On March 31, 2026, Google Quantum AI dropped a 57-page whitepaper that should have sent shockwaves through the cryptocurrency industry. The researchers reported improvements representing roughly an order-of-magnitude reduction in the combined computational resources required to break the elliptic curve cryptography protecting Bitcoin and Ethereum. The paper demonstrated that Shor's algorithm could execute with either 1,200 logical qubits and 90 million Toffoli gates, or 1,450 logical qubits and 70 million Toffoli gates, targeting the secp256k1 curve at the core of modern blockchain cryptography.
But instead of open-sourcing the technical details, Google did something unprecedented. In the interest of responsible disclosure, they used a zero-knowledge proof to validate these results without disclosing attack vectors. The paper's accompanying blog post mentions the team "engaged with the U.S. government" before publication. Academic censorship via cryptographic proof. A historic first.
The Whistleblower
The whitepaper was co-authored with Ethereum Foundation researcher Justin Drake and Stanford's Dan Boneh. Drake, in a post to X today, revealed he witnessed the context surrounding this censorship. He didn't mince words: multiple aspects of that context don't sit well with him. Though limited in his ability to fully disclose what he knows, Drake was clear about one thing: the Google team's professionalism has been "absolutely exemplary."
What Drake shared next reads like a plot twist from a techno-thriller.
The Streisand Effect, Quantum Edition
The paper "Reducing the Number of Qubits in Quantum Discrete Logarithms on Elliptic Curves" by Clémence Chevignard, Pierre-Alain Fouque, and André Schrottenloher was published at EUROCRYPT 2026 and is now available on the IACR Cryptology ePrint Archive. Two months after Google's paper, French quantum expert André Schrottenloher independently rediscovered the core optimization Google had hidden behind its ZK proof. The French team described a method to solve the Discrete Logarithm problem on 256-bit elliptic curves using 1,098 logical qubits, a reduction from previous estimates of 2,124 logical qubits.
According to Drake, Craig Gidney, the Google Quantum AI researcher behind landmark RSA-2048 resource estimates, had been sitting on this very optimization for a year under censorship pressure. Gidney is widely considered the most important researcher in quantum resource estimation. He declined to comment publicly beyond what he shared in a blog post acknowledging the situation.
The irony is thick. The attempt to bury something only drew more attention to it. According to Drake, a crowdsourced "Shor-at-home" challenge launched at ecdsa.fail and set a new Shor world record within hours. The ZK verifier program Google created doubles as a reward function for AI-assisted research. Amateurs, including a teenager, have been finding micro-optimizations. An 8.4% improvement over Google's circuit has already been achieved.
Neutral Atoms Change Everything
The story doesn't end with Google. On the same day Google Quantum AI posted its estimates, a team from Oratomic, Caltech, and UC Berkeley claimed Shor's algorithm can run at cryptographically relevant scales with as few as 10,000 reconfigurable neutral atom qubits. The authors include Dolev Bluvstein, John Preskill, and Manuel Endres, lending significant credibility.
Oratomic's estimates reuse Google's newly compiled circuits. The leap comes from a different machine: neutral atoms with reconfigurable connectivity that can squeeze more computation out of fewer physical qubits. Oratomic's lifted-product codes achieved encoding rates near 30%, yielding a ratio closer to 10:1, some 160 times more efficient than surface codes at equal error performance. The prior state of the art, a 2023 paper by Daniel Litinski, estimated roughly 9 million physical qubits.
Together, the papers mark one of the sharpest compressions yet in the timeline of quantum threats. Estimated requirements for running Shor's algorithm have fallen five orders of magnitude in two decades, from roughly 1 billion physical qubits in 2012 to about 10,000 today.
Q-Day Probability, From an Insider
Neither Google nor Oratomic says a word about what their results mean for Q-Day, the day a quantum computer breaks the first piece of production cryptography. Drake finds this silence baffling, given that the whole point of whitehat quantum cryptanalysis is to inform threat timelines.
So Drake attempted to fill it. Given everything he knows, including what he describes as "scary non-public information," he now puts the odds of Q-Day by 2032 at 50%, and by 2030 at 10%.
2026 has been designated the "Year of Quantum Security," a global initiative backed by the FBI, NIST, and CISA. The U.S. government's official deadline, originating at the NSA and adopted by NIST, is 2035. Drake's assessment: "that date is a joke and should be discounted entirely."
The Google paper estimates around 6.7 million Bitcoin, worth approximately $462 billion, reside in addresses where public keys have already been exposed through spending or reuse, making them prime targets for a quantum adversary.
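An added example (not from the Google paper or this article's sources) of how a wallet operator could audit their own outputs for the exposure described above, to prioritize migration. It goes beyond the two cases in the text by also flagging script types that carry the key in the output itself; the function names and sample outputs are constructed, and the spent_before flag is assumed to come from the operator's own transaction history.

```python
# Added example: classify Bitcoin output scripts (scriptPubKey) by when the
# secp256k1 public key becomes visible on-chain. Sample data is constructed.

def classify_script(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"      # <pubkey push> OP_CHECKSIG: key is in the output
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"     # only HASH160(pubkey) is in the output
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh"      # only HASH160(redeem script) is in the output
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # witness v0, 20-byte key hash
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"     # witness v0, 32-byte script hash
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # witness v1: 32-byte x-only key is in the output
    return "nonstandard"

KEY_IN_OUTPUT = {"p2pk", "p2tr"}

def exposure(spk: bytes, spent_before: bool) -> str:
    """spent_before: this exact script was already spent from (address reuse),
    so an earlier input has revealed the key or the script containing it."""
    kind = classify_script(spk)
    if kind in KEY_IN_OUTPUT:
        return "exposed-at-rest"
    if kind == "nonstandard":
        return "unknown"
    return "exposed-by-reuse" if spent_before else "hash-protected"

FAKE_KEY33 = b"\x02" + bytes(32)  # constructed placeholder, not a real key
SAMPLE_UTXOS = [                  # (label, scriptPubKey, spent_before)
    ("legacy-p2pk", bytes([33]) + FAKE_KEY33 + b"\xac", False),
    ("fresh-p2wpkh", b"\x00\x14" + bytes(20), False),
    ("reused-p2pkh", b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", True),
    ("taproot", b"\x51\x20" + bytes(32), False),
]

def audit(utxos):
    """Map each labelled output to its exposure status."""
    return {label: exposure(spk, reused) for label, spk, reused in utxos}

if __name__ == "__main__":
    for label, status in audit(SAMPLE_UTXOS).items():
        print(f"{label:14} {status}")
```

A "hash-protected" output stays that way only until it is first spent, so funds moved out of reused scripts should go to a script that has never appeared in an input.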
The Crypto Divide
Ethereum has spent eight years preparing a detailed, multi-fork roadmap for post-quantum security and is already running weekly test networks, while Bitcoin has no coordinated plan, funding structure, or agreed timeline for a similar migration.
The Ethereum Foundation's structured fork milestones target the completion of core post-quantum infrastructure by approximately 2029. Because post-quantum signatures are larger and lack BLS's native aggregation properties, a SNARK-based aggregation approach using a minimal zkVM called leanVM is being developed to restore scalability. The codebase is open-source under the leanEthereum GitHub organization.
Drake's current work focuses on safely migrating Ethereum toward post-quantum cryptography. The plan involves replacing BLS signatures at the consensus layer, KZG commitments at the data layer, and ECDSA signatures at the execution layer.
Two $1 million initiatives are now open. The Proximity Prize rewards anyone who can solve a long-standing mathematical conjecture in coding theory and improve hash-based SNARKs. The Poseidon Initiative offers $1 million for breaking Poseidon, the SNARK-friendly hash function.
The Philosophical Problem
Google's paper uses a zero-knowledge proof to demonstrate the algorithm's existence without leaking actual optimizations. As one commenter put it: "From now on, assume state-of-the-art algorithms will be censored."
ZK proofs were supposed to be tools for proving knowledge without revealing it, for privacy-preserving verification, for building trustless systems. Google just demonstrated they work equally well for hiding science. In an unprecedented move for quantum cryptanalysis, Google chose not to publish the actual circuits.
The philosophical implications are unsettling. If breakthroughs can be proven to exist without being disclosed, if governments can coordinate with researchers to suppress technical details while still claiming the discovery, then the traditional academic process of open publication and peer review enters unfamiliar territory.
What Happens Next
Drake's message is urgent but measured. He warns against panic. Rushing carelessly toward immature post-quantum cryptography is a recipe for disaster. His target date for migration: 2029. Google and Cloudflare, which sits in front of a substantial fraction of global internet traffic, are also targeting 2029 for full quantum security. When two of the most security-forward infrastructure companies on the planet independently converge on the same year, that year stops being a guess.
The Google paper closes with a line worth noticing: "It is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced." That's not fear-mongering. That's the considered assessment of the team building the hardware.
The quantum genie isn't out of the bottle. It's been handed a ZK-wrapped receipt proving the bottle was opened, while the researchers who opened it negotiate what to tell the public. The open-source rebellion, the French rediscovery, the crowdsourced optimizations, the teenager finding micro-improvements using AI: these suggest the traditional model of state-controlled scientific secrecy doesn't scale well to the internet age.
The "harvest now, decrypt later" threat is no longer hypothetical. State actors and sophisticated adversaries are already collecting encrypted data with the expectation of decrypting it when quantum computers arrive. Any data that must remain confidential into the 2030s is at risk today.
For the crypto community, the message is clear. "While a cryptographically-relevant quantum computer before 2030 still feels unlikely, now is undoubtedly the time to start preparing," Drake wrote. Protocols like Zcash and Ethereum are already executing on their post-quantum plan. Bitcoin, structurally, is not. The difference in governance models may matter more in the next six years than it has in the previous fifteen.


