On Mar. 30, Google Quantum AI published a 57-page whitepaper coauthored with Justin Drake of the Ethereum Foundation and Dan Boneh of Stanford.
The paper demonstrates that breaking the 256-bit elliptic-curve discrete logarithm problem, the cryptographic foundation underlying most blockchain transactions, requires roughly 500,000 physical qubits, a 20-fold reduction from prior estimates.
That compression means a sufficiently advanced quantum computer could crack a Bitcoin private key in approximately 9 minutes, placing live transactions within the 10-minute block confirmation window with roughly a 41% probability of theft.
Days earlier, Google had set a 2029 deadline for completing the industry’s post-quantum cryptography migration.
Those numbers generated the expected interest around when quantum computers will be able to crack Bitcoin.”
It also raised another question asked by Bloomberg’s Eric Balchunas and Bitcoin analyst Checkmate.
Checkmate asked,
This paper, if I understand it correctly, is Google saying we have cracked the design for a cryptographically relevant quantum computer.
That’s a very big deal.
Why oh why, did they focus the paper on our blockchain bags?
Not government codes. Not banking infrastructure, Not internet protocols.
Internet funny money.
Balchunas added,
Not discounting threat (that’s a whole sep debate) but why would Google apply this research time/money on crypto vs something of way more societal consequence, like military defense systems, the global banking system or even private emails. Is bitcoin really their biggest worry?
So why did Google choose blockchains as the vehicle for one of the most consequential responsible-disclosure exercises in the history of public key cryptography?
Not a Bitcoin paper
The paper’s first move is widening. Google explicitly stated that the literature had overlooked vulnerabilities in stablecoins and tokenization, then devoted sections to USDT and USDC admin keys, Ethereum validator concentration, and real-world asset tokenization.
The document projected that tokenized assets could push quantum-vulnerable values above $16 trillion by 2030. Co-writing with the Ethereum Foundation and Stanford researchers frames the paper as an argument for industry-wide migration.
The numbers Google chose to publish make the vulnerability legible.
About 1.7 million BTC, nearly 9% of all Bitcoin, sits in P2PK scripts with public keys exposed on-chain, and dormant vulnerable Bitcoin may reach 2.3 million BTC across script types.
Roughly 6.9 million BTC in total are at heightened risk, including wallets opened by Taproot’s default public-key disclosure. On Ethereum, the 1,000 wealthiest exposed accounts hold approximately 20.5 million ETH, and a sufficiently advanced machine could drain them within nine days.
These are observable, on-chain facts. A researcher can verify them without access to a bank’s internal systems, a government registry, or a telecom’s proprietary PKI.
Google has pursued post-quantum cryptography since 2016.
The company ran the first PQC experiments in Chrome that year, protected internal communications with PQC in 2022, enabled ML-KEM by default for TLS 1.3 and QUIC on desktop Chrome in 2024, launched quantum-safe digital signatures in Cloud KMS preview in 2025, and integrated ML-DSA-based PQC protections into Android 17 in March 2026.
The crypto whitepaper is one public-facing case study inside a migration Google already runs across its own infrastructure, and a carefully controlled one. Google withheld the actual attack circuits and instead published a zero-knowledge proof, allowing anyone to verify its resource estimates without accessing the attack roadmap.
The company coordinated with the US government before publication.
Current geopolitics amplifies the timing. The US finalized its first PQC standards in 2024 and aims to achieve full industry migration by 2035. South Korea targets the same 2035. Reports noted that China is working toward national PQC standards within 3 years.
Google’s paper lands in an accelerating standards race, and crypto serves as the most visible public arena for how that race plays out in practice.
“]
Why crypto specifically
Google’s own introduction provides one answer: cryptocurrencies “stand out” among quantum-vulnerable systems because many blockchains rely heavily on ECDLP-based elliptic-curve cryptography, which a smaller quantum computer can break than comparable RSA systems.
| Factor | Crypto / blockchains | Closed financial or traditional systems |
|---|---|---|
| Main cryptographic exposure | Heavy reliance on ECDLP-based curves | Mixed systems, often less transparent |
| Recourse after forged signature | Often none; losses can be final | Fraud controls, reversals, legal recourse |
| Observability | Public keys, mempools, dormant wallets visible on-chain | Internal systems are private |
| Governance | Open, decentralized, slow consensus | Central authority can mandate upgrades |
| Failure mode | Public and irreversible | Often operationally contained |
Additionally, blockchains typically offer no recourse when a forged signature authorizes a fraudulent transfer.
The combination of concentrated cryptographic exposure and irreversible failure makes crypto the clearest venue to demonstrate what post-quantum signature collapse looks like.
Beneath that technical argument sits a governance argument. The paper explicitly states that Bitcoin’s decentralized structure and “lack of a singular center of power” may require a “drawn-out process of consensus building” for key rotation or dormant-asset policy.
Centralized institutions deploy software updates through a single authority, and Bitcoin’s equivalent requires decentralized consensus, a process that runs in public at whatever pace the community permits.
Google chose the domain where the migration problem plays out in the open, where failures turn permanent and public, and where no single authority can resolve the coordination problem by mandate.
The same vulnerable cryptography protects TLS web traffic, firmware updates, end-to-end messaging, passports, MFA, SSH, and DNS.
Blockchains layer on top of all that a set of properties unique to open networks: public-key registries, observable mempools, on-chain dormant wallets, and governance debates that run in real time and are open to any observer.
The inference that the paper’s structure supports is that those properties give Google a venue to explain the blast radius of a signature migration failure in observable, public terms before the same migration becomes necessary in systems with lower tolerance for public failure.
What to expect
The paper could force chains, wallets, and stablecoin issuers to make PQC migration visible and measurable early.
Google already points to live or test PQC deployments on Algorand, Solana, and XRP Ledger.
Projects that demonstrate clean key-rotation paths, hybrid-signature support, and a credible approach to dormant assets earn governance credibility they can carry into the tokenization wave.
Crypto would then move from the first visible venue for quantum vulnerability to the first public laboratory for post-quantum trust infrastructure, and Google’s paper becomes the founding document for that transition.
The result is a controlled disclosure that forced the hardest governance conversation before a quantum computer relevant to cryptography existed.
| Scenario | What happens | What it means |
|---|---|---|
| Bull case | Chains, wallets, and stablecoin issuers make PQC migration visible and measurable early | Crypto becomes the first public laboratory for post-quantum trust infrastructure |
| Bear case | Coordination fails, Bitcoin key-rotation politics drag, validator/admin-key complexity stays unresolved | Crypto becomes the best public example of how trust migration can fail in the open |
If coordination fails visibly, Bitcoin’s consensus politics drag on key rotation, Ethereum-style validator and admin-key complexity stays unresolved, and stablecoins or tokenized assets start selecting host chains unevenly on PQC readiness.
The 6.9 million BTC in high-exposure wallets then constitute a permanent liability that the network cannot address without a breakthrough in social coordination; it has never been managed at this scale.
Google’s paper ages into a different kind of record: documentation that crypto earned its place in the research through the visibility of its failure modes and the finality of its losses, with the most consequential systems requiring a different kind of disclosure altogether.
Google published its research as a controlled warning about the internet’s coming trust migration and chose the domain where that migration runs in public, turns irreversible on failure, and falls to no single authority to mandate.