The math behind Bitcoin security just got 20 times easier for a quantum computer to break. One Ethereum researcher puts the odds of compromise by 2032 at 10 percent.
Two papers dropped this week with the same mission: figure out how many qubits it would take to break the elliptic curve cryptography protecting Bitcoin wallets. The answers diverged sharply — and the gap between them is the actual story.
The first paper comes from Google Quantum AI, the Ethereum Foundation, and Stanford, published March 30, 2026. Breaking ECDLP-256 — the specific curve Bitcoin uses — requires fewer than 500,000 physical qubits and can be executed in minutes. That is a 20-fold reduction from prior estimates, which placed the threshold somewhere between 10 million and 1 billion qubits. The work was verified using a ZK proof via SP1 zkVM, which let the team confirm the quantum circuits without publishing the attack details. They coordinated with the US government before release. The paper does not provide a timeline for when a quantum computer capable of this could exist, but Ethereum researcher Justin Drake estimates a 10 percent probability of compromise by 2032 and 50 percent by 2036.
That is the credible paper.
The second paper is from Oratomic, a startup founded by researchers from Caltech and UC Berkeley that launched March 30, 2026 with a self-described mission to build a utility-scale quantum computer by decade end. The claim: Shor algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits. The paper was sufficient for a CoinDesk headline. The fine print is not kind to it.
The 10,000-qubit scheme requires on the order of 117 years to execute. The question of how long an algorithm takes is not incidental — it is the entire point. A quantum computer that would take longer than the age of the universe to break a wallet is not a threat to that wallet. The Scirate community reviewed the preprint and called the 10K-qubit figure "a gross underestimate that does not reflect any realistic attack." The paper's authors are all shareholders in Oratomic; six are employees. Oratomic did not respond to a request for comment.
The divergence matters because the Bitcoin community is already moving. Ethereum has an active post-quantum migration program with an 8-year infrastructure runway and a 2029 target for full transition. Bitcoin has BIP-360, which creates a new output type with quantum-resistant signatures — though it cannot replace existing signatures on old coins, only add new ones. Taproot, introduced in 2021, made the problem marginally worse by batching signatures in a way that exposes more public keys. The highest-risk category is early Bitcoin era coins — approximately 1.7 million BTC from 2009 and 2010, much of it in addresses that never reused keys, making their public keys permanently exposed.
How exposed is the system? Google's paper puts the probability of a successful attack against a specific high-value address at 41 percent once a 500K-qubit machine is operational. That is not a theoretical ceiling — it is a conditional probability based on the actual circuit depth and gate error rates in the paper's model. Even at 500K qubits, this is 100 to 500 times beyond current hardware. The most powerful quantum computer publicly confirmed is IBM's Condor, at 1,121 qubits, and it is not close.
SHA-256, which Bitcoin uses for its mining hash, is not vulnerable to Shor algorithm attacks. It would require a Grover-type search attack, which provides only a quadratic speedup — meaning a quantum computer would need to evaluate roughly 2^128 hashes to succeed, compared to 2^256 classically. In practice, this is not a near-term concern for mining security.
The Oratomic paper dropped the same day as Google's. That timing is worth noting: two papers on the same problem, the same day, with answers that differ by a factor of 50. One paper has author conflicts and a runtime problem that disqualifies it as a threat model. The other is peer-verified and coordinated with federal agencies. The 10,000-qubit headline traveled faster. The 500,000-qubit reality is more important.
Post-quantum migration for Bitcoin and Ethereum is not a theoretical exercise. It is a running engineering problem with a clock on it. For high-value, long-horizon holders — corporate treasuries, exchange cold storage, nation-state reserves — the question is not whether to migrate, but how fast.
