Google’s quantum AI team said earlier this week that a future quantum computer could derive a Bitcoin private key from a public key in about nine minutes. This number is spreading panic on social media and markets.
But, what does this actually mean in practice?
Let’s start with how Bitcoin transactions work. When you send Bitcoin, your wallet signs the transaction with a private key, a secret number that proves you own the coins.
That signature also reveals your public key, a shareable address, which is broadcast on the network and sits in a waiting area called the mempool until a miner includes it in a block. On average, that confirmation takes about 10 minutes.
Your private key and public key are linked by a math problem called the elliptic curve discrete logarithm problem. Classical computers can’t reverse that math in any useful time frame, while a sufficiently powerful future quantum computer could run an algorithm called Shor.
This is where the nine-minute part comes in. Google’s paper found that a quantum computer could be “primed” in advance by pre-computing the parts of an attack that do not depend on a specific public key.
Once your public key appears in the mempool, it only takes nine minutes for the machine to complete the job and obtain your private key. The average confirmation time for Bitcoin is 10 minutes. This gives an attacker about a 41% chance of obtaining your keys and redirecting your funds before the original transaction is confirmed.
Think of it like a thief spending hours building a universal safe-cracking machine (pre-computed). The machine works for any safe, but each time a new safe appears, it only needs a few final adjustments – and the final step takes about nine minutes.
That is mempool attack. This is worrying but it requires a quantum computer which does not exist yet. Google’s paper estimates that such a machine would require fewer than 500,000 physical qubits. The largest quantum processors today number about 1,000.
The larger and more immediate concern is the 6.9 million Bitcoins, roughly a third of the total supply, that are already held in wallets where the public keys are permanently exposed.
It includes early Bitcoin addresses from the first years of the network that used a format called pay-to-public-key, where the public key is visible on the blockchain by default. This includes any wallet that has reused an address, as spending from an address reveals the public keys to all remaining funds.
These coins do not require a nine-minute race. An attacker with a sufficiently powerful quantum computer could crack them at leisure, working through the exposed keys one by one, without any time pressure.
As CoinDesk reported earlier on Tuesday, Bitcoin’s 2021 taproot upgrade has made this worse. Taproot changed the way addresses work so that the public key appears on-chain by default, inadvertently expanding the pool of wallets that would be vulnerable to a future quantum attack.
The Bitcoin network will continue to run automatically. Mining uses a different algorithm called SHA-256 that quantum computers cannot speed up meaningfully with current approaches. Blocks will still be produced.
The ledger will still exist. But if the private key can be derived from the public key, the guarantee of ownership is what makes Bitcoin valuable. Anyone with exposed keys is at risk of being stolen, and institutional trust in the network’s security model is eroded.
The solution is post-quantum cryptography, which replaces weak mathematics with algorithms that quantum computers cannot crack. Ethereum has spent eight years building that migration. Bitcoin hasn’t even started yet.