Nine Minutes. That's Your New Attack Window.
- Joel Van Dyk
- Apr 28
- 6 min read
Google Quantum AI just published the most significant quantum threat assessment the blockchain space has ever seen (https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf). Here's why you should take it seriously — and what to do about it.
JOEL VAN DYK APRIL 2026 ~7 MIN READ
Let me be direct. I have spent close to three decades as a security architect at some of the world's largest financial institutions — JPMorgan, DTCC, LSEG, State Street. My focus for the past several years has been post-quantum cryptography and digital asset security. I am not prone to hype. What Google Quantum AI published last month is not hype. It is a credible, methodologically rigorous reassessment of the quantum threat timeline that every serious participant in the blockchain space needs to understand.
The paper's headline finding: Shor's algorithm can break the 256-bit Elliptic Curve Discrete Logarithm Problem — the cryptographic foundation underneath Bitcoin, Ethereum, and essentially every major blockchain — using fewer than half a million physical qubits on a superconducting architecture, in approximately nine minutes. That is a twenty-fold reduction from prior best estimates.

To put that nine minutes in context: Bitcoin's average block time is ten minutes. That means a fast-clock cryptographically relevant quantum computer (CRQC) — one built on superconducting, photonic, or silicon spin qubit architecture — could intercept a transaction from the public mempool, derive the private key, and broadcast a forged transaction before the original is confirmed. The paper calculates the success probability at approximately 41% under idealised conditions.

1 - The ZK Proof Is the Story Within the Story
Before getting into the threat taxonomy, it is worth pausing on the methodology. The Google team chose not to publish their improved quantum circuits. This is a deliberate departure from the cryptanalysis field's tradition of full transparency, and they explain their reasoning carefully: detailed attack blueprints at this stage present a genuine dual-use risk.
Instead, they validated their resource estimates using a zero-knowledge proof — allowing independent cryptographic verification of the claims without disclosing the mechanics. The ZK proof commits to two circuit variants via SHA-256 hash and demonstrates approximate correctness across 9,024 pseudorandom test inputs derived via the Fiat-Shamir heuristic. It is a novel and important adaptation of responsible disclosure principles to quantum cryptanalysis.
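As an added illustration of the commit-then-derive pattern described above (not the paper's own verification code): each circuit variant is committed to with SHA-256, and the test inputs are derived from those commitments via Fiat-Shamir so the prover cannot steer them. The placeholder circuit descriptions, the domain-separation label and the choice of secp256k1 scalars as test instances are assumptions of this example.

```python
# Added illustration (not the paper's code) of the commit-then-derive pattern:
# each circuit variant is committed to by SHA-256 and the test inputs are derived
# from the commitments via Fiat-Shamir, so the prover cannot choose them.
from __future__ import annotations
import hashlib

N_TESTS = 9024
# secp256k1 group order: ECDLP test instances are scalars in [1, ORDER).
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def commit(circuit_description: bytes) -> bytes:
    """Binding commitment to an undisclosed circuit description."""
    return hashlib.sha256(circuit_description).digest()

def fiat_shamir_inputs(commitments: list[bytes], n: int = N_TESTS) -> list[int]:
    """Derive n pseudorandom test scalars from the public transcript.

    Replacing the verifier's coin flips with a hash of the commitments fixes the
    inputs the moment the circuits are committed: tuning a circuit afterwards
    changes its commitment and therefore every derived test input.
    """
    transcript = b"".join(commitments)
    scalars = []
    for i in range(n):
        # Domain-separated counter hash; the label is an assumption of this example.
        digest = hashlib.sha256(transcript + b"ecdlp-test" + i.to_bytes(4, "big")).digest()
        scalars.append(1 + int.from_bytes(digest, "big") % (ORDER - 1))
    return scalars

def verify_transcript(published: list[bytes], descriptions: list[bytes]) -> bool:
    """Anyone later handed the descriptions can check they match what was committed."""
    return len(published) == len(descriptions) and all(
        commit(d) == c for c, d in zip(published, descriptions))

# Constructed stand-ins for the two circuit variants (placeholder bytes, not circuits).
VARIANT_A = b"constructed:ecdlp-circuit-variant-A"
VARIANT_B = b"constructed:ecdlp-circuit-variant-B"
COMMITMENTS = [commit(VARIANT_A), commit(VARIANT_B)]
```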

The implication worth sitting with: if a team with Google's transparency norms is choosing not to publish the circuits, the opacity of nation-state programmes is almost certainly far greater. The paper states this plainly — the existence of early CRQCs may first be detected on the blockchain rather than announced.
2 - Three Attack Types. Three Different Threat Models.
The paper's taxonomy of quantum attacks is one of its most operationally useful contributions. These are not interchangeable threats — they require different defensive responses and carry different urgency levels depending on your architecture.
| TYPE | TARGET | WINDOW | WHO'S AT RISK |
|---|---|---|---|
| At-Rest | Long-exposed public keys, dormant wallets, reused addresses | Days → years | P2PK addresses, P2TR, any address that has spent BTC. All Ethereum EOAs that have transacted. |
| On-Spend | Transactions in the public mempool | ~9 minutes | Fast-clock CRQCs only. Bitcoin most vulnerable. ETH's 12-second slots likely safe for now. |
| On-Setup | Fixed protocol parameters (trusted setups) | One-time | Ethereum DAS / KZG, Tornado Cash, Mimblewimble. Creates a reusable classical exploit. |
The on-setup attack is the one that should concern protocol architects most. A single CRQC computation against Ethereum's KZG trusted setup — the cryptographic ceremony underpinning the Data Availability Sampling mechanism introduced in the Dencun upgrade — produces a permanent backdoor that requires no further quantum capability to exploit. That backdoor can be used, shared, or sold. The paper estimates roughly 15 million ETH in Layer 2 TVS is exposed through this vector alone.
3 - Ethereum's Attack Surface Is Larger Than Bitcoin's
The crypto community's quantum conversation has been dominated by Bitcoin. That framing is increasingly inadequate when you consider where economic weight actually sits today — and where it is moving.
The paper identifies five distinct vulnerability classes in Ethereum. Three are immediately material:
Account Vulnerability. Every Ethereum EOA that has ever initiated a transaction has its public key permanently on-chain. There is no equivalent of Bitcoin's hash-protected addresses for accounts that have spent. A CRQC can target any of these at rest. The paper estimates the top 1,000 vulnerable Ethereum accounts hold approximately 20.5 million ETH — derivable in under nine days with a single fast-clock CRQC.
Admin Vulnerability. Smart contracts governing stablecoins and tokenized assets are controlled by admin keys. These keys are public — they have signed transactions. A quantum attacker who derives an admin private key gains the ability to mint unlimited tokens, drain liquidity pools, manipulate oracle feeds, or freeze user funds. Among the top 500 Ethereum contracts by ETH balance, at least 70 — holding around 2.5 million ETH and controlling over $200 billion in stablecoins and RWAs — are exposed.
THE SCALE PROBLEM
RWA tokenization is projected to exceed $16 trillion by 2030. The cryptographic protocols governing that infrastructure are the same ones this paper demonstrates are breakable. This is not a niche DeFi risk — it is a systemic one.
Consensus Vulnerability. Ethereum's Proof-of-Stake validators use BLS signatures on the BLS12-381 curve. Compromising more than one-third halts finality. More than two-thirds enables complete chain rewriting. As of February 2026, approximately 37 million ETH is staked and exposed. Recovery from a supermajority attack would require a social consensus hard fork — the kind of emergency intervention that fundamentally damages trust in the system. Hard forks are also never clean: some participants follow one chain and others the other, fragmenting the ecosystem further.
4 - Bitcoin's Dormant Asset Problem Has No Clean Answer
Approximately 1.7 million BTC sits in P2PK scripts — including what are widely believed to be Satoshi's holdings. These coins are permanently, irrevocably exposed. No soft fork, no wallet upgrade, no user action can protect them, because the owners are either gone or the keys are lost.
The paper quantifies the broader dormant and vulnerable supply at approximately 6.9 million BTC across all protocol types. That is a target worth tens of billions of dollars that will, absent protocol intervention, eventually become accessible to whoever builds a CRQC first.
The Bitcoin community is debating three responses: Do Nothing, Burn (render dormant assets unspendable), and Hourglass (rate-limit spending of vulnerable coins). An informal poll at the 2025 Presidio Bitcoin Quantum Summit saw roughly equal support for all three. As noted above about forking, that lack of consensus is itself a vulnerability. The paper adds a fourth proposal — a "bad sidechain" recovery mechanism allowing off-chain proofs of ownership — but the political complexity is significant.
What is not in serious dispute is that governments will eventually need a policy framework for this. The paper introduces a "digital salvage" framing — analogous to maritime salvage law — as a model for regulated recovery of dormant assets. The lack of any concrete action by the present US Administration, or by the previous one, does not bode well for a solution to this problem. Whether or not that specific approach gains traction, the legal status of CRQC-derived private keys is currently undefined, and the absence of clarity creates the risk that these assets flow to adversarial actors rather than into any kind of regulated resolution.
5 - What to Actually Do Right Now
PQC migration is the only durable long-term answer. NIST standardised ML-KEM, ML-DSA, and SLH-DSA in 2024. These are the right foundations. But standardisation is not deployment, and the operational complexity of migrating cryptographic infrastructure at scale means the work needs to start now — not when the first CRQC is announced.
For the blockchain and digital asset community specifically, the paper's intermediate mitigations are worth taking seriously while full migration is underway:
- Stop using P2TR and P2PK addresses for new Bitcoin holdings. P2TR in particular — introduced with Taproot in 2021 — exposes the public key directly in the locking script. The paper calls this a security regression. Use P2WPKH (bc1q) addresses and never reuse them.
- Eliminate address reuse wherever operationally possible. Exchanges, custodians, and services that maintain stable deposit addresses for convenience are trading security for friction reduction. In a post-CRQC environment that trade-off is untenable.
- Audit admin key exposure in smart contract infrastructure. If your protocol's admin keys have ever signed a transaction, the public key is on-chain, and a CRQC can in principle back-calculate the corresponding private key. Understand what those keys control, implement rotation mechanisms where possible, and plan the migration path now rather than under duress.
- Treat the Ethereum DAS / KZG on-setup risk as a protocol-level priority. The Ethereum Foundation is actively researching hash-based alternatives. Layer 2 teams should be tracking this work closely and building transition plans into their roadmaps.
- Do not assume Grover's algorithm threatens Bitcoin mining. The paper is definitive on this: quantum acceleration of SHA-256 mining is not a practical threat in any foreseeable timeframe. Do not let this misconception distract from the real vulnerabilities.
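A small audit helper that applies the P2PK/P2TR and address-reuse advice above to raw Bitcoin output scripts, classifying each one by whether its public key is already exposed at rest. This is an added example, not code from the paper or the author; the `Utxo` structure, the `address_has_spent` flag and the sample outputs are constructed for illustration.

```python
# Added example (not from the paper or the author): classify Bitcoin output scripts
# by whether the EC public key is already exposed at rest, following the P2PK/P2TR
# warning above. scriptPubKeys are raw bytes; the sample UTXOs are constructed.
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)

def classify_script_pubkey(spk: bytes) -> tuple:
    """Return (script type, key_in_script). Hash-based outputs reveal their keys only
    when spent; P2PK and P2TR carry the key in the script itself."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True     # <push 33/65-byte pubkey> OP_CHECKSIG
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:
        return "P2TR", True     # OP_1 <32-byte x-only pubkey>
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False   # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return "P2WPKH", False  # OP_0 <20-byte key hash> (bc1q)
    if n == 34 and spk[0] == OP_0 and spk[1] == 0x20:
        return "P2WSH", False   # OP_0 <32-byte script hash>
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[22] == OP_EQUAL:
        return "P2SH", False    # OP_HASH160 <20-byte script hash> OP_EQUAL
    return "unknown", False

@dataclass
class Utxo:
    txid: str
    spk: bytes
    address_has_spent: bool  # True if this same script has already been spent from

def quantum_exposed(u: Utxo) -> bool:
    """At-rest attack surface: key in the script, or key already revealed in the
    input/witness of an earlier spend from the same address (address reuse)."""
    return classify_script_pubkey(u.spk)[1] or u.address_has_spent

def audit(utxos) -> list:
    """Per-UTXO report: (txid, script type, exposed at rest)."""
    return [(u.txid, classify_script_pubkey(u.spk)[0], quantum_exposed(u)) for u in utxos]

# Constructed sample set: a Taproot output, a fresh P2WPKH output, a reused P2WPKH output.
SAMPLE = [
    Utxo("tx-a", bytes([OP_1, 0x20]) + b"\x11" * 32, False),
    Utxo("tx-b", bytes([OP_0, 0x14]) + b"\x22" * 20, False),
    Utxo("tx-c", bytes([OP_0, 0x14]) + b"\x33" * 20, True),
]
```

Only the fresh, never-spent P2WPKH output comes back unexposed; the Taproot output is exposed by construction and the reused P2WPKH output by its spending history.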
The margin for error is narrowing. The window for orderly migration is still open — but given the technology available now, the work required to complete it takes years, not months.
One final observation. This paper was authored by some of the most credible quantum computing researchers in the world, using a novel responsible disclosure methodology that should become the field's standard. They chose to publish despite the dual-use risks because they judged that the cryptocurrency community's "wait and see" posture presents a greater danger than the marginal risk of disclosure. I agree with that judgement. The community should honour it by acting accordingly.