Cracking a wallet in 9 minutes: Google's quantum paper shocks the encryption community. Is the Bitcoin "Y2K moment" approaching?

Two papers layered on top of each other form the most serious quantum-threat warning ever issued in the crypto industry.

Author: Kapi Qirla, Deep Tide TechFlow

On March 31, the Google Quantum AI team released a white paper. The title is bland, but the content is explosive.

The paper’s core conclusion: breaking the 256-bit elliptic-curve cryptography (ECC-256) that protects Bitcoin and Ethereum wallets needs roughly 20 times fewer quantum-computing resources than previously estimated. Specifically, on a superconducting quantum computer the break can be carried out with fewer than 1,200 logical qubits and about 90 million Toffoli gates, running on fewer than 500,000 physical qubits, in a matter of minutes.

On the same day, Caltech and the quantum-hardware startup Oratomic published a second paper with an even more aggressive conclusion: on a neutral-atom architecture, an attack could be mounted with as few as about 10,000 physical qubits, and 26,000 qubits could break ECC-256 in about 10 days.

From “theoretical distant threat” to “a countdown you can calculate”

To understand the impact of these two papers, look at the timeline: in 2012, academic estimates put the cost of breaking ECC-256 at about 1 billion physical qubits. In 2023, Daniel Litinski’s paper cut that figure to about 9 million. Google’s new paper brings it below 500,000. Oratomic goes further still, to 10,000.

Over that span, a reduction of five orders of magnitude.

This changes the framework of the whole quantum-threat discussion. The mainstream narrative used to be “quantum computers are still decades away from breaking encryption”; it has become “if hardware progress accelerates nonlinearly, the window may be only five to ten years.” Ethereum Foundation researcher Justin Drake (also a co-author of the Google paper) estimates that by 2032 the probability that a quantum computer can recover secp256k1 ECDSA private keys will be at least 10%.

The Google paper describes two types of attack scenarios.

The first is an “on-spend attack.” When a Bitcoin user spends from a legacy address, the spending transaction carries the public key in its input, and that key becomes visible to everyone the moment the transaction reaches the mempool. A quantum computer fast enough to derive the private key from the public key in about 9 minutes could sign a competing transaction and move the funds before the original is confirmed. Given that Bitcoin’s average block interval is about 10 minutes, the paper estimates the success probability of this attack at about 41%.

In cryptographic terms, a 41% success rate is not a statistical fluke; it means the signature scheme is broken.
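Where a figure like 41% comes from, as an added example that is not part of the article or of the Google paper: the model below assumes blocks arrive as a Poisson process (so the wait for the next block is exponential and memoryless), takes the article’s 10-minute Bitcoin block interval, 12-second Ethereum slot time and 9-minute key-recovery time as inputs, and computes the probability that the attacker’s competing transaction is ready before the victim’s transaction is mined. It also inverts the model to show how fast key recovery would have to be for a given win rate, and contrasts Bitcoin with Ethereum. The Poisson assumption and the neglect of fee competition are simplifications of my own; the paper’s own model is not reproduced here.

```python
import math
import random

# Figures taken from the article; everything else in this file is an assumption.
BTC_BLOCK_S = 10 * 60     # Bitcoin mean block interval, about 10 minutes
ETH_SLOT_S = 12           # Ethereum slot time, 12 seconds
KEY_RECOVERY_S = 9 * 60   # assumed time to derive a private key from an exposed public key


def race_success_probability(key_recovery_s: float, block_interval_s: float) -> float:
    """Probability that the attacker finishes key recovery before the victim's
    transaction is mined.

    Assumed model (not from the paper): blocks arrive as a Poisson process with
    the given mean interval, so the wait for the next block is exponentially
    distributed and memoryless. It does not matter when in the interval the
    victim broadcast; the attacker wins iff no block lands in the next
    key_recovery_s seconds: P = exp(-key_recovery_s / block_interval_s).
    Fee competition for a slot in the next block is ignored.
    """
    return math.exp(-key_recovery_s / block_interval_s)


def key_recovery_time_for(target_probability: float, block_interval_s: float) -> float:
    """Invert the model: how fast must key recovery be to win with a given probability?"""
    if not 0.0 < target_probability < 1.0:
        raise ValueError("target probability must be strictly between 0 and 1")
    return -math.log(target_probability) * block_interval_s


def simulate_race(key_recovery_s: float, block_interval_s: float,
                  trials: int = 100_000, seed: int = 7) -> float:
    """Monte Carlo check of the closed form: draw the time to the next block
    and count how often it exceeds the key-recovery time."""
    rng = random.Random(seed)
    wins = sum(1 for _ in range(trials)
               if rng.expovariate(1.0 / block_interval_s) > key_recovery_s)
    return wins / trials


if __name__ == "__main__":
    p_btc = race_success_probability(KEY_RECOVERY_S, BTC_BLOCK_S)
    p_eth = race_success_probability(KEY_RECOVERY_S, ETH_SLOT_S)
    print(f"Bitcoin, 9-minute key recovery:  {p_btc:.3f} "
          f"(simulated {simulate_race(KEY_RECOVERY_S, BTC_BLOCK_S):.3f})")
    print(f"Ethereum, 9-minute key recovery: {p_eth:.2e}")
    for p in (0.5, 0.9, 0.99):
        secs = key_recovery_time_for(p, BTC_BLOCK_S)
        print(f"  {p:.0%} win rate on Bitcoin needs key recovery in about {secs:.0f} s")
```

With the article’s inputs the closed form gives exp(-9/10), about 0.41, which is exactly the figure quoted above; against a 12-second slot the same 9-minute attacker has essentially zero chance, which is the structural advantage the Ethereum section below describes. The inversion shows why the on-spend threat is so sensitive to hardware speed: a 90% win rate on Bitcoin would need key recovery in roughly a minute.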

The second is an “at-rest attack,” targeting dormant wallets whose public keys are already on-chain. This attack has no deadline; the quantum computer can grind away at its own pace. The paper estimates that about 6.9 million BTC (roughly one-third of the total supply) are in this exposed state, including about 1.7 million coins mined in the Satoshi era to pay-to-public-key (P2PK) outputs, whose public keys sit in the output script by construction, plus large sums whose public keys were revealed through address reuse.

At the price this article applies elsewhere to the roughly 1.1 million BTC attributed to Satoshi (more than $70 billion), those 6.9 million BTC are worth well over $400 billion.

Taproot: meant to improve privacy, but it widens the quantum attack surface

One unexpected finding in the paper is that Bitcoin’s 2021 Taproot upgrade widened the exposure on the quantum-security axis. Taproot was designed to improve transaction efficiency and privacy, and it introduced Schnorr signatures. The problem is not Schnorr itself but the Taproot output format (P2TR): the output script contains the (tweaked) public key directly rather than a hash of it, so the key is visible on-chain from the moment the coins are received. That removes the “hash first, reveal only at spend” layer of the older address formats (P2PKH and P2WPKH), where the public key appears only in the transaction that spends the coins.

In other words, Taproot’s gains in efficiency and privacy open a door on the quantum-security axis. It expands the pool of quantum-vulnerable bitcoin from early P2PK coins and reused addresses to every coin held in a Taproot output, whether or not it has ever been spent from.
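What “exposed at rest” means at the level of individual outputs, as an added example that is not from the article or the paper: the script below classifies a raw scriptPubKey against Bitcoin’s standard output templates, decides whether a quantum attacker could work on that output without waiting for a spend (key in the output script, as for P2PK and P2TR, or key already revealed by an earlier spend from a reused P2PKH/P2WPKH address), and totals the exposed value over a UTXO set. The UTXO set, key hashes and public keys are constructed for the example; the treatment of P2SH/P2WSH as “not decidable from the output alone” is a simplification noted in the code.

```python
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Script opcodes needed to recognise the standard output templates.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xa9, 0xac


def classify_script(spk: bytes) -> str:
    """Match a raw scriptPubKey against Bitcoin's standard output templates."""
    n = len(spk)
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"     # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh"      # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"    # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"     # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"      # OP_1 <32-byte x-only tweaked public key>
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"      # <33- or 65-byte public key> OP_CHECKSIG (Satoshi-era coinbases)
    return "nonstandard"


def exposure_reason(script_type: str, key_already_revealed: bool) -> Optional[str]:
    """Why (if at all) a quantum attacker could work on this output at rest."""
    if script_type == "p2pk":
        return "public key in output script"
    if script_type == "p2tr":
        # The tweaked key Q = P + t*G sits in the output; its discrete log is
        # enough to produce a key-path spend, so the tweak is no protection.
        return "public key in output script"
    if script_type in ("p2pkh", "p2wpkh") and key_already_revealed:
        return "address reuse: key revealed by an earlier spend"
    # p2sh/p2wsh reveal the redeem script (and any keys in it) only at spend time;
    # they are treated like hashed outputs here. A fresh p2pkh/p2wpkh is safe at rest.
    return None


def audit_utxos(utxos: Iterable[Tuple[str, int]],
                revealed_scripts: Set[str]) -> Tuple[int, Dict[str, int]]:
    """Sum the value (in satoshis) of outputs a quantum attacker could target at rest.

    utxos: (scriptPubKey hex, value in sats). revealed_scripts: scriptPubKeys for
    which a spend, and hence the public key, has already appeared on-chain.
    """
    total = 0
    by_reason: Dict[str, int] = defaultdict(int)
    for spk_hex, value in utxos:
        reason = exposure_reason(classify_script(bytes.fromhex(spk_hex)),
                                 spk_hex in revealed_scripts)
        if reason is not None:
            total += value
            by_reason[reason] += value
    return total, dict(by_reason)


# Constructed sample UTXO set (made-up hashes and keys, not real chain data).
KEY_HASH = "ab" * 20
REUSED_P2PKH = "76a914" + KEY_HASH + "88ac"
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 50_0000_0000),   # early P2PK coinbase, 50 BTC
    ("5120" + "cd" * 32, 2_0000_0000),                  # Taproot output, 2 BTC
    (REUSED_P2PKH, 1_0000_0000),                        # P2PKH address already spent from, 1 BTC
    ("0014" + "ef" * 20, 3_0000_0000),                  # fresh P2WPKH, 3 BTC
    ("a914" + "12" * 20 + "87", 4_0000_0000),           # P2SH, 4 BTC
]
REVEALED = {REUSED_P2PKH}

if __name__ == "__main__":
    total, breakdown = audit_utxos(SAMPLE_UTXOS, REVEALED)
    held = sum(v for _, v in SAMPLE_UTXOS)
    print(f"exposed at rest: {total / 1e8:.8f} of {held / 1e8:.8f} BTC")
    for reason, sats in breakdown.items():
        print(f"  {sats / 1e8:.8f} BTC  {reason}")
```

On the constructed set, 53 of the 60 BTC are exposed at rest: the P2PK coinbase and the Taproot output because their keys are in the output script, and the reused P2PKH coins because an earlier spend already put the key on-chain. Only the never-spent P2WPKH coins and the P2SH output remain protected by a hash, which is the distinction the paper draws when it separates the on-spend race from the at-rest pool.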

Ethereum: the problem is bigger, but preparation can start earlier

If Bitcoin faces “wallet-level” risk, Ethereum’s problem is “infrastructure-level.”

The Google paper identifies five layers of Ethereum that are exposed to quantum attack: personal wallets, smart-contract administrator keys, proof-of-stake validator signing, Layer 2 networks, and the data-availability sampling mechanism. It estimates that Ethereum’s top 1,000 wallets hold about 20.5 million ETH, and a quantum computer that breaks one key every 9 minutes could sweep all of them in under 9 days (1,000 keys at 9 minutes each is about 150 hours). At the current ETH price, those assets are worth about $41.5 billion.

The deeper issue is systemic risk. Stablecoins and tokenized assets totaling about $200 billion on Ethereum are controlled by administrator keys that sign with the same vulnerable algorithm, and about 37 million staked ETH is secured by the same kinds of digital signatures. If a large staking pool were compromised, an attacker might be able to interfere with the consensus mechanism itself.

However, Ethereum has a structural advantage: its block time is only 12 seconds, most transactions are confirmed within a minute, and a large share of transaction flow goes through private mempools, so an on-spend attack is far less feasible on Ethereum than on Bitcoin. That advantage is limited to on-spend attacks, though: on Ethereum the public key of any externally owned account can be recovered from any transaction it has ever signed, so at-rest exposure is the norm for every account that has ever sent a transaction.

The good news is that the Ethereum community’s response is more proactive.

Just last week, the Ethereum Foundation launched pq.ethereum.org, which collects eight years of post-quantum research, and more than 10 client teams have been developing and testing on testnets on a weekly cadence. Vitalik Buterin has also previously published a quantum-resistance roadmap. By comparison, the Bitcoin community’s governance culture is more conservative. BIP-360 (which introduces a new quantum-resistant output type) was merged into the BIP repository in February, but it addresses only one form of public-key exposure; a complete cryptographic migration requires protocol changes on a much larger scale.

Community reaction: panic, rationality, and “it’s not just our problem”

Reactions in the crypto industry split into several camps, as expected.

The panic camp is represented by Project Eleven CEO Alex Pruden: “This paper directly rebuts every argument the crypto industry uses to dismiss quantum threats.” Dragonfly partner Haseeb Qureshi’s phrasing on X is even more direct: “Post-quantum is no longer a drill.”

The rational and optimistic camp is represented by CZ. He believes crypto assets simply need to be upgraded to quantum-resistant algorithms, “no need to panic.” Technically that is correct, but it overlooks a key issue: a decentralized blockchain cannot force software updates the way a bank or a military network can. The migration cycle for Bitcoin infrastructure, from users’ wallets to exchange support to new address formats, may take five to ten years even if everyone reached consensus today.

The “anything can be cracked” camp points out that quantum computing threatens not only blockchains but also the global banking system, SWIFT transfers, stock exchanges, military communications, and HTTPS websites, all of which depend on the same public-key cryptography. The Google paper meets this argument head-on: centralized systems can push updates to their users, but decentralized blockchains cannot. That is the fundamental difference.

The coldest humor comes from Musk: “At least if you forget your wallet password, you’ll be able to get it back in the future.”

Conflicts of interest and rational discount

Neither of the two papers is “purely academic.”

All nine authors of the Caltech/Oratomic paper are Oratomic shareholders, and six are company employees. The paper is both a scientific result and a promotion of the company’s neutral-atom hardware roadmap. The Google paper is not entirely neutral either: Google has set an internal deadline of 2029 for migrating its own systems to post-quantum cryptography, and the paper’s conclusions line up neatly with that business decision. In addition, for security reasons, Google did not publish the actual quantum-circuit designs; instead, it validated the results to the U.S. government using zero-knowledge proofs.

Conflicts of interest in the papers need to be discounted, but the trend itself does not need to be discounted. Every time someone claims “quantum threats have been exaggerated,” the next paper cuts another order of magnitude from the number of required qubits.

How far is it from “Q-Day”?

Today’s most advanced quantum computers have about 6,000 physical qubits, with coherence times of only about 13 seconds. From 6,000 qubits to the 500,000 the Google paper requires (or the 10,000 Oratomic claims) there is still a massive engineering gap.

But the analogy from crypto investor McKenna is worth remembering: “You can think of Q-Day like Y2K, but this time it’s real.”

StarkWare co-founder Eli Ben-Sasson called on the Bitcoin community to accelerate progress on BIP-360. Google itself says it is working with Coinbase, the Stanford Blockchain Research Institute, and the Ethereum Foundation to promote a responsible migration.

The debate is no longer about “whether quantum computing can break encryption” but about “whether the crypto industry can finish migrating before the hardware catches up.” Google’s 2029 timeline, together with the Oratomic paper’s drastic compression of the qubit requirement, leaves the industry a shorter buffer than anyone expected.

The roughly 1.1 million BTC lying dormant in wallets attributed to Satoshi cannot migrate themselves to quantum-safe addresses. If the quantum computer arrives first, this digital legacy worth more than $70 billion becomes the target of the largest “digital shipwreck salvage” in history. The Google paper itself reaches for a “digital salvage” legal analogy, implying that governments may need legislation to deal with dormant assets that cannot be migrated.

Here’s a problem that no Bitcoin white paper foresaw: if the mathematical barriers that protect private property are themselves broken, can “Code is Law” still hold?
