Last week, the Google Quantum AI team published a major paper estimating that, under specific superconducting, error-correction, and hardware assumptions, a future quantum computer could break 256-bit elliptic curve cryptography (ECDLP-256) within minutes using fewer than 500,000 physical qubits. That estimate is roughly 20 times lower than previous projections.
This directly targets ECDSA, the signature scheme used by most major public blockchains, including Bitcoin and Ethereum. Once the news broke, claims that “quantum computers will crack Bitcoin private keys” quickly spread online.
To understand this properly, we need a clear and balanced explanation: the threat is real, but it is still far from meaning “your wallet will be unsafe tomorrow.”
More importantly, the industry has already started preparing for it.
1. What Is Quantum Computing Really Threatening?
To understand this, let’s start with the basics: how are your crypto assets actually protected?
On blockchains like Bitcoin and Ethereum, assets are controlled by a key pair: a private key and a public key. The private key is a randomly generated large number that must remain strictly secret, much like the password to a safe. The public key is derived from the private key through elliptic curve multiplication, and the wallet address is then generated by hashing the public key into a shorter string.
The security of this system rests on one key fact: the process is one-way.
Put simply, deriving a public key from a private key is easy, but deriving the private key from the public key would take far longer than the age of the universe on a classical computer. This is what makes the Elliptic Curve Discrete Logarithm Problem secure: forward computation is easy, while reverse computation is effectively impossible.
Quantum computers challenge that assumption. They can solve integer factorization and discrete logarithm problems in polynomial time. In other words, a sufficiently powerful quantum computer could, in theory, derive your private key from your public key.
This leads to a key question: when is the public key exposed?
Every time you send a transaction on a blockchain, you use your private key to sign the transaction data, while also revealing your public key so the network can verify the signature. That means once you have sent a transaction, your public key is already exposed on-chain.
The significance of Google’s paper is that it moves “deriving a private key from a public key” from something that was theoretically possible but seemed unrealistic into a target that can now be mapped onto a quantum hardware roadmap. According to the paper’s estimate, breaking a 256-bit ECDLP would require a fault-tolerant quantum computer with roughly 500,000 physical qubits, far fewer than earlier estimates suggested.
In essence, quantum computing is not primarily “breaking the blockchain” itself. What it directly targets is the signature system that still relies on the hardness of the elliptic curve discrete logarithm problem.
So yes, the threat is real. But strictly speaking, calling it “imminent” is not accurate. Most industry estimates still place the earliest realistic window around 2030.
(For further reading: Native Account Abstraction + the Quantum Threat: Why Was EIP-8141 Passed Over as the Headline Feature of Ethereum’s Hegotá Upgrade?)
2. How Are Different Public Blockchains Preparing?
That said, there is an important distinction that many reports fail to explain clearly: many Bitcoin addresses do not expose their public keys on-chain from the very beginning.
In common formats such as P2PKH and P2WPKH, the address itself is usually just a hash of the public key. The actual public key is often only revealed when the address is spent for the first time. That means if an address has never sent a transaction, only the wallet address is visible on-chain, not the public key itself.
As a result, the most direct quantum attack surface is concentrated more on the public keys of addresses that have already spent funds. This also suggests the first practical step users can take today, which we will return to shortly.
The industry is not ignoring this issue. In fact, preparations for post-quantum cryptographic migration are already moving forward on multiple fronts.
Ethereum’s approach is to decouple the account layer from the signature scheme. For example, progress around EIP-7702 and account abstraction (AA) allows Ethereum accounts to define what counts as a valid signature through smart contract logic. That means when post-quantum signature schemes are introduced in the future, there may be no need to rewrite the protocol from the ground up. It may be enough to replace the account’s signature verification module.
Going a step further, Ethereum Foundation cryptography researcher Antonio Sanso shared an update at EthCC9 on Ethereum’s latest post-quantum progress. He noted that quantum computers may pose a practical threat to ECDSA in the mid-2030s, that Ethereum has already completed roughly 20% of its post-quantum preparation, and that the ecosystem aims to achieve full quantum resistance through the Lean Ethereum upgrade between 2028 and 2032.
