Google’s Quantum AI team has published a whitepaper arguing that the quantum resources needed to break elliptic-curve cryptography are far lower than previously believed. The revised estimate narrows the gap between theory and practical attack capability, raising new urgency around the security of on-chain signatures and exposed wallet keys.
The importance of the finding goes beyond abstract cryptography. If private keys can be recovered within the time window of a normal Bitcoin block interval, network operators, developers and wallet providers may have less time than expected to prepare migration paths and defensive upgrades.
Lower resource estimates change the security timeline
According to Google’s analysis, breaking 256-bit elliptic-curve cryptography could require roughly 1,200 to 1,450 logical qubits and fewer than 500,000 physical qubits. That marks a sharp reduction from earlier estimates that often assumed systems would need around a million physical qubits or more to perform the same attack.
The paper attributes that reduction to improvements in algorithm design and error correction. Faster modular exponentiation, residue number system arithmetic and more efficient approaches to logical-qubit density all contributed to lowering the projected hardware burden needed for a successful attack.
Those changes also affect how different quantum architectures should be evaluated. By reducing gate depth and lowering the number of required Toffoli gates, the new estimates alter the practical targets for both superconducting and neutral-atom platforms. Separate research cited alongside Google’s work suggests that other hardware paths may also reach ECC-256-breaking capability through different trade-offs in time and qubit count.
Two attack paths create different kinds of risk
Google’s paper draws a clear distinction between two operational attack scenarios. The first is an on-spend attack, where a public key becomes visible once a transaction is broadcast and an attacker races to recover the private key before the transaction is confirmed.
In that model, Google estimates that a superconducting quantum machine could complete the attack in about nine minutes if enough work had already been precomputed. That timing matters because it places the attack window inside the roughly 10-minute Bitcoin block interval, meaning a sufficiently prepared attacker could compete directly with normal confirmation timing.
The second scenario is an at-rest attack aimed at wallets whose public keys are already visible on-chain. These attacks do not require the same urgency, because dormant or already-exposed addresses can be targeted over days or weeks by slower quantum systems. Google estimates that about 6.9 million BTC, or roughly one-third of circulating supply, sits in wallets with exposed keys, while some large Ethereum addresses could also be vulnerable under the modeled assumptions.
Migration pressure now moves from long term to immediate planning
The paper strongly reinforces the case for migration to post-quantum cryptography. Any future shift in signature schemes will affect transaction size, verification costs and bandwidth usage, meaning the transition is not only a security problem but also a network-performance problem.
That complexity creates a difficult coordination challenge. Changing signature standards will require cross-client alignment, likely protocol upgrades, and long planning cycles, especially on networks where governance is slow and conservative. Even if a migration path is agreed, addresses with already exposed public keys will remain a long-tail risk that cannot simply be erased by future upgrades.
Google also places the issue on a more concrete calendar by pointing to a 2029 internal migration target for its own systems and aligning that thinking with broader standards pushing quantum-safe adoption by 2030. Those timelines give vendors, wallet providers and node operators a clearer signal that post-quantum planning is no longer hypothetical.
Vendors, wallet providers and node operators need to identify which keys are already exposed on-chain, model the CPU and bandwidth trade-offs of candidate post-quantum schemes, and begin coordinating upgrade paths that preserve consensus stability as cryptographic assumptions change.
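As an added illustration, not code from Google's paper or from this article: a Python sketch of the first step named above, classifying Bitcoin outputs by whether the signing key is already visible at rest (P2PK, taproot, reused addresses) or only becomes visible on spend (fresh hash-based addresses). The function names and the sample scripts are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    script_type: str
    key_visible_at_rest: bool  # True: the key can be attacked over days or weeks
    note: str

def classify_script_pubkey(spk: bytes, previously_spent_from: bool = False) -> Exposure:
    """Report when the signing key behind a raw scriptPubKey becomes visible.
    previously_spent_from: an earlier spend from this address already put the
    public key in a scriptSig or witness (address reuse)."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG, the key is the output itself
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "public key sits in the output script")
    # P2TR: OP_1 <32-byte x-only key>, the tweaked output key is visible
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "x-only output key is visible on-chain")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", previously_spent_from, "hash only until first spend")
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", previously_spent_from, "hash only until first spend")
    # P2SH, P2WSH and anything else need script-level analysis; left as unknown
    return Exposure("unknown", False, "script type not recognised")

def summarise_exposure(outputs):
    """outputs: (scriptPubKey bytes, previously_spent_from, amount_btc) triples.
    Returns BTC totals split by whether the key is already exposed at rest."""
    totals = {"at_rest_exposed": 0.0, "on_spend_only": 0.0, "unknown": 0.0}
    for spk, spent_before, amount in outputs:
        e = classify_script_pubkey(spk, spent_before)
        bucket = ("unknown" if e.script_type == "unknown"
                  else "at_rest_exposed" if e.key_visible_at_rest else "on_spend_only")
        totals[bucket] += amount
    return totals

# Constructed sample outputs with fake keys and hashes, not real chain data.
SAMPLE_OUTPUTS = [
    (b"\x21\x02" + b"\x11" * 32 + b"\xac", False, 50.0),        # early-era P2PK
    (b"\x51\x20" + b"\x22" * 32, False, 1.5),                    # taproot key-path
    (b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", True, 2.0),   # reused P2PKH
    (b"\x76\xa9\x14" + b"\x44" * 20 + b"\x88\xac", False, 3.0),  # fresh P2PKH
    (b"\x00\x14" + b"\x55" * 20, False, 0.25),                   # fresh P2WPKH
]
if __name__ == "__main__":
    print(summarise_exposure(SAMPLE_OUTPUTS))  # {'at_rest_exposed': 53.5, 'on_spend_only': 3.25, 'unknown': 0.0}
```

In a real inventory the `previously_spent_from` flag comes from scanning the address's spend history, and P2SH/P2WSH outputs need the redeem script to decide which keys they expose.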