
Google Put the Quantum Threat to Bitcoin at 500,000 Qubits. The Previous Estimate Was Millions


In March 2026, Google Quantum AI published a paper estimating that Shor’s algorithm could break the secp256k1 elliptic curve securing Bitcoin with fewer than 500,000 physical qubits under certain hardware assumptions. The previous working estimate was several million. Three research papers released within roughly 12 months reduced the projected quantum resources needed to attack elliptic curve cryptography by nearly an order of magnitude. The timeline the crypto industry was planning around has compressed significantly.

Why the resource estimate is the number that matters

The quantum threat to Bitcoin has been understood mathematically for decades. Shor’s algorithm can solve the discrete logarithm problem efficiently, and Bitcoin’s ECDSA signatures depend on that problem being computationally hard. The open question has always been when, not whether, a quantum computer capable of running Shor’s algorithm at the required scale will exist.

For most of that conversation, the resource estimates provided a comfortable buffer. Breaking secp256k1 required millions of physical qubits with error correction. Current quantum hardware was orders of magnitude away. Migration felt like a 15-to-20-year problem at minimum.

The March 2026 Google paper changes that framing. 500,000 physical qubits is still far beyond current capability — Google’s Willow chip operates at 105 qubits. But the trajectory has shifted. The industry was planning for a multi-million qubit requirement. That requirement just dropped by roughly an order of magnitude in a single year of research.

3 million Bitcoin that can never be migrated

One element of the quantum migration problem has no technical solution available. Quantus, the firm behind the State of Quantum report that surfaced this data, estimates that between 2.3 million and 3.7 million Bitcoin are permanently inaccessible because their owners lost the private keys — including coins widely believed to belong to Bitcoin’s creator.

These wallets cannot migrate to quantum-resistant addresses. Migration requires proving ownership with a private key that no longer exists. When quantum computers reach sufficient capability, those wallets become permanent targets. Any attacker who breaks the elliptic curve cryptography protecting the exposed public keys can drain them.

Auryn Macmillan, co-founder of Gnosis Guild, described one possible response in the Quantus report: setting a hard deadline after which tokens held in vulnerable, unmigratable accounts are permanently frozen. That would be one of the most consequential governance decisions in Bitcoin’s history, and the community has not come close to consensus on it.

Harvest now, crack later is not a future problem

The quantum threat doesn’t require waiting for quantum hardware to arrive before adversaries start acting. Blockchain data is public and permanent. Every transaction, every public key, every historical signature is available to download today. State-level actors and well-resourced adversaries can be collecting that data now, planning to decrypt it when quantum capability arrives.

Centralized services can update encryption standards through software patches and rotate keys without exposing old records. Blockchains expose public keys permanently on public ledgers. The historical data that has been harvested cannot be retroactively protected. For any addresses where the public key is already on-chain, the attack surface exists whether or not a capable quantum computer exists yet.
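The paragraph above turns on one question a wallet or custody team can actually answer today: for which outputs is the public key already on the chain, and for which is only a hash? The inventory below is an added example, not code from the article, from Quantus or from Boosty Labs. It recognises the standard Bitcoin locking-script templates (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR) by their byte layout, treats an address that has already spent as having revealed its key in the spending transaction, and totals value per exposure class over a constructed sample set with placeholder key bytes (no real keys or addresses are used).

```go
package main

import (
	"bytes"
	"fmt"
)

// Exposure classifies how much an output reveals about the key that controls it.
type Exposure int

const (
	ExposureUnknown         Exposure = iota // script template not recognised
	ExposureHashedOnly                      // only a hash of the key or script is on-chain
	ExposureRevealedBySpend                 // hash-type output, but an earlier spend from the same address revealed the key
	ExposureDirect                          // the public key itself sits in the scriptPubKey
)

func (e Exposure) String() string {
	return [...]string{"unknown", "hashed-only", "revealed-by-spend", "direct"}[e]
}

// ExposureOf inspects a raw scriptPubKey and reports whether the controlling public key is
// recoverable from the chain. spentBefore says whether the same address has already spent an
// output, which places its key in a scriptSig or witness for anyone to read.
func ExposureOf(script []byte, spentBefore bool) Exposure {
	n := len(script)
	switch {
	// P2PK: <33- or 65-byte key push> OP_CHECKSIG (0xac); the key is the script.
	case ((n == 35 && script[0] == 33) || (n == 67 && script[0] == 65)) && script[n-1] == 0xac:
		return ExposureDirect
	// P2TR: OP_1 (0x51) <32-byte x-only key push>; the tweaked output key is a curve point.
	case n == 34 && script[0] == 0x51 && script[1] == 32:
		return ExposureDirect
	// P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
	case n == 25 && script[0] == 0x76 && script[1] == 0xa9 && script[2] == 20 && script[23] == 0x88 && script[24] == 0xac:
	// P2WPKH: OP_0 <20-byte key hash>
	case n == 22 && script[0] == 0x00 && script[1] == 20:
	// P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
	case n == 23 && script[0] == 0xa9 && script[1] == 20 && script[22] == 0x87:
	// P2WSH: OP_0 <32-byte script hash>
	case n == 34 && script[0] == 0x00 && script[1] == 32:
	default:
		return ExposureUnknown
	}
	// Every remaining template commits to a hash; the key becomes public only when spent from.
	if spentBefore {
		return ExposureRevealedBySpend
	}
	return ExposureHashedOnly
}

// UTXO is a constructed sample output: a label, its locking script, spend history and value in satoshis.
type UTXO struct {
	Name        string
	Script      []byte
	SpentBefore bool
	Sats        int64
}

// SatsByExposure totals the value sitting under each exposure class.
func SatsByExposure(set []UTXO) map[Exposure]int64 {
	out := map[Exposure]int64{}
	for _, u := range set {
		out[ExposureOf(u.Script, u.SpentBefore)] += u.Sats
	}
	return out
}

// Constructed scripts built from placeholder key and hash bytes (not real keys).
var (
	fakeKey      = append([]byte{0x02}, bytes.Repeat([]byte{0x11}, 32)...)
	fakeH20      = bytes.Repeat([]byte{0x22}, 20)
	fakeX32      = bytes.Repeat([]byte{0x33}, 32)
	SampleP2PK   = append(append([]byte{33}, fakeKey...), 0xac)
	SampleP2PKH  = append(append([]byte{0x76, 0xa9, 20}, fakeH20...), 0x88, 0xac)
	SampleP2WPKH = append([]byte{0x00, 20}, fakeH20...)
	SampleP2TR   = append([]byte{0x51, 32}, fakeX32...)
)

// SampleSet is a constructed portfolio: values are illustrative, not real balances.
var SampleSet = []UTXO{
	{"early P2PK coinbase", SampleP2PK, false, 5_000_000_000},
	{"reused P2PKH exchange address", SampleP2PKH, true, 300_000_000},
	{"fresh P2WPKH cold storage", SampleP2WPKH, false, 1_000_000_000},
	{"taproot output", SampleP2TR, false, 100_000_000},
}

func main() {
	for class, sats := range SatsByExposure(SampleSet) {
		fmt.Printf("%-18s %12d sat\n", class, sats)
	}
}
```

The hashed-only class is the only one with a migration path that does not expose the key in advance, and even it is exposed for the window between broadcast and confirmation of the spending transaction, so the inventory tells you where the permanent exposure already is, not that the rest is safe indefinitely. Running it over real UTXO data would mean feeding scriptPubKey bytes and per-address spend history from a node or indexer instead of the constructed set.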

The rest of the industry moved first

The comparison with other sectors is instructive. NIST finalized post-quantum cryptography standards in August 2024: ML-DSA (CRYSTALS-Dilithium), ML-KEM (CRYSTALS-Kyber), and SLH-DSA (SPHINCS+). Google, Signal, Apple, and Cloudflare have already begun deploying post-quantum protections with migration targets extending into 2029 and 2030. Ripple set a 2028 deadline to quantum-proof the XRP Ledger, describing the threat as having moved from theoretical to credible.

Bitcoin’s migration is structurally more difficult. Centralized services update cryptography server-side without requiring each user to act. Bitcoin’s transition requires governance coordination across a decentralized network, user-initiated migration at scale, and replacement of existing signature systems without introducing new vulnerabilities in the process.

The migration paradox

This is where the situation becomes genuinely difficult. Dan Boneh, a Stanford cryptographer and co-author of the Google Quantum AI March 2026 paper that produced the 500,000-qubit estimate, offered a warning that deserves attention: a hasty transition to post-quantum cryptography is more likely to cause a catastrophic bug than it is that Bitcoin will be attacked by a quantum computer.

Both claims can be true simultaneously. The leading researcher contributing to the evidence that the timeline is shorter than expected is also warning that rushing the response carries its own catastrophic risk. Post-quantum cryptographic algorithms are newer, less battle-tested, and have more complex implementations than the elliptic curve systems they would replace. A flawed migration that introduces exploitable bugs in Bitcoin’s signature scheme could be more destructive than a quantum attack that’s still years away.

Boneh’s recommended path is gradual migration toward post-quantum signatures and hybrid cryptographic systems — not sudden replacement. That approach requires starting well before the threat is imminent, because it takes time to do correctly.

Hardware wallets add another constraint

Post-quantum migration isn’t only a software and governance challenge. Hardware wallets are a significant practical constraint. Aaron Chen, CTO of Keystone, noted in the Quantus report that post-quantum algorithms like ML-DSA-87 place significant strain on MCU-based hardware wallets because of memory and computing limits.

Most consumer hardware wallets were designed around elliptic curve operations. Post-quantum signature schemes have much larger key sizes and computational requirements. The ecosystem of signing devices that users depend on to hold Bitcoin securely needs hardware-level updates, not just software patches. Hardware upgrade cycles are slower than software ones.
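Two points above, Boneh's hybrid-system recommendation and the key- and signature-size burden on signing devices, can be seen together in one small program. This is an added example, not code from the article, from Boneh's paper or from any Bitcoin implementation. It assumes two stand-ins: P-256 ECDSA from Go's standard library in place of secp256k1 (not in the standard library), and a Lamport hash-based one-time signature in place of ML-DSA (also not in the standard library). Lamport is not what Bitcoin would deploy, but it is a genuine post-quantum scheme whose security rests only on SHA-256 preimage resistance, and its sizes make the hardware-wallet point concrete. The hybrid rule is the one that matters: a signature is accepted only if both components verify, so a flaw in the new scheme cannot weaken the old one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

const hashBits = 256

// LamportPub holds pk[i][b] = SHA-256(sk[i][b]) for each message-hash bit i and bit value b.
type LamportPub = [hashBits][2][32]byte

// LamportKey is a hash-based one-time signing key (stand-in for ML-DSA, see lead-in).
type LamportKey struct {
	sk [hashBits][2][32]byte
	pk LamportPub
}

func GenerateLamport(r io.Reader) (*LamportKey, error) {
	k := &LamportKey{}
	for i := 0; i < hashBits; i++ {
		for b := 0; b < 2; b++ {
			if _, err := io.ReadFull(r, k.sk[i][b][:]); err != nil {
				return nil, err
			}
			k.pk[i][b] = sha256.Sum256(k.sk[i][b][:])
		}
	}
	return k, nil
}

func msgBit(h [32]byte, i int) byte { return (h[i/8] >> (7 - uint(i%8))) & 1 }

// LamportSign reveals one 32-byte preimage per message-hash bit: 256 * 32 = 8192 bytes.
func LamportSign(k *LamportKey, h [32]byte) []byte {
	sig := make([]byte, 0, hashBits*32)
	for i := 0; i < hashBits; i++ {
		sig = append(sig, k.sk[i][msgBit(h, i)][:]...)
	}
	return sig
}

// LamportVerify re-hashes each revealed preimage and checks it against the published pk entry.
func LamportVerify(pk *LamportPub, h [32]byte, sig []byte) bool {
	if len(sig) != hashBits*32 {
		return false
	}
	ok := 1
	for i := 0; i < hashBits; i++ {
		got := sha256.Sum256(sig[i*32 : (i+1)*32])
		ok &= subtle.ConstantTimeCompare(got[:], pk[i][msgBit(h, i)][:])
	}
	return ok == 1
}

// HybridSigner pairs a classical ECDSA key with the one-time post-quantum key.
type HybridSigner struct {
	ec   *ecdsa.PrivateKey
	pq   *LamportKey
	used bool // a Lamport key must never sign twice; reusing it leaks preimages
}

type HybridSig struct{ EC, PQ []byte }

func NewHybridSigner() (*HybridSigner, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 stands in for secp256k1
	if err != nil {
		return nil, err
	}
	pq, err := GenerateLamport(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HybridSigner{ec: ec, pq: pq}, nil
}

func (s *HybridSigner) Sign(msg []byte) (*HybridSig, error) {
	if s.used {
		return nil, errors.New("one-time post-quantum key already used")
	}
	h := sha256.Sum256(msg)
	ecSig, err := ecdsa.SignASN1(rand.Reader, s.ec, h[:])
	if err != nil {
		return nil, err
	}
	s.used = true
	return &HybridSig{EC: ecSig, PQ: LamportSign(s.pq, h)}, nil
}

func (s *HybridSigner) PublicKeys() (*ecdsa.PublicKey, *LamportPub) { return &s.ec.PublicKey, &s.pq.pk }

// VerifyHybrid accepts only when BOTH components verify; failure of either rejects the signature.
func VerifyHybrid(ecPub *ecdsa.PublicKey, pqPub *LamportPub, msg []byte, sig *HybridSig) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(ecPub, h[:], sig.EC) && LamportVerify(pqPub, h, sig.PQ)
}

// Sizes reports the on-the-wire cost of each component (33 is the compressed SEC1 EC pubkey).
func Sizes(sig *HybridSig) (ecSig, pqSig, ecPub, pqPub int) {
	return len(sig.EC), len(sig.PQ), 33, hashBits * 2 * 32
}

func main() {
	s, err := NewHybridSigner()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed transaction digest input") // constructed sample message
	sig, err := s.Sign(msg)
	if err != nil {
		panic(err)
	}
	ecPub, pqPub := s.PublicKeys()
	fmt.Println("hybrid verifies:", VerifyHybrid(ecPub, pqPub, msg, sig))
	a, b, c, d := Sizes(sig)
	fmt.Printf("ECDSA: sig %d B, pubkey %d B; Lamport: sig %d B, pubkey %d B\n", a, c, b, d)
}
```

The size line is the hardware-wallet constraint in numbers: the classical half costs about 100 bytes of key plus signature, the hash-based half costs 24 KB, and a production scheme such as ML-DSA-87 sits between those extremes with keys and signatures in the low kilobytes, all of which an MCU has to hold and hash in RAM. The one-time-use guard is the kind of edge case a rushed migration gets wrong: the hybrid wrapper is only as safe as the state management around the new primitive.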

The cost of early vs late

Quantus framed the asymmetry clearly: preparing too early creates operational inconvenience and larger transaction sizes. Preparing too late risks fund losses, institutional panic, and regulatory intervention after quantum attacks become possible.

For protocol teams and infrastructure builders, that asymmetry makes the design work worth starting now. Governance coordination, signature scheme upgrades, and hardware wallet ecosystem changes can be staged and gradual. They cannot be rushed safely once the threat is immediate. The window for doing this well is open. The resource estimates suggest it’s narrower than it looked 18 months ago.

At Boosty Labs, we build AI-powered security systems for Web3 protocols and exchanges. The quantum migration timeline is one of the factors that shapes smart contract security architecture and wallet infrastructure recommendations for the clients we work with. The 500,000-qubit threshold doesn’t change what needs to be built today. It does change when teams need to start building it.