What does it really mean to ‘crack’ bitcoins in 9 minutes using quantum computers?


Google’s quantum AI team said earlier this week that a future quantum computer could derive a bitcoin private key from a public key in about nine minutes. The figure bounced around on social networks and scared the markets.

But what does it really mean in practice?

Let’s start with how bitcoin transactions work. When you send bitcoins, your wallet signs the transaction with a private key, a secret number that proves you own the coins.

That signature also reveals your public key, a shareable address, which is broadcast to the network and remains in a waiting area called a mempool until a miner includes it in a block. On average, this confirmation takes about 10 minutes.

Your private key and public key are linked by a mathematical problem called the elliptic curve discrete logarithm problem. Classical computers cannot reverse that math in any useful time frame, while a sufficiently powerful future quantum computer running Shor’s algorithm could do so.

This is where the nine-minute part comes into play. The Google paper found that a quantum computer could “prepare” itself in advance by pre-calculating the parts of the attack that do not depend on any specific public key.

Once your public key appears in the mempool, the machine only needs about nine minutes to finish the job and derive your private key. The average confirmation time for Bitcoin is 10 minutes. That gives the attacker about a 41% chance of obtaining your key and redirecting your funds before the original transaction is confirmed.

Think of it as a thief spending hours building a universal safe-cracking machine (pre-calculation). The machine works for any safe, but every time a new one comes out, it only needs a few final adjustments, and that last step takes about nine minutes.

That’s the mempool attack. It’s alarming but it requires a quantum computer that doesn’t exist yet. The Google paper estimates that such a machine would need fewer than 500,000 physical qubits. Today’s largest quantum processors have around 1,000.

The biggest and most immediate concern is the 6.9 million bitcoins, about a third of the total supply, that are already in wallets where the public key has been permanently exposed.

This includes bitcoin addresses from the early years of the network that used a format called pay-to-public-key, where the public key is visible on the blockchain by default. It also includes any wallet that has reused an address, since spending from one address reveals the public key for all remaining funds.

These coins don’t need the nine-minute run. An attacker with a powerful enough quantum computer could crack them at will, working through the exposed keys one by one without any time pressure.

Bitcoin’s 2021 Taproot upgrade made this worse, as CoinDesk reported earlier Tuesday. Taproot changed the way addresses work so that public keys are visible on-chain by default, inadvertently expanding the set of wallets that would be vulnerable to a future quantum attack.
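
The exposure rules described above (early pay-to-public-key outputs, reused addresses and Taproot), as an added example that is not code from the article or from the Google paper: a Python sketch that matches an output script against the standard templates and reports whether its public key is visible at rest, revealed by an earlier spend, or still hidden behind a hash. The function names and status labels are assumptions for illustration, and the sample scripts are constructed.

```python
# Added example (illustrative names, constructed sample scripts).
def classify_script(script_hex):
    """Match a scriptPubKey against the standard output templates."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # Pay-to-public-key: <push 33- or 65-byte key> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    # Witness v0 programs: 20-byte key hash or 32-byte script hash
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"
    # Witness v1 (Taproot): OP_1 <32-byte x-only public key>
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"

def exposure(script_hex, spent_before=False):
    """Return (template, status); spent_before marks address reuse."""
    kind = classify_script(script_hex)
    if kind == "unknown":
        return kind, "review-manually"
    if kind in ("p2pk", "p2tr"):
        return kind, "exposed-at-rest"      # key sits in the output itself
    if spent_before:
        return kind, "exposed-by-reuse"     # earlier spend published the key
    return kind, "hidden-until-spend"       # only a hash is on-chain

# Constructed sample outputs: (script hex, address spent from before?)
SAMPLES = [
    ("21" + "02" + "11" * 32 + "ac", False),   # early P2PK output
    ("76a914" + "22" * 20 + "88ac", False),    # fresh P2PKH address
    ("76a914" + "22" * 20 + "88ac", True),     # same address, reused
    ("0014" + "33" * 20, False),               # fresh P2WPKH address
    ("5120" + "44" * 32, False),               # Taproot output
]

if __name__ == "__main__":
    for script, reused in SAMPLES:
        print(exposure(script, reused))
```

Outputs reported as hidden-until-spend are the ones for which only the mempool window described earlier applies; the other two statuses correspond to the keys an attacker could work on without time pressure.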

The bitcoin network itself would continue to function. Mining uses a different algorithm called SHA-256 that quantum computers cannot significantly speed up with current approaches. Blocks would still be produced.

The ledger would still exist. But if private keys can be derived from public keys, the ownership guarantees that make Bitcoin valuable fall apart. Anyone with exposed keys is at risk of theft, and institutional trust in the network’s security model collapses.

The solution is post-quantum cryptography, which replaces vulnerable mathematics with algorithms that quantum computers cannot crack. Ethereum has spent eight years moving toward that migration. Bitcoin hasn’t even started.
