Quantum computers aren’t just faster PCs — they’re a completely different kind of machine that exploits quantum physics to solve certain problems far faster than any known classical algorithm. That difference is exactly what makes them a potential threat to Bitcoin’s core cryptography.
How Bitcoin’s keys work (quick refresher)
- Every coin is locked to a 256-bit private key (a secret number) and the public key derived from it. The public key is what the network eventually sees (for some output types it is on-chain from the moment the coins are received, for others only when they are spent); the private key is what you keep secret.
- Bitcoin uses elliptic curve cryptography (secp256k1). Starting from a common point on the curve (the generator G), you “walk” a number of steps equal to your private key k. The point you land on is the public key K. Formally: K = k × G.
- Going from k to K is trivial for classical computers; reversing that — going from K to k — is the elliptic curve discrete logarithm problem. The best known classical algorithms need on the order of 2^128 curve operations for a 256-bit curve, so cracking a single key would take far longer than the age of the universe. That one-way property underpins Bitcoin’s security.
Enter Shor’s algorithm
- In 1994 Peter Shor showed a quantum algorithm that solves discrete logarithms efficiently. Problems that are infeasible for classical machines become tractable on a sufficiently capable quantum computer.
- For the elliptic curve discrete log, Shor’s algorithm finds the “period” of the function f(a, b) = aG + bK: pairs (a, b) with aG + bK = O, where O is the point at infinity. Since K = kG, any such pair satisfies a + bk ≡ 0 (mod n), n being the order of G. Quantum hardware leverages superposition (evaluating the function on many inputs in one computation), entanglement (linking inputs and outputs), and interference (canceling wrong answers) to reveal that period. Once you have it, the private key pops out with ordinary arithmetic: k = −a · b⁻¹ mod n.
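Both halves of this story, deriving K = k × G and then turning a Shor “period” back into k, in working Python. This is an added example written for this page, not code from the article or from the Google paper. The secp256k1 parameters are the standard SEC 2 values; the toy curve y² = x³ + 7 over F_97, the seeded random choice of b, and the brute-force stand-in for the quantum period-finding step are assumptions made for illustration (on the toy curve brute force is feasible; on secp256k1 only the quantum step would be):

```python
# Added example (not from the article or the Google paper): K = k*G on secp256k1,
# then the classical post-processing of Shor's algorithm for the EC discrete log,
# with the quantum period-finding step replaced by brute force on a toy curve.
import math
import random
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity O

@dataclass(frozen=True)
class Curve:
    p: int  # prime field modulus
    a: int  # y^2 = x^3 + a*x + b
    b: int

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Affine addition, covering doubling and P + (-P) = O."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p) % self.p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p) % self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add: 'walk k steps from P' in O(log k) group operations."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

# secp256k1 domain parameters (SEC 2).
SECP256K1 = Curve(p=2**256 - 2**32 - 977, a=0, b=7)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def pubkey_compressed(k: int) -> str:
    """K = k*G in SEC1 compressed form (02/03 prefix + x), as seen on-chain."""
    if not 1 <= k < N:
        raise ValueError("private key must be in [1, n-1]")
    x, y = SECP256K1.mul(k, G)
    return ("02" if y % 2 == 0 else "03") + format(x, "064x")

def toy_generator(curve: Curve) -> Tuple[Point, int]:
    """Brute-force the point of largest order on a small curve; returns (G, n)."""
    best, best_n = None, 0
    for x in range(curve.p):
        for y in range(curve.p):
            if not curve.on_curve((x, y)):
                continue
            n, Q = 1, (x, y)
            while Q is not None:          # n*P == O when the walk returns to O
                Q, n = curve.add(Q, (x, y)), n + 1
            if n > best_n:
                best, best_n = (x, y), n
    return best, best_n

def find_period(curve: Curve, G: Point, n: int, K: Point, rng: random.Random) -> Tuple[int, int]:
    """Stand-in for Shor's quantum period finding: returns (a, b) with a*G + b*K = O.
    Brute force (O(n)) here; Shor does this in polynomial time for 256-bit n."""
    while True:
        b = rng.randrange(1, n)
        if math.gcd(b, n) != 1:           # need b invertible mod n for the final step
            continue
        bK, aG = curve.mul(b, K), None    # aG tracks a*G for a = 0, 1, 2, ...
        for a in range(n):
            if curve.add(aG, bK) is None:
                return a, b
            aG = curve.add(aG, G)

def key_from_period(a: int, b: int, n: int) -> int:
    """a*G + b*K = O with K = k*G  =>  a + b*k = 0 (mod n)  =>  k = -a * b^-1 mod n."""
    return (-a * pow(b, -1, n)) % n

def recover_toy_key(k: int, seed: int = 1) -> int:
    """Publish K = k*G on the toy curve (p = 97, chosen for this example), then recover k."""
    toy = Curve(p=97, a=0, b=7)
    Gt, n = toy_generator(toy)
    if not 1 <= k < n:
        raise ValueError(f"toy key must be in [1, {n - 1}]")
    K = toy.mul(k, Gt)
    a, b = find_period(toy, Gt, n, K, random.Random(seed))
    return key_from_period(a, b, n)

if __name__ == "__main__":
    print("k=1 ->", pubkey_compressed(1))
    print("n*G is O:", SECP256K1.mul(N, G) is None)
    print("toy key 13 recovered as", recover_toy_key(13))
```

The point of `find_period` is not its brute-force loop but what it returns: a single kernel element (a, b) of f(a, b) = aG + bK. `key_from_period` then needs only a modular inverse, which is why the article can say the key “pops out” once the period is known; everything expensive is in finding that one pair, and that is the step Shor’s algorithm makes polynomial.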
Why this hasn’t happened — yet
- Shor’s algorithm has been known for decades, but running it in practice requires a huge, error-corrected quantum computer with many stable logical qubits. Qubits are fragile; most of a useful quantum machine is overhead for error correction.
- Older estimates put the requirement in the millions of physical qubits. That’s been a major barrier — until now.
Google’s new attack model: much less hardware, and a practical race
- In a new paper from Google Quantum AI (with input from Justin Drake and Dan Boneh), researchers dramatically cut previous resource estimates: they argue that an attack against Bitcoin’s secp256k1 can be done with fewer than 500,000 physical qubits — roughly a 20-fold reduction from earlier projections.
- They designed two quantum circuits tailored to Bitcoin:
  - One uses ~1,200 logical qubits and about 90 million Toffoli gates.
  - The other uses ~1,450 logical qubits and about 70 million Toffoli gates (more qubits, fewer gates: a space/time trade-off).
- Toffoli gates are three-qubit operations (a controlled-controlled-NOT) used in reversible/quantum computations; they are the expensive primitive in an error-corrected machine, which is why circuits are costed by Toffoli count rather than total gate count. Because of error correction, the paper assumes roughly a 400:1 ratio of physical to logical qubits, so most physical qubits serve to detect and correct errors. At that ratio the ~1,200-logical-qubit circuit corresponds to roughly 480,000 physical qubits, which is the arithmetic behind the sub-500,000 figure.
The nine-minute danger and two types of attacks
- Critically, Google’s team showed much of the hard quantum work can be precomputed because many circuit components depend only on the curve’s fixed parameters (public and identical across wallets). A quantum machine can sit “primed,” already halfway through the calculation.
- When a public key appears on the network — either broadcast in a transaction to the mempool or already exposed on-chain — the computer only needs to complete the second stage. Google estimates finishing that second half takes about nine minutes.
- Why nine minutes matters: Bitcoin’s average block time is about 10 minutes. If a user broadcasts a transaction that reveals their public key, a quantum attacker has roughly nine minutes to derive the private key and broadcast a competing, higher-fee transaction that spends the same coins to an address the attacker controls. Block discovery is memoryless (a Poisson process with a 10-minute mean), so the chance that no block arrives during a 9-minute computation is e^(−9/10) ≈ 0.41, consistent with the roughly 41% chance Google’s analysis gives the attacker of finishing before the original transaction confirms. This is the mempool (race) attack.
- Even more alarming is the “at-rest” attack: about 6.9 million BTC (roughly one-third of the supply) sit in outputs whose public keys are already exposed on-chain. Exposed outputs include Taproot (P2TR) outputs, whose scriptPubKey is the (tweaked) public key itself, legacy pay-to-public-key outputs such as early mined coins, and reused addresses, where an earlier spend revealed the key in the scriptSig or witness. Those coins can be targeted at leisure; no nine-minute race is required.
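How a figure like 41% falls out of the block-time model, and how quickly it moves with the attacker’s finishing time, as an added example (my code, not the article’s or the paper’s). The model is my assumption, not a statement of what the paper computed: block discovery is a Poisson process with a 600-second mean, the attacker needs a fixed T seconds after the key appears in the mempool, and wins only if no block is found first:

```python
# Added example (not from the article or the Google paper): the mempool race as a
# race against an exponential (memoryless) block timer.  Assumption: blocks arrive
# as a Poisson process with a 600 s mean; the attacker needs a fixed T seconds.
import math
import random

BLOCK_INTERVAL_S = 600.0  # Bitcoin's ~10-minute average block time

def race_win_probability(attack_seconds: float, mean_block_s: float = BLOCK_INTERVAL_S) -> float:
    """P(next block arrives later than T) = exp(-T / mean) for exponential inter-block times.
    Memoryless: it makes no difference how long ago the previous block was found."""
    return math.exp(-attack_seconds / mean_block_s)

def attack_time_for_win_rate(win_rate: float, mean_block_s: float = BLOCK_INTERVAL_S) -> float:
    """Inverse: how fast must key recovery be to win a given fraction of races?  T = -mean * ln(p)."""
    return -mean_block_s * math.log(win_rate)

def simulate_race(attack_seconds: float, trials: int = 200_000, seed: int = 7,
                  mean_block_s: float = BLOCK_INTERVAL_S) -> float:
    """Monte Carlo cross-check of the closed form: draw the next-block time, count wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        if rng.expovariate(1.0 / mean_block_s) > attack_seconds:
            wins += 1
    return wins / trials

def win_rate_table(minutes=(1, 5, 9, 10, 20)) -> dict:
    """Closed-form win probability for several finishing times, given in minutes."""
    return {m: round(race_win_probability(60 * m), 3) for m in minutes}

if __name__ == "__main__":
    for m, p in win_rate_table().items():
        print(f"finish in {m:2d} min -> attacker wins {p:.1%} of races")
    print("9 min, simulated:", simulate_race(540))
    print("finishing time for a 50% win rate:", round(attack_time_for_win_rate(0.5)), "s")
```

The memoryless model is what makes the intuitive reading (“nine of ten minutes used, so the attacker is late only one time in ten”) wrong: the time to the next block has the same distribution whether the last block was one second or nine minutes ago, so a nine-minute computation loses the race whenever a block happens to land in that window, about 59% of the time. The inverse function shows the sensitivity: halving the finishing time to about 416 seconds already gives the attacker even odds.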
What this means
- The core cryptographic assumption that public keys are safe because they can’t be inverted by classical algorithms is threatened by quantum computers that can run Shor’s algorithm at scale.
- While the required quantum hardware doesn’t exist yet, Google’s work shows the practical requirements are much closer than previously thought, and the attack model is realistic: precomputation plus a short finishing time creates an exploitable window.
- For users, the immediate lesson is to avoid exposing public keys unnecessarily: never reuse an address, and where appropriate prefer hash-based output types (pay-to-public-key-hash, P2PKH, or its SegWit form P2WPKH) over Taproot, since a Taproot output places the tweaked public key on-chain the moment it is created. Note that a hash-based output still reveals its key when spent, so this removes the at-rest exposure but not the mempool race. For the Bitcoin ecosystem the result underscores the urgency of post-quantum migration planning.
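To make the at-rest category concrete, here is an added example (not the article’s code) that classifies unspent outputs by whether a quantum attacker could already target their key without any race. The scriptPubKey templates are the standard ones for each output type; every key, hash and UTXO record in it is constructed for illustration, and the reuse check assumes you have a set of scripts that were spent from earlier:

```python
# Added example (not from the article): which UTXOs already expose a public key
# "at rest".  Script templates are the standard ones; all keys, hashes and UTXO
# records below are constructed for this example, not real chain data.
from typing import Dict, Iterable, List, Set, Tuple

def classify_script(spk: bytes) -> Tuple[str, bool]:
    """Return (output type, whether the scriptPubKey itself contains a public key)."""
    n = len(spk)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh", False   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh", False    # OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", False  # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh", False   # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr", True     # OP_1 <32-byte x-only tweaked key>: the key is on-chain
    if n == 35 and spk[0] == 0x21 and spk[34] == 0xAC:
        return "p2pk", True     # <33-byte compressed key> OP_CHECKSIG
    if n == 67 and spk[0] == 0x41 and spk[66] == 0xAC:
        return "p2pk", True     # <65-byte uncompressed key> OP_CHECKSIG (early mined coins)
    return "unknown", False

def exposure_report(utxos: Iterable[dict], spent_scripts: Set[bytes]) -> Dict[str, object]:
    """Flag each unspent output whose key an attacker could target at leisure: either
    the script contains the key, or the same script was spent from before (address
    reuse), in which case the earlier scriptSig/witness already revealed the key."""
    exposed: List[dict] = []
    total = exposed_value = 0.0
    for u in utxos:
        kind, key_in_script = classify_script(u["spk"])
        total += u["value"]
        reason = None
        if key_in_script:
            reason = f"{kind}: public key is in the scriptPubKey"
        elif u["spk"] in spent_scripts:
            reason = f"{kind}: address reused, key revealed by an earlier spend"
        if reason:
            exposed.append({**u, "reason": reason})
            exposed_value += u["value"]
    return {"exposed": exposed, "exposed_btc": exposed_value, "total_btc": total}

# Constructed sample data: hash/key bytes are placeholders, not real addresses.
H20_A, H20_B, H20_C = bytes(range(20)), bytes(20), bytes([0x55] * 20)
X32 = bytes([0xAB] * 32)
SAMPLE_UTXOS = [
    {"txid": "aa" * 32, "vout": 0, "value": 1.5, "spk": b"\x76\xa9\x14" + H20_A + b"\x88\xac"},  # fresh P2PKH
    {"txid": "bb" * 32, "vout": 1, "value": 0.7, "spk": b"\x76\xa9\x14" + H20_B + b"\x88\xac"},  # reused P2PKH
    {"txid": "cc" * 32, "vout": 0, "value": 2.0, "spk": b"\x00\x14" + H20_C},                      # fresh P2WPKH
    {"txid": "dd" * 32, "vout": 0, "value": 3.0, "spk": b"\x51\x20" + X32},                        # Taproot
    {"txid": "ee" * 32, "vout": 0, "value": 50.0, "spk": b"\x41\x04" + bytes(64) + b"\xac"},       # old P2PK
]
SAMPLE_SPENT = {b"\x76\xa9\x14" + H20_B + b"\x88\xac"}   # the reused address was spent from before

def sample_report() -> Dict[str, object]:
    return exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT)

if __name__ == "__main__":
    r = sample_report()
    for u in r["exposed"]:
        print(f'{u["txid"][:8]}:{u["vout"]} {u["value"]:>6} BTC  {u["reason"]}')
    print(f'{r["exposed_btc"]} of {r["total_btc"]} BTC exposed at rest')
```

Run against the constructed set, three of the five outputs are flagged: the Taproot and P2PK outputs because the key is in the script, and the reused P2PKH output because its key left the wallet in the earlier spend. The two fresh hash-based outputs are safe at rest but still face the race attack the moment they are spent; the report only answers the at-rest question.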
This is the first part of a two-piece look at quantum risk to Bitcoin. The next installment will dig into which coins are already exposed, what Taproot changed, and how close hardware developments are to making these attacks possible.