Key Takeaways
- Google Quantum AI proved quantum computers need only 90M Toffoli gates to crack Bitcoin and Ethereum live transactions in minutes using fast superconducting hardware.
- The timeline is 4–6 years, not decades: 500,000 physical qubits scaling to 1,200 logical qubits is feasible by 2028–2030 per IBM and Google roadmaps.
- Bitcoin faces a 2.3M BTC dormant-coin salvage problem; Ethereum's all-active design means instant validator compromise and forced fork.
- Post-quantum cryptography standards (NIST FIPS 203–205) exist now. Migration via soft forks and account abstraction is technically possible; political will is not.
What Did Google Quantum AI Announce?
Google Quantum AI published concrete calculations showing quantum computers need 90M Toffoli gates to break Bitcoin and Ethereum signatures in minutes, not years or decades.
Lead researcher Ryan Babbush and collaborators at the Ethereum Foundation and Stanford University used zero-noise ZK proofs to model the attack precisely. They found that a quantum computer with 1,200 logical qubits, able to execute 90 million Toffoli gates, could drain an active Bitcoin or Ethereum transaction from the mempool before it confirms on-chain. The faster superconducting hardware scales, the worse the window gets.
This is the first time anyone has published a production-quality, peer-reviewed number. The research suggests the timeline for quantum threats is compressed from previous estimates—shifting the conversation from "eventually problematic" to something requiring action within the next few years.
How Close Is the Hardware?
The quantum requirement is steep but achievable within the next 3–6 years if current scaling trends hold. Google and IBM have published aggressive roadmaps.
| Hardware Type | Logical Qubits | Toffoli Gates | Runtime | Threat Window |
|---|---|---|---|---|
| Fast (Superconducting) | 1,200 | 90M | Minutes | Live mempool (Bitcoin and Ethereum) |
| Fast (Superconducting Alt.) | 1,450 | 70M | Minutes | Live mempool (Bitcoin and Ethereum) |
| Slow (Neutral Atoms/Ions) | 8,700 | 317M | Hours–Days | Dormant wallets only |
Here's the hardware reality: moving from physical to logical qubits requires error correction, which demands a 100:1 to 400:1 overhead depending on the method. Google aims to hit 500,000 physical qubits by 2028. At a 400:1 ratio, that yields 1,250 logical qubits—enough to break both chains in minutes using superconducting hardware. IBM has made similar public commitments. Neither timeline seems optimistic. Both seem achievable if funding holds.
Why Is Bitcoin Different from Ethereum?
Bitcoin and Ethereum use the same ECDSA signature scheme, but their threat models split on two fronts: transaction visibility and whether coins are active or dormant.
Bitcoin: Transactions sit in the mempool for up to 10 minutes before confirmation. A quantum attacker could extract the private key from a pending transaction, sweep the UTXO, and complete the theft before the original broadcast confirms. That's the live-chain risk. But there's a different problem underneath: 2.3 million BTC locked in old Pay-to-Public-Key (P2PK) addresses are sitting dormant forever. Nobody spends them. Nobody burns them. The private keys are exposed on-chain (that's how P2PK works). A quantum computer cracks them instantly and takes the coins. Bitcoin has no recovery mechanism for this. Hence the governance nightmare: burn them, let a government salvage them, or hard fork to recover them into a community pool?
Ethereum: Every active account breaks. Validators, wallets, smart contracts—all of it. Ethereum's Proof-of-Stake validators sign consensus messages. If a quantum attacker breaks those keys, they don't just steal funds. They forge blocks, finalize false network states, and force clients to reorganize or fork away from them. Ethereum's scaling layer (Danksharding) adds state commitments signed by validators. Those break too if the keys are compromised. The result is a cascade: chain fork, trust collapse, and staked ETH likely liquidated within hours.
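On the Bitcoin side, which of the two threat windows an output falls into depends on whether its locking script carries the public key itself or only a hash of it. The sketch below is an added example, not code from the article or from Bitcoin Core; the exposure labels, the `audit` helper and every sample script are constructed for illustration, and it goes beyond the P2PK case named above to cover P2PKH, P2WPKH and Taproot outputs.

```python
# Added example: classify Bitcoin locking scripts by when the public key becomes visible.
# All keys, hashes and amounts below are constructed placeholders, not real chain data.
from collections import defaultdict

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def classify_script(script_hex):
    """Return (script_type, exposure) for a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push length> <33- or 65-byte public key> OP_CHECKSIG
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        if s[1] in ((2, 3) if len(s) == 35 else (4,)):
            return "P2PK", "at-rest"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (len(s) == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", "on-spend"
    # P2WPKH: OP_0 <20-byte hash>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", "on-spend"
    # P2TR: OP_1 <32-byte x-only output key>; the key sits in the output itself
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "P2TR", "at-rest"
    return "other", "unknown"

def audit(utxos, previously_spent=frozenset()):
    """Sum satoshis per exposure class for (script_hex, satoshis) pairs.

    A hashed script listed in previously_spent has been spent from before,
    so its key was already revealed and it is counted as at-rest.
    """
    totals = defaultdict(int)
    for script_hex, sats in utxos:
        _, exposure = classify_script(script_hex)
        if exposure == "on-spend" and script_hex in previously_spent:
            exposure = "at-rest"
        totals[exposure] += sats
    return dict(totals)

# Constructed sample scripts (repeated filler bytes, not real keys or hashes).
P2PK_UNCOMP = "41" + "04" + "11" * 64 + "ac"
P2PK_COMP = "21" + "02" + "22" * 32 + "ac"
P2PKH = "76a914" + "33" * 20 + "88ac"
P2PKH_REUSED = "76a914" + "44" * 20 + "88ac"
P2WPKH = "0014" + "55" * 20
SAMPLE = [(P2PK_UNCOMP, 5_000_000_000), (P2PK_COMP, 100_000), (P2PKH, 250_000),
          (P2PKH_REUSED, 70_000), (P2WPKH, 30_000)]

if __name__ == "__main__":
    print(audit(SAMPLE, previously_spent={P2PKH_REUSED}))
```

Outputs counted as at-rest correspond to the dormant-wallet row of the hardware table; on-spend outputs reveal their key only for the duration of the mempool window.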
The Window Is Wider Than Expected
Industry consensus expected cryptographically relevant quantum computers (CRQCs) by 2035–2040. The Babbush calculations suggest 2028–2030 is now the upper bound for live-chain attacks if superconducting qubit scaling continues. This is speculative—hardware always moves slower than projections. But the narrative has shifted from "not in our lifetime" to "plan for the end of this decade." That's the real announcement.
What Migration Paths Exist Today?
Post-quantum cryptography standards are ready now. NIST completed standardization in 2022. Both Bitcoin and Ethereum can technically migrate to PQC signatures using soft forks and upgrades.
| Asset Type | Urgency | Migration Path |
|---|---|---|
| Live Mempool Transactions | IMMEDIATE | Soft fork to new address types using PQC signatures (FALCON/Dilithium) |
| Active User Accounts | HIGH | Account abstraction + PQC credential layers (EIP-style upgrades) |
| Smart Contracts | HIGH | Signature verification modules upgraded to PQC; contract logic untouched |
| Dormant Coins (Bitcoin) | MEDIUM | Community governance decision (burn, salvage pool, or hard fork) |
Why Haven't They Deployed It Yet?
Technically, both Bitcoin and Ethereum could support PQC in 12–18 months with coordinated effort. The real blockers are political and financial, not technical.
Bitcoin Core developers constantly debate soft-fork governance. Peter Todd and Luke Dashjr have raised concerns about adding new sighash versions and script types. Bitcoin's culture prioritizes backward compatibility. A PQC soft fork is possible (Segregated Witness proved it), but it requires consensus on activation rules, testing, and a timeline. Most developers treat it as a future problem because the threat still feels distant.
Ethereum's path is faster. The Ethereum Foundation has prototyped account abstraction (EIP-4337) and could slot PQC signature algorithms into a single upgrade. But Ethereum's next two years are spoken for: Proto-danksharding, then Danksharding itself. PQC waits in the queue.
The deeper reason: most stakeholders (exchanges, validators, wallet makers) see no immediate danger. Until someone demonstrates a quantum computer running Shor's algorithm against live cryptography—not papers, not theory—the urgency stays low.
What About Harvest-Now-Decrypt-Later Attacks?
Adversaries are recording encrypted transactions today. Once quantum computers arrive, they decrypt old recordings retroactively and steal cryptocurrency locked at historical addresses and keys.
This is not hypothetical. Intelligence agencies and well-funded cryptanalytic groups routinely archive Internet traffic for later exploitation. A reasonable assumption is that blockchain transactions—public, permanent, and cryptographically valuable—are already being harvested. This means dormant coins face potential risk today, not in 2030. The 2.3 million dormant Bitcoin could potentially be vulnerable to harvest-now attacks if a quantum computer capable of running Shor's algorithm becomes operational.
Digital Salvage Is a Governance Crisis Waiting to Happen
Bitcoin's dormant coins raise an uncomfortable question: does Bitcoin have a recovery mechanism for quantum theft of old P2PK outputs? The answer is no. The Bitcoin social consensus has always been "lost coins stay lost." But 2.3 million BTC (worth ~$115 billion at 2026 prices) is not pocket change. If a quantum actor drains those coins and moves them to an exchange, how does Bitcoin respond? Hard fork to reverse the transactions? Roll back the chain? Neither is precedent-friendly. The more likely outcome: community deliberation, governance failure, and a split fork. This becomes a political and economic event, not just a technical one.
What Should Crypto Stakeholders Do Now?
Bitcoin Core should announce a PQC initiative now. The Ethereum Foundation should slot PQC upgrades into its 2027 roadmap. Exchanges and wallets should build PQC signing support. The community should decide on dormant-coin governance today.
The next steps are straightforward: Bitcoin Core announces a PQC research initiative and targets 2027–2028 for a soft fork. Ethereum Foundation puts a PQC validator upgrade on the 2027 roadmap. Exchanges and wallet makers start building PQC signing into their stacks. The Bitcoin community convenes a governance forum on dormant P2PK coins now, before a quantum computer forces the decision under duress.
The worst outcome is inaction followed by panic. Google just moved the calendar. It's 2028 now, not 2035.
Fact-checked by Jim Smart

