Research/Bitcoin

Taproot and Quantum Risk: What Google's Research Means for Bitcoin Security

New Google research suggests Taproot addresses may be more vulnerable to quantum attacks than older formats. Analyzing the real risk.

bcMao, Jun 27, 2026

In March 2026, Google Quantum AI published a whitepaper titled Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities, co-authored with researchers from Stanford University and the Ethereum Foundation. The paper reported a roughly 10x reduction in the estimated quantum resources needed to break elliptic curve cryptography, and it singled out Taproot (P2TR) addresses as uniquely exposed. The finding reignited debate about Bitcoin's long-term cryptographic security and what the ecosystem should do about it.

This article breaks down the research, explains why Taproot's design creates a larger quantum attack surface than older address formats, and evaluates the realistic timeline and mitigation options available to the Bitcoin ecosystem.

Why Taproot Exposes More Than Legacy Formats

Bitcoin's signature security depends on the difficulty of deriving a private key from a public key. With classical computers, this is computationally infeasible for the secp256k1 curve. The question is what happens when quantum computers enter the picture.

Older address formats like P2PKH and P2WPKH store a hash of the public key on-chain. The actual public key is only revealed when the owner spends from the address. This means a quantum attacker would need to extract the private key during the narrow window between transaction broadcast and block confirmation: roughly 10 minutes on average.

P2TR addresses work differently. Activated via the BIP-341 soft fork in November 2021, Taproot uses Schnorr signatures (BIP-340), and a P2TR output places the 32-byte x-only output key directly in the scriptPubKey rather than a hash of it. This was a deliberate design choice: Schnorr's linearity enables key aggregation (MuSig-style multisignatures), which makes multisig indistinguishable from single-sig transactions, and the script-path commitment improves privacy for complex spending conditions. But it also means the public key sits permanently on the blockchain, visible to anyone, whether or not the coins have been spent. Because a key-path spend is always consensus-valid for a P2TR output, this holds even for outputs whose owner only ever intended script-path spends: whoever recovers the output key's discrete logarithm can spend.

The core difference: With P2PKH and P2WPKH, a quantum attacker must race against Bitcoin's 10-minute block time to extract a private key from a just-revealed public key. With P2TR, the public key is available indefinitely, removing the time constraint entirely.
Address format    | Public key visibility        | Quantum attack window                  | Hash protection
------------------|------------------------------|----------------------------------------|-------------------------------
P2PKH (1...)      | Hidden until spent           | ~10 minutes (mempool to confirmation)  | SHA-256 + RIPEMD-160
P2WPKH (bc1q...)  | Hidden until spent           | ~10 minutes (mempool to confirmation)  | SHA-256 + RIPEMD-160
P2TR (bc1p...)    | Exposed on-chain by default  | Indefinite                             | None (raw x-only public key)

Google's research estimated that approximately 6.9 million BTC, around 32% of Bitcoin's circulating supply, currently sit in addresses with exposed public keys. This includes Taproot outputs along with previously spent legacy addresses. The paper noted that P2TR accounted for roughly 21.68% of all Bitcoin transactions in 2025, representing about 16.8 million BTC in movement.
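The exposure measurement the paper performed comes down to reading each output's scriptPubKey and asking whether a curve point can be recovered from it. The following is an added example written for this article, not code from the paper or from any project it names: it classifies raw scriptPubKeys by output type, verifies that a P2TR output's 32-byte x-coordinate actually lifts to a secp256k1 point (BIP-340's lift_x, which is exactly the target Shor's algorithm would take), and totals value by exposure bucket, promoting hash-protected outputs to "exposed" when address reuse has already leaked the key. The sample UTXO set is constructed; G_X is the secp256k1 generator's x-coordinate, used only as a value known to be on the curve. It also covers Satoshi-era P2PK outputs, which expose the key directly and fall into the same bucket as P2TR.

```python
"""Classify Bitcoin outputs by what they hand a Shor-capable attacker.

Added example for this article, not code from the paper or any project it
names. Sample outputs below are constructed; the scriptPubKey templates follow
the consensus encodings (P2PKH, BIP-141 P2WPKH/P2WSH, BIP-341 P2TR) and the
curve check is BIP-340's lift_x.
"""
from dataclasses import dataclass

# secp256k1 field prime. p % 4 == 3, so a square root (when one exists)
# is a^((p+1)/4) mod p; BIP-340 uses exactly this to decode x-only keys.
P = 2**256 - 2**32 - 977


def lift_x(x_bytes: bytes):
    """BIP-340 lift_x: (x, y) with even y, or None if x is not a curve x-coordinate."""
    x = int.from_bytes(x_bytes, "big")
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if pow(y, 2, P) != y_sq:
        return None          # no square root: not a point on y^2 = x^3 + 7
    return (x, y if y % 2 == 0 else P - y)


def classify_spk(spk: bytes) -> tuple:
    """Return (output_type, exposure) for a raw scriptPubKey.

    exposure is one of:
      'static'   - the public key is readable from the output itself
      'on_spend' - only HASH160(pubkey) is on-chain until the owner spends
      'script'   - depends on the redeem/witness script, not decided here
      'invalid'  - P2TR output whose x does not lift to a point
    """
    n = len(spk)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return ("P2PKH", "on_spend")      # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[:2] == b"\x00\x14":
        return ("P2WPKH", "on_spend")     # OP_0 <20-byte key hash>
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return ("P2SH", "script")         # OP_HASH160 <20> OP_EQUAL
    if n == 34 and spk[:2] == b"\x00\x20":
        return ("P2WSH", "script")        # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        # OP_1 <32-byte x-only output key>. If x lifts to a point, Shor's
        # algorithm has a concrete target whether or not the coins ever move.
        return ("P2TR", "static" if lift_x(spk[2:]) else "invalid")
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return ("P2PK", "static")         # <33|65-byte pubkey> OP_CHECKSIG (Satoshi-era)
    return ("unknown", "script")


@dataclass
class Utxo:
    spk: bytes
    sats: int
    key_already_revealed: bool = False   # address reuse: an earlier spend leaked the key


def quantum_exposure(utxos) -> dict:
    """Sum value per exposure bucket. Reuse promotes 'on_spend' to 'static',
    which is why the article's exposed-BTC figure counts spent legacy addresses."""
    totals = {"static": 0, "on_spend": 0, "script": 0, "invalid": 0}
    for u in utxos:
        _, exposure = classify_spk(u.spk)
        if exposure == "on_spend" and u.key_already_revealed:
            exposure = "static"
        totals[exposure] += u.sats
    return totals


# Constructed sample set. G_X is the secp256k1 generator's x-coordinate, used
# here only as a value known to lie on the curve.
G_X = bytes.fromhex("79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
SAMPLE_UTXOS = [
    Utxo(b"\x51\x20" + G_X, 50_000_000),                          # P2TR: exposed now
    Utxo(b"\x00\x14" + bytes(range(20)), 30_000_000),             # fresh P2WPKH: hash-protected
    Utxo(b"\x76\xa9\x14" + bytes(range(20)) + b"\x88\xac",
         20_000_000, key_already_revealed=True),                  # reused P2PKH: exposed
    Utxo(b"\x21\x02" + G_X + b"\xac", 10_000_000),                # P2PK: exposed since day one
    Utxo(b"\x00\x20" + bytes(32), 5_000_000),                     # P2WSH: depends on script
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(classify_spk(u.spk), u.sats)
    print(quantum_exposure(SAMPLE_UTXOS))
```

Running it over a real UTXO snapshot only needs the scriptPubKey bytes and a reuse flag per output; the script bucket (P2SH/P2WSH) cannot be resolved without the script that will eventually be revealed, so a full audit has to treat it separately.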

What Google Actually Found

The Google Quantum AI research focused on optimizing the quantum circuits needed to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) underlying Bitcoin's digital signatures. The key numbers from the paper:

  • Approximately 1,200 logical qubits and under 90 million Toffoli gates can solve the 256-bit ECDLP
  • This translates to fewer than 500,000 physical qubits using superconducting architectures with error correction
  • The estimate represents a 10x reduction in spacetime volume compared to prior academic estimates
  • The paper modeled a real-time transaction hijacking attack with a 41% success rate within Bitcoin's 10-minute block window

To put this in perspective: Google's Willow quantum processor, announced in December 2024, has 105 superconducting qubits. That is roughly 5,000x fewer physical qubits than the lower bound of what would be needed. The gap between current hardware and a cryptographically relevant quantum computer (CRQC) remains enormous, but Google's research shortened the theoretical distance by an order of magnitude.

How Shor's Algorithm Threatens Bitcoin

The specific quantum threat to Bitcoin comes from Shor's algorithm, a quantum algorithm that efficiently solves the discrete logarithm problem. On a classical computer, deriving a private key from a public key on the secp256k1 curve would take longer than the age of the universe. A sufficiently powerful quantum computer running Shor's algorithm could do it in minutes.

Two distinct attack vectors

The quantum threat to Bitcoin splits into two scenarios with very different risk profiles:

The first is a real-time attack on transactions in the mempool. When a user broadcasts a transaction from a P2PKH or P2WPKH address, the public key is revealed in the spending script. A quantum attacker with sufficient hardware could extract the private key and broadcast a competing transaction before the original is confirmed. Google's paper estimated a 41% success rate for this attack against the 10-minute block window, assuming a CRQC capable of operating within that timeframe.

The second is a static attack on exposed public keys. For P2TR addresses and any legacy address that has previously spent funds, the public key is already on-chain. There is no time pressure: a quantum attacker could download the blockchain, identify all exposed keys, and derive private keys at leisure. This is the scenario where Taproot's design creates meaningfully more risk than legacy formats.

The Harvest Now, Decrypt Later Problem

Even if a CRQC is years or decades away, the threat is not purely theoretical. The harvest now, decrypt later strategy is already a documented concern for nation-state actors.

Bitcoin's entire transaction history is public and permanent. Every exposed public key is available to anyone who downloads the blockchain. A well-resourced adversary could catalog every P2TR output and every previously-spent legacy address today, then wait for quantum hardware to mature. The Federal Reserve published a working paper in 2025 examining this exact risk for distributed ledger networks.

Why this matters now: The quantum computer does not need to exist today for the threat to be real. If an adversary records exposed public keys now, the only defense is moving funds to a new, unexposed address before quantum hardware catches up. For Taproot addresses, this means the clock is already ticking.

When Could Quantum Computers Actually Break Bitcoin?

Timeline estimates vary widely depending on who you ask, but a rough consensus is emerging from multiple sources:

Source                       | Estimated timeline               | Basis
-----------------------------|----------------------------------|-----------------------------------------------------
Google Quantum AI (2026)     | Target CRQC by 2032              | Internal roadmap, Willow successor chips
NIST                         | Migrate by 2035                  | Recommended migration deadline for all systems
European Union               | Critical infrastructure by 2030  | Regulatory mandate for quantum-resistant encryption
Academic consensus (survey)  | 17-34% probability by 2034       | Expert survey of CRQC arrival probability
a16z Crypto (2026)           | Likely within 10-15 years        | Hardware scaling trends, error correction progress

The current state of quantum hardware is far from the threshold. Google's Willow chip has 105 qubits with single-qubit gate fidelity of 99.97% and coherence times around 100 microseconds. Breaking secp256k1 requires roughly 1,200 logical qubits, which with current error correction overhead maps to around 500,000 physical qubits. The gap is at least three orders of magnitude in qubit count alone, not accounting for improvements needed in error rates and coherence times.

However, quantum computing progress has historically been nonlinear. Google's Willow demonstrated below-threshold error correction: the logical error rate roughly halved each time the surface-code distance grew from 3 to 5 to 7. If that exponential suppression holds as codes scale further, it could compress timelines significantly. The responsible assumption is that Bitcoin should be prepared well before the most optimistic estimates.

Mitigations Available Today

Key rotation and address hygiene

The simplest defense against quantum key exposure is key rotation: never reuse addresses, and move funds to fresh addresses periodically. Avoiding address reuse is already a best practice for privacy, but it takes on new urgency in a quantum context. For P2PKH and P2WPKH addresses, funds in never-spent addresses remain protected by the hash layer.

For Taproot addresses, key rotation helps but does not fully solve the problem. Moving funds from one P2TR address to another still exposes the new public key on-chain. The mitigation reduces the window of vulnerability (a quantum attacker must target the new key before the owner rotates again) but does not eliminate it. To fully protect against static quantum attacks, users would need to move funds to hash-protected address types or, eventually, to quantum-resistant formats.

Post-quantum signature proposals

NIST finalized three post-quantum cryptography standards in August 2024, and the Bitcoin developer community has been evaluating them for integration. Each involves significant tradeoffs:

Scheme                       | Type                  | Signature size | Advantage                                    | Challenge for Bitcoin
-----------------------------|-----------------------|----------------|----------------------------------------------|---------------------------------------------------
SPHINCS+ (SLH-DSA)           | Hash-based            | Up to 41 KB    | Minimal security assumptions                 | ~94% reduction in transactions per block
CRYSTALS-Dilithium (ML-DSA)  | Lattice-based         | ~2,420 bytes   | Compact for post-quantum; fast verification  | 30-40x larger than ECDSA signatures
FALCON (FN-DSA)              | Lattice-based         | ~666 bytes     | Most compact post-quantum option             | Complex implementation, newer security assumptions
Lamport signatures           | Hash-based, one-time  | Several KB     | Simplest quantum-safe primitive              | Single-use only; requires new key per transaction

The fundamental challenge is scale. Bitcoin's current signatures are small: a DER-encoded ECDSA signature with its sighash byte runs roughly 71-73 bytes, and a Schnorr signature is a fixed 64 bytes. Even the most compact post-quantum alternative (FALCON at 666 bytes) is roughly 10x larger. SPHINCS+, the scheme with the most conservative security assumptions (it relies on hash functions alone), would reduce Bitcoin's transaction throughput from approximately 7,600 transactions per block to around 400. Any post-quantum migration will force difficult tradeoffs between security, throughput, and fee economics.

BIP-360 and BIP-361: The Migration Proposals

Two Bitcoin Improvement Proposals published in April 2026 represent the most concrete migration plans to date.

BIP-360: Pay-to-Merkle-Root (P2MR)

BIP-360 introduces a new output type (P2MR) using SegWit version 2 that replaces elliptic curve public key exposure with a Merkle root commitment. The proposal includes five new opcodes for post-quantum signature verification based on CRYSTALS-Dilithium (ML-DSA). Critically, it can be deployed as a soft fork, allowing gradual adoption without disrupting the existing network.

BTQ Technologies implemented BIP-360 on Bitcoin's testnet in March 2026, demonstrating that the mechanics work in practice. The tradeoff is that post-quantum signatures under this scheme can reach up to 8 kilobytes, significantly increasing transaction fees and block space demand.

BIP-361: Forced migration with legacy sunset

BIP-361, co-authored by Jameson Lopp and five other developers, proposes a three-phase migration plan with eventual deadlines for moving funds to quantum-resistant addresses. The final phase would restrict spending from legacy address types entirely.

The response from the Bitcoin community has been sharply divided. Critics argue that freezing legacy coins violates Bitcoin's core property rights guarantees. Proponents counter that without a forcing function, migration would take too long: the Taproot upgrade itself took years from proposal to activation, and a post-quantum migration is orders of magnitude more complex because every holder, wallet, and exchange must participate.

Alternative approaches

Beyond the BIP process, other proposals are in development:

  • StarkWare's Quantum Safe Bitcoin (QSB) enables quantum-resistant transactions via hash-based proofs without requiring a soft fork
  • Tadge Dryja's commit/reveal scheme separates transactions into two phases with timestamped commitments, providing protection against mempool-based quantum attacks
  • Hourglass V2 specifically addresses the 6.9 million BTC with already exposed public keys by limiting withdrawal rates to one per block

The Counterargument: Is This Premature?

Not everyone agrees that quantum risk demands immediate action. The counterargument rests on several points:

The hardware gap is still enormous. Going from 105 qubits to 500,000+ is not a matter of incremental improvement: it requires fundamental advances in error correction, qubit connectivity, and fabrication. Many researchers believe a CRQC is 15-20 years away at minimum, and some argue Bitcoin has ample time to soft fork to quantum-resistant signatures before the threat materializes.

Post-quantum cryptography itself is still maturing. The NIST-standardized algorithms have been studied for years, but lattice-based schemes like CRYSTALS-Dilithium and FALCON are built on security assumptions that have not been tested for as long as elliptic curve cryptography. There is a nonzero risk that a classical or quantum attack on lattice problems could emerge, undermining schemes adopted too eagerly.

The throughput cost is severe. Replacing 64-73-byte signatures with multi-kilobyte post-quantum signatures inside Bitcoin's 4,000,000 weight-unit block limit (at most roughly 4 MB of serialized data, witness bytes counting one quarter as much as non-witness bytes) would dramatically reduce transaction capacity. This creates pressure to either increase block sizes (a politically fraught change) or accept significantly higher fees.
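Both the signature-size comparison in the post-quantum proposals section and the throughput objection here reduce to one calculation: how many weight units a spend costs under each scheme. The following is an added example written for this article, not code from the paper or from any cited proposal. It models a single-signature transaction with one input and two outputs, reveals the signature and public key at spend time so the output stays a hash commitment, and applies the BIP-141 weight rule (non-witness bytes cost 4 WU, witness bytes 1 WU, 4,000,000 WU per block). Scheme sizes are the standard parameter sets (ML-DSA-44, Falcon-512, SLH-DSA-128s). Because the model's assumptions are simplified, its absolute counts differ from the article's 7,600/400 estimate; the point it adds is the legacy-versus-witness comparison, which shows why any post-quantum output type would put the signature in the witness.

```python
"""Block-throughput model for candidate post-quantum signature sizes.

Added example for this article, not from the paper or any cited proposal.
Model: a single-signature transaction with 1 input and 2 outputs, 34-byte
scriptPubKeys, signature and public key revealed at spend time. Weight follows
BIP-141: non-witness bytes cost 4 WU, witness bytes 1 WU, block holds
4,000,000 WU. Parameter-set sizes are the standard ones; the resulting counts
are a simplified model, not the article's figures.
"""
MAX_BLOCK_WEIGHT = 4_000_000

# (signature bytes, public-key bytes) for each scheme
SCHEMES = {
    "Schnorr (BIP-340, key hashed in output)": (64, 32),
    "ML-DSA-44 (Dilithium)": (2420, 1312),
    "FN-DSA-512 (Falcon)": (666, 897),
    "SLH-DSA-128s (SPHINCS+)": (7856, 32),
}


def varint_len(n: int) -> int:
    """Bytes needed for Bitcoin's CompactSize encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5


def push_len(n: int) -> int:
    """Script push opcode overhead for an n-byte item (direct push / PUSHDATA1 / PUSHDATA2)."""
    return 1 if n < 0x4C else 2 if n <= 0xFF else 3


def tx_weight(sig_len: int, pk_len: int, segwit: bool = True) -> int:
    """Weight units of a 1-in/2-out tx carrying one signature and one public key."""
    outputs = 2 * (8 + 1 + 34)                    # value + script length + scriptPubKey
    if segwit:
        # empty scriptSig; sig and pk sit in the witness at 1 WU per byte
        base = 4 + 1 + (36 + 1 + 4) + 1 + outputs + 4
        witness = 2 + 1 + varint_len(sig_len) + sig_len + varint_len(pk_len) + pk_len
        return 4 * base + witness
    # legacy placement: sig and pk pushed in scriptSig, every byte costs 4 WU
    script_sig = push_len(sig_len) + sig_len + push_len(pk_len) + pk_len
    base = 4 + 1 + (36 + varint_len(script_sig) + script_sig + 4) + 1 + outputs + 4
    return 4 * base


def txs_per_block(sig_len: int, pk_len: int, segwit: bool = True) -> int:
    """Whole transactions of this shape that fit in one block."""
    return MAX_BLOCK_WEIGHT // tx_weight(sig_len, pk_len, segwit)


def throughput_table() -> dict:
    """Per scheme: (tx/block with witness placement, tx/block with legacy scriptSig placement)."""
    return {name: (txs_per_block(s, p, True), txs_per_block(s, p, False))
            for name, (s, p) in SCHEMES.items()}


if __name__ == "__main__":
    for name, (wit, legacy) in throughput_table().items():
        print(f"{name:42s} witness: {wit:5d} tx/block   legacy scriptSig: {legacy:5d} tx/block")
```

With these assumptions ML-DSA-44 costs about 4,289 WU per spend when signature and key ride in the witness, against roughly 15,500 WU if they were pushed in a legacy scriptSig: the witness discount alone buys back more than a 3x difference, which is why the BIP-360 family targets a new SegWit version rather than a legacy script template.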

The response to these counterarguments is that Bitcoin's upgrade process is slow by design. The Taproot upgrade took from BIP proposal (2018) to activation (2021): three years. A post-quantum migration would be far more complex. Developers working on Bitcoin Optech's quantum resistance topic estimate 5-10 years for complete migration, assuming work begins now. Starting too late means the migration may not complete before quantum hardware catches up.

What This Means for Bitcoin Layer 2 Protocols

Quantum risk is not limited to Bitcoin L1. Every protocol that builds on Bitcoin's cryptographic primitives inherits the same vulnerability. Lightning Network channel funding transactions use the same elliptic curve signatures as L1, meaning channel balances face the same quantum exposure.

Spark uses FROST threshold signatures, which are built on Schnorr signatures over the same secp256k1 curve. A quantum computer capable of breaking standard ECDSA would equally threaten Schnorr-based schemes, since both rely on the hardness of the elliptic curve discrete logarithm problem. This means post-quantum upgrades are relevant across the entire Bitcoin stack: L1 consensus, Lightning channels, FROST signing, and any protocol using secp256k1.

The silver lining for Layer 2 systems is that they can adopt new signature schemes more quickly than L1. A Layer 2 protocol can upgrade its signing infrastructure without a Bitcoin consensus change, provided the on-chain settlement transactions eventually move to quantum-resistant formats. This makes L2 protocols well positioned to lead the transition rather than wait for L1 to move first.

Practical Steps for Bitcoin Holders

While the quantum threat is not imminent, the research makes several best practices more urgent:

  • Avoid address reuse entirely: every spend from a hash-protected address reveals the public key permanently
  • For long-term cold storage, prefer P2WPKH over P2TR until quantum-resistant address types are available: the hash layer provides an additional barrier
  • Monitor BIP-360 development and be prepared to migrate when quantum-resistant output types are activated
  • For large holdings, consider multisig configurations where keys are distributed across geographic locations and rotated regularly
  • Stay informed about quantum computing milestones: the transition from hundreds to thousands of logical qubits will be the clearest signal that migration timelines are compressing

The Road Ahead

Google's research did not demonstrate an imminent threat to Bitcoin. No quantum computer today, or in the near future, can break secp256k1. What the paper did was narrow the theoretical gap by 10x and highlight a design asymmetry in Taproot that makes certain funds more vulnerable than others when quantum hardware eventually matures.

The Bitcoin community's response has been constructive: BIP-360 demonstrates a viable path to quantum resistance via soft fork, and testnet implementations prove the mechanics work. The harder problem is social, not technical: coordinating a migration across millions of holders, wallets, and exchanges on a timeline measured in years. The debate between gradual incentive-based adoption (BIP-360) and forced migration (BIP-361) will define how Bitcoin navigates its most significant cryptographic transition since the move to SegWit.

For developers building on Bitcoin, including those working with Spark's SDK and other Layer 2 infrastructure, the practical takeaway is to design signing architectures with cryptographic agility in mind. The specific post-quantum scheme Bitcoin adopts is still uncertain, but the need to swap out signature primitives is increasingly clear. For a deeper look at how the post-quantum cryptography landscape is shaping Bitcoin's future, see our comprehensive analysis. You can also explore our guide to Bitcoin address types to understand the full evolution from P2PKH to Taproot.

This article is for educational purposes only. It does not constitute financial or investment advice. Bitcoin and Layer 2 protocols involve technical and financial risk. Always do your own research and understand the tradeoffs before using any protocol.