Bitcoin and Rootstock: Addressing the quantum concern

Yesterday Google published a new whitepaper that set a new date for when they believe quantum computers may break the elliptic curve cryptography that protects cryptocurrency and other systems. 

That date is 2029, sooner than many academics previously predicted. The paper features both Bitcoin and Rootstock as examples of leading blockchains at risk from quantum attack unless action is taken.

As we wrote last year, the quantum risk is real, but there is still time to prepare. That is something the team at RootstockLabs and other core contributors to the network have spent the best part of a decade doing.

Some of our work on this topic has already been published. Some of it remains internal research for now. More will be published over time. Together, it forms the early stages of a post-quantum roadmap for Rootstock that will enable the network to operate safely as quantum continues to advance.

Diving deeper into Google’s latest research

What Google’s new paper changes is not the existence of the threat. That part was already understood. What changes is the margin for comfort. And this is where it gets technical.

The whitepaper presents updated estimates for the quantum resources needed to break ECDLP-256, finding that Shor’s algorithm may require fewer than 1,200 to 1,450 logical qubits and 70 to 90 million Toffoli gates. This is well below many older estimates.

Google’s point is not that the break has happened. It is that on faster quantum architectures, a future attack could run in minutes on a sufficiently large fault-tolerant machine. That does not mean Bitcoin or Rootstock are vulnerable today. It does mean the gap between theoretical risk and practical concern is narrowing. 

And Google’s paper did not arrive in isolation. A separate paper published a day prior argued that Shor’s algorithm may be possible with as few as 10,000 reconfigurable atomic qubits under the right assumptions. This paper approaches the problem from a slightly different angle, but points in the same direction.

One detail worth noting is how Google chose to present the work. Rather than publishing the full attack circuits, a blog post accompanying the paper, “Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly”, says it used a zero-knowledge proof to support the estimates without handing over a blueprint that could later be weaponized. That isn’t only a technical choice; it’s a sign that this conversation is moving out of abstract speculation and into responsible disclosure. There are billions of dollars at risk here and Google knows it.

Those working on this research deserve their flowers. This is serious work. Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi, Justin Drake and Dan Boneh have given the whole industry something useful here. Despite what the media might tell you, it wasn’t designed to spread FUD but to provide a sharper benchmark for planning.

Elliptic curve cryptography: the real pressure point

When people hear “quantum threat,” they often jump to mining, hashpower and Bitcoin collapsing overnight. That is not the main issue here and it’s not a new insight. As we already argued in our work last year, the central risk comes from Shor’s algorithm, not Grover’s.

The pressure point is ECDSA. Shor’s algorithm targets the discrete logarithm problem underneath it. Once cryptographically relevant quantum machines exist, exposed public keys become targets for private-key recovery.

For Rootstock, that means externally owned accounts, bridge signers, systems that incorporate multisig into their design, and admin keys controlling the upgradeable contracts that power applications on the network are all affected.

Grover’s algorithm matters too, but differently. It weakens brute-force assumptions and touches SHA-256 in theory. But both our previous analysis and Google’s work converge on the same conclusion: quantum mining is not the first break that matters. Rootstock’s own research points the same way. Proof of Work stays in the picture, but signatures come first.

What does this mean for Rootstock? 

Because Rootstock is anchored to Bitcoin, it inherits many of Bitcoin’s cryptographic assumptions. But it also has its own attack surface.

Rootstock uses ECDSA for account and bridge security, and double SHA-256 for proof of work through merged mining. So the main exposure sits in externally owned accounts with exposed public keys, plus systems that use multisignatures as part of their defence-in-depth design, such as the PowPeg.

That is why Rootstock’s quantum problem is not identical to Bitcoin’s. The more persistent the account model, and the more logic built around keys, the more valuable those keys become to an attacker.

What changes now, and what does not

Google’s new research is a warning, not a panic trigger. As Nico Vescovo from the RootstockLabs research team said in a recent conversation, “It’s more of an optimization than a fundamental breakthrough.” That is the clearest summary of the moment.

The research is serious. It tightens resource estimates and sharpens the timeline. But it does not put the industry into a post-quantum emergency this year. What it does do is make the old “we still have plenty of time” line much harder to defend.

That matters even more because Google distinguishes between slow-clock and fast-clock quantum architectures. If fast-clock systems arrive first, the gap between attacks on public keys and attacks on mempool transactions could be much smaller than many assumed. If slower systems arrive first, at-rest exposure may matter for longer. Either way, exposed keys get riskier over time, not safer.

What changes now is not the need for panic. It is the need for preparation.

How RootstockLabs and core contributors are preparing

Rootstock is not starting from zero. As we covered in a piece on quantum computing last year, the roadmap already outlines the shape of a serious post-quantum transition. Some of that roadmap is public. Some remains internal for now as teams across the ecosystem continue to validate this work.

The first step is adding post-quantum verification precompiles to RSKj, especially for schemes such as Dilithium and SPHINCS+. That creates the foundation for wallets, contracts and infrastructure to test and verify post-quantum signatures on-chain.

From there, the most realistic path is hybrid: keep ECDSA for compatibility while adding a post-quantum signature for forward security.

That path comes with costs. Post-quantum signatures are larger. Verification is heavier. Calldata grows. Wallet support is still immature. Hardware standards are still catching up. That is exactly why this work has to start early. Verification must be optimised to move from theory to practical application. We’re confident this can be achieved. 

The roadmap also includes the possibility of a post-quantum checkpoint at the protocol level. The idea is simple: once the network reaches a defined activation point, earlier history is treated as final, reducing the risk that legacy keys could later be used to replay or reorganize the past.

Now we keep ₿uilding

Despite what you might read, the sky is not falling. But the clock is moving faster than many expected. 

The safest networks will not be the ones that dismiss the threat, or the ones that lurch from headline to headline. They will be the ones that do the work early: map exposures, upgrade infrastructure, test migration paths and solve operational problems before the deadline is on top of them. 

This is how Rootstock has delivered to date with 100% uptime, zero chain-level exploits and a continuous security model grounded in Bitcoin’s Proof of Work.

That is where Rootstock is today: preparing and building towards a post-quantum future where Bitcoin (and Rootstock) work for everyone.

Tick tock, next block.