p>\n<ul>\n<li><strong><em>Signature size and bandwidth concerns:<\/em><\/strong> SHRINCS signatures are larger (approximately 3\u20134 KB) than current ECDSA or Schnorr signatures (roughly 64\u201372 bytes). This increases block space usage and could reduce the overall transaction throughput of the network if widely adopted. Some Bitcoin developers worry that larger signatures could make running full nodes more expensive, potentially leading to greater centralization over\u00a0time.<\/li>\n<li><strong><em>Adoption inertia:<\/em><\/strong> Even after activation, users and businesses must actively migrate their coins to the new quantum-safe addresses and signatures. Many users and services may delay this migration due to cost, complexity, or simple\u00a0inertia.<\/li>\n<li><strong><em>Legacy coin problem:<\/em><\/strong> As discussed earlier, neither BIP-360 nor SHRINCS can automatically protect the large pool of dormant and exposed legacy coins (especially the ~1.7\u20132.3 million BTC in old P2PK and long-reused addresses). These coins can only be protected if their owners manually move them\u200a\u2014\u200asomething that is impossible for truly lost\u00a0keys.<\/li>\n<\/ul>\n<p><strong>Next steps for mainnet adoption<\/strong> are already underway but will require patience:<\/p>\n<ul>\n<li><strong><em>Continued testing and refinement:<\/em><\/strong> SHRINCS has already been successfully tested with live transactions on the Liquid sidechain in March 2026. Further testing on Bitcoin testnet and signet will be needed to evaluate performance, wallet integration, and edge\u00a0cases.<\/li>\n<li><strong><em>Formal BIP progression:<\/em><\/strong> Both BIP-360 and the SHRINCS-related BIPs must go through the standard Bitcoin Improvement Proposal review process. This includes public discussion on the Bitcoin developer mailing list, peer review of the code, and consensus-building among developers, miners, and node operators.<\/li>\n<li><strong><em>Community education and wallet support:<\/em><\/strong> Major wallet developers will need to add support for the new address types and signatures. Exchanges and services will also need time to update their infrastructure.<\/li>\n<li><strong><em>Activation mechanism:<\/em><\/strong> Once ready, activation would likely use a miner-signaled soft-fork deployment such as the \u201cSpeedy Trial\u201d approach used for Taproot in 2021, in which a supermajority of blocks (90% for Taproot) within one retarget period must signal readiness, with activation at a fixed block height afterwards. Broad node adoption is still needed for the new rules to actually be enforced.<\/li>\n<\/ul>\n<p>The Bitcoin community is generally moving cautiously but constructively. There is growing recognition that quantum resistance is no longer a distant theoretical issue, especially after the March 2026 papers. However, Bitcoin\u2019s culture of conservatism means that any change\u200a\u2014\u200aeven a security improvement\u200a\u2014\u200amust be thoroughly vetted to avoid unintended consequences.<\/p>\n<p>While the technical solutions exist and are already being tested on sidechains, bringing them to Bitcoin Core mainnet will require time, consensus, and careful coordination. The process is expected to take several years rather than months. In the meantime, users can protect themselves by avoiding address reuse, moving legacy coins when possible, and supporting the ongoing development of these upgrades.<\/p>\n<h3>X. 
Ethereum\u2019s Quantum Risk Profile and Transition Plans<\/h3>\n<h4>10.1 Why Ethereum Faces a Broader Quantum Attack Surface Than\u00a0Bitcoin<\/h4>\n<p>While Bitcoin faces serious quantum risks, Ethereum has a significantly broader quantum attack surface. The Google Quantum AI whitepaper explicitly notes that Ethereum\u2019s design and ecosystem create a larger and more complex attack surface than Bitcoin\u2019s simpler UTXO model [1]. This broader vulnerability stems from fundamental architectural differences and the sheer scale of economic activity built on top of Ethereum.<\/p>\n<p>Ethereum is not just a digital currency like Bitcoin; it\u2019s a general-purpose programmable blockchain that supports smart contracts, decentralized applications, stablecoins, tokenized real-world assets, and complex financial primitives. These features, while powerful, introduce multiple new ways for quantum computers to cause\u00a0damage.<\/p>\n<h4>10.1.1 Account Model and Persistent Public-Key Exposure<\/h4>\n<p>Unlike Bitcoin\u2019s UTXO model, where coins exist as discrete, one-time-use outputs, Ethereum uses an <strong><em>account-based model<\/em><\/strong>. Every externally owned account has a persistent address: the last 20 bytes of the Keccak-256 hash of its secp256k1 public key. Until the account sends its first transaction, only that hash is on-chain; the moment it sends one, the full public key becomes recoverable from the transaction\u2019s ECDSA signature and remains exposed indefinitely. There is no easy way to rotate keys without abandoning the account and losing its history, reputation, and DeFi positions.<\/p>\n<p>This persistent exposure means that once an Ethereum account has been used, its public key is permanently available for quantum at-rest attacks. The Google paper estimates that the top 1,000 Ethereum accounts alone hold approximately 20.5 million ETH that are already vulnerable in this way [1]. 
