Google Says Quantum Computers Could Crack Bitcoin in 9 Minutes. The Industry Needs Post-Quantum Engineers Yesterday.
Google dropped a paper today that should change how every crypto company thinks about hiring. Their quantum computing team demonstrated that breaking Bitcoin’s elliptic curve cryptography may require roughly 500,000 physical qubits — a 20-fold reduction from previous estimates. The attack could complete in about nine minutes. Bitcoin blocks take ten.
This isn’t a theoretical exercise from a university lab. This is Google’s dedicated quantum research team, the same group that previously identified 2029 as a milestone for useful quantum systems, telling the industry that the timeline just got shorter and the resource bar just got lower.
The Attack, Explained
Bitcoin’s security rests on elliptic curve cryptography (ECDSA). When you send Bitcoin, your public key is briefly exposed on the network. A sufficiently powerful quantum computer could use Shor’s algorithm to derive the private key from the public key — and redirect the funds.
Google’s researchers designed two attack methods, each requiring approximately 1,200 to 1,450 high-quality logical qubits. The key innovation: rather than brute-forcing the entire computation in real time, the attacker pre-computes part of the calculation and completes it once a transaction appears on the network.
The result: a quantum attack that finishes in roughly nine minutes, giving the attacker a 41% chance of beating the transaction to confirmation. Bitcoin’s average block time is ten minutes. The margins are that thin.
Previous estimates suggested millions of qubits would be needed. Google’s paper brings that number down to around 500,000 physical qubits. For context, Google’s current Willow chip operates at 105 qubits. The gap is still enormous — but it’s shrinking faster than the industry expected.
Taproot Made It Worse
This is the finding that should alarm Bitcoin developers most. Bitcoin’s Taproot upgrade, activated in 2021, was designed to improve privacy and efficiency. It succeeded at both. But it also made public keys visible on the blockchain by default.
In older Bitcoin address formats (P2PKH), the public key is only revealed when you spend from an address. If you never reuse an address, your public key stays hidden. Taproot changed this: public keys are exposed in the transaction output, meaning they’re visible whether or not the funds have been spent.
Google’s researchers specifically called this out. Taproot expands the pool of wallets vulnerable to future quantum attacks. The paper estimates 6.9 million BTC — roughly $700 billion at current prices — are already exposed through public keys sitting on the blockchain.
This isn’t a Taproot bug. It’s a design trade-off that made sense in a pre-quantum threat model. The problem is that the quantum threat model arrived faster than anyone anticipated.
The Zero-Knowledge Approach
One detail from Google’s methodology deserves attention. Rather than publishing step-by-step instructions for breaking Bitcoin’s cryptography, the research team used a zero-knowledge proof to verify their findings. Other researchers can confirm the results are accurate without gaining access to the attack methodology itself.
This is responsible disclosure at the cryptographic level. Google is saying: “We can prove this works, and we can prove how few resources it takes, but we’re not giving you the recipe.” It’s a model that the crypto industry — which routinely publishes exploit details — should study.
What Ethereum and Other Chains Face
Bitcoin isn’t the only target. Google’s paper explicitly mentions Ethereum, where the researchers warn that approximately $100 billion in ETH is at comparable risk. Any blockchain that relies on ECDSA or similar elliptic curve schemes faces the same fundamental vulnerability.
The chains that will weather this transition best are the ones that start migrating now. NIST finalized its post-quantum cryptography standards in 2024, selecting algorithms based on lattice-based and hash-based cryptography that are believed to be resistant to quantum attacks. The standards exist. The implementations are maturing. What’s missing is the engineering talent to execute the migration.
The Post-Quantum Talent Crisis
Here’s where Google’s paper becomes a hiring story. The crypto industry needs to migrate to quantum-resistant cryptography. That migration requires a specific set of skills that almost nobody has.
Post-quantum cryptography is not regular cryptography. The mathematical foundations are different — lattice-based schemes, hash-based signatures, and code-based cryptography operate on entirely different assumptions than the elliptic curve math that most blockchain engineers learned. An engineer who’s expert in ECDSA doesn’t automatically know how to implement CRYSTALS-Dilithium or SPHINCS+.
