The paper dropped today…

It is 57 pages. It was authored by researchers from the Google Quantum AI team, UC Berkeley, the Ethereum Foundation, and Stanford. The lead authors are Ryan Babbush, Director of Quantum Algorithms at Google, and Hartmut Neven, VP of Engineering at Google Quantum AI. Craig Gidney, whose name on a resource estimate really moves markets in the quantum research community, is a co-author.

The finding: cracking the encryption that protects Bitcoin requires 20 times fewer quantum computing resources than what the world believed.

Read that again.

Not slightly fewer. Not marginally fewer. Twenty times fewer.

That number compresses the timeline for everything. And the way Google chose to publish it raises questions that the headlines are not asking.

What Google Found

Bitcoin and Ethereum both rely on a mathematical problem called ECDLP-256, the 256-bit Elliptic Curve Discrete Logarithm Problem, to secure wallet signatures and transactions. Your private key is derived from your public key through this math. Classical computers would need billions of years to reverse it. That protection is the cryptographic foundation of every transaction on every major blockchain.

Quantum computers running Shor’s algorithm can, in theory, reverse it in minutes.

The question has always been how many qubits that requires. Google’s team built two circuits to answer it.

Circuit one: fewer than 1,200 logical qubits, fewer than 90 million Toffoli gates. Circuit two: fewer than 1,450 logical qubits, fewer than 70 million Toffoli gates.

On a standard superconducting architecture using surface code error correction, with current hardware assumptions, both circuits execute in minutes using fewer than 500,000 physical qubits. The previous estimate was in the millions, specifically the prior standard was approximately 9 million physical qubits. Google cut that by roughly 18 times.

The more technically precise achievement is a roughly 10x improvement in spacetime volume, the combined product of qubits and gate count, over the best prior published estimates. This matters because spacetime volume drives both the size of the machine required and how long error correction must run. Previous leading papers forced a tradeoff: you could have fewer qubits or fewer gates, but not both. Google’s team found the balance point between them.

Craig Gidney is the same researcher who published the RSA-2048 qubit estimate in May 2025. His work has been consistent and directional. Each paper has moved the threat closer. This is not a marginal preprint. This is the engineering specification for a machine that breaks Bitcoin’s cryptography, written by the team building that machine, compatible with hardware they have already demonstrated.

The Nine-Minute Window

The paper introduces an attack that most coverage has underplayed. They call it the on-spend attack.

When you send Bitcoin, your public key is briefly exposed while your transaction waits in the mempool. It sits there, unconfirmed, publicly visible. Bitcoin’s average block time is approximately 10 minutes.

Google’s model shows a fast quantum computer can precompute part of the attack in advance, then complete the full calculation in roughly nine minutes once your transaction appears. That gives an attacker approximately a 41% probability of stealing your funds before your transfer ever confirms.

This is not a threat to old dormant wallets from 2010. This is a threat to money in motion. The paper is explicit.

“This is not merely a distant danger to dormant keys; the potential for early fast-clock CRQCs to launch on-spend attacks within Bitcoin’s 10-minute average block time places active transactions at immediate risk.”

The key distinction the paper introduces is hardware architecture. Fast-clock machines, superconducting and photonic platforms, have microsecond error correction cycles. These are the machines Google and IBM are building. Slower architectures, neutral atoms and ion traps, cannot execute the attack fast enough to beat the mempool window. For slow-clock machines, only at-rest attacks against long-exposed keys are practical. For fast-clock machines, your next transaction is also a target.

For Ethereum, the shorter confirmation time drops the on-spend success probability sharply, under 1%. But Ethereum faces a different and in some ways larger problem, which I cover below.

What Is Already Exposed

6.9 million Bitcoin currently sit in wallets with publicly exposed keys. That is roughly one third of the total supply.

1.7 million of those Bitcoin are in Satoshi-era addresses using a format called Pay-to-Public-Key. The public keys in those addresses are already visible on-chain. They cannot be migrated. Satoshi is gone. Those coins sit permanently exposed, with their locks already showing.

2.3 million BTC when all vulnerable script types are fully counted.

20.5 million ETH face equivalent at-rest exposure.

Google included a chart in the paper mapping the top 100,000 vulnerable and dormant Bitcoin addresses by balance. The paper’s authors built the target list. They published it.

The paper contains a direct quote that frames the scale of the problem: “This rapidly closing window forces the Bitcoin community to face urgent and difficult decisions regarding legacy assets, such as the 1.7 million bitcoin locked in P2PK scripts.”

Taproot Made It Worse

Here is what most outlets are not covering.

Bitcoin activated Taproot in November 2021. Developers celebrated it as the most significant upgrade since SegWit. The entire near-term scaling roadmap for Bitcoin runs through Taproot. Lightning Network, BitVM, Ark, all of it depends on Taproot being the dominant address format.