In contrast, Bitcoin users can (and are encouraged to) generate fresh addresses for every incoming payment, keeping public keys hidden until\u00a0spent.<\/p>\n<h4>10.1.2 Smart Contracts, Admin Keys, Bridges, Oracles, and Real-World Assets<\/h4>\n<p>Ethereum\u2019s smart contract functionality adds another massive layer of risk. Many high-value contracts have administrative or upgrade keys that control critical functions such as minting tokens, pausing protocols, or managing liquidity. These admin keys are rarely rotated and are often quantum-vulnerable.<\/p>\n<p>The paper highlights that smart contracts currently secure roughly 2.5 million ETH plus over $200 billion in stablecoins and tokenized real-world assets (RWAs). Compromising an admin key could allow an attacker to mint fraudulent tokens, drain bridges, manipulate oracles, or seize control of entire protocols [1]. Bridges, oracles, and custodians of tokenized assets represent particularly high-leverage targets\u200a\u2014\u200alow ETH balance but enormous systemic impact if compromised.<\/p>\n<h4>10.1.3 Proof-of-Stake Validators (BLS Signatures) and Data Availability Sampling\u00a0(KZG)<\/h4>\n<p>Ethereum\u2019s Proof-of-Stake consensus relies on BLS signatures for validator attestations and aggregation. These signatures are based on the BLS12\u2013381 elliptic curve, which is also vulnerable to Shor\u2019s algorithm. With approximately 37 million ETH currently staked, a quantum attacker who compromises enough validators could halt finality, reorganize the chain, or even finalize conflicting blocks\u00a0[1].<\/p>\n<p>Additionally, Ethereum\u2019s Data Availability Sampling (DAS) mechanism uses KZG polynomial commitments. These commitments contain fixed public parameters that are vulnerable to a one-time on-setup attack. 
A single successful quantum computation could create a permanent classical backdoor, allowing an attacker to forge data availability proofs and stall or manipulate Layer-2 rollups without needing a quantum computer again\u00a0[1].<\/p>\n<h4>10.1.4 Layer-2s, Stablecoins, and Tokenization\u200a\u2014\u200aExpanded Systemic\u00a0Risk<\/h4>\n<p>The rapid growth of Layer-2 scaling solutions, stablecoins, and real-world asset tokenization has dramatically increased Ethereum\u2019s quantum attack surface. These systems inherit the vulnerabilities of the base layer while adding their own smart-contract and bridge risks. The total value secured (TVS) on Ethereum, including stablecoins and RWAs, is estimated at well over $600 billion, far exceeding Bitcoin\u2019s primarily native-asset ecosystem [1].<\/p>\n<p>A successful quantum attack on Ethereum could therefore trigger cascading failures: stablecoin depegs, bridge drains, oracle manipulation, and widespread loss of confidence in the entire DeFi and tokenization ecosystem. This systemic risk is much broader than Bitcoin\u2019s more contained, native-currency focus.<\/p>\n<p>Ethereum\u2019s account model, smart contract complexity, Proof-of-Stake design, and expanding tokenization economy create a significantly wider and more interconnected set of quantum vulnerabilities than Bitcoin faces. This is why the Google paper describes Ethereum as having a \u201cbroader overall quantum attack surface\u201d [1]. The next subsection outlines Ethereum\u2019s proactive response and transition plans.<\/p>\n<h4>10.2 Ethereum\u2019s Post-Quantum Transition Roadmap<\/h4>\n<p>Unlike Bitcoin\u2019s more decentralized governance model, Ethereum has taken a more coordinated approach to post-quantum security. 
