Nine minutes. That's how long a quantum computer would need to derive a Bitcoin private key from an exposed public key. Not in a speculative 2019 paper estimating "millions of qubits." In a 57-page white paper published March 31, 2026 by Google Quantum AI — co-authored with the Ethereum Foundation and Stanford, verified via zero-knowledge proof, coordinated with the U.S. government before release.
6.9 million BTC with exposed public keys. Five attack vectors against Ethereum risking over $100 billion. USDT and USDC admin keys controlling $200 billion. Six hundred billion dollars in crypto assets relying on elliptic curve cryptography that Google just proved can be broken with 20 times fewer resources than the industry assumed.
Google compiled the attack circuits. Verified them. Refused to publish them.
The locksmith who builds locks
The paper carries signatures from Ryan Babbush and Hartmut Neven at Google Quantum AI, Craig Gidney — the researcher who in May 2025 slashed the qubit estimate for breaking RSA-2048 by 20x — alongside Justin Drake from the Ethereum Foundation and Dan Boneh from Stanford, one of the most cited cryptographers alive.
Google compiled two quantum circuits implementing Shor's algorithm on secp256k1 — the curve protecting Bitcoin and Ethereum. The first: fewer than 1,200 logical qubits and 90 million Toffoli gates. The second: fewer than 1,450 logical qubits and 70 million gates. Both require fewer than 500,000 physical qubits.
In 2019, the estimate was 20 million physical qubits. In 2023, Litinski brought it down to 9 million. Google: under half a million. A 20x reduction in three years.
Google's Willow chip, unveiled December 2024, has 105 qubits — roughly 4,700x short. But Willow proved quantum error correction works at scale. The March paper isn't about hardware. It's about algorithmic efficiency. You need fewer qubits. And the ones you build will work better than expected.
Google set its own internal post-quantum migration deadline for 2029. That says more than 57 pages.
Anatomy of nine minutes
The paper's central scenario is the "on-spend" attack. When someone sends Bitcoin, the network briefly exposes the sender's public key in the mempool before confirmation. A quantum attacker with Shor's algorithm precomputed could derive the private key in 9 to 12 minutes. Bitcoin confirms blocks every 10 minutes on average. The attack wins the race 41% of the time.
That's just Bitcoin in transit. The paper maps five vectors:
At-rest: 6.9 million BTC in addresses with permanently exposed public keys — including ~1.1 million belonging to Satoshi Nakamoto in legacy P2PK format. A quantum computer could work through them at leisure. Those coins aren't moving on their own.
On-stake: 37 million ETH staked with vulnerable BLS signatures. Compromise one-third of validators and finalization halts. Two-thirds lets you rewrite chain history.
On-setup: The most disturbing vector. Ethereum's KZG ceremony — 2023, 141,000 participants — generated a secret meant to be permanently destroyed. Google showed a quantum computer could reconstruct it from publicly available data. A permanent, reusable exploit: once recovered, data availability proofs can be forged without further quantum access. Forever.
L2s and bridges: Arbitrum, Optimism, and cross-chain bridges inherit Ethereum's vulnerability wholesale. Fifteen million ETH exposed.
Stablecoin admin keys: The ECDSA keys governing USDT and USDC minting authority. Break one and you can print unlimited tokens. Two hundred billion dollars.
The top 1,000 Ethereum wallets — 20.5 million ETH — could be compromised in under nine days. One key every nine minutes.
Knowing without showing
Google compiled the quantum circuits. Ran them in classical simulation. Verified that correct outputs emerge from correct inputs. And refused to publish the circuits.
Instead, they published a zero-knowledge proof — a cryptographic protocol that lets you prove a statement is true without revealing the information behind it. The same math Ethereum rollups use to compress thousands of transactions into a single verifiable proof. Google used it in reverse: to compress the proof that Ethereum can be destroyed.
The mechanism works like this: Google generates a "witness" — the Shor circuits compiled for secp256k1, with their gate structure, depth, and qubit count. Then runs a protocol producing a compact proof verifiable by anyone, without access to the original witness. The reviewers — including Boneh from Stanford and Drake from the Ethereum Foundation — verified the circuits produce correct results without seeing the circuits themselves.
