Last updated: March 2026
Key Takeaways
- Two major research papers published on March 31, 2026 show that breaking the encryption protecting cryptocurrency wallets, web browsers, and VPN connections requires dramatically fewer quantum computing resources than previously believed — as few as 10,000 to 26,000 physical qubits, down from estimates of millions just a year ago.
- Google set a 2029 deadline for migrating its own infrastructure to post-quantum cryptography — more aggressive than the US government's 2035 mandate. The company engaged the US government before publishing its findings and used zero-knowledge proofs to verify results without giving attackers a blueprint.
- The immediate risk is not that a quantum computer will break your encryption tomorrow. It is that adversaries are harvesting encrypted traffic right now to decrypt it later when quantum capability arrives. Encrypted DNS, VPN usage, and network-level privacy matter today, not in 2029.
Two Papers, One Message: The Timeline Just Compressed
On March 31, 2026, two research papers landed that together represent the sharpest reduction in the quantum threat timeline in the history of cryptography.
The first came from Google Quantum AI. In a whitepaper published alongside a blog post titled "Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly," Google showed that the elliptic curve cryptography protecting Bitcoin, Ethereum, most HTTPS connections, and many VPN implementations can be broken with fewer than 500,000 physical qubits — a 20-fold reduction from previous estimates. Google's researchers compiled two specific quantum circuits that implement Shor's algorithm against ECC-256 using fewer than 1,450 logical qubits and 70 to 90 million Toffoli gates.
The second paper came from Oratomic, a quantum computing startup, in collaboration with researchers at Caltech and UC Berkeley. Their paper, posted to arXiv on the same day, went further: using a neutral-atom quantum architecture with reconfigurable atomic qubits, they showed that Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 physical qubits. With a system of approximately 26,000 qubits, breaking ECC-256 — the encryption standard securing the Bitcoin and Ethereum blockchains — could take roughly 10 days.
To put the trajectory in perspective: in 2012, breaking this encryption was estimated to require approximately one billion physical qubits. By 2019, that estimate had dropped to 20 million. In 2025, it fell below one million. As of March 2026, the number is below 25,000 for practical attack timelines. Five orders of magnitude in 14 years.
Google considered these findings sensitive enough to engage the United States government before publishing. The company also developed a novel approach using zero-knowledge proofs to verify its results without revealing the specific quantum circuits — because, as the blog post states, they did not want to provide "a roadmap for bad actors." When a company that builds quantum computers takes these precautions with its own research, the implications are worth paying attention to.
What Gets Broken and What Does Not
This is where most coverage of the quantum threat goes wrong, and where precision matters. Not all encryption is equally vulnerable.
ECC-256 Falls First
Elliptic curve cryptography (ECC-256) is the specific target of both papers. This is the cryptographic scheme that protects Bitcoin wallet signatures (ECDSA), Ethereum transactions, the majority of HTTPS/TLS connections that secure web browsing, many SSH implementations, and significant portions of VPN encryption.
The critical finding from the Oratomic paper is that ECC-256 requires roughly 100 times fewer quantum operations to break than RSA-2048 at the same classical security level. Elliptic curve cryptography is the easier quantum target. It falls first.
RSA-2048 Is Harder but Not Safe
RSA-2048, used by many older web servers, email encryption systems, and enterprise infrastructure, requires significantly more quantum resources. The Oratomic paper estimates approximately 102,000 physical qubits and roughly three months of runtime. This is a larger engineering challenge but not a fundamentally different one — it is the same algorithm, just applied to a harder mathematical problem.
Hash Functions Are Not at Risk
SHA-256, the hash function used in Bitcoin mining and proof-of-work systems, is not vulnerable to Shor's algorithm. Quantum computers offer only a quadratic speedup against hash functions (via Grover's algorithm), which means they would need to roughly square-root the search space — significant, but manageable by simply increasing hash output lengths. Mining and proof-of-work are not the concern here. The concern is the public-key cryptography that secures wallets, transactions, and authentication.
Important Caveats
The 10,000-qubit headline number from the Oratomic paper requires honest context.
The paper presents a range of architectures trading off space (fewer qubits) against time (longer runtime). The most space-efficient configuration — 10,000 qubits — would take approximately three years to execute, making it impractical for a real attack. The practical attack configuration uses 26,000 qubits and runs in roughly 10 days. The headline "10,000 qubits" is the theoretical minimum, not the realistic operational figure. Both numbers represent dramatic progress, but the distinction matters.
This is a theoretical architecture, not a built machine. Every individual component — neutral-atom trapping, reconfigurable qubit arrays, high-rate error-correcting codes — has been demonstrated in the lab. Oratomic co-founder Manuel Endres has already trapped arrays of 6,100 atomic qubits. But integrating these components into a fault-tolerant system at scale is an unsolved engineering challenge. The remaining problem is integration, not new physics — which is precisely what makes the timeline tractable rather than speculative.