The Ethereum Foundation has made quantum resistance an active area of research and coordination, establishing a dedicated team and public resources to guide the ecosystem.<\/p>\n<p>Ethereum\u2019s strategy focuses on gradual, backward-compatible upgrades that allow users, wallets, Layer-2s, and applications to adopt quantum-safe mechanisms over\u00a0time.<\/p>\n<h4>10.2.1 Formation of the Post-Quantum Security Team and pq.ethereum.org Hub<\/h4>\n<p>In January 2026, the Ethereum Foundation formally established a dedicated Post-Quantum Security Team led by cryptography engineer Thomas Coratger. The team\u2019s mandate is to coordinate research, develop technical proposals, and guide the broader ecosystem through the post-quantum transition [17].<\/p>\n<p>In March 2026, the Foundation launched the official <strong><em>pq.ethereum.org<\/em><\/strong> hub. This site serves as the central public resource for the post-quantum roadmap, technical specifications, implementation guides, and progress updates [18]. Its launch coincided with the release of the Google and Oratomic quantum papers, signalling that the Foundation was treating the updated resource estimates with\u00a0urgency.<\/p>\n<h4>10.2.2 Key Technical Upgrades<\/h4>\n<p>The current work includes several major workstreams:<\/p>\n<p><strong><em>EIP-7932 (Secondary Signature Algorithms):<\/em><\/strong> This proposal introduces a registry and precompiles that would allow the Ethereum Virtual Machine (EVM) to natively verify post-quantum signature schemes alongside existing ECDSA and BLS signatures.<\/p>\n<p><strong><em>Account Abstraction (ERC-4337 + EIP-7702):<\/em><\/strong> Ethereum\u2019s account model exposes public keys on the first transaction, making key rotation non-trivial in standard externally owned accounts. 
Enhanced account abstraction aims to enable smart-contract wallets that support seamless migration from vulnerable ECDSA keys to quantum-safe keys without losing account history or DeFi positions.<\/p>\n<p><strong><em>BLS Replacement on the Consensus Layer:<\/em><\/strong> Ethereum\u2019s Proof-of-Stake validators currently rely on BLS signatures. Research is ongoing into quantum-resistant alternatives for these signatures.<\/p>\n<p><strong><em>Quantum-Safe Data Availability Sampling (DAS):<\/em><\/strong> Research is also underway into quantum-resistant commitment schemes to replace the current KZG polynomial commitments used in\u00a0DAS.<\/p>\n<p>These workstreams are being developed in parallel, allowing different parts of the ecosystem to migrate at their own\u00a0pace.<\/p>\n<h4>10.2.3 Target\u00a0Timeline<\/h4>\n<p>The Ethereum Foundation has indicated a working target of completing major Layer-1 post-quantum upgrades by 2029. The indicative timeline includes:<\/p>\n<p><strong><em>2026\u20132027:<\/em><\/strong> Research, specification, and testnet deployment of core primitives.<\/p>\n<p><strong><em>2028:<\/em><\/strong> Integration into execution and consensus layers with full testnet validation.<\/p>\n<p><strong><em>2029:<\/em><\/strong> Activation on mainnet through coordinated upgrades.<\/p>\n<p>Ethereum\u2019s more coordinated development process (led by the Foundation and core developers) may provide advantages in planning and executing complex, multi-year upgrades compared with Bitcoin\u2019s more decentralized model. However, success will ultimately depend on widespread adoption by wallets, exchanges, Layer-2 teams, and\u00a0users.<\/p>\n<p>Ethereum is moving in a coordinated and systematic direction on post-quantum readiness. 