That said, the main technical challenge today is still signature size. Even Falcon, one of the lightest post-quantum signature schemes, produces signatures more than 10 times larger than ECDSA. Verifying lattice-based cryptography directly in Solidity is also extremely expensive in Gas terms. As a result, the research team has identified two main technical paths:
- Account abstraction could allow users to upgrade their wallet signature algorithm to a quantum-resistant scheme without modifying the underlying protocol.
- LeanVM could be introduced to handle more complex hash computations, while zero-knowledge proofs could be used to verify ownership of address mnemonics and protect assets during migration.
Antonio also said he would begin chairing biweekly ACD post-quantum meetings starting in February 2026. Experimental post-quantum testnets have already gone live on consensus clients such as Lighthouse and Grandine.
Beyond Ethereum, the Bitcoin community is clearly taking a more conservative approach. A recent proposal, BIP360, now in the BIPs repository, introduces a new output type called P2MR (Pay-to-Merkle-Root). One of its design goals is to remove the quantum-vulnerable key-path spend in Taproot and create a more migration-friendly structure for future post-quantum signature schemes.
Of course, a proposal entering the BIPs repository does not mean it has already reached community consensus, nor does it mean adoption is near. At most, it shows that the Bitcoin community has started discussing quantum exposure and possible output-type changes in a more concrete way. That is also very much in line with Bitcoin’s usual style: define the problem clearly first, then move toward consensus slowly.
It is also worth noting that in 2024, the U.S. National Institute of Standards and Technology (NIST) formally published three post-quantum cryptography standards. This gives the blockchain ecosystem a clear migration target. It no longer needs to wait for the debate over which algorithm is best to fully settle before engineering work can move forward.
3. What Should Ordinary Users Do?
Even though the threat from quantum computers is still years away, that does not mean it can be ignored today. Some good habits are easy to adopt now.
First, avoid address reuse. This is the most direct and effective form of self-protection.
As explained above, if you use a UTXO-based chain such as Bitcoin, your public key is exposed on-chain once you spend from an address. If you keep reusing the same address, that public key remains exposed for a long time. Once quantum computing matures, an attacker could take their time deriving the private key from that public key.
Today, mainstream wallets such as imToken already provide HD wallet functionality by default. A good habit is to receive each transfer with a fresh address instead of repeatedly using one address as a permanent identity marker. For addresses that have never sent a transaction, the public key has never been exposed, so the current quantum threat largely does not apply.
Second, pay attention to your wallet’s post-quantum upgrade path.
If you mainly use account-model chains such as Ethereum, then the priority is not mechanically rotating to a new address again and again. What matters more is whether the wallet and chain you use will provide a clear migration path in the future.
For account-model chains, the bigger issue in a quantum era is often not one-time exposure, but the long-term binding of active accounts, public key history, on-chain identity, and application permissions. Once the real migration window arrives, the accounts that are easier to upgrade, and the wallets that can replace signature logic more smoothly, will be safer.
Finally, from a practical perspective, one thing is easy to foresee: as the topic gains attention, more and more wallets and protocols will start marketing themselves as “quantum-safe.” We should stay cautious about wallets, protocols, and infrastructure products that use “quantum safety” as a selling point.
When faced with such claims, the most important questions are not in the marketing copy, but in three harder ones:
- Does it rely on an algorithm that has already been standardized by NIST?
- Has its security been independently audited and thoroughly validated in implementation?
- Is its claimed “quantum safety” really about chain-level migration, account-level upgrades, or just application-layer packaging?
Real post-quantum security ultimately has to cover more than a label on an app. It needs to cover the full path from signing and verification to on-chain compatibility.
Overall, the threat quantum computing poses to blockchains is real, and the significance of Google’s latest paper lies in the fact that it moves that threat one step closer from distant theory to a risk that can be planned for.
But this is still not a signal that “wallets will be broken tomorrow.” A more accurate way to understand it is that post-quantum migration is no longer a topic confined to academia. Over the coming years, it will gradually become a practical issue in protocol upgrades, wallet design, and user asset management.
Final Thoughts
For the industry, what matters next is not who is first to say that quantum is coming, but who can design a clear migration path first.
For users, the goal is not to panic now, but to build a basic understanding of risk: which assets are exposed first, which actions increase that exposure, and which wallets and public chains are more likely to offer smooth upgrades in the future.
What we need is early action, not excessive anxiety.
A perspective worth keeping in mind.