
Google Says Quantum Could Break Bitcoin With Fewer Qubits Than Expected, and Taproot Is Part of the Problem

Published: Mar 31, 2026 | By SpendNode Editorial

Key Analysis

New Google research finds fewer than 500,000 qubits could compromise Bitcoin. Taproot's exposed public keys widen the attack surface to 6.9 million BTC.


Google just published research suggesting that breaking Bitcoin's cryptography may require far fewer quantum computing resources than the industry assumed, and that Bitcoin's own 2021 Taproot upgrade inadvertently widened the attack surface.

The findings land at a moment when BTC trades at $67,482 as of March 31, 2026, with the Fear & Greed index sitting at 28 (Fear). Markets are already nervous. A credible shortening of quantum timelines does not help.

Fewer Qubits, Shorter Timeline

Previous estimates placed the qubit threshold for cracking Bitcoin's elliptic curve digital signature algorithm (ECDSA) in the millions. Google's new research pulls that number below 500,000 physical qubits, with as few as 1,200 to 1,450 high-quality logical qubits needed for a practical attack.

The distinction between physical and logical qubits matters. Physical qubits are the raw hardware units. Logical qubits are error-corrected abstractions that do the actual computational work. Reducing the logical qubit requirement to roughly 1,200 means the engineering challenge, while still enormous, is closer to the horizon than "decades away."

Google itself flagged 2029 as a potential milestone for useful quantum systems in earlier research. This latest paper tightens that timeline further by showing the resource requirements were overestimated.

The 9-Minute Attack Window

The research models a real-time quantum attack that could compromise a Bitcoin transaction in approximately 9 minutes, with a 41% success rate against Bitcoin's standard 10-minute block confirmation window.

That overlap is the uncomfortable part. Bitcoin's security model assumes that the time between broadcasting a transaction and its confirmation in a block is too short for an attacker to derive a private key from a public key. If quantum hardware can close that gap, the 10-minute block time becomes a vulnerability rather than a feature.

The 41% success rate is not a guarantee. But in cryptography, a 41% chance of breaking a signature scheme is not a rounding error. It is a broken scheme.

How Taproot Made Things Worse

Bitcoin's Taproot upgrade, activated in November 2021, was designed to improve privacy and smart contract flexibility. It uses Schnorr signatures, which are more efficient than the legacy ECDSA scheme, but the design comes with a tradeoff: Taproot addresses expose public keys directly on the blockchain by default.

Under the older Pay-to-Public-Key-Hash (P2PKH) format, public keys were hidden behind a hash. An attacker would need to crack both the hash and the elliptic curve. Taproot removed that first layer of protection.

The result: approximately 6.9 million BTC, roughly one-third of all bitcoin in circulation, now sits in wallets where public keys are visible on-chain. That includes about 1.7 million BTC from early network years (including Satoshi-era coins) and funds in addresses that have been reused.

For context, CoinShares previously estimated that only around 10,200 BTC faced significant quantum risk. Google's figure is 680 times larger.

Zero-Knowledge Disclosure

Google's team used zero-knowledge proofs to demonstrate their findings without revealing actual attack methods. This is responsible disclosure in practice: proving the vulnerability exists without handing adversaries a blueprint.

The approach suggests Google takes the threat seriously enough to invest in a secure disclosure framework rather than simply publishing a paper with theoretical calculations.

What Defenses Exist

Bitcoin is not defenseless, but the defenses require action.

Post-quantum signature schemes like SPHINCS+ and CRYSTALS-Dilithium are already standardized by NIST. Integrating them into Bitcoin would require a soft fork or hard fork, neither of which happens quickly in Bitcoin's conservative governance culture.

Address hygiene offers partial protection today. Users who never reuse addresses and move funds to fresh P2PKH addresses (where public keys remain hidden until spending) reduce their exposure. But this is a behavioral fix, not a protocol fix, and it does nothing for the 6.9 million BTC already exposed.

Quantum-resistant wallets are a concept, not a product. No major self-custody wallet currently implements post-quantum signatures for Bitcoin.

The clock is not at zero. Google's own researchers describe the threat as "not yet imminent." But the gap between "not yet imminent" and "too late to migrate" is where the risk lives.

What This Means for Bitcoin Holders

The immediate practical impact is zero. No quantum computer today can execute this attack. But the research changes the planning horizon.

Bitcoin developers have discussed post-quantum migration paths for years. The challenge is coordination: moving billions of dollars in value from legacy address formats to quantum-resistant ones requires network-wide consensus, wallet upgrades, and a migration timeline that does not leave slower movers exposed.

For users holding BTC in crypto card wallets or exchange accounts, the custodian's key management practices become relevant. Custodial providers that stake reputation on security will need to articulate their post-quantum roadmap. Self-custody users should, at minimum, avoid address reuse and consider consolidating funds into non-Taproot addresses until the picture clarifies.

Overview

Google's latest quantum computing research reduces the estimated qubit threshold for breaking Bitcoin's ECDSA from millions to under 500,000 physical qubits, with a practical attack requiring approximately 1,200 logical qubits. The 2021 Taproot upgrade compounds the issue by exposing public keys on-chain by default, widening the vulnerable pool to roughly 6.9 million BTC. The research models a 9-minute attack with a 41% success rate against Bitcoin's 10-minute confirmation window. No quantum computer can execute this today, but the timeline just compressed.


Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.