Its evolving roadmap addresses the broader attack surface created by its account model, smart contracts, and tokenization ecosystem, with a working target of around 2029 for major Layer-1 upgrades and a strong emphasis on user-friendly, low-risk migration.<\/p>\n<p>The next section discusses realistic timelines for reaching cryptographically relevant quantum computers and the broader implications for both Bitcoin and Ethereum.<\/p>\n<h3>XI. Timeline, Outlook, and Broader Implications<\/h3>\n<h4>11.1 Realistic Near-Term Scenarios for Reaching Cryptographically Relevant Qubit\u00a0Counts<\/h4>\n<p>Neither the Google Quantum AI whitepaper nor the Oratomic\/Caltech paper provides firm calendar dates for when the qubit counts they describe might be reached. Both papers focus on resource estimates and architectural feasibility rather than specific timelines, noting only that the required scales appear achievable through continued engineering progress on existing platforms.<\/p>\n<p>Public roadmaps from leading labs (Google, IBM, Fujitsu\/RIKEN) currently target scaling to thousands of physical qubits and achieving commercially relevant, error-corrected quantum computers by the end of the decade, roughly 2029\u20132030 [1][9][10]. Most expert assessments place the arrival of the first cryptographically relevant quantum computers (CRQCs) capable of breaking ECC-256 in the late 2020s to mid 2030s [19], though significant uncertainty remains. Continued rapid progress in error correction and modular scaling could bring this timeline forward, while challenges in coherence, fabrication yields, or control electronics could push it\u00a0later.<\/p>\n<p>It\u2019s important to note that these are not firm predictions. Quantum hardware timelines have historically slipped, sometimes by several years. However, the dramatic algorithmic improvements documented in the 2026 papers have moved the goalposts significantly closer than the 13-million-qubit estimates of 2022. 
What once looked like a distant theoretical challenge now appears to many experts as a difficult but achievable engineering project within the next\u00a0decade.<\/p>\n<h4>11.2 Policy, Community, and Technical Challenges Ahead<\/h4>\n<p>Even with promising technical solutions such as BIP-360 and SHRINCS, Bitcoin\u2019s quantum transition faces significant hurdles across technical, community, and policy domains. These challenges reflect the network\u2019s conservative and decentralized nature, which prioritises stability and broad consensus over rapid\u00a0change.<\/p>\n<p>Technically, the larger size of post-quantum signatures (3\u20134 KB for SHRINCS versus 64\u201373 bytes today) raises concerns about block space usage, node bandwidth, and full-node operating costs. Community consensus is another major obstacle: any meaningful soft fork requires extensive review, testing, and broad agreement among developers, miners, node operators, and users. Bitcoin\u2019s history shows that even relatively straightforward upgrades, such as SegWit in 2017, can take years of discussion.<\/p>\n<p>The most difficult issue remains the large pool of legacy and dormant coins (roughly 1.7\u20132.3 million BTC in old P2PK and long-reused addresses [1]). Because these coins cannot be automatically protected by new signature schemes, any comprehensive solution could potentially lead to proposals sometimes discussed in broader crypto-economic theory, such as burn mechanisms, rate-limiting systems, sidechain-based recovery, or regulated digital salvage. Any of these options could spark intense debate about Bitcoin\u2019s core ethos of immutability and unfreezable money.<\/p>\n<p>While the technical tools exist and are already being tested, successfully bringing them to Bitcoin mainnet will demand patience, coordination, and careful navigation of both technical and social realities. 
The coming years will test whether the Bitcoin community can balance its commitment to minimalism and decentralization with the urgent need to protect the network from a rapidly advancing quantum\u00a0threat.<\/p>\n<h4>11.3 Recommendations for Bitcoin Users, Developers, and Policymakers<\/h4>\n<p>The March 2026 papers have made one thing clear: quantum computing is increasingly viewed as a long-term but potentially nearer-term security risk that the Bitcoin ecosystem must prepare for proactively. While full post-quantum upgrades will take time, concrete actions can be taken today by users, developers, and the broader community to reduce risk and strengthen the network\u2019s resilience.<\/p>\n<p><strong>For Bitcoin Users<\/strong><br \/>The single most effective step an individual can take right now is to stop reusing addresses. Always generate a fresh receive address for every incoming payment\u200a\u2014\u200athe default behavior in modern wallets. This keeps the public key hidden and reduces exposure to potential at-rest attack vectors under quantum threat models until full post-quantum upgrades are available.<\/p>\n<p>Users who hold coins in old or reused addresses (especially P2PK, early P2TR, or any address that has already been spent from) should prioritize moving those funds to new P2MR addresses once BIP-360 is activated, and later to SHRINCS-based addresses when they become available. Hardware wallets remain the safest storage method, as they keep private keys\u00a0offline.<\/p>\n<p><strong>For Bitcoin Developers and Core Contributors<\/strong><br \/>Developers should accelerate the review, testing, and activation process for BIP-360 (P2MR) as a near-term soft fork. At the same time, work on SHRINCS and related hash-based signature BIPs should continue, with a focus on efficient integration and broad wallet support. 