Taproot also exposes public keys on-chain by default.

The older dominant format, Pay-to-Public-Key-Hash, hid your public key behind a cryptographic hash until you spent. That hash layer provided a degree of quantum protection. You could have a public key exposed for ten milliseconds during a transaction and an attacker with a slow quantum computer still could not break it in time. Taproot’s key-path spend mechanism replaced that design. Your public key now sits on the blockchain permanently, in the output itself, visible to anyone.

Google’s paper names this directly. Taproot’s design choice expands the number of wallets vulnerable to quantum attack.

Taproot adoption has dropped from 42% of all Bitcoin transactions in 2024 to roughly 20% now. Users are quietly moving away from it. The Bitcoin Core developer community, which built and championed Taproot, has not offered a clear public response to why.

The surveillance and exploitation infrastructure I covered in my DarkSword investigation targets the application layer. The quantum threat described in today’s paper targets the protocol layer. Both point at the same wallets.

What Google Did Not Publish

This is the part no one is asking about.

Google did not publish the actual attack circuits. Instead, the team built a zero-knowledge proof, a cryptographic construction that allows independent researchers to verify the claim is accurate without learning how the attack works. The zero-knowledge proof was built using SP1 zkVM and Groth16 SNARK. Google committed to their secret circuits via SHA-256 hash, generated 9,024 test inputs, simulated the circuits, and wrapped the result in a cryptographic proof. Anyone can verify the circuits work. No one outside a small group knows what they contain.

Before publishing anything, Google “engaged with the U.S. government.” That is a direct quote from the paper’s blog post.

The sequence is this. Google built two quantum circuits capable of breaking Bitcoin’s encryption. The U.S. government saw the research before the public did. The public received a proof that the circuits exist.

I do not know what the government received. I do not know what agreement was reached or what the scope of the pre-publication briefing was. The paper does not say. What I can tell you is that there is a version of this research that exists in a government context that the public does not have access to.

That is not a conspiracy. That is what the paper says.

There is one additional detail worth noting. The zero-knowledge proof that Google published to verify their circuits relies on pairing-friendly elliptic curves, specifically BLS12-381. BLS12-381 is itself quantum-vulnerable. The proof’s mathematical integrity only holds because a cryptographically relevant quantum computer does not yet exist. The proof is, in a precise sense, secured by the same gap it is attempting to measure.

The NSA has been operating under CNSA 2.0 since 2022, a framework that mandates quantum-resistant cryptography for all National Security System acquisitions by January 2027. Senior U.S. officials have explicitly warned of harvest now, decrypt later operations, where adversaries collect encrypted data today intending to decrypt it once quantum hardware matures. When I wrote about the regulatory framework being built around stablecoins, the same agencies shaping that legislation are the ones being briefed on quantum attack vectors before publication. The overlap is not accidental.

The IBM Convergence

Google is not alone on this timeline.

IBM’s fault-tolerant quantum computer, called Quantum Starling, is scheduled to come online in Poughkeepsie, New York in 2029. It will be capable of executing 100 million quantum gates across 200 logical qubits. IBM published its full roadmap in June 2025: processor architectures for 2025, 2026, and 2027 that build toward Starling as the culminating system.

Two companies, competing with each other in quantum hardware, both arrived independently at 2029 as the threshold year. That convergence is not a coincidence and it is not marketing. It represents the engineering consensus from the organizations doing the work.

Google’s 2029 PQC migration deadline for its own internal infrastructure, announced earlier this year, is not a coincidence either. When an organization building the quantum hardware announces it will have its own cryptography upgraded before 2029, the implication is direct.

The paper itself makes this explicit. The time remaining before the arrival of CRQCs “still exceeds that needed to migrate blockchains to PQC,” but that margin, the paper says, is “increasingly narrow.”

The Second Paper

There was a second paper.

Five days before Google published today, French researchers Clémence Chevignard, Pierre-Alain Fouque, and André Schrottenloher published a paper for EUROCRYPT 2026. Their finding: solving ECDLP-256 requires approximately 1,098 logical qubits, cutting the previous estimate of 2,124 roughly in half.

Two independent research teams converging on sub-1,500 qubit estimates in the same week is what Nic Carter was referring to when he wrote that Google’s paper was “maybe not even the most concerning quantum paper released today.”

The Chevignard paper achieved fewer qubits than Google’s circuits but required far more gates, over 100 billion Toffoli gates versus Google’s 70-90 million. Google found the balance point between the two prior leading estimates. The result is a spacetime volume, qubits multiplied by gates, roughly 10 times smaller than either previous approach.

When two independent teams converge on the same problem and arrive at compatible answers within days of each other, that is not a coincidence either. That is the field reaching a level of maturity where the results are reproducible.

