Bitcoin’s security depends on elliptic curve cryptography, a one-way mathematical function designed so that deriving a private key from a public key is effectively impossible for traditional computers. A sufficiently powerful quantum computer running Shor’s algorithm could reverse this one-way function, turning a bitcoin public key into its corresponding private key and enabling theft. A recent Google-led paper outlines a realistic attack scenario in which a future quantum computer could, in about nine minutes, derive a private key from an exposed public key and potentially front-run or drain vulnerable bitcoin wallets.
Bitcoin uses elliptic curve cryptography to prove ownership. Each wallet has two keys: a private key, described as a secret number roughly 256 bits long, and a public key derived from the private key using the secp256k1 elliptic curve.
The relationship is expressed as K = k × G, where k is the private key, K is the public key, and G is a publicly agreed generator point on the curve. The “multiplication” is not ordinary arithmetic; it is a geometric operation in which the point G is added to itself repeatedly along the curve. The forward direction is easy: anyone holding k can compute K and confirm that the two match. The reverse direction, determining k from K, is the elliptic curve discrete logarithm problem, which classical computers cannot solve efficiently.
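To make K = k × G concrete, the following is an added example (not code from the article or the paper) that implements textbook secp256k1 point addition and double-and-add scalar multiplication in plain Python; the curve constants are the public secp256k1 parameters, and the check values used below are assumed known test vectors.

```python
# Added example (not the article's code): secp256k1 public-key derivation
# K = k * G with textbook double-and-add, to make "repeated point addition"
# concrete. Educational only; wallets use constant-time code (libsecp256k1).

# secp256k1 domain parameters: public, fixed, identical for every wallet
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True if pt lies on y^2 = x^3 + 7 (mod p) or is the identity."""
    return pt is INF or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0


def point_add(p1, p2):
    """Chord-and-tangent group law: the 'addition' of points along the curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 is the negation of p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt=G):
    """K = k * pt by double-and-add; this is the 'x' in K = k x G."""
    if not 0 < k < N:
        raise ValueError("private key must be in [1, n-1]")
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def public_key_hex(k):
    """Compressed SEC1 encoding: 02/03 prefix from y parity, then 32-byte x."""
    x, y = scalar_mult(k)
    return ("02" if y % 2 == 0 else "03") + format(x, "064x")
```

Running `public_key_hex(1)` yields the well-known compressed encoding of G itself; the loop is deliberately not constant-time, which is one reason production wallets never use code like this for real keys.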
In practice, when a user sends bitcoin, the wallet uses the private key to create a digital signature—a proof that the sender knows the secret number without revealing it.
In 1994, mathematician Peter Shor developed a quantum algorithm that breaks the discrete logarithm “trapdoor” underlying elliptic curve cryptography. Shor’s algorithm solves the discrete logarithm problem efficiently: its running time grows only polynomially with key size, rather than exponentially as it does for the best known classical methods.
The attack targets the problem of finding the private key k given the public key K and the generator point G. The algorithm reframes the task as finding the period of a function: by evaluating a function over sequential inputs, the outputs repeat in a cycle, and the cycle length reveals the private key through subsequent classical computation.
Quantum computers carry out this period-finding using three core quantum techniques: superposition (evaluating many inputs at once), entanglement (linking input and output so results remain correlated), and interference (amplifying correct outcomes while canceling incorrect ones). After measurement reveals the period, ordinary math recovers k, producing the private key and enabling control of the associated coins.
Shor’s algorithm has been known for more than 30 years, but bitcoin remains secure because executing it requires a quantum computer with enough stable qubits to maintain coherence throughout the full computation.
Earlier estimates suggested millions of physical qubits. The Google-led paper, published in early April by Google’s Quantum AI division with contributions from Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, reduced the estimate to fewer than 500,000 physical qubits—about a 20-fold reduction from prior estimates.
The paper describes two quantum circuit designs implementing Shor’s algorithm for bitcoin’s specific elliptic curve parameters. One circuit uses approximately 1,200 logical qubits and 90 million Toffoli gates. The other uses approximately 1,450 logical qubits and 70 million Toffoli gates.
A Toffoli gate is a three-qubit gate with two control qubits and one target qubit; the target flips only when both control qubits are set. Because qubits lose their quantum state over time, the computation requires redundancy: the paper assumes an approximate 400-to-1 ratio of physical to logical qubits to support error correction and keep the logical qubits reliable.
The Google paper also changes how the threat is framed by introducing a practical attack scenario. Portions of Shor’s algorithm that depend only on elliptic curve parameters—fixed, publicly known, and identical across bitcoin wallets—can be precomputed. In the proposed approach, the quantum computer is “primed,” already halfway through the calculation, waiting for a target public key.
When a target public key becomes available—either broadcast in a transaction visible in the network’s mempool or already exposed on-chain—the quantum computer only needs to complete the second half. Google estimates that this second half takes about nine minutes.
Bitcoin’s average block confirmation time is 10 minutes. If a user broadcasts a transaction and their public key is visible in the mempool, a quantum attacker would have roughly nine minutes to derive the private key and submit a competing transaction that redirects funds.
The paper estimates the attacker would have a roughly 41% chance of finishing before the original transaction confirms.
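One simple model that reproduces this figure (an added illustration, not the paper's own calculation): bitcoin blocks arrive roughly as a Poisson process with a mean interval of 10 minutes, so the waiting time $T$ until the next block is exponentially distributed, and the probability that no block arrives during the attacker's nine-minute computation is

$$P(T > 9) = e^{-9/10} \approx 0.407,$$

or about 41%. The model assumes the victim's transaction is included in the very next block and that the attacker's competing transaction, once broadcast, replaces it.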
The paper highlights a broader concern: roughly 6.9 million bitcoin (about one-third of the total supply) sit in wallets whose public key has already been permanently exposed on the blockchain. For these coins, an attacker does not need to race against block times.
The paper notes that for coins transacted since Taproot (a privacy upgrade that went live in November 2021), the public key is already visible. For older address types, the public key stays hidden until the coins are spent; at that point the attacker's roughly nine-minute window opens.
The next piece in the series is described as covering what this means in practice, including which coins are already exposed, what Taproot changed, and how quickly hardware progress could close the gap.