What Google Actually Said
On March 31, 2026, Google Quantum AI published a whitepaper titled “Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly.” The paper’s central finding was not that quantum computers can break Bitcoin today. They cannot. The finding was that doing so requires significantly less computing power than anyone previously estimated.
Specifically, Google calculated that cracking ECDSA-256 — the elliptic curve cryptography that protects Bitcoin wallet ownership — could require fewer than 500,000 physical qubits. That is approximately a 20-fold reduction from earlier estimates that routinely cited millions of qubits as the threshold. The paper also designed two attack methods, each requiring roughly 1,200 to 1,450 high-quality logical qubits, a fraction of what the industry assumed.
The practical implication: a sufficiently powerful quantum computer could derive a Bitcoin private key from an exposed public key in approximately nine minutes. Bitcoin’s average block confirmation time is ten minutes. The probability of a successful mid-transaction attack — targeting a public key visible in the mempool — is approximately 41%.
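The 41% figure is consistent with the standard model of block arrivals, shown here as an added derivation that is not part of the original article. Assume the time $T$ until the next block is exponentially distributed with a mean of 10 minutes, that the transaction would be confirmed in that next block, and that deriving the key takes $t_a = 9$ minutes. The attack only succeeds if the block arrives after the key has been derived:

$$P(T > t_a) = e^{-t_a/10} = e^{-0.9} \approx 0.407$$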
Google set its own 2029 migration timeline for transitioning internal infrastructure to post-quantum cryptography. Researcher Craig Gidney placed a 10% probability on a cryptographically relevant quantum computer existing by 2030.
Two Types of Exposure, One More Dangerous
Not all Bitcoin is equally at risk, and understanding the distinction matters.
Long-exposure risk applies to coins in addresses where the public key is already permanently visible on-chain. This happens in two address formats. The first is Pay-to-Public-Key (P2PK), the format used by Satoshi Nakamoto and early miners — it embeds the public key directly in the transaction record. The second is Taproot (P2TR), Bitcoin’s current default address format activated in 2021, which exposes public keys by default. Coins in these addresses do not need to move for the key to be exposed; the exposure is permanent and readable by anyone, including a future quantum attacker.
Short-exposure risk is narrower. When any Bitcoin user sends a transaction, their public key is briefly visible in the mempool while the transaction waits to be confirmed. A quantum computer capable of a nine-minute attack could theoretically derive the private key and redirect the funds before the transaction clears. This window applies to all users, but it closes once the transaction is confirmed.
The critical difference: short-exposure risk is future-facing and manageable through protocol upgrades. Long-exposure risk is already in place, for every coin in every P2PK or Taproot address where the public key has been revealed. No action the owner takes today changes that exposure — the record is already on-chain.

Table 1 — Bitcoin Quantum Exposure Overview (April 2026)
| Category | BTC at Risk | Address Type | Status |
|---|---|---|---|
| Total long-exposure BTC | ~6.9 million | P2PK + Taproot | Public keys already on-chain |
| Early P2PK (incl. Satoshi era) | ~1.7 million | P2PK | Most vulnerable; keys permanently exposed |
| Satoshi Nakamoto’s holdings | ~1.1 million | P2PK | Unmoved 15+ years; cannot self-migrate |
| Total quantum-vulnerable (Chainalysis) | ~$718B value | Various | Includes all exposed-key addresses |

Why Most Bitcoin Owners Are Actually Fine
For the majority of Bitcoin holders, the quantum threat is real in theory but manageable in practice. Any wallet using a modern P2PKH or P2SH address type — the standard for most users today — only exposes its public key at the moment a transaction is signed. Before that moment, the address reveals only a cryptographic hash of the public key, not the key itself. A quantum attacker cannot work backward from a hash.
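The split between long-exposure formats (P2PK, Taproot) and hash-only formats (P2PKH, P2SH) can be checked mechanically from an output's locking script, which is how a holder would audit their own UTXOs. The Python below is an added example, not code from the original article or from any Bitcoin project; it matches standard script templates, also covers the SegWit v0 templates the article does not name, and runs on constructed scripts with placeholder key bytes.

```python
from typing import NamedTuple, Optional
COIN = 100_000_000  # satoshis per BTC

class Exposure(NamedTuple):
    script_type: str
    key_on_chain: Optional[bool]  # True: key readable at rest; None: needs manual review
    visible: str                  # hex of the key or hash the output reveals

def classify(script_hex: str) -> Exposure:
    """Match a locking script (scriptPubKey) against standard templates."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG; prefix 02/03 compressed, 04 uncompressed
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and s[1] in ((2, 3) if n == 35 else (4,)):
        return Exposure("P2PK", True, s[1:-1].hex())
    # P2TR: OP_1 <push 32> <x-only output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return Exposure("P2TR", True, s[2:].hex())
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return Exposure("P2PKH", False, s[3:23].hex())
    # P2SH: OP_HASH160 <push 20> <hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return Exposure("P2SH", False, s[2:22].hex())
    # SegWit v0 (not named in the article): OP_0 <push 20|32> <hash>
    if n in (22, 34) and s[0] == 0 and s[1] == n - 2:
        return Exposure("P2WPKH" if n == 22 else "P2WSH", False, s[2:].hex())
    # Anything else (bare multisig, OP_RETURN, ...) is not assumed safe
    return Exposure("nonstandard", None, "")

def exposure_report(utxos):
    """Sum satoshis per bucket for (script_hex, sats) pairs."""
    totals = {"exposed": 0, "hashed": 0, "review": 0}
    for script_hex, sats in utxos:
        flag = classify(script_hex).key_on_chain
        totals["review" if flag is None else "exposed" if flag else "hashed"] += sats
    return totals

# Constructed sample UTXOs; key and hash bytes are placeholders, not real keys.
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 50 * COIN),    # early-style P2PK
    ("21" + "02" + "22" * 32 + "ac", 1 * COIN),     # P2PK, compressed key
    ("5120" + "33" * 32, 2 * COIN),                 # P2TR
    ("76a914" + "44" * 20 + "88ac", 3 * COIN),      # P2PKH
    ("a914" + "55" * 20 + "87", 4 * COIN),          # P2SH
    ("0014" + "66" * 20, 5 * COIN),                 # P2WPKH
    ("6a04deadbeef", 0),                            # OP_RETURN data output
]
print(exposure_report(SAMPLE_UTXOS))
```

A hash-only output moves to the short-exposure case as soon as it is spent, because the spending transaction reveals the key; reusing that address afterwards leaves any new deposits with a known key.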
The proposed fix for new coins is well-developed. BIP 360, authored by developers Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, proposes a new output type called Pay-to-Merkle-Root (P2MR). It functions similarly to Taproot but removes the quantum-vulnerable keypath spend entirely, keeping the public key hidden from on-chain exposure even after a transaction. Users can migrate existing coins to P2MR addresses by simply sending them there — a standard transaction that proves ownership without permanent key exposure.
A separate commit/reveal scheme addresses the short-exposure mempool risk. Rather than broadcasting a full transaction immediately, a user commits a hash of the transaction first, then reveals it in the next block. This closes the window during which a public key is visible and attackable.
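The commit-then-reveal ordering described above, as an added toy model in Python that is not part of the original article or of any Bitcoin proposal. The `ToyChain` class, its rule that a spend is valid only if its hash was committed in an earlier block, and the transaction byte strings are all assumptions made for illustration.

```python
import hashlib

def digest(tx: bytes) -> bytes:
    return hashlib.sha256(tx).digest()

class ToyChain:
    """Hypothetical ledger: a spend is valid only if its hash was committed in an earlier block."""
    def __init__(self):
        self.height = 0
        self.committed_at = {}  # tx digest -> height of the block carrying the commitment
        self.spent = set()      # outpoints already consumed

    def mine_block(self, commitments=(), reveals=()):
        """Mine one block and return the reveals it accepted."""
        self.height += 1
        accepted = []
        for outpoint, tx in reveals:
            h = self.committed_at.get(digest(tx))
            # Needs a commitment from a strictly earlier block and an unspent outpoint
            if h is not None and h < self.height and outpoint not in self.spent:
                self.spent.add(outpoint)
                accepted.append(tx)
        for d in commitments:
            self.committed_at.setdefault(d, self.height)
        return accepted

def scenario():
    chain = ToyChain()
    outpoint = "constructed-txid:0"  # placeholder, not a real transaction id
    honest = b"spend " + outpoint.encode() + b" to owner's new address; salt=7f3a"
    rival = b"spend " + outpoint.encode() + b" to another party"
    # Block 1: only the hash of the owner's transaction is public; no key is visible.
    chain.mine_block(commitments=[digest(honest)])
    # Block 2: the owner reveals. A rival spend built after seeing the key has no
    # earlier commitment, so it is rejected even though it is ordered first.
    block2 = chain.mine_block(commitments=[digest(rival)],
                              reveals=[(outpoint, rival), (outpoint, honest)])
    # Block 3: the rival's commitment has matured, but the outpoint is already spent.
    block3 = chain.mine_block(reveals=[(outpoint, rival)])
    return block2, block3

if __name__ == "__main__":
    b2, b3 = scenario()
    print("block 2 accepted:", b2)
    print("block 3 accepted:", b3)
```

The model assumes the owner's reveal confirms in the block right after its commitment; it does not cover a reveal that stays unconfirmed long enough for a rival commitment to mature.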
BIP 360 was assigned in December 2024 and renamed Pay-to-Merkle-Root in February 2026. It has not yet been activated. Bitcoin’s decentralized governance — spanning developers, miners, and node operators — means any soft fork takes time to materialize, even when the technical case is clear.
The Satoshi Problem: Why Nobody Can Fix It
Satoshi Nakamoto’s roughly 1.1 million BTC, spread across thousands of P2PK addresses from Bitcoin’s earliest mining period, represent a fundamentally different problem from every other quantum vulnerability in the network. The distinction is not technical. It is structural.
The zero-knowledge migration fix — where a wallet owner proves ownership without revealing the public key and moves funds to a quantum-safe address — only works if the wallet owner initiates a transaction. Satoshi’s wallets have not moved since the earliest days of Bitcoin. None of the coins from those addresses have been touched in over 15 years. If Satoshi is unable or unwilling to act, there is no mechanism for anyone else to initiate that migration on their behalf.
Each of Satoshi’s thousands of addresses has its own private key. The single transaction Satoshi made in January 2009 — sending 10 BTC to Hal Finney — came from one address. Moving those coins required access to that address’s private key only. The remaining 1.1 million BTC are distributed across separate addresses, each requiring its own key. Moving one says nothing about the ability to move the others.
“If those coins move during a migration, it means he is still around, which is interesting to know. If they don’t, it might be better to lock or effectively burn those addresses so that they don’t go to the first hacker who cracks it.” — Changpeng Zhao (CZ), March 31, 2026
Hourglass V2: The Damage-Control Proposal
Developer Hunter Beast has proposed Hourglass V2 specifically to address the market consequences of a quantum attack on P2PK coins, rather than to prevent the attack itself. The proposal is explicit that these coins could be stolen in a future quantum scenario. Its goal is to slow the resulting market impact.
Under Hourglass V2, only 1 BTC per block from P2PK addresses could be included as a transaction input. New P2PK outputs could not be created for addresses not already being spent, and P2PK outputs could not be generated from other output types. The result: P2PK spending is capped at approximately 144 BTC per day.
Without this restriction, the math is stark. Over 6,000 P2PK transactions could be packed into a single block, releasing more than 300,000 BTC in one block. At that rate, all P2PK coins — including Satoshi’s — could be drained within a few hours of a successful quantum attack. Under Hourglass V2, the same process would take more than 32 years.
The proposal is controversial. Even limiting how quickly someone can spend their own coins is seen by portions of the Bitcoin community as a violation of “your keys, your coins.” Nima Beni, founder of Bitlease, framed the philosophical objection directly: “Bitcoin’s structure treats all UTXOs equally. It does not distinguish based on wallet age, identity, or perceived future threat. That neutrality is foundational to the protocol’s credibility. Once authority exists to freeze coins for protection, it exists for other justifications as well.”
The Dilemma Nobody Wants to Answer
The community ultimately faces two options that are both, in different ways, a violation of Bitcoin’s core promise.
Option 1: Freeze or burn Satoshi’s coins — a protocol-level decision to prevent a quantum attacker from ever claiming them. This requires the network to take action against a specific set of UTXOs without the owner’s consent. It establishes a precedent that the community can override individual ownership when sufficiently motivated.
Option 2: Leave the coins untouched — and accept that a future quantum attacker capable of cracking P2PK cryptography could claim roughly $76 billion in BTC, flooding the market with coins that have been dormant for over 15 years. The scale of potential market disruption is one of the reasons Hourglass V2 exists at all.
Both paths are uncomfortable. Freezing challenges the immutability principle. Inaction transfers those coins to whoever builds the first sufficiently powerful quantum computer — which could be a state actor operating in secret, with no advance warning to the market.
What is certain is that the technical community is no longer treating this as a distant problem. Google has placed its own migration deadline at 2029. BIP 360 is in active development. Hourglass V2 is being debated. For the first time in Bitcoin’s history, there is a scientifically grounded timeline for when quantum attacks become possible — and the community has not yet reached consensus on what to do about the coins that cannot migrate themselves.

