Google Just Published the Most Important Paper Bitcoin Has Ignored for 15 Years
Around the Block | April 2026 | By William Sanchez Jr., Founder of A.W. Block
Most people saw the headline. “Google says it can break Bitcoin.” That is not what the paper says. But what it actually says is worse than most Bitcoiners want to admit, and better than most critics are willing to acknowledge.
On March 30, 2026, researchers from Google Quantum AI, Stanford University, and the Ethereum Foundation published a 57-page whitepaper titled Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations. Within 24 hours, the discourse collapsed into two camps: people screaming that Bitcoin is dead, and people screaming that nothing has changed.
Both are wrong. And as someone who works at the intersection of blockchain forensics and legal process, recovering digital assets from estates where documentation is nonexistent and custody is a mess, the implications of this paper hit differently than the average hot take on X.
Let me walk through what the paper actually says, what the popular commentary gets right and wrong, and what Bitcoin holders need to understand right now.
What Google Actually Published
This is not a blog post. It is not a press release with a product pitch attached. This is a peer-level research paper with detailed resource estimates, a novel zero-knowledge proof mechanism, and co-authors from three of the most credible institutions in cryptography and computer science.
The core finding: Google’s team has developed quantum circuits that could solve the 256-bit Elliptic Curve Discrete Logarithm Problem (ECDLP) on the secp256k1 curve, the curve Bitcoin uses for its digital signatures, using either 1,200 logical qubits with 90 million Toffoli gates, or 1,450 logical qubits with 70 million Toffoli gates.
On a standard superconducting architecture with current error rates, they estimate these circuits could execute on fewer than 500,000 physical qubits. That is roughly a 20x reduction over prior estimates.
Here is the part most commentary glosses over: they validated these estimates using a cryptographic zero-knowledge proof. They did not publish the circuits themselves. They published proof that the circuits exist, that they work, and that they meet the stated resource constraints, without revealing how to build them. This is responsible disclosure, the same framework used across cybersecurity when a vulnerability is real but the fix is not yet deployed.
The paper explicitly states that the team withheld circuit details because “the escalating risk that detailed cryptanalytic blueprints could be weaponized by adversarial actors necessitates a shift in disclosure practices.”
That sentence alone tells you the authors consider this a real and proximate threat, not a theoretical exercise.
The Timeline Question: Not Today, But Not Never
The largest quantum computer in operation today has roughly 1,200 noisy, non-error-corrected qubits. The attack described in the paper requires 500,000 physical qubits running error-corrected circuits. That is a massive engineering gap.
But the paper’s own analysis of historical progress shows something important. In the last decade, the estimated physical qubits required to break 2048-bit RSA encryption dropped from over 1 billion to under 1 million, driven by improvements in quantum algorithms and error correction, not just hardware scaling. The same trajectory applies to ECDLP. Quoting from Section II.C of the paper: “attacks always get better.”
The authors specifically warn against treating this as a distant concern. They note that quantum computing is still in its “era of ferment,” an early innovation phase with multiple competing architectures, where progress comes in discrete jumps rather than gradual curves. A breakthrough in error correction, code architecture, or modular interconnects could compress the timeline dramatically.
Their recommendation: the cryptocurrency community should begin post-quantum migration immediately.
What the Popular Discourse Gets Right
Some of the commentary circulating online lands on the facts accurately. The paper does reduce the theoretical ECDSA attack to 1,200 logical qubits. The circuits were withheld and a zero-knowledge proof was used in their place. The largest current quantum computer is indeed roughly 1,200 noisy qubits, a real and meaningful gap. BIP-360 is live on a testnet environment. And 500,000 physical qubits is the correct physical qubit estimate for the attack.
The questions being raised about the cost of running such a system are also legitimate. Nobody has built a 500,000 physical qubit machine, so any figure is extrapolation, but the extrapolation is instructive. Superconducting qubits currently cost between $10,000 and $50,000 per unit to fabricate. At that rate, qubit fabrication alone for the required machine runs between $5 billion and $25 billion, before touching infrastructure. Operational costs on existing systems run roughly $500,000 per year just for liquid helium, plus full-time teams of physicists and engineers, vibration-isolated facilities, electromagnetic shielding, and dedicated power infrastructure. For context, a 1,000-qubit system today is estimated to exceed $100 million in development and operational costs. The attack requires 500 times that qubit count, with error-corrected circuits that do not yet exist. You are describing a machine that only a nation-state or near-nation-state level adversary could build and operate. That is a real deterrent today. The problem is that the coins do not move, the public keys do not expire, and the attack only has to become economically viable once.
What the Popular Discourse Gets Wrong
This is where I have to be precise, because inaccuracies on both sides create real confusion.
On attack speed. Several posts circulating online describe the attack as taking “days.” The paper says the opposite for fast-clock architectures. On a superconducting cryptographically relevant quantum computer (CRQC), the attack could execute in approximately 9 minutes using a “primed” machine that precomputes half the algorithm in advance. That is close to Bitcoin’s average 10-minute block time. The paper describes this as enabling “on-spend” attacks, where a quantum attacker intercepts a transaction from the public mempool, derives the private key, and broadcasts a competing transaction before the original is confirmed. “Days” only applies to slow-clock architectures like neutral atom or ion trap devices. Getting this wrong changes the entire risk assessment.
On BIP-360. Some commentary frames BIP-360 as a “quantum-resistant output type.” This is misleading. BIP-360 introduces Pay-to-Merkle-Root (P2MR), which removes the vulnerable key-path spend from Taproot outputs. That is a meaningful improvement. It protects against at-rest attacks on Taproot addresses. But the paper states clearly: “P2MR, like all other standard script types in Bitcoin, is currently vulnerable to on-spend attacks. Thus, at present, P2MR constitutes a security patch for the Taproot regression.” BIP-360 does not introduce post-quantum signatures. It does not add new signature algorithms or opcodes. It is an incremental first step, not a post-quantum solution. The BIP’s own authors describe it as “a conservative first step toward quantum resistance rather than a sweeping cryptographic overhaul.”
On Bitcoin’s development readiness. Some observers claim Bitcoin developers “aren’t waiting for a crisis” and are “already shipping.” This overstates the current state of development. SHRIMPS, the post-quantum signature scheme generating discussion, was published on Delving Bitcoin as a research proposal. It is promising work, achieving roughly 2.5 KB signatures at 128-bit security, about three times smaller than NIST’s SLH-DSA standard. But it is not a shipped product. It is not a BIP. It is not integrated into any wallet software or consensus code. Blockstream deployed SHRINCS, a related hash-based signature scheme, on the Liquid sidechain in March 2026, which is a genuine milestone and the first production deployment of post-quantum signatures on a Bitcoin-linked network. But Liquid is a federated sidechain, not Bitcoin mainnet. The consensus requirements are fundamentally different.
On BIP-360’s cryptographic contents. Some commentary correctly notes that BIP-360 contains zero post-quantum cryptographic algorithms, and that there is no formal PQ signature BIP, and no coordinated protocol roadmap. That is accurate. A May 2025 analysis from Chaincode Labs confirmed that Bitcoin post-quantum initiatives remained “at an early and exploratory stage.” Where the framing sometimes falls short is in the implication that nothing meaningful is happening. Work is happening. It is just early, fragmented, and competing with Bitcoin’s conservative governance culture that historically makes protocol upgrades slow. The Taproot activation itself, a comparatively modest change, took years of discussion.
What Bitcoin Holders Actually Need to Know
The paper identifies four categories of quantum vulnerability for Bitcoin, and this is where it gets personal for anyone holding bitcoin or administering an estate that includes digital assets.
1. Weak Address Vulnerability. P2PK and P2TR addresses expose the public key directly on the blockchain. Over 1.7 million BTC sits in P2PK scripts, including Satoshi-era mining rewards. These are vulnerable to at-rest attacks by any quantum computer, fast or slow. P2TR (Taproot) addresses introduced in 2021 brought back this same exposure pattern, which the paper describes as “a security regression” from a quantum perspective.
2. Address Reuse Vulnerability. If you have ever spent bitcoin from an address and still have funds at that address, your public key is exposed on the blockchain in the spending transaction. The paper estimates approximately 6.9 million total BTC across all protocol types is vulnerable when address reuse is factored in.
3. Public Mempool Exposure. Every standard Bitcoin transaction currently exposes the public key during the settlement window. With the paper’s estimate of a 9-minute key derivation on a primed fast-clock CRQC, the probability of a successful on-spend attack against a Bitcoin transaction is approximately 41%.
4. Offchain Exposure. Using the same private key across multiple blockchains (Bitcoin and Bitcoin Cash, for example), or sharing extended public keys with portfolio tracking services, creates additional attack vectors.
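A worked calculation for the on-spend figure in item 3, added here and not taken from the paper or the original article. It assumes block discovery is a Poisson process with mean interval $\tau = 10$ minutes, that the victim's transaction would be confirmed in the next block, and that the attacker succeeds only if no block arrives during the key-derivation time $t$:

$$P(\text{success}) = P(T > t) = e^{-t/\tau} = e^{-9/10} \approx 0.407 \approx 41\%$$

Under the same assumptions, a derivation time of one day gives $e^{-1440/10} = e^{-144}$, which is effectively zero. That is why the difference between "9 minutes" and "days" decides whether on-spend attacks are part of the risk assessment at all.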
The critical takeaway: if you are using Taproot (bc1p) addresses, your public key is exposed. If you have reused any address that has previously spent bitcoin, your public key is exposed. The paper’s math says those coins become targets the moment a sufficiently capable quantum computer exists.
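For an inventory of holdings, the at-rest and address-reuse categories above can be checked mechanically from each output's scriptPubKey. The sketch below is an added example, not code from the paper or from A.W. Block; the function names, the `spent_from_before` flag and the sample scripts (filler bytes, constructed for illustration) are assumptions.

```python
from typing import NamedTuple, Optional

class Verdict(NamedTuple):
    script_type: str
    key_exposed: Optional[bool]   # None = could not decide, review manually
    reason: str

def classify_script(script_hex: str, spent_from_before: bool = False) -> Verdict:
    """Classify a standard scriptPubKey by whether its public key is on-chain."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push of 33- or 65-byte pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return Verdict("P2PK", True, "public key is in the output script")
    # P2TR: OP_1 (0x51) <push of 32-byte output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return Verdict("P2TR", True, "output key is in the output script")
    hashed = None
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        hashed = "P2PKH"
    elif n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        hashed = "P2SH"
    elif n == 22 and s[:2] == b"\x00\x14":
        hashed = "P2WPKH"
    elif n == 34 and s[:2] == b"\x00\x20":
        hashed = "P2WSH"
    if hashed is None:
        return Verdict("unknown", None, "non-standard template; review manually")
    if spent_from_before:
        # An earlier spend from this script revealed the key(s) in its input.
        return Verdict(hashed, True, "key revealed by an earlier spend (reuse)")
    return Verdict(hashed, False, "only a hash is on-chain until first spend")

# Constructed sample scripts: correct templates, filler bytes instead of real keys.
SAMPLE = {
    "p2pk":   "21" + "02" + "11" * 32 + "ac",
    "p2tr":   "5120" + "22" * 32,
    "p2pkh":  "76a914" + "33" * 20 + "88ac",
    "p2wpkh": "0014" + "44" * 20,
}

def exposed_labels(scripts: dict, reused: set) -> list:
    """Labels of outputs whose key is already public and should be migrated first."""
    return sorted(label for label, hx in scripts.items()
                  if classify_script(hx, label in reused).key_exposed)

if __name__ == "__main__":
    for label, hx in SAMPLE.items():
        print(label, classify_script(hx, spent_from_before=(label == "p2wpkh")))
```

A `False` verdict covers only at-rest exposure; as item 3 notes, every standard script type still reveals its key in the mempool when spent.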
What is NOT threatened: Bitcoin’s Proof-of-Work consensus mechanism. The paper is explicit on this point. Grover’s algorithm provides only a quadratic speedup for hash functions, which is “all but consumed by the overheads of quantum error correction.” Under the most generous assumptions, a quantum miner’s hashrate would be orders of magnitude below a standard ASIC miner. Quantum computers do not threaten Bitcoin mining for the foreseeable future.
As Andreas Antonopoulos explains in Mastering Bitcoin, the public key is derived from the private key using elliptic curve multiplication, which is a “one-way cryptographic function.” Bitcoin addresses then add another layer by hashing the public key. The critical assumption underlying Bitcoin’s ownership model, that you cannot reverse the elliptic curve multiplication to get from public key to private key, is what Shor’s algorithm on a CRQC would break.
The Estate Problem Nobody Is Talking About
This is where my work comes in.
The Google paper devotes an entire section to “Dormant Digital Assets,” and the implications for estate administration are significant. Over 1.7 million BTC in P2PK scripts have not moved since the earliest days of the network. The paper assumes most of these private keys are lost. They cannot be migrated to a post-quantum protocol because nobody holds the keys.
The paper proposes three frameworks the Bitcoin community is considering: Do Nothing (allow quantum attackers to acquire dormant assets), Burn (render dormant assets unspendable via protocol change), and Hourglass (limit the rate at which dormant assets can be spent). A fourth option they call “Bad Sidechain” would use offchain proofs of ownership, like mnemonic seed phrases, to identify legitimate owners and return recovered assets.
For estate attorneys and fiduciaries, this creates a new category of concern. If a decedent held bitcoin in older address formats with exposed public keys, the timeline for securing those assets is no longer indefinite. A quantum-capable adversary does not need to find a hardware wallet or crack a password. They need to find a public key on the blockchain and run an algorithm.
This does not change what I do today. It changes the urgency. If you are administering an estate with digital assets, the window for identification, documentation, and migration to safer address types is narrowing. Not because quantum computers exist right now, but because the engineering path to building one just got 20 times shorter, and the people building them are telling you to prepare.
The Bottom Line
The Google paper is not FUD. It is a serious, well-documented technical assessment from researchers who backed up their claims with a cryptographic proof. The threat is not immediate, but the timeline is shorter than most people assumed, and the migration path for Bitcoin is long, politically complex, and not yet agreed upon.
The popular discourse on X is doing what it always does: compressing nuance into narrative. The optimists are overstating Bitcoin’s readiness. The pessimists are ignoring the engineering gap that still exists. The reality is somewhere in the middle, and it demands attention, not panic.
Bitcoin’s proof-of-work is safe. Bitcoin’s digital signatures are on a clock. The question is not whether the protocol needs to change. It is whether the community can reach consensus fast enough to change it before the clock runs out.
Satoshi addressed this in 2010, in the only public comment ever made about quantum computing risk to Bitcoin: “If it happens gradually, we can still transition to something stronger.”
The Google paper is telling us it will happen gradually. The question is whether we are listening. I believe that we are.
William Sanchez Jr. is the founder of A.W. Block, a digital asset estate investigation and advisory firm based in Pennsylvania. He works with estate attorneys, probate administrators, and fiduciaries to identify, trace, recover, and document blockchain-based assets within legal proceedings. For more, visit awblock.io.
Sources cited in this article:
Babbush, R., Zalcman, A., Gidney, C., et al. “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations.” Google Quantum AI, March 30, 2026.
Antonopoulos, A.M. Mastering Bitcoin: Unlocking Digital Cryptocurrencies. O’Reilly Media.
Nakamoto, S. “Bitcoin: A Peer-to-Peer Electronic Cash System.” 2008.
BIP-360: Pay-to-Merkle-Root (P2MR). Bitcoin Improvement Proposal, Draft. bip360.org.
Milton, A., Shikhelman, C. “Bitcoin and Quantum Computing: Current Status and Future Directions.” Chaincode Labs, 2025.
SHRIMPS: 2.5 KB Post-Quantum Signatures Across Multiple Stateful Devices. Delving Bitcoin, 2026.
Blockstream. “Post Quantum Bitcoin: Live Liquid Sidechain Deployment.” March 6, 2026.
BTQ Technologies. “First Deployment of BIP 360 on Bitcoin Quantum Testnet v0.3.0.” March 20, 2026.
Gigi. 21 Ways. (Part 1: Building Blocks of Bitcoin).
Champagne, P. The Book of Satoshi Nakamoto.