All nine authors of the Oratomic paper are shareholders in Oratomic, which launched as a company the same day the paper was published. This does not invalidate the science — the mathematics and circuit designs are publicly verifiable — but the incentive structure is worth noting. The Google whitepaper, backed by a decade of institutional quantum computing research, provides independent corroboration on the same order of magnitude.
Google's 2029 Deadline: Why It Matters
On March 25, 2026 — six days before the papers dropped — Google announced a 2029 deadline for migrating its entire infrastructure to post-quantum cryptography. This is more aggressive than the National Institute of Standards and Technology's plan to deprecate legacy algorithms by 2030 and disallow them by 2035, and it is ahead of the NSA's 2031 deadline.
Google framed this as a response to three converging developments: progress in quantum hardware, advances in quantum error correction, and updated resource estimates for quantum factoring — the very research published on March 31. The company has been preparing since 2016, when it first experimented with post-quantum key exchange in Chrome. Android 17, expected in mid-2026, will integrate post-quantum digital signature protection using ML-DSA, the NIST-standardized algorithm.
The signal is clear: the company building some of the world's most advanced quantum computers is telling everyone else to be ready in three years. Whether the threat materializes in 2029 or 2035, Google is betting its own infrastructure on the earlier date.
Ethereum Is Preparing. Bitcoin Is Not.
The cryptocurrency community's response to these developments has been sharply divided along protocol lines.
The Ethereum Foundation launched pq.ethereum.org the same week, a dedicated hub for its post-quantum security effort that has been underway since 2018. More than 10 client teams are shipping weekly test networks through what the foundation calls PQ Interop. Their roadmap maps specific milestones across four upcoming hard forks, from a post-quantum key registry to full PQ consensus. Google's blog post names the Ethereum Foundation, Coinbase, and the Stanford Institute for Blockchain Research as collaborators on responsible post-quantum migration.
Bitcoin has no equivalent effort. No coordinated roadmap. No multi-team engineering program. No fork milestones. Bitcoin Improvement Proposal 360 (BIP-360) proposes a quantum-resistant output type, but proponents estimate a seven-year adoption timeline. The last major cryptographic upgrade to Bitcoin, Taproot, took years of discussion before activation in 2021. Nic Carter, co-founder of Castle Island Ventures and one of Bitcoin's most prominent advocates, has been publicly warning that Bitcoin developers are "sleepwalking towards collapse" on this issue.
This is not a commentary on the relative value of these networks. It is a factual description of preparedness. Ethereum has a plan. Bitcoin, as of today, does not.
What This Means for You
Most coverage of this story is aimed at cryptocurrency investors and quantum physicists. Here is what matters for everyone else.
Your Browser Is Already Migrating
Google Chrome supports post-quantum key exchange. Firefox is implementing it. Safari has begun the process. If you keep your browser updated — which you should already be doing for security — you will receive post-quantum protection as it rolls out. No action needed beyond staying current on updates.
Your VPN Matters More Than Ever
The "store now, decrypt later" threat is real and already happening. State-level adversaries are capturing encrypted internet traffic today with the expectation of decrypting it once quantum capability arrives. If your VPN traffic is being harvested now and your VPN provider has not implemented post-quantum key exchange, that traffic could be readable in the future.
This is one reason we recommend Proton VPN and Mullvad VPN. Proton VPN announced post-quantum cryptography support in 2023 and has been actively deploying it. Mullvad has similarly prioritized forward security. We do not recommend VPN providers that have not publicly addressed post-quantum readiness — and we do not recommend providers with opaque ownership structures regardless of their technical claims.
Your Router and Network Hardware Matter
Post-quantum cryptographic algorithms will need to be adopted at every layer of the network stack — including your router's firmware. Open-source router firmware like OpenWrt and pfSense will adopt PQC as upstream cryptographic libraries (OpenSSL, WolfSSL) update, likely within months of standardized releases. ISP-provided rental gateway firmware will lag by years — if it is updated at all. This is yet another argument for owning your own network equipment and controlling the software that runs on it.
If You Hold Cryptocurrency
Do not reuse wallet addresses. Every time you make a transaction, the public key associated with that address is exposed on the blockchain. Addresses that have been used and still hold funds are the most vulnerable — an attacker with a quantum computer could derive the private key from the exposed public key and drain the wallet. The Google whitepaper recommends "refraining from exposing or reusing vulnerable wallet addresses" as a short-term mitigation.
Watch for your blockchain's post-quantum migration roadmap. Ethereum has one. Bitcoin does not yet. If you hold significant value in cryptocurrency, the maturity of your network's PQC plan should factor into your long-term risk assessment.
Protect Your Traffic Now, Not Later
The "store now, decrypt later" model means that traffic you send today — even if it is encrypted with current best practices — could be decrypted in the future. This makes encrypted DNS, VPN usage, and network-level privacy tools like Pi-hole relevant today. Reducing the volume of cleartext and weakly-encrypted traffic leaving your network shrinks the target surface for future quantum decryption. Defense in depth is not paranoia. It is engineering.