Clear documentation, user-friendly migration tools, and open-source reference implementations will be essential to drive adoption.<\/p>\n<p><strong>For Policymakers and Regulators<\/strong><br \/>Governments and regulators should recognize that quantum computing introduces unique challenges for decentralized digital assets. Possible future policy discussions could include analogies to abandoned property frameworks for truly lost cryptographic assets (such as many early P2PK coins). At the same time, policymakers must respect Bitcoin\u2019s decentralized nature and avoid heavy-handed interventions that could undermine the network\u2019s censorship resistance. International cooperation will be important, as quantum threats do not respect national\u00a0borders.<\/p>\n<p><strong>Collective Responsibility<\/strong><br \/>The quantum threat to Bitcoin cannot be solved by any single group alone. Users must adopt better hygiene today, developers must deliver robust technical upgrades, and the broader community must engage thoughtfully with the difficult trade-offs that may arise. The March 2026 papers have created a potential window for proactive migration. Acting prudently now, while the required hardware is still years away, is the best way to ensure Bitcoin remains secure in a post-quantum world.<\/p>\n<h3>XII. Conclusion<\/h3>\n<h4>12.1 The Shift from \u201cDistant Theoretical Threat\u201d to \u201cNear-Term Engineering Challenge\u201d<\/h4>\n<p>The two papers published on March 30, 2026, mark a genuine turning point. For years, breaking Bitcoin\u2019s 256-bit elliptic curve cryptography was thought to require an almost impossibly large quantum computer\u200a\u2014\u200aon the order of 13 million physical qubits. 
The new estimates from Google Quantum AI (&lt;500,000 physical qubits) and Oratomic\/Caltech (~26,000 physical qubits) represent a dramatic reduction, showing that the hardware needed for cryptographically relevant attacks is now within reach of continued engineering progress on existing platforms.<\/p>\n<p>What was once viewed as a distant theoretical risk has become a near-term engineering challenge. Fast-clock superconducting systems could enable real-time on-spend attacks, while slower neutral-atom machines could target the large pool of already-exposed legacy coins. Although significant engineering work remains and timelines are still uncertain, the algorithmic and architectural advances documented in the 2026 papers have moved the goalposts substantially closer.<\/p>\n<h4>12.2 The Urgency of Migration to Post-Quantum Cryptography for Bitcoin and\u00a0Ethereum<\/h4>\n<p>Both Bitcoin and Ethereum now face a clear window for proactive migration. For Bitcoin, the priority is to accelerate BIP-360 and SHRINCS so that new coins and actively managed funds can be protected before any cryptographically relevant quantum computer appears. For Ethereum, the more coordinated development process has already produced a dedicated Post-Quantum Security Team and a public roadmap targeting major Layer-1 upgrades by\u00a02029.<\/p>\n<p>The quantum threat does not have to become a quantum crisis. With timely action from users, developers, and the broader community, both networks can successfully transition to post-quantum cryptography and maintain their role as secure, decentralized financial infrastructure. The technical tools exist. 
