
[Op-Ed] Paul Soliman: Google Just Put a Number on It. Crypto’s Quantum Clock Is Ticking




A few months ago, I wrote about Bell states and how quantum entanglement could be operationalized for blockchain security. I talked about how BYC is building toward quantum-safe infrastructure through Prismo and Lumen. At the time, some readers probably thought it was forward-looking. Maybe even premature.

It wasn’t.

Last week, Google Quantum AI, in collaboration with the Ethereum Foundation and Stanford, published a whitepaper that should make every blockchain builder, every crypto holder, and every government CIO sit up straight. The paper is titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations.” It’s 57 pages of technical detail, but the core message is simple: they have designed quantum circuits that break the elliptic curve cryptography behind Bitcoin and Ethereum using far fewer quantum resources than anyone had previously estimated.

And they backed it with a zero-knowledge proof. Not a blog post. Not a press release. A cryptographic proof that their circuits compute what they claim, checkable by anyone without the optimized circuits themselves being published.

Paul Soliman is the Founder and CEO/CTO of Hacktiv Colab Inc. and Chairman and Group CEO of BayaniChain, where he leads initiatives in blockchain, enterprise tech, and digital nation-building. He also serves as CTO of Blockfy, driving innovation in decentralized finance solutions in the Philippines.

The numbers that matter

The Google team developed quantum circuits that break 256-bit ECDLP, the elliptic curve discrete logarithm problem whose hardness secures the ECDSA and Schnorr signatures on Bitcoin, Ethereum, and most other blockchains, using either 1,200 logical qubits with 90 million Toffoli gates or 1,450 logical qubits with 70 million Toffoli gates. On a standard superconducting architecture with conservative hardware assumptions, that translates to fewer than 500,000 physical qubits.

That’s a 20x reduction over prior estimates.

To put it in context, the previous best-known compilation by Litinski in 2023 required roughly 9 million physical qubits in a photonic architecture. Google just brought that down to under half a million on superconducting hardware. The finish line moved. A lot.

To be clear, no machine capable of this attack exists today. Google’s own best chip, Willow, has about 105 physical qubits, and the 1,200 in the paper are error-corrected logical qubits, each built from hundreds of physical ones. The paper is a resource estimate, not a demonstration. It hasn’t been formally peer-reviewed yet, and the zero-knowledge proof that substantiates the claims hasn’t been independently audited. But the point isn’t that the attack is happening now. It’s that the engineering specification just got 20x smaller, and the trajectory only goes in one direction. IBM’s public roadmap targets 200 logical qubits by 2029. Google’s estimate requires roughly 1,200. The gap is real, but it’s closing, and every prior estimate in this field has been revised downward over time.

Nine minutes. That’s the number.

Here’s where it gets uncomfortable. On a “primed” superconducting quantum computer, where the first half of the algorithm is precomputed and the machine is waiting for a public key to appear, private key derivation takes roughly 9 minutes.

Bitcoin’s average block time is 10 minutes.

That means on-spend attacks become viable. When a P2PKH or P2WPKH output is spent, the spending input carries the public key, and that transaction sits in the public mempool until it confirms. An attacker watches the mempool, derives the private key from the exposed public key, and broadcasts a conflicting transaction with a higher fee that sends the coins elsewhere, racing to get it mined before the original. The paper estimates a 41% success probability per transaction under idealized conditions. That’s not theoretical. That’s an engineering problem with a timeline.

Ethereum’s 12-second block time makes on-spend attacks much harder. But at-rest attacks, targeting keys that are already exposed on-chain, remain fully viable against both chains. On Ethereum that means every externally owned account that has ever sent a transaction, because the public key can be recovered from the ECDSA signature on any transaction it signed.

Three types of attacks, and the third one is the worst

The paper defines three attack categories. On-spend attacks target transactions in transit. At-rest attacks target public keys sitting on the blockchain. These two are intuitive.

The third category, on-setup attacks, is the one that should keep protocol designers awake. An on-setup attack targets the fixed public parameters of a cryptographic protocol. You run Shor’s algorithm once, offline, against the public group elements of the protocol’s trusted setup. You recover the “toxic waste,” the secret scalar that was supposed to be destroyed. And now you have a permanent, reusable, classical backdoor into the protocol. No quantum computer needed after that first computation.

Ethereum’s Data Availability Sampling mechanism uses KZG commitments on the BLS12-381 curve. The toxic waste from its trusted setup ceremony can be recovered by a single quantum computation. Once recovered, an attacker can forge data availability proofs, stall rollups, and hold Layer 2 infrastructure hostage, all without ever touching a quantum computer again. The exploit becomes tradable. Classical attackers can use it. That’s an entirely different threat model than most people are discussing.

The same applies to Tornado Cash, to the Pedersen commitments in Mimblewimble, and to any protocol whose security rests on fixed curve points with an unknown discrete-log relation between them, whether or not a formal ceremony produced them.
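An added example, not from the Google paper or the original article, of why a recovered setup secret is a classical, reusable backdoor: a Pedersen commitment on secp256k1 in pure Python, where the second generator is H = hG and h is the “toxic waste.” Honest parties can only open a commitment to the value they committed; anyone holding h opens it to any value they like with ordinary modular arithmetic and no further quantum work. In KZG the secret scalar is τ rather than h, but the pattern is identical. The curve arithmetic is a minimal textbook implementation and the committed values are constructed for the demo.

```python
"""On-setup attack on a Pedersen commitment over secp256k1.

Added example, not from the Google paper or the original article. Minimal
affine curve arithmetic; the committed values are constructed for the demo.
"""
import secrets

# secp256k1 parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    r = None
    k %= N
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def setup():
    """Produce the second generator H = h*G.

    A real setup derives H so that nobody knows h (hash-to-curve, or a ceremony
    that destroys h). Here h is returned as well: it is the "toxic waste" that a
    single Shor run against the public point H would recover.
    """
    h = secrets.randbelow(N - 1) + 1
    return h, mul(h, G)


def commit(value, blinding, H):
    """Pedersen commitment C = value*G + blinding*H."""
    return add(mul(value, G), mul(blinding, H))


def verify_open(C, value, blinding, H):
    """Honest opening check: recompute the commitment and compare."""
    return commit(value, blinding, H) == C


def forge_opening(value, blinding, forged_value, h):
    """With h = log_G(H), open an existing C to any forged_value.

    value*G + blinding*H = forged*G + r'*H  <=>  r' = blinding + (value - forged)/h (mod N)
    Pure modular arithmetic: no quantum computer is needed once h is known.
    """
    return (blinding + (value - forged_value) * pow(h, -1, N)) % N


def demo_on_setup_attack():
    h, H = setup()                       # h leaks once via Shor; H stays public forever
    value, blinding = 1_000, secrets.randbelow(N)
    C = commit(value, blinding, H)       # honest commitment, e.g. a Mimblewimble output
    forged_value = 1 << 40               # constructed: a value never committed to
    r_forged = forge_opening(value, blinding, forged_value, h)
    return {
        "honest_opens": verify_open(C, value, blinding, H),
        "forged_opens": verify_open(C, forged_value, r_forged, H),
        "blinding_changed": r_forged != blinding,
    }


if __name__ == "__main__":
    print(demo_on_setup_attack())
```

The forged opening passes the same verification the honest one does, which is the whole point: once the setup secret is out, the attack is a scalar inversion anyone can run, and the artefact (h, or τ for KZG) can be sold or shared like any other credential.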

What’s actually at risk

The paper quantifies the exposure across both major chains.

On Bitcoin, approximately 6.9 million BTC across all vulnerable address types are exposed. 1.7 million BTC sit in legacy P2PK scripts, including Satoshi-era mining rewards. These public keys have been visible on-chain since 2009. They cannot be migrated because the private keys are almost certainly lost. The paper also flags that Taproot (P2TR), Bitcoin’s most recent upgrade, reintroduced public key exposure by storing keys directly in the locking script. They call it a “security regression.”
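To make the at-rest versus on-spend distinction from the sections above concrete, here is an added example, not code from the Google paper or the original article: a small Python classifier that reads a Bitcoin output script and reports whether the public key is visible while the coins sit on-chain (P2PK, and P2TR with its x-only key in the locking script) or only at the moment they are spent (P2PKH, P2SH, P2WPKH, P2WSH), plus a helper that pulls the exposed key out of a spending input the way a mempool-watching attacker would. The sample scripts are constructed; the secp256k1 generator point stands in for a real key and the signature is zero filler.

```python
"""Classify Bitcoin output scripts by when their public key becomes visible, and
pull exposed keys out of a spending input.

Added example, not code from the Google paper or the original article. The
sample scripts are constructed: the "key" is the secp256k1 generator point,
hashes are fixed dummy bytes, and the signature is zero filler, not real DER.
"""
OP_0, OP_1, OP_PUSHDATA1 = 0x00, 0x51, 0x4C
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


def tokenize(script: bytes):
    """Minimal Script tokenizer: yields ("push", data) or ("op", opcode)."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75 or op == OP_PUSHDATA1:
            n = op
            if op == OP_PUSHDATA1:          # next byte carries the push length
                n = script[i]
                i += 1
            data = script[i:i + n]
            if len(data) != n:
                raise ValueError("truncated push")
            yield ("push", data)
            i += n
        else:
            yield ("op", op)


def looks_like_pubkey(b: bytes) -> bool:
    """SEC-encoded secp256k1 point: 33 bytes (02/03 prefix) or 65 bytes (04)."""
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)


# Standard locking-script shapes. "on spend": the output holds only a hash and
# the key first appears in the spending input. "at rest": the key is in the output.
PATTERNS = {
    "P2PKH":  (["op76", "opa9", "push20", "op88", "opac"], "on spend"),
    "P2SH":   (["opa9", "push20", "op87"], "on spend"),
    "P2WPKH": (["op00", "push20"], "on spend"),
    "P2WSH":  (["op00", "push32"], "on spend"),
    "P2TR":   (["op51", "push32"], "at rest"),   # x-only key sits in the script itself
}


def classify_output(script_pubkey: bytes):
    """Return (script type, when a quantum attacker can see the public key)."""
    toks = list(tokenize(script_pubkey))
    shape = [f"push{len(d)}" if k == "push" else f"op{d:02x}" for k, d in toks]
    if shape in (["push33", "opac"], ["push65", "opac"]) and looks_like_pubkey(toks[0][1]):
        return "P2PK", "at rest"                 # Satoshi-era style, key in the clear
    for name, (pattern, exposure) in PATTERNS.items():
        if shape == pattern:
            return name, exposure
    return "unknown", "unknown"


def exposed_keys_in_spend(script_sig: bytes, witness=()):
    """Keys an input reveals while it waits in the mempool.

    Covers P2PKH (<sig> <pubkey> in scriptSig) and P2WPKH (the same two items
    in the witness). Nested P2SH/P2WSH redeem scripts would need a recursive parse.
    """
    keys = [d for k, d in tokenize(script_sig) if k == "push" and looks_like_pubkey(d)]
    keys += [w for w in witness if looks_like_pubkey(w)]
    return keys


def summarize(outputs):
    """Total satoshis per exposure class for a list of (script_pubkey, value)."""
    totals = {}
    for spk, value in outputs:
        _, exposure = classify_output(spk)
        totals[exposure] = totals.get(exposure, 0) + value
    return totals


# Constructed sample data (not real chain data).
G_COMPRESSED = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
DUMMY20, DUMMY32 = bytes(range(20)), bytes(range(32))
SAMPLE_OUTPUTS = [
    (bytes([33]) + G_COMPRESSED + bytes([OP_CHECKSIG]), 50_0000_0000),                                # P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + DUMMY20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1_0000_0000),  # P2PKH
    (bytes([OP_0, 20]) + DUMMY20, 2_0000_0000),                                                       # P2WPKH
    (bytes([OP_1, 32]) + DUMMY32, 3_0000_0000),                                                       # P2TR
]
SAMPLE_SCRIPT_SIG = bytes([71]) + bytes(71) + bytes([33]) + G_COMPRESSED   # <sig> <pubkey>, P2PKH spend

if __name__ == "__main__":
    for spk, value in SAMPLE_OUTPUTS:
        print(classify_output(spk), value)
    print("exposed on spend:", [k.hex() for k in exposed_keys_in_spend(SAMPLE_SCRIPT_SIG)])
    print(summarize(SAMPLE_OUTPUTS))
```

Run over a real UTXO set, the same two functions give the split the paper reports: value behind P2PK and P2TR is attackable at rest, value behind hashed scripts only during the window between broadcast and confirmation.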

On Ethereum, the top 1,000 vulnerable accounts hold roughly 20.5 million ETH. At least 70 of the top 500 smart contracts by ETH balance have admin keys that are exposed on-chain, putting about 2.5 million ETH at risk of account takeover. Around 37 million ETH is staked in the consensus layer using BLS signatures on BLS12-381. And approximately $200 billion in stablecoins and tokenized real-world assets are governed by quantum-vulnerable admin keys.

The second-order effects are worse than the direct exposure. A compromised oracle node can broadcast false price data and trigger cascading liquidations across DeFi. A compromised bridge admin can drain cross-chain liquidity. A compromised stablecoin issuer key can mint unbacked tokens and collapse a peg. These aren’t hypotheticals. They’re attack paths that become available the moment someone has a cryptographically relevant quantum computer (CRQC) and the will to use it.

Fast clocks and slow clocks

One of the most useful frameworks in the paper is the distinction between “fast-clock” and “slow-clock” quantum architectures.

Superconducting qubits (Google, IBM, Rigetti), photonic systems (PsiQuantum, Xanadu), and silicon spin qubits (Intel, Diraq) have fast gate operations and short error correction cycles. These are the platforms that could enable on-spend attacks within minutes.

Neutral atom (QuEra, Pasqal, Atom Computing) and ion trap platforms (IonQ, Quantinuum) operate 100 to 1,000 times slower per elementary operation. These can still break ECDLP, but it would take hours or days instead of minutes. They can launch at-rest attacks but probably not on-spend attacks.

The paper recommends that the crypto community plan for both scenarios simultaneously, because we don’t know which architecture will scale first. And the paper makes a sobering observation: the first sign of a CRQC might not be an announcement. It might be detected on the blockchain itself.

Why I wrote about Bell states last year

In my Bell states piece from August 2025, I argued that quantum entanglement isn’t just a threat. It’s also a tool. Bell states can serve as integrity triggers for blockchain systems, collapsing if data is tampered with. I outlined how BYC’s Prismo Protocol and Lumen BaaS could integrate Bell-state-based QKD channels into hybrid architectures, creating quantum-safe validation layers for public records and government services.

That piece was about the long game. About building toward quantum-hardened infrastructure before the threat materializes.

This Google paper is the short game. It’s saying the threat is closer than most people assumed. The resource estimates dropped 20x. The attack time fits inside a Bitcoin block. The engineering path from current quantum hardware to cryptographically relevant machines is narrower than the community has been comfortable admitting.

Both perspectives matter. You need people thinking about the defensive architecture (that’s what we’re doing at BYC with PQC experimentation, Prismo’s homomorphic encryption layer, and our work on quantum-safe data integrity). And you need people honestly assessing the offensive timeline (that’s what this Google paper does, with unusual rigor).

What’s already happening on the defense side

The paper is not all doom. Several projects are already moving.

QRL, Mochimo, and Abelian are post-quantum blockchains from inception. Algorand executed its first PQC-secured transaction in 2025 using Falcon signatures and made Falcon verification available as a TEAL primitive for developers. Solana has an experimental Winternitz Vault. The XRP Ledger deployed ML-DSA signatures on its test network. The Ethereum Foundation is actively researching hash-based replacements for BLS12-381 signatures in its consensus layer.

These are real deployments, not whitepapers. The path to post-quantum security exists. The question is whether the broader ecosystem moves fast enough.

The dormant asset problem has no clean solution

There’s one challenge that no software upgrade can fix. Dormant assets, coins locked behind keys that are probably lost forever, cannot be migrated to post-quantum protocols. They sit on-chain, exposed, waiting.

The paper explores three community proposals: Do Nothing (let quantum attackers take them), Burn (make them unspendable), and Hourglass (rate-limit spending of dormant coins). None of these has consensus.

The authors also propose a “bad sidechain” concept, inspired by the “bad bank” model from traditional finance. CRQC operators would send recovered dormant coins to a special-purpose sidechain that accepts off-chain proofs of ownership (like mnemonic phrases) to return assets to their rightful owners. It’s creative. It’s also politically and technically complex.

On the policy side, the paper discusses “digital salvage,” treating abandoned crypto assets like sunken treasure under a regulated recovery framework. The logic is pragmatic: if protocol changes don’t happen, these coins will eventually be taken by someone. Better to create a legal framework that channels the proceeds into the formal economy than to wait for rogue actors to do it in the shadows.

What this means if you’re building

If you’re building on any EVM-compatible chain, you inherit account vulnerability, admin vulnerability, and code vulnerability. If your protocol uses KZG commitments, you have an on-setup attack surface. If your smart contracts have admin keys that have ever signed a transaction, those keys are exposed, because anyone can recover the signing public key from an ECDSA signature; that is exactly what ecrecover does.

The migration to PQC is not optional. It’s a question of when, not if. And the window is narrowing.


At BYC, this is why we’ve been investing in PQC experimentation alongside our core government infrastructure work. Our chain of custody and audit trail systems need to survive the quantum transition. That means building with the assumption that the cryptographic foundations we rely on today have an expiration date. Not in 20 years. Possibly in fewer than 10.

The Google paper ends with a line that’s worth repeating: “We urge all vulnerable cryptocurrency communities to join the migration to PQC without delay.”

I’d extend that to every builder working on public data infrastructure, government transparency systems, and digital trust layers. The clock is ticking. The numbers are in. The time to move is now.

This opinion article is published on BitPinas: [Op-Ed] Paul Soliman: Google Just Put a Number on It. Crypto’s Quantum Clock Is Ticking
