Google research finds quantum computers could break Bitcoin encryption with 500,000 qubits
Bitcoin's security model has held up for over fifteen years. The cryptographic foundation, specifically the elliptic curve digital signature algorithm it relies on, has never been broken in practice. Google's latest quantum computing research suggests that barrier has a number attached to it now: roughly 500,000 qubits. That's the threshold at which a quantum computer could crack the encryption protecting Bitcoin wallets, and about a third of all Bitcoin in circulation sits in addresses that would be exposed.
The research doesn't mean Bitcoin is broken today. Current quantum hardware is nowhere near 500,000 qubits of fault-tolerant capacity. Google's Willow chip, announced in late 2024, operates at 105 qubits. But the paper establishes a concrete target, and that changes the conversation from theoretical to technical.
What the 500,000 qubit number actually means
Quantum computers use qubits instead of binary bits, which lets them solve certain types of problems exponentially faster than classical computers. One class of problems they're particularly good at is factoring large numbers and the closely related discrete logarithm problem, and solving the elliptic curve form of the latter is exactly what breaking elliptic curve cryptography requires. Shor's algorithm, developed in 1994, laid out the theoretical approach. The question has always been how much quantum hardware you'd actually need to run it at scale.
Google's research pins that requirement at approximately 500,000 physical qubits operating with error correction. The 'physical' qualifier matters. Today's qubits are noisy and error-prone, so a large portion of them have to be dedicated to error correction rather than computation. The ratio between physical qubits and usable logical qubits is still unfavorable, which is part of why 105 qubits today doesn't translate to a meaningful cryptographic threat.
Which Bitcoin is actually at risk
Not all Bitcoin wallets carry the same exposure. The addresses most at risk are pay-to-public-key (P2PK) addresses, where the public key itself is visible on the blockchain. Anyone who has ever sent Bitcoin from an address has also exposed that address's public key, which is published in the spending transaction alongside the signature. From that public key, a sufficiently powerful quantum computer running Shor's algorithm could work backward to derive the private key.
Estimates vary, but research published in 2022 by Mark Webber and colleagues at the University of Sussex calculated that around 25% of Bitcoin in circulation at the time sat in vulnerable address formats. Google's new paper suggests the figure is closer to a third when accounting for address reuse patterns that have accumulated over the years. Satoshi Nakamoto's original coins, which have never moved, are among the most exposed holdings in the entire network.
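As an added illustration (not code from Google's paper or from this article), the Python example below sorts a wallet's unspent outputs into the exposure cases described above: a public key already written on-chain, or one revealed by an earlier spend from a reused address. The sample scripts are constructed, the address_spent_before flag is an assumed input the caller supplies from their own transaction history, and the Taproot (P2TR) case, whose output script carries a public key directly, goes beyond what the article covers.

```python
from collections import defaultdict

# Output types whose script commits only to a hash of the key or script.
HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}

def classify_script(script_hex):
    """Match a scriptPubKey (hex) against the standard output templates."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"    # OP_HASH160 <20> OP_EQUAL
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"  # OP_0 <20-byte key hash>
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"   # OP_0 <32-byte script hash>
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"    # OP_1 <32-byte x-only public key>
    return "unknown"

def exposure(script_hex, address_spent_before=False):
    """Report whether the public key guarding an output is already public."""
    kind = classify_script(script_hex)
    if kind in ("p2pk", "p2tr"):
        return "exposed-at-rest"        # key is in the output script itself
    if kind in HASHED:
        # An earlier spend from the same address published the key.
        return "exposed-by-reuse" if address_spent_before else "hidden-until-spend"
    return "unknown"

def audit(utxos):
    """Sum satoshis per exposure class for (script_hex, sats, reused) tuples."""
    totals = defaultdict(int)
    for script_hex, sats, reused in utxos:
        totals[exposure(script_hex, reused)] += sats
    return dict(totals)

# Constructed sample outputs (filler key and hash bytes, not real coins).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),  # P2PK
    ("76a914" + "22" * 20 + "88ac", 150_000, True),          # P2PKH, reused
    ("0014" + "33" * 20, 250_000, False),                    # P2WPKH, unused
    ("5120" + "44" * 32, 75_000, False),                     # P2TR
]

if __name__ == "__main__":
    for status, sats in sorted(audit(SAMPLE_UTXOS).items()):
        print(f"{status:20s} {sats:>14,d} sat")
```

Outputs reported as hidden-until-spend reveal their key only when spent, so avoiding address reuse keeps them in that class.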
How fast could this actually happen
The timeline question is where serious disagreement exists. IBM's quantum roadmap targets 100,000 qubits by 2033. Google has not published a public timeline for reaching 500,000 fault-tolerant qubits. The gap between current hardware and the threshold needed to threaten Bitcoin is still enormous, and progress in error correction has been slower than raw qubit count growth would suggest.
The National Institute of Standards and Technology finalized its first set of post-quantum cryptographic standards in August 2024, covering algorithms like CRYSTALS-Kyber and CRYSTALS-Dilithium. These are designed to resist attacks from quantum computers. The standards exist specifically because governments and standards bodies expect the threat window to open within the next ten to thirty years, even if the exact timing is uncertain.
What the Bitcoin network can do about it
Bitcoin is not defenseless here, but any fix requires a protocol upgrade, and Bitcoin upgrades are slow by design. The network would need to implement quantum-resistant signature schemes, likely through a soft fork or hard fork, and users with exposed addresses would need to migrate funds to new addresses using post-quantum cryptography. That migration has to happen before a capable quantum computer exists, which means the window for action is tied to how quickly quantum hardware scales.
The Bitcoin developer community has discussed quantum resistance for years without producing a formal proposal that's gained traction. The technical complexity is real: changing Bitcoin's signature scheme without breaking backward compatibility or consensus is genuinely hard. Ethereum's developers have been more publicly active on post-quantum planning, with Vitalik Buterin outlining an account abstraction approach in early 2024 that could simplify the migration path.
Google's broader quantum research context
Google has been publishing aggressive quantum milestones since its 2019 claim of quantum supremacy on a narrow computational task. The Willow chip announcement in December 2024 showed meaningful progress on error correction, reducing error rates as qubit count increased, which had been a persistent problem. The Bitcoin encryption research appears to be part of a broader effort to quantify real-world cryptographic risk, not just benchmark abstract problems.
The paper puts a specific number on a threat that has previously been described only in rough terms. That specificity is useful for policy and engineering work, even if the hardware needed to act on it is still years away. NIST's post-quantum standards are already finalized. The question now is how fast the cryptocurrency industry, and specifically Bitcoin, moves to implement them.