Quantum Computing and Blockchain: What You Need to Know

Google Just Moved the Timeline Forward

On March 31, 2026, Google's Quantum AI division published a whitepaper that landed like a thunderclap across the digital asset industry. The paper demonstrated that future quantum computers could break the elliptic curve cryptography protecting Bitcoin, Ethereum, and most blockchain wallets using significantly fewer resources than anyone had previously estimated.

The numbers: fewer than 500,000 physical qubits and roughly 1,200–1,450 high-quality logical qubits. Previous estimates sat in the millions. Google's team compiled two quantum circuits implementing Shor's algorithm for the 256-bit elliptic curve discrete logarithm problem (ECDLP-256). One uses fewer than 1,200 logical qubits and 90 million Toffoli gates. The other uses fewer than 1,450 logical qubits and 70 million Toffoli gates. Both represent an approximately 20-fold reduction in the physical qubits required compared with prior research.

Six days later, on April 6, Circle announced a quantum-resistant roadmap for its Arc blockchain — one of the first major layer-1 networks to treat quantum resistance as a launch-day design requirement rather than a problem to fix later.

These aren't disconnected events. The quantum timeline has compressed from "mid-2030s" to 2029 or sooner, and the industry is starting to respond. For institutions managing digital assets — custodians, banks, stablecoin issuers, RWA platforms — the question is no longer whether quantum poses a risk, but when to start preparing.

How Quantum Computers Could Break Blockchain Cryptography

Traditional computers use bits: each one is either 0 or 1. Quantum computers use qubits, which can represent both states simultaneously through a property called superposition. This lets quantum systems solve certain mathematical problems exponentially faster than classical machines — including the elliptic curve math that secures virtually every blockchain wallet in existence.

The cryptography at stake is called ECDSA (Elliptic Curve Digital Signature Algorithm). When you send Bitcoin or interact with an Ethereum smart contract, your wallet signs the transaction using a private key. The blockchain verifies that signature using the corresponding public key. The security of this entire system relies on one assumption: that deriving a private key from a public key is computationally infeasible for classical computers.

Quantum computers running Shor's algorithm can do exactly that.

Current hardware is not there yet. Google's Willow chip has 105 qubits. The attack described in the whitepaper would require hundreds of thousands of physical qubits to operate at the logical level needed. But the trajectory matters. Google has pointed to 2029 as a milestone for useful quantum systems. And the resource estimates keep dropping — this latest paper is a 20x improvement over earlier projections.

Mike Belshe, CEO of BitGo, addressed this directly on Tokenized Episode 77:

"We should all be taking quantum very, very seriously. I think the numbers are only going to come in. I don't think they're going to go out. Even if you don't believe that it's going to happen in 2029, it's preventing people from buying and participating right now. We were on this road show going public — the quantum question was definitely a top five question."

That last point is worth sitting with. Quantum risk is already affecting investment decisions and institutional confidence, regardless of when a working attack becomes feasible.

The 9-Minute Attack Window

Google's research describes a specific attack scenario that has drawn significant attention. When a Bitcoin user broadcasts a transaction spending from a hashed address, their public key becomes visible on the network for the first time. A quantum attacker could use that public key to derive the private key and create a competing transaction — effectively stealing the funds.

Bitcoin transactions take roughly 10 minutes to confirm. Google's paper suggests the quantum portion of the attack could be completed in approximately 9 minutes, assuming the attacker pre-computes part of the calculation in advance. That creates a race condition: the attacker has a meaningful chance of landing their fraudulent transaction before the legitimate one confirms.

Who's exposed? The vulnerability affects any wallet where the public key has been revealed on-chain. That includes roughly 6.9 million Bitcoin — about one-third of total supply — sitting in wallets with exposed public keys. Of that, 1.7 million Bitcoin from the network's earliest years are particularly vulnerable, because early address formats used direct public key exposure.

There's an irony here. Bitcoin's 2021 Taproot upgrade, designed to improve privacy and efficiency through Schnorr signatures, actually increases quantum exposure. Taproot (P2TR) places the output public key directly in the output script, so it is visible on-chain by default. Older output formats (P2PKH, and P2SH for script-wrapped keys) put only a hash on-chain and revealed the public key itself only when the coins were spent, providing an additional layer of protection that Taproot removed. Google's researchers noted this explicitly: the design choice "could expand the number of wallets vulnerable to future quantum attacks."

Taproot wasn't a mistake — quantum computing wasn't on the 2021 threat horizon the way it is now. But it illustrates how quickly the risk calculus can shift.

Ethereum is somewhat better positioned for this specific attack. Ethereum transactions confirm in seconds, leaving far less time for a quantum attacker to execute the key-derivation race. But Ethereum's cryptographic foundations still rely on ECDSA, and its broader infrastructure — TLS connections, validator keys, zero-knowledge proof systems — all need post-quantum upgrades eventually.

"Harvest Now, Decrypt Later" Is Already Happening

NIST (the National Institute of Standards and Technology) has warned about a class of attack that doesn't require a working quantum computer today. In a "harvest now, decrypt later" scenario, adversaries collect encrypted data and signed transactions with the intention of decrypting them once quantum computers are powerful enough to break the underlying cryptography.

For blockchains, where every transaction is recorded permanently on a public ledger, this is particularly relevant. An attacker accumulating public keys today could begin cracking them the moment sufficient quantum hardware becomes available.

This isn't speculative. Intelligence agencies and state actors routinely intercept and store encrypted communications for future decryption. The same logic applies to blockchain data — except the data is already public and doesn't need to be intercepted. It just needs to be catalogued.

What the Industry Is Doing

Circle's Arc: Quantum Resistance from Day One

Circle announced on April 6, 2026 that its Arc blockchain would launch with post-quantum signature support, allowing users to create quantum-resistant wallets from mainnet day one. Arc's roadmap rolls out in phases:

  • Phase 1 (mainnet launch, 2026): Opt-in post-quantum wallet signatures
  • Near-term: Quantum-resistant private state protection (confidential balances, private transactions)
  • Mid-term: Post-quantum infrastructure across TLS 1.3, HSMs, and cloud environments
  • Long-term: Validator authentication hardening

Arc's approach is notable because it treats quantum resistance as a design requirement rather than a retrofit. Building post-quantum cryptography into a new chain is straightforward. Migrating an existing chain — with millions of wallets, thousands of validators, and complex smart contract dependencies — is orders of magnitude harder.

The tradeoff is size. NIST's lattice-based post-quantum algorithms carry signature sizes 2–10x larger than current ECDSA signatures, which creates throughput pressure. Circle's roadmap acknowledges this directly, pointing to algorithm optimisation and hardware acceleration as the mitigation path.

NIST Post-Quantum Standards

NIST finalised its post-quantum cryptography standards in 2024, approving three algorithms: ML-KEM (for key exchange), ML-DSA (for digital signatures), and SLH-DSA (a stateless hash-based signature scheme). These are designed to resist both classical and quantum attacks.

Adoption is already underway outside crypto. TLS 1.3 supports post-quantum key exchange. Major cloud providers — AWS, Google Cloud, Azure — are migrating their internal infrastructure. The cryptographic community has moved past debate and into deployment.

Ethereum's Long Road

Ethereum has acknowledged quantum resistance as a long-term priority, but migration will span the execution layer, consensus layer, and data layer. Wallets, validators, smart contracts, and HSMs all need upgrades. The Ethereum Foundation estimates this will take years of coordinated effort. Zero-knowledge proof systems — central to Ethereum's scaling roadmap — also require post-quantum redesigns.

Bitcoin's Challenge

Bitcoin has no formal quantum-resistant upgrade path yet. The community is aware of the issue, and researchers like Jonas Nick have proposed new signature schemes. But Bitcoin's consensus process moves deliberately, and there's no agreement on timeline or approach.

Mike Belshe outlined the sequence of work required on Episode 77:

"Three things have to happen. First, you have to update on chain — probably takes a year and a half, two years. Number two, wallets have to integrate that. Number three, all of the users need to move to those wallets. Then number four, we need to deal with Satoshi's coins, which is maybe the non-technical and yet existential debate for what Bitcoin is at its core."

Post-quantum signatures are also significantly larger than current 64-byte ECDSA signatures, which creates scalability issues for Bitcoin's already constrained block space. Migration won't be simple.

Is This Urgent or Is It Hype?

The case for urgency:

  • Google's research is peer-reviewed and uses zero-knowledge proofs to validate findings without providing a roadmap for attackers
  • Resource estimates have dropped 20x in this paper alone — the trend line points down
  • NIST, Circle, the Ethereum Foundation, and major cloud providers are all treating this as real
  • Google's own internal 2029 migration timeline signals genuine institutional concern
  • "Harvest now, decrypt later" is a real threat for long-lived assets that can't be rotated

The case for measured response:

  • No quantum computer can execute this attack today
  • 105 qubits (Google Willow) vs 1,200–1,450 logical qubits needed — a significant hardware gap remains
  • Institutions have time to prepare, but the preparation itself takes years
  • The bigger risk is compressed migration timelines and rushed implementations, not a surprise attack

Haseeb Qureshi, a partner at Dragonfly, framed the shift in urgency on Episode 77: the Google research "brings in the date of what we thought was going to be something in the mid-2030s to three years away. And that changes the urgency."

What Institutions Should Do Now

1. Assess cryptographic exposure. Map which systems rely on ECDSA or other quantum-vulnerable cryptography. This includes wallets, custody platforms, TLS connections, HSMs, and MPC systems. If you hold digital assets in wallets with exposed public keys — or your custody provider does — that's the first thing to address.

2. Follow BitGo's lead on key hygiene. Belshe noted on Episode 77 that BitGo already uses the most resistant techniques available: "If you don't expose your public keys, you're as safe as you can be." Never reusing addresses and avoiding Taproot-format wallets where possible buys time.

3. Budget for larger signatures. Post-quantum cryptographic signatures are 2–10x larger than their classical equivalents. That means more storage, more bandwidth, and slower verification. Plan for it now in infrastructure design.

4. Start testing NIST-approved algorithms. The post-quantum standards are finalised. Begin integrating ML-KEM and ML-DSA into non-production environments to understand the performance implications.

5. Build new infrastructure quantum-resistant from day one. If you're launching new blockchain infrastructure, new custody platforms, or new digital asset products, follow Circle's Arc approach and design in post-quantum cryptography from the start. Retrofitting is harder and riskier.
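As an added example (not code from the article, BitGo or Circle), here is a small Python inventory check that applies the distinction drawn in the Taproot discussion and in steps 1 and 2 above: it classifies Bitcoin output scripts by whether the spending public key is already visible on-chain (P2PK, Taproot, or any address that has been spent from before) versus only hashed (P2PKH, P2SH, P2WPKH, P2WSH). The script templates are the standard Bitcoin ones; the UTXO inventory and its txids are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Utxo:
    txid: str             # constructed placeholder identifier, not a real txid
    script_pubkey: str    # output script (scriptPubKey) as hex
    address_reused: bool  # True if an earlier spend from this address already revealed the key

def classify(script_hex: str) -> tuple[str, bool]:
    """Return (script type, whether the public key sits in the output itself)."""
    s = bytes.fromhex(script_hex)
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh", False   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh", False    # OP_HASH160 <20-byte script hash> OP_EQUAL
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False  # segwit v0: HASH160 of key, key appears only in the witness
    if len(s) == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False   # segwit v0: SHA256 of witness script
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True     # segwit v1 (Taproot): 32-byte x-only output key is on-chain
    if len(s) in (35, 67) and s[0] in (0x21, 0x41) and s[-1] == 0xAC:
        return "p2pk", True     # early format: raw compressed/uncompressed key + OP_CHECKSIG
    return "unknown", False

def assess(utxos: list[Utxo]) -> dict[str, str]:
    """Map each txid to '<type>:exposed' or '<type>:hashed' for a quantum-risk inventory."""
    report: dict[str, str] = {}
    for u in utxos:
        kind, key_in_output = classify(u.script_pubkey)
        # The key is recoverable by a future quantum attacker if it is in the output
        # itself, or if the address was reused after a spend revealed the key.
        exposed = key_in_output or u.address_reused
        report[u.txid] = f"{kind}:{'exposed' if exposed else 'hashed'}"
    return report

SAMPLE_UTXOS = [  # constructed sample inventory, not real chain data
    Utxo("tx-a", "76a914" + "ab" * 20 + "88ac", False),  # P2PKH, never spent from
    Utxo("tx-b", "76a914" + "ab" * 20 + "88ac", True),   # same P2PKH address, reused
    Utxo("tx-c", "5120" + "cd" * 32, False),             # Taproot output
    Utxo("tx-d", "21" + "02" + "ee" * 32 + "ac", False), # early-era P2PK output
]

if __name__ == "__main__":
    for txid, status in assess(SAMPLE_UTXOS).items():
        print(txid, status)
```

Outputs marked `exposed` are the ones step 1 says to address first; the `address_reused` flag is the on-chain signal that the hygiene rule in step 2 was not followed.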

The Takeaway

Quantum computing is no longer a theoretical concern sitting on a 15-year horizon. Google's March 2026 research showed the required computing resources are dramatically lower than previously estimated, and their own internal timeline points to 2029. Circle is already building quantum resistance into new infrastructure. NIST standards are finalised and being adopted across the broader technology industry.

For institutions managing digital assets, the migration will take years — updating chains, upgrading wallets, moving users, testing new cryptographic schemes. That's precisely why the time to start is now. The risk isn't a quantum attack next week. It's arriving at Q-Day without having done the preparation work, and discovering the migration window has already closed.

This article is part of the Tokenized learning series — educational content on stablecoins, tokenization, and real-world assets from the Tokenized podcast, hosted by Simon Taylor and Cuy Sheffield.