Really Can't Be Too Optimistic? Two Quantum Computing Papers on the Same Day Lower Bitcoin's Breakeven Barrier by Two Orders of Magnitude

Bitsfull, 2026/03/31 18:39

Summary:


On the afternoon of March 31, Bitcoin reversed its morning uptrend and accelerated below the $67,000 mark, with the market fear and greed index sliding to 28. A widely circulated image on social media showed that the number of physical qubits required to break a Bitcoin private key with a quantum computer had dropped from the millions to the thousands. A researcher from Google Quantum AI warned that a quantum attack running for 9 minutes could hijack a Bitcoin transaction while it is still being broadcast, with about a 41% chance of completing the theft before confirmation. Around 6.9 million bitcoins with exposed public keys currently sit quietly on the chain, waiting for the hardware to catch up with the theory.


Triggering this panic were two papers published almost simultaneously the day before. One came from the Google Quantum AI team, and the other from the neutral-atom quantum computing company Oratomic. Individually, each was a significant advancement in its respective field. However, when viewed together, they targeted different layers of the quantum computing stack, resulting in a direct multiplicative effect.


Ethereum core researcher Justin Drake called it a "milestone day for quantum computing and cryptography" in a tweet. He was involved in the Google team's paper, which enhanced the Shor algorithm, the most famous quantum attack algorithm in the cryptography world, specifically designed to break RSA and elliptic curve encryption. The secp256k1 signature algorithm used by Bitcoin and Ethereum falls under elliptic curve cryptography.


Why was it truly frightening when the two papers were put together? Because the total number of physical qubits needed to break an elliptic curve signature = the number of logical qubits (how many "clean" computing units the algorithm needs) × the number of physical qubits per logical qubit (how much "redundant" hardware the error-correction layer needs to maintain one clean unit). Google's paper compressed the former; Oratomic's paper compressed the latter. When both factors shrink at once, the product plummets.



According to a paper accepted at EUROCRYPT 2026, the number of logical qubits required to break a 256-bit elliptic curve dropped from 2,330 in 2017 (the baseline paper by Roetteler et al.) to 2,124 in 2020 (the improvement by Häner et al.), and further to 1,098 in March 2026. Over nine years, the algorithmic requirement fell by more than half. The Google team's paper went further, optimizing specifically for the secp256k1 curve used by Bitcoin and Ethereum and reducing the required logical qubits to around 1,000, with a circuit depth of only about 100 million Toffoli gates (as described by Justin Drake, citing CryptoBriefing), which corresponds to roughly 1,000 seconds of Shor algorithm runtime on a superconducting platform.


Meanwhile, according to the Oratomic paper data cited in the tweet, the neutral-atom approach reduces the number of physical qubits needed per logical qubit from about 400 in traditional surface codes to about 10. The principle behind this breakthrough is entirely different from Google's: Google optimized the efficiency of the algorithm itself, while Oratomic optimized the error-correction overhead of the underlying hardware. The two improvements can be combined.


Multiplying the two numbers: the 2017 estimate was about 7 million physical qubits, while the March 2026 neutral-atom roadmap estimate is about 10,000. The total requirement has dropped from the millions to the thousands, a reduction of more than two orders of magnitude.


This multiplication effect has spurred two completely different attack paths.



According to the paper estimates compiled in the tweet, the superconducting roadmap (Google's research direction) requires about 500,000 physical qubits and about 9 minutes of runtime to break a private key, fast enough to hijack transactions in real time. The neutral-atom roadmap (Oratomic's research direction) needs only about 10,000 physical qubits, but the runtime stretches to about 10 days. That is not a problem for its intended target: dormant wallets with exposed public keys, where timing does not matter.


How large is the gap? Google's current strongest processor, Willow, has 105 superconducting qubits (according to the Google Quantum AI specs), still a factor of about 4,762 short of the 500,000 threshold. Fault-tolerant systems in the neutral-atom field, however, have already reached about 500 qubits, only a factor of about 20 short of the 10,000 threshold. Looking at the physical array size rather than fault-tolerant capacity, labs have already trapped over 6,100 atoms, narrowing the gap to less than a factor of 2.


A factor of 20 and a factor of 4,762 are entirely different orders of magnitude. The neutral-atom roadmap is closer than most people imagine.
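As an added worked example (not from the article or from either paper), the following Python reproduces the article's headline figures: the logical × physical-per-logical product, the gap factors against today's hardware, and the 41% figure for the 9-minute race. That last number matches the probability that no block arrives within 9 minutes if block discovery is modelled as a Poisson process with a 10-minute mean, which is an assumption here; the article does not state the researcher's model.

```python
import math

# Physical-qubit requirement = logical qubits x physical qubits per logical qubit.
def physical_qubits(logical_qubits: int, physical_per_logical: int) -> int:
    return logical_qubits * physical_per_logical

# How many times larger a roadmap's threshold is than today's largest system of that kind.
def gap_factor(threshold_qubits: int, current_qubits: int) -> float:
    return threshold_qubits / current_qubits

# Block arrival modelled as a Poisson process with a 10-minute mean interval (assumption).
# Returns the probability that fewer than k blocks arrive during the attack runtime, i.e. the
# victim's broadcast transaction is still unconfirmed (k=1) when the key-recovery run finishes.
def p_fewer_than_k_blocks(attack_minutes: float, k: int = 1,
                          block_interval_minutes: float = 10.0) -> float:
    lam = attack_minutes / block_interval_minutes
    return sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))

# Inverse view: how short a key-recovery run must be to reach a given chance of beating
# the first confirmation (same Poisson assumption, k=1).
def runtime_for_win_probability(p_win: float, block_interval_minutes: float = 10.0) -> float:
    return -block_interval_minutes * math.log(p_win)

if __name__ == "__main__":
    # Neutral-atom roadmap: ~1,000 logical qubits x ~10 physical per logical.
    print("neutral-atom physical qubits:", physical_qubits(1000, 10))               # 10000
    # Superconducting: 500,000 threshold vs Willow's 105 qubits.
    print("gap, superconducting (Willow, 105):", round(gap_factor(500_000, 105)))   # 4762
    # Neutral atom: 10,000 threshold vs ~500 fault-tolerant qubits / 6,100 trapped atoms.
    print("gap, neutral-atom fault-tolerant (500):", gap_factor(10_000, 500))       # 20.0
    print("gap, neutral-atom array (6,100):", round(gap_factor(10_000, 6_100), 2))  # 1.64
    # The 9-minute race: chance the victim's transaction is still unconfirmed.
    print("P(unconfirmed after 9 min):", round(p_fewer_than_k_blocks(9), 3))        # 0.407
    # Runtime needed for a 10% chance of beating the first confirmation.
    print("runtime for 10% win chance (min):",
          round(runtime_for_win_probability(0.10), 1))                              # 23.0
```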


On the Bitcoin side, the situation is far from ready to face this change.



According to a joint report by Ark Invest and Unchained, about 7 million bitcoins (approximately 33% of the total supply) are exposed to quantum risk, valued at around $440 to $480 billion. These vulnerable addresses fall into three categories. About 1.7 million sit in early P2PK addresses, with public keys directly exposed on the chain; most are believed lost, with no one able to perform a migration. About 1.1 million belong to Satoshi Nakamoto, spread across about 22,000 addresses, and the holder's identity is unknown. The remaining approximately 4.2 million are in reused addresses or P2TR addresses, where the public keys have also been exposed, but in theory the holders can proactively move them to secure addresses.


In other words, around 2.8 million bitcoins (40% of the vulnerable supply) are beyond saving: their private keys are either lost or their holders will never show up. This is not a problem technology can solve, but a governance question of whether the community should freeze these inevitably compromised addresses. According to a February report by CoinDesk, the Bitcoin community has been fiercely debating whether to freeze Satoshi's 1.1 million BTC, with no consensus reached so far.


Even for the theoretically movable 4.2 million bitcoins, migration is not automatic. Holders need to proactively move the assets from old addresses to addresses using a new signature scheme, and historical experience shows that a large number of holders will not take action before the deadline.


Facing the same threat, the response strategies of the three mainstream blockchains have diverged significantly.



According to pq.ethereum.org launched by the Ethereum Foundation on March 25, 2026, Ethereum has been preparing for 8 years, with a complete multi-stage roadmap: replacing the current BLS signature scheme with leanXMSS hash signatures, aiming to complete the L1 protocol upgrade by 2029. Over 10 client teams conduct weekly post-quantum devnet interoperability tests, and users can migrate progressively through account abstraction without the need for a hard fork. Google itself has set a deadline of 2029 to complete its internal post-quantum migration (according to the Google Security Blog), which aligns with Ethereum's schedule.


Solana has an experimental approach. The Winternitz Vault, proposed on GitHub in December 2025 by Dean Little, Chief Scientist of Zeus Network, uses a hash-based one-time-signature vault mechanism. However, it is an optional solution that users must proactively opt in to, and there is no official timeline.


Bitcoin faces the most severe situation. There is no coordinated plan, no foundation-level dedicated funding, and no timeline. Bitcoin's governance model requires decentralized, community-wide consensus to drive protocol changes, and this community has historically been known for its sluggishness. According to the Global Risk Institute's 2026 Quantum Threat Timeline report, cryptographically relevant quantum computing is "quite likely" to appear within 10 years and "very likely" within 15 years. If Ethereum's 2029 goal progresses as planned, its migration will be complete before the window closes. Bitcoin is still in the early stages of discussion.


Two papers published on the same day have put specific numbers to a threat that had long been only theoretical: 10,000 physical qubits, 10 days, and the private key of a dormant wallet.


It should be stressed, however, that this is still a significant lowering of a theoretical threshold, not an imminent one-off attack. Current state-of-the-art neutral-atom systems are still about an order of magnitude short of 10,000 fault-tolerant qubits, and the superconducting route is several orders of magnitude behind. A window of 10 to 15 years still exists, giving the Bitcoin community a fighting chance. Bitcoin has weathered governance tests before, such as the block size war and SegWit activation, all highly contentious and all eventually converging under pressure. The quantum threat is different in nature from a governance dispute: it involves no conflicting interests, only a shared risk facing the entire network. It could, in fact, serve as an external force accelerating action within the Bitcoin community.


The real question is not whether quantum computing can break Bitcoin, but whether the Bitcoin community can prepare in time before the window closes.