On the afternoon of March 31, Bitcoin reversed the morning's upward trend, rapidly falling below the $67,000 mark, with the Fear and Greed Index sliding to 28. On social media, a repeatedly shared image shows the physical quantum bits required for quantum computers to crack Bitcoin private keys plunging from the millions to the tens of thousands. A researcher from Google's Quantum AI warns that a quantum attack could hijack a broadcasting Bitcoin transaction in 9 minutes, with about a 41% chance of completing it before confirmation. Approximately 6.9 million Bitcoins with exposed public keys are currently sitting quietly on the chain, waiting for computational power to catch up with the theory.

The panic was triggered by two papers published nearly simultaneously the day before. One from Google's Quantum AI team, and the other from the neutral atom quantum computing company Oratomic. Viewed separately, each paper represents significant progress in its respective field. Together, they target different layers of the quantum computing stack, resulting in a direct multiplication effect.

Ethereum core researcher Justin Drake referred to it as "a milestone day for quantum computing and cryptography" in a tweet. He was involved in the Google team's paper, which improved the Shor algorithm, the most famous quantum attack algorithm in cryptography, specifically designed to crack RSA and elliptic curve encryption. The secp256k1 signature algorithm used by Bitcoin and Ethereum falls under the category of elliptic curve encryption.

Why is it truly scary to place the two papers together? Because the total physical quantum bits needed to crack an elliptic curve signature = the number of logical quantum bits (how many "clean" computational units are needed at the algorithmic level) × the number of physical bits required for each logical bit (how much "redundant" hardware is needed at the error correction level to maintain a clean unit). Google's paper compresses the former, while Oratomic's paper compresses the latter. By reducing both the numerator and the denominator, the product plummets.

According to a paper included in EUROCRYPT 2026, the number of logical quantum bits needed to crack a 256-bit elliptic curve has decreased from 2,330 in 2017 (according to benchmarks by Roetteler et al.) to 2,124 in 2020 (according to improvements by Haner et al.), and further to 1,098 as of March 2026. Over the nine years, the demand at the algorithmic level has reduced by more than half. The Google team's paper goes further by specifically optimizing for the secp256k1 curve used in Bitcoin and Ethereum, bringing the required logical bits down to about 1,000, with a circuit depth of only about 100 million Toffoli gates (as described by Justin Drake in CryptoBriefing), which translates to about 1,000 seconds of Shor algorithm running time on a superconducting platform.

Meanwhile, according to data from the Oratomic paper cited in tweets, the neutral atom scheme has compressed the physical bits required for each logical bit from about 400 in conventional surface codes down to about 10. The principles behind this breakthrough are entirely different from Google's. Google optimizes the efficiency of the algorithm itself, while Oratomic optimizes the error correction overhead of the underlying hardware. Both improvements can be stacked together.

Multiplying the two numbers: the estimate in 2017 was about 7 million physical quantum bits, while the neutral atom route estimate in March 2026 is about 10,000. The total demand has plunged from the millions to the tens of thousands, a reduction of more than two orders of magnitude.

This multiplication effect has given birth to two distinctly different attack routes.

According to the paper calculations organized in tweets, the superconducting route (Google's research direction) requires about 500,000 physical quantum bits, running for about 9 minutes to crack a private key, fast enough to hijack real-time transactions. The neutral atom route (Oratomic's research direction) requires only about 10,000 physical quantum bits but has a running time extended to about 10 days. This is not an issue because its attack target is dormant wallets with exposed public keys, which are not in a hurry.

How to understand the gap? Google's currently strongest Willow processor has 105 superconducting quantum bits (according to Google Quantum AI specifications), falling short of the 500,000 threshold by about 4,762 times. However, the fault-tolerant computing system in the neutral atom field has reached about 500 quantum bits, only about 20 times away from the 10,000 threshold. If we look at the physical array size rather than fault-tolerance capability, laboratories have captured more than 6,100 atoms, narrowing the gap to less than 2 times.