Is Google the Arsonist and the Firefighter?
It is worth addressing a criticism that surfaced prominently in the online discussion of these papers: Google is simultaneously building quantum computers, publishing research on how they break encryption, setting migration deadlines, and selling post-quantum security solutions through Google Cloud. As one commenter put it: "Google builds the weapon, measures how dangerous it is, and sells you the shield."
This criticism has some structural merit — there is a clear commercial incentive for Google to accelerate the perception of quantum risk. However, the research itself is verifiable. The quantum circuits are mathematically defined. The Oratomic paper independently corroborates the trajectory. NIST has been standardizing post-quantum algorithms since 2016, long before Google set a deadline. And Google's decision to use zero-knowledge proofs and engage the US government before publishing suggests a company that is genuinely concerned about responsible disclosure, not one that is simply manufacturing demand for its security products.
The more useful framing is not whether Google's motives are pure but whether the underlying math is correct. On that question, the scientific community appears to be converging: the resources required to break ECC-256 are falling faster than most people expected, and the migration window is narrower than it looks.
Frequently Asked Questions
Can quantum computers break Bitcoin?
Not today, but the timeline is shortening. Bitcoin uses ECC-256 (specifically ECDSA) for wallet signatures, which is the exact cryptographic scheme targeted by both the Google and Oratomic papers. A quantum computer with approximately 26,000 physical qubits could theoretically derive a Bitcoin private key from an exposed public key in about 10 days. Such a machine does not exist yet, but lab demonstrations of 6,100 trapped atomic qubits suggest it could be built by the end of the decade. Bitcoin's proof-of-work mining (SHA-256) is not vulnerable to Shor's algorithm and would not be affected.
How soon can quantum computers break encryption?
Google has set 2029 as its internal deadline for migrating to post-quantum cryptography, suggesting the company believes a cryptographically relevant quantum computer could exist around that time or shortly after. The Oratomic/Caltech paper describes a theoretical architecture that could break ECC-256 in 10 days with 26,000 qubits, using components that have been individually demonstrated in the lab. A more conservative view, reflected in NIST timelines, places the threat window at 2030–2035. The honest answer is that no one knows the exact date, but the range is narrowing.
What is post-quantum cryptography?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against both classical and quantum computers. NIST finalized the first set of PQC standards in 2024, including algorithms like ML-KEM (for key exchange) and ML-DSA (for digital signatures). These algorithms are based on mathematical problems that quantum computers cannot solve efficiently, unlike the elliptic curve and integer factorization problems that underpin current encryption. PQC is already being deployed in Google Chrome, Android 17, and several VPN providers.
Is my VPN safe from quantum computers?
It depends on your VPN provider. VPN connections typically use a combination of key exchange (for establishing the encrypted tunnel) and symmetric encryption (for the actual data). The key exchange step is the quantum-vulnerable component. VPN providers that have implemented post-quantum key exchange — such as Proton VPN — offer protection against "store now, decrypt later" attacks. Providers that have not implemented PQC leave your historical traffic vulnerable to future quantum decryption. The symmetric encryption used inside the tunnel (typically AES-256) is not significantly threatened by quantum computers.
What is the difference between ECC and RSA encryption?
Both are public-key cryptographic systems, but they rely on different mathematical problems. ECC (Elliptic Curve Cryptography) is based on the difficulty of the elliptic curve discrete logarithm problem. RSA is based on the difficulty of factoring large prime numbers. ECC is more widely used in modern systems — it protects most cryptocurrency transactions, HTTPS connections, and SSH sessions. RSA is more common in older enterprise systems. The critical finding from the March 2026 papers is that ECC requires roughly 100 times fewer quantum operations to break than RSA at the same security level, meaning ECC falls first.
What should I do to protect myself from quantum computing threats?
Keep your browser and operating system updated — post-quantum protection is being rolled out in Chrome, Firefox, and Android. Use a VPN provider that has implemented post-quantum key exchange. If you hold cryptocurrency, do not reuse wallet addresses and monitor your blockchain's PQC migration roadmap. Control your own network hardware by owning your modem and router rather than renting from your ISP, so you can update firmware as PQC support arrives. Use encrypted DNS and network-level privacy tools to reduce the volume of harvestable traffic leaving your network.
Has anyone built a quantum computer that can break encryption?
No. As of March 2026, no quantum computer capable of breaking cryptographically relevant encryption exists. The largest demonstrated neutral-atom qubit array is approximately 6,100 qubits, built by Oratomic co-founder Manuel Endres. The Oratomic paper describes a theoretical architecture requiring at least 26,000 qubits for a practical attack on ECC-256. Google's superconducting qubit approach estimates fewer than 500,000 physical qubits. Both represent dramatic progress, but neither has been built. The papers describe what is now achievable with known technology — the remaining challenge is engineering, not new physics.
