Justin Drake, a researcher at the Ethereum Foundation and co-author of Google’s landmark March 31 quantum paper, published a new thread on June 2, raising his Q-Day probability estimate to 50% by 2032 and 10% by 2030.
Today a crazy quantum story just got wilder.
On March 31, the Google Quantum AI team published a landmark result on Shor's algorithm for elliptic curve cryptography. Technically, the paper was a bombshell: a dramatic 10x improvement over the state-of-the-art. As a stunt and…
— Justin Drake (@drakefjustin) June 2, 2026
Q-Day is the moment a quantum computer successfully breaks the elliptic curve cryptography protecting live blockchain wallets. When the Google paper dropped in March, Drake placed his first estimate at 10% by 2032. Three months of accelerating breakthroughs have moved that number to 50%.
The Google Quantum AI paper released on March 31, co-authored by Drake and Stanford cryptographer Dan Boneh, demonstrated a 10-fold improvement in Shor’s algorithm efficiency against secp256k1, the elliptic curve underpinning every Bitcoin and Ethereum transaction.
Today, Google Quantum AI published a research paper that might boost the post-quantum migration. Their team has tailored Shor’s algorithm to solve the 256-bit Elliptic Curve Discrete Logarithm Problem. ECDLP is the hard mathematical problem that secures ECDSA: the signature… pic.twitter.com/CDzn4ydN2z
— Charles Guillemet (@P3b7_) March 31, 2026
The paper showed that breaking secp256k1 requires 1,200-1,450 logical qubits, a 20-fold reduction from prior estimates. That figure still sits far above Quantinuum’s current 48 logical qubits, but the trajectory of improvement is what changed Drake’s probability assessment.
The quantum threat to Bitcoin is not symmetrical. A quantum computer does not need to attack Bitcoin’s mining process; it does not need to break proof-of-work (PoW). It only needs to recover a private key from an exposed public key, and approximately 6.8 million BTC are sitting in wallets whose public keys have already been permanently recorded onchain.
Those wallets fall into two categories:
For these wallets, a quantum adversary need not intercept a live transaction. The public keys are already onchain, permanently visible. The attack requires only sufficient quantum hardware and time.
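To make the exposure criterion concrete, the following added example (not code from the article, from Drake, or from any BIP) classifies Bitcoin output scripts by whether the public key sits in the output itself, and totals the value in each bucket. The script templates are the standard Bitcoin output types, supplied here as an assumption because the article does not enumerate them; the function names and all sample outputs are constructed.

```python
# Added example: which output scripts carry a public key in the output itself?
# Script templates are the standard Bitcoin output types (an assumption; the
# article does not list them). All keys, hashes and amounts are constructed.

def classify(script_hex):
    """Return (script_type, key_visible_in_output) for a scriptPubKey."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: push of a 33- or 65-byte public key, then OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True
    # P2TR: OP_1 plus a 32-byte x-only output key, stored in the clear
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    # Hash-committed types: only a hash of the key or script is stored
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False
    return "unknown", None


def audit(outputs):
    """Sum satoshis per exposure bucket for (script_hex, sats) pairs."""
    totals = {"exposed": 0, "hashed": 0, "unknown": 0}
    for script_hex, sats in outputs:
        _, visible = classify(script_hex)
        bucket = "unknown" if visible is None else ("exposed" if visible else "hashed")
        totals[bucket] += sats
    return totals


# Constructed sample UTXO set (placeholder bytes, not real keys or addresses).
SAMPLE = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000),   # P2PK, uncompressed key
    ("76a914" + "22" * 20 + "88ac", 150_000_000),      # P2PKH
    ("0014" + "33" * 20, 20_000_000),                  # P2WPKH
    ("5120" + "44" * 32, 7_500_000),                   # P2TR
    ("a914" + "55" * 20 + "87", 1_000_000),            # P2SH
    ("6a" + "04" + "deadbeef", 0),                     # OP_RETURN, unclassified
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hash-committed output reveals its key in the spending input, so an address that has been spent from and then reused also counts as exposed; detecting that requires transaction history, not just the output script.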
Charles Guillemet, chief technology officer of Ledger, added the most significant new dimension to the quantum debate on June 2, confirming on X that the US government did not ask Google to withhold its most advanced quantum circuits voluntarily. The government blocked publication outright.
🚨 Google Quantum result was just rediscovered and IMPROVED!
On March 31, 2026, Google Quantum AI published a paper showing that 256-bit ECDLP, the hard problem behind ECDSA and therefore behind Bitcoin, Ethereum, TLS, and most of the world's authentication, can be solved with… https://t.co/aIlG1InhRh pic.twitter.com/jkdj9oTrXk
— Charles Guillemet (@P3b7_) June 2, 2026
The implication is direct: The published Google paper, already a significant advance, represents a censored version of what Google’s quantum team achieved. Public probability estimates, including Drake’s, are built on the released research. The classified findings may justify more urgent timelines than 50% by 2032. The gap between the published threat model and the actual state of classified quantum development is unknown and unknowable from public sources.
Drake explicitly called the US government’s official 2035 timeline for post-quantum migration “outdated and likely to be accelerated,” a position that aligns with his 10-year-earlier Q-Day estimate and with Google’s own internal migration target of 2029.
BIP-360, a Bitcoin Improvement Proposal (BIP) introducing a quantum-resistant address type designated “bc1z,” was merged into Bitcoin’s official BIP repository on Feb. 11, 2026. It prevents public key exposure in new addresses and is the primary technical response from the Bitcoin community. A testnet implementation has processed more than 100,000 blocks. A full network migration, however, could take up to seven years, according to the developer’s estimate.
That timeline does not close before Drake’s Q-Day window. A 50% probability of Q-Day by 2032 and a seven-year migration timeline beginning in 2026 result in a scenario in which quantum computers can break exposed keys before the full Bitcoin network has migrated away from vulnerable address formats.
Bitcoin currently has about 8 million BTC with exposed public keys, representing 34% of the total supply, and lacks the onchain governance mechanism to execute a coordinated migration. BIP-361, a separate proposal to freeze quantum-vulnerable funds and force migration, would require the kind of protocol-level coordination Bitcoin’s governance culture has historically resisted.
An 18-year-old reproduced 80% of Google’s classified quantum breakthrough over a single weekend using an AI agent swarm, a development Drake highlighted in his June 2 thread. Quantum algorithm optimization is increasingly a software and AI problem.
— Sreeram Kannan (@sreeramkannan) June 2, 2026
As AI systems improve at identifying Shor’s algorithm efficiencies, the gap between published results and production-grade attacks may close faster than hardware timelines suggest.
The contrast between the two networks’ responses is the most analytically significant aspect of Drake’s warning.
Ethereum runs weekly post-quantum test networks. The Ethereum Foundation’s proposed 2029 migration plan would phase out key cryptographic primitives, including BLS signatures, KZG polynomial commitments, and Elliptic Curve Digital Signature Algorithm (ECDSA) signatures, in favor of hash-based cryptography implemented through leanVM, a minimal zkVM optimized for formal verification.
Now, the quantum resistance roadmap.
Today, four things in Ethereum are quantum-vulnerable:
* consensus-layer BLS signatures
* data availability (KZG commitments+proofs)
* EOA signatures (ECDSA)
* Application-layer ZK proofs (KZG or groth16)
We can tackle these step by step:…
— vitalik.eth (@VitalikButerin) February 26, 2026
The Circle post-quantum roadmap, co-authored independently with Boneh, chose the same SLH-DSA hash-based signature standard and set a comparable 2029 migration target.
Bitcoin has BIP-360, a testnet, and a seven-year migration estimate. It does not have a scheduled hard fork, a post-quantum test network that runs weekly, or a governance mechanism that enables rapid protocol changes. The exposed 6.8 million BTC identified in Drake’s warning cannot be retroactively protected. Wallets that have already exposed their public keys onchain cannot be made quantum-resistant without the owners moving their funds to new, BIP-360-compliant addresses before Q-Day arrives.
Drake’s recommendation: start preparing now. The 2029 migration target he advocates is based on six years from the March 2026 Google paper. Whether that is sufficient depends on which side of the 50% probability materializes. If Q-Day arrives at the 10% tail by 2030, the preparation window will already have been four years.
The BIP-360 repository is live. The migration clock is running.