Twenty times and 4,762 times are two completely different orders of distance. The neutral atom route is closer than most people imagine.

Yet the situation on the Bitcoin side is far from ready to embrace this change.

According to a joint report by Ark Invest and Unchained, about 7 million Bitcoins (approximately 33% of the total supply) are exposed to quantum risks, valued at around $440 to $480 billion. These vulnerable addresses fall into three categories. About 1.7 million are in early P2PK addresses, with public keys directly exposed on the chain, and most have been lost, making it impossible for anyone to operate or migrate. About 1.1 million belong to Satoshi Nakamoto, distributed across approximately 22,000 addresses, with the identity of the holders unknown. The remaining approximately 4.2 million are in address reuse or P2TR addresses, also having exposed public keys, but theoretically, the holders can proactively migrate to secure addresses.

In other words, about 2.8 million Bitcoins (accounting for 40% of the vulnerable total) cannot be salvaged under any circumstances. Their private keys are either lost or the holders will never appear. This is not a problem that can be solved by technology, but rather a governance issue regarding whether the community should freeze these inevitably exposed addresses. According to a report from CoinDesk in February, there has already been heated debate in the Bitcoin community regarding whether to freeze Satoshi's 1.1 million holdings, and no consensus has been reached.

Even for the theoretically movable 4.2 million, migration does not happen automatically. Holders need to proactively transfer assets from old addresses to new addresses using the new signature scheme, and historical experience shows that a significant number of holders will not take action by the deadline.

Faced with the same threat, the response strategies of the three mainstream public chains diverge significantly.

According to the Ethereum Foundation's pq.ethereum.org, launched on March 25, 2026, Ethereum has been preparing for 8 years and has a complete multi-stage roadmap: replacing the current BLS signature scheme with leanXMSS hash signatures, aiming for L1 protocol upgrade completion by 2029. Over 10 client teams are running post-quantum devnet interoperability tests weekly, allowing users to migrate incrementally through account abstraction without the need for hard forks. Google has also set a deadline of 2029 to complete its internal post-quantum migration (according to the Google Security Blog), aligning with Ethereum's timeline.

Solana has an experimental plan. Proposed in December 2025 by Zeus Network Chief Scientist Dean Little on GitHub, Winternitz Vault utilizes a one-time vault mechanism with hash signatures. However, this is an optional solution, and users need to actively opt-in, with no official timeline.

The situation for Bitcoin is the most severe. There is no coordinated plan, no foundation-level special funding, and no timeline. Bitcoin's governance model requires a decentralized community to reach broad consensus to promote protocol changes, and this community is historically known for its slowness. According to the Quantum Threat Timeline Report by the Global Risk Institute, cryptography-related quantum computers are "quite likely" to appear within 10 years and "very likely" within 15 years. If Ethereum's 2029 goal advances as planned, the migration will be completed before the window closes. Bitcoin is still in the early stages of discussion.

The simultaneous publication of the two papers has suddenly turned an issue long considered a "distant threat" into a concrete number: 10,000 physical quantum bits, 10 days, a private key of a dormant wallet.

However, it should be emphasized that this is still a significant reduction in theoretical thresholds rather than an imminent attack. The current most advanced neutral atom systems are still about 20 times away from having 10,000 fault-tolerant quantum bits, and the superconducting route's gap is even in the thousands of times range. The 10 to 15-year time window still exists, and the Bitcoin community is not entirely without opportunities. Bitcoin has gone through highly polarized governance tests like the block size debate and SegWit activation, ultimately moving toward consensus under pressure. The nature of the quantum threat differs from route disputes; it does not involve interest divergences but rather a shared risk faced by the entire network. This could even become an external force driving the Bitcoin community to accelerate action.

The real question is not whether quantum computing can crack Bitcoin, but whether the Bitcoin community can complete its preparations before the window closes.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。