Google issues warning: Quantum computing may crack Bitcoin encryption by 2029

Google researchers say that by 2029, quantum computers may crack the security framework of mainstream blockchains. As many as 6.9 million existing bitcoins have already been exposed due to their public keys, and they could be compromised at any time by quantum computing power.

Investing in quantum computing is widely seen as betting on the future. It’s expected that in the coming years, large-scale, high-performance quantum systems will be introduced. They will bring disruptive potential as well as new risks. Google says not to get too comfortable too early.

The Alphabet subsidiary is working to advance its own quantum computing ambitions. Its Willow chip is believed to have sparked the global quantum boom that swept in toward the end of 2024, putting this emerging technology firmly on the fast track.

Now, Google researchers have released a white paper pointing out that “Q-Day” (the moment when quantum computers can break the encryption technology that protects massive amounts of data worldwide) is not a distant threat. The company has also explicitly stated a specific year, urging the public to prepare for this event before that year.

The paper was uploaded this week to Cornell University’s arXiv platform, focusing specifically on cryptocurrencies. Cryptocurrency trading relies on two keys: a private key and a public key. The private key is a huge, random, and secret number that lets you manage and access your funds. In contrast, the public key is shared openly to receive cryptocurrency.

The security of a range of cryptocurrencies such as Bitcoin depends on a technique called elliptic curve cryptography. Its basic assumption is that existing computers cannot derive the private key from the public key in reverse. That claim is not without reason—traditional computers indeed can’t do it within a feasible amount of time.

However, quantum computers are different. As Barron’s reported earlier, future machines may be able to run a quantum algorithm called “Shor’s algorithm,” which can factor large numbers into their prime factors.

The paper highlights a specific use case of Shor’s algorithm, known as an “on-spend attack.” When you send Bitcoin, during the time the transaction is in the mempool and waiting for confirmation, your public key is briefly exposed to the network. This process takes about 10 minutes.

Researchers found that running an optimized version of Shor’s algorithm on a “fast clock” quantum computer (or a computer using a particular quantum architecture) can derive the private key from that public key in as little as 9 to 12 minutes.

The key point is that the researchers estimate that on a superconducting quantum computer, breaking the elliptic curve cryptography that protects Bitcoin and most mainstream cryptocurrencies may require fewer than 500k physical qubits. That is about 20 times less than earlier estimates.

Researchers say that as many as 6.9 million bitcoins are stored in addresses where the public keys are exposed. Because these keys are already public, the quantum system won’t be limited by the 10-minute window; it can use Shor’s algorithm to infiltrate these wallets at any time.

One of the paper’s co-authors, Justin Drake, said on social media that his confidence that “Q-Day” will arrive before 2032 has “significantly increased.” Drake expects that by that year, the probability that a quantum system can recover a private key from exposed public keys will be at least 10%.

“I expect the narrative to shift accordingly and further drive investment in post-quantum cryptography R&D,” Drake wrote. While he admits he is not a “quantum expert,” and that these results, which have not yet been peer-reviewed, still need time “to be properly validated,” he believes—based on conversations with the research team—that Google’s estimates are conservative.

Industry consensus generally holds that this event will most likely happen sometime in the 2030s, but Google expects “Q-Day” to arrive earlier. In the company’s view, a quantum computer with practical cryptographic capabilities may be sufficient to break most mainstream blockchain systems around 2029.

Coincidentally, this timing aligns with the target dates set by multiple quantum R&D teams for the introduction of large-scale, commercial-grade quantum computers. International Business Machines (IBM), which is usually viewed as Google’s quantum competitor, also aims to deploy a fault-tolerant supercomputer by then.

In a blog post last week, Google urged companies to strengthen cybersecurity measures so they are not left behind by the times. The company wrote: “The threat to encryption is already present today, because there is an ‘store now, decrypt later’ attack. And the threat to digital signatures is a risk for the future.”

Google is especially pushing for the transition to “post-quantum cryptography,” meaning adopting new, quantum-resistant algorithms to protect data and withstand future attacks.