The remaining question is whether the communities will move quickly enough to implement them.<\/p>\n<p>Acting prudently now\u200a\u2014\u200awhile the required hardware is still years away\u200a\u2014\u200ais the best way to ensure Bitcoin and Ethereum remain trustworthy in a post-quantum world.<\/p>\n<h3>References<\/h3>\n<p>[1] Babbush, R., Zalcman, A., Gidney, C., Broughton, M., Khattar, T., Neven, H., Bergamaschi, T., Drake, J., &amp; Boneh, D. (2026). <em>Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations.<\/em> Google Quantum AI Whitepaper, March 30, 2026. <a href=\"https:\/\/quantumai.google\/static\/site-assets\/downloads\/cryptocurrency-whitepaper.pdf\">https:\/\/quantumai.google\/static\/site-assets\/downloads\/cryptocurrency-whitepaper.pdf<\/a><\/p>\n<p>[2] Cain, M., Xu, Q., King, R., Picard, L. R. B., Levine, H., Endres, M., Preskill, J., Huang, H.-Y., &amp; Bluvstein, D. (2026). <em>Shor\u2019s algorithm is possible with as few as 10,000 reconfigurable atomic qubits.<\/em> Oratomic &amp; California Institute of Technology, <a href=\"https:\/\/arxiv.org\/abs\/2603.28627\">arXiv:2603.28627<\/a>, March 30,\u00a02026.<\/p>\n<p>[3] Shor, P. W. (1994). Algorithms for quantum computation: Discrete logarithms and factoring. <em>Proceedings of the 35th Annual Symposium on Foundations of Computer Science<\/em>,\u00a0124\u2013134.<\/p>\n<p>[4] Webber, M., et al. (2022). The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime. <em>AVS Quantum Science<\/em>, 4(1), 013501. <a href=\"https:\/\/doi.org\/10.1116\/5.0073075\">https:\/\/doi.org\/10.1116\/5.0073075<\/a><\/p>\n<p>[5] Gidney, C., &amp; Eker\u00e5, M. (2021). How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits. <em>Quantum<\/em>, 5, 433. <a href=\"https:\/\/doi.org\/10.22331\/q-2021-04-15-433\">https:\/\/doi.org\/10.22331\/q-2021-04-15-433<\/a><\/p>\n<p>[6] Manetsch, H. 
J., Nomura, G., Bataille, E., Leung, K. H., Lv, X., &amp; Endres, M. (2025). <em>A tweezer array with 6100 highly coherent atomic qubits. <\/em>Nature, 647, 60\u201367. <a href=\"https:\/\/doi.org\/10.1038\/s41586-025-09641-4\">https:\/\/doi.org\/10.1038\/s41586-025-09641-4<\/a><\/p>\n<p>[7] IBM Quantum. (2026). <em>IBM Quantum Heron Processor Family. <\/em>Official IBM Quantum Hardware Documentation. <a href=\"https:\/\/www.ibm.com\/quantum\/hardware\">https:\/\/www.ibm.com\/quantum\/hardware<\/a><\/p>\n<p>[8] IBM. (2026). IBM Announces Nighthawk and the Latest Heron Processors Now Available. IBM Quantum Cloud Announcement, January 13, 2026. <a href=\"https:\/\/quantum.cloud.ibm.com\/announcements\/product-updates\/2026-01-05-nighthawk\">https:\/\/quantum.cloud.ibm.com\/announcements\/product-updates\/2026-01-05-nighthawk<\/a>.<\/p>\n<p>[9] IBM Quantum. (2026). IBM Quantum Development Roadmap 2026. Official IBM Quantum Roadmap. <a href=\"https:\/\/www.ibm.com\/roadmaps\/quantum\/\">https:\/\/www.ibm.com\/roadmaps\/quantum\/<\/a><\/p>\n<p>[10] Fujitsu &amp; RIKEN. (2025). <em>Fujitsu and RIKEN Develop 256-Qubit Superconducting Quantum Processor Toward 1,000-Qubit Goal by End of 2026. <\/em>Official Joint Announcement, December 2025. <a href=\"https:\/\/info.archives.global.fujitsu\/global\/about\/resources\/news\/press-releases\/2025\/0422-01.html\">https:\/\/info.archives.global.fujitsu\/global\/about\/resources\/news\/press-releases\/2025\/0422-01.html<\/a><\/p>\n<p>[11] Palmer, T. (2026). Rational quantum mechanics: Testing quantum theory with quantum computers. <em>Proceedings of the National Academy of Sciences<\/em>, 123(12). <a href=\"https:\/\/www.pnas.org\/doi\/10.1073\/pnas.2523350123\">https:\/\/www.pnas.org\/doi\/10.1073\/pnas.2523350123<\/a> (March 16,\u00a02026).<\/p>\n<p>[12] BIP-360: <em>Pay-to-Merkle-Root (P2MR).<\/em> Bitcoin Improvement Proposal, Draft status, February 2026. 
