This article explains what Google found, whether Bitcoin is safe from quantum computers, and why Algorand and XRP are getting attention.
Introduction: The Threat Got Real, Not Immediate
Google’s latest quantum research did not say Bitcoin is about to collapse tomorrow. What it did say is more serious in a different way: the quantum resources needed to break the elliptic-curve cryptography used across much of crypto are far lower than many people assumed. Google’s whitepaper says a future cryptographically relevant quantum computer could attack ECDLP-256 with either fewer than 1,200 logical qubits and 90 million Toffoli gates or fewer than 1,450 logical qubits and 70 million Toffoli gates. Under Google’s stated superconducting assumptions, that maps to fewer than 500,000 physical qubits and execution in a few minutes.
That does not mean such a machine exists today. It means the migration window matters more than ever. Google has now set a 2029 timeline for its own post-quantum cryptography migration, while NIST says organizations should begin moving now and plans to deprecate quantum-vulnerable algorithms by 2035. The UK’s NCSC is sending the same message: plan early, migrate in stages, and aim to complete the transition by 2035.
What Quantum Risk Actually Means for Crypto
The first thing to get straight is this: quantum risk in crypto is mainly a signature problem before it is a blockchain problem. A sufficiently powerful quantum computer running Shor’s algorithm could recover private keys from public keys and forge signatures. That means theft and impersonation. It does not mean quantum computers magically rewrite finalized chain history. Ethereum’s post-quantum team states this plainly: the realistic failure mode is stolen funds and impersonation, not invalidating past finalized blocks.
In practical terms, the risk breaks down like this:
- Public-key signatures are the main target. ECDSA, EdDSA, and BLS are the pressure points, not blockchain “immutability” itself.
- Past transactions are not the main casualty. The real problem is authorizing new fraudulent transactions after a private key is derived from an exposed public key.
- Bitcoin mining is not the near-term quantum disaster some people imagine. Google’s paper argues that Grover-based attacks on Proof-of-Work are not practically relevant in the next several decades, because the theoretical speedup is overwhelmed by error-correction overhead and poor parallelization.
Is Bitcoin Safe From Quantum Computers?
Today, broadly yes. Long term, no — not without migration. That is the honest answer. There is no known quantum machine today that can break Bitcoin’s signatures in practice. But Google’s work makes clear that Bitcoin’s current signature model is not a permanent shelter. The long-term remedy is migration to post-quantum cryptography.
Bitcoin does, however, have one structural advantage over many account-model chains: it can hide public keys behind hashes until coins are spent. Google’s paper explains that P2PKH, P2SH, P2WPKH, and P2WSH outputs can be protected from at-rest quantum attacks as long as the public key is not exposed or reused. In other words, careful Bitcoin users are not all equally exposed.
But that advantage has limits, and they are big. Google estimates that about 1.7 million BTC are still secured by old P2PK scripts, where the public key is exposed from the start. The paper also says the total amount of BTC sitting in vulnerable addresses is about 6.7 million BTC. On top of that, public-key reuse remains widespread, especially where exchanges, merchants, or services keep reusing recognizable deposit addresses for convenience.
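The exposure split described above can be checked mechanically from an output's script. The following is an added example, not code from Google's paper or from any wallet: it classifies raw output scripts into the types the article names and totals the value whose key is public while unspent. The function names, the `already_spent_from` set (assumed to come from your own chain index) and the sample scripts are constructed for illustration.

```python
# Added example: at-rest public-key exposure by Bitcoin output type.
from collections import Counter

def classify(script: bytes) -> str:
    """Name the standard output type of a raw scriptPubKey."""
    n = len(script)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG (key is in the output)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and script[:2] == b"\xa9\x14" and script[22] == 0x87:
        return "P2SH"
    # Witness v0 programs: OP_0 <20-byte hash> or OP_0 <32-byte hash>
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and script[:2] == b"\x00\x20":
        return "P2WSH"
    return "OTHER"

HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}

def exposure(script: bytes, already_spent_from: set) -> str:
    """Say whether the key guarding this output is public while it sits unspent."""
    kind = classify(script)
    if kind == "P2PK":
        return "exposed-in-script"
    if kind in HASHED:
        # An earlier spend from the same script published the key (reuse).
        return "exposed-by-reuse" if script in already_spent_from else "hidden-until-spent"
    return "unclassified"

def summarize(utxos, already_spent_from):
    """Total satoshis per exposure class for (script, satoshis) pairs."""
    totals = Counter()
    for script, sats in utxos:
        totals[exposure(script, already_spent_from)] += sats
    return dict(totals)

# Constructed sample data: filler bytes, not real keys, hashes or balances.
P2PK = bytes.fromhex("21" + "02" + "11" * 32 + "ac")
P2PKH = bytes.fromhex("76a914" + "22" * 20 + "88ac")
P2WPKH = bytes.fromhex("0014" + "33" * 20)
P2WSH = bytes.fromhex("0020" + "44" * 32)
UTXOS = [(P2PK, 5_000_000_000), (P2PKH, 100_000), (P2PKH, 250_000),
         (P2WPKH, 70_000), (P2WSH, 30_000)]
REUSED = {P2PKH}  # this script has appeared in an earlier spend

if __name__ == "__main__":
    print(summarize(UTXOS, REUSED))
```

Run over a custodian's own UTXO set, the "exposed" totals are the coins to move to fresh, never-spent-from outputs first.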
Bitcoin also has an on-spend problem. Google estimates that on a fast-clock superconducting architecture, deriving a private key from a newly exposed public key could take roughly 9 to 12 minutes. That matters because Bitcoin’s average block interval is about 10 minutes. In plain English: if a future CRQC exists, stealing coins during the broadcast-and-confirmation window becomes plausible, not theoretical.
Why Algorand Is Getting Attention
Algorand matters here because Google does not describe it as a marketing promise. It describes it as a real example of post-quantum deployment on a chain that is otherwise still quantum-vulnerable in core areas. Google’s paper says Algorand has deployed Falcon digital signatures for smart transactions and state proofs, exposed Falcon verification as a TEAL primitive, executed its first PQC-secured transaction in 2025, and supports account key changes through rekeying.
That is real progress. But the strong version of the claim is still false. Google explicitly says Algorand’s current mechanisms do not provide full quantum security at present; they facilitate future migration. Algorand’s own technical brief makes the same point from another angle: it says the ledger is already quantum-secure through Falcon-backed state proofs every 256 rounds, but also says the ledger is only part of the post-quantum picture.
That nuance matters. Algorand is ahead because it is shipping pieces that matter, not because the entire chain is “quantum-proof.” It is also worth being precise about Falcon itself. Falcon was selected by NIST for ongoing standardization, but the finalized NIST signature standards today are ML-DSA and SLH-DSA. Falcon is still moving through the standardization pipeline.
Why XRP Ledger Matters — and Why “Ready” Is Too Strong
XRP Ledger matters for a different reason. Google lists it as an experimental early deployment, not a completed migration. Specifically, the paper says XRPL deployed post-quantum ML-DSA signatures on its AlphaNet test instance. That is significant because ML-DSA is one of NIST’s finalized post-quantum signature standards, which gives XRPL’s testing more weight than a vague “we’re researching it” statement.
XRPL also has something Google clearly values in this context: protocol-level key rotation. XRP Ledger accounts can assign, replace, or remove a regular key pair without abandoning the account itself, which makes migration more practical than on systems that lock users into long-term public-key exposure. Google’s taxonomy specifically groups XRPL with account-model chains that face persistent public-key exposure risk, but notes that Algorand, TRON, and XRPL support native protocol-level key rotation.
That puts XRPL in the serious category. It does not put XRPL in the finished category. Testing ML-DSA on AlphaNet is meaningful. It is not the same thing as saying the production ledger, wallet stack, asset issuers, institutions, and long-tail accounts are already migrated. So XRP deserves attention here, but not a free pass.
What About Ethereum and the Rest of Crypto?
Ethereum is the clearest reminder that this is a systems problem, not just an algorithm swap. Ethereum’s post-quantum roadmap says the transition touches the execution layer, consensus layer, and data layer, and will take years of coordinated engineering and governance. That alone should kill the lazy idea that one press release or one testnet demo equals readiness.
Google’s paper makes a broader point that is easy to miss: not all blockchains have the same quantum risk profile. UTXO-based ledgers like Bitcoin can let careful users avoid long-term public-key exposure in some cases. Account-model chains such as Ethereum, Solana, Algorand, TRON, and XRP Ledger generally make persistent public-key exposure harder to avoid, even when key rotation exists. That does not automatically make Bitcoin “safe” or account-model chains “unsafe.” It means the migration path, user behavior, and wallet design all matter.
What Investors and Builders Should Actually Watch
Do not watch slogans. Watch infrastructure.
- Key rotation: Can users replace vulnerable keys without abandoning their account history, permissions, or app relationships? Algorand and XRPL have meaningful advantages here.
- Mainnet deployment vs. test deployment: Algorand has real post-quantum elements live today; XRPL’s ML-DSA work cited by Google is on AlphaNet; Solana is still in experimental territory.
- Which signature scheme is actually being used: ML-DSA is standardized now; Falcon is promising and already used in important experiments, but it is still in ongoing standardization.
- Performance cost: Post-quantum signatures are bigger and heavier. Google says Bitcoin would face throughput tradeoffs if it swapped signatures without changing block design, and migration could take several months even if the chain processed nothing but asset migrations.
- Dormant and abandoned assets: Even a successful migration leaves a hard policy problem around coins that cannot or will not move. Google highlights old Bitcoin P2PK coins as a distinct challenge with no simple clean solution.
Conclusion: Bitcoin Is Not Broken, but Complacency Is
Bitcoin is not dead. But the claim that “BTC is safe from quantum computers” is only true in the lazy, near-term sense that no CRQC exists yet. The stronger and more useful truth is this: Bitcoin still has time, but not time to ignore the problem. Google’s paper narrows the technical gap, Google’s own 2029 migration target raises the urgency, and broader standards bodies are already telling organizations to prepare now rather than later.
Algorand and XRP Ledger deserve attention because they show that post-quantum migration work can move from theory into actual deployment and testing. But neither should be sold as fully quantum-proof. The chain that wins this race will not be the one with the loudest marketing. It will be the one that can migrate signatures, wallets, contracts, users, and institutions before quantum capability stops being theoretical.