Responsible disclosure taken to its mathematical extreme. Google didn't trust their peers' goodwill. They trusted cryptography. Used the same family of tools that protects Ethereum to prove Ethereum breaks. The proof that the lock opens is built with the lock itself.
The paper has no traditional peer review. It doesn't need one. The zero-knowledge proof replaces institutional trust with mathematical certainty. If the proof verifies, the result is correct — regardless of who generated it. The circuits could be in a vault in Mountain View or on a server in Shenzhen. The math doesn't care.
The sixteen-year pattern
Satoshi Nakamoto warned about this in 2010. Recommended migrating to stronger algorithms if SHA-256 were compromised. Sixteen years later, the industry hasn't migrated.
Three papers in three months rewrote the quantum threat timeline. Gidney in May 2025: RSA-2048 from 20 million to under 1 million qubits. Iceberg Quantum in February 2026: under 100,000. Google in March: elliptic curve cryptography with even fewer resources than RSA. Each cut the estimate by an order of magnitude. The industry dismissed each one.
NIST published post-quantum cryptography standards in August 2024: ML-KEM, ML-DSA, SLH-DSA. Nineteen months later, blockchain adoption stands at exactly zero.
BlackRock quietly added quantum risk to its Bitcoin ETF (IBIT) prospectus in June 2025. Buried between pages 16 and 65 of risk disclosures. Bloomberg analysts called it "basic risk disclosures." Smart money already hedged. Bitcoin closed at $66,565 the day of the paper — its worst quarter ever at -23%.
The pattern mirrors what we documented in Nobody Scans the Scanner: the industry meant to protect itself cannot secure its own foundations. And as cli.js.map showed, security "upgrades" have a way of exposing exactly what they should protect.
Quantum irony
Taproot. Bitcoin's 2021 upgrade, debated for years, deployed with fanfare, celebrated as a privacy and efficiency breakthrough. Taproot exposes public keys by default via Schnorr signatures. Google noted specifically that it widens the pool of quantum-vulnerable wallets. The privacy upgrade that made Bitcoin more attackable.
Justin Drake, Ethereum Foundation researcher, co-authored the paper documenting five ways to destroy his own platform. His response: a "Strawmap" outlining seven hard forks through 2029. The doctor who diagnoses his own terminal illness and prescribes a cure that takes three years to prepare.
Google builds Willow. Publishes the paper proving Willow will eventually break crypto. Offers its own migration standards as the fix. Judge, jury, and vendor of the verdict.
QRL — the "quantum-resistant" token — surged 41% the day of the paper. On $242,549 in daily volume. A $127 million market cap celebrating the cryptographic apocalypse in a ghost market. The lifeboat has leather seats. No engine.
Samson Mow, CEO of Jan3, mocked the paper: "Quantum computing can't even factor 21, and people are panic selling." Meanwhile, BIP-360 has been on testnet for months with 50 miners and 100,000 blocks processed. But the Bitcoin community can't agree on when to adopt it. Migration is "more political than technical." As always.
Google opened early access to Willow three days before publishing the paper.
Attribution
Perpetrator: Google Quantum AI. Published 57 pages proving $600 billion in cryptography breaks with 20x fewer resources — using a zero-knowledge proof so no one can replicate the attack. Quantum noblesse oblige. Responsible disclosure doesn't erase the fact that they're actively building the tool that makes it possible. The paper has no peer review.
Accomplices: Bitcoin Core, with no coordinated plan, funding, or timeline for post-quantum migration. One developer summed it up: "isolated pieces of research presented as progress" with "no coherent strategy, no roadmap." The Ethereum Foundation, for co-authoring their own terminal diagnosis without a fix in production. The maximalists dismissing every warning as FUD while BlackRock already hedged in the fine print.
Systemic failure: A two-trillion-dollar industry built on early-2000s elliptic curve cryptography, ignoring warnings for sixteen years, with post-quantum standards available for nineteen months and zero adoption, celebrating "upgrades" that amplify the very vulnerabilities they claim to address.
The locksmith published a mathematical proof that he can open every lock in the city. He refused to share the technique. Set 2029 as the deadline for changing every lock. And three days before the announcement, he opened his laboratory for anyone to experiment with the mechanism. The question is not whether someone will replicate the circuits Google refused to publish. The question is who already has — without writing a paper about it.