What does it really mean to “crack” Bitcoin in 9 minutes with a quantum computer?

Google’s Quantum AI team said earlier this week that a future quantum computer could derive a Bitcoin private key from a public key in about nine minutes. This figure ricocheted across social media and scared markets.

But in concrete terms, what does this mean?

Let’s start with how Bitcoin transactions work. When you send bitcoins, your wallet signs the transaction with a private key, a secret number that proves you own the coins.

This signature also reveals your public key, a shareable address. The transaction is broadcast across the network and waits in a holding area called the mempool until a miner includes it in a block. On average, this confirmation takes around 10 minutes.

Your private key and your public key are linked by a mathematical problem called the elliptic curve discrete logarithm problem. Classical computers cannot reverse this calculation in a useful time frame, whereas a sufficiently powerful future quantum computer running Shor's algorithm could.

This is where the nine-minute figure comes into play. The Google paper found that a quantum computer could be “primed” in advance by precomputing the parts of the attack that do not depend on any specific public key.

Once your public key appears in the mempool, the machine needs only about nine minutes to finish the job and derive your private key. The average Bitcoin confirmation time is 10 minutes. This gives the attacker about a 41% chance of obtaining your key and redirecting your funds before the original transaction is confirmed.

Think of it like a thief who spends hours building a universal safe-cracking machine (the precomputation). The machine works on any safe, but each time a new safe appears it needs a few final adjustments, and that final step takes about nine minutes.

This is the mempool attack. It is alarming, but it requires a quantum computer that does not yet exist. The Google paper estimates that such a machine would need fewer than 500,000 physical qubits. The largest current quantum processors have around 1,000.

The biggest and most immediate concern is the 6.9 million bitcoins, or about a third of the total supply, that are already in wallets where the public key has been permanently exposed.

This includes addresses from the network’s early years that used a format called pay-to-public-key, where the public key is visible on the blockchain by default. It also includes any wallet that has reused an address, since spending from an address reveals the public key for any funds that remain there.

These coins don’t need a nine-minute race. An attacker with a sufficiently powerful quantum computer could crack them at will, working through the exposed keys one by one without any time constraint.

Bitcoin’s 2021 Taproot upgrade has made the situation worse, as CoinDesk reported earlier on Tuesday. Taproot changed how addresses worked so that public keys were visible on-chain by default, inadvertently expanding the pool of wallets that would be vulnerable to a future quantum attack.
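To make the exposure categories above concrete, the following Python sketch (an added example, not code from the article or from Google's paper) classifies an output's locking script by whether the public key is visible before any spend, and flags address reuse within a wallet's own history. The function names, the record layout and the sample scripts are constructed for illustration.

```python
# Standard Bitcoin output-script templates; all sample data below is constructed.
def classify_script(script_hex):
    """Return (script type, True if the public key is visible before any spend)."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False
    # Witness v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False
    # Taproot (witness v1): OP_1 <32-byte x-only output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    return "unknown", False

def audit(outputs):
    """Flag unspent outputs whose key is exposed by script type or address reuse."""
    spent_scripts = {o["script"] for o in outputs if o["spent"]}
    report = []
    for o in outputs:
        if o["spent"]:
            continue
        kind, exposed = classify_script(o["script"])
        reused = o["script"] in spent_scripts  # an earlier spend revealed the key
        reason = "script type" if exposed else "address reuse" if reused else None
        report.append({"id": o["id"], "type": kind,
                       "exposed": exposed or reused, "reason": reason})
    return report

# Constructed wallet history: placeholder keys and hashes, not real ones.
KEY33, HASH_A, HASH_B = "02" + "11" * 32, "aa" * 20, "bb" * 20
SAMPLE = [
    {"id": "a:0", "script": "21" + KEY33 + "ac", "spent": False},          # P2PK
    {"id": "b:0", "script": "76a914" + HASH_A + "88ac", "spent": True},    # P2PKH, spent
    {"id": "c:1", "script": "76a914" + HASH_A + "88ac", "spent": False},   # same address
    {"id": "d:0", "script": "0014" + HASH_B, "spent": False},              # P2WPKH, fresh
    {"id": "e:0", "script": "5120" + "33" * 32, "spent": False},           # P2TR
]
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Outputs reported as exposed are the ones that fall into the "no time constraint" category; the fresh hashed output only reveals its key at spend time, which is the mempool window discussed earlier.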

The Bitcoin network itself would continue to operate. Mining uses a different algorithm called SHA-256 that quantum computers cannot speed up significantly with current approaches. Blocks would still be produced.

The ledger would still exist. But if private keys can be derived from public keys, the ownership guarantees that make Bitcoin valuable collapse. Anyone with exposed keys is at risk of theft, and institutional trust in the network security model collapses.

The fix is post-quantum cryptography, which replaces vulnerable mathematics with algorithms that quantum computers cannot crack. Ethereum spent eight years preparing for this migration. Bitcoin hasn’t even started.