<a href=\"https:\/\/bips.dev\/360\/#:~:text=Pay-to-Merkle-Root%20(P2MR)%20is%20a,vulnerable%20key%20path%20spend%20removed.\">https:\/\/bips.dev\/360\/#:~:text=Pay%2Dto%2DMerkle%2DRoot%20(P2MR)%20is%20a,vulnerable%20key%20path%20spend%20removed.<\/a><\/p>\n<p>[13] Kudinov, M., &amp; Nick, J. (2025). <em>Hash-based Signature Schemes for Bitcoin.<\/em> Blockstream Research Technical Report, December 5, 2025. <a href=\"https:\/\/eprint.iacr.org\/2025\/2203.pdf?ref=blog.blockstream.com\">https:\/\/eprint.iacr.org\/2025\/2203.pdf?ref=blog.blockstream.com<\/a><\/p>\n<p>[14] Blockstream Research. (2026). <em>SHRIMPS: 2.5 KB post-quantum signatures across multiple stateful devices. <\/em>Delving Bitcoin Forum, March 27, 2026.<br \/><a href=\"https:\/\/delvingbitcoin.org\/t\/shrimps-2-5-kb-post-quantum-signatures-across-multiple-stateful-devices\/2355\">https:\/\/delvingbitcoin.org\/t\/shrimps-2-5-kb-post-quantum-signatures-across-multiple-stateful-devices\/2355<\/a><\/p>\n<p>[15] Osuntokun, O. (2026). <em>Post Quantum Bitcoin: Concepts of a Plan\u200a\u2014\u200aA zk-STARK Escape Hatch for BIP-32 Wallets. <\/em>Bitcoin Development Mailing List, April 8, 2026.<br \/><a href=\"https:\/\/groups.google.com\/g\/bitcoindev\/c\/Q06piCEJhkI\">https:\/\/groups.google.com\/g\/bitcoindev\/c\/Q06piCEJhkI<\/a><br \/>Proof-of-concept repository: <a href=\"https:\/\/github.com\/Roasbeef\/bip32-pq-zkp\/tree\/main\">https:\/\/github.com\/Roasbeef\/bip32-pq-zkp\/tree\/main<\/a><\/p>\n<p>[16] Levy, A. M. (2026). <em>Quantum-Safe Bitcoin Transactions Without Softforks.<\/em> StarkWare, April 9, 2026.<br \/><a href=\"https:\/\/github.com\/avihu28\/Quantum-Safe-Bitcoin-Transactions\/blob\/main\/paper\/QSB.pdf\">https:\/\/github.com\/avihu28\/Quantum-Safe-Bitcoin-Transactions\/blob\/main\/paper\/QSB.pdf<\/a><\/p>\n<p>[17] Drake, J. (2026). 
<em>Post-Quantum (PQ) Team Announcement.<\/em> Ethereum Foundation, January 23\u201326, 2026.<br \/><a href=\"https:\/\/medium.com\/drakefjustin\/status\/2014791629408784816\">https:\/\/x.com\/drakefjustin\/status\/2014791629408784816<\/a><\/p>\n<p>[18] Ethereum Foundation Post-Quantum Security Team. (2026). <em>Ethereum Post-Quantum Roadmap.<\/em> <a href=\"https:\/\/pq.ethereum.org\/\">pq.ethereum.org<\/a>, launched March 2026. Official documentation and technical specifications.<\/p>\n<p>[19] Global Risk Institute (2026). <em>Quantum Threat Timeline Report 2025.<\/em> <a href=\"https:\/\/globalriskinstitute.org\/publication\/quantum-threat-timeline-report-2025b\/\">https:\/\/globalriskinstitute.org\/publication\/quantum-threat-timeline-report-2025b\/<\/a><\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/quantum-breakthroughs-in-2026-implications-for-bitcoin-security-and-the-ethereum-ecosystem-4a9acd836165\">Quantum Breakthroughs in 2026: Implications for Bitcoin Security and the Ethereum Ecosystem<\/a> was originally published in <a href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>Abstract On March 30, 2026, two landmark papers\u200a\u2014\u200aone from Google Quantum AI and one from Oratomic\/Caltech\u200a\u2014\u200adramatically lowered the estimated resources needed to break Bitcoin\u2019s 256-bit elliptic curve cryptography. Google showed that a fast superconducting machine with fewer than 500,000 physical qubits could crack a key in roughly nine minutes, enabling real-time \u201con-spend\u201d attacks. 
Oratomic demonstrated [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":149673,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-149672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/149672"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=149672"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/149672\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/149673"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=149672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=149672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=149672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}