Google's quantum paper sounds the alarm: 600 billion in crypto assets face risks

A new paper co-published by Google’s quantum AI and multiple parties has significantly lowered the hardware threshold for cracking the elliptic curve cryptography used for Bitcoin and Ethereum, bringing quantum security risks—long lingering and unresolved—into the market’s near-term reality. At current market prices, the total size of affected crypto assets exceeds $600 billion.

The paper notes that cracking the 256-bit elliptic curve discrete logarithm problem requires only 1,200–1,450 logical qubits and 70 million–90 million Toffoli gates. For the corresponding superconducting quantum computer, fewer than 500,000 physical qubits are needed. The attack can be completed in minutes, reducing hardware estimates by about 20x compared with earlier estimates.

Google emphasizes that no such machine exists yet, but an Ethereum Foundation researcher says confidence in the 2032 “Quantum Day” (when quantum computers have a 10% probability of cracking private keys) has increased significantly.

Google also reveals that it has worked with the U.S. government to estimate external verification resources via zero-knowledge proofs, while avoiding disclosure of attack details.

Bitcoin’s quantum risk is concentrated in transaction attacks and the security of held assets. The paper simulates attacks during spending: with a quantum computer, private keys can be derived in 9 minutes—close to Bitcoin’s 10-minute average block time—with a theft success rate of nearly 41%.

Worse still, about 6.7 million Bitcoins (about $444 billion, or 32% of total market value) are stored in vulnerable addresses. Of these, 1.7 million protected only by older script mechanisms ($112.6 billion), 2.3 million that are various kinds of dormant and vulnerable ($152.3 billion), and some are unable to be migrated because they were abandoned or lost.

In addition, while the Taproot protocol improves privacy, because the public key is directly embedded into the script, it reintroduces quantum weaknesses. And in the short term, the main risk focus is signatures rather than mining.

Ethereum’s quantum risk runs through accounts, contracts, and infrastructure. Because Ethereum produces blocks every 12 seconds, processes transactions quickly, and relies on private mempools, the difficulty of real-time transaction attacks is relatively high.

The core risk is static attacks: fast quantum computers could compromise the first 1,000 Ethereum accounts within 9 days (about $41.5 billion) and crack 70 core contract accounts within 15 hours (about $5.1 billion).

Even more worth worrying about is that on Ethereum, $200 billion in stablecoins and tokenized assets—if the keys belonging to issuers, bridge operators, and similar parties are compromised—could trigger crises such as money supply expansion and funds being frozen.

In addition, $30.4 billion in ETH within L2 and protocol value, and $74.9 billion in ETH within consensus stakes, also face threats due to vulnerabilities and signature risks.

However, the industry already has post-quantum cryptography tools, but migration will take several years. It requires protocol upgrades and changes in wallet behavior to reduce public key leakage and key reuse.

For the crypto market, quantum risk has moved from theory to reality: Bitcoin needs to address settlement-window pressure, while Ethereum must protect its massive contract and tokenized ecosystem. Immediately advancing post-quantum cryptography migration is an urgent task for the industry right now.