Public Disclosure — March 30, 2026

Quantum Computers Will Break Blockchain Cryptography. Here's What We Now Know.

A plain-language guide to the most consequential cryptographic threat assessment ever published for cryptocurrency — by Google Quantum AI, Stanford, and the Ethereum Foundation.

Authors Babbush, Zalcman, Gidney et al.
Institution Google Quantum AI + Stanford + ETH Foundation
Published March 30, 2026
Threat Level Critical — Near-Term

What This Paper Actually Proved

This isn't theoretical. Google's team built quantum circuits that can crack Bitcoin's cryptography and proved it with cryptographic evidence — a zero-knowledge proof that the circuits exist and work, without publishing the blueprints. Here are the five things that make this paper different from everything that came before it.

1. The qubit count dropped by 20x

Every previous estimate said you needed millions of physical qubits to break Bitcoin's encryption. The best prior work (Litinski 2023) needed roughly 9 million. Google got it down to under 500,000 — on standard superconducting hardware with realistic error rates. That's not a minor improvement. That's the threat moving from "maybe in 20 years" to "when someone builds the machine."

2. Active transactions are at risk, not just stored funds

This is the new finding nobody saw coming. At 9 minutes per private key derivation, a quantum attacker has a 41% chance of stealing your Bitcoin before your transaction even confirms. You broadcast a transaction. Your public key is now visible in the public mempool. The attacker grabs it, cracks it, broadcasts their own transaction with a higher fee, and beats you to the block. This is called an "on-spend attack" — and it changes everything about how you think about the threat.

3. They used a zero-knowledge proof to disclose without weaponizing

For the first time in cryptanalysis history, a team published a cryptographic proof that their attack circuits are real and meet their claimed resource specs — without publishing the actual circuits. You can mathematically verify the claim is true without learning anything useful about how to replicate the attack. This is responsible disclosure adapted for quantum threats.

4. Ethereum has five separate attack surfaces Bitcoin doesn't have

Bitcoin is vulnerable. Ethereum is more vulnerable and in more complex ways. The account model, smart contracts, admin keys, validator signatures, and the Data Availability Sampling mechanism each introduce distinct quantum attack vectors. Some of them don't require a live quantum computer at all — one successful attack creates a reusable exploit that works forever on classical hardware.

5. ~6.9 million BTC is already exposed — and there's no clean policy answer

That's roughly a third of circulating supply. 2.3 million of it is dormant — hasn't moved in five years. Probably lost keys. Possibly Satoshi's coins. If nothing changes, a quantum attacker eventually takes all of it. If you change the protocol to destroy those coins, you're confiscating private property. There's no elegant solution and the paper says so explicitly.

Resource Estimates at a Glance

<500K physical qubits needed to break 256-bit ECDLP (previous best estimate: ~9 million qubits)
9 min to derive a private key on a fast-clock CRQC (primed machine: ~4.5 min from public key reveal)
70M Toffoli gates in the low-gate circuit variant (prior best: ~200M gates, Litinski 2023)
41% probability of a successful on-spend attack against Bitcoin (assuming ~9 min key derivation vs 10 min avg block time)
6.9M BTC currently vulnerable to at-rest attacks (~33% of circulating supply; exposed public keys)
2.3M dormant BTC that haven't moved in 5+ years (includes ~1M BTC attributed to Satoshi Nakamoto)
1,200 logical qubits in the low-qubit circuit variant (with 90M Toffoli gates: a space-time tradeoff)
37M ETH staked on Ethereum's consensus layer, all vulnerable (the BLS12-381 curve used for validator signatures is at risk)

Why this is a 20x improvement

The reduction in physical qubit count comes from two innovations: a more efficient logical circuit for elliptic curve point addition (the mathematical bottleneck), and better use of surface code error correction with "yoked" qubit configurations for dense logical storage. The paper validates this with a zero-knowledge proof — verifiable by anyone without revealing the circuit details.

Three Types of Quantum Attacks

Not all quantum attacks are the same. They differ in how much time the attacker needs and whether they need the quantum computer to be running during the attack. This distinction determines which assets are at risk and what mitigations actually work.

Attack Type 01

On-Spend Attack

Targets transactions while they're sitting in the public mempool waiting to be confirmed. The public key is visible. The attacker has a race window — crack the key before a miner includes the original transaction in a block.

Requires a fast-clock CRQC capable of solving ECDLP in minutes. Given such a machine, feasible against Bitcoin's ~10-minute blocks; practically impossible against Ethereum (12 s blocks) or Solana (400 ms).

Window: ~10 min avg (Bitcoin)
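As an added illustration (this is not code from the paper or this briefing), the following Python model reproduces the 41% figure from the two numbers it rests on and shows why the same attacker has essentially no chance against Ethereum or Solana, or with a slow-clock machine. The modelling assumptions are mine: Bitcoin block arrivals are treated as a memoryless Poisson process with a 10-minute mean, so the attacker wins exactly when no block arrives during the key-derivation window; Ethereum and Solana are treated as fixed slots that the victim's transaction enters at a random offset; and a slow-clock machine is assumed to need derivation time proportional to its gate time (the ~100x ratio from the architecture table).

```python
import math

# Block timing as stated in the briefing, in seconds (constants constructed for this example).
POISSON_CHAINS = {"Bitcoin": 600.0}                 # blocks arrive as a memoryless Poisson process
SLOTTED_CHAINS = {"Ethereum": 12.0, "Solana": 0.4}  # fixed slot times
SLOW_CLOCK_FACTOR = 100   # assumption: ~100 us vs ~1 us gate time scales derivation time linearly


def p_success_poisson(derivation_s: float, mean_block_s: float) -> float:
    """Probability that no block is found during the derivation window: exp(-t / mean).
    With t = 540 s and mean = 600 s this is exp(-0.9) ~= 0.41, the briefing's 41%."""
    return math.exp(-derivation_s / mean_block_s)


def p_success_slotted(derivation_s: float, slot_s: float) -> float:
    """The victim's transaction lands at a uniform random offset inside a fixed slot; the
    attacker wins only if the key is derived before that slot closes."""
    return max(0.0, 1.0 - derivation_s / slot_s)


def on_spend_risk_table(derivation_s: float) -> dict:
    """Attacker success probability per chain for one key-derivation time."""
    table = {name: p_success_poisson(derivation_s, mean)
             for name, mean in POISSON_CHAINS.items()}
    table.update({name: p_success_slotted(derivation_s, slot)
                  for name, slot in SLOTTED_CHAINS.items()})
    return table


if __name__ == "__main__":
    # Full derivation (~9 min), primed machine (~4.5 min), and a slow-clock machine (~9 min x 100).
    for label, t in (("fast-clock", 540.0), ("primed fast-clock", 270.0),
                     ("slow-clock", 540.0 * SLOW_CLOCK_FACTOR)):
        risks = {k: f"{v:.3g}" for k, v in on_spend_risk_table(t).items()}
        print(f"{label:>18} ({t:>7.0f} s): {risks}")
```

The Bitcoin row is the only one where a fast-clock machine has a meaningful chance; the slotted chains give exactly zero because the derivation time exceeds the slot, and a 100x slower machine drives the Bitcoin probability to effectively zero, which is the at-rest-only capability the architecture table assigns to slow-clock hardware.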

Attack Type 02

At-Rest Attack

Targets public keys that are permanently recorded on-chain — either from P2PK scripts that store the key directly, Taproot addresses, or addresses where a previous spend transaction revealed the key.

The attacker has unlimited time. Days, weeks, months. Works with slower quantum hardware (ion traps, neutral atoms). This is the threat to dormant wallets and Satoshi-era coins.

Window: Unlimited — key is permanently on-chain

Attack Type 03

On-Setup Attack

The most insidious type. Some protocols require a trusted setup ceremony that generates a secret scalar — called "toxic waste" — which must be destroyed. A CRQC can recover this secret from public parameters.

One successful attack creates a permanent, reusable backdoor. No quantum computer needed for subsequent attacks. Affects Ethereum's Data Availability Sampling (KZG), Tornado Cash, Zcash's Sapling pool, and Mimblewimble.

One-time quantum attack → unlimited classical exploit

Fast-Clock vs Slow-Clock Architectures

This distinction is unique to this paper. Not all quantum computers threaten the same things.

Architecture | Gate Speed          | Examples                                              | On-Spend    | At-Rest
Fast-Clock   | ~1 microsecond      | Superconducting (Google, IBM), Photonic, Silicon spin | Capable     | Capable
Slow-Clock   | ~100 microseconds+  | Ion trap (IonQ, Quantinuum), Neutral atom (QuEra)     | Not capable | Capable

Bitcoin's Vulnerability Breakdown

Bitcoin's risk comes down to one question: is the public key visible? Different address types handle this differently. But address reuse — which is extremely common — collapses all these distinctions.

Script Type    | Prefix  | Key Exposed?   | At-Rest Risk         | On-Spend Risk | Notes
P2PK           | n/a     | Always         | High                 | High          | Satoshi era. 1.7M BTC. Key in locking script from day 1.
P2PKH          | 1...    | On first spend | Low (if never spent) | High          | Most used legacy type. Safe until any spend transaction.
P2TR (Taproot) | bc1p... | Always         | High                 | High          | Security regression vs P2PKH. Key exposed in locking script.
P2WPKH         | bc1q... | On first spend | Low (if no reuse)    | High          | Current standard. Safest widely-used type today.
P2SH           | 3...    | On first spend | Low (if no reuse)    | High          | Script hidden behind hash until spend.
P2MR (BIP-360) | bc1z... | Never at-rest  | None                 | Medium        | Proposed. Removes vulnerable key path from Taproot.

The Address Reuse Problem

Address reuse is everywhere — exchanges, merchants, DeFi protocols — because it's convenient. But once any spend transaction exists for an address, the public key is permanently on-chain and all remaining funds at that address are as vulnerable as P2PK. The "safer" address types only protect you if you never reuse an address. In practice, roughly 6.9 million BTC is exposed through reuse alone.
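A wallet-side check that applies the rules in the script-type table and the reuse rule just described, as an added example that is not part of the briefing or the paper: it walks a constructed set of UTXOs, flags those whose public key is already on-chain, totals the exposed balance, and attaches the mitigation the table implies (move funds to a fresh, never-spent address). The script-type names and exposure rules are transcribed from the table; the addresses, amounts and spend history are constructed placeholders.

```python
from dataclasses import dataclass

# Exposure rules transcribed from the briefing's table (this example's simplification of it).
KEY_IN_LOCKING_SCRIPT = {"P2PK", "P2TR"}             # key on-chain from the moment funds arrive
KEY_REVEALED_ON_SPEND = {"P2PKH", "P2WPKH", "P2SH"}  # only a hash, until the first spend from the address
NO_KEY_PATH = {"P2MR"}                               # proposed BIP-360 type: no at-rest exposure


@dataclass(frozen=True)
class Utxo:
    address: str
    script_type: str
    sats: int   # integer satoshis so totals do not suffer float rounding


def exposure_reason(script_type: str, address_has_spent: bool):
    """Return None when the key is not on-chain, otherwise a short reason string."""
    if script_type in KEY_IN_LOCKING_SCRIPT:
        return "public key stored in the locking script"
    if script_type in KEY_REVEALED_ON_SPEND:
        return "address reused: an earlier spend revealed the public key" if address_has_spent else None
    if script_type in NO_KEY_PATH:
        return None
    raise ValueError(f"unknown script type {script_type!r}")


def audit(utxos, addresses_with_spends):
    """Classify every UTXO as at-rest exposed or not, total balances, and suggest an action."""
    exposed_sats = safe_sats = 0
    findings = []
    for u in utxos:
        reason = exposure_reason(u.script_type, u.address in addresses_with_spends)
        if reason:
            exposed_sats += u.sats
            # The migration spend reveals the old key too, but afterwards the address holds nothing.
            action = "migrate to a fresh, never-spent address; after that the old key guards no funds"
        else:
            safe_sats += u.sats
            action = "safe at rest; the key is still exposed during the spend itself (on-spend window)"
        findings.append({"address": u.address, "sats": u.sats, "reason": reason, "action": action})
    return {"exposed_sats": exposed_sats, "safe_sats": safe_sats, "findings": findings}


def demo_audit():
    """Constructed wallet: placeholder addresses and amounts, not real chain data."""
    wallet = [
        Utxo("addr_A_p2pkh", "P2PKH", 100_000_000),   # never spent from: still only a hash on-chain
        Utxo("addr_B_p2pkh", "P2PKH", 200_000_000),   # reused address: a past spend exposed the key
        Utxo("addr_C_p2tr", "P2TR", 50_000_000),      # Taproot: key in the locking script
        Utxo("addr_D_p2wpkh", "P2WPKH", 350_000_000), # two outputs on one address, never spent from
        Utxo("addr_D_p2wpkh", "P2WPKH", 10_000_000),
        Utxo("p2pk_output_E", "P2PK", 170_000_000),   # Satoshi-era style output
        Utxo("addr_F_p2mr", "P2MR", 20_000_000),      # proposed quantum-resistant type
    ]
    return audit(wallet, addresses_with_spends={"addr_B_p2pkh"})


if __name__ == "__main__":
    report = demo_audit()
    print(f"exposed: {report['exposed_sats'] / 1e8:.3f} BTC, safe at rest: {report['safe_sats'] / 1e8:.3f} BTC")
    for f in report["findings"]:
        print(f"  {f['address']:<16} {f['sats'] / 1e8:>7.3f} BTC  {f['reason'] or 'not exposed'}  ->  {f['action']}")
```

Note that the two P2WPKH outputs on addr_D are still safe only because nothing has ever been spent from that address; the moment one of them is spent, the other becomes as exposed as P2PK, which is the collapse the paragraph above describes.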

What's NOT vulnerable: Proof-of-Work

There's a persistent myth that quantum computers could dominate Bitcoin mining via Grover's algorithm. The paper is clear: this is not a credible threat for decades. Grover's quadratic speedup is all but eliminated by quantum error correction overhead, and Bitcoin mining's massive parallelization advantage makes classical ASICs far superior. A quantum miner would achieve a hashrate roughly 10 orders of magnitude below a modern ASIC.

Ethereum's Five Attack Vectors

Ethereum has a broader attack surface than Bitcoin. Its account model, smart contracts, Proof-of-Stake consensus, and data availability infrastructure each introduce vulnerabilities that don't exist in Bitcoin. All of these are at-rest attacks — a fast-clock CRQC is not needed.

Attack Vector 01

Account Vulnerability (20.5M ETH)

Every Ethereum account that has ever sent a transaction has its public key permanently exposed — because the first transaction reveals it to validate the ECDSA signature. Unlike Bitcoin, you can't rotate keys without abandoning your account entirely (losing your DeFi positions, governance history, reputation). An attacker with a fast-clock CRQC could crack the top 1,000 Ethereum accounts in under 9 days.
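Why does a first transaction expose the key even though an address is only a hash of it? Because the signature carries enough information to reconstruct the public key; that is exactly what Ethereum's ecrecover does when it validates a transaction, and the recovered key is visible to every node and mempool observer. The Python below is an added example, not code from the paper or this briefing: a compact textbook secp256k1 implementation with signing, verification and public-key recovery. The private key and payload are constructed for the demo, the nonce is derived with a simplified hash rather than RFC 6979, and the arithmetic is not constant-time, so it is for understanding, not for a wallet.

```python
import hashlib

# secp256k1 domain parameters (public constants from the SEC 2 standard)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, point):
    """Double-and-add; not constant-time (fine for a demo, not for a wallet)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sign(priv, msg_hash):
    """Return (r, s, recid). The nonce k is hash-derived for determinism (simplified, NOT RFC 6979)."""
    z = int.from_bytes(msg_hash, "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg_hash).digest(), "big") % N
    R = scalar_mul(k, G)
    r = R[0] % N                     # ignores the negligible R.x >= N case for brevity
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = R[1] & 1                 # parity of R.y lets the verifier choose the right square root
    return r, s, recid


def recover_pubkey(msg_hash, r, s, recid):
    """What ecrecover does: rebuild the signer's public key from the signature alone."""
    z = int.from_bytes(msg_hash, "big")
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
    if y & 1 != recid:
        y = P - y
    R = (r, y)
    # From s = k^-1 (z + r*d) it follows that d*G = r^-1 (s*R - z*G).
    zG = scalar_mul(z, G)
    minus_zG = (zG[0], (-zG[1]) % P)
    return scalar_mul(pow(r, -1, N), point_add(scalar_mul(s, R), minus_zG))


def verify(pub, msg_hash, r, s):
    """Standard ECDSA verification; note that it needs the public key as an input."""
    z = int.from_bytes(msg_hash, "big")
    w = pow(s, -1, N)
    X = point_add(scalar_mul(z * w % N, G), scalar_mul(r * w % N, pub))
    return X is not None and X[0] % N == r


def demo():
    """Constructed key and payload; a real tx hash would come from the RLP-encoded tx fields."""
    priv = int.from_bytes(hashlib.sha256(b"demo private key, never use").digest(), "big") % N
    pub = scalar_mul(priv, G)
    msg_hash = hashlib.sha256(b"constructed tx: transfer 1 ETH, nonce 0").digest()
    r, s, recid = sign(priv, msg_hash)
    recovered = recover_pubkey(msg_hash, r, s, recid)
    # The address only ever hid a hash of pub; the signature hands pub itself to every observer.
    return recovered == pub and verify(recovered, msg_hash, r, s)


if __name__ == "__main__":
    print("public key recovered from signature and verifies:", demo())
```

The same holds for Bitcoin: a P2PKH or P2WPKH spend places the public key directly in the unlocking script or witness, so either way the moment a spend is broadcast the key is public and the at-rest protection of the hash is gone. The Ethereum-specific difference described above is that the account cannot move to a fresh key without abandoning its identity.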

Attack Vector 02

Admin Vulnerability (~$200B in RWAs)

Smart contracts frequently grant admin privileges to specific accounts — the ability to pause execution, upgrade code, mint tokens, or drain funds. These admin keys are rarely rotated and often publicly visible from governance transactions. Cracking 70 such accounts with a fast-clock CRQC would take under 15 hours — and could give an attacker control over stablecoin minting, bridge liquidity, and oracle price feeds simultaneously.

Attack Vector 03

Code Vulnerability (15M ETH in L2s)

The smart contracts powering Layer 2 rollups and bridges use quantum-vulnerable cryptographic primitives in their validity proofs (zkSNARKs using ECDLP-based commitment schemes). Even if Ethereum's base layer upgrades to PQC, deployed L2 contracts can't be automatically recompiled. Each protocol's governance council would need to manually coordinate a migration — and in the meantime the quantum attack surface remains open.

Attack Vector 04

Consensus Vulnerability (37M ETH staked)

Ethereum's Proof-of-Stake consensus uses BLS signature aggregation on the BLS12-381 elliptic curve. A CRQC that breaks this can compromise validators. Controlling more than 1/3 halts finality. More than 2/3 allows rewriting chain history — an existential threat. With ~1 million validators, a concentrated attacker targeting large staking pools (Lido holds ~20%) could reach a dangerous threshold faster than targeting individual validators.

Attack Vector 05

Data Availability Vulnerability

This is the most insidious one. Ethereum's Data Availability Sampling (DAS) mechanism — introduced to make L2 rollups cheap and fast — uses KZG polynomial commitments on BLS12-381. These commitments require a "trusted setup" ceremony that generated a secret scalar (toxic waste) which was destroyed. A CRQC can recover that secret from publicly available parameters using Shor's algorithm. The result: a permanent, reusable backdoor that lets an attacker forge data availability proofs on classical hardware — forever — with no further need for a quantum computer. One attack, infinite classical exploits.

Quantum Risk Across the Ecosystem

Chain        | At-Rest Risk | On-Spend Risk | Special Vulnerabilities                                                                           | PQC Status
Bitcoin Cash | High         | Low           | Inherits P2PK coins from shared history with Bitcoin                                              | None
Litecoin     | High         | Very Low (3%) | Mimblewimble sidechain vulnerable to on-setup attacks via Pedersen commitments                    | None
Dogecoin     | High         | <0.02%        | 1-min blocks make on-spend practically impossible today                                           | None
Zcash        | High         | Very Low      | Sapling pool's trusted setup (toxic waste) recoverable by CRQC; retroactive privacy degradation    | Orchard protocol is safer; in progress
Monero       | High         | Low           | BulletProofs and ECDH key exchange both quantum-vulnerable; on-setup attack on Pedersen commitments | Research stage
Solana       | High         | None (400ms)  | Account model: all public keys permanently exposed after first tx                                 | Winternitz Vault (experimental)
Algorand     | Medium       | Medium        | Ed25519 consensus vulnerable, but key rotation supported natively                                 | Falcon signatures deployed (2025)
QRL          | None         | None          | Post-quantum from inception (XMSS signatures)                                                     | Fully PQC since launch (2018)

The Dormant Asset Problem Has No Clean Answer

Roughly 2.3 million BTC hasn't moved in five years or more. Most of it is locked in old P2PK scripts — public key permanently on-chain. The keys are almost certainly lost. But there's no way to verify that. And there's no way to make them safe without changing the protocol. The paper presents three options the Bitcoin community is debating, none of which is satisfying.

Option 01

Do Nothing

Leave the protocol unchanged. Quantum attackers eventually take the dormant coins. Preserves property rights and the fixed supply principle — but hands billions of dollars to whoever builds the first CRQC, potentially a rogue state or criminal organization. Supply shock when those coins re-enter circulation.

Option 02

Burn

Protocol change that renders dormant P2PK assets unspendable after a specific date — effectively confiscating them. Prevents quantum salvage and supply shock. But it sets a confiscatory precedent, expropriates anyone who genuinely still has their keys, and is deeply controversial in the Bitcoin community. Requires broad consensus to implement.

Option 03

Hourglass

Rate-limit how many dormant coins can be spent per block — creating a bottleneck that slows the supply shock and sets up a fee-auction dynamic where quantum attackers bid for block inclusion. Doesn't prevent theft, just slows and monetizes it for miners. Doesn't confiscate either.

Option 04 — Paper's Proposal

Digital Salvage (Bad Sidechain)

A regulated recovery framework — like maritime salvage law applied to crypto. A special-purpose sidechain where CRQC operators deposit recovered dormant assets. Automated and manual processes verify offchain ownership proofs (mnemonic phrases, Project 11 yellowpages registry). Rightful owners get their funds back; unclaimed assets follow a defined burn/distribution schedule. Governments legalize the salvage while recommending the Bitcoin community vote to burn. The only option that tries to return funds to real owners.

The Hard Truth

The Paper's Conclusion

An informal poll at the 2025 Presidio Bitcoin Quantum Summit found roughly equal support for each of the three main options. No consensus. The paper concludes: "it is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced." Meaning the first sign a CRQC exists might be anomalous on-chain activity — a dormant wallet draining, a statistically impossible front-run, validator keys compromised in patterns that suggest a quantum attack. We may not get advance warning.

Migrating to Post-Quantum Cryptography

The only durable solution is replacing ECDLP-based cryptography with post-quantum alternatives. NIST has standardized several candidates. The migration is technically feasible — several blockchains have already done it — but logistically hard and contentious in the Bitcoin community specifically.

What PQC Actually Costs

Post-quantum signatures are not free. The tradeoffs are real and this is why migration is controversial:

64–73 bytes: ECDSA signature size (current Bitcoin)
~1,280 bytes: Falcon (PQC) signature size used on Algorand
20x: increase in signature size, which means fewer transactions per block if block size stays constant
Months: time to migrate all BTC at the current network transaction rate, even if everyone starts today

Chains That Have Already Moved

Chain      | PQC Scheme               | Type          | Status
QRL        | XMSS + ML-DSA            | Hash-based    | Live since 2018
Algorand   | Falcon (FN-DSA)          | Lattice-based | First PQC tx in 2025
Solana     | Winternitz Vault (WOTS)  | Hash-based    | Experimental
XRP Ledger | ML-DSA                   | Lattice-based | AlphaNet deployment
Abelian    | Lattice-based full stack | Lattice-based | Live — privacy-preserving PQC

The Window Is Still Open — For Now

The paper's final word: "We contend that the amount of time remaining before the arrival of CRQCs still exceeds the amount of time needed to migrate public blockchains to PQC, though the margin for error is increasingly narrow." The time to start is now, not after the first confirmed CRQC attack. By then, it's too late for a significant portion of assets.

Glossary of Terms

Every technical term used in this briefing, defined in plain language.

Elliptic Curve Discrete Logarithm Problem (ECDLP)
The mathematical problem that underlies almost all blockchain cryptography. Given a public key (a point on an elliptic curve), find the private key (the scalar that generated it). On classical computers, this is computationally infeasible. On a sufficiently large quantum computer running Shor's algorithm, it can be solved efficiently. This is the root vulnerability the entire paper revolves around. ⚠ Broken by quantum computers
Cryptographically Relevant Quantum Computer (CRQC)
A quantum computer large and accurate enough to actually run Shor's algorithm against real-world cryptographic key sizes (256-bit and up). Not just a quantum computer — the specific threshold of capability needed to break deployed cryptosystems. The paper estimates this requires fewer than 500,000 physical qubits with standard error rates. Does not yet exist, but the paper argues the timeline is shortening dramatically.
Shor's Algorithm
A quantum algorithm invented by Peter Shor in 1994 that solves the integer factoring problem and the discrete logarithm problem (including ECDLP) in polynomial time — exponentially faster than the best classical algorithms. It's why quantum computers threaten RSA and elliptic curve cryptography. It does not help with hash functions, which is why Proof-of-Work is safe. ⚠ Core attack algorithm
Post-Quantum Cryptography (PQC)
Cryptographic algorithms designed to be secure against both classical and quantum computers. Does not require a quantum computer to run — these are classical algorithms with different mathematical hardness assumptions. NIST standardized the first PQC algorithms in 2024: ML-KEM (lattice-based key encapsulation), ML-DSA (lattice-based signatures), and SLH-DSA (hash-based signatures). These are larger and slower than ECDLP-based equivalents but quantum-resistant. ✓ Quantum resistant
Toffoli Gate (CCX / CCNOT)
A specific three-qubit quantum logic gate used as the primary unit of computation in fault-tolerant quantum circuits. It's the most expensive operation in terms of error correction overhead, so researchers count Toffoli gates to measure circuit complexity — like measuring FLOPS for classical computing. The paper reduced the Toffoli count for breaking ECDLP from ~200 million (prior work) to 70-90 million.
Logical vs Physical Qubits
Physical qubits are the actual hardware components — they're noisy and error-prone. Logical qubits are error-corrected "virtual" qubits built from many physical qubits, reliable enough for computation. The paper needs ~1,200–1,450 logical qubits to break ECDLP, but logical qubits require dozens to hundreds of physical qubits each to maintain through error correction — hence the ~500,000 physical qubit estimate.
Surface Code
The leading quantum error correction scheme for superconducting qubits. It arranges qubits in a 2D grid where neighboring qubits monitor each other for errors. It's practical because it only requires local (nearest-neighbor) interactions, which real hardware can implement. The downside: it has a low encoding rate — many physical qubits per logical qubit. The paper's estimates assume standard surface code. More aggressive approaches (qLDPC codes) could reduce the qubit count further.
Zero-Knowledge Proof (ZKP / ZK)
A cryptographic method that lets you prove you know something without revealing what you know. Example: prove you know the private key for a Bitcoin address without revealing the key itself. The paper uses a ZK proof in a novel way — proving that a quantum attack circuit exists and meets certain resource specs, without revealing the circuit itself (which would be a weapon blueprint). Two major flavors: SNARKs (smaller proofs, require trusted setup) and STARKs (larger proofs, no trusted setup, post-quantum safe).
zkSNARK (Zero-Knowledge Succinct Non-interactive Argument of Knowledge)
A type of ZK proof that is very small and fast to verify. The "succinct" part means the proof size and verification time are tiny regardless of how complex the underlying computation was. The downside: most zkSNARKs (like Groth16, Plonk) rely on elliptic curve pairings for their efficiency — which are ECDLP-based and quantum-vulnerable. Used extensively in Ethereum L2 rollups (zkSync, Polygon zkEVM, etc.). ⚠ Pairing-based SNARKs are quantum-vulnerable
zkSTARK (Zero-Knowledge Scalable Transparent Argument of Knowledge)
A type of ZK proof that uses only hash functions — no elliptic curves, no pairings, no trusted setup. The "transparent" means anyone can verify the setup parameters. Hash functions are believed to be quantum-resistant (breaking them would only require Grover's algorithm, which gives a quadratic speedup that's manageable by doubling key sizes). STARKs are larger and slower to verify than SNARKs, but post-quantum safe. Used by StarkWare, Starknet, and the SP1 zkVM (which the paper itself uses). ✓ Post-quantum safe (hash-based)
Groth16
The most widely deployed zkSNARK construction, designed by Jens Groth in 2016. It produces extremely small proofs (~200 bytes) that verify cheaply on-chain. The catch: it uses the BN254 (alt_bn128) pairing-friendly elliptic curve, which is ECDLP-based and quantum-vulnerable. It also requires a trusted setup. Zcash's Sapling pool, many Ethereum L2s, and even the paper's own ZK disclosure mechanism use Groth16. The paper notes the irony that their responsible disclosure proof is itself vulnerable to quantum forgery. ⚠ ECDLP-based — quantum vulnerable
KZG Commitment (Kate-Zaverucha-Goldberg)
A polynomial commitment scheme that lets you commit to a polynomial and later prove evaluations of it efficiently. Used in Ethereum's Data Availability Sampling (EIP-4844) and in many zkSNARK systems. Requires a trusted setup (the "powers of tau" ceremony) and relies on the BLS12-381 elliptic curve. The paper explains that a CRQC can recover the toxic waste from the KZG trusted setup, creating a permanent backdoor. This is the on-setup attack vulnerability in Ethereum's L2 infrastructure. ⚠ Trusted setup recoverable by CRQC
BLS Signatures (Boneh-Lynn-Shacham)
A digital signature scheme that enables efficient aggregation — thousands of individual signatures can be compressed into a single short signature. Ethereum uses BLS to aggregate ~500,000 validator attestations per slot into a few dozen, making the consensus layer practical. It requires pairing-friendly elliptic curves (BLS12-381). The pairing computation is ECDLP-based and quantum-vulnerable. Breaking validator keys gives an attacker the ability to equivocate, halt finality, or rewrite chain history depending on how many keys are compromised. ⚠ Pairing-based — quantum vulnerable
ECDSA (Elliptic Curve Digital Signature Algorithm)
The signature scheme used by Bitcoin (pre-Taproot), Ethereum, and most other blockchains. Uses the secp256k1 elliptic curve (Bitcoin/Ethereum) or other ECDLP-based curves. A valid ECDSA signature proves you know the private key without revealing it. The paper's resource estimates specifically target secp256k1 ECDLP — breaking it means any ECDSA signature scheme on that curve becomes forgeable. ⚠ Quantum vulnerable
Schnorr Signatures
An alternative to ECDSA used in Bitcoin's Taproot upgrade (BIP-340). Offers cleaner math, better security proofs, and native multisignature aggregation. Still uses secp256k1 — still ECDLP-based — still quantum-vulnerable. Taproot's signature upgrade didn't help the quantum situation; in fact it made it worse by storing the tweaked public key directly in the locking script, re-exposing keys that P2PKH-style addresses had hidden. ⚠ Still ECDLP — quantum vulnerable
Falcon / FN-DSA (NIST PQC Standard)
A lattice-based post-quantum digital signature scheme standardized by NIST in 2024 under the name FN-DSA. Uses NTRU lattices for its hardness assumption. Produces ~1,280-byte signatures — about 20x larger than ECDSA. Known for compact signatures relative to other PQC signature schemes. Algorand deployed Falcon for smart transactions in 2025, making it the first major blockchain to run production PQC transactions. Has known implementation challenges (Gaussian sampling can create side-channel vulnerabilities if not done carefully). ✓ Post-quantum secure
ML-DSA / CRYSTALS-Dilithium (NIST PQC Standard)
A lattice-based digital signature scheme standardized by NIST in 2024 as ML-DSA (Module-Lattice Digital Signature Algorithm). Based on the hardness of Module LWE and Module SIS problems. Larger signatures than Falcon but simpler, safer implementation (no Gaussian sampling). XRP Ledger deployed ML-DSA on its AlphaNet. The QRL blockchain added support for Dilithium alongside its original XMSS signatures. ✓ Post-quantum secure
XMSS / WOTS (Hash-Based Signatures)
Hash-based post-quantum signature schemes. XMSS (eXtended Merkle Signature Scheme) and WOTS (Winternitz One-Time Signatures) derive their security entirely from hash function collision resistance — no elliptic curves, no lattices. Considered the most conservative and well-understood PQC option because hash functions have been studied for 50+ years. QRL was built entirely on XMSS from launch (2018). Solana's Winternitz Vault uses WOTS experimentally. Downside: XMSS is stateful — the signer must track which keys have been used to avoid reuse, which is operationally complex at scale. ✓ Post-quantum secure
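To show what "hash-based" and "stateful" mean in practice, here is an added Python implementation of a simplified Winternitz one-time signature; it is my own example, not QRL's, Solana's or the paper's code. It covers key generation, signing, verification, and the operational guard that XMSS-style schemes need: a signer that refuses to sign a second message with the same key. The parameters (SHA-256, w = 16, 67 hash chains with a 3-digit checksum) and the omission of WOTS+ per-step masking are this example's choices; the messages are constructed.

```python
import hashlib
import secrets

# Parameters for this simplified WOTS (this example's choices, close to the textbook scheme).
N_BYTES = 32                        # SHA-256 output, one chain element
W = 16                              # Winternitz parameter: each chain carries one base-16 digit (0..15)
MSG_DIGITS = 64                     # 256-bit message digest as 64 hex digits
CHECK_DIGITS = 3                    # checksum <= 64 * 15 = 960 < 16**3
TOTAL = MSG_DIGITS + CHECK_DIGITS   # 67 hash chains per key


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Apply H `steps` times. Real WOTS+ XORs in per-step masks; plain hashing is enough here."""
    for _ in range(steps):
        x = H(x)
    return x


def to_digits(message: bytes):
    """Hash the message into 64 base-16 digits, then append a checksum of (15 - digit).
    The checksum is what makes the scheme sound: raising any message digit lowers the checksum,
    so a forged signature on a different message would require walking a chain backwards,
    i.e. inverting H."""
    digest = H(message)
    digits = []
    for b in digest:
        digits += [b >> 4, b & 0x0F]
    checksum = sum((W - 1) - d for d in digits)
    digits += [(checksum >> (4 * i)) & 0x0F for i in reversed(range(CHECK_DIGITS))]
    return digits


def keygen():
    """67 random chain starts form the secret key; the hash of all chain ends is the public key."""
    sk = [secrets.token_bytes(N_BYTES) for _ in range(TOTAL)]
    pk = H(b"".join(chain(s, W - 1) for s in sk))
    return sk, pk


def sign(sk, message: bytes):
    """Reveal each chain advanced by its digit; the verifier advances the rest of the way."""
    return [chain(sk[i], d) for i, d in enumerate(to_digits(message))]


def verify(pk: bytes, message: bytes, sig) -> bool:
    if len(sig) != TOTAL:
        return False
    ends = b"".join(chain(sig[i], (W - 1) - d) for i, d in enumerate(to_digits(message)))
    return H(ends) == pk


class OneTimeSigner:
    """Stateful wrapper: the control an XMSS-style scheme must enforce. Signing twice with one
    WOTS key publishes additional chain values, so a signer must track which keys are spent."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, message: bytes):
        if self.used:
            raise RuntimeError("WOTS key already used; refusing to sign a second message")
        self.used = True          # mark before signing so a crash mid-sign cannot permit reuse
        return sign(self.sk, message)


if __name__ == "__main__":
    signer = OneTimeSigner()
    sig = signer.sign(b"constructed transaction 1")
    print("signature elements:", len(sig), "bytes:", len(sig) * N_BYTES)
    print("verifies:", verify(signer.pk, b"constructed transaction 1", sig))
    try:
        signer.sign(b"constructed transaction 2")
    except RuntimeError as e:
        print("second signature refused:", e)
```

The 67-element signature is about 2 KB here, which is the size cost the "What PQC Actually Costs" section is about; and because the only primitive is a hash function, the security argument does not depend on ECDLP at all. The state tracking (the `used` flag, or in XMSS the index into a tree of such keys) is the part that makes these schemes operationally demanding: lose the state, for example by restoring a wallet from an old backup, and a key can be reused.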
Trusted Setup / Toxic Waste (Powers-of-Tau Ceremony)
Some cryptographic systems (KZG commitments, Groth16 SNARKs) require a one-time setup ceremony that generates a secret random value embedded in the public parameters. This secret — informally called "toxic waste" — must be destroyed after the ceremony. If it's ever recovered, the cryptographic guarantees collapse. The design of these ceremonies involves hundreds of participants, any one of whom could destroy their fragment to ensure the final secret is unknowable. A CRQC can recover toxic waste from the public parameters without going through the ceremony at all — defeating the entire security model. ⚠ CRQC can recover toxic waste from public params
Pedersen Commitment
A commitment scheme used to hide transaction amounts while allowing the network to verify that inputs and outputs balance (no coins created out of thin air). Used in Mimblewimble (Litecoin, Grin), Monero's RingCT, and older Confidential Transaction designs. Its binding property relies on ECDLP — a quantum attacker can forge commitments, enabling undetected coin inflation. Because Mimblewimble's Pedersen commitments use fixed public curve points, this is also an on-setup attack vulnerability. ⚠ Binding property broken by CRQC
ECDH Key Exchange (Elliptic Curve Diffie-Hellman)
A protocol that lets two parties derive a shared secret over a public channel without transmitting the secret itself. Used in Zcash (to derive encryption keys for shielded notes), Monero (stealth addresses), and Litecoin's Mimblewimble (offline transaction derivation). A quantum attacker can break ECDH retroactively — anyone who recorded encrypted on-chain data in the past can decrypt it once a CRQC is available. This is the "retroactive privacy degradation" threat for privacy coins. ⚠ Quantum vulnerable — enables retroactive decryption
UTXO Model (Unspent Transaction Output)
Bitcoin's accounting model. Rather than tracking account balances, Bitcoin tracks individual "coins" as unspent transaction outputs. Each UTXO is locked to a public key (or script). Spending a UTXO reveals the public key in the unlocking script. The UTXO model is more quantum-friendly than account models because you can use a new address (and new keypair) for every transaction — you don't have to reuse keys. The downside: address reuse (which happens constantly in practice) removes this protection entirely.
Account Model
Ethereum, Solana, and most smart contract blockchains use an account model — persistent identities with balances, rather than discrete coins. Once an account sends its first transaction, its public key is permanently on-chain and the account is forever at-rest vulnerable to quantum attacks. Unlike Bitcoin UTXOs, you can't silently rotate to a fresh key — your DeFi positions, governance votes, and reputation are tied to that address. This is why the paper identifies Ethereum's quantum exposure as structurally worse than Bitcoin's.
Mempool (Memory Pool)
The public waiting room for unconfirmed blockchain transactions. When you broadcast a transaction, it enters the mempool and waits for a miner (Bitcoin) or validator (Ethereum) to include it in the next block. The mempool is public — anyone can see all pending transactions. This is the attack surface for on-spend quantum attacks: the moment a transaction enters the mempool, the public key is visible and the clock starts on how fast an attacker can derive the private key and broadcast a competing transaction with a higher fee.
BLS12-381 Curve (Barreto-Lynn-Scott)
A pairing-friendly elliptic curve designed specifically for applications requiring bilinear pairings — mathematical operations that enable BLS signature aggregation and KZG polynomial commitments. Used by Ethereum's consensus layer (validator BLS signatures), Zcash's Sapling pool (Groth16), and many zkSNARK systems. The curve uses 381-bit field elements — slightly larger than secp256k1's 256 bits — which means breaking it requires a somewhat larger CRQC, but the paper estimates it's still accessible to first-generation fast-clock machines. ⚠ ECDLP-based — quantum vulnerable
secp256k1
The specific elliptic curve used for digital signatures in Bitcoin, Ethereum (execution layer), and most major blockchains. Defined by SECG (Standards for Efficient Cryptography Group). The paper's quantum resource estimates specifically target secp256k1 — the two circuit variants (1,200 logical qubits at 90M gates, or 1,450 logical qubits at 70M gates) are designed to solve ECDLP on this exact curve. Not a pairing-friendly curve, so it can't be used for BLS signatures or KZG commitments. ⚠ Primary target of the paper's attack circuits
Replace-By-Fee (RBF)
A Bitcoin mempool policy that allows a transaction to be replaced by a new version of the same transaction if it includes a higher fee. Originally designed for legitimate use cases like fee bumping. In the context of quantum attacks, RBF enables the "scorched earth" scenario: an attacker who has derived your private key can keep outbidding you in fee auctions, forcing you to offer increasingly high fees to get your own transaction confirmed. The paper notes this could transfer wealth from victim to miners even if the theft is technically "thwarted."
Hierarchical Deterministic Wallet (HD Wallet / BIP-32)
A wallet system that derives an infinite number of keypairs from a single master seed (usually a 12 or 24-word mnemonic phrase). Makes it easy to use a fresh address for every transaction — good for quantum safety. However, HD wallets expose a subtle quantum risk: sharing an "extended public key" (xpub) with third-party services enables those services to monitor all your addresses — but in the presence of CRQCs, knowing the xpub plus any single derived private key allows recovery of the master private key, compromising all derived keys at once.
Miner/Maximal Extractable Value (MEV)
The extra profit a miner or validator can extract by reordering, inserting, or removing transactions within the blocks they produce. Common MEV strategies include front-running DEX trades, sandwich attacks, and liquidation races. The paper introduces a new MEV dynamic: quantum attackers could participate in fee-auction wars using stolen funds they don't rightfully own, since they can rationally bid their entire stolen amount in fees — creating a new class of adversarial MEV that doesn't exist in the classical threat model.

About This Paper

This briefing is a plain-language summary of the following primary research. All specific numbers, findings, and claims in this document trace directly to the original paper.

Original Publication

Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi (Google Quantum AI), Justin Drake (Ethereum Foundation), Dan Boneh (Stanford)

Published: March 30, 2026 · arXiv / IACR ePrint · Dataset and ZK proof: Zenodo repository