The migration is protocol-level surgery. Changing Bitcoin’s signature scheme isn’t a library swap. It touches consensus rules, transaction formats, wallet software, hardware signing devices, and every piece of infrastructure that validates transactions. The engineers who can design and execute this kind of migration — without breaking a $1.5 trillion network — are extraordinarily rare.
The timeline is compressed. Google previously pointed to 2029 as a quantum milestone. Their new paper suggests the resource requirements are dropping faster than expected. If the industry waits until quantum computers can actually break ECDSA to start migrating, it’s already too late. The migration itself will take years.
Here are the roles that crypto companies need to fill now — not when quantum computers arrive, but while there’s still time to prepare:
| Role | What They’d Do | Typical Comp (USD) |
|---|---|---|
| Post-Quantum Cryptography Engineer | Implement lattice/hash-based signature schemes for blockchain protocols | $200,000 - $320,000 |
| Protocol Migration Engineer | Design and execute consensus-level cryptographic transitions | $220,000 - $350,000+ |
| Cryptography Researcher | Evaluate quantum-resistant algorithms for blockchain-specific constraints | $180,000 - $280,000 |
| Hardware Security Engineer (PQC) | Implement post-quantum algorithms in HSMs and hardware wallets | $190,000 - $290,000 |
| Quantum-Aware Security Auditor | Assess blockchain protocols and smart contracts for quantum vulnerability | $170,000 - $260,000 |
| Wallet / SDK Engineer (PQC) | Migrate wallet software and developer tooling to quantum-resistant crypto | $160,000 - $240,000 |
| Consensus Engineer | Modify block validation and transaction verification for new signature schemes | $200,000 - $300,000 |
The compensation reflects the scarcity. There are perhaps a few hundred people globally who understand both post-quantum cryptography and blockchain protocol engineering deeply enough to do this work. The demand will soon be measured in thousands.
What’s Actually Being Done
The crypto industry isn’t completely asleep on this. Several initiatives are already underway:
Bitcoin. The Bitcoin development community has been discussing quantum resistance since at least 2019. BIP proposals for quantum-resistant signature schemes exist but haven’t gained consensus. The conservative development culture that makes Bitcoin reliable also makes it slow to adopt new cryptographic primitives. This is the central tension.
Ethereum. Vitalik Buterin has publicly discussed quantum migration paths, including the potential use of account abstraction (EIP-4337) to allow individual wallets to upgrade to post-quantum signatures before a protocol-level change. Ethereum’s more flexible upgrade mechanism gives it an advantage here.
New chains. Several newer protocols (QRL, IOTA with its Winternitz signatures, and others) were designed with quantum resistance from the start. They’re interesting from a research perspective but lack the network effects and capital of Bitcoin and Ethereum.
NIST standards. The standardization of CRYSTALS-Kyber (key encapsulation), CRYSTALS-Dilithium (digital signatures), SPHINCS+ (hash-based signatures), and FALCON (compact signatures) in 2024 gave the industry concrete algorithms to implement. The open question is execution speed.
The Window Is Closing
Google’s paper doesn’t say quantum computers can break Bitcoin today. It says the resources needed to break Bitcoin are dropping faster than expected, and a specific design choice (Taproot) has expanded the attack surface beyond what previous analyses considered.
The responsible reading is: the industry has a window — likely measured in years, not decades — to migrate to quantum-resistant cryptography. That window requires engineers who understand both the cryptographic theory and the practical constraints of modifying live, high-value blockchain networks.
The irresponsible reading is: “quantum is still far away, we’ll deal with it later.” That reading gets more dangerous every time Google publishes a paper showing the bar is lower than we thought.
The engineers who build quantum-resistant infrastructure for crypto will be doing some of the most technically challenging and consequential work in the industry. The ones who start now will have a multi-year head start on everyone else.
The clock started today.
Related reading: The 20 Millionth Bitcoin Was Mined — Who Secures the Rest? · North Korea Backdoored Axios — Crypto Was the Target · Claude Code’s Source Leaked — What Crypto Devs Need to Know
Explore post-quantum cryptography and blockchain security roles at cryptogrind.com →