How a Quantum Computer Can Be Used to Steal Your Bitcoin in “9 Minutes”

Part 1 of this series explains what quantum computers actually are: not just faster versions of classical computers, but a fundamentally different type of machine that exploits the strange rules of physics that apply only at the scale of atoms and particles.

But knowing how a quantum computer works doesn’t tell you how a bad actor could use one to steal bitcoin. That requires understanding what it is actually attacking, how Bitcoin’s security is built, and where exactly the weakness lies.

This article begins with the cryptography that secures bitcoin and continues through the nine-minute window needed to break it, as identified in Google’s recent paper on quantum computing.

The one-way map

Bitcoin uses a system called elliptic curve cryptography to prove who owns what. Each wallet has two keys. The private key is a secret 256-bit number, which written out in binary is about as long as this sentence. The public key is derived from the private key by performing a mathematical operation on a specific curve called “secp256k1”.

Think of it as a one-way map. Start at a known place on the curve that everyone agrees on, called the generator point G (as shown in the figure below). Take a number of steps in a pattern defined by the mathematics of the curve. The number of steps is your private key. Where you end up on the curve is your public key (point K in the figure). Anyone can verify that you ended up at this exact location. No one can tell how many steps you took to get there.

Technically, this is written as K = k × G, where k is your private key and K is your public key. The “multiplication” here is not ordinary multiplication but a geometric operation in which you repeatedly add a point to itself along the curve. The result lands in a seemingly random place that only your specific number k would produce.

The crucial property is that moving forward is easy, while moving backward is, for classical computers, effectively impossible. If you know k and G, calculating K takes a few milliseconds. If you know K and G and want to recover k, you have to solve what mathematicians call the elliptic curve discrete logarithm problem.

The best-known classical algorithms are estimated to take longer than the age of the universe on a 256-bit curve.

This one-way trapdoor constitutes the entire security model. Your private key proves that you own your coins. Your public key can be shared safely because no classical computer can reverse the calculation. When you send bitcoin, your wallet uses the private key to create a digital signature, a mathematical proof that you know the secret number without revealing it.

Shor’s algorithm opens the door in both directions

In 1994, the mathematician Peter Shor discovered a quantum algorithm that breaks this trapdoor.

Shor’s algorithm efficiently solves the discrete logarithm problem. The same mathematics that would take a classical computer longer than the existence of the universe, Shor’s algorithm handles in what mathematicians call polynomial time, meaning the difficulty grows slowly as the numbers get larger rather than explosively.

The intuition for how it works comes back to the three quantum properties from the first part of this series.

The algorithm needs to find your private key k, given your public key K and the generator point G. It converts this into the problem of finding the period of a function. Think of a function that takes a number as input and returns a point on the elliptic curve.

As you feed it sequential numbers, 1, 2, 3, 4, and so on, the outputs eventually repeat in a cycle. The length of this cycle is called the period, and once you know how often the function repeats, the discrete logarithm falls out in a single step of ordinary arithmetic. The private key drops out almost immediately.

Finding the period of a function is exactly what quantum computers are built for. The algorithm places its input register in a superposition (the quantum state in which a particle exists in multiple places at once), representing all possible values simultaneously. It then applies the function to all of them at the same time.

Next it applies a quantum operation called the Fourier transform, which cancels out the wrong answers while reinforcing the correct ones.

When you measure the result, the period appears. From this period, ordinary mathematics recovers k. That is your private key, and therefore your coins.


The attack uses all three quantum tricks from the first piece. Superposition evaluates the function on all possible inputs at once. Entanglement links the input and output registers so that the results stay correlated. Interference filters out the noise until only the answer remains.
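To make the two halves of this concrete, here is an added Python illustration that is not code from the original article or from Google’s paper. It implements the point arithmetic behind K = k × G on Bitcoin’s actual secp256k1 curve (the fast, forward direction), and then, on a constructed 102-point toy curve, finds the period of the function a·G + b·K by exhaustive enumeration (a classical stand-in for the superposition-plus-Fourier step) and recovers k from that period in one modular step. The toy curve, the private key 37 used in the test, and the function names are assumptions for illustration.

```python
# Added example, not code from the original article: the "one-way map"
# K = k*G on Bitcoin's real curve secp256k1, and the period-to-key step of
# Shor's algorithm on a constructed 102-point toy curve where the period
# can be found by exhaustive enumeration (standing in for the quantum step).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity O

@dataclass(frozen=True)
class Curve:
    p: int  # prime field modulus
    a: int
    b: int  # curve equation: y^2 = x^3 + a*x + b (mod p)

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Affine point addition: the geometric operation behind the map."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = O
        if P == Q:  # tangent line (doubling)
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:       # chord through P and Q
            lam = (y2 - y1) * pow((x2 - x1) % self.p, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add: O(log k) steps, fast even for 256-bit k."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

# Bitcoin's fixed, public curve parameters (secp256k1) and generator G.
SECP256K1 = Curve(p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F, a=0, b=7)
SECP256K1_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
               0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G

def public_key(k: int) -> Point:
    """Forward direction on the real curve: K = k*G."""
    return SECP256K1.mul(k % SECP256K1_N, SECP256K1_G)

# Constructed toy curve y^2 = x^3 + 7 over F_101 (101 = 2 mod 3, so the curve
# has exactly p + 1 = 102 points); small enough to enumerate completely.
TOY = Curve(p=101, a=0, b=7)

def toy_generator(curve: Curve = TOY) -> Tuple[Point, int]:
    """Return the curve point of largest order and that order n."""
    best, best_n = None, 0
    for x in range(curve.p):
        for y in range(curve.p):
            P = (x, y)
            if not curve.on_curve(P):
                continue
            Q, n = P, 1
            while Q is not None:  # step along the curve until we return to O
                Q, n = curve.add(Q, P), n + 1
            if n > best_n:
                best, best_n = P, n
    return best, best_n

def find_period(curve: Curve, G: Point, K: Point, n: int) -> Tuple[int, int]:
    """Classical stand-in for the quantum step: evaluate f(a, b) = a*G + b*K on
    every input and return (r1, r2) with r1*G + r2*K = O, i.e. a period of f."""
    multiples: Dict[Point, int] = {}
    P: Point = None
    for a in range(n):
        multiples[P] = a  # P = a*G
        P = curve.add(P, G)
    Q: Point = None
    for b in range(1, n):
        Q = curve.add(Q, K)  # Q = b*K
        a = multiples.get(curve.neg(Q))
        if a is not None:  # a*G = -(b*K)  =>  a*G + b*K = O
            return a, b
    raise ValueError("K is not a multiple of G")

def key_from_period(r1: int, r2: int, n: int) -> int:
    """With the period known, k follows in one step: k = -r1 * r2^-1 mod n."""
    return (-r1 * pow(r2, -1, n)) % n

def toy_attack(k: int) -> Tuple[int, int]:
    """Derive K from k on the toy curve, then recover k from K and G alone."""
    G, n = toy_generator()
    K = TOY.mul(k, G)
    r1, r2 = find_period(TOY, G, K, n)
    return key_from_period(r1, r2, n), n
```

On the toy curve the enumeration in `find_period` touches at most 102 points, so the whole recovery finishes instantly; on secp256k1 the same table would need roughly 2^256 entries, which is the part Shor’s algorithm replaces with superposition and a quantum Fourier transform. Note that the enumeration over all multiples of G is exactly the classically infeasible work, so the example demonstrates the structure of the attack (period first, then one modular division), not a classical shortcut.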

Why Bitcoin still works today

Shor’s algorithm has been known for over 30 years. The reason Bitcoin still exists is that running it requires a quantum computer with a large enough number of stable qubits to stay coherent throughout the calculation.

Building such a machine has so far been out of reach, but the open question has always been how big “big enough” actually is.

Previous estimates called for millions of physical qubits. Google’s paper, published in early April by its Quantum AI division with contributions from Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, reduced that figure to fewer than 500,000.

That’s a reduction of around 20 times compared to previous estimates.

The team designed two quantum circuits that implement Shor’s algorithm for Bitcoin’s specific elliptic curve. One uses about 1,200 logical qubits and 90 million Toffoli gates. The other uses around 1,450 logical qubits and 70 million Toffoli gates.

A Toffoli gate is a gate that acts on three qubits: two control qubits, which together determine the state of a third, target qubit. Think of it as three switches (the qubits) and a special light bulb (the target) that only lights up if two specific switches are turned on at the same time.

Since qubits are constantly losing their quantum state, as part one explains, you need hundreds of redundant physical qubits checking each other’s work to maintain a single reliable logical qubit. Most of a quantum computer exists solely to detect the machine’s own errors before they ruin the calculation. The roughly 400-to-1 ratio of physical to logical qubits shows the extent to which the machine is a self-monitoring infrastructure.

The nine-minute window

Google’s paper didn’t just reduce the number of qubits. It introduced a practical attack scenario that changes the way we think about the threat.

The parts of Shor’s algorithm that depend only on the fixed parameters of the elliptic curve, which are publicly known and identical for every Bitcoin wallet, can be precomputed. The quantum computer sits in a primed state, already halfway through the calculation, waiting.

The moment a target public key appears, whether broadcast in a transaction to the network’s mempool or already exposed on the blockchain in a previous transaction, the machine only has to complete the second half.

Google estimates that this second half takes around nine minutes.

The average Bitcoin block confirmation time is 10 minutes. This means that if a user broadcasts a transaction and their public key is visible in the mempool, a quantum attacker has approximately nine minutes to derive the private key and submit a competing transaction that redirects the funds.

The calculation gives the attacker about a 41% chance of completing before your initial transaction is confirmed.

This is the mempool attack. It is alarming, but it requires a quantum computer that does not yet exist.
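The 41% figure above follows from a simple model of the race, shown here as an added example that is not part of the original article or Google’s paper. It assumes block arrivals are memoryless (Poisson) with a 10-minute mean, so the time until the next block is exponentially distributed and the attacker wins whenever its fixed nine-minute runtime is shorter than that wait. The code goes slightly beyond the text by tabulating the same odds for other hypothetical attack runtimes; the function names and the runtimes other than nine minutes are assumptions.

```python
# Added example, not from the original article: the race between a quantum
# attacker with a fixed runtime and the next Bitcoin block confirming the
# victim's transaction. Assumption: block arrivals are memoryless (Poisson)
# with a 10-minute mean, so the wait for the next block is exponential.
import math
import random

MEAN_BLOCK_MINUTES = 10.0  # Bitcoin's target average block interval

def attacker_win_probability(attack_minutes: float,
                             mean_block_minutes: float = MEAN_BLOCK_MINUTES) -> float:
    """Probability that the attacker finishes before the next block arrives.

    For an exponential inter-block time, P(next block later than t) = exp(-t / mean).
    With t = 9 and mean = 10 this is exp(-0.9), roughly 0.41, the article's 41%.
    """
    return math.exp(-attack_minutes / mean_block_minutes)

def simulate_race(attack_minutes: float, trials: int = 200_000, seed: int = 1,
                  mean_block_minutes: float = MEAN_BLOCK_MINUTES) -> float:
    """Monte Carlo cross-check of the closed form: draw the wait for the next
    block and count how often the attacker's fixed runtime beats it."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    wins = 0
    for _ in range(trials):
        next_block = rng.expovariate(1.0 / mean_block_minutes)
        if attack_minutes < next_block:
            wins += 1
    return wins / trials

def window_table(attack_times_minutes):
    """Attacker odds for several hypothetical runtimes (e.g. as hardware improves)."""
    return {t: round(attacker_win_probability(t), 3) for t in attack_times_minutes}

if __name__ == "__main__":
    print(f"9-minute attack: {attacker_win_probability(9):.1%} closed form, "
          f"{simulate_race(9):.1%} simulated")
    for t, p in window_table([9, 5, 1]).items():  # hypothetical runtimes
        print(f"{t:>2} min runtime -> {p:.1%}")
```

The model is deliberately minimal: it ignores fee competition between the two transactions and the time the attacker needs to see the public key and broadcast its own transaction, so it is an upper bound for a mempool race under these assumptions. An at-rest attack on an already exposed key corresponds to an attack time of zero relative to any deadline, which is why no such race exists there.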

The bigger concern, however, is the 6.9 million bitcoins (about a third of the total supply) stored in wallets whose public key has already been permanently exposed on the blockchain. These coins are vulnerable to an “at rest” attack that does not require a race against time. The attacker can take as long as necessary.


A quantum computer running Shor’s algorithm can turn a Bitcoin public key into the private key that controls the coins. For coins held in Taproot addresses (a privacy upgrade to Bitcoin that went live in November 2021), the public key is already visible. For coins in older address types, the public key stays hidden until you spend them, after which you have about nine minutes before the attacker catches up.

What this means in practice, which 6.9 million bitcoins have already been exposed, what Taproot has changed, and how quickly hardware is closing the gap, is the subject of the next and final article in this series.