The Ethereum Surface

Bitcoin has one fundamental quantum vulnerability. Ethereum has five.

The paper maps them explicitly: Account Vulnerability, where 20.5 million ETH in the top wallets carry permanently exposed public keys; Admin Vulnerability, where smart contract administrator keys are exposed; Code Vulnerability, where quantum computers could manufacture reusable classical exploits from smart contract logic, a risk unique to Ethereum that does not exist in Bitcoin; Consensus Vulnerability, targeting Proof-of-Stake validator keys; and Data Availability Vulnerability.

The combined exposure exceeds $100 billion at current prices, and that figure does not account for the DeFi collateral, stablecoins, and real-world assets sitting on top of the Ethereum base layer.

On Ethereum specifically, once a user sends a transaction, the public key is permanently visible on-chain. There is no hash protection layer. There is no way to rotate the key without abandoning the account entirely. Google estimates a CRQC cracking one key every nine minutes could work through all 1,000 top ETH wallets in under nine days.

The paper also notes that real-world asset tokenization is projected to grow the pool of assets governed by quantum-vulnerable smart contracts by nearly 10 times by 2030. The institutions now moving traditional finance onto blockchain infrastructure through the tokenization frameworks I covered in the CLARITY Act piece are building on cryptography that has a published expiration date.

The Ethereum Foundation published a four-fork quantum roadmap targeting 2029. The GENIUS Act’s stablecoin framework, which I covered in depth here, governs the same assets that would be exposed in an Ethereum quantum event.

The Governance Problem

BIP-360 exists. It proposes a new Bitcoin address format called Pay-to-Merkle-Root that removes the quantum-vulnerable key-path from Taproot. It was merged into Bitcoin’s official BIP repository in February 2026. A testnet went live on March 20, eleven days ago.

Bitcoin Core has not started implementation.

A full migration is estimated at five to ten years minimum. It would reduce block capacity by roughly half and increase transaction fees and node costs substantially. There is no CEO of Bitcoin. There is no board. Every meaningful protocol change requires broad consensus across a decentralized developer community. Bitcoin’s historical governance disputes were triggered by far smaller technical changes than a full cryptographic overhaul.

Adam Back, Blockstream CEO, said in November 2025 that the quantum risk is “20 to 40 years away, if then.”

Google published its paper today.

Nic Carter called the findings “very sobering.” He has spent months warning that Bitcoin developers have their heads in the sand on this issue. He has also raised the scenario where large institutional holders like BlackRock, with substantial Bitcoin ETF exposure, could gain governance leverage over the protocol if the developer community refuses to act within a credible timeframe. The institutional capture dynamic in Bitcoin is not purely a quantum story. I wrote about how that same capture mechanism operates in the legislative layer with the GENIUS Act and the Circle freeze. The governance pressure from quantum risk is the same mechanism arriving through a different door.

Bitcoin developer Pieter Wuille said previously: “I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone, even those who diligently moved their coins to protected schemes.”

The technical problem is solvable. Post-quantum cryptography standards from NIST are finalized. CRYSTALS-Dilithium, SPHINCS+, and related algorithms exist and work. The migration is logistically difficult, not technically impossible. But Bitcoin has never had to do anything like this under a hard external deadline.

The Last Line

The paper closes with a sentence that should be read very carefully.

“It is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced.”

There might not be any public announcement of Q-Day.

The first signal could be a movement of coins from a Satoshi-era wallet that no one alive should be able to touch. Or a quiet drain of dormant addresses, one by one, over weeks, each attributed to nothing in particular.

The attacker’s interest is in silence.

I have written about how the Nikolai Mushegian case illustrated the pattern of information that circulates inside intelligence and finance circles before it reaches the public, if it ever does. The Mushegian piece touched on the overlap between crypto’s early architecture and intelligence community interest. The question of who knew what, and when, runs through that story and it runs through this one.

Google built the circuits. The United States government got them first. The public got a mathematical proof that they exist. The fix requires Bitcoin to coordinate a decade-long cryptographic overhaul across a leaderless global network with no enforcement mechanism, under a hardware deadline set by the companies building the threat.

IBM’s first fault-tolerant quantum system is scheduled for 2029. Google’s own internal deadline is 2029. Those are not two separate data points.

The countdown clock started today.

Strident Citizen is independent and reader funded. No ads. No institutional backing. Every article is free to read. If this kind of investigative journalism matters to you, a paid subscription is the most direct way to keep it going.

If you found this useful, share it with someone who holds Bitcoin. They should know what was published today.

This publication covers the infrastructure of power inside crypto. Subscribe to get every investigation directly.

Google briefed the U.S. government before publishing this paper and withheld the actual attack circuits. Do you think that disclosure was adequate? What should responsible disclosure look like when the asset at risk is decentralized?