In a significant announcement from Google’s Quantum AI team earlier this week, the prospect of a future quantum computer deriving a bitcoin private key from its corresponding public key in about nine minutes has sent ripples through market communities and social media. This revelation raises alarming questions regarding the safety and security of bitcoin transactions.
To understand the implications, it’s essential to grasp how bitcoin transactions fundamentally work. When a user sends bitcoin, their wallet uses a private key—a confidential number—to sign the transaction, thereby proving ownership of the funds. Publishing that signature also reveals the public key, the shareable counterpart from which the receiving address is derived. The transaction is then broadcast to the network, where it waits in a temporary holding area known as the mempool until a miner includes it in a block—a process that typically takes around ten minutes.
The relationship between the private and public keys is rooted in the elliptic curve discrete logarithm problem, a mathematical challenge that classical computers cannot solve within any meaningful timeframe. However, the emergence of sufficiently powerful quantum computers running Shor’s algorithm could turn this dynamic upside down.
The nine-minute timeframe highlighted in Google’s paper stems from the ability of a future quantum computer to be “primed” through pre-computation of certain attack components that do not depend on specific public keys. When a public key is detected in the mempool, the quantum machine would need only about nine additional minutes to complete the attack, creating a 41% chance of deriving the private key and redirecting the bitcoin before the original transaction gains confirmation.
This scenario can be likened to a burglar who spends days constructing a universal safe-cracking device. Although the device is capable of cracking any safe, it requires only minor final adjustments once a new safe (or public key) appears—representing the critical nine minutes in this case.
While the concept of the mempool attack is concerning, it hinges on the assumption that such a quantum computer exists, which, according to Google’s paper, would require fewer than 500,000 physical qubits. Currently, the most advanced quantum processors operate with around 1,000 qubits.
However, a more pressing issue looms: around 6.9 million bitcoin—approximately one-third of the entire supply—are presently held in wallets where the public key has already been permanently exposed. This situation includes early bitcoin addresses that originated from the network’s formative years and utilized a format known as pay-to-public-key, making the public key visible on the blockchain by default. Furthermore, any wallet that has reused an address also inadvertently exposes the public key, making remaining funds vulnerable.
Unlike the time-sensitive mempool attack scenario, an attacker armed with a sufficiently powerful quantum computer could work through these already-exposed keys at leisure, deriving the private keys one by one without the constraint of a ticking clock.
Complicating matters further, the 2021 Taproot upgrade to the bitcoin network exacerbated this vulnerability. Taproot modified the manner in which addresses function, causing public keys to be visible on-chain by default, thereby expanding the pool of wallets that could potentially fall prey to future quantum attacks.
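The three exposure paths described above (pay-to-public-key outputs, reused addresses, and Taproot outputs) can be audited mechanically from a UTXO set. The following is an added example, not code from Google’s paper or from any bitcoin project; it classifies output scripts by standard template and sums the balance whose public key is already on-chain. The UTXO set and the “already spent from” set are constructed sample data.

```python
# Classify bitcoin output scripts by whether the public key is on-chain
# before the coins move, and flag reused addresses whose key was revealed by
# an earlier spend. Sample data at the bottom is constructed, not real chain data.
from collections import defaultdict

def classify_script(spk: bytes) -> str:
    """Identify a scriptPubKey by its standard template."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"    # <pubkey> OP_CHECKSIG: raw key in the output itself
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"    # OP_1 <32-byte x-only key>: Taproot exposes the key
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"   # only HASH160(pubkey); key revealed when spent
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"  # segwit v0 key hash; key revealed in the witness on spend
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    return "unknown"

EXPOSED_AT_CREATION = {"p2pk", "p2tr"}

def exposed_balance(utxos, spent_scripts):
    """Sum unspent value (satoshi) whose signing key is already public, by reason.
    utxos: iterable of (outpoint_id, scriptPubKey bytes, value_sat).
    spent_scripts: set of scriptPubKeys that were spent from before (address reuse),
    so the key is visible in an earlier scriptSig or witness."""
    by_reason = defaultdict(int)
    for _outpoint, spk, value in utxos:
        kind = classify_script(spk)
        if kind in EXPOSED_AT_CREATION:
            by_reason[kind] += value
        elif spk in spent_scripts:
            by_reason["address_reuse"] += value
        else:
            by_reason["hash_only"] += value
    return dict(by_reason)

# Constructed sample UTXO set: key bytes are filler, not real keys.
P2PK_SCRIPT = bytes([0x21, 0x02]) + b"\x11" * 32 + b"\xac"   # 33-byte compressed key
P2TR_SCRIPT = b"\x51\x20" + b"\x22" * 32
P2PKH_SCRIPT = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"
FRESH_P2WPKH = b"\x00\x14" + b"\x44" * 20
SAMPLE_UTXOS = [
    ("a:0", P2PK_SCRIPT, 50_00000000),   # early-era pay-to-public-key output
    ("b:1", P2TR_SCRIPT, 1_00000000),
    ("c:0", P2PKH_SCRIPT, 3_00000000),   # two outputs to one reused address
    ("d:2", P2PKH_SCRIPT, 2_00000000),
    ("e:0", FRESH_P2WPKH, 5_00000000),   # never spent from: hash only
]
SAMPLE_SPENT = {P2PKH_SCRIPT}

if __name__ == "__main__":
    print(exposed_balance(SAMPLE_UTXOS, SAMPLE_SPENT))
```

Run against a real UTXO dump, the same logic separates funds that an attacker could target at leisure from funds that are exposed only during the mempool window.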
In this context, while the bitcoin network itself might continue to operate—since mining relies on a different algorithm called SHA-256, which remains less vulnerable to quantum capabilities—the crux of the issue lies in the foundational ownership guarantees essential to bitcoin’s value. If private keys can indeed be derived from public keys, anyone with exposed keys would be at risk of theft, leading to a potential erosion of institutional trust in the network’s security model.
The prospective solution to these vulnerabilities lies in post-quantum cryptography, a shift toward mathematical problems that are not known to be efficiently solvable by quantum algorithms. While Ethereum has been actively working toward the integration of post-quantum solutions for the past eight years, the bitcoin network has yet to embark on this critical journey. The urgency for adaptive solutions has never been greater as the potential of quantum technology inches closer to realization.