By Mohamed Abdel-Kareem
Recent technical disclosures from Google Quantum AI and the newly emerged Oratomic have provided updated resource estimates for executing Shor’s algorithm against the secp256k1 elliptic curve. secp256k1 is the elliptic curve best known for powering Bitcoin’s public-key cryptography and digital signatures. These findings indicate a reduction in the physical and logical requirements for a Cryptographically Relevant Quantum Computer (CRQC) to compromise the digital signature schemes underpinning the Bitcoin and Ethereum networks.
The following analysis evaluates the divergence between “fast-clock” and “slow-clock” architectures and the resulting implications for active and dormant digital assets.
The 1,000 Logical Qubit Milestone
In a whitepaper released on March 30, 2026, Google Quantum AI indicated that the 256-bit Elliptic Curve Discrete Logarithm Problem (ECDLP) can be broken with a dramatically smaller quantum computer than previously thought (an order of magnitude smaller, using only 1,200-1,450 logical qubits and 90-70 million Toffoli gates). Crucially, on quantum computers with sufficiently fast clock speeds, the attack could be executed in as little as a 9-minute window, short enough to threaten digital signatures exposed during the Bitcoin transaction broadcast process.
In a noteworthy quantum industry first, Google utilized a Zero-Knowledge (ZK) proof to substantiate these claims, an approach dictated by the “Responsible Disclosure” paradigm. As quantum resource estimates shrink toward the thresholds of foreseeable hardware, Google argued that publishing the specific logical gate sequences or optimized attack vectors would effectively provide a functional blueprint for nefarious actors. The ZK proof allows for independent cryptographic verification of the results while keeping the sensitive “how-to” details opaque.
Crucially, the Toffoli gate count (70 to 90 million) serves as the primary determinant of execution speed. Because these gates represent the total computational depth required, their reduction is what allows a superconducting architecture with a 10⁻³ physical error rate to resolve a private key in approximately 9 to 23 minutes. By linking Toffoli count directly to a specific time window, the research demonstrates that “on-spend” attacks are transitioning from a theoretical possibility to a concrete threat model for fast-clock systems.
Fast-Clock vs. Slow-Clock Architectures
A key distinction highlighted in this research is the operational speed, or “clock rate,” of different quantum modalities:
- Fast-Clock (Superconducting Circuits/Photon Based/Silicon Spin): These systems feature short error-correction cycles (approx. 1 microsecond). High gate speeds enable “on-spend” attacks, where a private key is derived within the ten-minute average block time of Bitcoin.
- Slow-Clock (Neutral Atom/Trapped Ion): These systems have cycle times two to three orders of magnitude slower (100 microseconds to 1 millisecond). While capable of “at-rest” attacks on static balances, they are currently considered too slow to intercept active mempool transactions.
Neutral Atoms and Hardware Efficiency
Simultaneously, Oratomic (featuring researchers such as John Preskill and Dolev Bluvstein) published results demonstrating that Shor’s algorithm is viable with as few as 10,000 reconfigurable atomic qubits. This approach prioritizes hardware efficiency over raw execution speed, leveraging a specifically selected family of ultra-high-rate Quantum Low-Density Parity-Check (qLDPC) codes.
While the Google approach requires approximately 500,000 physical qubits on a superconducting plane to reach the logical threshold, Oratomic’s architecture achieves a 30% encoding rate. This allows for a cryptographically relevant machine to be built with an order of magnitude fewer physical components (~26,000 qubits). However, the trade-off involves more than just time, with an Oratomic system requiring days rather than minutes; it also encompasses significant engineering challenges regarding connectivity.
The high-rate qLDPC (Quantum Low-Density Parity-Check) codes utilized by Oratomic require “non-local” connectivity, often demanding 6 or more connections per qubit and interactions between non-nearest neighbors. While Oratomic’s reconfigurable neutral-atom arrays leverage optical tweezers to achieve this non-local mapping, traditional superconducting architectures are historically constrained by 4-nearest-neighbor planar connectivity. Google’s recent estimates specifically rely on this simpler planar model, as implementing the long-distance wiring required for qLDPC remains a formidable scaling hurdle for superconducting hardware.
These examples stand alongside the resource estimates published in 2024 and 2025 by Alice & Bob of attacks requiring 100,000 Cat qubits and an estimated runtime of 9 hours. This architecture, though, is at a significantly earlier stage of realization.
Comparative Resource Estimates for secp256k1 (n=256)
The following table compares the current leading proposals for breaking the elliptic curve cryptography used in major cryptocurrencies:
| Platform | Modality | Logical Qubits | Physical Qubits | Estimated Time | Attack Type |
| --- | --- | --- | --- | --- | --- |
| Google Quantum AI | Superconducting | 1,200 | ~500,000 | 9–23 Minutes | On-Spend & At-Rest |
| Oratomic | Neutral Atom | ~1,000 | 26,000* | ~10 Days | At-Rest |
| Alice & Bob | Cat Qubits | ~1,000** | ~100,000*** | ~9 Hours**** | Hybrid |
* The “Space-Efficient” Oratomic setup uses ~10,000 qubits but takes ~264 days; the “Time-Efficient” 26k setup reduces this to ~10 days.
** Standard Shor’s requirement for 256-bit ECDLP.
*** Per Alice & Bob 2024 LDPC architecture paper.
**** Per Gouzien et al. (2023) estimate for 256-bit ECDLP.
The “On-Spend” Threat to Blockchains
The feasibility of sub-30-minute private-key recovery introduces the On-Spend Attack vector. In this scenario, an adversary monitors the public mempool for a transaction broadcast. Once the public key is revealed, the CRQC derives the private key and broadcasts a “forged” transaction with a higher fee to the same miners.
- Bitcoin Resilience: With an average block time of 10 minutes, Bitcoin is highly vulnerable to fast-clock CRQCs.
- Ethereum Resilience: Ethereum’s 12-second block slots and use of private mempools (e.g., BuilderNet) provide a higher degree of insulation against on-spend attacks, though at-rest vulnerabilities remain.
- Proof-of-Work (PoW): Google’s whitepaper highlights that Grover’s algorithm does not pose a credible threat to Bitcoin mining. The theoretical quadratic speedup is effectively negated by quantum error-correction overhead and the massive parallelization of existing classical ASIC miners.
Policy Implications: Digital Salvage and Dormant Assets
The existence of “historic P2PK” (Pay-to-Public-Key) assets—wallets that have not moved funds in years and primarily date back to the network’s first year—presents a unique policy challenge. Approximately 1.7 million BTC are currently held in these Satoshi-era scripts, which have been largely phased out in favor of more secure hashed formats like P2PKH. Because the public keys for these UTXOs are exposed directly on the ledger, they are vulnerable to “at-rest” attacks by a CRQC. As illustrated in the Google whitepaper’s Figure 7, which ranks vulnerable addresses by balance, these fixed targets cannot be migrated to Post-Quantum Cryptography (PQC) because the owners have likely lost their private keys, leaving hundreds of billions of dollars in digital wealth effectively abandoned.
Google’s whitepaper suggests three community-led frameworks for these assets:
- Burn: Modifying the protocol to render dormant assets unspendable after a certain date.
- Hourglass: Limiting the rate at which dormant assets can be spent to prevent a sudden supply shock.
- Digital Salvage: A legal framework where the recovery of abandoned digital assets is treated similarly to “sunken treasure,” regulated by governments to ensure proceeds enter the taxable economy.
The Imperative for Immediate Migration
The technical path to quantum resilience is well-defined: a systemic migration to Post-Quantum Cryptography (PQC) standards, such as ML-DSA (Dilithium) or Falcon. However, the Google Quantum AI team emphasizes that the window for this transition is narrowing. In their 2026 disclosure, they took the unusual step of bolding their primary recommendation to ensure it was not lost in the technical data:
“As we will argue throughout this piece, the safest course of action for the cryptocurrency community is to begin preparing itself against quantum attacks immediately.”
Google’s decision to transition from publishing “attack blueprints” to providing “resource estimates via ZK proofs” signals that the industry has entered a new phase of risk. While a cryptographically relevant quantum computer (CRQC) does not exist today, the 20x reduction in required physical qubits—bringing the requirement to under 500,000—suggests that the 2029–2030 timeframe is no longer a conservative estimate, but an active deadline for the digital economy.
Intermediate mitigations include:
- Address Rotation: Strictly avoiding public key reuse for P2PKH/P2WPKH addresses.
- Key Rotation in PoS: Implementing mechanisms for Ethereum validators to rotate to PQC credentials before CRQCs reach the 1,000 logical qubit threshold.
- Account Abstraction: Utilizing smart contract wallets to decouple identity from a single, static ECDSA key.
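The at-rest exposure of P2PK outputs described earlier and the address-rotation mitigation above can both be checked against a wallet's own unspent outputs. The sketch below is an added example, not code from Google, Oratomic or this article's author; the function names, status labels and sample scripts are assumptions constructed for illustration.

```python
# Added example: audit unspent outputs for quantum "at-rest" public-key exposure.
# Every script and amount below is constructed sample data, not a real UTXO.

def classify_script(spk_hex: str) -> str:
    """Identify a scriptPubKey by its standard byte template."""
    s = bytes.fromhex(spk_hex)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG (0xac)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    # P2WPKH: OP_0 <push 20> <hash160>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    return "OTHER"

def audit(utxos, spent_scripts):
    """utxos: iterable of (scriptPubKey hex, satoshis).
    spent_scripts: scripts already spent from; each spend put the public key on-chain."""
    spent = {s.lower() for s in spent_scripts}
    report = []
    for spk, sats in utxos:
        kind = classify_script(spk)
        if kind == "P2PK":
            status = "EXPOSED_AT_REST"       # key sits in the output itself
        elif kind in ("P2PKH", "P2WPKH"):
            # Only the hash is public until the first spend; reuse forfeits that cover.
            status = "EXPOSED_BY_REUSE" if spk.lower() in spent else "HASHED_UNTIL_SPEND"
        else:
            status = "REVIEW_MANUALLY"
        report.append((kind, status, sats))
    return report

def exposed_sats(report):
    """Total value whose public key is already visible on the ledger."""
    return sum(sats for _, status, sats in report if status.startswith("EXPOSED"))

# Constructed scripts: filler bytes stand in for keys and hashes.
P2PK_SPK = "41" + "04" + "11" * 64 + "ac"
P2PKH_REUSED = "76a914" + "aa" * 20 + "88ac"
P2PKH_FRESH = "76a914" + "bb" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "cc" * 20
SAMPLE_UTXOS = [(P2PK_SPK, 5_000_000_000), (P2PKH_REUSED, 250_000),
                (P2PKH_FRESH, 100_000), (P2WPKH_FRESH, 75_000)]

if __name__ == "__main__":
    rows = audit(SAMPLE_UTXOS, spent_scripts={P2PKH_REUSED})
    for row in rows:
        print(row)
    print("exposed satoshis:", exposed_sats(rows))
```

Outputs flagged HASHED_UNTIL_SPEND still reveal their key at broadcast time, so they remain subject to the on-spend window discussed earlier; the audit only separates funds that are exposed today from funds that are not yet.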
Follow-up Question: Given that fast-clock architectures are now estimated to break secp256k1 within a single block window, should Bitcoin developers prioritize a hard fork for PQC migration over intermediate soft-fork “hourglass” solutions?
For technical details and industry commentary on these updated resource estimates, view a blog post published by Google here, consult the Google Quantum AI whitepaper here, the Oratomic study on atomic hardware efficiency here, and Alice & Bob’s architectural analysis here.
April 3, 2026