The Clock We Cannot See Is Already Running
RabbitsResearch
A close reading of the Google Quantum AI & Ethereum Foundation whitepaper on breaking blockchain cryptography and what it actually means
There is a particular kind of dread that comes not from chaos, but from clarity. Not the sudden shock of a crisis already unfolding, but the slow, cold recognition that a crisis has been precisely calculated: that someone, in a laboratory, has done the math, and the math is not on your side. That is the texture of what Google Quantum AI and the Ethereum Foundation have now handed the world in a 57-page whitepaper released on the final day of March 2026. It arrived without ceremony. It should not have.
For over a decade, the blockchain industry has leaned on a single load-bearing assumption: that breaking elliptic curve cryptography requires a quantum computer so large, so expensive, and so distant in the future that it belongs in the same category as cold fusion or faster-than-light travel. The whitepaper, authored by a team that includes some of the most credentialed researchers in quantum computing, does not say that assumption is wrong. It says it is roughly twenty times more optimistic than reality warrants.
This is not a paper about the future. It is a paper about how close we already are and what the architecture of that proximity actually looks like. To read it carefully is to understand that the threat to Bitcoin, Ethereum, and the broader digital financial infrastructure is not a theoretical horizon. It is an engineering problem. And engineering problems, historically, get solved.
Part I — The Numbers
What the Whitepaper Actually Found
Let us start with the technical core, because it is easy to get lost in the narrative weight of this paper and miss the precision of what has actually been calculated. The heart of Bitcoin’s and Ethereum’s security rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP) over the secp256k1 curve: specifically, the difficulty of deriving a private key from a public key. On a classical computer, this is computationally intractable. On a quantum computer running Shor’s algorithm, it is not.
The question has always been: how large does that quantum computer need to be? Previous estimates from Litinski (2023) put the requirement at roughly 9 million physical qubits using a photonic architecture, a number large enough to feel safely distant. The Google Quantum AI team, using new algorithmic optimizations they describe through a zero-knowledge proof without revealing the underlying circuits, has reduced that number to fewer than 500,000 physical qubits on a superconducting architecture. That is a nearly twentyfold reduction from the previous best estimate.
Logical Resources Required to Break 256-bit ECDLP
[Figure: scatter plot comparing logical qubit count vs. Toffoli gate count across all prior published estimates (Proos+Zalka’04, Roetteler+’17, Häner+’20, Gouzien+’23, Chevignard+’26, Litinski’23) against the two new circuit variants from this paper.]
Why this graph matters: Each dot represents the best published estimate of its era. The two stars at the bottom-left corner are this paper’s results. The gap between the stars and the nearest prior work is not incremental; it is structural. It shows that the ceiling of the threat has been dramatically lowered by pure algorithmic improvement, independent of any hardware advance.
The two circuit variants the team has compiled achieve either 1,200 logical qubits with 90 million Toffoli gates, or 1,450 logical qubits with 70 million Toffoli gates. Using standard assumptions about superconducting hardware (a 10-microsecond control reaction time, a 50% overhead per Toffoli gate), those 70 million gates resolve in approximately 18 to 23 minutes of wall-clock time. When the quantum computer is “primed” (precomputing the portion of the algorithm that depends only on fixed protocol parameters, not the specific public key), the attack time from key exposure to key derivation halves to approximately 9 to 12 minutes.
Bitcoin’s average block time is 10 minutes. That sentence is no longer a reassurance. It is a race condition.
Part II — Three Ways to Attack
The Taxonomy of Quantum Attacks
Not all quantum attacks are equal, and the paper introduces a taxonomy that is crucial for understanding what protections remain viable and for how long. The distinction hinges on two variables: how long the attacker needs, and what kind of quantum hardware they have.
On-Spend Attacks
The most dangerous category. When a user broadcasts a transaction to the Bitcoin network, it enters the public mempool, a holding area visible to everyone, before it is confirmed in a block. At that moment, the public key is exposed. An on-spend attack means deriving the private key during that window, then broadcasting a fraudulent competing transaction with a higher fee to replace the original. For this to work, the attacker’s quantum computer must be fast enough to solve ECDLP within the average block confirmation time.
Bitcoin’s 10-minute average block time makes this the critical threshold. The paper estimates that a superconducting CRQC, the type Google, IBM, and others are building, could achieve private key derivation in approximately 9 minutes from the primed state. This places Bitcoin’s active transactions within on-spend attack range of first-generation fast-clock CRQCs. Litecoin (2.5-minute blocks) reduces success probability to under 3%. Zcash (75-second blocks) and Dogecoin (1-minute blocks) are currently functionally immune to on-spend attacks.
Race Against the Block: Attack Speed vs. Network Variance
[Figure: probability curves showing the likelihood of transaction confirmation (Y-axis, 0–100%) over time since broadcast (X-axis, 0–45 minutes) for Bitcoin, Litecoin, Zcash, and Dogecoin, with a vertical dashed line marking the ~9-minute CRQC key derivation time.]
Why this graph matters: This is the most viscerally communicative figure in the paper. It shows, visually and precisely, that Bitcoin sits in the danger zone while shorter-block-time cryptocurrencies currently do not. The ~41% figure assumes zero network congestion, which the attacker can eliminate by flooding the mempool with high-fee transactions. In the adversarial case, the success rate is higher.
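The race described above can be modelled directly. The following added example (not code from the whitepaper) treats block arrivals as a Poisson process, so the chance that a broadcast transaction is still unconfirmed after t minutes is exp(-t / block_time); it reproduces the ~41% Bitcoin figure and the under-3% Litecoin figure for the 9-minute primed derivation time, and also answers the defender's question of how short a block time would be needed to push the attacker's success below a chosen risk budget. Congestion is assumed absent, as the figure assumes.

```python
"""On-spend race model: the attacker wins only if the private key is
derived before the victim's transaction is mined.

Assumptions (stated in the lead-in): inter-block times are exponentially
distributed with the chain's mean block time, derivation times are the
whitepaper's published ranges, and the mempool is uncongested.
"""
import math

# Mean block intervals in minutes, as stated in the article.
BLOCK_TIME_MIN = {
    "bitcoin": 10.0,
    "litecoin": 2.5,
    "zcash": 75 / 60,
    "dogecoin": 1.0,
}

# Key-derivation wall-clock ranges from the whitepaper, in minutes.
DERIVATION_MIN = {
    "primed_fast": 9.0,
    "primed_slow": 12.0,
    "unprimed_fast": 18.0,
    "unprimed_slow": 23.0,
}


def p_unconfirmed(block_time_min: float, elapsed_min: float) -> float:
    """Probability that no block has yet confirmed the transaction after
    `elapsed_min` minutes under the memoryless (exponential) model."""
    return math.exp(-elapsed_min / block_time_min)


def on_spend_success(chain: str, derive_min: float) -> float:
    """Attacker success probability: the key is ready at `derive_min` and
    the victim's original transaction is still sitting in the mempool."""
    return p_unconfirmed(BLOCK_TIME_MIN[chain], derive_min)


def block_time_for_risk(derive_min: float, max_success: float) -> float:
    """Largest mean block time (minutes) that keeps attacker success at or
    below `max_success` for a given derivation time. Solves
    exp(-d / b) <= p  for b."""
    if not 0.0 < max_success < 1.0:
        raise ValueError("max_success must be strictly between 0 and 1")
    return derive_min / math.log(1.0 / max_success)


def risk_table(derive_min: float) -> dict:
    """Success probability per chain for one derivation time, rounded."""
    return {c: round(on_spend_success(c, derive_min), 4) for c in BLOCK_TIME_MIN}


if __name__ == "__main__":
    for label, d in DERIVATION_MIN.items():
        print(f"{label:>14} ({d:4.0f} min): {risk_table(d)}")
    # Block time that would hold a 9-minute attacker to a 1% success rate.
    print("block time for <=1% risk at 9 min:",
          round(block_time_for_risk(9.0, 0.01), 2), "min")
```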
At-Rest Attacks
For public keys that are already exposed on-chain (not in transit, but sitting in a locking script or previously revealed in a spending transaction), the attacker has days, months, or years to derive the private key. This is the slow-burn threat. Slow-clock quantum computers (neutral atom, ion trap) may not be fast enough for on-spend attacks but are perfectly suited for at-rest attacks. These are also the attacks that threaten dormant wallets: addresses holding bitcoin that has not moved in years, whose public keys were exposed the moment they ever spent anything.
On-Setup Attacks
The most insidious category, and the one least discussed in mainstream coverage. Some cryptographic protocols use fixed public parameters derived from secret values (the “toxic waste”) that must be destroyed after a setup ceremony. If a CRQC can recover that secret from the public parameters (a one-time computation), it creates a permanent, reusable classical backdoor into the protocol. No further quantum computation is required. Ethereum’s Data Availability Sampling mechanism (using KZG commitments) is specifically vulnerable to this attack mode.
Part III — The Exposed Ledger
Inside Bitcoin: What Is Actually Vulnerable
Bitcoin’s quantum exposure is not uniform: it depends entirely on which script type is locking the coins, and whether a public key has ever been revealed. The paper maps this terrain with unusual precision.
The most vulnerable script type is Pay-to-Public-Key (P2PK), used almost exclusively in the early “Satoshi era” of mining. These scripts record the public key directly in the locking script, meaning any CRQC can read it and begin computing the private key without waiting for any transaction. Approximately 1.7 million BTC, including the coins widely attributed to Satoshi Nakamoto, are locked this way. They have been sitting exposed since 2009. They are, in the language of the paper, “a fixed target.”
The more recently introduced Pay-to-Taproot (P2TR) script, rolled out in the 2021 Taproot soft fork, introduced a surprising regression: it also stores the public key directly in the locking script. Despite being the “modern” Bitcoin address format, P2TR addresses with the bc1p prefix are as vulnerable to at-rest attacks as the original Satoshi-era P2PK coins. In 2025, P2TR represented 21.68% of all Bitcoin transactions, meaning a significant and growing fraction of recent Bitcoin activity has been conducted in a quantum-exposed format.
Evolution of BTC Supply Over Time by Protocol Type
[Figure: stacked area chart showing the composition of Bitcoin’s total supply over time from 2010–2026, with quantum-vulnerable balances shown in hatched/shaded regions for each protocol type.]
The safest standard script types are P2WPKH and P2WSH (using bc1q addresses), which hide public keys behind cryptographic hashes until the moment of spending. These are immune to at-rest attacks unless the owner has ever spent from the same address before, revealing the public key in the process. This is address reuse, and it is remarkably common. Exchanges, merchants, and users who maintain a stable receiving address have inadvertently converted their "safe" P2WPKH addresses into exposed ones.
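The exposure rules in this section (key readable from the locking script for P2PK and P2TR; key revealed by a prior spend for P2PKH, P2WPKH and P2WSH) can be turned into an inventory check a custodian can run over their own UTXO set. The following is an added example, not code from the whitepaper; the script templates are the standard scriptPubKey patterns, and the UTXO records at the bottom are constructed sample data.

```python
"""Classify Bitcoin locking scripts and flag at-rest public-key exposure
according to the taxonomy described above.

The sample UTXOs are constructed; the `spent_from_before` flag stands in
for a lookup against chain history.
"""
from dataclasses import dataclass


@dataclass
class Utxo:
    script_hex: str          # locking script (scriptPubKey) as hex
    spent_from_before: bool  # has this address ever been spent from?
    btc: float


def script_type(script_hex: str) -> str:
    """Match the standard output-script templates by length and opcodes."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65 byte key> OP_CHECKSIG (0xac); key sits in the script.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH"
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    # P2TR: OP_1 <32-byte x-only output key>; key sits in the script.
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"
    return "unknown"


KEY_IN_SCRIPT = {"P2PK", "P2TR"}
HASHED_UNTIL_SPEND = {"P2PKH", "P2WPKH", "P2WSH"}


def at_rest_exposed(u: Utxo) -> bool:
    """True if a CRQC could start deriving the key today, without waiting
    for a new transaction to appear in the mempool."""
    t = script_type(u.script_hex)
    if t in KEY_IN_SCRIPT:
        return True
    if t in HASHED_UNTIL_SPEND:
        return u.spent_from_before  # address reuse revealed the key
    return False  # unknown template: not classified by this check


def exposure_report(utxos) -> dict:
    """Sum BTC by (script type, exposed) so migration can be prioritised."""
    report = {}
    for u in utxos:
        key = (script_type(u.script_hex), at_rest_exposed(u))
        report[key] = round(report.get(key, 0.0) + u.btc, 8)
    return report


# Constructed sample UTXOs (keys and hashes are filler bytes, not real).
SAMPLE_UTXOS = [
    Utxo("41" + "04" + "ab" * 64 + "ac", False, 50.0),   # Satoshi-era P2PK
    Utxo("0014" + "ef" * 20, False, 1.5),                # fresh P2WPKH
    Utxo("0014" + "ef" * 20, True, 2.0),                 # reused P2WPKH
    Utxo("5120" + "12" * 32, False, 0.7),                # P2TR, key in script
    Utxo("76a914" + "34" * 20 + "88ac", True, 0.3),      # reused legacy P2PKH
]

if __name__ == "__main__":
    for k, v in sorted(exposure_report(SAMPLE_UTXOS).items()):
        print(f"{k[0]:7} exposed={k[1]!s:5} {v:8.3f} BTC")
```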
Bitcoin’s Proof-of-Work consensus mechanism, the mining puzzle, is explicitly and emphatically not vulnerable to quantum attacks. The paper is direct: Grover’s algorithm, which could theoretically speed up hash preimage search quadratically, offers no meaningful advantage here. The quadratic speedup is consumed by quantum error correction overhead, and Grover’s algorithm does not parallelize. A quantum miner, under fantastical assumptions, would achieve hashrates two orders of magnitude below current ASIC miners. This is one of the paper’s important clarifications: the threat is to signatures, not to mining.
Part IV — Ethereum’s Wider Surface
Ethereum: Five Distinct Vulnerabilities, One Systemic Risk
If Bitcoin’s quantum exposure is primarily about dormant coins and mempool timing, Ethereum’s exposure is something categorically more complex. The paper identifies five distinct attack vectors across Ethereum’s architecture, each with different technical roots and different scales of potential damage.
1. Account Vulnerability
Unlike Bitcoin, which tracks unspent transaction outputs, Ethereum uses a persistent account model. Once an Ethereum account initiates any transaction, its public key is permanently exposed on-chain. The paper estimates that the top 1,000 Ethereum accounts by ETH balance (holding approximately 20.5 million ETH) could be compromised by a fast-clock CRQC in under nine days. A quantum attacker does not need to rush. They can work through the list methodically.
Account Vulnerability: Top 1,000 Ethereum Accounts by ETH Balance
[Figure: bar chart showing ETH balance (Y-axis, log scale from 10K to 100M ETH) by rank (X-axis, 0–1000), colored orange for accounts that have initiated a transaction (vulnerable) and grey for accounts that have not.]
Why this graph matters: This is arguably the most immediately alarming figure in the entire paper for Ethereum holders. It shows that being wealthy on Ethereum is, structurally, nearly synonymous with being quantum-vulnerable. The top accounts have been active, they have transacted, and every transaction permanently reveals the public key.
2. Admin Vulnerability
Smart contracts that hold significant assets frequently reserve admin privileges to a handful of Externally Owned Accounts: keys that can upgrade the contract’s logic, pause execution, or drain funds. These admin keys are rarely rotated, and because they have been used in governance votes and contract upgrades, their public keys are exposed on-chain. Among the top 500 Ethereum smart contracts by ETH balance, at least 70 are subject to admin key exposure, holding approximately 2.5 million ETH plus, critically, administrative control over roughly $200 billion in stablecoins and tokenized Real World Assets.
The second-order effects are staggering: oracle compromise could trigger cascading DeFi liquidations; bridge compromise could drain entire cross-chain liquidity pools; stablecoin admin compromise could allow unlimited minting, collapsing the peg. The paper notes that RWAs are projected to exceed $16.1 trillion by 2030, most of it on Ethereum; the entire tokenized financial stack rests on admin keys that a CRQC could derive in hours.
3. Code Vulnerability
None of Ethereum’s precompiled smart contracts, the low-level cryptographic primitives that developers can call, currently implement post-quantum cryptographic schemes. All existing zkSNARK-based L2 rollups (Arbitrum, Base, Optimism, zkSync) depend on elliptic curve pairings that are quantum-vulnerable. The paper estimates total Code Vulnerability exposure at ~15 million ETH in Total Value Secured across major L2 protocols and bridges.
Code Vulnerability Profile of Major L2s & Bridges
[Figure: horizontal bar chart showing Total Value Secured (millions of ETH) for major L2 protocols and bridges, color-coded by architecture type: Optimistic Rollups (red), Sidechain/Bridge (orange), ZK-SNARK (yellow), ZK-STARK (green).]
Why this graph matters: It distinguishes, at a glance, which L2 protocols are already quantum-resistant (STARKs, which use hash-based proofs) from those that are not (Optimistic Rollups and pairing-based SNARKs). Starknet and StarkWare’s STWO appear in green, functionally immune. Arbitrum and Base, which together secure the vast majority of L2 TVS, appear in red. The chart is a risk map for anyone operating in the Ethereum ecosystem.
4. Consensus Vulnerability
Ethereum’s Proof-of-Stake consensus aggregates validator signatures using BLS signatures on the BLS12–381 curve, a pairing-friendly curve that requires somewhat more quantum resources to break than secp256k1, but not dramatically more. The paper estimates the additional cost is modest, placing BLS12–381 within reach of the same first-generation CRQCs that threaten standard accounts.
As of February 2026, approximately 37 million ETH is staked. A quantum attacker who compromises more than one-third of validators can halt finality; more than two-thirds grants complete chain control: the ability to rewrite transaction history and censor arbitrary transactions. The paper notes that Lido alone represents approximately 20% of staked ETH, and its admin infrastructure has its own key exposure. Concentrated staking means the threshold attacks are closer than uniformly distributed validator counts would suggest.
5. Data Availability Vulnerability
Perhaps the most technically subtle threat. Ethereum’s Data Availability Sampling (DAS) mechanism, introduced to allow validators to verify L2 blob data without downloading all of it, uses KZG polynomial commitments with a “trusted setup.” The secret generated during that setup (the “toxic waste”) can be recovered from the public Structured Reference String by a CRQC running Shor’s algorithm once. That single computation creates a permanent, reusable classical exploit, a backdoor that can then be used repeatedly by anyone, with no further quantum hardware required. This is an on-setup attack, and it converts a one-time quantum capability into an indefinite classical threat.
Part V — Dormant Assets and the Hardest Question
The Problem That Cannot Be Updated
Software can be patched. Protocols can be upgraded. But there is a class of assets that cannot be migrated by any software update, no matter how well-designed: coins whose private keys no longer exist. The approximately 1.7 million BTC in P2PK scripts, including what is widely believed to be Satoshi Nakamoto’s own holdings, are sitting on-chain with their public keys permanently exposed, controlled by keys that may be lost forever.
The paper estimates roughly 2.3 million BTC across all vulnerable dormant addresses (those inactive for five or more years) when all script types with exposed or reused keys are counted. This is the population that cannot protect itself. Whatever the protocol decides to do with them (nothing, burn them, or rate-limit their spending), the decision will set a precedent for digital property rights that no legal or philosophical tradition has previously encountered.
Cumulative Amount Harvested in a Quantum Salvage Operation
[Figure: log-log curve showing cumulative BTC recovered (Y-axis, 10K–1M+ BTC) against time spent on key derivation in days (X-axis, 10⁻² to 10⁷ days), with separate curves for fast-clock (9 min/key) and slow-clock (14h–12d/key) CRQCs, and further split by P2PK-only vs. all addresses.]
Why this graph matters: This figure reframes dormant coins not as lost property but as a time-indexed resource extraction problem. A fast-clock CRQC working through P2PK addresses in order of value would collect approximately 100,000 BTC within the first 10 days. The slow-clock version takes years but eventually reaches the same destination. Either way, the endpoint is the same: someone else’s coins become available to whoever first builds a sufficiently capable machine.
The Bitcoin community is currently debating three broad approaches. Do Nothing accepts that quantum attackers will eventually acquire the coins, betting on market absorption. Burn proposes a soft fork that renders P2PK coins unspendable after a certain date, effectively confiscating any bitcoin whose owner has not migrated. Hourglass rate-limits the spending of dormant coins to one per block, slowing the potential supply shock while still allowing eventual recovery. An informal poll at the 2025 Presidio Bitcoin Quantum Summit found roughly equal support for all three.
The paper introduces a fourth option: a “bad sidechain,” a purpose-built recovery chain where CRQC operators could deposit recovered dormant coins for ownership adjudication, using offchain proofs like mnemonic codes to identify original owners. The analogy is to maritime salvage law, adapted for digital property.
Part VI — The Path Forward
Post-Quantum Cryptography: What Exists, What Works, and What It Costs
Post-quantum cryptography is not speculative. It is standardized. The U.S. National Institute of Standards and Technology (NIST) finalized its first PQC standards in 2024, including ML-DSA (formerly CRYSTALS-Dilithium, lattice-based) and SLH-DSA (formerly SPHINCS+, hash-based). Falcon, another lattice-based scheme, is already being deployed in production on Algorand with the first PQC-secured transaction executed there in 2025. The XRP Ledger has deployed ML-DSA on its AlphaNet. QRL, Mochimo, and Abelian have used PQC exclusively since launch.
The obstacle is not cryptographic; it is economic and social. Post-quantum signatures are large. A Falcon signature is approximately 1,280 bytes; a standard ECDSA signature in Bitcoin is 64–73 bytes. That is a roughly 20× increase in signature size. On Bitcoin, where block size debates have already caused a hard fork (Bitcoin Cash, 2017), introducing a protocol change that expands signature sizes by that factor will require a level of community consensus that has historically been nearly impossible to achieve. The paper notes that even migrating Bitcoin’s current transaction rate to PQC would take several months of network bandwidth dedicated exclusively to address migration, and that assumes the migration starts before the first CRQC arrives.
Ethereum’s path looks somewhat more navigable. The Ethereum Foundation functions as an organized, non-profit entity with demonstrated capacity to coordinate major protocol changes, as shown by the 2016 DAO hack reversal and the 2022 Proof-of-Stake transition (the Merge). EIP-7932, which proposes precompiles for post-quantum signature verification, is already under discussion. The Foundation has funded research into hash-based multi-signatures to replace BLS12–381 in the consensus layer.
The Responsible Disclosure Problem
One of the paper’s most intellectually honest sections concerns its own existence. The authors acknowledge a genuine tension: publishing detailed resource estimates motivates the cryptocurrency community to act, but publishing specific circuit details would give adversaries a construction blueprint. Their solution, ZK proofs of resource bounds without circuit disclosure, is an adaptation of the “responsible disclosure” paradigm from software vulnerability research to quantum cryptanalysis.
The paper argues that detailed cryptanalytic publication should stop: “We believe it is now a matter of public responsibility to share refined resource estimates while withholding the precise mechanics of the underlying attacks.” This is a significant departure from the historical norm in quantum computing, where publishing algorithmic improvements is considered scientifically prestigious. The implicit acknowledgment is that the field has entered a different phase, one where the gap between theoretical result and operational capability is closing fast enough to warrant treating cryptanalytic improvements as sensitive information.
There is also a harder warning buried in this section: the final stages of the race to build a CRQC may happen in opacity. Nation-states and well-resourced actors may achieve quantum cryptanalytic capability without announcing it. The paper suggests that the first public sign of a working CRQC may not be a press release; it may be an unexplained large transfer from a dormant Bitcoin wallet.
Conclusion
What This Moment Actually Asks Of Us
The paper’s closing argument is urgent without being panicked. The authors explicitly state that they believe the time remaining before CRQCs arrive still exceeds the time needed to migrate public blockchains to post-quantum cryptography, but that the margin is narrow and narrowing, and that the process must begin immediately to complete in time.
For individual crypto holders, the near-term implications are practical and concrete. If you hold Bitcoin, avoid using P2TR addresses (bc1p) until post-quantum alternatives are available; they expose your public key from the moment of receipt. Use P2WPKH (bc1q) addresses and never reuse them. For Ethereum, understand that any account that has ever sent a transaction has an exposed public key. There is no individual mitigation short of protocol-level PQC adoption, but following Account Abstraction (ERC-4337) developments that enable key rotation is prudent.
For the ecosystem at large, the paper’s taxonomy of vulnerability by blockchain type is the most practically useful analytical frame: post-quantum blockchains (QRL, Abelian) face no ECDLP threat; UTXO-based chains (Bitcoin, Litecoin, Dogecoin, Cardano) offer individual users the option to avoid at-rest exposure through disciplined key hygiene; account-model chains (Ethereum, Solana, TRON) make long-term public key exposure structurally inevitable. The transition urgency scales accordingly.
What the paper communicates, most fundamentally, is that the assumption of distance, the comfortable sense that quantum computing is someone else’s problem in some other decade, is no longer empirically defensible. The numbers have been recalculated, verified by cryptographic proof, and published by the same organization that built the most capable superconducting quantum processors on the planet. They are not speculating about what might be possible. They are describing what they have already compiled.
The clock is running. It has been running. The question is no longer whether to prepare; it is whether there is still enough time.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Source: Babbush, R., Zalcman, A., Gidney, C., Broughton, M., Khattar, T., Neven, H., Bergamaschi, T., Drake, J., & Boneh, D. (2026). Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations. arXiv:2603.28846 [quant-ph]. Dated April 1, 2026.
Note on figures: All figures referenced in the grey boxes above are taken directly from the source whitepaper, and figure numbers match those in the original paper.