Google’s March 30, 2026 whitepaper (titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations”) provides updated, more optimistic resource estimates for using a cryptographically relevant quantum computer (CRQC) to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP). This is the hard math problem underlying secp256k1 elliptic curve cryptography used in Bitcoin, Ethereum, and most cryptocurrencies — including the ECDSA and Schnorr signatures that protect private keys.

Key Findings from the Paper

The paper shows that Shor’s algorithm (adapted for ECDLP-256) could theoretically be executed with:

• Roughly 1,200 logical qubits (and under 90 million Toffoli gates) in one optimized circuit, or slightly more in another variant.
• Fewer than 500,000 physical qubits on a superconducting (fast-clock) quantum computer.
• Attack runtime of approximately 9 minutes per private-key derivation once a public key is known (for a “primed” machine that has pre-computed part of the workload).

This represents roughly a 20-fold reduction in required physical qubits compared to prior estimates, making the threat appear closer in timeline than previously thought (some co-authors now assign non-negligible probability to practical attacks by around 2032, though this remains speculative and depends on major hardware advances in error correction and qubit scaling).10

The paper distinguishes two main attack scenarios relevant to wallets:

• At-rest attacks: Target wallets where the public key is already exposed on the blockchain (e.g., older P2PK addresses, reused addresses, or any address from which a transaction has previously been sent). An attacker with a CRQC could derive the private key offline at leisure.
• On-spend attacks: Monitor the mempool for a pending transaction that reveals the public key, then rapidly compute the private key (in ~9 minutes on fast hardware) to broadcast a competing transaction that steals the funds before confirmation.

Impact on Common Wallets and Public Key Visibility

Most hardware wallets generate and display public keys/addresses for receiving funds. This visibility is inherent and necessary for cryptocurrency operation.

• For addresses that have never spent funds: The public key is typically not yet revealed on-chain (especially in modern scripts like P2WPKH or P2TR used by many wallets). In these cases, a quantum attacker cannot directly apply the ECDLP attack until you spend and the public key becomes visible. This provides meaningful short-term protection against “at-rest” attacks.
• For addresses that have spent funds (or reuse addresses): The public key is already public. Once a sufficiently powerful CRQC exists, those funds would be vulnerable to at-rest extraction. The Google paper explicitly highlights this risk for exposed or reused public keys and notes that sharing extended public keys (XPUBs) would allow an attacker to derive multiple private keys from one quantum run.

The core security model used by common wallets — keeping private keys non-extractable on the secure element chip — remains intact against classical attacks and side-channel threats. However, the paper underscores that no current ECC-based system (including hardware wallets) is quantum-safe in the long term once public keys are exposed. The hardware itself does not mitigate the mathematical vulnerability of ECDLP.

Practical Implications and Current Status (as of April 2026)

• NO IMMEDIATE THREAT: No CRQC capable of these attacks exists today. Current quantum hardware is far from the required scale, error correction, and stability. The paper’s estimates assume idealized future hardware consistent with Google’s own superconducting progress, but real-world timelines for “Q-day” (when such attacks become feasible) are still debated and likely years away.
• Other considerations: If you use XPUB sharing (e.g., for monitoring services), this amplifies risk under quantum scenarios, as noted in the paper. Single-use addresses without prior spends offer better interim protection.
• Broader ecosystem: The paper recommends reducing public key exposure, avoiding address reuse, and — most importantly — migrating blockchains and wallets to post-quantum cryptography (PQC) algorithms that resist Shor’s algorithm. Hardware wallets like Tangem / Ledger / Trezor will eventually need firmware/app updates to support PQC signatures once standards mature and chains adopt them.

Recommendations

1. Continue best practices: Use fresh addresses for each receive, avoid unnecessary XPUB sharing, and minimise address reuse.
2. Monitor developments: Watch for blockchain upgrades to PQC (e.g., proposals for Ethereum or Bitcoin layers) and wallet makers & developer’s response in terms of supported algorithms or firmware.
3. For high-value holdings: Consider diversifying storage methods and staying informed on quantum timelines from credible sources (NIST, Google Quantum AI, etc.).
4. Long-term: The only robust solution is a transition to quantum-resistant cryptography, which the paper and industry are actively discussing.

This highlights why the crypto community is accelerating post-quantum planning. The visibility of public keys, becomes a more critical exposure vector in a post-CRQC world.

If you’ve lost access to your Bitcoin or other cryptocurrency we may be able to recover it for you. Please visit our Bitcoin and cryptocurrency recovery page.