Google Quantum AI Officially Reveals: Number of Qubits Required to Break Bitcoin Encryption Reduced by 20x
TechFlow Selected TechFlow Selected
Google Quantum AI Officially Reveals: Number of Qubits Required to Break Bitcoin Encryption Reduced by 20x
Google also released the verification materials using “zero-knowledge proofs,” enabling third parties to verify the conclusions without revealing the attack details.
Navigating Web3 tides with focused insightsAuthors: Ryan Babbush & Hartmut Neven, Google Quantum AI
Translation: TechFlow
TechFlow Intro: This is the primary source for today’s discussion on quantum threats—not media commentary, but an official technical blog jointly published by Google Quantum AI’s Research Director and VP of Engineering.
The core conclusion is singular: the previously estimated number of physical qubits required to break Bitcoin’s elliptic-curve cryptography has now been reduced by approximately 20-fold. Google has also released verification materials in a “zero-knowledge proof” manner—enabling third parties to verify the conclusions without learning the attack details. This disclosure method itself is noteworthy.
Full Text Below:
March 31, 2026
Ryan Babbush, Research Director of Quantum Algorithms, Google Quantum AI; Hartmut Neven, VP of Engineering, Google Quantum AI and Google Research
We are exploring a new paradigm to clarify the cryptanalytic capabilities of future quantum computers and outline steps needed to mitigate their impact.
Quantum Resource Estimates
Quantum computers promise to solve problems previously considered intractable—including applications in chemistry, drug discovery, and energy. However, large-scale Cryptographically Relevant Quantum Computers (CRQCs) could likewise break widely deployed public-key cryptography, which safeguards confidential information and other critical systems. Governments and institutions—including Google—have long grappled with this security challenge. As scientific and technological progress continues, CRQCs are gradually becoming a reality, necessitating the transition to Post-Quantum Cryptography (PQC)—which is why we recently proposed a 2029 migration timeline.
In our white paper, we share updated estimates of the quantum “resources” (i.e., qubits and quantum gates) required to break Elliptic-Curve Discrete Logarithm Problem-256 (ECDLP-256), the foundation of elliptic-curve cryptography. We express resource requirements in terms of logical qubits (error-corrected qubits composed of hundreds of physical qubits) and Toffoli gates (costly elementary operations on qubits that dominate execution time for many algorithms).
Specifically, we compiled two quantum circuits (sequences of quantum gates) implementing Shor’s algorithm against ECDLP-256: one requiring fewer than 1,200 logical qubits and 90 million Toffoli gates; another requiring fewer than 1,450 logical qubits and 70 million Toffoli gates. Under hardware capability assumptions consistent with some of Google’s flagship quantum processors, we estimate these circuits could execute in minutes on a superconducting-qubit CRQC with fewer than 500,000 physical qubits.
This represents an approximate 20-fold reduction in the number of physical qubits required to break ECDLP-256—and marks a continuation of the long optimization journey of compiling quantum algorithms into fault-tolerant circuits.
Securing Cryptocurrencies with Post-Quantum Cryptography
Most blockchain technologies and cryptocurrencies currently rely on ECDLP-256 to secure key aspects of their systems. As argued in our paper, PQC offers a mature pathway toward post-quantum blockchain security, ensuring the long-term viability of cryptocurrencies and the digital economy in a world where CRQCs exist.
We cite examples of post-quantum blockchains and experimental deployments of PQC on originally quantum-vulnerable blockchains. We note that although viable solutions like PQC already exist, implementation still requires time—making urgent action increasingly critical.
We also offer additional recommendations to the cryptocurrency community to improve security and stability in both the short and long term—including avoiding exposure or reuse of vulnerable wallet addresses, and potential policy options to address the issue of abandoned cryptocurrencies.
Our Vulnerability Disclosure Approach
Vulnerability disclosure is a contentious topic. On one hand, the “no disclosure” stance holds that publishing vulnerabilities amounts to handing attackers an operational manual. On the other, the “full disclosure” movement argues that informing the public about security vulnerabilities both raises awareness and encourages self-protection, while also motivating security remediation efforts. In computer security, this debate has largely converged on compromise frameworks known as “responsible disclosure” and “coordinated vulnerability disclosure.” Both advocate disclosing vulnerabilities under embargo periods—giving affected systems time to deploy security fixes. Leading security research institutions—including Carnegie Mellon University’s CERT/CC and Google’s Project Zero—have adopted variants of responsible disclosure with strict deadlines, a practice now formalized as the international standard ISO/IEC 29147:2018.
Disclosure of security vulnerabilities in blockchain technology is further complicated by a unique factor: cryptocurrencies are not merely decentralized data-processing systems. Their digital asset value derives both from the network’s cryptographic security and from public confidence in the system. While digital security may be threatened by CRQCs, public confidence may simultaneously erode due to Fear, Uncertainty, and Doubt (FUD) tactics. Thus, non-scientific, unsubstantiated resource estimates for quantum algorithms capable of breaking ECDLP-256 may themselves constitute an attack on the system.
These considerations guided our careful disclosure approach to quantum attack resource estimates targeting elliptic-curve-based blockchain technologies. First, we mitigated FUD risks by explicitly identifying domains where blockchains remain immune to quantum attacks and emphasizing recent progress in post-quantum blockchain security. Second, without sharing the underlying quantum circuits, we substantiated our resource estimates by publishing an advanced cryptographic construct known as a “zero-knowledge proof,” enabling third parties to verify our claims without access to sensitive attack details.
We welcome further discussions with the quantum, security, cryptocurrency, and policy communities to reach consensus on future responsible disclosure norms.
Through this work, our goal is to support the long-term healthy development of the cryptocurrency ecosystem and blockchain technologies—both of which are assuming ever-greater importance in the digital economy. Looking ahead, we hope our responsible disclosure approach will spark an important dialogue between quantum computing researchers and the broader public—and provide a replicable model for the field of quantum cryptanalysis research.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@GoogleResearch
