Google has proven — via a zero-knowledge proof — that it possesses quantum circuits capable of breaking the cryptography protecting Bitcoin, Ethereum, and most major blockchains. Here's how it works.
Google Quantum AI's new resource estimates represent an order-of-magnitude improvement over the best prior work, bringing cryptographically relevant quantum computers (CRQCs) dramatically closer.
These figures assume superconducting hardware with 10-3 physical error rates and planar degree-4 connectivity — consistent with a scaled-up version of Google's experimentally demonstrated quantum processors.
The paper classifies quantum attacks by execution speed and whether access to a CRQC is needed once or repeatedly.
When a user broadcasts a transaction, their public key becomes visible in the mempool. A quantum attacker must derive the private key before the transaction is confirmed on-chain.
Time window: ~10 minutes (Bitcoin), ~12 seconds (Ethereum), ~400ms (Solana)
With a ~9 minute primed attack, Bitcoin transactions face a ~41% interception risk. The attacker can then forge a competing transaction with a higher fee.
Public keys recorded directly on the blockchain (e.g., P2PK, P2TR scripts) are permanently visible. The attacker has unlimited time to derive the private key.
Vulnerable: Over 1.7 million BTC locked by P2PK scripts (Satoshi-era coins). Total quantum-vulnerable BTC across all script types: ~6.9 million.
Keys hidden behind hash functions (P2PKH, P2WPKH) are immune to at-rest attacks as long as they haven't been reused for spending.
Fast-clock architectures (superconducting, photonic, silicon spin) have fast gates and short error correction cycles. At-rest and on-spend attacks become viable at roughly the same time.
Slow-clock architectures (neutral atom, ion trap) have 100-1000x slower operations. At-rest attacks become viable well before on-spend attacks.
Some protocols rely on "trusted setup" ceremonies that generate public parameters while discarding secret "toxic waste." A CRQC can recover this toxic waste, creating a reusable classical backdoor.
This is the most insidious attack: the quantum computation is done once, offline, and subsequent exploits use only classical computers.
Vulnerable: Ethereum's Data Availability Sampling, Tornado Cash, certain zk-rollups. Immune: Bitcoin (no trusted setup).
1. One-time quantum cost — Break the trusted setup once
2. Reusable exploit — Classical backdoor works forever
3. Undetectable — Exploits look like valid transactions
4. Forge validity proofs — Create money, drain pools, bypass checks
The paper presents two optimized quantum circuits trading off qubit count against gate count. Toggle between them to explore the tradeoffs.
The ZK proof attests to the cost of elliptic curve point addition — the core bottleneck. The full ECDLP algorithm cost follows from:
ECDLPToff = (PAToff + 3 × 2w) × (2n/w − 4)
ECDLPQubits = PAQubits + w
With optimal window size w=16 and n=256 bits, the algorithm performs 28 windowed point additions (2×256/16 − 4 = 28). This means:
Low-Qubit: (2,700,000 + 196,608) × 28 ≈ 81M Toffoli gates on 1,175+16 = 1,191 qubits
Low-Gate: (2,100,000 + 196,608) × 28 ≈ 64M Toffoli gates on 1,425+16 = 1,441 qubits
Kickmix circuits are a specific subclass of quantum circuits composed entirely of classical reversible logic gates, measurement-based uncomputation (MBUC) via Pauli-X basis measurements, and diagonal phasing gates. By restricting to this gate set, the circuits never generate intractable quantum entanglement and can be efficiently simulated classically.
This is crucial: it means the ZK proof verifier can simulate the circuit inside a classical virtual machine (the SP1 zkVM) without needing a quantum computer.
MBUC replaces the traditional approach of running the inverse circuit U† to clean up ancilla qubits (which would double gate costs). Instead, measuring in the X basis either cleanly disentangles the qubit (50% chance) or introduces a correctable phase kickback.
Logical qubits must be encoded in many physical qubits using quantum error correction (the surface code). The paper assumes:
Result: fewer than 500,000 physical qubits — a ~20x reduction over the best prior estimate of ~9 million (Litinski, 2023).
Publishing attack circuits would be irresponsible. Claiming results without evidence is unscientific. The solution: a cryptographic zero-knowledge proof via the SP1 zkVM and Groth16 SNARK.
Shor's algorithm tolerates a small fraction of incorrect outputs. If ≤1% of inputs produce wrong results, the algorithm succeeds ≥99% of the time.
If the circuit were wrong on >1% of inputs, the probability it passes all 9,024 independent random tests is:
(1 − 0.01)9,024 ≈ 2−130
This is astronomically unlikely — equivalent to 130 bits of cryptographic security, exceeding the standard 128-bit threshold. The test inputs are derived from the circuit itself via the Fiat-Shamir heuristic (SHAKE256 seeded with the circuit bytes), preventing cherry-picking.
| Non-Clifford Gates | ≤ 2,700,000 |
| Logical Qubits | ≤ 1,175 |
| Total Operations | ≤ 17,000,000 |
| Tests Passed | 9,024 / 9,024 |
| Non-Clifford Gates | ≤ 2,100,000 |
| Logical Qubits | ≤ 1,425 |
| Total Operations | ≤ 17,000,000 |
| Tests Passed | 9,024 / 9,024 |
A practical irony: The Groth16 SNARK relies on pairing-friendly elliptic curves, making its soundness inherently vulnerable to the very quantum attacks analyzed in the paper. A sufficiently powerful quantum computer could forge this proof. However, since CRQCs do not yet exist, the proof's soundness remains intact today.
A multi-layered pipeline transforms "we have a good circuit" into a publicly verifiable cryptographic artifact — without leaking the circuit.
The secret circuit is hashed to produce a unique digital fingerprint. This commits the prover to a specific circuit without revealing it.
SHAKE256 extendable-output function is seeded with the circuit hash to deterministically generate 9,024 pseudo-random test inputs. The circuit determines its own tests — no cherry-picking possible.
The classically-simulable kickmix circuit is executed on all 9,024 test inputs. Each output is verified against the expected secp256k1 point addition result. Non-Clifford gates are counted.
The program asserts that the circuit's qubit count and average Toffoli count satisfy the claimed upper bounds.
The entire Rust program runs inside the SP1 RISC-V virtual machine. SP1 records every CPU cycle, divides execution into ~222-instruction shards, and generates a STARK proof per shard with recursive composition.
The compressed STARK is wrapped in a Groth16 zk-SNARK, adding the zero-knowledge property (STARKs alone don't hide the witness in SP1) and producing a succinct, publicly verifiable proof.
Model the probability that a quantum attacker can break a key before a transaction is confirmed. Block mining follows an exponential distribution.
Resource estimates for quantum attacks on elliptic curve cryptography have dropped dramatically. "Attacks always get better."
Walk through the mathematics of the verification step by step in our interactive Jupyter notebook.